On Wed, Oct 25, 2017 at 3:13 AM, Mikhail Kurinnoi <viewizard@xxxxxxxxxxxxx> wrote:
> In case of an IMA hash update we will be forced to update the EVM xattr from
> ima_fix_xattr() with __vfs_setxattr_noperm(); this means we will not call
> evm_inode_setxattr(), but will call evm_inode_post_setxattr().
>
> Dmitry's patch
> https://sourceforge.net/p/linux-ima/mailman/message/32987311/
> has a workaround for this issue. Since, in case we have immutable EVM,
> we should prevent any file data changes (IMA hash update).

Ah - does this need any more than adding EVM_XATTR_PORTABLE_DIGSIG to the check in ima_appraise_measurement()? I can't see any other way that we could get to ima_fix_xattr().