On Sun, May 14, 2023 at 9:16 PM Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> On Wed, May 03, 2023 at 10:51:38AM +0200, Alexander Larsson wrote:
> > When resolving lowerdata (lazily or non-lazily) we check the
> > overlay.verity xattr on the metadata inode, and if set verify that the
> > source lowerdata inode matches it (according to the verity options
> > enabled).
>
> Keep in mind that the lifetime of an inode's fsverity digest is from when it is
> first opened to when the inode is evicted from the inode cache.
>
> If the inode gets evicted from cache and re-instantiated, it could have been
> arbitrarily changed.
>
> Given that, does this verification happen in the right place? I would have
> expected it to happen whenever the file is opened, but it seems you do it when
> the dentry is looked up instead. Maybe that works too, but I'd appreciate an
> explanation.

The overlayfs inode will, after lookup, keep a reference to the dentry
(and thus inode) of the lower file, until such a time that the overlay
inode is evicted from the cache. This will keep the fsverity digest on
the lower alive while the overlay inode is alive. If the overlay inode
is evicted, then we will re-validate the verity on lookup().

As Amir mentioned, this may not be optimal, and it may be beneficial to
sometimes delay the digest validation, but that is more of a
performance detail.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson, Red Hat, Inc
alexl@xxxxxxxxxx
alexander.larsson@xxxxxxxxx