I'm interested in extending our use of IMA digital signatures to EVM in order to protect security.capability (and, in the near future, security.apparmor). However, right now this doesn't seem to quite work in terms of allowing updates to a running system.

We've discussed the EVM signature format's use of inode numbers and I think I've got that sorted (I'll send a patch once I've got a last couple of things working). However, I'm a little confused by how EVM should be working here. Once EVM is initialised, all EVM attributes will be protected, making it impossible to write new values to any xattrs covered by EVM unless IMA_NEW_FILE is set. But as far as I can tell, IMA_NEW_FILE will only be set if there's an IMA action that covers the file in question. This means it's possible to write out security.evm and friends on newly created files that would be appraised, but not on any other files. Am I missing something?
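Added illustration, not kernel code and not part of the mail above: a userspace Python model of the digest that security.evm covers, which makes concrete the two problems the message touches on. Because the inode number is part of the hashed metadata, a security.evm value computed where a package was built is not the value the kernel expects once the file lands on a different inode on the target; and because security.capability is one of the protected xattrs, changing it invalidates the existing security.evm, so an update has to rewrite both. The xattr order, the struct h_misc layout, the sha1 default and the omission of the filesystem UUID are my reading of hmac_add_misc()/evm_calc_hmac_or_hash() in security/integrity/evm/evm_crypto.c for a 64-bit kernel without SELinux or Smack, and should be treated as assumptions to check against the kernel actually in use; the xattr values and inode metadata are constructed samples.

```python
"""Userspace model of the digest EVM stores in security.evm (added example).

Assumed behaviour, mirroring hmac_add_misc()/evm_calc_hmac_or_hash():
  1. the values of the protected xattrs are hashed in a fixed order, by
     value only; an absent xattr contributes nothing;
  2. then struct h_misc { unsigned long ino; __u32 generation; uid_t uid;
     gid_t gid; umode_t mode; } is hashed in its in-memory layout
     (24 bytes on a 64-bit kernel, trailing zero padding included);
  3. the hash defaults to sha1 and the fs UUID is not included (hmac v1).
Every one of these is an assumption to verify against the running kernel.
"""
import hashlib
import struct

# Assumed order for a kernel with IMA appraisal but no SELinux/Smack.
EVM_PROTECTED_XATTRS = ("security.ima", "security.capability")

# struct h_misc on x86_64: u64 ino, u32 generation, u32 uid, u32 gid,
# u16 mode, 2 bytes of padding. "=" keeps standard sizes and native byte
# order, which is what the kernel hashes straight from memory.
H_MISC_FMT = "=QIIIH2x"
H_MISC_SIZE = struct.calcsize(H_MISC_FMT)


def evm_digest(xattrs, ino, generation, uid, gid, mode, algo="sha1"):
    """Return the hex digest EVM would check security.evm against."""
    h = hashlib.new(algo)
    for name in EVM_PROTECTED_XATTRS:
        value = xattrs.get(name)
        if value is not None:
            h.update(value)
    h.update(struct.pack(H_MISC_FMT, ino, generation, uid, gid, mode))
    return h.hexdigest()


def vfs_cap_v2(permitted, inheritable, effective=True):
    """Constructed security.capability value (struct vfs_cap_data, rev 2)."""
    VFS_CAP_REVISION_2 = 0x02000000
    VFS_CAP_FLAGS_EFFECTIVE = 0x000001
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    # data[0] = (permitted_lo, inheritable_lo), data[1] = (permitted_hi, inheritable_hi)
    return struct.pack("<IIIII", magic,
                       permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)


def constructed_ima_xattr():
    """Constructed security.ima value: type 0x04 (digest_ng), sha256, digest."""
    return b"\x04\x04" + hashlib.sha256(b"constructed file contents").digest()


def build_time_vs_install_time():
    """Same xattr bytes and metadata, different inode: different digest."""
    xattrs = {"security.ima": constructed_ima_xattr(),
              "security.capability": vfs_cap_v2(1 << 10, 0)}  # cap_net_bind_service=ep
    meta = dict(generation=1, uid=0, gid=0, mode=0o100755)
    at_build = evm_digest(xattrs, ino=1234, **meta)    # value a package could ship
    installed = evm_digest(xattrs, ino=98765, **meta)  # value the target kernel expects
    recomputed = evm_digest(xattrs, ino=98765, **meta) # recomputing on the target matches
    return {"at_build": at_build, "installed": installed, "recomputed": recomputed}


def capability_update_changes_digest():
    """Changing security.capability on one inode invalidates security.evm."""
    meta = dict(ino=4242, generation=1, uid=0, gid=0, mode=0o100755)
    ima = constructed_ima_xattr()
    before = evm_digest({"security.ima": ima,
                         "security.capability": vfs_cap_v2(1 << 10, 0)}, **meta)
    after = evm_digest({"security.ima": ima,
                        "security.capability": vfs_cap_v2((1 << 10) | (1 << 12), 0)}, **meta)
    return before, after


if __name__ == "__main__":
    r = build_time_vs_install_time()
    print("digest at build time (ino 1234):   ", r["at_build"])
    print("digest kernel expects (ino 98765): ", r["installed"])
    print("recomputed on target (ino 98765):  ", r["recomputed"])
    before, after = capability_update_changes_digest()
    print("before capability change:", before)
    print("after  capability change:", after)
```

Run it as a script to see the three digests side by side; the point is not the exact values (they depend on the constructed inputs) but that the first differs from the second while the second equals the third, so whoever writes security.evm has to do it on the target inode, which is exactly where the write-permission question in the mail bites.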