Skip to content

Commit

Permalink
overlay, composefs: add fs-verity to files
Browse files Browse the repository at this point in the history
at the moment it is a best-effort implementation to enable fs-verity
for the composefs blob as well as for the data files.

Signed-off-by: Giuseppe Scrivano <[email protected]>
  • Loading branch information
giuseppe committed Jun 23, 2023
1 parent fcac1dd commit 6de5c18
Show file tree
Hide file tree
Showing 3 changed files with 88 additions and 17 deletions.
4 changes: 4 additions & 0 deletions drivers/overlay/composefs_notsupported.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,7 @@ func generateComposeFsBlob(toc []byte, destFile string) error {
func mountErofsBlob(blobFile, mountPoint string) error {
return fmt.Errorf("composefs is not supported")
}

func enableVerityRecursive(path string) error {
return fmt.Errorf("composefs is not supported")
}
96 changes: 79 additions & 17 deletions drivers/overlay/composefs_supported.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,18 @@
package overlay

import (
"errors"
"fmt"
"io/fs"
"os"
"os/exec"
"path/filepath"
"sync"
"syscall"
"unsafe"

"github.com/containers/storage/pkg/loopback"
"github.com/sirupsen/logrus"
"golang.org/x/sys/unix"
)

Expand All @@ -31,6 +37,43 @@ func composeFsSupported() bool {
return err == nil
}

func enableVerity(description string, fd int) error {
enableArg := unix.FsverityEnableArg{
Version: 1,
Hash_algorithm: unix.FS_VERITY_HASH_ALG_SHA256,
Block_size: 4096,
}

_, _, e1 := syscall.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(unix.FS_IOC_ENABLE_VERITY), uintptr(unsafe.Pointer(&enableArg)))
if e1 != 0 {
return fmt.Errorf("failed to enable verity for %q: %w", description, e1)
}
return nil
}

func enableVerityRecursive(path string) error {
walkFn := func(path string, d fs.DirEntry, err error) error {
if err != nil {
return err
}
if !d.Type().IsRegular() {
return nil
}

f, err := os.Open(path)
if err != nil {
return err
}
defer f.Close()

if err := enableVerity(path, int(f.Fd())); err != nil {
return err
}
return nil
}
return filepath.WalkDir(path, walkFn)
}

func generateComposeFsBlob(toc []byte, destFile string) error {
writerJson, err := getComposeFsHelper()
if err != nil {
Expand All @@ -41,33 +84,52 @@ func generateComposeFsBlob(toc []byte, destFile string) error {
if err != nil {
return fmt.Errorf("failed to open output file: %w", err)
}
defer unix.Close(outFd)

fd, err := unix.MemfdCreate("json-toc", unix.MFD_ALLOW_SEALING)
newFd, err := unix.Open(fmt.Sprintf("/proc/self/fd/%d", outFd), unix.O_RDONLY, 0)
if err != nil {
return fmt.Errorf("failed to create memfd: %w", err)
unix.Close(outFd)
return fmt.Errorf("failed to dup output file: %w", err)
}
defer unix.Close(fd)
defer unix.Close(newFd)

if err := unix.Ftruncate(fd, int64(len(toc))); err != nil {
return fmt.Errorf("failed to truncate memfd: %w", err)
}
err = func() error {
defer unix.Close(outFd)

buf := toc
for len(buf) > 0 {
n, err := unix.Write(fd, buf)
fd, err := unix.MemfdCreate("json-toc", unix.MFD_ALLOW_SEALING)
if err != nil {
return fmt.Errorf("failed to write to memfd: %w", err)
return fmt.Errorf("failed to create memfd: %w", err)
}
buf = buf[n:]
defer unix.Close(fd)

if err := unix.Ftruncate(fd, int64(len(toc))); err != nil {
return fmt.Errorf("failed to truncate memfd: %w", err)
}

buf := toc
for len(buf) > 0 {
n, err := unix.Write(fd, buf)
if err != nil {
return fmt.Errorf("failed to write to memfd: %w", err)
}
buf = buf[n:]
}

cmd := exec.Command(writerJson, "--format=erofs", fmt.Sprintf("--out=/proc/self/fd/%d", outFd), fmt.Sprintf("/proc/self/fd/%d", fd))
cmd.ExtraFiles = []*os.File{os.NewFile(uintptr(fd), "fd"), os.NewFile(uintptr(outFd), "outFd")}
cmd.Stderr = os.Stderr
if err := cmd.Run(); err != nil {
return fmt.Errorf("failed to convert json to erofs: %w", err)
}
return nil
}()
if err != nil {
return err
}

cmd := exec.Command(writerJson, "--format=erofs", fmt.Sprintf("--out=/proc/self/fd/%d", outFd), fmt.Sprintf("/proc/self/fd/%d", fd))
cmd.ExtraFiles = []*os.File{os.NewFile(uintptr(fd), "fd"), os.NewFile(uintptr(outFd), "outFd")}
cmd.Stderr = os.Stderr
if err := cmd.Run(); err != nil {
return fmt.Errorf("failed to convert json to erofs: %w", err)
if err := enableVerity("manifest file", newFd); err != nil && !errors.Is(err, unix.ENOTSUP) && !errors.Is(err, unix.ENOTTY) {
logrus.Warningf("%s", err)
}

return nil
}

Expand Down
5 changes: 5 additions & 0 deletions drivers/overlay/overlay.go
Original file line number Diff line number Diff line change
Expand Up @@ -2064,6 +2064,11 @@ func (d *Driver) ApplyDiffFromStagingDirectory(id, parent, stagingDirectory stri
}

if d.useComposeFs() {
// FIXME: move this logic into the differ so we don't have to open
// the file twice.
if err := enableVerityRecursive(stagingDirectory); err != nil && !errors.Is(err, unix.ENOTSUP) && !errors.Is(err, unix.ENOTTY) {
logrus.Warningf("%s", err)
}
toc := diffOutput.BigData[zstdChunkedManifest]
if err := generateComposeFsBlob(toc, d.getErofsBlob(id)); err != nil {
return err
Expand Down

0 comments on commit 6de5c18

Please sign in to comment.