Menu
▾
▴
Re: [Linux-ima-user] IMA hash update
|
From: Mimi Z. <zo...@li...> - 2015-09-17 21:39:38
|
On Thu, 2015-09-17 at 12:48 +0200, Patrick Ohly wrote: > Hello! > > I have a system setup such that some files are hashed on the target > device. That works fine in most cases: "echo foo >bar" creates bar with > a valid security.ima and it can be updated with "echo abc >>bar", even > after a reboot. > > However, after a power off without properly shutting down first, a > sqlite3 DB file ended up with an invalid hash in security.ima. That > leads me to one question: when a file gets written to, when is the > security.ima hash updated? > > My theory is that sqlite3 has written and synced new data to the DB > file, but the hash wasn't updated yet when the machine was powered off, > or it wasn't synced to disk. If that's true, then I need to rethink > where such DB files get stored and how they will be protected. Updating the hash after each write would be a major performance hit. The hash is updated after the last close for write, during __fput(). Mimi |
