diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_revert_special_symlink_names.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_revert_special_symlink_names.patch new file mode 100644 index 0000000000..74b2f894fe --- /dev/null +++ b/packages/by-name/microsoft/genpolicy/genpolicy_msft_revert_special_symlink_names.patch @@ -0,0 +1,110 @@ +From 76b9881f5004d0b577608dbaa218ba6682c2a3a0 Mon Sep 17 00:00:00 2001 +From: Markus Rudy +Date: Fri, 21 Jun 2024 16:59:57 +0200 +Subject: [PATCH] Revert "tarindex: Add special symlink name handling" + +This reverts commit 3951807d04ca2d350071d0ee05ebb18fa28bd95d, +which caused genpolicy to produce verity hashes that were not accepted +by AKS. +--- + src/tardev-snapshotter/tarindex/src/lib.rs | 38 ++++++++-------------- + 1 file changed, 13 insertions(+), 25 deletions(-) + +diff --git a/src/tardev-snapshotter/tarindex/src/lib.rs b/src/tardev-snapshotter/tarindex/src/lib.rs +index f4e0085a2..a46d35a47 100644 +--- a/src/tardev-snapshotter/tarindex/src/lib.rs ++++ b/src/tardev-snapshotter/tarindex/src/lib.rs +@@ -49,7 +49,6 @@ fn visit_breadth_first_mut( + fn read_all_entries( + reader: &mut (impl io::Read + io::Seek), + root: &mut Rc>, +- special_link: &mut Vec>, + mut cb: impl FnMut(&mut Rc>, &[u8], &Entry), + mut hardlink: impl FnMut(&mut Rc>, &[u8], &[u8]), + ) -> io::Result { +@@ -137,12 +136,18 @@ fn read_all_entries( + .link_name_bytes() + .unwrap_or(std::borrow::Cow::Borrowed(b"")); + if *hname != *name { +- special_link.push(name.to_vec()); +- entry_offset = 0; +- } else { +- entry_offset = f.raw_header_position() + 157; ++ // TODO: Handle this case by duplicating the full name. ++ eprintln!( ++ "Skipping symlink with long link name ({}, {} bytes, {}, {} bytes): {}", ++ String::from_utf8_lossy(&name), name.len(), ++ String::from_utf8_lossy(&hname), hname.len(), ++ String::from_utf8_lossy(&f.path_bytes()) ++ ); ++ continue; + } ++ + entry_size = name.len() as u64; ++ entry_offset = f.raw_header_position() + 157; + } + None => { + eprintln!( +@@ -301,11 +306,10 @@ pub fn append_index(data: &mut (impl io::Read + io::Write + io::Seek)) -> io::Re + mode: S_IFDIR | 0o555, + ..Entry::default() + })); +- let mut special_link = Vec::new(); ++ + let contents_size = read_all_entries( + data, + &mut root, +- &mut special_link, + |root, name, e| { + // Break the name into path components. + let mut path = if let Some(p) = clean_path(name) { +@@ -423,7 +427,6 @@ pub fn append_index(data: &mut (impl io::Read + io::Write + io::Seek)) -> io::Re + // Calculate the offsets for directory entries. + let inode_table_size: u64 = mem::size_of::() as u64 * ino_count; + let string_table_offset = init_direntry_offset(root.clone(), contents_size + inode_table_size)?; +- let mut symlink_offset = string_table_offset; + + // Write the i-node table. + visit_breadth_first_mut(root.clone(), |e| { +@@ -431,15 +434,6 @@ pub fn append_index(data: &mut (impl io::Read + io::Write + io::Seek)) -> io::Re + return Ok(()); + } + +- // Check for special symlink names +- let inode_offset = if (e.mode & S_IFMT) != S_IFLNK || e.offset != 0 { +- e.offset +- } else { +- let v = symlink_offset; +- symlink_offset += e.size; +- v +- }; +- + e.emitted = true; + let inode = Inode { + mode: e.mode.into(), +@@ -453,20 +447,14 @@ pub fn append_index(data: &mut (impl io::Read + io::Write + io::Seek)) -> io::Re + group: e.group.into(), + lmtime: (e.mtime as u32).into(), + size: e.size.into(), +- offset: inode_offset.into(), ++ offset: e.offset.into(), + }; + data.write_all(inode.as_bytes())?; + Ok(()) + })?; + + // Write the directory bodies. +- let mut end_offset = write_direntry_bodies(root.clone(), symlink_offset, data)?; +- +- // Duplicate special symlink names. +- for link_name in special_link.iter() { +- data.write_all(link_name.as_bytes())?; +- end_offset += link_name.len() as u64; +- } ++ let mut end_offset = write_direntry_bodies(root.clone(), string_table_offset, data)?; + + // Write the strings. + visit_breadth_first_mut(root, |e| { +-- +2.45.2 + diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_runtime_class_filter.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_runtime_class_filter.patch index a9b2788cb6..65447ba72e 100644 --- a/packages/by-name/microsoft/genpolicy/genpolicy_msft_runtime_class_filter.patch +++ b/packages/by-name/microsoft/genpolicy/genpolicy_msft_runtime_class_filter.patch @@ -1,3 +1,4 @@ +# TODO(burgerdev): git format-patch diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs index 04c88429c..4616551d1 100644 --- a/src/tools/genpolicy/src/daemon_set.rs diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix index f71fcfd8fd..0b559a1078 100644 --- a/packages/by-name/microsoft/genpolicy/package.nix +++ b/packages/by-name/microsoft/genpolicy/package.nix @@ -19,24 +19,26 @@ rustPlatform.buildRustPackage rec { pname = "genpolicy"; version = "3.2.0.azl1.genpolicy0"; - src = fetchFromGitHub { - owner = "microsoft"; - repo = "kata-containers"; - rev = "refs/tags/${version}"; - hash = "sha256-W36RJFf0MVRIBV4ahpv6pqdAwgRYrlqmu4Y/8qiILS8="; - }; - - patches = [ - # TODO(burgerdev): drop after Microsoft ported https://github.com/kata-containers/kata-containers/pull/9706 - (fetchpatch { - name = "genpolicy_device_support.patch"; - url = "https://github.com/kata-containers/kata-containers/commit/f61b43777834f097fcca26864ee634125d9266ef.patch"; - sha256 = "sha256-wBOyrFY4ZdWBjF5bIrHm7CFy6lVclcvwhF85wXpFZoc="; - }) - ./genpolicy_msft_runtime_class_filter.patch - ]; + src = applyPatches { + src = fetchFromGitHub { + owner = "microsoft"; + repo = "kata-containers"; + rev = "refs/tags/${version}"; + hash = "sha256-sFh2V7ylRDL6H50BcaHcgJAhrx4yvXzHNxtdQ9VYXdk="; + }; - patchFlags = [ "-p4" ]; + patches = [ + # TODO(burgerdev): drop after Microsoft reverted it + ./genpolicy_msft_revert_special_symlink_names.patch + # TODO(burgerdev): drop after Microsoft ported https://github.com/kata-containers/kata-containers/pull/9706 + (fetchpatch { + name = "genpolicy_device_support.patch"; + url = "https://github.com/kata-containers/kata-containers/commit/f61b43777834f097fcca26864ee634125d9266ef.patch"; + sha256 = "sha256-wBOyrFY4ZdWBjF5bIrHm7CFy6lVclcvwhF85wXpFZoc="; + }) + ./genpolicy_msft_runtime_class_filter.patch + ]; + }; sourceRoot = "${src.name}/src/tools/genpolicy"; @@ -64,7 +66,7 @@ rustPlatform.buildRustPackage rec { passthru = rec { settings = stdenvNoCC.mkDerivation { name = "${pname}-${version}-settings"; - inherit src sourceRoot patches patchFlags; + inherit src sourceRoot; phases = [ "unpackPhase" "patchPhase" "installPhase" ]; installPhase = '' @@ -82,7 +84,7 @@ rustPlatform.buildRustPackage rec { rules = stdenvNoCC.mkDerivation { name = "${pname}-${version}-rules"; - inherit src sourceRoot patches patchFlags; + inherit src sourceRoot; phases = [ "unpackPhase" "patchPhase" "installPhase" ]; installPhase = ''