Re: [PATCH] ima: Calculate digest in ima_inode_hash() if not available

From: Mimi Zohar
Date: Tue Feb 15 2022 - 06:17:27 EST

Next message: Sergey Shtylyov: "Re: [PATCH] ata: add/use ata_taskfile::{error|status} fields"
Previous message: John Garry: "Re: Test 73 Sig_trap fails on arm64 (was Re: [PATCH] perf test: Test 73 Sig_trap fails on s390)"
In reply to: Roberto Sassu: "RE: [PATCH] ima: Calculate digest in ima_inode_hash() if not available"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2022-02-15 at 08:00 +0000, Roberto Sassu wrote:
> > >
> > > I found that just checking that iint->ima_hash is not NULL is not enough
> > > (ima_inode_hash() might still return the old digest after a file write).
> > > Should I replace that check with !(iint->flags & IMA_COLLECTED)?
> > > Or should I do only for ima_file_hash() and recalculate the digest
> > > if necessary?
> >
> > Updating the file hash after each write would really impact IMA
> > performance. If you really want to detect any file change, no matter
> > how frequently it occurs, your best bet would be to track i_generation
> > and i_version. Stefan is already adding "i_generation" for IMA
> > namespacing.
>
> I just wanted the ability to get a fresh digest after a file opened
> for writing is closed. Since in my use case I would not use an IMA
> policy, that would not be a problem.

As I recall, the __fput() delay was to prevent locking ordering issues
- inode, iint.

--
thanks,

Mimi

Next message: Sergey Shtylyov: "Re: [PATCH] ata: add/use ata_taskfile::{error|status} fields"
Previous message: John Garry: "Re: Test 73 Sig_trap fails on arm64 (was Re: [PATCH] perf test: Test 73 Sig_trap fails on s390)"
In reply to: Roberto Sassu: "RE: [PATCH] ima: Calculate digest in ima_inode_hash() if not available"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]