summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/fsimpl/verity
diff options
context:
space:
mode:
authorgVisor bot <gvisor-bot@google.com>2021-04-12 22:37:59 +0000
committergVisor bot <gvisor-bot@google.com>2021-04-12 22:37:59 +0000
commit90200050a949a3c0f93776d9ebb2e0684a058a46 (patch)
tree0c25f798f67c1c70047ca7e9499ab26cddc98136 /pkg/sentry/fsimpl/verity
parentbee6d2d33fc8f117aa4a941a436316b0e44eae4d (diff)
parentc4c6a71fb9d5ed51d0e9e2d6a78eaabf96174849 (diff)
Merge release-20210408.0-24-gc4c6a71fb (automated)
Diffstat (limited to 'pkg/sentry/fsimpl/verity')
-rw-r--r--pkg/sentry/fsimpl/verity/filesystem.go4
-rw-r--r--pkg/sentry/fsimpl/verity/verity.go2
2 files changed, 6 insertions, 0 deletions
diff --git a/pkg/sentry/fsimpl/verity/filesystem.go b/pkg/sentry/fsimpl/verity/filesystem.go
index b14a7e863..e1dde5ced 100644
--- a/pkg/sentry/fsimpl/verity/filesystem.go
+++ b/pkg/sentry/fsimpl/verity/filesystem.go
@@ -229,6 +229,8 @@ func (fs *filesystem) verifyChildLocked(ctx context.Context, parent *dentry, chi
return nil, err
}
+ defer parentMerkleFD.DecRef(ctx)
+
// dataSize is the size of raw data for the Merkle tree. For a file,
// dataSize is the size of the whole file. For a directory, dataSize is
// the size of all its children's hashes.
@@ -337,6 +339,8 @@ func (fs *filesystem) verifyStatAndChildrenLocked(ctx context.Context, d *dentry
return err
}
+ defer fd.DecRef(ctx)
+
merkleSize, err := fd.GetXattr(ctx, &vfs.GetXattrOptions{
Name: merkleSizeXattr,
Size: sizeOfStringInt32,
diff --git a/pkg/sentry/fsimpl/verity/verity.go b/pkg/sentry/fsimpl/verity/verity.go
index 06f2c211c..6b1bfaba3 100644
--- a/pkg/sentry/fsimpl/verity/verity.go
+++ b/pkg/sentry/fsimpl/verity/verity.go
@@ -494,6 +494,8 @@ func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.Virt
return nil, nil, err
}
+ defer lowerMerkleFD.DecRef(ctx)
+
childrenNames := make([]byte, size)
if _, err := lowerMerkleFD.PRead(ctx, usermem.BytesIOSequence(childrenNames), int64(off), vfs.ReadOptions{}); err != nil {
return nil, nil, alertIntegrityViolation(fmt.Sprintf("Failed to read root children map: %v", err))