On Tue, 2022-02-15 at 08:00 +0000, Roberto Sassu wrote:
> > >
> > > I found that just checking that iint->ima_hash is not NULL is not enough
> > > (ima_inode_hash() might still return the old digest after a file write).
> > > Should I replace that check with !(iint->flags & IMA_COLLECTED)?
> > > Or should I do only for ima_file_hash() and recalculate the digest
> > > if necessary?
> >
> > Updating the file hash after each write would really impact IMA
> > performance. If you really want to detect any file change, no matter
> > how frequently it occurs, your best bet would be to track i_generation
> > and i_version. Stefan is already adding "i_generation" for IMA
> > namespacing.
>
> I just wanted the ability to get a fresh digest after a file opened
> for writing is closed. Since in my use case I would not use an IMA
> policy, that would not be a problem.

As I recall, the __fput() delay was to prevent locking ordering issues - inode, iint.

--
thanks,

Mimi