On Tue, 2017-10-10 at 02:10 +0300, Mikhail Kurinnoi wrote:
> For now, we don't have an "immutable" EVM signature format support
> patch ready for upstream. Both Dmitry's and my patches need more work
> in order to prevent file data changes (in the case of an IMA hash) and
> metadata changes for files signed with an "immutable" EVM xattr (the
> same idea as we already have for IMA digsig, which prevents file data
> changes).

After looking at your patches again, I think we should combine the
"immutable" and "portable" concepts, so that the new "portable" signature
type is written out and considered "immutable".

Dmitry's patch does prevent the file from changing, but that code is in
IMA and should be in EVM. I agree we can defer preventing the file from
changing.

Mimi