On Tue, Dec 14, 2021 at 08:08:19PM +0100, Fabio Valentini wrote: > On Tue, Dec 14, 2021 at 1:45 AM Davide Cavalca via devel > <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > > > On Mon, 2021-12-13 at 16:00 +0100, Vít Ondruch wrote: > > > Would it be possible to document the editing of protected file in the > > > change proposal, probably including example of the best way to do it > > > (is > > > it possible to replace the file by symlink?) Or is there a way to > > > temporary enable the editing with some overlay? Is there any other way > > > to restore the original file except "dnf reinstall"? > > > > I've added this to the wiki: > > https://fedoraproject.org/wiki/Changes/FsVerityRPM#Can_the_user_modify_a_file_shipped_by_a_package_.28e.g._to_edit_a_script_while_debugging.29_.3F > > > > You could restore the original file via "dnf reinstall", or by moving > > it back into place (rename() and unlink() are allowed on fs-verity > > enabled files). > > I thought fsverity was about determining at runtime that the system > has not been tampered with? But if somebody who has (physical) access > to the device can just ... move verified files out of the way and put > their own (unverified) files there (which then apparently does not > trigger red warning signs?) - doesn't that defeat the whole purpose of > enabling fsverity? That's a good question. fs-verity and dm-verity share the same underlying concept (merkle trees and signature verification by the kernel). So this raises the question that you asked… which can also be phrased as "why would you even use fs-verity, if you can do dm-verity"? My understanding it the following: fs-verity originated in the Android world where you can have an unprivileged process downloading a file, e.g. a jar. This unprivileged process manages the download, but the file is only trusted and executed when it has a matching signature from some central authority. The file contains the whole app, including all resources, so there is no question of other unverified files being used by the app. And the file can be large enough that it's practical to do chunked verification, since checksumming the whole file on first use would be slow. We don't really have the same considerations: the download process has full privileges, and the download is exploded into individual files, and more importantly, unpackaged files are also used. Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
