On Wed, 2021-07-07 at 15:10 +0000, THOBY Simon wrote:
> > > Is there any way to enforce the use of the hash specified in the
> > > 'ima_hash' cmdline parameter ?
> >
> > The cmdline parameter overrides the compile time default hash algorithm
> > used for (re-)calculating the file hash.
> >
>
> Yes, but that only applies to the hashes performed automatically by the kernel,
> not to a user relabelling his whole / with
> find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec evmctl ima_hash '{}' 2> /dev/null \;
> and forgetting to specify a stronger algorithm (that's how I learned of this pitfall myself).

If you were interested in limiting which algorithms could be used, the change
would be made in ima_inode_setxattr(). I'd be interested in seeing what you
come up with.

thanks,

Mimi
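Added example, not part of the thread: a small offline audit of the security.ima xattr format that reports files whose stored hash uses an algorithm below the one you expect the kernel to enforce, which is exactly what a relabel with the tool's default algorithm leaves behind. The type and algorithm byte values follow the kernel's evm_ima_xattr_type and enum hash_algo; the sample xattr values and paths are constructed.

```python
import os
from typing import Dict, List, Optional, Tuple

# security.ima value layouts (security/integrity/integrity.h)
IMA_XATTR_DIGEST = 0x01       # legacy: raw md5/sha1 digest, no algorithm byte
EVM_IMA_XATTR_DIGSIG = 0x03   # signature over the hash; verified by key, not parsed here
IMA_XATTR_DIGEST_NG = 0x04    # algorithm id byte followed by the digest

# enum hash_algo from include/uapi/linux/hash_info.h (leading entries)
HASH_ALGO = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160", 4: "sha256",
             5: "sha384", 6: "sha512", 7: "sha224"}

def ima_xattr_algo(value: bytes) -> Optional[str]:
    """Return the hash algorithm a security.ima value records, None for signatures."""
    if not value:
        return None
    if value[0] == IMA_XATTR_DIGEST_NG and len(value) >= 2:
        return HASH_ALGO.get(value[1], "unknown")
    if value[0] == IMA_XATTR_DIGEST:
        # legacy format carries no id; infer from digest length as the kernel does
        return {16: "md5", 20: "sha1"}.get(len(value) - 1, "unknown")
    return None

def below_policy(xattrs: Dict[str, bytes],
                 allowed=("sha256", "sha384", "sha512")) -> List[Tuple[str, str]]:
    """Paths whose stored hash algorithm is not in the allowed set."""
    findings = []
    for path, value in sorted(xattrs.items()):
        algo = ima_xattr_algo(value)
        if algo is not None and algo not in allowed:
            findings.append((path, algo))
    return findings

def read_ima_xattrs(paths) -> Dict[str, bytes]:
    """Collect security.ima from real files (requires read access to the xattr)."""
    out = {}
    for p in paths:
        try:
            out[p] = os.getxattr(p, "security.ima", follow_symlinks=False)
        except OSError:
            pass  # no xattr or not permitted; nothing to audit
    return out

# constructed sample values: one sha256 label, one sha1 label, one legacy sha1, one signature
SAMPLE = {
    "/usr/bin/ok":     bytes([IMA_XATTR_DIGEST_NG, 4]) + b"\x11" * 32,
    "/usr/bin/weak":   bytes([IMA_XATTR_DIGEST_NG, 2]) + b"\x22" * 20,
    "/usr/bin/legacy": bytes([IMA_XATTR_DIGEST]) + b"\x33" * 20,
    "/usr/bin/signed": bytes([EVM_IMA_XATTR_DIGSIG, 2]) + b"\x44" * 64,
}

if __name__ == "__main__":
    for path, algo in below_policy(SAMPLE):
        print(f"{path}: labelled with {algo}, below policy")
```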