Clear Merkle tree files in RuntimeEnable mode

The Merkle tree files need to be cleared before enabling to avoid redundant content. PiperOrigin-RevId: 362409591
author: Chong Cai <chongc@google.com> 2021-03-11 17:01:13 -0800
committer: gVisor bot <gvisor-bot@google.com> 2021-03-11 17:03:15 -0800
commit: df64c3a60f439dec81fd7c96690318588520eb87 (patch)
tree: 5c3034fa13dfa73029b57c64387482a2f40d5023 /pkg/sentry/fsimpl/verity/verity.go
parent: c5667022b6617d732e0c0bcb8ca3b58d588ceafb (diff)
1 files changed, 18 insertions, 0 deletions
diff --git a/pkg/sentry/fsimpl/verity/verity.go b/pkg/sentry/fsimpl/verity/verity.go
index 24c7331bc..0d9b0ee2c 100644
--- a/pkg/sentry/fsimpl/verity/verity.go
+++ b/pkg/sentry/fsimpl/verity/verity.go
@@ -311,6 +311,24 @@ func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.Virt
 		d.DecRef(ctx)
 		return nil, nil, alertIntegrityViolation("Failed to find root Merkle file")
 	}
+
+	// Clear the Merkle tree file if they are to be generated at runtime.
+	// TODO(b/182315468): Optimize the Merkle tree generate process to
+	// allow only updating certain files/directories.
+	if fs.allowRuntimeEnable {
+		lowerMerkleFD, err := vfsObj.OpenAt(ctx, fs.creds, &vfs.PathOperation{
+			Root:  lowerMerkleVD,
+			Start: lowerMerkleVD,
+		}, &vfs.OpenOptions{
+			Flags: linux.O_RDWR | linux.O_TRUNC,
+			Mode:  0644,
+		})
+		if err != nil {
+			return nil, nil, err
+		}
+		lowerMerkleFD.DecRef(ctx)
+	}
+
 	d.lowerMerkleVD = lowerMerkleVD
 
 	// Get metadata from the underlying file system.
author	Chong Cai <chongc@google.com>	2021-03-11 17:01:13 -0800
committer	gVisor bot <gvisor-bot@google.com>	2021-03-11 17:03:15 -0800
commit	df64c3a60f439dec81fd7c96690318588520eb87 (patch)
tree	5c3034fa13dfa73029b57c64387482a2f40d5023 /pkg/sentry/fsimpl/verity/verity.go
parent	c5667022b6617d732e0c0bcb8ca3b58d588ceafb (diff)