On Tue, Apr 9, 2019 at 10:58 AM Janne Karhunen <janne.karhunen@xxxxxxxxx> wrote:
>
> On Mon, Apr 8, 2019 at 4:11 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > The question of how much/how little to measure/appraise/audit is based
> > on policy and affects the integrity of the system and its performance.
> > Detecting and updating the file hash each time the file changes would
> > have major performance repercussions. Even that wouldn't solve the
> > problem, as the file change is in cache. Writing the file hash as an
> > xattr and making the file change persistent needs to be coordinated,
> > probably at the filesystem level.
>
> As an experiment, I will add an 'ima_file_update' function and call it
> from a few strategic spots (such as vfs write) and see how far that can
> go in removing the crash-recovery band-aid.

Adding ima_file_update in there seems to work fine and things stay nicely
up to date. It is certainly heavy, but maybe this is only needed when
sync() is intentionally being called for the fd?

void ima_file_update(struct file *file)
{
	struct inode *inode = file_inode(file);
	struct integrity_iint_cache *iint;

	/* Nothing to do without an active policy or for non-regular files. */
	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
		return;

	iint = integrity_iint_find(inode);
	if (!iint)
		return;

	/* Drop the cached measurement so the hash is re-collected and re-written. */
	iint->flags &= ~IMA_COLLECTED;
	ima_update_xattr(iint, file);
}

It would take an additional integrity hook, of course.

--
Janne
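To make the trade-off in this exchange concrete, here is an added userspace model of the flow being discussed; it is not kernel code and not Janne's patch. It stands in a fixed buffer for the page cache, a struct with an IMA_COLLECTED-style flag and a stored hash for the iint/security.ima xattr, and FNV-1a for the real file hash (all of these are simplifications chosen for the example). It contrasts refreshing the xattr on every write with refreshing it only on sync, counting hash operations as the cost and checking whether appraisal would see a stale hash in between.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model only: names, flags and hash are stand-ins, not IMA's. */
#define SIM_COLLECTED 0x1u
#define SIM_MAX_CONTENT 1024

struct sim_inode {            /* stands in for the in-cache file content */
    char data[SIM_MAX_CONTENT];
    size_t len;
};

struct sim_iint {             /* stands in for integrity_iint_cache */
    unsigned int flags;
    uint64_t xattr_hash;      /* value "persisted" as the file hash xattr */
    unsigned int hash_ops;    /* cost counter: how many full hashes ran */
};

struct sim_file {
    struct sim_inode *inode;
    struct sim_iint *iint;
};

/* FNV-1a over the content; a cheap placeholder for the real digest. */
static uint64_t fnv1a(const char *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= (unsigned char)p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Recompute the hash and store it, like collect + ima_update_xattr. */
static void sim_update_xattr(struct sim_file *f)
{
    f->iint->xattr_hash = fnv1a(f->inode->data, f->inode->len);
    f->iint->hash_ops++;
    f->iint->flags |= SIM_COLLECTED;
}

/* Model of the proposed ima_file_update(): invalidate, then re-collect. */
void sim_ima_file_update(struct sim_file *f)
{
    f->iint->flags &= ~SIM_COLLECTED;
    sim_update_xattr(f);
}

/* Model of a vfs write: content changes in cache. With update_on_write
 * the hook runs here (one hash per write); otherwise only sync refreshes. */
void sim_write(struct sim_file *f, const char *buf, size_t n, int update_on_write)
{
    if (f->inode->len + n > SIM_MAX_CONTENT)
        n = SIM_MAX_CONTENT - f->inode->len;
    memcpy(f->inode->data + f->inode->len, buf, n);
    f->inode->len += n;
    if (update_on_write)
        sim_ima_file_update(f);
}

/* Appraisal check: 1 if the stored hash matches current content, else 0. */
int sim_appraise(const struct sim_file *f)
{
    return f->iint->xattr_hash == fnv1a(f->inode->data, f->inode->len);
}

/* Run n_writes writes after an initial labelling, then a sync.
 * Returns hash ops; *stale is 1 if appraisal would fail just before sync. */
static unsigned int sim_run(int n_writes, int update_on_write, int *stale)
{
    struct sim_inode inode = { {0}, 0 };
    struct sim_iint iint = { 0, 0, 0 };
    struct sim_file f = { &inode, &iint };

    sim_ima_file_update(&f);                 /* initial label */
    for (int i = 0; i < n_writes; i++)
        sim_write(&f, "chunk;", 6, update_on_write);
    *stale = !sim_appraise(&f);              /* what a reader sees pre-sync */
    sim_ima_file_update(&f);                 /* the sync-time refresh */
    return iint.hash_ops;
}

unsigned int sim_cost(int n_writes, int update_on_write)
{
    int stale;
    return sim_run(n_writes, update_on_write, &stale);
}

int sim_stale_before_sync(int n_writes, int update_on_write)
{
    int stale;
    sim_run(n_writes, update_on_write, &stale);
    return stale;
}

int main(void)
{
    printf("update on write: %u hashes, stale before sync: %d\n",
           sim_cost(10, 1), sim_stale_before_sync(10, 1));
    printf("update on sync : %u hashes, stale before sync: %d\n",
           sim_cost(10, 0), sim_stale_before_sync(10, 0));
    return 0;
}
```

With ten writes the per-write hook costs twelve hashes (initial label, ten writes, sync) and the hash is never stale; the sync-only variant costs two hashes but leaves the stored hash stale for the whole window between the first write and the sync, which is the cache-versus-persisted gap the thread is worried about.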