Hi Tushar, On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote: > diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c > > index c096ef8945c7..fbf359495fa8 100644 > --- a/security/integrity/ima/ima_queue.c > +++ b/security/integrity/ima/ima_queue.c > @@ -158,7 +158,7 @@ static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr) > */ > int ima_add_template_entry(struct ima_template_entry *entry, int violation, > const char *op, struct inode *inode, > - const unsigned char *filename) > + const unsigned char *filename, bool allow_dup) > { > u8 *digest = entry->digests[ima_hash_algo_idx].digest; > struct tpm_digestate_entry(struct ima_template_entry *entry, int violation, > > mutex_lock(&ima_extend_list_mutex); > if (!violation) { > - if (ima_lookup_digest_entry(digest, entry->pcr)) { > + if (!allow_dup && > + ima_lookup_digest_entry(digest, entry->pcr)) { Can't this change be simplified to "if (!violation && !allow_dup)"? Also perhaps instead of passing another variable "allow_dup" to each of these functions, pass a mask containing violation and allow_dup. > audit_cause = "hash_exists"; > result = -EEXIST; > goto out; thanks, Mimi
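Review bot: The new `allow_dup` argument on `ima_add_template_entry()` is not described anywhere in the quoted hunks, and when it is true the `hash_exists` lookup in the second hunk is skipped, so every call appends another record and presumably extends the PCR again. The comment that ends just above the signature (only its closing `*/` is visible here) should state this, for example `allow_dup: record the entry even if its digest is already in the list; the caller must bound how often it asks for this`. If any caller passing true can be triggered repeatedly by an unprivileged event, the measurement list loses the deduplication that limits its growth today; the callers are outside the quoted text, so that needs checking against the rest of the series. The function body continues past both hunks.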