diff options
author | Chong Cai <chongc@google.com> | 2021-08-11 19:06:12 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-08-11 19:09:05 -0700 |
commit | 5456fa6477eee26c553aa84311b3044f1af0d9a1 (patch) | |
tree | 77700c7827afc15f092ed27c57b7efb631bcf8a3 | |
parent | d51bc877f40d2acbf5b83895f636186c87463ab1 (diff) |
Popluate verity directory children names
We were relying on children adding its name to parent's dentry to
populate parent's children list. However, this may not work since the
parent dentry could be destroyed if its reference count drops to zero.
In that case, a new dentry will be created when enabling the parent and
it does not contain the children names info. Therefore we need to
populate the child names list again to avoid missing children in the
directory.
PiperOrigin-RevId: 390270227
-rw-r--r-- | pkg/sentry/fsimpl/verity/verity.go | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/pkg/sentry/fsimpl/verity/verity.go b/pkg/sentry/fsimpl/verity/verity.go index c5fa9855b..d05fa8390 100644 --- a/pkg/sentry/fsimpl/verity/verity.go +++ b/pkg/sentry/fsimpl/verity/verity.go @@ -1091,6 +1091,21 @@ func (fd *fileDescription) enableVerity(ctx context.Context) (uintptr, error) { return 0, fd.d.fs.alertIntegrityViolation("Unexpected verity fd: missing expected underlying fds") } + // Populate children names here. We cannot rely on the children + // dentries to populate parent dentry's children names, because the + // parent dentry may be destroyed before users enable verity if its ref + // count drops to zero. + if fd.d.isDir() { + if err := fd.IterDirents(ctx, vfs.IterDirentsCallbackFunc(func(dirent vfs.Dirent) error { + if dirent.Name != "." && dirent.Name != ".." { + fd.d.childrenNames[dirent.Name] = struct{}{} + } + return nil + })); err != nil { + return 0, err + } + } + hash, dataSize, err := fd.generateMerkleLocked(ctx) if err != nil { return 0, err @@ -1118,9 +1133,6 @@ func (fd *fileDescription) enableVerity(ctx context.Context) (uintptr, error) { }); err != nil { return 0, err } - - // Add the current child's name to parent's childrenNames. - fd.d.parent.childrenNames[fd.d.name] = struct{}{} } // Record the size of the data being hashed for fd. |