Documentation
Overview
Package verity provides a filesystem implementation that wraps another file system. The verity file system provides integrity checks for the underlying file system by verifying path traversals and each read. The verity file system is read-only, except for one case: when allowRuntimeEnable is true, additional Merkle files can be generated using the FS_IOC_ENABLE_VERITY ioctl.
Lock order:

filesystem.renameMu
  dentry.cachingMu
    filesystem.cacheMu
      dentry.dirMu
        fileDescription.mu
          filesystem.verityMu
            dentry.hashMu
Locking dentry.dirMu in multiple dentries requires that parent dentries are locked before child dentries, and that filesystem.renameMu is locked to stabilize this relationship.
Index
- Constants
- type FileReadWriteSeeker
- func (f *FileReadWriteSeeker) Read(p []byte) (int, error)
- func (f *FileReadWriteSeeker) ReadAt(p []byte, off int64) (int, error)
- func (f *FileReadWriteSeeker) Seek(offset int64, whence int) (int64, error)
- func (f *FileReadWriteSeeker) Write(p []byte) (int, error)
- func (f *FileReadWriteSeeker) WriteAt(p []byte, off int64) (int, error)
- type FilesystemType
- func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.VirtualFilesystem, creds *auth.Credentials, source string, opts vfs.GetFilesystemOptions) (*vfs.Filesystem, *vfs.Dentry, error)
- func (FilesystemType) Name() string
- func (FilesystemType) Release(ctx context.Context)
- type HashAlgorithm
- type InternalFilesystemOptions
- type ViolationAction
Constants
const (
	// Name is the default filesystem name.
	Name = "verity"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type FileReadWriteSeeker
type FileReadWriteSeeker struct {
	FD    *vfs.FileDescription
	Ctx   context.Context
	ROpts vfs.ReadOptions
	WOpts vfs.WriteOptions
}
FileReadWriteSeeker is a helper struct to pass a vfs.FileDescription as io.Reader/io.Writer/io.ReadSeeker/io.ReaderAt/io.WriterAt/etc.
func (*FileReadWriteSeeker) Read
func (f *FileReadWriteSeeker) Read(p []byte) (int, error)
Read implements io.ReadWriteSeeker.Read.
func (*FileReadWriteSeeker) ReadAt
func (f *FileReadWriteSeeker) ReadAt(p []byte, off int64) (int, error)
ReadAt implements io.ReaderAt.ReadAt.
func (*FileReadWriteSeeker) Seek
func (f *FileReadWriteSeeker) Seek(offset int64, whence int) (int64, error)
Seek implements io.ReadWriteSeeker.Seek.
func (*FileReadWriteSeeker) Write
func (f *FileReadWriteSeeker) Write(p []byte) (int, error)
Write implements io.ReadWriteSeeker.Write.
func (*FileReadWriteSeeker) WriteAt
func (f *FileReadWriteSeeker) WriteAt(p []byte, off int64) (int, error)
WriteAt implements io.WriterAt.WriteAt.
type FilesystemType
type FilesystemType struct{}
FilesystemType implements vfs.FilesystemType.
+stateify savable
func (FilesystemType) GetFilesystem
func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.VirtualFilesystem, creds *auth.Credentials, source string, opts vfs.GetFilesystemOptions) (*vfs.Filesystem, *vfs.Dentry, error)
GetFilesystem implements vfs.FilesystemType.GetFilesystem.
func (FilesystemType) Name
func (FilesystemType) Name() string
Name implements vfs.FilesystemType.Name.
func (FilesystemType) Release
func (FilesystemType) Release(ctx context.Context)
Release implements vfs.FilesystemType.Release.
type HashAlgorithm
type HashAlgorithm int
HashAlgorithm is a type specifying the algorithm used to hash the file content.
const (
	SHA256 HashAlgorithm = iota
	SHA512
)
Currently supported hashing algorithms include SHA256 and SHA512.
type InternalFilesystemOptions
type InternalFilesystemOptions struct {
	// LowerName is the name of the filesystem wrapped by verity fs.
	LowerName string

	// Alg is the algorithm used to hash the files in the verity file
	// system.
	Alg HashAlgorithm

	// AllowRuntimeEnable specifies whether the verity file system allows
	// enabling verification for files (i.e. building Merkle trees) during
	// runtime.
	AllowRuntimeEnable bool

	// LowerGetFSOptions are the file system options for the lower layer file
	// system wrapped by the verity file system.
	LowerGetFSOptions vfs.GetFilesystemOptions

	// Action specifies the action on an integrity violation.
	Action ViolationAction
}
InternalFilesystemOptions may be passed as vfs.GetFilesystemOptions.InternalData to FilesystemType.GetFilesystem.
+stateify savable
type ViolationAction
type ViolationAction int
ViolationAction is a type specifying the action when an integrity violation is detected.
const (
	// PanicOnViolation terminates the sentry on detected violation.
	PanicOnViolation ViolationAction = 0

	// ErrorOnViolation returns an error from the violating system call on
	// detected violation.
	ErrorOnViolation = 1
)
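The per-read integrity check that the overview describes, with the HashAlgorithm and ViolationAction choices above, as an added example that is not the verity package's own code: it builds a Merkle tree over a small in-memory file (the step FS_IOC_ENABLE_VERITY performs) and hands out a block only after that block rehashes to the trusted root, panicking or returning an error on a mismatch. The 8-byte block size, the leaf/node prefix bytes, the exported Lower field and the verify-by-recomputing-the-root strategy are simplifications assumed for this example; gVisor's real Merkle file layout and vfs integration are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"errors"
	"fmt"
)

// HashAlgorithm and ViolationAction mirror the enums on the documentation page.
type HashAlgorithm int
type ViolationAction int

const (
	SHA256 HashAlgorithm = iota
	SHA512
)
const (
	PanicOnViolation ViolationAction = 0
	ErrorOnViolation ViolationAction = 1
)

// blockSize is an assumption made for this example, not the package's block size.
const blockSize = 8

// ErrIntegrityViolation is returned from a read that touches a corrupted block.
var ErrIntegrityViolation = errors.New("verity: integrity violation")

// hashWith hashes prefix||parts with the chosen algorithm; the prefix byte
// (0 = leaf, 1 = interior node) keeps leaves and nodes from being confused.
func hashWith(alg HashAlgorithm, prefix byte, parts ...[]byte) []byte {
	h := sha256.New()
	if alg == SHA512 {
		h = sha512.New()
	}
	h.Write([]byte{prefix})
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// merkleRoot folds a level of hashes up to the root, pairing an odd last node with itself.
func merkleRoot(alg HashAlgorithm, level [][]byte) []byte {
	for len(level) > 1 {
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			right := level[i]
			if i+1 < len(level) {
				right = level[i+1]
			}
			next = append(next, hashWith(alg, 1, level[i], right))
		}
		level = next
	}
	return level[0]
}

// VerifiedFile is a read-only view of the lower file; every read is checked
// against the root hash fixed when verity was enabled.
type VerifiedFile struct {
	alg    HashAlgorithm
	action ViolationAction
	Lower  []byte   // wrapped lower-layer content; exported so a test can corrupt it
	leaves [][]byte // per-block leaf hashes, the equivalent of the Merkle file
	root   []byte   // trusted root hash
}

// block returns the bytes of block i of the lower file.
func (f *VerifiedFile) block(i int) []byte {
	end := (i + 1) * blockSize
	if end > len(f.Lower) {
		end = len(f.Lower)
	}
	return f.Lower[i*blockSize : end]
}

// EnableVerity builds the tree over data, the step FS_IOC_ENABLE_VERITY performs.
func EnableVerity(alg HashAlgorithm, action ViolationAction, data []byte) *VerifiedFile {
	n := (len(data) + blockSize - 1) / blockSize
	if n == 0 {
		n = 1 // an empty file still has one (empty) leaf
	}
	f := &VerifiedFile{alg: alg, action: action, Lower: data, leaves: make([][]byte, n)}
	for i := range f.leaves {
		f.leaves[i] = hashWith(alg, 0, f.block(i))
	}
	f.root = merkleRoot(alg, f.leaves)
	return f
}

// ReadBlock rehashes block i, substitutes it into the stored leaves and returns the
// block only if the recomputed root still equals the trusted one; a mismatch is
// handled according to the configured ViolationAction.
func (f *VerifiedFile) ReadBlock(i int) ([]byte, error) {
	if i < 0 || i >= len(f.leaves) {
		return nil, fmt.Errorf("block %d out of range", i)
	}
	leaves := append([][]byte(nil), f.leaves...)
	leaves[i] = hashWith(f.alg, 0, f.block(i))
	if bytes.Equal(merkleRoot(f.alg, leaves), f.root) {
		return f.block(i), nil
	}
	err := fmt.Errorf("%w: block %d", ErrIntegrityViolation, i)
	if f.action == PanicOnViolation {
		panic(err)
	}
	return nil, err
}
```

Substituting the rehashed leaf into a copy of the stored leaves and recomputing the root, rather than comparing against the stored leaf alone, means a modification to the Merkle data itself is caught as well as a modification to the file content, which is why the stored hashes only need to be trusted to the extent that they reproduce the root.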