On Tue, Apr 02, 2024 at 03:52:16PM -0700, Darrick J. Wong wrote:
> On Tue, Apr 02, 2024 at 04:00:06PM -0400, Colin Walters wrote:
> >
> >
> > On Fri, Mar 29, 2024, at 8:43 PM, Darrick J. Wong wrote:
> > > From: Darrick J. Wong <djwong@xxxxxxxxxx>
> > >
> > > There are more things that one can do with an open file descriptor on
> > > XFS -- query extended attributes, scan for metadata damage, repair
> > > metadata, etc. None of this is possible if the fsverity metadata are
> > > damaged, because that prevents the file from being opened.
> > >
> > > Ignore a selective set of error codes that we know fsverity_file_open to
> > > return if the verity descriptor is nonsense.
> > >
> > > Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
> > > ---
> > > fs/iomap/buffered-io.c | 8 ++++++++
> > > fs/xfs/xfs_file.c | 19 ++++++++++++++++++-
> > > 2 files changed, 26 insertions(+), 1 deletion(-)
> > >
> > >
> > > diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
> > > index 9f9d929dfeebc..e68a15b72dbdd 100644
> > > --- a/fs/iomap/buffered-io.c
> > > +++ b/fs/iomap/buffered-io.c
> > > @@ -487,6 +487,14 @@ static loff_t iomap_readpage_iter(const struct
> > > iomap_iter *iter,
> > > size_t poff, plen;
> > > sector_t sector;
> > >
> > > + /*
> > > + * If this verity file hasn't been activated, fail read attempts. This
> > > + * can happen if the calling filesystem allows files to be opened even
> > > + * with damaged verity metadata.
> > > + */
> > > + if (IS_VERITY(iter->inode) && !fsverity_active(iter->inode))
> > > + return -EIO;
> > > +
> > > if (iomap->type == IOMAP_INLINE)
> > > return iomap_read_inline_data(iter, folio);
> > >
> > > diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
> > > index c0b3e8146b753..36034eaefbf55 100644
> > > --- a/fs/xfs/xfs_file.c
> > > +++ b/fs/xfs/xfs_file.c
> > > @@ -1431,8 +1431,25 @@ xfs_file_open(
> > > FMODE_DIO_PARALLEL_WRITE | FMODE_CAN_ODIRECT;
> > >
> > > error = fsverity_file_open(inode, file);
> > > - if (error)
> > > + switch (error) {
> > > + case -EFBIG:
> > > + case -EINVAL:
> > > + case -EMSGSIZE:
> > > + case -EFSCORRUPTED:
> > > + /*
> > > + * Be selective about which fsverity errors we propagate to
> > > + * userspace; we still want to be able to open this file even
> > > + * if reads don't work. Someone might want to perform an
> > > + * online repair.
> > > + */
> > > + if (has_capability_noaudit(current, CAP_SYS_ADMIN))
> > > + break;
> >
> > As I understand it, fsverity (and dm-verity) are desirable in
> > high-safety and integrity requirement cases where the goal is for the
> > system to "fail closed" if errors in general are detected; anything
> > that would have the system be in an ill-defined state.
>
> Is "open() fails if verity metadata are trashed" a hard requirement?
>
> Reads will still fail due to (iomap) readahead returning EIO for a file
> that is IS_VERITY() && !fsverity_active(). This is (afaict) the state
> you end up with when the fsverity open fails. ext4/f2fs don't do that,
> but they also don't have online fsck so once a file's dead it's dead.
>
We really should have the same behavior on all filesystems, and that behavior
should be documented in Documentation/filesystems/fsverity.rst. I guess you
want this for XFS_IOC_SCRUB_METADATA? That takes in an inode number directly,
in xfs_scrub_metadata::sm_ino; does it even need to be executed on the same file
it's checking? Anyway, allowing the open means that the case of IS_VERITY() &&
!fsverity_active() needs to be handled later in any case when I/O may be done to
the file. We need to be super careful to ensure that all cases are handled.
Even just considering this patchset and XFS only, it looks like you got it wrong
in xfs_file_read_iter(). You're allowing direct I/O to files that have
IS_VERITY() && !fsverity_active().
This change also invalidates the documentation for fsverity_active() which is:
/**
* fsverity_active() - do reads from the inode need to go through fs-verity?
* @inode: inode to check
*
* This checks whether ->i_verity_info has been set.
*
* Filesystems call this from ->readahead() to check whether the pages need to
* be verified or not. Don't use IS_VERITY() for this purpose; it's subject to
* a race condition where the file is being read concurrently with
* FS_IOC_ENABLE_VERITY completing. (S_VERITY is set before ->i_verity_info.)
*
* Return: true if reads need to go through fs-verity, otherwise false
*/
I think that if you'd like to move forward with this, it would take a patchset
that brings the behavior to all filesystems and considers all callers of
fsverity_active().
Another consideration will be whether the fsverity builtin signature not
matching the file, not being trusted, or being malformed counts as "the fsverity
metadata being damaged".
- Eric
