[PATCH] ima: Calculate digest in ima_inode_hash() if not available

Mimi Zohar zohar at linux.ibm.com
Tue Feb 15 11:16:52 UTC 2022


On Tue, 2022-02-15 at 08:00 +0000, Roberto Sassu wrote:
> > >
> > > I found that just checking that iint->ima_hash is not NULL is not enough
> > > (ima_inode_hash() might still return the old digest after a file write).
> > > Should I replace that check with !(iint->flags & IMA_COLLECTED)?
> > > Or should I do only for ima_file_hash() and recalculate the digest
> > > if necessary?
> > 
> > Updating the file hash after each write would really impact IMA
> > performance.  If you really want to detect any file change, no matter
> > how frequently it occurs, your best bet would be to track i_generation
> > and i_version.  Stefan is already adding "i_generation" for IMA
> > namespacing.
> 
> I just wanted the ability to get a fresh digest after a file opened
> for writing is closed. Since in my use case I would not use an IMA
> policy, that would not be a problem.

As I recall, the __fput() delay was to prevent locking ordering issues
- inode, iint.

-- 
thanks,

Mimi



More information about the Linux-security-module-archive mailing list