On Sun, 2017-10-01 at 22:25 -0500, Eric W. Biederman wrote:
> Mimi Zohar <zo...@linux.vnet.ibm.com> writes:
>
> > There should be no open writers in ima_check_last_writer(), so the
> > file shouldn't be changing.
>
> This is slightly tangential but I think important to consider.
> What do you do about distributed filesystems (fuse, nfs, etc.) that
> can change the data behind the kernel's back?

Exactly!

> Do you not support such systems or do you have a sufficient way to
> detect changes?

Currently, only the initial file access in policy is measured, verified, audited. Even if there were a way of detecting the change, since we can't trust these file systems, the performance would be awful, but we should probably not be caching the measurement/verification results.

Mimi
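The failure mode the thread is circling, as an added example that is not part of the original thread and not the kernel's IMA code: a toy model of "measure on first access, then trust the cached result as long as the inode version has not moved". A write that goes through the VFS bumps the version and the cache is refreshed; a write that lands on the server side of an nfs or fuse mount changes the bytes without the kernel noticing, so the cached digest is returned for contents it never covered. The struct and field names are hypothetical simplifications, and FNV-1a stands in for the real measurement digest so the program runs without a crypto library.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the real IMA digest (sha1/sha256): FNV-1a 64-bit.
 * Only here so the example builds without a crypto library. */
static uint64_t digest(const char *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Toy inode (hypothetical): i_version is bumped only by writes that the
 * kernel itself performs. */
struct toy_inode {
    char data[64];
    size_t len;
    uint64_t i_version;
};

/* Toy per-inode integrity state (hypothetical names), loosely modelled on
 * the idea of caching a measurement result per inode. */
struct toy_iint {
    bool measured;
    uint64_t version_at_measure;
    uint64_t cached_digest;
};

/* A write through the VFS: the kernel sees it and bumps i_version. */
static void local_write(struct toy_inode *ino, const char *s)
{
    ino->len = strlen(s);
    memcpy(ino->data, s, ino->len);
    ino->i_version++;
}

/* A write on the server side of nfs/fuse: the data changes, but the
 * kernel observes nothing, so i_version stays put. */
static void remote_write(struct toy_inode *ino, const char *s)
{
    ino->len = strlen(s);
    memcpy(ino->data, s, ino->len);
}

/* Measurement at open time. With cache_results the digest is recomputed
 * only when i_version moved; without it every open re-hashes the file. */
static uint64_t collect_measurement(struct toy_iint *iint,
                                    const struct toy_inode *ino,
                                    bool cache_results)
{
    if (cache_results && iint->measured &&
        iint->version_at_measure == ino->i_version)
        return iint->cached_digest;

    iint->cached_digest = digest(ino->data, ino->len);
    iint->version_at_measure = ino->i_version;
    iint->measured = true;
    return iint->cached_digest;
}

/* Open the file, change it the given way, open it again, and report
 * whether the digest returned on the second open matches what is
 * actually in the file. Sample contents are constructed. */
static bool second_open_is_accurate(bool remote, bool cache_results)
{
    struct toy_inode ino = {0};
    struct toy_iint iint = {0};

    local_write(&ino, "#!/bin/sh\necho trusted\n");
    collect_measurement(&iint, &ino, cache_results);

    if (remote)
        remote_write(&ino, "#!/bin/sh\necho tampered\n");
    else
        local_write(&ino, "#!/bin/sh\necho tampered\n");

    uint64_t reported = collect_measurement(&iint, &ino, cache_results);
    uint64_t actual = digest(ino.data, ino.len);
    return reported == actual;
}

int main(void)
{
    printf("local write,  cached  : %s\n",
           second_open_is_accurate(false, true) ? "accurate" : "STALE");
    printf("remote write, cached  : %s\n",
           second_open_is_accurate(true, true) ? "accurate" : "STALE");
    printf("remote write, no cache: %s\n",
           second_open_is_accurate(true, false) ? "accurate" : "STALE");
    return 0;
}
```

The third case is the "don't cache" policy from the reply above: it is correct on an untrusted filesystem, at the cost of re-hashing the whole file on every open, which is the performance cost the reply warns about.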