On Mon, 2019-03-04 at 11:52 -0800, Matthew Garrett wrote:
> On Thu, Feb 28, 2019 at 2:38 PM Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
> >
> > On Thu, Feb 28, 2019 at 1:59 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> > > On Thu, 2019-02-28 at 13:41 -0800, Matthew Garrett wrote:
> > > > If collect_type=get_hash and the filesystem doesn't support the
> > > > get_hash type, should the behaviour be to fall back to read?
> > >
> > > "get_hash" should be limited to a specific filesystem type and
> > > subtype.  Based on the filesystem type and subtype, couldn't a warning
> > > be emitted at policy load time?
> >
> > The policy may be loaded before the filesystem is mounted, so even if
> > we added a capabilities mechanism we wouldn't be able to verify it.
> > There are also potentially cases where a filesystem could support hash
> > retrieval for some files but not others, and in that case we'd
> > probably want to fall back to reading the file.
>
> To be clear, I'm entirely happy to make this change - I'd just like to
> ensure that I do it the right way!

Falling back to reading the file is fine.  So we're assuming that the
person signing a policy containing "get_hash" understands the
ramifications.  And yes, only signed policies containing "get_hash"
should be loaded.

I'd really appreciate a regression test (e.g. ltp, xfstests, or
kselftests).

Mimi
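The two decisions settled in the thread above (try the filesystem-provided hash when the policy asks for get_hash and fall back to reading the file whenever that is unavailable, including per file; and refuse to load an unsigned policy that contains get_hash) as a stand-alone C model. This is an added example, not code from the IMA patch series or from the kernel: the struct names, the fs_ops table with its optional get_hash callback, the FNV-1a stand-in digest, the EOPNOTSUPP/EACCES return codes and the sample files are all assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model file: its content plus whether the filesystem can hand back a digest for it. */
struct mfile {
    const char *name;
    const char *data;
    bool has_fs_hash;
};

/* Stand-in digest (64-bit FNV-1a) so the model runs offline; IMA uses SHA-family hashes. */
static uint64_t fnv1a64(const void *buf, size_t len) {
    const unsigned char *p = buf;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Hypothetical filesystem ops table: get_hash is NULL when the fs type has no such op. */
struct fs_ops {
    const char *type;
    int (*get_hash)(const struct mfile *f, uint64_t *out);
};

/* Filesystem that can return a digest for some files but not others (assumed behaviour). */
static int partial_get_hash(const struct mfile *f, uint64_t *out) {
    if (!f->has_fs_hash) return -EOPNOTSUPP;
    *out = fnv1a64(f->data, strlen(f->data));
    return 0;
}

static const struct fs_ops fs_with_hash = { "fs_with_hash", partial_get_hash };
static const struct fs_ops fs_plain     = { "fs_plain", NULL };

enum collect_type { COLLECT_READ, COLLECT_GET_HASH };
struct policy { enum collect_type collect_type; bool signed_policy; };

/* Load-time gate: a policy containing get_hash is accepted only if it is signed. */
static int load_policy(const struct policy *p) {
    if (p->collect_type == COLLECT_GET_HASH && !p->signed_policy) return -EACCES;
    return 0;
}

enum path_used { PATH_READ, PATH_GET_HASH };

/* Collect a digest: use get_hash when requested and the fs delivers one, else read the file. */
static uint64_t collect(const struct policy *p, const struct fs_ops *fs,
                        const struct mfile *f, enum path_used *used) {
    uint64_t d;
    if (p->collect_type == COLLECT_GET_HASH && fs->get_hash && fs->get_hash(f, &d) == 0) {
        *used = PATH_GET_HASH;
        return d;
    }
    *used = PATH_READ;                       /* fallback: hash the file contents ourselves */
    return fnv1a64(f->data, strlen(f->data));
}

/* Which path collect() took for this policy/fs/file combination. */
static enum path_used collect_path(const struct policy *p, const struct fs_ops *fs, const struct mfile *f) {
    enum path_used used;
    collect(p, fs, f, &used);
    return used;
}

/* Whether the collected digest agrees with what a plain read of the file would yield. */
static bool collect_matches_read(const struct policy *p, const struct fs_ops *fs, const struct mfile *f) {
    enum path_used used;
    return collect(p, fs, f, &used) == fnv1a64(f->data, strlen(f->data));
}

/* Constructed sample inputs. */
static const struct mfile  file_hashed           = { "a.txt", "hello", true };
static const struct mfile  file_unhashed         = { "b.txt", "world", false };
static const struct policy pol_unsigned_get_hash = { COLLECT_GET_HASH, false };
static const struct policy pol_signed_get_hash   = { COLLECT_GET_HASH, true };
static const struct policy pol_read              = { COLLECT_READ, true };

int main(void) {
    printf("unsigned get_hash policy load: %d\n", load_policy(&pol_unsigned_get_hash));
    printf("signed get_hash policy load:   %d\n", load_policy(&pol_signed_get_hash));
    printf("fs_plain, a.txt:        %s\n", collect_path(&pol_signed_get_hash, &fs_plain, &file_hashed) == PATH_READ ? "read" : "get_hash");
    printf("fs_with_hash, a.txt:    %s\n", collect_path(&pol_signed_get_hash, &fs_with_hash, &file_hashed) == PATH_READ ? "read" : "get_hash");
    printf("fs_with_hash, b.txt:    %s\n", collect_path(&pol_signed_get_hash, &fs_with_hash, &file_unhashed) == PATH_READ ? "read" : "get_hash");
    return 0;
}
```

The model keeps the two checks in different places on purpose: the signature requirement is enforced once, at policy load, while support for get_hash is probed per file at collection time, since (as noted above) the filesystem may not be mounted yet when the policy is loaded and support may vary from file to file within one filesystem.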