verity

package
v0.0.0-...-9a2cfe9 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 29, 2021 License: Apache-2.0, MIT Imports: 28 Imported by: 0

Documentation

Overview

Package verity provides a filesystem implementation that is a wrapper of another file system. The verity file system provides integrity check for the underlying file system by providing verification for path traversals and each read. The verity file system is read-only, except for one case: when allowRuntimeEnable is true, additional Merkle files can be generated using the FS_IOC_ENABLE_VERITY ioctl.

Lock order:

filesystem.renameMu

dentry.cachingMu
  filesystem.cacheMu
    dentry.dirMu
      fileDescription.mu
        filesystem.verityMu
          dentry.hashMu

Locking dentry.dirMu in multiple dentries requires that parent dentries are locked before child dentries, and that filesystem.renameMu is locked to stabilize this relationship.

Index

Constants

View Source
const (
	// Name is the default filesystem name.
	Name = "verity"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type FileReadWriteSeeker

type FileReadWriteSeeker struct {
	FD    *vfs.FileDescription
	Ctx   context.Context
	ROpts vfs.ReadOptions
	WOpts vfs.WriteOptions
}

FileReadWriteSeeker is a helper struct to pass a vfs.FileDescription as io.Reader/io.Writer/io.ReadSeeker/io.ReaderAt/io.WriterAt/etc.

func (*FileReadWriteSeeker) Read

func (f *FileReadWriteSeeker) Read(p []byte) (int, error)

Read implements io.ReadWriteSeeker.Read.

func (*FileReadWriteSeeker) ReadAt

func (f *FileReadWriteSeeker) ReadAt(p []byte, off int64) (int, error)

ReadAt implements io.ReaderAt.ReadAt.

func (*FileReadWriteSeeker) Seek

func (f *FileReadWriteSeeker) Seek(offset int64, whence int) (int64, error)

Seek implements io.ReadWriteSeeker.Seek.

func (*FileReadWriteSeeker) Write

func (f *FileReadWriteSeeker) Write(p []byte) (int, error)

Write implements io.ReadWriteSeeker.Write.

func (*FileReadWriteSeeker) WriteAt

func (f *FileReadWriteSeeker) WriteAt(p []byte, off int64) (int, error)

WriteAt implements io.WriterAt.WriteAt.

type FilesystemType

type FilesystemType struct{}

FilesystemType implements vfs.FilesystemType.

+stateify savable

func (FilesystemType) GetFilesystem

func (fstype FilesystemType) GetFilesystem(ctx context.Context, vfsObj *vfs.VirtualFilesystem, creds *auth.Credentials, source string, opts vfs.GetFilesystemOptions) (*vfs.Filesystem, *vfs.Dentry, error)

GetFilesystem implements vfs.FilesystemType.GetFilesystem.

func (FilesystemType) Name

func (FilesystemType) Name() string

Name implements vfs.FilesystemType.Name.

func (FilesystemType) Release

func (FilesystemType) Release(ctx context.Context)

Release implements vfs.FilesystemType.Release.

type HashAlgorithm

type HashAlgorithm int

HashAlgorithm is a type specifying the algorithm used to hash the file content.

const (
	SHA256 HashAlgorithm = iota
	SHA512
)

Currently supported hashing algorithms include SHA256 and SHA512.

type InternalFilesystemOptions

type InternalFilesystemOptions struct {
	// LowerName is the name of the filesystem wrapped by verity fs.
	LowerName string

	// Alg is the algorithms used to hash the files in the verity file
	// system.
	Alg HashAlgorithm

	// AllowRuntimeEnable specifies whether the verity file system allows
	// enabling verification for files (i.e. building Merkle trees) during
	// runtime.
	AllowRuntimeEnable bool

	// LowerGetFSOptions is the file system option for the lower layer file
	// system wrapped by verity file system.
	LowerGetFSOptions vfs.GetFilesystemOptions

	// Action specifies the action on an integrity violation.
	Action ViolationAction
}

InternalFilesystemOptions may be passed as vfs.GetFilesystemOptions.InternalData to FilesystemType.GetFilesystem.

+stateify savable

type ViolationAction

type ViolationAction int

ViolationAction is a type specifying the action when an integrity violation is detected.

const (
	// PanicOnViolation terminates the sentry on detected violation.
	PanicOnViolation ViolationAction = 0
	// ErrorOnViolation returns an error from the violating system call on
	// detected violation.
	ErrorOnViolation = 1
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL