Hello,

Can anyone give a comment about it?

- Dmitry

On Tue, Sep 4, 2012 at 10:37 PM, Kasatkin, Dmitry <dmitry.kasatkin@xxxxxxxxx> wrote:
> Hello Al,
>
> Certain file system types and partitions will never be measured or
> appraised depending on the IMA policy.
> For example, pseudo file systems are not measured and appraised.
> In the upstream IMA implementation, the policy will be checked again and again
> for every inode in the filesystem.
> It happens thousands of times per second. That is an absolute waste of CPU
> and maybe battery resources.
>
> To overcome such an issue I would like to have a flag in the super block data
> structure which can be set once if IMA
> does not need to measure anything from a partition. The flag might be
> tested by IMA hooks to return without doing anything.
>
> I looked at <linux/fs.h> and found that there is a possibility to
> add an additional flag for sb->s_flags.
> For example
>
> #define MS_NOT_IMA (1<<25) /* NOT_IMA */
> #define IS_I_NOT_IMA(inode) __IS_FLG(inode, MS_NOT_IMA)
>
>
> Another way is to add an additional dedicated member to the sb structure.
>
> Can you please advise about this?
>
> Thanks,
> Dmitry
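The following user-space model is an added example, not code from the post or from the kernel. It shows the proposed once-per-superblock flag turning 1000 policy walks on an excluded filesystem into one. The structures, the policy table, `ima_hook`, `policy_excludes`, `policy_reloaded` and `walks_for` are hypothetical stand-ins; only the two macro names and the bit value come from the post.

```c
#include <stdio.h>
#define MS_NOT_IMA (1<<25)   /* flag bit proposed in the post */
#define __IS_FLG(inode, flg) ((inode)->i_sb->s_flags & (flg))
#define IS_I_NOT_IMA(inode) __IS_FLG(inode, MS_NOT_IMA)

/* Simplified user-space stand-ins for the kernel structures (assumption). */
struct super_block { unsigned long s_magic, s_flags; };
struct inode { struct super_block *i_sb; };
/* Constructed policy: filesystem magics that are never measured. */
static const unsigned long dont_measure[] = { 0x9fa0 /* proc */, 0x62656572 /* sysfs */ };
static unsigned long policy_walks;   /* number of full policy evaluations */

static int policy_excludes(const struct super_block *sb)
{
    policy_walks++;
    for (size_t i = 0; i < sizeof(dont_measure) / sizeof(dont_measure[0]); i++)
        if (dont_measure[i] == sb->s_magic) return 1;
    return 0;
}

/* Hypothetical hook: returns 1 if the inode would be measured, 0 if skipped. */
static int ima_hook(struct inode *inode)
{
    if (IS_I_NOT_IMA(inode)) return 0;       /* fast path, no policy walk */
    if (policy_excludes(inode->i_sb)) {
        inode->i_sb->s_flags |= MS_NOT_IMA;  /* cache the negative decision */
        return 0;
    }
    return 1;
}

/* Assumption: a policy reload must clear the flag, or the cached skip goes stale. */
static void policy_reloaded(struct super_block *sb) { sb->s_flags &= ~MS_NOT_IMA; }

/* Runs n hook calls on one superblock and returns the policy walks they cost. */
static unsigned long walks_for(struct super_block *sb, int n)
{
    struct inode in = { sb };
    policy_walks = 0;
    for (int i = 0; i < n; i++) ima_hook(&in);
    return policy_walks;
}

int main(void)
{
    struct super_block procfs = { 0x9fa0, 0 }, ext4 = { 0xef53, 0 };
    printf("procfs: %lu walks, ", walks_for(&procfs, 1000));
    printf("ext4: %lu walks\n", walks_for(&ext4, 1000));
    policy_reloaded(&procfs);
    return 0;
}
```

In this model a filesystem that is measured still pays a policy walk on every call; the flag only short-circuits superblocks the policy excludes entirely.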