Hi Fred,

On Fri, 2026-01-30 at 08:00 -0500, Mimi Zohar wrote:
> > Examples are fine, but first describe the problem - not detecting file
> > change on xfs.
> >
> > > In the case of stacking XFS on XFS, an action on either the LOWER or UPPER
> > > will require re-evaluation. Stacking TMPFS on XFS for instance, once the
> > > inode in UPPER is mutated, IMA resumes normal behavior because TMPFS
> > > leverages generic_fillattr() to update the change cookie.
> >
> > This sounds like the same issue - not detecting file change on xfs. The
> > problem is simply manifesting itself on stacked filesystems.
>
> Splitting this patch, so that the base XFS changes are in one patch and the
> stacked filesystem changes are in the other, would really help clarify what is
> needed and the reason why.
Tweaking your script with the following changes, you'll see duplicate audit
entries on the base XFS system, without requiring an overlay filesystem.

echo "audit func=FILE_CHECK uid=$(id -u nobody)" > "$IMA_POLICY"
setpriv --reuid nobody $PWD/rdwr "$TEST_FILE"
setpriv --reuid nobody $PWD/rdwr "$TEST_FILE"
audit_count=$(grep -e "file=\"$TEST_FILE\"" /var/log/audit/audit.log | grep -c "comm=\"rdwr\"")

"rdwr" is a C program that opens the file read-write, using the open() syscall.

Mimi
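The rdwr helper referred to above is not included in the thread. The C program below is an added example written here, not Mimi's actual rdwr, that does what the message describes: open the given file with O_RDWR via open() and close it again without reading or writing. As an addition beyond the message, it also records mtime/ctime before and after, so the reader can confirm that the open itself does not modify the file; whether IMA emits a second audit record for such an open (the behaviour discussed in the thread) is only visible in the audit log, as in the script, not to the program. The self_check() function and its temporary file are constructed for testing and are not part of the described setup.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open PATH read-write with open(), then close it without reading or
 * writing. Returns 0 on success, -1 if open() failed (errno is set). */
int open_rdwr(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Run open_rdwr() on PATH and compare the inode timestamps around it.
 * Returns 1 if mtime and ctime are unchanged (no data or metadata write
 * happened), 0 if either changed, -1 on error. */
int rdwr_leaves_timestamps(const char *path)
{
    struct stat before, after;

    if (stat(path, &before) < 0)
        return -1;
    if (open_rdwr(path) < 0)
        return -1;
    if (stat(path, &after) < 0)
        return -1;
    return (before.st_mtime == after.st_mtime &&
            before.st_ctime == after.st_ctime) ? 1 : 0;
}

/* Constructed self-test (assumption: /tmp is writable): create a sample
 * file, run the check on it, remove it, and return the check's result. */
int self_check(void)
{
    char path[] = "/tmp/rdwr-sample-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    int r;

    if (fd < 0)
        return -1;
    if (write(fd, "sample\n", 7) != 7) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    r = rdwr_leaves_timestamps(path);
    unlink(path);
    return r;
}

int main(int argc, char **argv)
{
    int r;

    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }
    r = rdwr_leaves_timestamps(argv[1]);
    if (r < 0) {
        perror(argv[1]);
        return 1;
    }
    printf("%s: opened O_RDWR and closed; mtime/ctime %s\n",
           argv[1], r ? "unchanged" : "changed");
    return 0;
}
```

Built with a plain `cc -o rdwr rdwr.c`, it can be dropped into the script above in place of the original rdwr; running it twice on the same file as the unprivileged user gives two O_RDWR opens of an unmodified file, which is the case in which the duplicate IMA audit entries are being counted.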
