On Thu, Feb 28, 2019 at 10:05 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > > diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> > > index 09a5def7e28a..6a517282068d 100644
> > > --- a/Documentation/ABI/testing/ima_policy
> > > +++ b/Documentation/ABI/testing/ima_policy
> > > @@ -24,7 +24,8 @@ Description:
> > > [euid=] [fowner=] [fsname=] [subtype=]]
> > > lsm: [[subj_user=] [subj_role=] [subj_type=]
> > > [obj_user=] [obj_role=] [obj_type=]]
> > > - option: [[appraise_type=]] [permit_directio]
> > > + option: [[appraise_type=] [permit_directio]
> > > + [trust_vfs]]
> >
> > Let's generalize "trust_vfs" a bit. How about introducing
> > "collect_type=", with the default being reading and calculating the
> > file hash?
>
> The naming might be based on the VFS name (e.g. vfs_read, vfs_get_hash)
> or on the file_operations name (e.g. read, get_hash).

If collect_type=get_hash and the filesystem doesn't support the get_hash type, should the behaviour be to fall back to read?
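
Review bot: On the `option:` line of the Documentation/ABI/testing/ima_policy hunk, `trust_vfs` is added to the rule grammar but the visible hunk carries no description of it, so a policy author cannot tell from this file what is being trusted or how it differs from the default of reading the file and calculating its hash; add a sentence to the Description that states this. The same lines also move `[permit_directio]` inside the outer brackets (`[[appraise_type=]] [permit_directio]` becomes `[[appraise_type=] [permit_directio]`), which changes the documented grammar beyond adding the new keyword; if that is intentional, say so in the commit message, otherwise keep the original bracketing and append `[trust_vfs]` after it.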