[v5,05/24] fs: add FS_XFLAG_VERITY for verity files

Message ID	20240304191046.157464-7-aalbersh@redhat.com (mailing list archive)
State	Superseded
Headers	show Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D65879DBA for <fsverity@lists.linux.dev>; Mon, 4 Mar 2024 19:12:19 +0000 (UTC) From: Andrey Albershteyn <aalbersh@redhat.com> To: fsverity@lists.linux.dev, linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, chandan.babu@oracle.com, djwong@kernel.org, ebiggers@kernel.org Cc: Andrey Albershteyn <aalbersh@redhat.com> Subject: [PATCH v5 05/24] fs: add FS_XFLAG_VERITY for verity files Date: Mon, 4 Mar 2024 20:10:28 +0100 Message-ID: <20240304191046.157464-7-aalbersh@redhat.com> In-Reply-To: <20240304191046.157464-2-aalbersh@redhat.com> References: <20240304191046.157464-2-aalbersh@redhat.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true
Series	fs-verity support for XFS \| expand [v5,00/24] fs-verity support for XFS [v5,01/24] fsverity: remove hash page spin lock [v5,02/24] xfs: add parent pointer support to attribute code [v5,03/24] xfs: define parent pointer ondisk extended attribute format [v5,04/24] xfs: add parent pointer validator functions [v5,05/24] fs: add FS_XFLAG_VERITY for verity files [v5,06/24] fsverity: pass tree_blocksize to end_enable_verity() [v5,07/24] fsverity: support block-based Merkle tree caching [v5,08/24] fsverity: add per-sb workqueue for post read processing [v5,09/24] fsverity: add tracepoints [v5,10/24] iomap: integrate fs-verity verification into iomap's read path [v5,11/24] xfs: add XBF_VERITY_SEEN xfs_buf flag [v5,12/24] xfs: add XFS_DA_OP_BUFFER to make xfs_attr_get() return buffer [v5,13/24] xfs: add attribute type for fs-verity [v5,14/24] xfs: make xfs_buf_get() to take XBF_* flags [v5,15/24] xfs: add XBF_DOUBLE_ALLOC to increase size of the buffer [v5,16/24] xfs: add fs-verity ro-compat flag [v5,17/24] xfs: add inode on-disk VERITY flag [v5,18/24] xfs: initialize fs-verity on file open and cleanup on inode destruction [v5,19/24] xfs: don't allow to enable DAX on fs-verity sealsed inode [v5,20/24] xfs: disable direct read path for fs-verity files [v5,21/24] xfs: add fs-verity support [v5,22/24] xfs: make scrub aware of verity dinode flag [v5,23/24] xfs: add fs-verity ioctls [v5,24/24] xfs: enable ro-compat fs-verity flag

Message ID

20240304191046.157464-7-aalbersh@redhat.com (mailing list archive)

State

Superseded

Headers

From: Andrey Albershteyn <aalbersh@redhat.com>
To: fsverity@lists.linux.dev,
	linux-xfs@vger.kernel.org,
	linux-fsdevel@vger.kernel.org,
	chandan.babu@oracle.com,
	djwong@kernel.org,
	ebiggers@kernel.org
Cc: Andrey Albershteyn <aalbersh@redhat.com>
Subject: [PATCH v5 05/24] fs: add FS_XFLAG_VERITY for verity files
Date: Mon,  4 Mar 2024 20:10:28 +0100
Message-ID: <20240304191046.157464-7-aalbersh@redhat.com>
In-Reply-To: <20240304191046.157464-2-aalbersh@redhat.com>
References: <20240304191046.157464-2-aalbersh@redhat.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"; x-default=true

Series

fs-verity support for XFS | expand

Commit Message

Andrey Albershteyn March 4, 2024, 7:10 p.m. UTC

Add extended attribute FS_XFLAG_VERITY for inodes with fs-verity
enabled.

Signed-off-by: Andrey Albershteyn <aalbersh@redhat.com>
---
 Documentation/filesystems/fsverity.rst |  8 ++++++++
 fs/ioctl.c                             | 11 +++++++++++
 include/uapi/linux/fs.h                |  1 +
 3 files changed, 20 insertions(+)

Comments

Eric Biggers March 4, 2024, 10:35 p.m. UTC | #1

On Mon, Mar 04, 2024 at 08:10:28PM +0100, Andrey Albershteyn wrote:
> @@ -641,6 +645,13 @@ static int fileattr_set_prepare(struct inode *inode,
>  	    !(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)))
>  		return -EINVAL;
>  
> +	/*
> +	 * Verity cannot be set through FS_IOC_FSSETXATTR/FS_IOC_SETFLAGS.
> +	 * See FS_IOC_ENABLE_VERITY
> +	 */
> +	if (fa->fsx_xflags & FS_XFLAG_VERITY)
> +		return -EINVAL;

This makes FS_IOC_SETFLAGS and FS_IOC_FSSETXATTR start failing on files that
already have verity enabled.

An error should only be returned when the new flags contain verity and the old
flags don't.

- Eric

Darrick J. Wong March 7, 2024, 9:39 p.m. UTC | #2

On Mon, Mar 04, 2024 at 02:35:48PM -0800, Eric Biggers wrote:
> On Mon, Mar 04, 2024 at 08:10:28PM +0100, Andrey Albershteyn wrote:
> > @@ -641,6 +645,13 @@ static int fileattr_set_prepare(struct inode *inode,
> >  	    !(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)))
> >  		return -EINVAL;
> >  
> > +	/*
> > +	 * Verity cannot be set through FS_IOC_FSSETXATTR/FS_IOC_SETFLAGS.
> > +	 * See FS_IOC_ENABLE_VERITY
> > +	 */
> > +	if (fa->fsx_xflags & FS_XFLAG_VERITY)
> > +		return -EINVAL;
> 
> This makes FS_IOC_SETFLAGS and FS_IOC_FSSETXATTR start failing on files that
> already have verity enabled.
> 
> An error should only be returned when the new flags contain verity and the old
> flags don't.

What if the old flags have it and the new ones don't?  Is that supposed
to disable fsverity?  Is removal of the verity information not supported?

I'm guessing that removal isn't supposed to happen, in which case the
above check ought to be:

	if (!!IS_VERITY(inode) != !!(fa->fsx_xflags & FS_XFLAG_VERITY))
		return -EINVAL;

Right?

--D

> - Eric
>

Eric Biggers March 7, 2024, 10:06 p.m. UTC | #3

On Thu, Mar 07, 2024 at 01:39:11PM -0800, Darrick J. Wong wrote:
> On Mon, Mar 04, 2024 at 02:35:48PM -0800, Eric Biggers wrote:
> > On Mon, Mar 04, 2024 at 08:10:28PM +0100, Andrey Albershteyn wrote:
> > > @@ -641,6 +645,13 @@ static int fileattr_set_prepare(struct inode *inode,
> > >  	    !(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)))
> > >  		return -EINVAL;
> > >  
> > > +	/*
> > > +	 * Verity cannot be set through FS_IOC_FSSETXATTR/FS_IOC_SETFLAGS.
> > > +	 * See FS_IOC_ENABLE_VERITY
> > > +	 */
> > > +	if (fa->fsx_xflags & FS_XFLAG_VERITY)
> > > +		return -EINVAL;
> > 
> > This makes FS_IOC_SETFLAGS and FS_IOC_FSSETXATTR start failing on files that
> > already have verity enabled.
> > 
> > An error should only be returned when the new flags contain verity and the old
> > flags don't.
> 
> What if the old flags have it and the new ones don't?  Is that supposed
> to disable fsverity?  Is removal of the verity information not supported?
> 
> I'm guessing that removal isn't supposed to happen, in which case the
> above check ought to be:
> 
> 	if (!!IS_VERITY(inode) != !!(fa->fsx_xflags & FS_XFLAG_VERITY))
> 		return -EINVAL;
> 
> Right?

Yeah, good catch.  We need to prevent disabling the flag too.  How about:

	if ((fa->flags ^ old_ma->flags) & FS_VERITY_FL)
		return -EINVAL;

That would be consistent with how changes to other flags such as FS_APPEND_FL
and FS_IMMUTABLE_FL are detected earlier in the function.

- Eric

diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst
index 13e4b18e5dbb..887cdaf162a9 100644
--- a/Documentation/filesystems/fsverity.rst
+++ b/Documentation/filesystems/fsverity.rst
@@ -326,6 +326,14 @@  the file has fs-verity enabled.  This can perform better than
 FS_IOC_GETFLAGS and FS_IOC_MEASURE_VERITY because it doesn't require
 opening the file, and opening verity files can be expensive.
 
+FS_IOC_FSGETXATTR
+-----------------
+
+Since Linux v6.9, the FS_IOC_FSGETXATTR ioctl sets FS_XFLAG_VERITY (0x00020000)
+in the returned flags when the file has verity enabled. Note that this attribute
+cannot be set with FS_IOC_FSSETXATTR as enabling verity requires input
+parameters. See FS_IOC_ENABLE_VERITY.
+
 .. _accessing_verity_files:
 
 Accessing verity files
diff --git a/fs/ioctl.c b/fs/ioctl.c
index 76cf22ac97d7..38c00e47c069 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -481,6 +481,8 @@  void fileattr_fill_xflags(struct fileattr *fa, u32 xflags)
 		fa->flags |= FS_DAX_FL;
 	if (fa->fsx_xflags & FS_XFLAG_PROJINHERIT)
 		fa->flags |= FS_PROJINHERIT_FL;
+	if (fa->fsx_xflags & FS_XFLAG_VERITY)
+		fa->flags |= FS_VERITY_FL;
 }
 EXPORT_SYMBOL(fileattr_fill_xflags);
 
@@ -511,6 +513,8 @@  void fileattr_fill_flags(struct fileattr *fa, u32 flags)
 		fa->fsx_xflags |= FS_XFLAG_DAX;
 	if (fa->flags & FS_PROJINHERIT_FL)
 		fa->fsx_xflags |= FS_XFLAG_PROJINHERIT;
+	if (fa->flags & FS_VERITY_FL)
+		fa->fsx_xflags |= FS_XFLAG_VERITY;
 }
 EXPORT_SYMBOL(fileattr_fill_flags);
 
@@ -641,6 +645,13 @@  static int fileattr_set_prepare(struct inode *inode,
 	    !(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode)))
 		return -EINVAL;
 
+	/*
+	 * Verity cannot be set through FS_IOC_FSSETXATTR/FS_IOC_SETFLAGS.
+	 * See FS_IOC_ENABLE_VERITY
+	 */
+	if (fa->fsx_xflags & FS_XFLAG_VERITY)
+		return -EINVAL;
+
 	/* Extent size hints of zero turn off the flags. */
 	if (fa->fsx_extsize == 0)
 		fa->fsx_xflags &= ~(FS_XFLAG_EXTSIZE | FS_XFLAG_EXTSZINHERIT);
diff --git a/include/uapi/linux/fs.h b/include/uapi/linux/fs.h
index 48ad69f7722e..b1d0e1169bc3 100644
--- a/include/uapi/linux/fs.h
+++ b/include/uapi/linux/fs.h
@@ -140,6 +140,7 @@  struct fsxattr {
 #define FS_XFLAG_FILESTREAM	0x00004000	/* use filestream allocator */
 #define FS_XFLAG_DAX		0x00008000	/* use DAX for IO */
 #define FS_XFLAG_COWEXTSIZE	0x00010000	/* CoW extent size allocator hint */
+#define FS_XFLAG_VERITY		0x00020000	/* fs-verity enabled */
 #define FS_XFLAG_HASATTR	0x80000000	/* no DIFLAG for this	*/
 
 /* the read-only stuff doesn't really belong here, but any other place is

[v5,05/24] fs: add FS_XFLAG_VERITY for verity files

Commit Message

Comments

Patch