From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0409110E6
	for <fsverity@lists.linux.dev>; Mon, 15 May 2023 06:00:10 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8F011C433D2;
	Mon, 15 May 2023 06:00:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1684130410;
	bh=3vmTRAhPqR5UhiGRrbCqYK/u6K1pA4mtBYLQ/a2xO8A=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=Cdpi10H5B3icuu93NcaN/JwcYBa1AnQaauX+6rj58FRVpbjW4QX3NBoAmBMFuMtT3
	 LKbaqgA/v6HS2r0p2jr+M8BBgvhMt0pCbb/T5sOWhKhd2xGecUkQPzC/h1ohRClhZ9
	 2GwFzzowg0cD1g0vSOU7jBFSfCy5G7bF9H+14pKCX62IcgqOWePxd9CmRnp9oslIR1
	 h1iioLpiY7Ohm4wT+2c63xOd0iHrT95Gj3hoauVRftY9wd0DBjWO/hOAEnKgGKRSYJ
	 LyHJ1bIHdqHzwQn6pKuWpnXP7AFGxsb4obOCtd4XMzYlAbMl6FaWA1gIwDyVk3vzLo
	 qs1K9B3KFptmA==
Date: Sun, 14 May 2023 23:00:08 -0700
From: Eric Biggers <ebiggers@kernel.org>
To: Alexander Larsson <alexl@redhat.com>
Cc: miklos@szeredi.hu, linux-unionfs@vger.kernel.org, amir73il@gmail.com,
	tytso@mit.edu, fsverity@lists.linux.dev
Subject: Re: [PATCH v2 4/6] ovl: Add framework for verity support
Message-ID: <20230515060008.GA15871@sol.localdomain>
References: <cover.1683102959.git.alexl@redhat.com>
 <0292ade77250a8bb563744f596ecaab5614cbd80.1683102959.git.alexl@redhat.com>
 <20230514192227.GE9528@sol.localdomain>
 <CAL7ro1EaqFcS5sRAAJLWuiy4OHEP8KGXTm5T-LRh09XSrnav5A@mail.gmail.com>
Precedence: bulk
X-Mailing-List: fsverity@lists.linux.dev
List-Id: <fsverity.lists.linux.dev>
List-Subscribe: <mailto:fsverity+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:fsverity+unsubscribe@lists.linux.dev>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAL7ro1EaqFcS5sRAAJLWuiy4OHEP8KGXTm5T-LRh09XSrnav5A@mail.gmail.com>

On Mon, May 15, 2023 at 07:44:13AM +0200, Alexander Larsson wrote:
> On Sun, May 14, 2023 at 9:22 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > On Wed, May 03, 2023 at 10:51:37AM +0200, Alexander Larsson wrote:
> > > +- "require":
> > > +    Same as "on", but additionally all metacopy files must specify a
> > > +    verity xattr. This means metadata copy up will only be used if
> > > +    the data file has fs-verity enabled, otherwise a full copy-up is
> > > +    used.
> >
> > The second sentence makes it sound like an attacker can inject arbitrary data
> > just by replacing a data file with one that doesn't have fsverity enabled.
> >
> > I really hope that's not the case?
> >
> > I *think* there is a subtlety here involving "metacopy files" that were created
> > ahead of time by the user, vs. being generated by overlayfs.  But it's not
> > really explained.
> 
> I'm not sure what you mean here? When you say "replacing a data file",
> do you mean "changing the content of the lowerdir"?

Yes.  Specifically the data-only lowerdir.

> Because if you can just change lowerdir content then you can make users of the
> overlayfs mount read whatever data you want (independent of metacopy or any of
> this).

But isn't preventing that the whole point of your feature?

What am I missing?

- Eric