On Wed, May 10, 2017 at 05:00:47PM -0400, Mimi Zohar wrote:
> Without i_version support the file is measured/appraised once. With
> i_version support it will be re-measured/appraised. As a file system
> is mounted/remounted, some sort of message should be emitted
> indicating whether i_version is supported.

You can check for (sb->s_flags & MS_I_VERSION) to see if it's supported.

> That does not imply that
> there is no value in measuring/appraising the file only once.
>
> With this patch, the "opt-in" behavior, is only for measurement, not
> appraisal. For appraisal, it still enforces file hash/signature
> verification, as it should, based on policy.
>
> Christoph, could we call ->read_iter() in the NULL case as Boaz
> suggested?

No - that way you get deadlocks for every fs that uses i_rwsem in
->read_iter, which is perfectly valid behavior.

We can set ->integrity_read for every file system that's been tested
with IMA, though. Do you have a list of known-good file systems?