On Wed, 2017-10-18 at 11:23 -0700, Matthew Garrett wrote:
> On Wed, Oct 18, 2017 at 11:19 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > The IMA_NEW_FILE check is applicable only when there are no security
> > xattrs (INTEGRITY_NOXATTRS), which would not be the case after writing
> > the first security xattr. The return result in that case is
> > INTEGRITY_NOLABEL, meaning no security.evm.
>
> Ah, of course. Ok, how about going with my proposal with an intention
> to relax the restriction around it and HMAC support once we have a
> mechanism for setting multiple xattrs at once?

Sure. We really need some way of keeping track of things needing to be done. And of course, putting a name with it.

[I'm still hoping someone will add the CPIO xattr support. Any takers? It's really a self contained project, lots of impact. A really small, minor problem is reading and understanding the undocumented state table in order to make the change.]

I assume you received, earlier today, the linux-next documentation conflict and resolution from Mark Brown. Hopefully, he'll be willing to carry this change as well.

Mimi