Commit a6528a96 authored by Eric Biggers's avatar Eric Biggers
Browse files

fsverity: optimize fsverity_file_open() on non-verity files 



Make fsverity_file_open() an inline function that does the IS_VERITY()
check, then (if needed) calls __fsverity_file_open() to do the real
work.  This reduces the overhead on non-verity files.

Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Acked-by: default avatarDave Chinner <dchinner@redhat.com>
Link: https://lore.kernel.org/r/20221214224304.145712-2-ebiggers@kernel.org
parent 88603b6d

fs/verity/open.c

+2 −18
Original line number Diff line number Diff line
@@ -325,24 +325,8 @@ static int ensure_verity_info(struct inode *inode) 
	return err;

}



/**

 * fsverity_file_open() - prepare to open a verity file

 * @inode: the inode being opened

 * @filp: the struct file being set up

 *

 * When opening a verity file, deny the open if it is for writing.  Otherwise,

 * set up the inode's ->i_verity_info if not already done.

 *

 * When combined with fscrypt, this must be called after fscrypt_file_open().

 * Otherwise, we won't have the key set up to decrypt the verity metadata.

 *

 * Return: 0 on success, -errno on failure

 */

int fsverity_file_open(struct inode *inode, struct file *filp)

int __fsverity_file_open(struct inode *inode, struct file *filp)

{

	if (!IS_VERITY(inode))

		return 0;



	if (filp->f_mode & FMODE_WRITE) {

		pr_debug("Denying opening verity file (ino %lu) for write\n",

			 inode->i_ino);
@@ -351,7 +335,7 @@ int fsverity_file_open(struct inode *inode, struct file *filp) 


	return ensure_verity_info(inode);

}

EXPORT_SYMBOL_GPL(fsverity_file_open);

EXPORT_SYMBOL_GPL(__fsverity_file_open);



/**

 * fsverity_prepare_setattr() - prepare to change a verity inode's attributes

include/linux/fsverity.h

+23 −3
Original line number Diff line number Diff line
@@ -148,7 +148,7 @@ int fsverity_get_digest(struct inode *inode, 


/* open.c */



int fsverity_file_open(struct inode *inode, struct file *filp);

int __fsverity_file_open(struct inode *inode, struct file *filp);

int fsverity_prepare_setattr(struct dentry *dentry, struct iattr *attr);

void fsverity_cleanup_inode(struct inode *inode);
@@ -193,9 +193,9 @@ static inline int fsverity_get_digest(struct inode *inode, 


/* open.c */



static inline int fsverity_file_open(struct inode *inode, struct file *filp)

static inline int __fsverity_file_open(struct inode *inode, struct file *filp)

{

	return IS_VERITY(inode) ? -EOPNOTSUPP : 0;

	return -EOPNOTSUPP;

}



static inline int fsverity_prepare_setattr(struct dentry *dentry,
@@ -254,4 +254,24 @@ static inline bool fsverity_active(const struct inode *inode) 
	return fsverity_get_info(inode) != NULL;

}



/**

 * fsverity_file_open() - prepare to open a verity file

 * @inode: the inode being opened

 * @filp: the struct file being set up

 *

 * When opening a verity file, deny the open if it is for writing.  Otherwise,

 * set up the inode's ->i_verity_info if not already done.

 *

 * When combined with fscrypt, this must be called after fscrypt_file_open().

 * Otherwise, we won't have the key set up to decrypt the verity metadata.

 *

 * Return: 0 on success, -errno on failure

 */

static inline int fsverity_file_open(struct inode *inode, struct file *filp)

{

	if (IS_VERITY(inode))

		return __fsverity_file_open(inode, filp);

	return 0;

}



#endif	/* _LINUX_FSVERITY_H */