// Copyright 2020 The gVisor Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package verity import ( "fmt" "io" "math/rand" "strconv" "testing" "time" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/context" "gvisor.dev/gvisor/pkg/fspath" "gvisor.dev/gvisor/pkg/sentry/arch" "gvisor.dev/gvisor/pkg/sentry/fsimpl/testutil" "gvisor.dev/gvisor/pkg/sentry/fsimpl/tmpfs" "gvisor.dev/gvisor/pkg/sentry/kernel" "gvisor.dev/gvisor/pkg/sentry/kernel/auth" "gvisor.dev/gvisor/pkg/sentry/vfs" "gvisor.dev/gvisor/pkg/syserror" "gvisor.dev/gvisor/pkg/usermem" ) // rootMerkleFilename is the name of the root Merkle tree file. const rootMerkleFilename = "root.verity" // maxDataSize is the maximum data size written to the file for test. const maxDataSize = 100000 // newVerityRoot creates a new verity mount, and returns the root. The // underlying file system is tmpfs. If the error is not nil, then cleanup // should be called when the root is no longer needed. func newVerityRoot(t *testing.T, hashAlg HashAlgorithm) (*vfs.VirtualFilesystem, vfs.VirtualDentry, *kernel.Task, error) { k, err := testutil.Boot() if err != nil { t.Fatalf("testutil.Boot: %v", err) } ctx := k.SupervisorContext() rand.Seed(time.Now().UnixNano()) vfsObj := &vfs.VirtualFilesystem{} if err := vfsObj.Init(ctx); err != nil { return nil, vfs.VirtualDentry{}, nil, fmt.Errorf("VFS init: %v", err) } vfsObj.MustRegisterFilesystemType("verity", FilesystemType{}, &vfs.RegisterFilesystemTypeOptions{ AllowUserMount: true, }) vfsObj.MustRegisterFilesystemType("tmpfs", tmpfs.FilesystemType{}, &vfs.RegisterFilesystemTypeOptions{ AllowUserMount: true, }) mntns, err := vfsObj.NewMountNamespace(ctx, auth.CredentialsFromContext(ctx), "", "verity", &vfs.MountOptions{ GetFilesystemOptions: vfs.GetFilesystemOptions{ InternalData: InternalFilesystemOptions{ RootMerkleFileName: rootMerkleFilename, LowerName: "tmpfs", Alg: hashAlg, AllowRuntimeEnable: true, NoCrashOnVerificationFailure: true, }, }, }) if err != nil { return nil, vfs.VirtualDentry{}, nil, fmt.Errorf("NewMountNamespace: %v", err) } root := mntns.Root() root.IncRef() // Use lowerRoot in the task as we modify the lower file system // directly in many tests. lowerRoot := root.Dentry().Impl().(*dentry).lowerVD tc := k.NewThreadGroup(nil, k.RootPIDNamespace(), kernel.NewSignalHandlers(), linux.SIGCHLD, k.GlobalInit().Limits()) task, err := testutil.CreateTask(ctx, "name", tc, mntns, lowerRoot, lowerRoot) if err != nil { t.Fatalf("testutil.CreateTask: %v", err) } t.Helper() t.Cleanup(func() { root.DecRef(ctx) mntns.DecRef(ctx) }) return vfsObj, root, task, nil } // newFileFD creates a new file in the verity mount, and returns the FD. The FD // points to a file that has random data generated. func newFileFD(ctx context.Context, vfsObj *vfs.VirtualFilesystem, root vfs.VirtualDentry, filePath string, mode linux.FileMode) (*vfs.FileDescription, int, error) { creds := auth.CredentialsFromContext(ctx) lowerRoot := root.Dentry().Impl().(*dentry).lowerVD // Create the file in the underlying file system. lowerFD, err := vfsObj.OpenAt(ctx, creds, &vfs.PathOperation{ Root: lowerRoot, Start: lowerRoot, Path: fspath.Parse(filePath), }, &vfs.OpenOptions{ Flags: linux.O_RDWR | linux.O_CREAT | linux.O_EXCL, Mode: linux.ModeRegular | mode, }) if err != nil { return nil, 0, err } // Generate random data to be written to the file. dataSize := rand.Intn(maxDataSize) + 1 data := make([]byte, dataSize) rand.Read(data) // Write directly to the underlying FD, since verity FD is read-only. n, err := lowerFD.Write(ctx, usermem.BytesIOSequence(data), vfs.WriteOptions{}) if err != nil { return nil, 0, err } if n != int64(len(data)) { return nil, 0, fmt.Errorf("lowerFD.Write got write length %d, want %d", n, len(data)) } lowerFD.DecRef(ctx) // Now open the verity file descriptor. fd, err := vfsObj.OpenAt(ctx, creds, &vfs.PathOperation{ Root: root, Start: root, Path: fspath.Parse(filePath), }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, Mode: linux.ModeRegular | mode, }) return fd, dataSize, err } // corruptRandomBit randomly flips a bit in the file represented by fd. func corruptRandomBit(ctx context.Context, fd *vfs.FileDescription, size int) error { // Flip a random bit in the underlying file. randomPos := int64(rand.Intn(size)) byteToModify := make([]byte, 1) if _, err := fd.PRead(ctx, usermem.BytesIOSequence(byteToModify), randomPos, vfs.ReadOptions{}); err != nil { return fmt.Errorf("lowerFD.PRead: %v", err) } byteToModify[0] ^= 1 if _, err := fd.PWrite(ctx, usermem.BytesIOSequence(byteToModify), randomPos, vfs.WriteOptions{}); err != nil { return fmt.Errorf("lowerFD.PWrite: %v", err) } return nil } var hashAlgs = []HashAlgorithm{SHA256, SHA512} // TestOpen ensures that when a file is created, the corresponding Merkle tree // file and the root Merkle tree file exist. func TestOpen(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" if _, _, err := newFileFD(ctx, vfsObj, root, filename, 0644); err != nil { t.Fatalf("newFileFD: %v", err) } // Ensure that the corresponding Merkle tree file is created. lowerRoot := root.Dentry().Impl().(*dentry).lowerVD if _, err = vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: lowerRoot, Start: lowerRoot, Path: fspath.Parse(merklePrefix + filename), }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, }); err != nil { t.Errorf("OpenAt Merkle tree file %s: %v", merklePrefix+filename, err) } // Ensure the root merkle tree file is created. if _, err = vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: lowerRoot, Start: lowerRoot, Path: fspath.Parse(merklePrefix + rootMerkleFilename), }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, }); err != nil { t.Errorf("OpenAt root Merkle tree file %s: %v", merklePrefix+rootMerkleFilename, err) } } } // TestPReadUnmodifiedFileSucceeds ensures that pread from an untouched verity // file succeeds after enabling verity for it. func TestPReadUnmodifiedFileSucceeds(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, size, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file and confirm a normal read succeeds. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } buf := make([]byte, size) n, err := fd.PRead(ctx, usermem.BytesIOSequence(buf), 0 /* offset */, vfs.ReadOptions{}) if err != nil && err != io.EOF { t.Fatalf("fd.PRead: %v", err) } if n != int64(size) { t.Errorf("fd.PRead got read length %d, want %d", n, size) } } } // TestReadUnmodifiedFileSucceeds ensures that read from an untouched verity // file succeeds after enabling verity for it. func TestReadUnmodifiedFileSucceeds(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, size, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file and confirm a normal read succeeds. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } buf := make([]byte, size) n, err := fd.Read(ctx, usermem.BytesIOSequence(buf), vfs.ReadOptions{}) if err != nil && err != io.EOF { t.Fatalf("fd.Read: %v", err) } if n != int64(size) { t.Errorf("fd.PRead got read length %d, want %d", n, size) } } } // TestReopenUnmodifiedFileSucceeds ensures that reopen an untouched verity file // succeeds after enabling verity for it. func TestReopenUnmodifiedFileSucceeds(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, _, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file and confirms a normal read succeeds. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } // Ensure reopening the verity enabled file succeeds. if _, err = vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: root, Start: root, Path: fspath.Parse(filename), }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, Mode: linux.ModeRegular, }); err != nil { t.Errorf("reopen enabled file failed: %v", err) } } } // TestOpenNonexistentFile ensures that opening a nonexistent file does not // trigger verification failure, even if the parent directory is verified. func TestOpenNonexistentFile(t *testing.T) { vfsObj, root, ctx, err := newVerityRoot(t, SHA256) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, _, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file and confirms a normal read succeeds. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } // Enable verity on the parent directory. parentFD, err := vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: root, Start: root, }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, }) if err != nil { t.Fatalf("OpenAt: %v", err) } if _, err := parentFD.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } // Ensure open an unexpected file in the parent directory fails with // ENOENT rather than verification failure. if _, err = vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: root, Start: root, Path: fspath.Parse(filename + "abc"), }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, Mode: linux.ModeRegular, }); err != syserror.ENOENT { t.Errorf("OpenAt unexpected error: %v", err) } } // TestPReadModifiedFileFails ensures that read from a modified verity file // fails. func TestPReadModifiedFileFails(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, size, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } // Open a new lowerFD that's read/writable. lowerVD := fd.Impl().(*fileDescription).d.lowerVD lowerFD, err := vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: lowerVD, Start: lowerVD, }, &vfs.OpenOptions{ Flags: linux.O_RDWR, }) if err != nil { t.Fatalf("OpenAt: %v", err) } if err := corruptRandomBit(ctx, lowerFD, size); err != nil { t.Fatalf("corruptRandomBit: %v", err) } // Confirm that read from the modified file fails. buf := make([]byte, size) if _, err := fd.PRead(ctx, usermem.BytesIOSequence(buf), 0 /* offset */, vfs.ReadOptions{}); err == nil { t.Fatalf("fd.PRead succeeded, expected failure") } } } // TestReadModifiedFileFails ensures that read from a modified verity file // fails. func TestReadModifiedFileFails(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, size, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } // Open a new lowerFD that's read/writable. lowerVD := fd.Impl().(*fileDescription).d.lowerVD lowerFD, err := vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: lowerVD, Start: lowerVD, }, &vfs.OpenOptions{ Flags: linux.O_RDWR, }) if err != nil { t.Fatalf("OpenAt: %v", err) } if err := corruptRandomBit(ctx, lowerFD, size); err != nil { t.Fatalf("corruptRandomBit: %v", err) } // Confirm that read from the modified file fails. buf := make([]byte, size) if _, err := fd.Read(ctx, usermem.BytesIOSequence(buf), vfs.ReadOptions{}); err == nil { t.Fatalf("fd.Read succeeded, expected failure") } } } // TestModifiedMerkleFails ensures that read from a verity file fails if the // corresponding Merkle tree file is modified. func TestModifiedMerkleFails(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, size, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } // Open a new lowerMerkleFD that's read/writable. lowerMerkleVD := fd.Impl().(*fileDescription).d.lowerMerkleVD lowerMerkleFD, err := vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: lowerMerkleVD, Start: lowerMerkleVD, }, &vfs.OpenOptions{ Flags: linux.O_RDWR, }) if err != nil { t.Fatalf("OpenAt: %v", err) } // Flip a random bit in the Merkle tree file. stat, err := lowerMerkleFD.Stat(ctx, vfs.StatOptions{}) if err != nil { t.Errorf("lowerMerkleFD.Stat: %v", err) } if err := corruptRandomBit(ctx, lowerMerkleFD, int(stat.Size)); err != nil { t.Fatalf("corruptRandomBit: %v", err) } // Confirm that read from a file with modified Merkle tree fails. buf := make([]byte, size) if _, err := fd.PRead(ctx, usermem.BytesIOSequence(buf), 0 /* offset */, vfs.ReadOptions{}); err == nil { fmt.Println(buf) t.Fatalf("fd.PRead succeeded with modified Merkle file") } } } // TestModifiedParentMerkleFails ensures that open a verity enabled file in a // verity enabled directory fails if the hashes related to the target file in // the parent Merkle tree file is modified. func TestModifiedParentMerkleFails(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, _, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } // Enable verity on the parent directory. parentFD, err := vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: root, Start: root, }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, }) if err != nil { t.Fatalf("OpenAt: %v", err) } if _, err := parentFD.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } // Open a new lowerMerkleFD that's read/writable. parentLowerMerkleVD := fd.Impl().(*fileDescription).d.parent.lowerMerkleVD parentLowerMerkleFD, err := vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: parentLowerMerkleVD, Start: parentLowerMerkleVD, }, &vfs.OpenOptions{ Flags: linux.O_RDWR, }) if err != nil { t.Fatalf("OpenAt: %v", err) } // Flip a random bit in the parent Merkle tree file. // This parent directory contains only one child, so any random // modification in the parent Merkle tree should cause verification // failure when opening the child file. sizeString, err := parentLowerMerkleFD.GetXattr(ctx, &vfs.GetXattrOptions{ Name: childrenOffsetXattr, Size: sizeOfStringInt32, }) if err != nil { t.Fatalf("parentLowerMerkleFD.GetXattr: %v", err) } parentMerkleSize, err := strconv.Atoi(sizeString) if err != nil { t.Fatalf("Failed convert size to int: %v", err) } if err := corruptRandomBit(ctx, parentLowerMerkleFD, parentMerkleSize); err != nil { t.Fatalf("corruptRandomBit: %v", err) } parentLowerMerkleFD.DecRef(ctx) // Ensure reopening the verity enabled file fails. if _, err = vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: root, Start: root, Path: fspath.Parse(filename), }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, Mode: linux.ModeRegular, }); err == nil { t.Errorf("OpenAt file with modified parent Merkle succeeded") } } } // TestUnmodifiedStatSucceeds ensures that stat of an untouched verity file // succeeds after enabling verity for it. func TestUnmodifiedStatSucceeds(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, _, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file and confirms stat succeeds. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("fd.Ioctl: %v", err) } if _, err := fd.Stat(ctx, vfs.StatOptions{}); err != nil { t.Errorf("fd.Stat: %v", err) } } } // TestModifiedStatFails checks that getting stat for a file with modified stat // should fail. func TestModifiedStatFails(t *testing.T) { for _, alg := range hashAlgs { vfsObj, root, ctx, err := newVerityRoot(t, alg) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, _, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("fd.Ioctl: %v", err) } lowerFD := fd.Impl().(*fileDescription).lowerFD // Change the stat of the underlying file, and check that stat fails. if err := lowerFD.SetStat(ctx, vfs.SetStatOptions{ Stat: linux.Statx{ Mask: uint32(linux.STATX_MODE), Mode: 0777, }, }); err != nil { t.Fatalf("lowerFD.SetStat: %v", err) } if _, err := fd.Stat(ctx, vfs.StatOptions{}); err == nil { t.Errorf("fd.Stat succeeded when it should fail") } } } // TestOpenDeletedFileFails ensures that opening a deleted verity enabled file // and/or the corresponding Merkle tree file fails with the verity error. func TestOpenDeletedFileFails(t *testing.T) { testCases := []struct { // The original file is removed if changeFile is true. changeFile bool // The Merkle tree file is removed if changeMerkleFile is true. changeMerkleFile bool }{ { changeFile: true, changeMerkleFile: false, }, { changeFile: false, changeMerkleFile: true, }, { changeFile: true, changeMerkleFile: true, }, } for _, tc := range testCases { t.Run(fmt.Sprintf("changeFile:%t, changeMerkleFile:%t", tc.changeFile, tc.changeMerkleFile), func(t *testing.T) { vfsObj, root, ctx, err := newVerityRoot(t, SHA256) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, _, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } rootLowerVD := root.Dentry().Impl().(*dentry).lowerVD if tc.changeFile { if err := vfsObj.UnlinkAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: rootLowerVD, Start: rootLowerVD, Path: fspath.Parse(filename), }); err != nil { t.Fatalf("UnlinkAt: %v", err) } } if tc.changeMerkleFile { if err := vfsObj.UnlinkAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: rootLowerVD, Start: rootLowerVD, Path: fspath.Parse(merklePrefix + filename), }); err != nil { t.Fatalf("UnlinkAt: %v", err) } } // Ensure reopening the verity enabled file fails. if _, err = vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: root, Start: root, Path: fspath.Parse(filename), }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, Mode: linux.ModeRegular, }); err != syserror.EIO { t.Errorf("got OpenAt error: %v, expected EIO", err) } }) } } // TestOpenRenamedFileFails ensures that opening a renamed verity enabled file // and/or the corresponding Merkle tree file fails with the verity error. func TestOpenRenamedFileFails(t *testing.T) { testCases := []struct { // The original file is renamed if changeFile is true. changeFile bool // The Merkle tree file is renamed if changeMerkleFile is true. changeMerkleFile bool }{ { changeFile: true, changeMerkleFile: false, }, { changeFile: false, changeMerkleFile: true, }, { changeFile: true, changeMerkleFile: true, }, } for _, tc := range testCases { t.Run(fmt.Sprintf("changeFile:%t, changeMerkleFile:%t", tc.changeFile, tc.changeMerkleFile), func(t *testing.T) { vfsObj, root, ctx, err := newVerityRoot(t, SHA256) if err != nil { t.Fatalf("newVerityRoot: %v", err) } filename := "verity-test-file" fd, _, err := newFileFD(ctx, vfsObj, root, filename, 0644) if err != nil { t.Fatalf("newFileFD: %v", err) } // Enable verity on the file. var args arch.SyscallArguments args[1] = arch.SyscallArgument{Value: linux.FS_IOC_ENABLE_VERITY} if _, err := fd.Ioctl(ctx, nil /* uio */, args); err != nil { t.Fatalf("Ioctl: %v", err) } rootLowerVD := root.Dentry().Impl().(*dentry).lowerVD newFilename := "renamed-test-file" if tc.changeFile { if err := vfsObj.RenameAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: rootLowerVD, Start: rootLowerVD, Path: fspath.Parse(filename), }, &vfs.PathOperation{ Root: rootLowerVD, Start: rootLowerVD, Path: fspath.Parse(newFilename), }, &vfs.RenameOptions{}); err != nil { t.Fatalf("RenameAt: %v", err) } } if tc.changeMerkleFile { if err := vfsObj.RenameAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: rootLowerVD, Start: rootLowerVD, Path: fspath.Parse(merklePrefix + filename), }, &vfs.PathOperation{ Root: rootLowerVD, Start: rootLowerVD, Path: fspath.Parse(merklePrefix + newFilename), }, &vfs.RenameOptions{}); err != nil { t.Fatalf("UnlinkAt: %v", err) } } // Ensure reopening the verity enabled file fails. if _, err = vfsObj.OpenAt(ctx, auth.CredentialsFromContext(ctx), &vfs.PathOperation{ Root: root, Start: root, Path: fspath.Parse(filename), }, &vfs.OpenOptions{ Flags: linux.O_RDONLY, Mode: linux.ModeRegular, }); err != syserror.EIO { t.Errorf("got OpenAt error: %v, expected EIO", err) } }) } }