On Mon, 2019-04-08 at 12:22 +0300, Janne Karhunen wrote:
> Hi,
>
> Hmm, looks to me ima_update_xattr seems to be kicking in only from the
> appraisal failure when in fix mode or via fput() delayed work item.
> So, no sync() or anything like that will ever help and there is
> nothing listening on the i_version updates. Moreover, there is no
> integrity hook for write() or sync() to put such update in. Uh. I was
> under impression it would somehow see the interim file updates, but I
> guess no. Fundamental misunderstanding from my point of view how this
> thing works, duh.

The question of how much/how little to measure/appraise/audit is based on policy and affects the integrity of the system and its performance. Detecting and updating the file hash each time the file changes would have major performance repercussions. Even that wouldn't solve the problem, as the file change is in cache. Writing the file hash as an xattr and making the file change persistent needs to be coordinated, probably at the filesystem level.

Mimi