On Mon, 2024-03-11 at 10:11 +0100, Roberto Sassu wrote: > > > > @@ -386,8 +402,6 @@ static int process_measurement(struct file *file, > > > const > > > struct cred *cred, > > > if (verif_mask_ptr) > > > allow_mask = policy_mask & *verif_mask_ptr; > > > } > > > - > > > - digest_cache_put(digest_cache); > > > > Keeping a reference to the digest_cache list for each file in the iint cache > > until the file is re-accessed, might take a while to free. > > Yes, that is the drawback... > > > I'm wondering if it necessary to keep a reference to the digest_cache. Or > > is it > > possible to just compare the existing iint->digest_cache pointer with the > > current digest_cache pointer? > > If the pointer value is the same, it does not guarantee that it is the > same digest cache used for the previous verification. It might have > been freed and reallocated.
Agreed. > > Maybe, if the digest_cache LSM is able to notify to IMA that the digest > cache changed, so that IMA resets its flags in the integrity metadata, > we would not need to pin it. Yes, something similar to the "ima_lsm_policy_notifier". Mimi
