Bump containers/common to latest main

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
2025-12-10 07:42:12 +08:00 · 2024-01-29 16:30:55 -05:00
parent 174631f726
commit d202acd861
56 changed files with 1930 additions and 1119 deletions
--- a/vendor/github.com/containers/storage/drivers/overlay/composefs.go
+++ b/vendor/github.com/containers/storage/drivers/overlay/composefs.go
@@ -7,15 +7,13 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
-	"io/fs"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"sync"
-	"syscall"
-	"unsafe"

 	"github.com/containers/storage/pkg/chunked/dump"
+	"github.com/containers/storage/pkg/fsverity"
 	"github.com/containers/storage/pkg/loopback"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -34,72 +32,6 @@ func getComposeFsHelper() (string, error) {
 	return composeFsHelperPath, composeFsHelperErr
 }

-func enableVerity(description string, fd int) error {
-	enableArg := unix.FsverityEnableArg{
-		Version:        1,
-		Hash_algorithm: unix.FS_VERITY_HASH_ALG_SHA256,
-		Block_size:     4096,
-	}
-
-	_, _, e1 := syscall.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(unix.FS_IOC_ENABLE_VERITY), uintptr(unsafe.Pointer(&enableArg)))
-	if e1 != 0 && !errors.Is(e1, unix.EEXIST) {
-		return fmt.Errorf("failed to enable verity for %q: %w", description, e1)
-	}
-	return nil
-}
-
-type verityDigest struct {
-	Fsv unix.FsverityDigest
-	Buf [64]byte
-}
-
-func measureVerity(description string, fd int) (string, error) {
-	var digest verityDigest
-	digest.Fsv.Size = 64
-	_, _, e1 := syscall.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(unix.FS_IOC_MEASURE_VERITY), uintptr(unsafe.Pointer(&digest)))
-	if e1 != 0 {
-		return "", fmt.Errorf("failed to measure verity for %q: %w", description, e1)
-	}
-	return fmt.Sprintf("%x", digest.Buf[:digest.Fsv.Size]), nil
-}
-
-func enableVerityRecursive(root string) (map[string]string, error) {
-	digests := make(map[string]string)
-	walkFn := func(path string, d fs.DirEntry, err error) error {
-		if err != nil {
-			return err
-		}
-		if !d.Type().IsRegular() {
-			return nil
-		}
-
-		f, err := os.Open(path)
-		if err != nil {
-			return err
-		}
-		defer f.Close()
-
-		if err := enableVerity(path, int(f.Fd())); err != nil {
-			return err
-		}
-
-		verity, err := measureVerity(path, int(f.Fd()))
-		if err != nil {
-			return err
-		}
-
-		relPath, err := filepath.Rel(root, path)
-		if err != nil {
-			return err
-		}
-
-		digests[relPath] = verity
-		return nil
-	}
-	err := filepath.WalkDir(root, walkFn)
-	return digests, err
-}
-
 func getComposefsBlob(dataDir string) string {
 	return filepath.Join(dataDir, "composefs.blob")
 }
@@ -151,7 +83,7 @@ func generateComposeFsBlob(verityDigests map[string]string, toc interface{}, com
 		return err
 	}

-	if err := enableVerity("manifest file", int(newFd.Fd())); err != nil && !errors.Is(err, unix.ENOTSUP) && !errors.Is(err, unix.ENOTTY) {
+	if err := fsverity.EnableVerity("manifest file", int(newFd.Fd())); err != nil && !errors.Is(err, unix.ENOTSUP) && !errors.Is(err, unix.ENOTTY) {
 		logrus.Warningf("%s", err)
 	}

--- a/vendor/github.com/containers/storage/drivers/overlay/overlay.go
+++ b/vendor/github.com/containers/storage/drivers/overlay/overlay.go
@@ -82,7 +82,8 @@ const (
 	lowerFile  = "lower"
 	maxDepth   = 500

-	tocArtifact = "toc"
+	tocArtifact             = "toc"
+	fsVerityDigestsArtifact = "fs-verity-digests"

 	// idLength represents the number of random characters
 	// which can be used to create the unique link identifier
@@ -2085,7 +2086,13 @@ func (d *Driver) ApplyDiffWithDiffer(id, parent string, options *graphdriver.App
 		if err != nil {
 			return graphdriver.DriverWithDifferOutput{}, err
 		}
-
+		perms := defaultPerms
+		if d.options.forceMask != nil {
+			perms = *d.options.forceMask
+		}
+		if err := os.Chmod(applyDir, perms); err != nil {
+			return graphdriver.DriverWithDifferOutput{}, err
+		}
 	} else {
 		var err error
 		applyDir, err = d.getDiffPath(id)
@@ -2101,6 +2108,7 @@ func (d *Driver) ApplyDiffWithDiffer(id, parent string, options *graphdriver.App
 	}
 	if d.usingComposefs {
 		differOptions.Format = graphdriver.DifferOutputFormatFlat
+		differOptions.UseFsVerity = graphdriver.DifferFsVerityEnabled
 	}
 	out, err := differ.ApplyDiff(applyDir, &archive.TarOptions{
 		UIDMaps:           idMappings.UIDs(),
@@ -2120,23 +2128,33 @@ func (d *Driver) ApplyDiffFromStagingDirectory(id, parent, stagingDirectory stri
 	if filepath.Dir(stagingDirectory) != d.getStagingDir() {
 		return fmt.Errorf("%q is not a staging directory", stagingDirectory)
 	}
-
-	if d.usingComposefs {
-		// FIXME: move this logic into the differ so we don't have to open
-		// the file twice.
-		verityDigests, err := enableVerityRecursive(stagingDirectory)
-		if err != nil && !errors.Is(err, unix.ENOTSUP) && !errors.Is(err, unix.ENOTTY) {
-			logrus.Warningf("%s", err)
-		}
-		toc := diffOutput.Artifacts[tocArtifact]
-		if err := generateComposeFsBlob(verityDigests, toc, d.getComposefsData(id)); err != nil {
-			return err
-		}
-	}
 	diffPath, err := d.getDiffPath(id)
 	if err != nil {
 		return err
 	}
+
+	// If the current layer doesn't set the mode for the parent, override it with the parent layer's mode.
+	if d.options.forceMask == nil && diffOutput.RootDirMode == nil && parent != "" {
+		parentDiffPath, err := d.getDiffPath(parent)
+		if err != nil {
+			return err
+		}
+		parentSt, err := os.Stat(parentDiffPath)
+		if err != nil {
+			return err
+		}
+		if err := os.Chmod(stagingDirectory, parentSt.Mode()); err != nil {
+			return err
+		}
+	}
+
+	if d.usingComposefs {
+		toc := diffOutput.Artifacts[tocArtifact]
+		verityDigests := diffOutput.Artifacts[fsVerityDigestsArtifact].(map[string]string)
+		if err := generateComposeFsBlob(verityDigests, toc, d.getComposefsData(id)); err != nil {
+			return err
+		}
+	}
 	if err := os.RemoveAll(diffPath); err != nil && !os.IsNotExist(err) {
 		return err
 	}