Re: [RFC PATCH v9 12/16] fsverity: consume builtin signature via LSM hook

So disregarding the fact that using the fsverity builtin signatures still seems like a bad idea to me, here's a few comments on the diff itself:

On Mon, Jan 30, 2023 at 02:57:27PM -0800, Fan Wu wrote: > diff --git a/fs/verity/open.c b/fs/verity/open.c > index 81ff94442f7b..7e6fa52c0e9c 100644 > --- a/fs/verity/open.c > +++ b/fs/verity/open.c > @@ -7,7 +7,9 @@ > > #include "fsverity_private.h" > > +#include <linux/security.h> > #include <linux/slab.h> > +#include <crypto/public_key.h> There's no need to include <crypto/public_key.h>. > > + if (err) { > + fsverity_err(inode, "Error %d verifying signature", err); > + goto out; > + } The above error message is unnecessary because fsverity_verify_signature() already prints an error message on failure. > + > + err = security_inode_setsecurity(inode, FS_VERITY_INODE_SEC_NAME, desc->signature, > + le32_to_cpu(desc->sig_size), 0); This runs even if CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled. Is that really the right behavior?

Also a nit: please stick to the preferred line length of 80 characters. See Documentation/process/coding-style.rst > diff --git a/fs/verity/signature.c b/fs/verity/signature.c > index 143a530a8008..5d7b9496f9c4 100644 > --- a/fs/verity/signature.c > +++ b/fs/verity/signature.c > @@ -9,6 +9,7 @@ > > #include <linux/cred.h> > #include <linux/key.h> > +#include <linux/security.h> > #include <linux/slab.h> > #include <linux/verification.h> This change is unnecessary. > diff --git a/include/linux/fsverity.h b/include/linux/fsverity.h > index 40f14e5fed9d..29e9888287ba 100644 > --- a/include/linux/fsverity.h > +++ b/include/linux/fsverity.h > @@ -254,4 +254,6 @@ static inline bool fsverity_active(const struct inode *inode) > return fsverity_get_info(inode) != NULL; > } > > +#define FS_VERITY_INODE_SEC_NAME "fsverity.inode-info" "inode-info" is very vague. Shouldn't it be named "builtin-sig" or something? - Eric