You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I noticed the hotfix functionality (related to ostree admin unlock --hotfix) is available even when one is using composefs (at least the part that applies the hotfix).
Specifically, in this stretch of code, ostree-prepare-root checks for the existence of a "hotfix overlay" by looking at the deployment directory even when composefs is in use. Unless I'm missing something, this would allow one to apply a hotfix on top of a composefs+verity image and hence bypass the integrity/authenticity guarantees you would normally expect. I suppose this is not intended, right?
Since the hotfix is made of overlay directories (workdir, upperdir) which aren't signed I suppose composefs and hotfixing are not compatible...
The text was updated successfully, but these errors were encountered:
As mentioned in ostreedev#3187, we
can't allow a hotfix overlay of /usr when using signed composefs
images as that would allow an attacker to persist something used
across boots.
I noticed the hotfix functionality (related to
ostree admin unlock --hotfix
) is available even when one is using composefs (at least the part that applies the hotfix).Specifically, in this stretch of code,
ostree-prepare-root
checks for the existence of a "hotfix overlay" by looking at the deployment directory even when composefs is in use. Unless I'm missing something, this would allow one to apply a hotfix on top of a composefs+verity image and hence bypass the integrity/authenticity guarantees you would normally expect. I suppose this is not intended, right?Since the hotfix is made of overlay directories (workdir, upperdir) which aren't signed I suppose composefs and hotfixing are not compatible...
The text was updated successfully, but these errors were encountered: