Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> writes: > On Wed, 2018-02-21 at 17:12 -0600, Eric W. Biederman wrote: >> >> As I understand the second scenario SB_I_IMA_UNVERIFIABLE_SIGNATURES >> is set, which implies that the filesystem is lacking something for IMA >> to reliably know when a file has changed. AKA a technical deficiency. >> >> The fourth scenario is the case when SB_I_IMA_UNVERIFIABLE_SIGNATURES >> can be legitimately be cleared, because the filesystem provides all >> of the necessary support for IMA to reliably know when a file has >> changed. > > The information might be there, but IMA currently detects a file > change and resets the flags only when the last writer calls > __fput(). Any other time, new support would be needed. My point was only that for local NTFS or local exFAT with a quality and trusted fuse implementation they should be as safe in this regard as any other filesystem. So in theory we could have fuse implementing this level of filesystem as well. Not that I suggest we try for that out of the gate. Thank you very much for the clarification about the last fput that helps me understand SB_I_IMA_UNVERIFIEDABLE_SIGNATURES much better. Eric
