Re: [PATCH 3/5] ovl: make redirect/metacopy rejection consistent

[Giuseppe Scrivano <gscrivan@redhat.com>]

Miklos Szeredi <miklos@szeredi.hu> writes:

> On Tue, 11 Feb 2025 at 16:52, Amir Goldstein <amir73il@gmail.com> wrote:
>
>> It sounds very complicated. Is that even possible?
>> Do we always know the path of the upper alias?
>> IIRC, the absolute redirect path in upper is not necessary
>> the absolute path where the origin is found.
>> e.g. if there are middle layer redirects of parents.
>
> Okay, it was a stupid idea.
>
>> > > Looking closer at ovl_maybe_validate_verity(), it's actually
>> > > worse - if you create an upper without metacopy above
>> > > a lower with metacopy, ovl_validate_verity() will only check
>> > > the metacopy xattr on metapath, which is the uppermost
>> > > and find no md5digest, so create an upper above a metacopy
>> > > lower is a way to avert verity check.
>> >
>> > I need to dig into how verity is supposed to work as I'm not seeing it
>> > clearly yet...
>> >
>>
>> The short version - for lazy data lookup we store the lowerdata
>> redirect absolute path in the ovl entry stack, but we do not store
>> the verity digest, we just store OVL_HAS_DIGEST inode flag if there
>> is a digest in metacopy xattr.
>>
>> If we store the digest from lookup time in ovl entry stack, your changes
>> may be easier.
>
> Sorry, I can't wrap my head around this issue.  Cc-ing Giuseppe.
>
>> > > So I think lookup code needs to disallow finding metacopy
>> > > in middle layer and need to enforce that also when upper is found
>> > > via index.
>> >
>> > That's the hard link case.  I.e. with metacopy=on,index=on it's
>> > possible that one link is metacopyied up, and the other one is then
>> > found through the index.  Metacopy *should* work in this case, no?
>> >
>>
>> Right. So I guess we only need to disallow uppermetacopy from
>> index when metacoy=off.

is that be safe from a user namespace?

Regards,
Giuseppe