Return integrity failure only if enabled

If the parent is not enabled in verity stepLocked(), failure to find the child dentry could just mean an incorrect path. PiperOrigin-RevId: 367733412
author: Chong Cai <chongc@google.com> 2021-04-09 17:35:32 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-04-09 17:37:47 -0700
commit: ea7faa50579d3d76c6cbb1f7ffba4e16eebf1885 (patch)
tree: 51c02a986a3c053138d5245d6674ce30e0075fc7
parent: 7420821a7b5fe15f3666bb4971796cd45fc5ff38 (diff)
1 files changed, 23 insertions, 22 deletions
diff --git a/pkg/sentry/fsimpl/verity/filesystem.go b/pkg/sentry/fsimpl/verity/filesystem.go
index 214ffd095..b14a7e863 100644
--- a/pkg/sentry/fsimpl/verity/filesystem.go
+++ b/pkg/sentry/fsimpl/verity/filesystem.go
@@ -553,7 +553,7 @@ func (fs *filesystem) lookupAndVerifyLocked(ctx context.Context, parent *dentry,
 	}
 
 	childVD, err := parent.getLowerAt(ctx, vfsObj, name)
-	if err == syserror.ENOENT {
+	if parent.verityEnabled() && err == syserror.ENOENT {
 		return nil, alertIntegrityViolation(fmt.Sprintf("file %s expected but not found", parentPath+"/"+name))
 	}
 	if err != nil {
@@ -565,30 +565,31 @@ func (fs *filesystem) lookupAndVerifyLocked(ctx context.Context, parent *dentry,
 	defer childVD.DecRef(ctx)
 
 	childMerkleVD, err := parent.getLowerAt(ctx, vfsObj, merklePrefix+name)
-	if err == syserror.ENOENT {
-		if !fs.allowRuntimeEnable {
-			return nil, alertIntegrityViolation(fmt.Sprintf("Merkle file for %s expected but not found", parentPath+"/"+name))
-		}
-		childMerkleFD, err := vfsObj.OpenAt(ctx, fs.creds, &vfs.PathOperation{
-			Root:  parent.lowerVD,
-			Start: parent.lowerVD,
-			Path:  fspath.Parse(merklePrefix + name),
-		}, &vfs.OpenOptions{
-			Flags: linux.O_RDWR | linux.O_CREAT,
-			Mode:  0644,
-		})
-		if err != nil {
-			return nil, err
-		}
-		childMerkleFD.DecRef(ctx)
-		childMerkleVD, err = parent.getLowerAt(ctx, vfsObj, merklePrefix+name)
-		if err != nil {
+	if err != nil {
+		if err == syserror.ENOENT {
+			if parent.verityEnabled() {
+				return nil, alertIntegrityViolation(fmt.Sprintf("Merkle file for %s expected but not found", parentPath+"/"+name))
+			}
+			childMerkleFD, err := vfsObj.OpenAt(ctx, fs.creds, &vfs.PathOperation{
+				Root:  parent.lowerVD,
+				Start: parent.lowerVD,
+				Path:  fspath.Parse(merklePrefix + name),
+			}, &vfs.OpenOptions{
+				Flags: linux.O_RDWR | linux.O_CREAT,
+				Mode:  0644,
+			})
+			if err != nil {
+				return nil, err
+			}
+			childMerkleFD.DecRef(ctx)
+			childMerkleVD, err = parent.getLowerAt(ctx, vfsObj, merklePrefix+name)
+			if err != nil {
+				return nil, err
+			}
+		} else {
 			return nil, err
 		}
 	}
-	if err != nil && err != syserror.ENOENT {
-		return nil, err
-	}
 
 	// Clear the Merkle tree file if they are to be generated at runtime.
 	// TODO(b/182315468): Optimize the Merkle tree generate process to
author	Chong Cai <chongc@google.com>	2021-04-09 17:35:32 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-04-09 17:37:47 -0700
commit	ea7faa50579d3d76c6cbb1f7ffba4e16eebf1885 (patch)
tree	51c02a986a3c053138d5245d6674ce30e0075fc7
parent	7420821a7b5fe15f3666bb4971796cd45fc5ff38 (diff)