Re: [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM hook
So disregarding the fact that using the fsverity builtin signatures still seems
like a bad idea to me, here's a few comments on the diff itself:
On Mon, Jan 30, 2023 at 02:57:27PM -0800, Fan Wu wrote:
diff --git a/fs/verity/open.c b/fs/verity/open.c
index 81ff94442f7b..7e6fa52c0e9c 100644
--- a/fs/verity/open.c
+++ b/fs/verity/open.c
@@ -7,7 +7,9 @@
#include "fsverity_private.h"
+#include <linux/security.h>
#include <linux/slab.h>
+#include <crypto/public_key.h>
There's no need to include <crypto/public_key.h>.
static struct kmem_cache *fsverity_info_cachep;
@@ -146,7 +148,7 @@ static int compute_file_digest(struct fsverity_hash_alg *hash_alg,
* appended signature), and check the signature if present. The
* fsverity_descriptor must have already undergone basic validation.
*/
-struct fsverity_info *fsverity_create_info(const struct inode *inode,
+struct fsverity_info *fsverity_create_info(struct inode *inode,
struct fsverity_descriptor *desc)
{
struct fsverity_info *vi;
@@ -182,6 +184,15 @@ struct fsverity_info *fsverity_create_info(const struct inode
*inode,
err = fsverity_verify_signature(vi, desc->signature,
le32_to_cpu(desc->sig_size));
+ if (err) {
+ fsverity_err(inode, "Error %d verifying signature", err);
+ goto out;
+ }
The above error message is unnecessary because fsverity_verify_signature()
already prints an error message on failure.
+
+ err = security_inode_setsecurity(inode, FS_VERITY_INODE_SEC_NAME, desc->signature,
+ le32_to_cpu(desc->sig_size), 0);
This runs even if CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled. Is that
really the right behavior?
Also a nit: please stick to the preferred line length of 80 characters.
See Documentation/process/coding-style.rst
diff --git a/fs/verity/signature.c b/fs/verity/signature.c
index 143a530a8008..5d7b9496f9c4 100644
--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -9,6 +9,7 @@
#include <linux/cred.h>
#include <linux/key.h>
+#include <linux/security.h>
#include <linux/slab.h>
#include <linux/verification.h>
This change is unnecessary.
diff --git a/include/linux/fsverity.h b/include/linux/fsverity.h
index 40f14e5fed9d..29e9888287ba 100644
--- a/include/linux/fsverity.h
+++ b/include/linux/fsverity.h
@@ -254,4 +254,6 @@ static inline bool fsverity_active(const struct inode *inode)
return fsverity_get_info(inode) != NULL;
}
+#define FS_VERITY_INODE_SEC_NAME "fsverity.inode-info"
"inode-info" is very vague. Shouldn't it be named "builtin-sig"
or something?
- Eric