On Wed, Jan 28, 2026 at 09:38:53PM +0000, Matthew Wilcox wrote:
> On Mon, Jan 26, 2026 at 12:12:06PM -0800, Eric Biggers wrote:
> > When CONFIG_FS_VERITY=n, there can still be inodes that have fsverity
> > enabled, since they might have already been present on the filesystem.
> > The S_VERITY flag and the corresponding IS_VERITY() macro are being used
> > to identify such inodes and handle them appropriately.
> >
> > Consider fsverity_file_open() for example:
> >
> > static inline int fsverity_file_open(struct inode *inode, struct file *filp)
> > {
> > if (IS_VERITY(inode))
> > return __fsverity_file_open(inode, filp);
> > return 0;
> > }
> >
> > When CONFIG_FS_VERITY=n, __fsverity_file_open() resolves to the stub:
> >
> > static inline int __fsverity_file_open(struct inode *inode, struct file
> > *filp)
> > {
> > return -EOPNOTSUPP;
> > }
> >
> > So the result is that on a kernel that doesn't have fsverity support
> > enabled, trying to open an fsverity file fails with EOPNOTSUPP.
>
> ... why? If the user has built a kernel without VERITY support enabled,
> they're no longer allowed to open files with verity metadata? I can't
> see the harm in allowing them to read these files, they're just not
> protected against these files being corrupted.
Reading could be allowed, in principle. But open and truncate would
still need to deny writes, and the code to do that uses IS_VERITY(). So
it still wouldn't allow S_VERITY to be defined to 0, unless these checks
were updated to use the filesystem-specific flags as I mentioned.
- Eric
_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
