On Mon, May 15, 2023 at 07:44:13AM +0200, Alexander Larsson wrote:
> On Sun, May 14, 2023 at 9:22 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> >
> > On Wed, May 03, 2023 at 10:51:37AM +0200, Alexander Larsson wrote:
> > > +- "require":
> > > + Same as "on", but additionally all metacopy files must specify a
> > > + verity xattr. This means metadata copy up will only be used if
> > > + the data file has fs-verity enabled, otherwise a full copy-up is
> > > + used.
> >
> > The second sentence makes it sound like an attacker can inject arbitrary data
> > just by replacing a data file with one that doesn't have fsverity enabled.
> >
> > I really hope that's not the case?
> >
> > I *think* there is a subtlety here involving "metacopy files" that were created
> > ahead of time by the user, vs. being generated by overlayfs. But it's not
> > really explained.
>
> I'm not sure what you mean here? When you say "replacing a data file",
> do you mean "changing the content of the lowerdir"?

Yes. Specifically the data-only lowerdir.

> Because if you can just change lowerdir content then you can make users of the
> overlayfs mount read whatever data you want (independent of metacopy or any of
> this).

But isn't preventing that the whole point of your feature? What am I missing?

- Eric
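Review bot: the quoted "require" documentation describes two different moments in one paragraph, and that is what makes it read as a fallback: the first sentence ("all metacopy files must specify a verity xattr") is a hard requirement checked on lower-layer files, while the second ("otherwise a full copy-up is used") describes what overlayfs does at copy-up time when the data file has no fs-verity. Suggest splitting the text into a lookup-time statement (what happens to a metacopy file that lacks the verity xattr, or whose data file cannot be verified against it) and a copy-up-time statement (when overlayfs generates a metacopy file versus a full copy), so the reader can tell that the "otherwise" clause applies only to overlayfs-generated copy-ups and not to pre-existing lower files.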