On Tue, 11 Feb 2025 at 13:01, Amir Goldstein <amir73il@xxxxxxxxx> wrote:

> Looking closer at ovl_maybe_validate_verity(), it's actually
> worse - if you create an upper without metacopy above
> a lower with metacopy, ovl_validate_verity() will only check
> the metacopy xattr on metapath, which is the uppermost
> and find no md5digest, so create an upper above a metacopy
> lower is a way to avert verity check.
>
> So I think lookup code needs to disallow finding metacopy
> in middle layer and need to enforce that also when upper is found
> via index.

So I think the next patch does this: only allow following a metacopy
redirect from lower to data.

It's confusing to call this metacopy, as no copy is performed. We
could call it data-redirect. Mixing data-redirect with real meta-copy
is of dubious value, and we might be better to disable it even in the
privileged scenario.

Giuseppe, Alexander, AFAICS the composefs use case employs
data-redirect only and not metacopy, right?

Thanks,
Miklos