authorgVisor bot <gvisor-bot@google.com>2020-08-31 12:50:31 -0700
committergVisor bot <gvisor-bot@google.com>2020-08-31 12:52:21 -0700
commit911cecaa34f15d9591fa060d943c35791adca855 (patch)
tree76525e1d8f6a12f9890c0853e0308e2fb7823671 /pkg/sentry/fsimpl/verity/verity.go
parentba25485d96833b3852c2fbbca508414b3b96d430 (diff)
Implement walk in gvisor verity fs
Implement walking directories in the gVisor verity file system. For each step, the child dentry is verified against a verified parent root hash. PiperOrigin-RevId: 329358747
Diffstat (limited to 'pkg/sentry/fsimpl/verity/verity.go')
-rw-r--r--pkg/sentry/fsimpl/verity/verity.go19
1 files changed, 19 insertions, 0 deletions
diff --git a/pkg/sentry/fsimpl/verity/verity.go b/pkg/sentry/fsimpl/verity/verity.go
index 1c5b07aa5..eedb5f484 100644
--- a/pkg/sentry/fsimpl/verity/verity.go
+++ b/pkg/sentry/fsimpl/verity/verity.go
@@ -41,6 +41,18 @@ const Name = "verity"
// tree file for "/foo" is "/.merkle.verity.foo".
const merklePrefix = ".merkle.verity."
+// merkleoffsetInParentXattr is the extended attribute name specifying the
+// offset of child root hash in its parent's Merkle tree.
+const merkleOffsetInParentXattr = "user.merkle.offset"
+
+// merkleSizeXattr is the extended attribute name specifying the size of data
+// hashed by the corresponding Merkle tree. For a file, it's the size of the
+// whole file. For a directory, it's the size of all its children's root hashes.
+const merkleSizeXattr = "user.merkle.size"
+
+// sizeOfInt32 is the size in bytes for a 32 bit integer in extended attributes.
+const sizeOfInt32 = 4
+
// noCrashOnVerificationFailure indicates whether the sandbox should panic
// whenever verification fails. If true, an error is returned instead of
// panicking. This should only be set for tests.
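Review bot: The doc comment on the first added constant names it `merkleoffsetInParentXattr`, but the identifier is `merkleOffsetInParentXattr`; the comment should open with the exact name. The comments also do not say how the two values are encoded: `sizeOfInt32` suggests a fixed 4-byte integer, but byte order and signedness are left unstated. Because `user.*` extended attributes are stored on the underlying file system, which is presumably the unverified side here, the comment should record that the offset and size are checked for length and range before they index into the parent's Merkle tree, e.g. `// The value is read from the lower file system and must be validated before use.`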
@@ -48,6 +60,11 @@ const merklePrefix = ".merkle.verity."
// flag.
var noCrashOnVerificationFailure bool
+// verityMu synchronizes enabling verity files, protects files or directories
+// from being enabled by different threads simultaneously. It also ensures that
+// verity does not access files that are being enabled.
+var verityMu sync.RWMutex
+
// FilesystemType implements vfs.FilesystemType.
type FilesystemType struct{}
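Review bot: `verityMu` is a package-level lock, so every verity mount in the process shares it, and the comment does not say which paths hold it for reading and which for writing. If enabling takes the write lock and walk or verification takes the read lock, say so in the comment, for example `// Enabling holds verityMu for writing; verification paths hold it for reading.` A field on the filesystem struct would scope the lock to one mount; if serialising across mounts is intended, the comment should state that instead.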
@@ -215,6 +232,8 @@ func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.Virt
copy(d.rootHash, iopts.RootHash)
d.vfsd.Init(d)
+ fs.rootDentry = d
+
return &fs.vfsfs, &d.vfsd, nil
}
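Review bot: The added `fs.rootDentry = d` keeps a second pointer to the root dentry with no comment on its purpose or lifetime. Judging by the commit message, this is the anchor that walk verifies children against, with `d.rootHash` copied from `iopts.RootHash`; a comment such as `// rootDentry is the verified starting point for walks; its hash comes from the mount options.` would record that. It is also worth confirming that this pointer is dropped when the filesystem is released, since the release path is not visible here. GetFilesystem starts outside this hunk.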