On Tue, Apr 02, 2024 at 04:45:58PM -0700, Eric Biggers wrote:
> On Tue, Apr 02, 2024 at 03:52:16PM -0700, Darrick J. Wong wrote:
> > On Tue, Apr 02, 2024 at 04:00:06PM -0400, Colin Walters wrote:
> > >
> > >
> > > On Fri, Mar 29, 2024, at 8:43 PM, Darrick J. Wong wrote:
> > > > From: Darrick J. Wong <djwong@xxxxxxxxxx>
> > > >
> > > > There are more things that one can do with an open file descriptor on
> > > > XFS -- query extended attributes, scan for metadata damage, repair
> > > > metadata, etc. None of this is possible if the fsverity metadata are
> > > > damaged, because that prevents the file from being opened.
> > > >
> > > > Ignore a selective set of error codes that we know fsverity_file_open to
> > > > return if the verity descriptor is nonsense.
> > > >
> > > > Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
> > > > ---
> > > > fs/iomap/buffered-io.c | 8 ++++++++
> > > > fs/xfs/xfs_file.c | 19 ++++++++++++++++++-
> > > > 2 files changed, 26 insertions(+), 1 deletion(-)
> > > >
> > > >
> > > > diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
> > > > index 9f9d929dfeebc..e68a15b72dbdd 100644
> > > > --- a/fs/iomap/buffered-io.c
> > > > +++ b/fs/iomap/buffered-io.c
> > > > @@ -487,6 +487,14 @@ static loff_t iomap_readpage_iter(const struct
> > > > iomap_iter *iter,
> > > > size_t poff, plen;
> > > > sector_t sector;
> > > >
> > > > + /*
> > > > + * If this verity file hasn't been activated, fail read attempts. This
> > > > + * can happen if the calling filesystem allows files to be opened even
> > > > + * with damaged verity metadata.
> > > > + */
> > > > + if (IS_VERITY(iter->inode) && !fsverity_active(iter->inode))
> > > > + return -EIO;
> > > > +
> > > > if (iomap->type == IOMAP_INLINE)
> > > > return iomap_read_inline_data(iter, folio);
> > > >
> > > > diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
> > > > index c0b3e8146b753..36034eaefbf55 100644
> > > > --- a/fs/xfs/xfs_file.c
> > > > +++ b/fs/xfs/xfs_file.c
> > > > @@ -1431,8 +1431,25 @@ xfs_file_open(
> > > > FMODE_DIO_PARALLEL_WRITE | FMODE_CAN_ODIRECT;
> > > >
> > > > error = fsverity_file_open(inode, file);
> > > > - if (error)
> > > > + switch (error) {
> > > > + case -EFBIG:
> > > > + case -EINVAL:
> > > > + case -EMSGSIZE:
> > > > + case -EFSCORRUPTED:
> > > > + /*
> > > > + * Be selective about which fsverity errors we propagate to
> > > > + * userspace; we still want to be able to open this file even
> > > > + * if reads don't work. Someone might want to perform an
> > > > + * online repair.
> > > > + */
> > > > + if (has_capability_noaudit(current, CAP_SYS_ADMIN))
> > > > + break;
> > >
> > > As I understand it, fsverity (and dm-verity) are desirable in
> > > high-safety and integrity requirement cases where the goal is for the
> > > system to "fail closed" if errors in general are detected; anything
> > > that would have the system be in an ill-defined state.
> >
> > Is "open() fails if verity metadata are trashed" a hard requirement?
> >
> > Reads will still fail due to (iomap) readahead returning EIO for a file
> > that is IS_VERITY() && !fsverity_active(). This is (afaict) the state
> > you end up with when the fsverity open fails. ext4/f2fs don't do that,
> > but they also don't have online fsck so once a file's dead it's dead.
> >
>
> We really should have the same behavior on all filesystems, and that behavior
> should be documented in Documentation/filesystems/fsverity.rst. I guess you
> want this for XFS_IOC_SCRUB_METADATA?
Yes. xfs_scrub tries to open every regular file that it can, but if the
fsverity metadata is too badly damaged then the open() returns EMSGSIZE
or EINVAL or something. The EMSGSIZE is particularly nasty since it's
not listed in the openat() manpage as a possible error code, which
surprised me.
> That takes in an inode number directly,
> in xfs_scrub_metadata::sm_ino; does it even need to be executed on the same file
> it's checking?
<nod> The metadata repairs themselves can use scrub-by-handle mode, so
it's not *so* hard to handle it gracefully.
> Anyway, allowing the open means that the case of IS_VERITY() &&
> !fsverity_active() needs to be handled later in any case when I/O may be done to
> the file. We need to be super careful to ensure that all cases are handled.
I /think/ most everything else is gated on IS_VERITY, right?
> Even just considering this patchset and XFS only, it looks like you got it wrong
> in xfs_file_read_iter(). You're allowing direct I/O to files that have
> IS_VERITY() && !fsverity_active().
Ahaha, yeah, that needs to be changed to:
else if ((iocb->ki_flags & IOCB_DIRECT) && !IS_VERITY(inode))
ret = xfs_file_dio_read(iocb, to);
Good catch.
> This change also invalidates the documentation for fsverity_active() which is:
>
> /**
> * fsverity_active() - do reads from the inode need to go through fs-verity?
> * @inode: inode to check
> *
> * This checks whether ->i_verity_info has been set.
> *
> * Filesystems call this from ->readahead() to check whether the pages need to
> * be verified or not. Don't use IS_VERITY() for this purpose; it's subject to
> * a race condition where the file is being read concurrently with
> * FS_IOC_ENABLE_VERITY completing. (S_VERITY is set before ->i_verity_info.)
> *
> * Return: true if reads need to go through fs-verity, otherwise false
> */
>
> I think that if you'd like to move forward with this, it would take a patchset
> that brings the behavior to all filesystems and considers all callers of
> fsverity_active().
<nod> If you think it's a reasonable thing to allow, then I'll of course
apply it to btr/ext4/f2fs.
> Another consideration will be whether the fsverity builtin signature not
> matching the file, not being trusted, or being malformed counts as "the fsverity
> metadata being damaged".
<shrug> Can you easily check that in the open routine? I figured that
signature validation problems would manifest as read errors.
--D
> - Eric
>
