Change verity mu to be per file system

verity Mu should be per file system instead of global, so that enabling and verifying in different file systems won't block each other. Also Lock verity Mu in PRead. PiperOrigin-RevId: 336779356
author: Chong Cai <chongc@google.com> 2020-10-12 17:28:58 -0700
committer: gVisor bot <gvisor-bot@google.com> 2020-10-12 17:35:22 -0700
commit: 4885931ac342e033b39ba9645b8e6a584f4d9844 (patch)
tree: 9ad6acafd0a00951247a22de497eb9e40fd1a07b /pkg/sentry/fsimpl/verity/filesystem.go
parent: ef90fe173380a8d769c699aec08737ef56f43c3e (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/pkg/sentry/fsimpl/verity/filesystem.go b/pkg/sentry/fsimpl/verity/filesystem.go
index 34e2c9d7c..3b3c8725f 100644
--- a/pkg/sentry/fsimpl/verity/filesystem.go
+++ b/pkg/sentry/fsimpl/verity/filesystem.go
@@ -174,8 +174,8 @@ func (fs *filesystem) verifyChild(ctx context.Context, parent *dentry, child *de
 		return nil, err
 	}
 
-	verityMu.RLock()
-	defer verityMu.RUnlock()
+	fs.verityMu.RLock()
+	defer fs.verityMu.RUnlock()
 	// Read the offset of the child from the extended attributes of the
 	// corresponding Merkle tree file.
 	// This is the offset of the hash for child in its parent's Merkle tree
@@ -302,8 +302,8 @@ func (fs *filesystem) verifyStat(ctx context.Context, d *dentry, stat linux.Stat
 		return err
 	}
 
-	verityMu.RLock()
-	defer verityMu.RUnlock()
+	fs.verityMu.RLock()
+	defer fs.verityMu.RUnlock()
 
 	fd, err := vfsObj.OpenAt(ctx, fs.creds, &vfs.PathOperation{
 		Root:  d.lowerMerkleVD,
author	Chong Cai <chongc@google.com>	2020-10-12 17:28:58 -0700
committer	gVisor bot <gvisor-bot@google.com>	2020-10-12 17:35:22 -0700
commit	4885931ac342e033b39ba9645b8e6a584f4d9844 (patch)
tree	9ad6acafd0a00951247a22de497eb9e40fd1a07b /pkg/sentry/fsimpl/verity/filesystem.go
parent	ef90fe173380a8d769c699aec08737ef56f43c3e (diff)