On Tue, 2018-01-16 at 16:10 +0100, Alban Crequy wrote:
> From: Alban Crequy <alban@xxxxxxxxxx>
>
> This patch forces files to be re-measured, re-appraised and re-audited
> on file systems with the feature flag FS_NO_IMA_CACHE. In that way,
> cached integrity results won't be used.
>
> For now, this patch adds the new flag only to FUSE filesystems. This is
> needed because the userspace FUSE process can change the underlying
> files at any time.

Thanks, it's working nicely.

> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 511fbaabf624..2bd7e73ebc2a 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2075,6 +2075,7 @@ struct file_system_type {
>  #define FS_BINARY_MOUNTDATA 2
>  #define FS_HAS_SUBTYPE 4
>  #define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */
> +#define FS_NO_IMA_CACHE 16 /* Force IMA to re-measure, re-appraise, re-audit files */
>  #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */
>  struct dentry *(*mount) (struct file_system_type *, int,
>  const char *, void *);
>

Since IMA is going to need another flag, we probably should have a
consistent prefix (eg. "FS_IMA"). Maybe rename this flag to
FS_IMA_NO_CACHE.

I'm also wondering if this change should be separated from the IMA
change.

Mimi
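Review bot: the quoted hunk only defines FS_NO_IMA_CACHE in include/linux/fs.h; nothing in the visible context sets the bit on the FUSE file_system_type or reads it in the IMA hooks, so on its own the define is inert. If the fs.h change is split out from the IMA change as suggested, the series should be ordered so that the IMA consumer lands before (or together with) the FUSE producer, otherwise a tree can exist in which FUSE advertises the flag and IMA still serves cached measurement, appraisal and audit results for files the userspace FUSE process may have rewritten. The value 16 is the next free bit after FS_USERNS_MOUNT (8) and well below FS_RENAME_DOES_D_MOVE (32768), so no collision there. The comment on the new define describes the effect but not the reason; stating the reason ("backing store is controlled by userspace, so cached integrity results cannot be trusted") would tell future filesystem authors when to set the flag. One caveat worth recording in the commit message: re-measuring on every access narrows, but does not close, the window in which the FUSE process can change file contents between IMA's measurement and the kernel's use of the data, so the flag restores correctness of the cache, not a guarantee about the file.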