lib: Add lcfs_fd_measure_fsverity #394
Merged
cgwalters force-pushed the add-fd-require-verity branch from 1b3e9fc to 0c39a47 (November 6, 2024 01:39)
cgwalters force-pushed the add-fd-require-verity branch from 0c39a47 to 955a594 (November 6, 2024 13:06)
cgwalters changed the title from "lib: Add lcfs_fd_require_fsverity" to "lib: Add lcfs_fd_measure_fsverity" (Nov 6, 2024)
But only on s390x?? Hmm...
Hummm I would bet money this is something like the run-on-arch action using qemu's userspace emulation which probably doesn't implement the ioctl so we're getting ENOSYS
cgwalters force-pushed the add-fd-require-verity branch 2 times, most recently from 272536b to 154ec89 (November 6, 2024 13:38)
OK, this passes CI now.
We may get ENOSYS from qemu userspace emulation not implementing the ioctl.
Signed-off-by: Colin Walters <[email protected]>
cgwalters force-pushed the add-fd-require-verity branch from 154ec89 to d771778 (November 6, 2024 20:14)
smcv reviewed Nov 15, 2024
Adapted from an equivalent patch by Simon for ostree: ostreedev/ostree@67ed2ac
Reported-by: Simon McVittie <[email protected]>
Signed-off-by: Colin Walters <[email protected]>
jluebbe approved these changes Nov 19, 2024
lib: Add lcfs_fd_measure_fsverity
Our history with fsverity APIs is a bit messy. For now historical
reasons lcfs_fd_get_fsverity tries to query the kernel (via ioctl)
but will silently fall back to userspace computation - which
is sometimes desirable, other times not.
We also have lcfs_fd_compute_fsverity which is unconditionally
userspace.
However some cases actually really want to require the
fd to have fsverity - so add an API to do that.
Signed-off-by: Colin Walters [email protected]
writer: Canonicalize no-verity errno to -ENOVERITY
This is what we do elsewhere.
Signed-off-by: Colin Walters [email protected]
lib/mount: Use lcfs_fd_measure_fsverity
This is ensuring we have our fsverity ioctl parsing code in
one place.
Signed-off-by: Colin Walters [email protected]
rust: Bind lcfs_fd_measure_fsverity
This is a reasonable thing to want to do.
Signed-off-by: Colin Walters [email protected]
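
The difference the first commit message draws between "query the kernel, silently fall back to userspace" and "require the fd to have fsverity" can be seen in a strict caller of the `FS_IOC_MEASURE_VERITY` ioctl. The following is an added example, not code from this pull request or from composefs. The names `strict_measure` and `classify_measure_errno`, the result codes, and the grouping of errno values (including the `ENOSYS` case discussed in the thread) are assumptions made for illustration and do not reproduce the library's `-ENOVERITY` mapping.

```c
/* Added example, not composefs code: kernel-only fs-verity measurement. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <linux/fsverity.h>
#define MAX_DIGEST 64 /* room for a SHA-512 digest */
/* Hypothetical result codes, chosen for this example only. */
enum { MEASURE_OK = 0, MEASURE_NO_VERITY = -1, MEASURE_UNSUPPORTED = -2, MEASURE_ERROR = -3 };

/* Collapse the errno of a failed FS_IOC_MEASURE_VERITY into one result. */
static int classify_measure_errno(int err)
{
	switch (err) {
	case ENODATA: return MEASURE_NO_VERITY;   /* file has no fs-verity */
	case ENOTTY: case EOPNOTSUPP:             /* filesystem or kernel lacks it */
	case ENOSYS: return MEASURE_UNSUPPORTED;  /* e.g. emulation without the ioctl */
	default: return MEASURE_ERROR;
	}
}

/* Kernel measurement only: failure is reported, never replaced by a userspace hash. */
static int strict_measure(int fd, unsigned char *digest, size_t *len)
{
	union {
		struct fsverity_digest d;
		unsigned char raw[sizeof(struct fsverity_digest) + MAX_DIGEST];
	} buf;
	memset(&buf, 0, sizeof(buf));
	buf.d.digest_size = MAX_DIGEST;
	if (ioctl(fd, FS_IOC_MEASURE_VERITY, &buf) != 0)
		return classify_measure_errno(errno);
	if (buf.d.digest_size > MAX_DIGEST)
		return MEASURE_ERROR;
	*len = buf.d.digest_size;
	memcpy(digest, buf.raw + offsetof(struct fsverity_digest, digest), *len);
	return MEASURE_OK;
}

int main(int argc, char **argv)
{
	unsigned char digest[MAX_DIGEST];
	size_t len = 0;
	int fd = open(argc > 1 ? argv[1] : "/dev/null", O_RDONLY);
	int r = fd < 0 ? MEASURE_ERROR : strict_measure(fd, digest, &len);
	printf("result=%d digest_len=%zu\n", r, len);
	return r == MEASURE_OK ? 0 : 1;
}
```

A caller that needs the kernel's integrity guarantee treats every result other than `MEASURE_OK` as a hard failure; a digest computed in userspace only describes the bytes read at that moment and says nothing about whether the kernel enforces them on later reads.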