
fsverity: move sysctl registration out of signature.c

Currently the registration of the fsverity sysctls happens in
signature.c, which couples it to CONFIG_FS_VERITY_BUILTIN_SIGNATURES.

This makes it hard to add new sysctls unrelated to builtin signatures.

Also, some users have started checking whether the directory
/proc/sys/fs/verity exists as a way to tell whether fsverity is
supported. This isn't the intended method; instead, the existence of
/sys/fs/$fstype/features/verity should be checked, or users should just
try to use the fsverity ioctls. Regardless, it should be made to work
as expected without a dependency on CONFIG_FS_VERITY_BUILTIN_SIGNATURES.

Therefore, move the sysctl registration into init.c. With
CONFIG_FS_VERITY_BUILTIN_SIGNATURES, nothing changes. Without it, but
with CONFIG_FS_VERITY, an empty list of sysctls is now registered.

Link: https://lore.kernel.org/r/20230705212743.42180-3-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>

+34 -32
+1
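--- a/fs/verity/fsverity_private.h
+++ b/fs/verity/fsverity_private.h
@@ -123,6 +123,7 @@
 /* signature.c */
 
 #ifdef CONFIG_FS_VERITY_BUILTIN_SIGNATURES
+extern int fsverity_require_signatures;
 int fsverity_verify_signature(const struct fsverity_info *vi,
 			       const u8 *signature, size_t sig_size);
 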
+32
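--- a/fs/verity/init.c
+++ b/fs/verity/init.c
@@ -9,6 +9,37 @@
 
 #include <linux/ratelimit.h>
 
+#ifdef CONFIG_SYSCTL
+static struct ctl_table_header *fsverity_sysctl_header;
+
+static struct ctl_table fsverity_sysctl_table[] = {
+#ifdef CONFIG_FS_VERITY_BUILTIN_SIGNATURES
+	{
+		.procname = "require_signatures",
+		.data = &fsverity_require_signatures,
+		.maxlen = sizeof(int),
+		.mode = 0644,
+		.proc_handler = proc_dointvec_minmax,
+		.extra1 = SYSCTL_ZERO,
+		.extra2 = SYSCTL_ONE,
+	},
+#endif
+	{ }
+};
+
+static void __init fsverity_init_sysctl(void)
+{
+	fsverity_sysctl_header = register_sysctl("fs/verity",
+						 fsverity_sysctl_table);
+	if (!fsverity_sysctl_header)
+		panic("fsverity sysctl registration failed");
+}
+#else /* CONFIG_SYSCTL */
+static inline void fsverity_init_sysctl(void)
+{
+}
+#endif /* !CONFIG_SYSCTL */
+
 void fsverity_msg(const struct inode *inode, const char *level,
 		  const char *fmt, ...)
 {
@@ -36,6 +67,7 @@
 	fsverity_check_hash_algs();
 	fsverity_init_info_cache();
 	fsverity_init_workqueue();
+	fsverity_init_sysctl();
 	fsverity_init_signature();
 	return 0;
 }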
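Review bot: The `#else /* CONFIG_SYSCTL */` annotation in the new fsverity_init_sysctl block contradicts the `#endif /* !CONFIG_SYSCTL */` three lines below it, and the copy being removed from signature.c annotated the same `#else` as `/* !CONFIG_SYSCTL */`; use one form for both, e.g. `#else /* !CONFIG_SYSCTL */`. The `require_signatures` table entry also arrives here without the one-line description that sits beside the variable in signature.c, so a reader of this table no longer sees what the knob means; a comment above the entry such as `/* 1 => every verity file must have a valid builtin signature; see signature.c */` would restore that. Nothing in this hunk reads `fsverity_sysctl_header` after the assignment; if, as the old code suggests, it is never unregistered, the static could go and the check become `if (!register_sysctl("fs/verity", fsverity_sysctl_table))`, though that pattern pre-dates the move and is optional.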
+1 -32
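--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -24,7 +24,7 @@
  * /proc/sys/fs/verity/require_signatures
  * If 1, all verity files must have a valid builtin signature.
  */
-static int fsverity_require_signatures;
+int fsverity_require_signatures;
 
 /*
  * Keyring that contains the trusted X.509 certificates.
@@ -93,35 +93,6 @@
 	return 0;
 }
 
-#ifdef CONFIG_SYSCTL
-static struct ctl_table_header *fsverity_sysctl_header;
-
-static struct ctl_table fsverity_sysctl_table[] = {
-	{
-		.procname = "require_signatures",
-		.data = &fsverity_require_signatures,
-		.maxlen = sizeof(int),
-		.mode = 0644,
-		.proc_handler = proc_dointvec_minmax,
-		.extra1 = SYSCTL_ZERO,
-		.extra2 = SYSCTL_ONE,
-	},
-	{ }
-};
-
-static void __init fsverity_sysctl_init(void)
-{
-	fsverity_sysctl_header = register_sysctl("fs/verity",
-						 fsverity_sysctl_table);
-	if (!fsverity_sysctl_header)
-		panic("fsverity sysctl registration failed");
-}
-#else /* !CONFIG_SYSCTL */
-static inline void fsverity_sysctl_init(void)
-{
-}
-#endif /* !CONFIG_SYSCTL */
-
 void __init fsverity_init_signature(void)
 {
 	fsverity_keyring =
@@ -132,6 +103,4 @@
 			      KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
 	if (IS_ERR(fsverity_keyring))
 		panic("failed to allocate \".fs-verity\" keyring");
-
-	fsverity_sysctl_init();
 }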
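Review bot: `fsverity_require_signatures` becomes a non-static global on the changed line, but the comment block kept above it still only names the /proc path, while the sysctl entry that writes it now lives in init.c, so a reader of this definition cannot tell who else touches it. Extend that comment, e.g. `* Backing store for the /proc/sys/fs/verity/require_signatures sysctl, which is registered from init.c.`, so the cross-file link is documented at the definition rather than only at the table.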