On Tue, Apr 9, 2019 at 3:05 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> > As an experiment, I will add 'ima_file_update' function and call it
> > from a few strategic spots (such as vfs write) and see how far that can
> > go removing the crash-recovery band-aid.
>
> Remember somehow EVM will need to be updated as well for it to work.

I will test some more; it seemed to work fine under my quick trials.

> > Adding ima_file_update in there seems to work fine and things stay
> > nicely up to date. It is certainly heavy, but maybe this is only
> > needed when sync() is intentionally being called for the fd?
>
> I was thinking the same thing.

Right, so now if the application is designed correctly the guaranteed
appraisal failure caused by the kernel crash goes to 99.9% (or higher)
reliability. Big improvement, even if not perfect, IMHO.

> > void ima_file_update(struct file *file)
> > {
> >         struct inode *inode = file_inode(file);
> >         struct integrity_iint_cache *iint;
> >
> >         if (!ima_policy_flag || !S_ISREG(inode->i_mode))
> >                 return;
> >
> >         iint = integrity_iint_find(inode);
> >         if (!iint)
> >                 return;
> >
> >         iint->flags &= ~IMA_COLLECTED;
> >         ima_update_xattr(iint, file);
> > }
>
> I would think there needs to be some locking here.
>
> > It would take an additional integrity hook, of course.
>
> That's fine.

Great, I will work up a proper patch and check the locking.

--
Janne
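Added example, not part of the thread or of the IMA code: a small Python model of the crash window the mail discusses. It assumes a simplified kernel in which the security.ima xattr is refreshed only on close today, and optionally also on fsync (the proposed ima_file_update hook); a crash between the last write and the close leaves a stale xattr, so appraisal fails after reboot.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ImaModel:
    """Constructed model: per-file content plus the hash kept in security.ima.
    Assumption: the xattr is rewritten on close, and on fsync only when the
    hypothetical ima_file_update hook is enabled (update_on_fsync=True)."""
    def __init__(self, update_on_fsync: bool):
        self.update_on_fsync = update_on_fsync
        self.disk = {}      # path -> {"data": bytes, "ima": hex digest}
        self.open_fds = {}  # fd -> path of a file open for writing

    def create(self, path: str, data: bytes) -> None:
        self.disk[path] = {"data": data, "ima": digest(data)}

    def open_for_write(self, path: str) -> int:
        fd = 3 + len(self.open_fds)
        self.open_fds[fd] = path
        return fd

    def write(self, fd: int, data: bytes) -> None:
        self.disk[self.open_fds[fd]]["data"] += data   # xattr is now stale

    def ima_file_update(self, path: str) -> None:
        entry = self.disk[path]                        # recompute security.ima
        entry["ima"] = digest(entry["data"])

    def fsync(self, fd: int) -> None:
        if self.update_on_fsync:                       # proposed extra hook
            self.ima_file_update(self.open_fds[fd])

    def close(self, fd: int) -> None:
        self.ima_file_update(self.open_fds.pop(fd))    # existing close-time update

    def crash(self) -> None:
        self.open_fds.clear()                          # no close hook ever runs

    def appraise(self, path: str) -> bool:
        entry = self.disk[path]
        return entry["ima"] == digest(entry["data"])

def crash_after_fsync(update_on_fsync: bool) -> bool:
    """Write, fsync, then crash before close; returns whether appraisal passes."""
    k = ImaModel(update_on_fsync)
    k.create("/etc/app.conf", b"v1\n")
    fd = k.open_for_write("/etc/app.conf")
    k.write(fd, b"v2\n")
    k.fsync(fd)
    k.crash()
    return k.appraise("/etc/app.conf")
```

With update_on_fsync=False the crash leaves a stale xattr and appraisal fails; with the hook enabled an application that fsyncs after writing survives the crash.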