From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D4A11877
	for <fsverity@lists.linux.dev>; Sun, 14 May 2023 19:22:29 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id E2BA6C433EF;
	Sun, 14 May 2023 19:22:28 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1684092149;
	bh=igJIyKpflq3ZdDQLT8vidW1QaAmqyDBdhF6YagIwwcY=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=t5G7UXPNG4NLxnZ7yC+tONFhY9GtTwvB43PmCh5/jfVbxJRwNC0Qj8Uwfm0VG40BX
	 BQTYSmsbpWCFr92J5bLjkCxE+Fo6mFAGXHue3gysaZxgJoREpy1dFxu2/MmeThh6v0
	 UUiT6COAoJolwEF3L7ly4fi2xzpTuZPdvzmZF6vj3BtDLcYmcMPIWWtiJIAP8SSeUb
	 ZDXjYakeJ276VzYCKWn+1AtBevrkufWgNNWJw6BxQLRxhk2PmgLwIUkJjewWDGWFGW
	 wjdVPKZ9Fu84PjgnAyrt69bvmhe/E7V7nGT0pVbmdmjqSf9oFekd3zHgsN2pnBTSAK
	 Ai5ocBVokHpEA==
Date: Sun, 14 May 2023 12:22:27 -0700
From: Eric Biggers <ebiggers@kernel.org>
To: Alexander Larsson <alexl@redhat.com>
Cc: miklos@szeredi.hu, linux-unionfs@vger.kernel.org, amir73il@gmail.com,
	tytso@mit.edu, fsverity@lists.linux.dev
Subject: Re: [PATCH v2 4/6] ovl: Add framework for verity support
Message-ID: <20230514192227.GE9528@sol.localdomain>
References: <cover.1683102959.git.alexl@redhat.com>
 <0292ade77250a8bb563744f596ecaab5614cbd80.1683102959.git.alexl@redhat.com>
Precedence: bulk
X-Mailing-List: fsverity@lists.linux.dev
List-Id: <fsverity.lists.linux.dev>
List-Subscribe: <mailto:fsverity+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:fsverity+unsubscribe@lists.linux.dev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0292ade77250a8bb563744f596ecaab5614cbd80.1683102959.git.alexl@redhat.com>

On Wed, May 03, 2023 at 10:51:37AM +0200, Alexander Larsson wrote:
> +- "require":
> +    Same as "on", but additionally all metacopy files must specify a
> +    verity xattr. This means metadata copy up will only be used if
> +    the data file has fs-verity enabled, otherwise a full copy-up is
> +    used.

The second sentence makes it sound like an attacker can inject arbitrary data
just by replacing a data file with one that doesn't have fsverity enabled.

I really hope that's not the case?

I *think* there is a subtlety here involving "metacopy files" that were created
ahead of time by the user, vs. being generated by overlayfs.  But it's not
really explained.

- Eric