On Fri, Feb 11, 2022 at 1:58 PM Roberto Sassu roberto.sassu@huawei.com wrote:
From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Friday, February 11, 2022 1:41 PM

Hi Roberto,
On Fri, 2022-02-11 at 11:48 +0100, Roberto Sassu wrote:
__ima_inode_hash() checks if a digest has been already calculated by looking for the integrity_iint_cache structure associated to the passed inode.
Users of ima_file_hash() and ima_inode_hash() (e.g. eBPF) might be interested in obtaining the information without having to setup an IMA policy so that the digest is always available at the time they call one of those functions.
Things obviously changed, but the original use case for this interface, as I recall, was a quick way to determine if a file had been accessed on the system.
I believe we were the main users of this and I can confirm we are no longer using this interface to determine if a file has been accessed.
Hi Mimi,
thanks for the info. I was not sure if I should export a new function or reuse the existing one. In my use case, just calculating the digest would be sufficient.
It would actually be nice for us too, sometimes we attach to hooks just before the hash is calculated and being able to calculate the hash would be helpful.
For finding whether a file was accessed (assuming that it matches the policy), bpf_ima_inode_hash() is probably not very reliable anyway. If the integrity_iint_cache is evicted from memory, it would report that the inode was not accessed even if it was.
I agree indeed, we'd have better ways to do this now.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Zhong Ronghua
--
thanks,
Mimi