This is a preparation patch for adding a second sysctl to fs-verity. Move the sysctl logic into its own file, so we can add more sysctls unrelated to signatures.
Signed-off-by: Boris Burkov <boris@xxxxxx>
---
fs/verity/Makefile | 2 ++
fs/verity/fsverity_private.h | 14 ++++++++++
fs/verity/init.c | 7 ++++-
fs/verity/signature.c | 54 +-----------------------------------
fs/verity/sysctl.c | 51 ++++++++++++++++++++++++++++++++++
5 files changed, 74 insertions(+), 54 deletions(-)
create mode 100644 fs/verity/sysctl.c
diff --git a/fs/verity/Makefile b/fs/verity/Makefile
index 435559a4fa9e..81a468ca0131 100644
--- a/fs/verity/Makefile
+++ b/fs/verity/Makefile
@@ -9,3 +9,5 @@ obj-$(CONFIG_FS_VERITY) += enable.o \
 verify.o
 obj-$(CONFIG_FS_VERITY_BUILTIN_SIGNATURES) += signature.o
+
+obj-$(CONFIG_SYSCTL) += sysctl.o
diff --git a/fs/verity/fsverity_private.h b/fs/verity/fsverity_private.h
index a7920434bae5..c416c1cd9371 100644
--- a/fs/verity/fsverity_private.h
+++ b/fs/verity/fsverity_private.h
@@ -136,6 +136,20 @@ int fsverity_get_descriptor(struct inode *inode,
 int __init fsverity_init_info_cache(void);
 void __init fsverity_exit_info_cache(void);
+/* sysctl.c */
+#ifdef CONFIG_SYSCTL
+int __init fsverity_sysctl_init(void);
+void __init fsverity_exit_sysctl(void);
+#else /* !CONFIG_SYSCTL */
+static inline int __init fsverity_sysctl_init(void)
+{
+ return 0;
+}
+static inline void __init fsverity_exit_sysctl(void)
+{
+}
+#endif /* !CONFIG_SYSCTL */
+
 /* signature.c */
 #ifdef CONFIG_FS_VERITY_BUILTIN_SIGNATURES
diff --git a/fs/verity/init.c b/fs/verity/init.c
index c98b7016f446..bd16495e8adf 100644
--- a/fs/verity/init.c
+++ b/fs/verity/init.c
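Review bot: The added `obj-$(CONFIG_SYSCTL) += sysctl.o` line compiles the new sysctl.c only when CONFIG_SYSCTL is set, yet sysctl.c now holds the sole definition of `fsverity_require_signatures`, which signature.c still references through `extern int fsverity_require_signatures;` (and presumably reads in `fsverity_verify_signature`, whose body is outside this patch). A CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y, CONFIG_SYSCTL=n kernel therefore fails to link, where before the patch the variable was a static in signature.c that simply stayed 0. Since sysctl.c already wraps the registration code in `#ifdef CONFIG_SYSCTL` and keeps the variable outside it, build the object unconditionally: `obj-$(CONFIG_FS_VERITY) += sysctl.o`, or add `sysctl.o` to the `obj-$(CONFIG_FS_VERITY) +=` list above this hunk.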
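Review bot: The new prototype pair `fsverity_sysctl_init` / `fsverity_exit_sysctl` is inconsistent with itself and with the neighbouring `fsverity_init_info_cache` / `fsverity_exit_info_cache` and `fsverity_init_signature` in this header, which all put the verb first. Renaming the init side in both the real prototype and the `!CONFIG_SYSCTL` stub, `int __init fsverity_init_sysctl(void);` and `static inline int __init fsverity_init_sysctl(void)`, keeps the file's naming pattern and the error labels in init.c readable; the definition in sysctl.c and the call in init.c would follow. The `__init` on the exit function is fine as long as it is only reached from the init-time error path, which is the only caller this patch adds, but a one-line comment saying so next to the prototype would stop a future non-init caller from tripping a section mismatch.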
@@ -45,13 +45,18 @@ static int __init fsverity_init(void)
 if (err)
 goto err_exit_info_cache;
- err = fsverity_init_signature();
+ err = fsverity_sysctl_init();
 if (err)
 goto err_exit_workqueue;
+ err = fsverity_init_signature();
+ if (err)
+ goto err_exit_sysctl;
 pr_debug("Initialized fs-verity\n");
 return 0;
+err_exit_sysctl:
+ fsverity_exit_sysctl();
 err_exit_workqueue:
 fsverity_exit_workqueue();
 err_exit_info_cache:
diff --git a/fs/verity/signature.c b/fs/verity/signature.c
index 143a530a8008..67a471e4b570 100644
--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -12,11 +12,7 @@
 #include <linux/slab.h>
 #include <linux/verification.h>
-/*
- * /proc/sys/fs/verity/require_signatures
- * If 1, all verity files must have a valid builtin signature.
- */
-static int fsverity_require_signatures;
+extern int fsverity_require_signatures;
 /*
 * Keyring that contains the trusted X.509 certificates.
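Review bot: The replacement line `extern int fsverity_require_signatures;` puts an extern declaration in a .c file, which checkpatch flags ("externs should be avoided in .c files") and which lets this declaration and the definition in sysctl.c drift apart without the compiler noticing. Declare it once in fsverity_private.h under the `/* sysctl.c */` comment this patch adds there, `extern int fsverity_require_signatures;`, and drop the line here; signature.c presumably already includes that header (its include block starts above this hunk). This also keeps the policy knob visible to any other fs-verity file that later needs to consult it, which the commit message says is the point of the split.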
@@ -87,49 +83,9 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 return 0;
 }
-#ifdef CONFIG_SYSCTL
-static struct ctl_table_header *fsverity_sysctl_header;
-
-static const struct ctl_path fsverity_sysctl_path[] = {
- { .procname = "fs", },
- { .procname = "verity", },
- { }
-};
-
-static struct ctl_table fsverity_sysctl_table[] = {
- {
- .procname = "require_signatures",
- .data = &fsverity_require_signatures,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = proc_dointvec_minmax,
- .extra1 = SYSCTL_ZERO,
- .extra2 = SYSCTL_ONE,
- },
- { }
-};
-
-static int __init fsverity_sysctl_init(void)
-{
- fsverity_sysctl_header = register_sysctl_paths(fsverity_sysctl_path,
- fsverity_sysctl_table);
- if (!fsverity_sysctl_header) {
- pr_err("sysctl registration failed!\n");
- return -ENOMEM;
- }
- return 0;
-}
-#else /* !CONFIG_SYSCTL */
-static inline int __init fsverity_sysctl_init(void)
-{
- return 0;
-}
-#endif /* !CONFIG_SYSCTL */
-
 int __init fsverity_init_signature(void)
 {
 struct key *ring;
- int err;
 ring = keyring_alloc(".fs-verity", KUIDT_INIT(0), KGIDT_INIT(0),
 current_cred(), KEY_POS_SEARCH |
@@ -139,14 +95,6 @@ int __init fsverity_init_signature(void)
 if (IS_ERR(ring))
 return PTR_ERR(ring);
- err = fsverity_sysctl_init();
- if (err)
- goto err_put_ring;
-
 fsverity_keyring = ring;
 return 0;
-
-err_put_ring:
- key_put(ring);
- return err;
 }
diff --git a/fs/verity/sysctl.c b/fs/verity/sysctl.c
new file mode 100644
index 000000000000..3ba7b02282db
--- /dev/null
+++ b/fs/verity/sysctl.c
@@ -0,0 +1,51 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include "fsverity_private.h"
+
+#include <linux/sysctl.h>
+
+/*
+ * /proc/sys/fs/verity/require_signatures
+ * If 1, all verity files must have a valid builtin signature.
+ */
+int fsverity_require_signatures;
+
+#ifdef CONFIG_SYSCTL
+static struct ctl_table_header *fsverity_sysctl_header;
+
+static const struct ctl_path fsverity_sysctl_path[] = {
+ { .procname = "fs", },
+ { .procname = "verity", },
+ { }
+};
+
+static struct ctl_table fsverity_sysctl_table[] = {
+ {
+ .procname = "require_signatures",
+ .data = &fsverity_require_signatures,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+ { }
+};
+
+int __init fsverity_sysctl_init(void)
+{
+ fsverity_sysctl_header = register_sysctl_paths(fsverity_sysctl_path,
+ fsverity_sysctl_table);
+ if (!fsverity_sysctl_header) {
+ pr_err("sysctl registration failed!\n");
+ return -ENOMEM;
+ }
+ return 0;
+}
+
+void __init fsverity_exit_sysctl(void)
+{
+ unregister_sysctl_table(fsverity_sysctl_header);
+ fsverity_sysctl_header = NULL;
+}
+#endif /* !CONFIG_SYSCTL */
--
2.30.2
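Review bot: The closing `#endif /* !CONFIG_SYSCTL */` on the last added line is mislabelled: in signature.c that comment closed an `#else /* !CONFIG_SYSCTL */` branch, but in this file the `#ifdef CONFIG_SYSCTL` has no `#else`, so it should read `#endif /* CONFIG_SYSCTL */`. The file also carries no header comment beyond the SPDX tag, and the one non-obvious design choice here is that `int fsverity_require_signatures;` sits above the `#ifdef` so the symbol exists even when sysctl support is compiled out; a two-line comment stating that, and that it defaults to 0 because it is a zero-initialised global, would save the next reader from "fixing" it by moving it inside. While touching the knob's comment, it is worth recording the practitioner-relevant facts visible in the table: the entry is `0644`, so only root can flip it, and `proc_dointvec_minmax` with `SYSCTL_ZERO`/`SYSCTL_ONE` rejects anything but 0 or 1.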