From: Mimi Zohar [mailto:zohar@linux.ibm.com]
Sent: Friday, February 11, 2022 1:41 PM

> Hi Roberto,
>
> On Fri, 2022-02-11 at 11:48 +0100, Roberto Sassu wrote:
> > __ima_inode_hash() checks if a digest has already been calculated by looking for the integrity_iint_cache structure associated with the passed inode.
> >
> > Users of ima_file_hash() and ima_inode_hash() (e.g. eBPF) might be interested in obtaining the information without having to set up an IMA policy so that the digest is always available at the time they call one of those functions.
>
> Things obviously changed, but the original use case for this interface, as I recall, was a quick way to determine if a file had been accessed on the system.
>
> --
> thanks,
> Mimi

Hi Mimi,

thanks for the info. I was not sure if I should export a new function or reuse the existing one. In my use case, just calculating the digest would be sufficient.

For finding whether a file was accessed (assuming that it matches the policy), bpf_ima_inode_hash() is probably not too reliable anyway. If the integrity_iint_cache is evicted from memory, it would report that the inode was not accessed even if it was.

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua