On Thu, 20 Feb 2025 at 10:54, Giuseppe Scrivano <gscrivan@xxxxxxxxxx> wrote:
>
> Miklos Szeredi <miklos@xxxxxxxxxx> writes:
>
> > On Tue, 11 Feb 2025 at 16:52, Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> >> The short version - for lazy data lookup we store the lowerdata
> >> redirect absolute path in the ovl entry stack, but we do not store
> >> the verity digest, we just store OVL_HAS_DIGEST inode flag if there
> >> is a digest in metacopy xattr.
> >>
> >> If we store the digest from lookup time in ovl entry stack, your changes
> >> may be easier.
> >
> > Sorry, I can't wrap my head around this issue. Cc-ing Giuseppe. Giuseppe, can you describe what should happen when verity is enabled and a file on a composefs setup is copied up?
> >> Right. So I guess we only need to disallow uppermetacopy from
> >> index when metacopy=off.
>
> would that be safe from a user namespace?

You mean disallowing uppermetacopy? It's obviously safer than allowing it, no?

Thanks,
Miklos