On Tue, 2022-02-15 at 08:00 +0000, Roberto Sassu wrote:
> I found that just checking that iint->ima_hash is not NULL is not enough (ima_inode_hash() might still return the old digest after a file write). Should I replace that check with !(iint->flags & IMA_COLLECTED)? Or should I do that only for ima_file_hash() and recalculate the digest if necessary?
Updating the file hash after each write would really impact IMA performance. If you really want to detect any file change, no matter how frequently it occurs, your best bet would be to track i_generation and i_version. Stefan is already adding "i_generation" for IMA namespacing.
> I just wanted the ability to get a fresh digest after a file opened for writing is closed. Since in my use case I would not use an IMA policy, that would not be a problem.
As I recall, the __fput() delay was to prevent locking ordering issues - inode, iint.