author | Chong Cai <chongc@google.com> | 2021-07-13 15:42:00 -0700 |
committer | gVisor bot <gvisor-bot@google.com> | 2021-07-13 15:44:54 -0700 |
commit | d4dce953b7ac4705f5b52ac24c031170d701031b (patch) | |
tree | 486645acba552cf94fd1f7e8b083d4ad2e519064 /pkg/sentry/vfs/vfs.go | |
parent | c16e69a9d5ec3422b648a6d32842442925285a29 (diff) |
Do not require O_PATH flag to enable verity
Remove the hack in gVisor vfs that allows verity to bypass the O_PATH
check, since ioctl is not allowed on fds opened with O_PATH in linux.
Verity still opens the lowerFD with O_PATH so that it can be opened as a symlink, but
the API no longer expects O_PATH to be passed when opening a fd that is to be verity-enabled.
Now only O_FOLLOW should be specified when opening and enabling verity
features.
PiperOrigin-RevId: 384567833
Diffstat (limited to 'pkg/sentry/vfs/vfs.go')
-rw-r--r-- | pkg/sentry/vfs/vfs.go | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/pkg/sentry/vfs/vfs.go b/pkg/sentry/vfs/vfs.go
index aeca262e3..eb3c60610 100644
--- a/pkg/sentry/vfs/vfs.go
+++ b/pkg/sentry/vfs/vfs.go
@@ -427,9 +427,7 @@ func (vfs *VirtualFilesystem) OpenAt(ctx context.Context, creds *auth.Credential
 if opts.Flags&linux.O_DIRECTORY != 0 {
 rp.mustBeDir = true
 }
- // Ignore O_PATH for verity, as verity performs extra operations on the fd for verification.
- // The underlying filesystem that verity wraps opens the fd with O_PATH.
- if opts.Flags&linux.O_PATH != 0 && rp.mount.fs.FilesystemType().Name() != "verity" {
+ if opts.Flags&linux.O_PATH != 0 {
 vd, err := vfs.GetDentryAt(ctx, creds, pop, &GetDentryOptions{})
 if err != nil {
 return nil, err |
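Review bot: The new condition `if opts.Flags&linux.O_PATH != 0 {` now takes the O_PATH branch for every filesystem, but the two comment lines were dropped together with the verity exception and nothing replaces them, so a reader no longer sees why O_PATH short-circuits here. I would add above the `if`: `// O_PATH resolves the path without opening the file; as in Linux, the resulting fd supports only a few operations (ioctl is not among them), so no filesystem is exempted.` Dropping the `FilesystemType().Name() != "verity"` string comparison also removes a filesystem-name-based special case that let verity issue ioctls on an fd opened with O_PATH, which the commit message notes Linux does not allow, so the VFS check now applies uniformly. If any verity test enabled verity through an fd opened with O_PATH, it presumably must now open without that flag — worth confirming. OpenAt begins and continues outside this hunk.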