> > > If my assumptions so far are correct, then the effort for making
> > > IMA/EVM work with overlayfs should focus around finding the
> > > places where overlayfs uses lower level vfs interface (often
> > > vfs_xxx helpers) and make sure that the IMA hooks are placed
> > > in those lower vfs interfaces, just like vfs_create() patch does
> > > and like vfs_tmpfile() patch did before it.
> >
> > So basically turning on NOIMA for overlayfs while ensuring that integrity
> > checks and operations still perform as expected?
> >
>
> Yes.
> As far as IMA is concerned, Overlayfs is like a filesystem user from kernel.
> Very similar to knfsd in that respect.

Fabian, if you're thinking of disabling IMA-appraisal on overlay filesystems, have you tried defining an appraise policy rule based on the overlayfs magic number (e.g. dont_appraise fsmagic=0x794c7630)?

Mimi