On Fri, Dec 10, 2021 at 10:47:52AM +0100, Vít Ondruch wrote:
Any file covered by fs-verity is immutable after installation. So you
cannot modify the contents, the kernel refuses. But you can just
replace the file (like during an upgrade), and of course copy and edit
in a different location. If replaced, no fs-verity checking is done
any more by the kernel. There was some talk about high-level solution
to prevent such files from being executed, e.g. an LSM module, but no
details... (Thinking about this, it would be pretty hard, because the
LSM would need to be smart enough to know which files are installed
through rpm, and which files are not. I would love to hear more details
about what is planned here.)
Zbyszek
There is such an LSM that supports fs-verity (and dm-verity), being reviewed right now:
IPE
https://lore.kernel.org/lkml/81d5e825-1ee2-8f6b-cd9d-07b0f8bd36d3@linux.m...
https://microsoft.github.io/ipe/