lib: Add lcfs_fd_measure_fsverity #394

Merged: 5 commits from add-fd-require-verity into containers:main on Nov 19, 2024

Conversation

@cgwalters (Contributor) commented Nov 6, 2024

lib: Add lcfs_fd_measure_fsverity

Our history with fsverity APIs is a bit messy. For historical
reasons lcfs_fd_get_fsverity tries to query the kernel (via ioctl)
but will silently fall back to userspace computation - which
is sometimes desirable, other times not.

We also have lcfs_fd_compute_fsverity which is unconditionally
userspace.

However some cases actually really want to require the
fd to have fsverity - so add an API to do that.

Signed-off-by: Colin Walters <[email protected]>


writer: Canonicalize no-verity errno to -ENOVERITY

This is what we do elsewhere.

Signed-off-by: Colin Walters <[email protected]>


lib/mount: Use lcfs_fd_measure_fsverity

This is ensuring we have our fsverity ioctl parsing code in
one place.

Signed-off-by: Colin Walters <[email protected]>


rust: Bind lcfs_fd_measure_fsverity

This is a reasonable thing to want to do.

Signed-off-by: Colin Walters <[email protected]>


@cgwalters force-pushed the add-fd-require-verity branch from 1b3e9fc to 0c39a47 on November 6, 2024 01:39
@cgwalters force-pushed the add-fd-require-verity branch from 0c39a47 to 955a594 on November 6, 2024 13:06
@cgwalters changed the title from "lib: Add lcfs_fd_require_fsverity" to "lib: Add lcfs_fd_measure_fsverity" on Nov 6, 2024

@cgwalters (Contributor, Author) commented:
test-lcfs: ../tests/test-lcfs.c:91: test_no_verity: Assertion `errsv == ENOVERITY' failed.

But only on s390x?? Hmm...

@cgwalters (Contributor, Author) commented:
Hummm I would bet money this is something like the run-on-arch action using qemu's userspace emulation which probably doesn't implement the ioctl so we're getting ENOSYS

@cgwalters force-pushed the add-fd-require-verity branch 2 times, most recently from 272536b to 154ec89 on November 6, 2024 13:38

@cgwalters (Contributor, Author) commented:
OK, this passes CI now.

@cgwalters enabled auto-merge on November 6, 2024 15:31

Commit messages of the final revision:

We may get ENOSYS from qemu userspace emulation not implementing the ioctl.

Signed-off-by: Colin Walters <[email protected]>
Adapted from an equivalent patch by Simon for ostree:
ostreedev/ostree@67ed2ac

Reported-by: Simon McVittie <[email protected]>
Signed-off-by: Colin Walters <[email protected]>
@cgwalters cgwalters merged commit 640eb95 into containers:main Nov 19, 2024
13 checks passed