Dne 12. 12. 21 v 12:33 Zbigniew Jędrzejewski-Szmek napsal(a):
On Fri, Dec 10, 2021 at 10:47:52AM +0100, Vít Ondruch wrote:Dne 10. 12. 21 v 0:08 Davide Cavalca via devel napsal(a):On Fri, 2021-12-03 at 22:08 +0000, Richard W.M. Jones wrote:I'm unclear about the threat model - this is an attacker who is someone able to overwrite single files (eg. /bin/ls) but cannot turn off the fs-verity system as a whole? Also if RPM can update /bin/ls then surely an attacker who can widely compromise system files must also be able to update /bin/ls in the same way?Once fs-verity is enabled for a given file (which, in the RPM case, happens at package installation time), it cannot be disabled, and the file becomes immutable. One can still rename() or unlink() it (and this is indeed how rpm is able to replace files when upgrading packages), but the actual contents cannot be altered.Trying to debug some issue in shell/ruby/python script, will it be possible to modify such file?Any file covered by fs-verity is immutable after installation. So you cannot modify the contents, the kernel refuses. But you can just replace the file (like during an upgrade), and of course copy and edit in a different location. If replaced, no fs-verity checking is done any more by the kernel. There was some talk about high-level solution to prevent such files from being executed, e.g. an LSM module, but no details... (Thinking about this, it would be pretty hard, because the LSM would need to be smart enough to know which files are installed through rpm, and which files are not. I would love to hear more details about what is planned here.)
Thx for explanation.Would it be possible to document the editing of protected file in the change proposal, probably including example of the best way to do it (is it possible to replace the file by symlink?) Or is there a way to temporary enable the editing with some overlay? Is there any other way to restore the original file except "dnf reinstall"?
I am asking because I am torn between the security and OTOH convenient debugging if something goes wrong. Don't take me wrong I am far from editing system file on daily basis, but I have certainly did that.
Vít
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
