| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260126201206.GA30838@quark>
Date: Mon, 26 Jan 2026 12:12:06 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: Christoph Hellwig <hch@....de>
Cc: Matthew Wilcox <willy@...radead.org>, Al Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
David Sterba <dsterba@...e.com>, Theodore Ts'o <tytso@....edu>,
Jaegeuk Kim <jaegeuk@...nel.org>, Chao Yu <chao@...nel.org>,
Andrey Albershteyn <aalbersh@...hat.com>,
linux-fsdevel@...r.kernel.org, linux-btrfs@...r.kernel.org,
linux-ext4@...r.kernel.org, linux-f2fs-devel@...ts.sourceforge.net,
fsverity@...ts.linux.dev
Subject: Re: [PATCH 11/11] fsverity: use a hashtable to find the fsverity_info
On Mon, Jan 26, 2026 at 05:44:32AM +0100, Christoph Hellwig wrote:
> On Sun, Jan 25, 2026 at 09:48:22PM +0000, Matthew Wilcox wrote:
> > Is there a reason not to do as DAX did:
>
> > +#ifdef CONFIG_FS_VERITY
> > #define S_VERITY (1 << 16) /* Verity file (using fs/verity/) */
> > +#else
> > +#define S_VERITY 0 /* Make all the verity checks disappear */
> > +#endif
> > #define S_KERNEL_FILE (1 << 17) /* File is in use by the kernel (eg. fs/cachefiles) */
> > #define S_ANON_INODE (1 << 19) /* Inode is an anonymous inode */
> >
> >
> > and then we can drop the CONFIG_FS_VERITY check here and in (at leaast)
> > three other places
>
> I looked into this, but wasn't entirely sure about all callers. Also
> in at least some places we might need the barrier in fsverity_active,
> so my plan was to see how many of the checks should simply be converted
> to fsverity_active in a follow on and how much is left after that first.
When CONFIG_FS_VERITY=n, there can still be inodes that have fsverity
enabled, since they might have already been present on the filesystem.
The S_VERITY flag and the corresponding IS_VERITY() macro are being used
to identify such inodes and handle them appropriately.
Consider fsverity_file_open() for example:
static inline int fsverity_file_open(struct inode *inode, struct file *filp)
{
if (IS_VERITY(inode))
return __fsverity_file_open(inode, filp);
return 0;
}
When CONFIG_FS_VERITY=n, __fsverity_file_open() resolves to the stub:
static inline int __fsverity_file_open(struct inode *inode, struct file *filp)
{
return -EOPNOTSUPP;
}
So the result is that on a kernel that doesn't have fsverity support
enabled, trying to open an fsverity file fails with EOPNOTSUPP.
But this relies on IS_VERITY() still working correctly.
Similar code that relies on IS_VERITY() working correctly exists in
other places as well, for example in the implementation of statx().
So IS_VERITY() can't be changed to always return false when
CONFIG_FS_VERITY=n, unless we identified all the callers like these and
updated them to check the underlying filesystem-specific flag instead.
- Eric
Powered by blists - more mailing lists