genpolicy-msft: revert problematic tarindex commit

(cherry picked from commit c490d2d) Signed-off-by: Markus Rudy <[email protected]>
edgelesssys · Jun 24, 2024 · 5c54b38 · 5c54b38
1 parent 7332790
commit 5c54b38
Show file tree

Hide file tree

Showing 3 changed files with 132 additions and 19 deletions.
diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_revert_special_symlink_names.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_revert_special_symlink_names.patch
@@ -0,0 +1,110 @@
+From 76b9881f5004d0b577608dbaa218ba6682c2a3a0 Mon Sep 17 00:00:00 2001
+From: Markus Rudy <[email protected]>
+Date: Fri, 21 Jun 2024 16:59:57 +0200
+Subject: [PATCH] Revert "tarindex: Add special symlink name handling"
+
+This reverts commit 3951807d04ca2d350071d0ee05ebb18fa28bd95d,
+which caused genpolicy to produce verity hashes that were not accepted
+by AKS.
+---
+ src/tardev-snapshotter/tarindex/src/lib.rs | 38 ++++++++--------------
+ 1 file changed, 13 insertions(+), 25 deletions(-)
+
+diff --git a/src/tardev-snapshotter/tarindex/src/lib.rs b/src/tardev-snapshotter/tarindex/src/lib.rs
+index f4e0085a2..a46d35a47 100644
+--- a/src/tardev-snapshotter/tarindex/src/lib.rs
++++ b/src/tardev-snapshotter/tarindex/src/lib.rs
+@@ -49,7 +49,6 @@ fn visit_breadth_first_mut(
+ fn read_all_entries(
+     reader: &mut (impl io::Read + io::Seek),
+     root: &mut Rc<RefCell<Entry>>,
+-    special_link: &mut Vec<Vec<u8>>,
+     mut cb: impl FnMut(&mut Rc<RefCell<Entry>>, &[u8], &Entry),
+     mut hardlink: impl FnMut(&mut Rc<RefCell<Entry>>, &[u8], &[u8]),
+ ) -> io::Result<u64> {
+@@ -137,12 +136,18 @@ fn read_all_entries(
+                             .link_name_bytes()
+                             .unwrap_or(std::borrow::Cow::Borrowed(b""));
+                         if *hname != *name {
+-                            special_link.push(name.to_vec());
+-                            entry_offset = 0;
+-                        } else {
+-                            entry_offset = f.raw_header_position() + 157;
++                            // TODO: Handle this case by duplicating the full name.
++                            eprintln!(
++                                "Skipping symlink with long link name ({}, {} bytes, {}, {} bytes): {}",
++                                String::from_utf8_lossy(&name), name.len(),
++                                String::from_utf8_lossy(&hname), hname.len(),
++                                String::from_utf8_lossy(&f.path_bytes())
++                            );
++                            continue;
+                         }
++
+                         entry_size = name.len() as u64;
++                        entry_offset = f.raw_header_position() + 157;
+                     }
+                     None => {
+                         eprintln!(
+@@ -301,11 +306,10 @@ pub fn append_index(data: &mut (impl io::Read + io::Write + io::Seek)) -> io::Re
+         mode: S_IFDIR | 0o555,
+         ..Entry::default()
+     }));
+-    let mut special_link = Vec::new();
++
+     let contents_size = read_all_entries(
+         data,
+         &mut root,
+-        &mut special_link,
+         |root, name, e| {
+             // Break the name into path components.
+             let mut path = if let Some(p) = clean_path(name) {
+@@ -423,7 +427,6 @@ pub fn append_index(data: &mut (impl io::Read + io::Write + io::Seek)) -> io::Re
+     // Calculate the offsets for directory entries.
+     let inode_table_size: u64 = mem::size_of::<Inode>() as u64 * ino_count;
+     let string_table_offset = init_direntry_offset(root.clone(), contents_size + inode_table_size)?;
+-    let mut symlink_offset = string_table_offset;
+
+     // Write the i-node table.
+     visit_breadth_first_mut(root.clone(), |e| {
+@@ -431,15 +434,6 @@ pub fn append_index(data: &mut (impl io::Read + io::Write + io::Seek)) -> io::Re
+             return Ok(());
+         }
+
+-        // Check for special symlink names
+-        let inode_offset = if (e.mode & S_IFMT) != S_IFLNK || e.offset != 0 {
+-            e.offset
+-        } else {
+-            let v = symlink_offset;
+-            symlink_offset += e.size;
+-            v
+-        };
+-
+         e.emitted = true;
+         let inode = Inode {
+             mode: e.mode.into(),
+@@ -453,20 +447,14 @@ pub fn append_index(data: &mut (impl io::Read + io::Write + io::Seek)) -> io::Re
+             group: e.group.into(),
+             lmtime: (e.mtime as u32).into(),
+             size: e.size.into(),
+-            offset: inode_offset.into(),
++            offset: e.offset.into(),
+         };
+         data.write_all(inode.as_bytes())?;
+         Ok(())
+     })?;
+
+     // Write the directory bodies.
+-    let mut end_offset = write_direntry_bodies(root.clone(), symlink_offset, data)?;
+-
+-    // Duplicate special symlink names.
+-    for link_name in special_link.iter() {
+-        data.write_all(link_name.as_bytes())?;
+-        end_offset += link_name.len() as u64;
+-    }
++    let mut end_offset = write_direntry_bodies(root.clone(), string_table_offset, data)?;
+
+     // Write the strings.
+     visit_breadth_first_mut(root, |e| {
+-- 
+2.45.2
+
diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_runtime_class_filter.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_runtime_class_filter.patch
@@ -1,3 +1,4 @@
+# TODO(burgerdev): git format-patch
 diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs
 index 04c88429c..4616551d1 100644
 --- a/src/tools/genpolicy/src/daemon_set.rs

diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix
@@ -19,24 +19,26 @@ rustPlatform.buildRustPackage rec {
   pname = "genpolicy";
   version = "3.2.0.azl1.genpolicy0";
 
-  src = fetchFromGitHub {
-    owner = "microsoft";
-    repo = "kata-containers";
-    rev = "refs/tags/${version}";
-    hash = "sha256-W36RJFf0MVRIBV4ahpv6pqdAwgRYrlqmu4Y/8qiILS8=";
-  };
-
-  patches = [
-    # TODO(burgerdev): drop after Microsoft ported https://github.com/kata-containers/kata-containers/pull/9706
-    (fetchpatch {
-      name = "genpolicy_device_support.patch";
-      url = "https://github.com/kata-containers/kata-containers/commit/f61b43777834f097fcca26864ee634125d9266ef.patch";
-      sha256 = "sha256-wBOyrFY4ZdWBjF5bIrHm7CFy6lVclcvwhF85wXpFZoc=";
-    })
-    ./genpolicy_msft_runtime_class_filter.patch
-  ];
+  src = applyPatches {
+    src = fetchFromGitHub {
+      owner = "microsoft";
+      repo = "kata-containers";
+      rev = "refs/tags/${version}";
+      hash = "sha256-sFh2V7ylRDL6H50BcaHcgJAhrx4yvXzHNxtdQ9VYXdk=";
+    };
 
-  patchFlags = [ "-p4" ];
+    patches = [
+      # TODO(burgerdev): drop after Microsoft reverted it
+      ./genpolicy_msft_revert_special_symlink_names.patch
+      # TODO(burgerdev): drop after Microsoft ported https://github.com/kata-containers/kata-containers/pull/9706
+      (fetchpatch {
+        name = "genpolicy_device_support.patch";
+        url = "https://github.com/kata-containers/kata-containers/commit/f61b43777834f097fcca26864ee634125d9266ef.patch";
+        sha256 = "sha256-wBOyrFY4ZdWBjF5bIrHm7CFy6lVclcvwhF85wXpFZoc=";
+      })
+      ./genpolicy_msft_runtime_class_filter.patch
+    ];
+  };
 
   sourceRoot = "${src.name}/src/tools/genpolicy";
 
@@ -64,7 +66,7 @@ rustPlatform.buildRustPackage rec {
   passthru = rec {
     settings = stdenvNoCC.mkDerivation {
       name = "${pname}-${version}-settings";
-      inherit src sourceRoot patches patchFlags;
+      inherit src sourceRoot;
 
       phases = [ "unpackPhase" "patchPhase" "installPhase" ];
       installPhase = ''
@@ -82,7 +84,7 @@ rustPlatform.buildRustPackage rec {
 
     rules = stdenvNoCC.mkDerivation {
       name = "${pname}-${version}-rules";
-      inherit src sourceRoot patches patchFlags;
+      inherit src sourceRoot;
 
       phases = [ "unpackPhase" "patchPhase" "installPhase" ];
       installPhase = ''