Re: Weak hash algorithms allowed with DIGEST_NG
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-07-07 16:19:06
On Wed, 2021-07-07 at 15:10 +0000, THOBY Simon wrote:
> > > Is there any way to enforce the use of the hash specified in the 'ima_hash' cmdline parameter?
> >
> > The cmdline parameter overrides the compile time default hash algorithm used for (re-)calculating the file hash.
>
> Yes, but that only applies to the hashes performed automatically by the kernel, not to a user relabelling his whole / with find / \( -fstype rootfs -o -fstype ext4 \) -type f -uid 0 -exec evmctl ima_hash '{}' 2> /dev/null \; and forgetting to specify a stronger algorithm (that's how I learned of this pitfall myself).
If you were interested in limiting which algorithms could be used, the change would be made in ima_inode_setxattr(). I'd be interested in seeing what you come up with.

thanks,

Mimi
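As an added example (not kernel code and not from anyone in this thread): a userspace model of the kind of allow-list check the reply places in ima_inode_setxattr(), applied to a security.ima value in the DIGEST_NG layout (type byte 0x04, hash_algo byte, digest). The type and hash_algo constants are the kernel's (security/integrity/integrity.h, include/uapi/linux/hash_info.h); the allow-list policy, the check_ima_xattr() name and the sample values are assumptions made here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* Values as in security/integrity/integrity.h and include/uapi/linux/hash_info.h */
#define IMA_XATTR_DIGEST    0x01   /* legacy: type byte then an sha1 or md5 digest */
#define IMA_XATTR_DIGEST_NG 0x04   /* type byte, hash_algo byte, then the digest */
enum { HASH_ALGO_MD4, HASH_ALGO_MD5, HASH_ALGO_SHA1, HASH_ALGO_RIPE_MD_160,
       HASH_ALGO_SHA256, HASH_ALGO_SHA384, HASH_ALGO_SHA512, HASH_ALGO_SHA224 };

/* Digest length for the algorithms this example knows; 0 means unsupported */
static size_t digest_size(uint8_t algo)
{
	switch (algo) {
	case HASH_ALGO_MD5:    return 16;
	case HASH_ALGO_SHA1:   return 20;
	case HASH_ALGO_SHA224: return 28;
	case HASH_ALGO_SHA256: return 32;
	case HASH_ALGO_SHA384: return 48;
	case HASH_ALGO_SHA512: return 64;
	default:               return 0;
	}
}

/* Allow-list used by this example (an assumed policy): SHA-256 and longer only */
static int algo_allowed(uint8_t algo)
{
	return algo == HASH_ALGO_SHA256 || algo == HASH_ALGO_SHA384 ||
	       algo == HASH_ALGO_SHA512;
}

/* Check a security.ima value before it is stored: 0 = accept, -EINVAL = malformed,
 * -EPERM = digest made with an algorithm the policy does not allow. */
int check_ima_xattr(const uint8_t *val, size_t len)
{
	if (len < 2)
		return -EINVAL;
	if (val[0] == IMA_XATTR_DIGEST)      /* legacy format: always sha1 or md5 */
		return -EPERM;
	if (val[0] != IMA_XATTR_DIGEST_NG)   /* signatures etc. are not judged here */
		return 0;
	size_t dlen = digest_size(val[1]);
	if (dlen == 0 || len != 2 + dlen)    /* unknown algorithm or truncated digest */
		return -EINVAL;
	return algo_allowed(val[1]) ? 0 : -EPERM;
}

/* Constructed sample values with zero digests (not real file hashes): a sha256
 * value, and a sha1 value like the one the thread warns about. */
static const uint8_t sample_sha256[34] = { IMA_XATTR_DIGEST_NG, HASH_ALGO_SHA256 };
static const uint8_t sample_sha1[22]   = { IMA_XATTR_DIGEST_NG, HASH_ALGO_SHA1 };
```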