On Thu, Oct 19, 2017 at 3:14 AM, Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx> wrote: > But how security.ima will protect against cut and paste attack? > Attacker can take any other file together with metadata and it will be > valid one. Unless the hashing algorithm is broken, the two files will need to be identical in order for security.ima to match. And if the two files are identical then an attacker can simply delete one and create a hardlink to the other, which will have the same inode.
