From: Roberto Sassu <roberto.sassu@huawei.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
"shuah@kernel.org" <shuah@kernel.org>,
"ast@kernel.org" <ast@kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"andrii@kernel.org" <andrii@kernel.org>,
"kpsingh@kernel.org" <kpsingh@kernel.org>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Florent Revest <revest@google.com>
Subject: RE: [PATCH] ima: Calculate digest in ima_inode_hash() if not available
Date: Fri, 11 Feb 2022 12:57:52 +0000 [thread overview]
Message-ID: <3d0bdb4599e340a78b06094797e42bc9@huawei.com> (raw)
In-Reply-To: <f9ccc9be6cc084e9cab6cd75e87735492d120002.camel@linux.ibm.com>
> From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> Sent: Friday, February 11, 2022 1:41 PM
> Hi Roberto,
>
> On Fri, 2022-02-11 at 11:48 +0100, Roberto Sassu wrote:
> > __ima_inode_hash() checks if a digest has been already calculated by
> > looking for the integrity_iint_cache structure associated to the passed
> > inode.
> >
> > Users of ima_file_hash() and ima_inode_hash() (e.g. eBPF) might be
> > interested in obtaining the information without having to setup an IMA
> > policy so that the digest is always available at the time they call one of
> > those functions.
>
> Things obviously changed, but the original use case for this interface,
> as I recall, was a quick way to determine if a file had been accessed
> on the system.
Hi Mimi
thanks for the info. I was not sure if I should export a new
function or reuse the existing one. In my use case, just calculating
the digest would be sufficient.
For finding whether a file was accessed (assuming that it matches
the policy), probably bpf_ima_inode_hash() is not anyway too reliable.
If integrity_iint_cache is evicted from the memory, it would report
that the inode was not accessed even if it was.
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
> --
> thanks,
>
> Mimi
next prev parent reply other threads:[~2022-02-11 12:58 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-11 10:48 [PATCH] ima: Calculate digest in ima_inode_hash() if not available Roberto Sassu
2022-02-11 12:40 ` Mimi Zohar
2022-02-11 12:57 ` Roberto Sassu [this message]
2022-02-11 13:11 ` Florent Revest
2022-02-13 13:06 ` Mimi Zohar
2022-02-14 17:05 ` Roberto Sassu
2022-02-14 22:32 ` Mimi Zohar
2022-02-15 8:00 ` Roberto Sassu
2022-02-15 11:16 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3d0bdb4599e340a78b06094797e42bc9@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kpsingh@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=revest@google.com \
--cc=shuah@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox