On Thu, 26 Oct 2017 01:31:44 -0700 Matthew Garrett <mjg59@xxxxxxxxxx> wrote:

> @@ -317,7 +319,7 @@ void ima_update_xattr(struct integrity_iint_cache > *iint, struct file *file) int rc = 0; > > /* do not collect and update hash for digital signatures */ > - if (iint->flags & IMA_DIGSIG) > + if (iint->flags & IMA_DIGSIG || iint->flags & > EVM_IMMUTABLE_DIGSIG) return; >

Doesn't this mean we have already changed the file's data, and we just don't allow the IMA xattr update? This file will not pass integrity verification next time. I thought the idea was to prevent data changes, and in this way prevent the IMA xattr update.

--
Best regards,
Mikhail Kurinnoi
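Review bot: the new condition in the ima_update_xattr() hunk mixes `&` and `||` without parentheses; it is correct as written because `&` binds tighter than `||` in C, but kernel style favours a single mask test, e.g. `if (iint->flags & (IMA_DIGSIG | EVM_IMMUTABLE_DIGSIG))`, which is both shorter and avoids the awkward line wrap after `||`. The comment above it, "do not collect and update hash for digital signatures", should also be extended to mention the EVM immutable case, since it now documents only half of the condition. Finally, because this early return means the stored hash is not refreshed for EVM_IMMUTABLE_DIGSIG files, the commit message should state where writes to such files are rejected; the hunk itself does not show that, and without it a file whose contents did change would simply keep a stale xattr and fail verification on the next access.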