On Mon, Apr 8, 2019 at 4:11 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> The question of how much/how little to measure/appraise/audit is based
> on policy and affects the integrity of the system and its performance.
> Detecting and updating the file hash each time the file changes would
> have major performance repercussions. Even that wouldn't solve the
> problem, as the file change is in cache. Writing the file hash as an
> xattr and making the file change persistent needs to be coordinated,
> probably at the filesystem level.

As an experiment, I will add an 'ima_file_update' function and call it from a few strategic spots (such as vfs write) and see how far that can go toward removing the crash-recovery band-aid. If the hash is in sync with the latest write, there is at least some hope of recovery, since the emergency sync on crash should flush this data along with the rest of it (I think). If this works, it will at least give an option to use IMA relatively safely, given that you are aware of it.

-- Janne
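As an added example, not code from this thread or from the kernel's IMA implementation, the following Python model plays out the two positions above: an IMA-style hash xattr that is refreshed only when the file is closed versus one refreshed on every write (Janne's proposed `ima_file_update`, whose name is his; its placement in the write path is assumed here), followed by a crash before close. The three flush modes (`none`, `data`, `all`) are an assumption about what a crash-time emergency sync might persist, introduced to show the coordination problem Mimi describes; `ModelFile`, `appraise_after_crash` and the constructed file contents are all hypothetical.

```python
"""Constructed model of IMA appraisal across a crash (added example).

Not kernel code: a file's data and its hash xattr (security.ima in IMA)
each exist as an on-disk copy and a cached copy. Two policies are
compared: hash refreshed only on close (existing IMA behaviour as
described in the mail) and hash refreshed on every write (the proposed
ima_file_update, assumed to be called from the write path).
"""
import hashlib


def digest(data: bytes) -> bytes:
    """Hash the file content the way an IMA hash xattr would record it."""
    return hashlib.sha256(data).digest()


class ModelFile:
    def __init__(self, data: bytes, hash_on_write: bool):
        self.hash_on_write = hash_on_write
        # Persistent state: data block and xattr, consistent at start.
        self.disk_data = data
        self.disk_xattr = digest(data)
        # Cached state: page cache contents and the in-memory xattr.
        self.cache_data = data
        self.cache_xattr = self.disk_xattr

    def write(self, data: bytes) -> None:
        """A write lands in the page cache; disk is untouched until a sync."""
        self.cache_data = data
        if self.hash_on_write:
            # Hypothetical ima_file_update(): keep the xattr in step with data.
            self.cache_xattr = digest(data)

    def close(self) -> None:
        """Close-time update: the hash catches up with the content."""
        self.cache_xattr = digest(self.cache_data)

    def crash(self, flush: str) -> None:
        """Crash before close. `flush` says what the emergency sync persists:
        'none' (dirty cache lost), 'data' (data flushed, xattr not),
        'all' (data and xattr flushed together). Assumed modes."""
        if flush in ("data", "all"):
            self.disk_data = self.cache_data
        if flush == "all":
            self.disk_xattr = self.cache_xattr
        # After reboot the cache is repopulated from disk.
        self.cache_data = self.disk_data
        self.cache_xattr = self.disk_xattr

    def appraise(self) -> bool:
        """Appraisal on next open: stored hash must match the content."""
        return digest(self.disk_data) == self.disk_xattr


def appraise_after_crash(hash_on_write: bool, flush: str) -> bool:
    """Overwrite the file, crash before close, appraise after reboot."""
    f = ModelFile(b"original contents", hash_on_write)  # constructed input
    f.write(b"modified contents")
    f.crash(flush)
    return f.appraise()


def appraise_after_clean_close(hash_on_write: bool) -> bool:
    """Same edit, but closed and synced normally: both policies pass."""
    f = ModelFile(b"original contents", hash_on_write)
    f.write(b"modified contents")
    f.close()
    f.crash("all")  # reuse the flush path as an orderly sync of everything
    return f.appraise()


if __name__ == "__main__":
    for hash_on_write in (False, True):
        for flush in ("none", "data", "all"):
            policy = "hash-on-write" if hash_on_write else "hash-on-close"
            print(f"{policy:14s} flush={flush:5s} appraise="
                  f"{appraise_after_crash(hash_on_write, flush)}")
```

Running the table shows the two points of the thread side by side: with hash-on-close, any crash that flushes the new data leaves a stale xattr and appraisal fails on reboot; with hash-on-write, appraisal survives a crash only when the sync persists data and xattr together (`all`), and still fails when only the data reaches disk (`data`), which is the filesystem-level coordination Mimi refers to.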