On Fri, 27 Sep 2024, Sami Tolvanen wrote:

> > See for example openssh, the function read_config_file_depth. There is:
> >
> >         while (getline(&line, &linesize, f) != -1) {
> >                 ... process_config_line_depth
> >         }
> >         free(line);
> >         fclose(f);
> >         if (bad_options > 0)
> >                 fatal("%s: terminating, %d bad configuration options",
> >                     filename, bad_options);
> >         return 1;
> >
> > So, the function doesn't distinguish between error and EOF. If reading the
> > config file returns -EIO, the function exits with 1 as if the file was
> > empty.
>
> Sounds like OpenSSH's threat model doesn't include an attacker who can
> trigger arbitrary I/O errors. If you want dm-verity to protect against
> this, why not add a new restart_on_errors flag instead of changing the
> semantics of the restart_on_corruption flag and risk breaking existing
> users?
>
> Sami

The dm-verity behavior was reported as a security bug, so by default, it
should behave in the secure way - i.e. restart or panic on I/O error.

Do you intend to use dm-verity in Android and ChromeOS in the less-secure
way where it returns -EIO? Have you audited the Android and ChromeOS
codebase so that -EIO can't cause a security breach? If yes, I can make a
configuration switch for you that will enable the old behavior.

Mikulas
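The getline() pattern quoted from OpenSSH above is the general shape of the problem the thread discusses: a loop that ends on -1 cannot tell a read error from end of file, so a stream that fails with -EIO is processed as if it were empty. The following added example (not OpenSSH's, dm-verity's or any list participant's code) shows that loop beside a variant that checks ferror() after the loop. It assumes a constructed line classifier `line_is_bad`, a constructed status enum, and uses fopen() on a directory as a stand-in for a block device returning -EIO (on Linux the read fails with EISDIR; the mechanism is the same).

```c
#define _POSIX_C_SOURCE 200809L   /* getline(3), fmemopen(3) */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed status codes for this example. */
enum cfg_status { CFG_OK = 0, CFG_BAD_OPTIONS = 1, CFG_IO_ERROR = 2 };

/* Constructed stand-in for process_config_line_depth: a line is "bad"
 * unless it starts with "opt". */
static int line_is_bad(const char *line)
{
    return strncmp(line, "opt", 3) != 0;
}

/* Naive reader, same shape as the quoted loop: getline's -1 is taken as
 * end of file whatever caused it. Returns the bad-option count. */
static int read_config_naive(FILE *f)
{
    char *line = NULL;
    size_t linesize = 0;
    int bad_options = 0;

    while (getline(&line, &linesize, f) != -1)
        bad_options += line_is_bad(line);
    free(line);
    return bad_options;   /* an I/O error is indistinguishable from an empty file */
}

/* Hardened reader: after the loop, ferror() separates EOF from a failed read,
 * so an unreadable config is reported instead of treated as empty. */
static enum cfg_status read_config_checked(FILE *f, int *bad_out)
{
    char *line = NULL;
    size_t linesize = 0;
    int bad_options = 0;

    errno = 0;
    while (getline(&line, &linesize, f) != -1)
        bad_options += line_is_bad(line);
    free(line);

    if (ferror(f)) {
        /* getline() failed (errno holds the reason, e.g. EIO); refuse to
         * report a count that would look like a clean, empty file. */
        *bad_out = -1;
        return CFG_IO_ERROR;
    }
    *bad_out = bad_options;
    return bad_options > 0 ? CFG_BAD_OPTIONS : CFG_OK;
}

/* Constructed error source: a directory opened as a stream; every read
 * fails, which is what a device returning -EIO looks like to stdio. */
static FILE *open_failing_stream(void)
{
    return fopen("/", "r");
}

/* Constructed sample config: one good option, one bad line. */
static char sample_config[] = "opt foo\nbogus line\n";

int naive_on_io_error(void)
{
    FILE *f = open_failing_stream();
    if (!f)
        return -1;
    int bad = read_config_naive(f);
    fclose(f);
    return bad;            /* 0: the error was silently swallowed */
}

int checked_on_io_error(void)
{
    FILE *f = open_failing_stream();
    if (!f)
        return -1;
    int bad;
    enum cfg_status st = read_config_checked(f, &bad);
    fclose(f);
    return st;             /* CFG_IO_ERROR */
}

int checked_on_sample(void)
{
    FILE *f = fmemopen(sample_config, sizeof sample_config - 1, "r");
    int bad;
    enum cfg_status st = read_config_checked(f, &bad);
    fclose(f);
    return st == CFG_BAD_OPTIONS && bad == 1 ? CFG_BAD_OPTIONS : -1;
}

int main(void)
{
    printf("naive reader on failing stream: %d bad options (looks empty)\n",
           naive_on_io_error());
    printf("checked reader on failing stream: status %d\n", checked_on_io_error());
    printf("checked reader on sample config: status %d\n", checked_on_sample());
    return 0;
}
```

The check belongs in user space regardless of what the kernel does: whether dm-verity restarts, panics or returns -EIO, a reader that consults ferror() (or errno after a -1 from getline()) fails closed on an unreadable file instead of proceeding with no configuration.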