On Fri, 2026-05-01 at 09:16 -0700, Danny Hu wrote: > On Fri, May 1, 2026 at 4:42 AM Mimi Zohar <[email protected]> wrote: > > > > On Thu, 2026-04-30 at 21:32 -0500, Sahil Gupta wrote: > > > > Have you considered using IS_RDONLY(real_inode)? > > > > > > OOC are ima caches invalidated on fs reconfigure? If that is the case, > > > then IS_RDONLY ought to do the trick. > > > > Per-inode IMA integrity status (iint) is now stored directly in the inode's > > LSM > > security blob rather than in a red-black tree cache. By "fs > > reconfiguration", > > do you mean remounting the filesystem? If so, the iint stored in the LSM > > security blob should be freed when the filesystem is unmounted. > > > > We considered using IS_RDONLY(), but the concern involved the remount > path rather than an explicit unmount and subsequent mount. From my > understanding, userspace can toggle the read only flag using "mount -o > remount,rw" without freeing the inodes from memory. A malicious user > could then exploit this by caching the appraisal result, modifying the > file, remounting fs as read-only, and then IMA would trust the cached > appraisal result.
Thank you for the explanation. Just be aware that IS_IMMUTABLE is already defined. Otherwise your suggestion is plausible. Mimi
