From: Eric Biggers <ebiggers@kernel.org>
To: fsverity@lists.linux.dev
Cc: linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-btrfs@vger.kernel.org
Subject: [PATCH 2/2] fsverity: move sysctl registration out of signature.c
Date: Wed, 5 Jul 2023 14:27:43 -0700
Message-ID: <20230705212743.42180-3-ebiggers@kernel.org>
In-Reply-To: <20230705212743.42180-1-ebiggers@kernel.org>

From: Eric Biggers <ebiggers@google.com>

Currently the registration of the fsverity sysctls happens in signature.c, which couples it to CONFIG_FS_VERITY_BUILTIN_SIGNATURES. This makes it hard to add new sysctls unrelated to builtin signatures.

Also, some users have started checking whether the directory /proc/sys/fs/verity exists as a way to tell whether fsverity is supported. This isn't the intended method; instead, the existence of /sys/fs/$fstype/features/verity should be checked, or users should just try to use the fsverity ioctls. Regardless, it should be made to work as expected without a dependency on CONFIG_FS_VERITY_BUILTIN_SIGNATURES.

Therefore, move the sysctl registration into init.c. With CONFIG_FS_VERITY_BUILTIN_SIGNATURES, nothing changes. Without it, but with CONFIG_FS_VERITY, an empty list of sysctls is now registered.

Signed-off-by: Eric Biggers <ebiggers@google.com>
--- fs/verity/fsverity_private.h | 1 + fs/verity/init.c | 32 ++++++++++++++++++++++++++++++++ fs/verity/signature.c | 33 +-------------------------------- 3 files changed, 34 insertions(+), 32 deletions(-) diff --git a/fs/verity/fsverity_private.h b/fs/verity/fsverity_private.h index c5ab9023dd2d3..d071a6e32581e 100644 --- a/fs/verity/fsverity_private.h +++ b/fs/verity/fsverity_private.h @@ -123,6 +123,7 @@ void __init fsverity_init_info_cache(void); /* signature.c */ #ifdef CONFIG_FS_VERITY_BUILTIN_SIGNATURES +extern int fsverity_require_signatures; int fsverity_verify_signature(const struct fsverity_info *vi, const u8 *signature, size_t sig_size); 
diff --git a/fs/verity/init.c b/fs/verity/init.c index bcd11d63eb1ca..a29f062f6047b 100644 --- a/fs/verity/init.c +++ b/fs/verity/init.c @@ -9,6 +9,37 @@ #include <linux/ratelimit.h> +#ifdef CONFIG_SYSCTL +static struct ctl_table_header *fsverity_sysctl_header; + +static struct ctl_table fsverity_sysctl_table[] = { +#ifdef CONFIG_FS_VERITY_BUILTIN_SIGNATURES + { + .procname = "require_signatures", + .data = &fsverity_require_signatures, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, +#endif + { } +}; + +static void __init fsverity_init_sysctl(void) +{ + fsverity_sysctl_header = register_sysctl("fs/verity", + fsverity_sysctl_table); + if (!fsverity_sysctl_header) + panic("fsverity sysctl registration failed"); +} +#else /* CONFIG_SYSCTL */ +static inline void fsverity_init_sysctl(void) +{ +} +#endif /* !CONFIG_SYSCTL */ + void fsverity_msg(const struct inode *inode, const char *level, const char *fmt, ...) { @@ -36,6 +67,7 @@ static int __init fsverity_init(void) fsverity_check_hash_algs(); fsverity_init_info_cache(); fsverity_init_workqueue(); + fsverity_init_sysctl(); fsverity_init_signature(); return 0; } diff --git a/fs/verity/signature.c b/fs/verity/signature.c index ec75ffec069ed..b95acae64eac6 100644 --- a/fs/verity/signature.c +++ b/fs/verity/signature.c @@ -24,7 +24,7 @@ * /proc/sys/fs/verity/require_signatures * If 1, all verity files must have a valid builtin signature. */ -static int fsverity_require_signatures; +int fsverity_require_signatures; /* * Keyring that contains the trusted X.509 certificates. 
@@ -93,35 +93,6 @@ int fsverity_verify_signature(const struct fsverity_info *vi, return 0; } -#ifdef CONFIG_SYSCTL -static struct ctl_table_header *fsverity_sysctl_header; - -static struct ctl_table fsverity_sysctl_table[] = { - { - .procname = "require_signatures", - .data = &fsverity_require_signatures, - .maxlen = sizeof(int), - .mode = 0644, - .proc_handler = proc_dointvec_minmax, - .extra1 = SYSCTL_ZERO, - .extra2 = SYSCTL_ONE, - }, - { } -}; - -static void __init fsverity_sysctl_init(void) -{ - fsverity_sysctl_header = register_sysctl("fs/verity", - fsverity_sysctl_table); - if (!fsverity_sysctl_header) - panic("fsverity sysctl registration failed"); -} -#else /* !CONFIG_SYSCTL */ -static inline void fsverity_sysctl_init(void) -{ -} -#endif /* !CONFIG_SYSCTL */ - void __init fsverity_init_signature(void) { fsverity_keyring = @@ -132,6 +103,4 @@ void __init fsverity_init_signature(void) KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); if (IS_ERR(fsverity_keyring)) panic("failed to allocate \".fs-verity\" keyring"); - - fsverity_sysctl_init(); } -- 2.41.0
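Review bot: the `extern int fsverity_require_signatures;` declaration added to fsverity_private.h carries no comment, while the description of the knob ("If 1, all verity files must have a valid builtin signature") stays above the definition in signature.c and the table entry that exposes it now lives in init.c. Dropping `static` also lets any file that includes this header write the variable; a one-line comment at the declaration saying it backs /proc/sys/fs/verity/require_signatures and is meant to be written only through the sysctl handler would keep this policy knob easy to audit.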
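Review bot: in the block added to fs/verity/init.c, the stub branch is labelled `#else /* CONFIG_SYSCTL */`, but that branch is the !CONFIG_SYSCTL case; the code removed from signature.c had `#else /* !CONFIG_SYSCTL */`, which also matches the `#endif /* !CONFIG_SYSCTL */` below it. In the same block, when CONFIG_FS_VERITY_BUILTIN_SIGNATURES is off the table passed to register_sysctl() holds only the `{ }` terminator; the commit message says this is deliberate, so a short comment above fsverity_sysctl_table stating that the empty table is registered on purpose would keep a later cleanup from removing the call.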
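Review bot: in fsverity_init(), fsverity_init_sysctl() is placed before fsverity_init_signature(), whereas the removed fsverity_sysctl_init() call ran at the end of fsverity_init_signature(), after the ".fs-verity" keyring had been allocated. If the reordering is intentional, say so in the commit message; otherwise calling fsverity_init_sysctl() after fsverity_init_signature() keeps the original order, so require_signatures is never registered before the keyring exists.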