summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/fsimpl/verity/filesystem.go
diff options
context:
space:
mode:
authorgVisor bot <gvisor-bot@google.com>2021-02-11 17:09:49 -0800
committergVisor bot <gvisor-bot@google.com>2021-02-11 17:12:23 -0800
commit4314bb0b2b96cc3a84e8dead29812ccb1bfcebe2 (patch)
tree87a64c02d827ab777be01dd9fe67604c2030a5da /pkg/sentry/fsimpl/verity/filesystem.go
parentc39284f457383dabd52f468a10072ca6d2211cbb (diff)
Internal change.
PiperOrigin-RevId: 357090170
Diffstat (limited to 'pkg/sentry/fsimpl/verity/filesystem.go')
-rw-r--r--pkg/sentry/fsimpl/verity/filesystem.go18
1 files changed, 13 insertions, 5 deletions
diff --git a/pkg/sentry/fsimpl/verity/filesystem.go b/pkg/sentry/fsimpl/verity/filesystem.go
index a4ad625bb..9057d2b4e 100644
--- a/pkg/sentry/fsimpl/verity/filesystem.go
+++ b/pkg/sentry/fsimpl/verity/filesystem.go
@@ -426,6 +426,17 @@ func (fs *filesystem) verifyStatAndChildrenLocked(ctx context.Context, d *dentry
params.DataAndTreeInSameFile = true
}
+ if d.isSymlink() {
+ target, err := vfsObj.ReadlinkAt(ctx, d.fs.creds, &vfs.PathOperation{
+ Root: d.lowerVD,
+ Start: d.lowerVD,
+ })
+ if err != nil {
+ return err
+ }
+ params.SymlinkTarget = target
+ }
+
if _, err := merkletree.Verify(params); err != nil && err != io.EOF {
return alertIntegrityViolation(fmt.Sprintf("Verification stat for %s failed: %v", childPath, err))
}
@@ -433,6 +444,7 @@ func (fs *filesystem) verifyStatAndChildrenLocked(ctx context.Context, d *dentry
d.uid = stat.UID
d.gid = stat.GID
d.size = uint32(size)
+ d.symlinkTarget = params.SymlinkTarget
return nil
}
@@ -934,11 +946,7 @@ func (fs *filesystem) ReadlinkAt(ctx context.Context, rp *vfs.ResolvingPath) (st
if err != nil {
return "", err
}
- //TODO(b/162787271): Provide integrity check for ReadlinkAt.
- return fs.vfsfs.VirtualFilesystem().ReadlinkAt(ctx, d.fs.creds, &vfs.PathOperation{
- Root: d.lowerVD,
- Start: d.lowerVD,
- })
+ return d.readlink(ctx)
}
// RenameAt implements vfs.FilesystemImpl.RenameAt.