From d4dce953b7ac4705f5b52ac24c031170d701031b Mon Sep 17 00:00:00 2001
From: Chong Cai
Date: Tue, 13 Jul 2021 15:42:00 -0700
Subject: Do not require O_PATH flag to enable verity

Remove the hack in gVisor vfs that allows verity to bypass the O_PATH check, since ioctl is not allowed on fds opened with O_PATH in linux. Verity still opens the lowerFD with O_PATH to open it as a symlink, but the API no longer expects O_PATH to open a fd to be verity enabled. Now only O_FOLLOW should be specified when opening and enabling verity features.

PiperOrigin-RevId: 384567833
---
 pkg/sentry/vfs/vfs.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'pkg/sentry/vfs/vfs.go')

diff --git a/pkg/sentry/vfs/vfs.go b/pkg/sentry/vfs/vfs.go
index aeca262e3..eb3c60610 100644
--- a/pkg/sentry/vfs/vfs.go
+++ b/pkg/sentry/vfs/vfs.go
@@ -427,9 +427,7 @@ func (vfs *VirtualFilesystem) OpenAt(ctx context.Context, creds *auth.Credential
 	if opts.Flags&linux.O_DIRECTORY != 0 {
 		rp.mustBeDir = true
 	}
-	// Ignore O_PATH for verity, as verity performs extra operations on the fd for verification.
-	// The underlying filesystem that verity wraps opens the fd with O_PATH.
-	if opts.Flags&linux.O_PATH != 0 && rp.mount.fs.FilesystemType().Name() != "verity" {
+	if opts.Flags&linux.O_PATH != 0 {
 		vd, err := vfs.GetDentryAt(ctx, creds, pop, &GetDentryOptions{})
 		if err != nil {
 			return nil, err
-- 
cgit v1.2.3
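Review bot: The new `if opts.Flags&linux.O_PATH != 0 {` branch now applies to verity mounts too, so any in-tree caller that still opens a verity file with O_PATH and then issues FS_IOC_ENABLE_VERITY / FS_IOC_MEASURE_VERITY will get a dentry-only fd whose ioctl fails, which is the intended Linux behaviour but is no longer explained anywhere in OpenAt; the deleted comment was the only record of why the exception existed. I would add a one-line why-comment above the branch, e.g. `// O_PATH yields a dentry-only FD with no file operations, so ioctl (including verity enablement) is rejected, matching Linux.`, so the next reader does not reintroduce a filesystem-name special case. It would also be worth a regression test that opening a verity-enabled file with O_PATH and issuing the verity ioctl returns EBADF, since that is the behavioural change this commit relies on; the commit message describes the new contract but nothing in the hunk pins it. The description's "O_FOLLOW" is not a Linux open(2) flag, so the intended flag set for callers should be confirmed and spelled out in the user-facing docs. OpenAt begins before and continues after this hunk, so I cannot see whether the O_PATH path also masks the other flags Linux ignores with O_PATH (e.g. O_CREAT, O_TRUNC, access mode); worth verifying that the generic branch already does so now that verity goes through it.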