From: Sascha H. <s....@pe...> - 2017-09-20 07:23:46
Mimi,
On Wed, Sep 13, 2017 at 04:15:13PM +0200, Sascha Hauer wrote:
> IMA uses the inode's i_version field to detect changes on an inode.
> This seems to be an optimization for IMA and not strictly necessary.
> Just ignore the i_version field if it is zero and measure the file
> anyway. On filesystems which do not support i_version this may result
> in an unnecessary re-measurement of a file when it has been opened for
> writing without anything actually being written. For filesystems with
> i_version support the behaviour doesn't change.
>
> Signed-off-by: Sascha Hauer <s....@pe...>
> ---
> security/integrity/ima/ima_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> I'm not sure if this patch is appropriate, but even when it's not it
> would be interesting to know why it isn't.
Any input to this one?
Sascha
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index ac66680689d3..931773049a09 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -123,7 +123,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
>
> inode_lock(inode);
> if (atomic_read(&inode->i_writecount) == 1) {
> - if ((iint->version != inode->i_version) ||
> + if (!inode->i_version || (iint->version != inode->i_version) ||
> (iint->flags & IMA_NEW_FILE)) {
> iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
> iint->measured_pcrs = 0;
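Review bot: The new `!inode->i_version ||` term in ima_check_last_writer() deserves a one-line comment stating that i_version == 0 is being treated as "filesystem does not maintain i_version" and therefore always triggers re-measurement; read cold, the condition looks like it special-cases a legitimate version value. The cost the commit message describes (an extra measurement on every last-writer close when nothing was written, on filesystems without i_version) is a real change in log volume for the measurement list, so it would help to mention in the comment that this is the intended trade-off and that the existing `iint->version != inode->i_version` comparison is unchanged for filesystems that do support i_version.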
> --
> 2.11.0
>
>
--
Pengutronix e.K.
Industrial Linux Solutions | http://www.pengutronix.de/
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555