From: Roberto S. <myr...@gm...> - 2009-07-23 12:18:16
Hello all,

I have two questions about how IMA (distributed in the latest 2.6.30.2 kernel) detects file changes.

First, I see that the i_version field of an inode structure is incremented each time the file gets modified. Is it possible to change the file as many times as necessary to overflow the counter and obtain the same value stored in the IMA table (to avoid this event being reported)?

Second, I see that the sb_umount hook is no longer used, so all measured files on a removable device are not marked as DIRTY, but I suppose that the measurement decision will be taken the next time the volume is mounted by comparing the two i_version integers. Isn't this dangerous, because the i_version modification of inodes on the removable device is out of the control of the integrity system? (For example, I can mount the removable device on another, insecure system that modifies some files without incrementing the i_version field of the inode.)

Thanks in advance
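
An added example, not part of the original post and not IMA or kernel code: a simplified model of the two cases raised above, a cached-counter comparison next to a content re-hash. All names are hypothetical, FNV-1a stands in for the measurement hash, and the counter width is a parameter of the model (no claim is made about the real width of i_version).

```c
#include <stdint.h>

/* Simplified model, not kernel or IMA code; every name is hypothetical. */
struct model_inode { uint64_t version; const char *data; };  /* version ~ i_version */
struct model_cache { uint64_t version; uint64_t digest; };   /* state at last measurement */

/* FNV-1a stands in for the measurement hash (illustration only). */
static uint64_t model_digest(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++)
        h = (h ^ (unsigned char)*s) * 1099511628211ULL;
    return h;
}

static void model_measure(struct model_cache *c, const struct model_inode *i)
{
    c->version = i->version;
    c->digest = model_digest(i->data);
}

/* Version-only decision: re-measure only when the counter differs. */
static int stale_by_version(const struct model_cache *c, const struct model_inode *i)
{
    return c->version != i->version;
}

/* Content decision: re-hash and compare, independent of the counter. */
static int stale_by_digest(const struct model_cache *c, const struct model_inode *i)
{
    return c->digest != model_digest(i->data);
}

/* Measure, change the content `writes` times, then return 1 if the version
 * check misses a change that the digest check catches. `bits` is the model's
 * counter width; bump == 0 models a system that never touches the counter. */
static int version_check_misses(unsigned bits, uint64_t writes, int bump)
{
    uint64_t mask = bits >= 64 ? UINT64_MAX : ((1ULL << bits) - 1);
    struct model_inode ino = { 0, "original" };
    struct model_cache cache;
    model_measure(&cache, &ino);
    for (uint64_t n = 0; n < writes; n++) {
        ino.data = "modified";
        if (bump)
            ino.version = (ino.version + 1) & mask;
    }
    return !stale_by_version(&cache, &ino) && stale_by_digest(&cache, &ino);
}
```

In this model the counter comparison is only a hint for when to re-measure. The content digest is what detects the change in both cases.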