From owner-freebsd-hackers@freebsd.org  Mon Aug 28 07:21:39 2017
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C29CFE07B21
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Mon, 28 Aug 2017 07:21:39 +0000 (UTC) (envelope-from daniel@roe.ch)
Received: from schoggimuss.roe.ch (schoggimuss.roe.ch
 [IPv6:2a03:da40:0:35::10])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 8B3CB6C561
 for <freebsd-hackers@freebsd.org>; Mon, 28 Aug 2017 07:21:39 +0000 (UTC)
 (envelope-from daniel@roe.ch)
Received: from daniel (ssh-from [178.197.231.54])
 by schoggimuss.roe.ch (envelope-from <daniel@roe.ch>)
 with LOCAL id 1dmEMZ-000AVh-G9
 for freebsd-hackers@freebsd.org; Mon, 28 Aug 2017 09:21:35 +0200
Date: Mon, 28 Aug 2017 09:21:35 +0200
From: Daniel Roethlisberger <daniel@roe.ch>
To: freebsd-hackers@freebsd.org
Subject: Re: [PATCH] O_NOATIME support for open(2)
Message-ID: <20170828072135.GA40198@schoggimuss.roe.ch>
Mail-Followup-To: freebsd-hackers@freebsd.org
References: <20170826161827.GA21456@schoggimuss.roe.ch>
 <CALXu0UdK5uR4caUORYGSCeP0pvGVxG6gLDK=vSL8pFGyt7uKDg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CALXu0UdK5uR4caUORYGSCeP0pvGVxG6gLDK=vSL8pFGyt7uKDg@mail.gmail.com>
User-Agent: Mutt/1.8.3 (2017-05-23)
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Aug 2017 07:21:39 -0000

Cedric Blancher <cedric.blancher@gmail.com> 2017-08-28:
> You know, this was long discussed in a Solaris rfe,

Can you provide a pointer to the discussion you are refering to?

> and it was found that O_NOATIME has serious security
> implications and can be used to circumvent atime-based
> monitoring. So basically, you open a security hole with this.

Can you elaborate on what exactly you mean by "atime-based
monitoring"?  Are you thinking about DFIR?

How would the "serious security implications" differ from those
of utimes(2)?  Note that the use of O_NOATIME is restricted to
the file owner and root.

My take would be that atimes should not be confused with
auditing.

Daniel

-- 
Daniel Roethlisberger
http://daniel.roe.ch/