Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes:

> On Wed, 2018-03-14 at 08:52 +0100, Stef Bon wrote:
>> I do not have any comments about the patches but a question.
>> I completely agree that the files can change without the VFS knowing
>> about it, but isn't that in general the case with filesystems with a
>> backend shared with others (network fs's?).
>
> Right, the problem is not limited to fuse, but needs to be addressed
> before unprivileged fuse mounts are upstreamed.
>
> Alban's response to this question:
> https://marc.info/?l=linux-kernel&m=151784020321045&w=2

Which goes to why it is a flag that gets set.

All of this just needs a follow-up patch to update every filesystem
that does not meet ima's requirements.

Mimi, I believe you said that the requirement is that all file changes
can be detected through the final __fput of a file that calls
ima_file_free.

Eric
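The requirement Eric restates above is easiest to see in a small model. The program below is an added example written for this page, not kernel code and not from anyone in the thread: it models IMA's cached measurement, the invalidation that happens only when the last reference to a written file is dropped (the ima_file_free point), and a per-filesystem flag that forces re-measurement. Every name in it (struct inode fields, ima_measure, backend_modify, shared_backend) is a hypothetical simplification, and the "file" contents are constructed strings.

```c
/*
 * Added example, not kernel code: a userspace model of why IMA's
 * measurement cache depends on every file change passing through the
 * final __fput -> ima_file_free, and why a filesystem whose backing
 * store can change behind the VFS needs a flag that forces re-measurement.
 * All names below are hypothetical simplifications of the real kernel.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the IMA file hash: 64-bit FNV-1a over the content. */
static uint64_t content_hash(const char *data)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *data; data++) {
        h ^= (unsigned char)*data;
        h *= 1099511628211ULL;
    }
    return h;
}

struct inode {
    char data[64];        /* the file's backing content */
    int open_count;       /* outstanding struct file references */
    int opened_for_write; /* some opener had write access */
    int measured;         /* cached measurement is considered valid */
    uint64_t cached_hash; /* the cached measurement */
    int shared_backend;   /* hypothetical per-fs flag: content may change
                             without the VFS ever seeing a write */
};

static void inode_init(struct inode *i, const char *content, int shared_backend)
{
    memset(i, 0, sizeof(*i));
    strncpy(i->data, content, sizeof(i->data) - 1);
    i->shared_backend = shared_backend;
}

/* Measurement at open/exec time: reuse the cached hash unless it was
 * invalidated, or the filesystem admits its cache cannot be trusted. */
static uint64_t ima_measure(struct inode *i)
{
    if (i->measured && !i->shared_backend)
        return i->cached_hash;
    i->cached_hash = content_hash(i->data);
    i->measured = 1;
    return i->cached_hash;
}

static void file_open(struct inode *i, int for_write)
{
    i->open_count++;
    if (for_write)
        i->opened_for_write = 1;
}

static void file_write(struct inode *i, const char *content)
{
    strncpy(i->data, content, sizeof(i->data) - 1);
    i->data[sizeof(i->data) - 1] = '\0';
}

/* Final __fput: the one hook (ima_file_free in the kernel) through which
 * IMA learns that a file was changed, so it drops the cached measurement. */
static void file_put(struct inode *i)
{
    if (--i->open_count == 0 && i->opened_for_write) {
        i->measured = 0;
        i->opened_for_write = 0;
    }
}

/* A change made behind the VFS: a FUSE daemon rewriting its backing
 * store, or another client of a network filesystem. No fput happens. */
static void backend_modify(struct inode *i, const char *content)
{
    strncpy(i->data, content, sizeof(i->data) - 1);
    i->data[sizeof(i->data) - 1] = '\0';
}

/* Measure once, change the content the given way, measure again;
 * return 1 if the second measurement reflects the real content. */
static int measure_change_measure(int shared_backend, int via_vfs)
{
    struct inode ino;
    inode_init(&ino, "#!/bin/sh\necho original\n", shared_backend);

    file_open(&ino, 0);
    ima_measure(&ino);            /* first exec: hash is cached */
    file_put(&ino);

    if (via_vfs) {
        file_open(&ino, 1);
        file_write(&ino, "#!/bin/sh\necho tampered\n");
        file_put(&ino);           /* ima_file_free sees the write */
    } else {
        backend_modify(&ino, "#!/bin/sh\necho tampered\n");
    }

    file_open(&ino, 0);
    uint64_t measured = ima_measure(&ino);
    file_put(&ino);

    return measured == content_hash(ino.data);
}

int main(void)
{
    printf("vfs write, no flag:      fresh=%d\n", measure_change_measure(0, 1));
    printf("backend change, no flag: fresh=%d\n", measure_change_measure(0, 0));
    printf("backend change, flag:    fresh=%d\n", measure_change_measure(1, 0));
    return 0;
}
```

The middle case is the one the thread is about: a change that never passes through the VFS leaves the cached hash valid, so a later exec is measured against stale data. Setting the per-filesystem flag sidesteps the cache for such filesystems, which is the fallback Eric refers to until each filesystem can guarantee the ima_file_free requirement.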