On Tue, Dec 14, 2021 at 1:45 AM Davide Cavalca via devel <devel@lists.fedoraproject.org> wrote: > > On Mon, 2021-12-13 at 16:00 +0100, Vít Ondruch wrote: > > Would it be possible to document the editing of protected file in the > > change proposal, probably including example of the best way to do it > > (is > > it possible to replace the file by symlink?) Or is there a way to > > temporary enable the editing with some overlay? Is there any other way > > to restore the original file except "dnf reinstall"? > > I've added this to the wiki: > https://fedoraproject.org/wiki/Changes/FsVerityRPM#Can_the_user_modify_a_file_shipped_by_a_package_.28e.g._to_edit_a_script_while_debugging.29_.3F > > You could restore the original file via "dnf reinstall", or by moving > it back into place (rename() and unlink() are allowed on fs-verity > enabled files).
I thought fsverity was about determining at runtime that the system has not been tampered with? But if somebody who has (physical) access to the device can just ... move verified files out of the way and put their own (unverified) files there (which then apparently does not trigger red warning signs?) - doesn't that defeat the whole purpose of enabling fsverity? Fabio _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
