On Tue, Dec 14, 2021 at 08:08:19PM +0100, Fabio Valentini wrote:
On Tue, Dec 14, 2021 at 1:45 AM Davide Cavalca via devel
<devel(a)lists.fedoraproject.org> wrote:
>
> On Mon, 2021-12-13 at 16:00 +0100, Vít Ondruch wrote:
> > Would it be possible to document the editing of protected file in the
> > change proposal, probably including example of the best way to do it
> > (is
> > it possible to replace the file by symlink?) Or is there a way to
> > temporary enable the editing with some overlay? Is there any other way
> > to restore the original file except "dnf reinstall"?
>
> I've added this to the wiki:
>
https://fedoraproject.org/wiki/Changes/FsVerityRPM#Can_the_user_modify_a_...
>
> You could restore the original file via "dnf reinstall", or by moving
> it back into place (rename() and unlink() are allowed on fs-verity
> enabled files).
I thought fsverity was about determining at runtime that the system
has not been tampered with? But if somebody who has (physical) access
to the device can just ... move verified files out of the way and put
their own (unverified) files there (which then apparently does not
trigger red warning signs?) - doesn't that defeat the whole purpose of
enabling fsverity?
That's a good question. fs-verity and dm-verity share the same
underlying concept (merkle trees and signature verification by the
kernel). So this raises the question that you asked… which can also be
phrased as "why would you even use fs-verity, if you can do dm-verity"?
My understanding it the following: fs-verity originated in the Android
world where you can have an unprivileged process downloading a file,
e.g. a jar. This unprivileged process manages the download, but the
file is only trusted and executed when it has a matching signature
from some central authority. The file contains the whole app,
including all resources, so there is no question of other unverified
files being used by the app. And the file can be large enough that
it's practical to do chunked verification, since checksumming the whole
file on first use would be slow.
We don't really have the same considerations: the download process
has full privileges, and the download is exploded into individual files,
and more importantly, unpackaged files are also used.
Zbyszek