On Wed, Sep 18, 2019 at 6:53 PM James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Mutability for integrity checked executables/data is problematic. With
> IMA you have to update the file and the xattr and make sure nothing
> touches it before you've completed all the updates otherwise you get an
> integrity check failure. This can work if your mutation is simply a
> distro update, but it's really hard to do if the file is constantly
> undergoing mutation because the window where the integrity check fails
> is huge ... thus it depends on your use case for mutability.

Right, but try those patches I posted. They mostly address this, even
android mmap'd databases seem to stay pretty well up to date and the
performance is not entirely destroyed either if tuned a bit.

--
Janne