Re: [PATCH v3 05/28] fs: add FS_XFLAG_VERITY for fs-verity sealed inodes


 



On Fri, Oct 06, 2023 at 08:48:59PM +0200, Andrey Albershteyn wrote:
> Add extended file attribute FS_XFLAG_VERITY for inodes sealed with
> fs-verity.
> 
> Signed-off-by: Andrey Albershteyn <aalbersh@xxxxxxxxxx>
> ---
>  Documentation/filesystems/fsverity.rst | 9 +++++++++
>  include/uapi/linux/fs.h                | 1 +
>  2 files changed, 10 insertions(+)
> 
> diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst
> index 13e4b18e5dbb..af889512c6ac 100644
> --- a/Documentation/filesystems/fsverity.rst
> +++ b/Documentation/filesystems/fsverity.rst
> @@ -326,6 +326,15 @@ the file has fs-verity enabled.  This can perform better than
>  FS_IOC_GETFLAGS and FS_IOC_MEASURE_VERITY because it doesn't require
>  opening the file, and opening verity files can be expensive.
>  
> +Extended file attributes
> +------------------------
> +
> +For fs-verity sealed files the FS_XFLAG_VERITY extended file
> +attribute is set. The attribute can be observed via lsattr.
> +
> +    [root@vm:~]# lsattr /mnt/test/foo
> +    --------------------V- /mnt/test/foo
> +
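
Review bot: In the new "Extended file attributes" section, the sentence introducing the lsattr example ends with "lsattr." rather than "lsattr::", so reST will render the two indented lines as a block quote instead of a literal block. Suggest ending the sentence with "The attribute can be observed via lsattr::" so the prompt and the flag string are rendered verbatim.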

There's currently nowhere in the documentation or code that uses the phrase
"fs-verity sealed file".  It's instead called a verity file, or a file that has
fs-verity enabled.  I suggest we try to avoid inconsistent terminology.

Also, it should be mentioned which kernel versions this works on.

See for example what the statx section of the documentation says just above the
new section that you're adding:

    Since Linux v5.5, the statx() system call sets STATX_ATTR_VERITY if
    the file has fs-verity enabled.

Also, is FS_XFLAG_VERITY going to work on all filesystems?  The existing ways to
query the verity flag work on all filesystems.  Hopefully any new API will too.

Also, "Extended file attributes" is easily confused with, well, extended file
attributes (xattrs).  It should be made clear that this is talking about the
FS_IOC_FSGETXATTR ioctl, not real xattrs.

Also, it should be made clear that FS_XFLAG_VERITY cannot be set using
FS_IOC_FSSETXATTR.  See e.g. how the existing documentation says that
FS_IOC_GETFLAGS can get FS_VERITY_FL but FS_IOC_SETFLAGS cannot set it.

- Eric



