Miklos Szeredi <miklos@xxxxxxxxxx> writes:

> On Tue, 11 Feb 2025 at 16:52, Amir Goldstein <amir73il@xxxxxxxxx> wrote:
>
>> It sounds very complicated. Is that even possible?
>> Do we always know the path of the upper alias?
>> IIRC, the absolute redirect path in upper is not necessarily
>> the absolute path where the origin is found.
>> e.g. if there are middle layer redirects of parents.
>
> Okay, it was a stupid idea.
>
>> > > Looking closer at ovl_maybe_validate_verity(), it's actually
>> > > worse - if you create an upper without metacopy above
>> > > a lower with metacopy, ovl_validate_verity() will only check
>> > > the metacopy xattr on metapath, which is the uppermost
>> > > and find no md5digest, so create an upper above a metacopy
>> > > lower is a way to avert verity check.
>> >
>> > I need to dig into how verity is supposed to work as I'm not seeing it
>> > clearly yet...
>> >
>>
>> The short version - for lazy data lookup we store the lowerdata
>> redirect absolute path in the ovl entry stack, but we do not store
>> the verity digest, we just store OVL_HAS_DIGEST inode flag if there
>> is a digest in metacopy xattr.
>>
>> If we store the digest from lookup time in ovl entry stack, your changes
>> may be easier.
>
> Sorry, I can't wrap my head around this issue. Cc-ing Giuseppe.
>
>> > > So I think lookup code needs to disallow finding metacopy
>> > > in middle layer and need to enforce that also when upper is found
>> > > via index.
>> >
>> > That's the hard link case. I.e. with metacopy=on,index=on it's
>> > possible that one link is metacopied up, and the other one is then
>> > found through the index. Metacopy *should* work in this case, no?
>> >
>>
>> Right. So I guess we only need to disallow uppermetacopy from
>> index when metacopy=off.

Is that safe from a user namespace?

Regards,
Giuseppe