author | Chong Cai <chongc@google.com> | 2021-04-30 13:25:00 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-04-30 13:26:51 -0700 |
commit | ea89cd38a11fc63b3ff397c9f5901fa541c8acb4 (patch) | |
tree | 8846381b9dfea9818da586fcebeb4d39a74cdfa4 /pkg/sentry/fsimpl/verity | |
parent | c958c5a4f103725ddbb87f6db66cca9beb06cb84 (diff) |
Do not return content if verity translate fails
If verification fails for translating mmapped memory, the content should
not be returned. This is not an issue for panic mode, but for error mode
we should return empty content along with the error.
PiperOrigin-RevId: 371393519
Diffstat (limited to 'pkg/sentry/fsimpl/verity')
-rw-r--r-- | pkg/sentry/fsimpl/verity/verity.go | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/pkg/sentry/fsimpl/verity/verity.go b/pkg/sentry/fsimpl/verity/verity.go
index 2ebdfb167..31d34ef60 100644
--- a/pkg/sentry/fsimpl/verity/verity.go
+++ b/pkg/sentry/fsimpl/verity/verity.go
@@ -1328,7 +1328,7 @@ func (fd *fileDescription) TestPOSIX(ctx context.Context, uid fslock.UniqueID, t
 func (fd *fileDescription) Translate(ctx context.Context, required, optional memmap.MappableRange, at hostarch.AccessType) ([]memmap.Translation, error) {
 	ts, err := fd.lowerMappable.Translate(ctx, required, optional, at)
 	if err != nil {
-		return ts, err
+		return nil, err
 	}
 
 	// dataSize is the size of the whole file.
@@ -1341,17 +1341,17 @@ func (fd *fileDescription) Translate(ctx context.Context, required, optional mem
 	// contains the expected xattrs. If the xattr does not exist, it
 	// indicates unexpected modifications to the file system.
 	if err == syserror.ENODATA {
-		return ts, fd.d.fs.alertIntegrityViolation(fmt.Sprintf("Failed to get xattr %s: %v", merkleSizeXattr, err))
+		return nil, fd.d.fs.alertIntegrityViolation(fmt.Sprintf("Failed to get xattr %s: %v", merkleSizeXattr, err))
 	}
 	if err != nil {
-		return ts, err
+		return nil, err
 	}
 
 	// The dataSize xattr should be an integer. If it's not, it indicates
 	// unexpected modifications to the file system.
 	size, err := strconv.Atoi(dataSize)
 	if err != nil {
-		return ts, fd.d.fs.alertIntegrityViolation(fmt.Sprintf("Failed to convert xattr %s to int: %v", merkleSizeXattr, err))
+		return nil, fd.d.fs.alertIntegrityViolation(fmt.Sprintf("Failed to convert xattr %s to int: %v", merkleSizeXattr, err))
 	}
 
 	merkleReader := FileReadWriteSeeker{
@@ -1384,7 +1384,7 @@ func (fd *fileDescription) Translate(ctx context.Context, required, optional mem
 			DataAndTreeInSameFile: false,
 		})
 		if err != nil {
-			return ts, fd.d.fs.alertIntegrityViolation(fmt.Sprintf("Verification failed: %v", err))
+			return nil, fd.d.fs.alertIntegrityViolation(fmt.Sprintf("Verification failed: %v", err))
 		}
 	}
 	return ts, err |
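Review bot: The closing `return ts, err` in the third hunk is now the only path that hands translations back, and `err` is provably nil there because the `if err != nil` just above it returns, so writing it as `return ts, nil` would make the commit's new invariant — translations are never returned together with a non-nil error — explicit rather than incidental. That invariant also deserves a sentence on Translate's doc comment, which sits above the first hunk, e.g. `// On any lower-layer or verification error, Translate returns nil translations so that unverified memory is never exposed to the caller.` Whether memmap callers otherwise consume translations returned alongside an error is not visible in this diff, which is presumably why returning the partial `ts` was unsafe in error mode. Translate's body continues between the hunks and its header lies outside the first one.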