From: Miklos Szeredi <miklos@szeredi.hu>
To: Giuseppe Scrivano <gscrivan@redhat.com>
Cc: Alexander Larsson <alexl@redhat.com>,
Amir Goldstein <amir73il@gmail.com>,
Miklos Szeredi <mszeredi@redhat.com>,
linux-unionfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Colin Walters <walters@redhat.com>
Subject: Re: [PATCH 3/5] ovl: make redirect/metacopy rejection consistent
Date: Tue, 25 Mar 2025 14:42:14 +0100 [thread overview]
Message-ID: <CAJfpegtvPW6tTfGbOUtW3GMe8UxX2Laqjopb1oSoUNgBWNUe9g@mail.gmail.com> (raw)
In-Reply-To: <87frj1fd3b.fsf@redhat.com>
On Tue, 25 Mar 2025 at 14:34, Giuseppe Scrivano <gscrivan@redhat.com> wrote:
>
> Alexander Larsson <alexl@redhat.com> writes:
>
> > On Tue, 2025-03-25 at 11:57 +0100, Miklos Szeredi wrote:
> >> On Tue, 11 Feb 2025 at 13:01, Amir Goldstein <amir73il@gmail.com>
> >> wrote:
> >> > Looking closer at ovl_maybe_validate_verity(), it's actually
> >> > worse - if you create an upper without metacopy above
> >> > a lower with metacopy, ovl_validate_verity() will only check
> >> > the metacopy xattr on metapath, which is the uppermost
> >> > and find no md5digest, so create an upper above a metacopy
> >> > lower is a way to avert verity check.
> >> >
> >> > So I think lookup code needs to disallow finding metacopy
> >> > in middle layer and need to enforce that also when upper is found
> >> > via index.
> >>
> >> So I think the next patch does this: only allow following a metacopy
> >> redirect from lower to data.
> >>
> >> It's confusing to call this metacopy, as no copy is performed. We
> >> could call it data-redirect. Mixing data-redirect with real meta-
> >> copy
> >> is of dubious value, and we might be better to disable it even in the
> >> privileged scenario.
> >>
> >> Giuseppe, Alexander, AFAICS the composefs use case employs
> >> data-redirect only and not metacopy, right?
> >
> > The most common usecase is to get a read-only image, say for
> > /usr. However, sometimes (for example with containers) we have a
> > writable upper layer too. I'm not sure how important metacopy is for
> > that though, it is more commonly used to avoid duplicating things
> > between e.g. the container image layers. Giuseppe?
>
> for the composefs use case we don't need metacopy, but if it is possible
> it would be nice to have metacopy since idmapped mounts do not work yet
> in a user namespace. So each time we run a container in a different
> mapping we need a fully copy of the image which would be faster with
> metacopy.
Okay, so there is a usecase for compose + metacopy.
Problem seems to be that this negatively affects the security of the
setup, because the digest is now stored on the unverified upper layer.
Am I misunderstanding this?
Thanks,
Miklos
next prev parent reply other threads:[~2025-03-25 13:42 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-10 19:45 [PATCH 1/5] ovl: don't allow datadir only Miklos Szeredi
2025-02-10 19:45 ` [PATCH 2/5] ovl: remove unused forward declaration Miklos Szeredi
2025-02-11 10:02 ` Amir Goldstein
2025-02-10 19:45 ` [PATCH 3/5] ovl: make redirect/metacopy rejection consistent Miklos Szeredi
2025-02-11 11:13 ` Amir Goldstein
2025-02-11 11:46 ` Miklos Szeredi
2025-02-11 12:00 ` Amir Goldstein
2025-02-11 12:34 ` Miklos Szeredi
2025-02-11 15:51 ` Amir Goldstein
2025-02-12 16:57 ` Miklos Szeredi
2025-02-20 9:53 ` Giuseppe Scrivano
2025-02-20 11:25 ` Miklos Szeredi
2025-02-20 11:39 ` Giuseppe Scrivano
2025-02-20 11:47 ` Miklos Szeredi
2025-03-25 12:16 ` Amir Goldstein
2025-03-27 15:28 ` Miklos Szeredi
2025-03-27 17:13 ` Amir Goldstein
2025-03-27 19:23 ` Miklos Szeredi
2025-03-28 9:04 ` Alexander Larsson
2025-03-27 22:20 ` Colin Walters
2025-03-25 10:57 ` Miklos Szeredi
2025-03-25 11:18 ` Alexander Larsson
2025-03-25 13:34 ` Giuseppe Scrivano
2025-03-25 13:42 ` Miklos Szeredi [this message]
2025-03-25 14:16 ` Alexander Larsson
[not found] ` <CAGUVWovzT=7Gj2nj-RWC9g5_KWMzPPzAbFs9-xKWpFuh8iFTiw@mail.gmail.com>
2025-03-25 14:04 ` Alexander Larsson
2025-02-10 19:45 ` [PATCH 4/5] ovl: don't require metacopy=on for lower -> data redirect Miklos Szeredi
2025-02-11 12:08 ` Amir Goldstein
2025-02-10 19:45 ` [PATCH 5/5] ovl: don't require "metacopy=on" for "verity" Miklos Szeredi
2025-02-11 10:49 ` Amir Goldstein
2025-02-11 12:14 ` Miklos Szeredi
2025-02-11 12:24 ` Amir Goldstein
2025-02-11 10:01 ` [PATCH 1/5] ovl: don't allow datadir only Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJfpegtvPW6tTfGbOUtW3GMe8UxX2Laqjopb1oSoUNgBWNUe9g@mail.gmail.com \
--to=miklos@szeredi.hu \
--cc=alexl@redhat.com \
--cc=amir73il@gmail.com \
--cc=gscrivan@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=walters@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).