On 4/29/26 12:03 PM, Roberto Sassu wrote:
From: Roberto Sassu <[email protected]>


Usage
=====

The IMA staging mechanism can be enabled from the kernel configuration
with the CONFIG_IMA_STAGING option.

If it is enabled, IMA duplicates the current measurements interfaces
(both binary and ASCII), by adding the _staged file suffix. Both the
original and the staging interfaces gain the write permission for the
root user and group, but require the process to have CAP_SYS_ADMIN set.

The staging mechanism supports two flavors.

Staging with prompt
~~~~~~~~~~~~~~~~~~~

The current measurements list is moved to a temporary staging area, and
staged measurements are deleted upon confirmation.

This staging process is achieved with the following steps.

   1.  echo A > <original interface>: the user requests IMA to stage the
       entire measurements list;
   2.  cat <_staged interface>: the user reads the staged measurements;
   3.  echo D > <_staged interface>: the user requests IMA to delete
       staged measurements.


I have an IMA log sharder (based on FUSE; does more 'copying' than 'sharding') that successfully uses this method.

Tested-by: Stefan Berger <[email protected]>
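A shell wrapper for the three-step "staging with prompt" flow described in the quoted patch, added here as an example; it is not part of Roberto's patch or Stefan's sharder. It assumes the ASCII interface lives at /sys/kernel/security/ima/ascii_runtime_measurements (with the _staged sibling the patch adds), and it only sends the D confirmation once the staged entries have been copied and flushed to disk, so a failed copy never discards measurements.

```shell
#!/bin/sh
# Added example (not from the patch): stage the IMA measurement list,
# archive the staged entries, and only then confirm their deletion.
# Interface paths are parameters so the same function can be run against
# stand-in files for a dry run.  Assumed real path:
#   /sys/kernel/security/ima/ascii_runtime_measurements
set -u

# ima_stage_and_archive <original interface> <archive file>
#   1. echo A > <original interface>   stage the entire measurement list
#   2. cat <_staged interface>         copy staged entries to the archive
#   3. echo D > <_staged interface>    confirm deletion of staged entries
# Step 3 runs only if step 2 produced a non-empty archive.
ima_stage_and_archive() {
    iface=$1
    archive=$2
    staged="${iface}_staged"
    tmp="${archive}.tmp"

    # writing the interface needs root and CAP_SYS_ADMIN per the patch
    [ -w "$iface" ] || { echo "cannot write $iface" >&2; return 1; }

    echo A > "$iface" || return 1
    if ! cat "$staged" > "$tmp"; then
        rm -f "$tmp"
        echo "copy of staged measurements failed; not confirming D" >&2
        return 1
    fi
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no staged measurements to archive; not confirming D" >&2
        return 2
    fi
    sync                                   # flush archive before deleting
    mv "$tmp" "$archive" || return 1
    echo D > "$staged"
}

# Number of archived entries (ASCII list: one measurement per line).
ima_archive_count() {
    wc -l < "$1" | tr -d ' '
}

# Usage: script.sh <original interface> <archive file>
if [ $# -eq 2 ]; then
    ima_stage_and_archive "$1" "$2"
fi
```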
