Return error from fsverity IsSupported method

Signed-off-by: James Jenkins <James.Jenkins@ibm.com>
containerd · Mar 27, 2024 · 26cc644 · 26cc644
1 parent aa28f9e
commit 26cc644
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 12 deletions.
diff --git a/pkg/fsverity/fsverity_linux.go b/pkg/fsverity/fsverity_linux.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 /*
    Copyright The containerd Authors.
 
@@ -48,29 +46,33 @@ const (
 )
 
 var (
-	once      sync.Once
-	supported bool
+	once         sync.Once
+	supported    bool
+	supportedErr error
 )
 
-func IsSupported(rootPath string) bool {
+func IsSupported(rootPath string) (bool, error) {
 	once.Do(func() {
 		minKernelVersion := kernelversion.KernelVersion{Kernel: 5, Major: 4}
 		s, err := kernelversion.GreaterEqualThan(minKernelVersion)
 		if err != nil {
 			supported = s
+			supportedErr = err
 			return
 		}
 
 		integrityDir := filepath.Join(rootPath, "integrity")
 		if err = os.MkdirAll(integrityDir, 0755); err != nil {
 			supported = false
+			supportedErr = err
 			return
 		}
 
 		digestPath := filepath.Join(integrityDir, "supported")
 		digestFile, err := os.Create(digestPath)
 		if err != nil {
 			supported = false
+			supportedErr = err
 			return
 		}
 
@@ -80,25 +82,27 @@ func IsSupported(rootPath string) bool {
 		eerr := Enable(digestPath)
 		if eerr != nil {
 			supported = false
+			supportedErr = eerr
 			return
 		}
 
 		supported = true
+		supportedErr = nil
 	})
-	return supported
+	return supported, supportedErr
 }
 
 func IsEnabled(path string) (bool, error) {
 	f, err := os.Open(path)
 	if err != nil {
-		return false, fmt.Errorf("error opening file: %s", err)
+		return false, err
 	}
 
 	var attr int
 
 	_, _, flagErr := unix.Syscall(syscall.SYS_IOCTL, f.Fd(), uintptr(unix.FS_IOC_GETFLAGS), uintptr(unsafe.Pointer(&attr)))
 	if flagErr != 0 {
-		return false, fmt.Errorf("error getting inode flags: %s", flagErr)
+		return false, fmt.Errorf("error getting inode flags: %w", flagErr)
 	}
 
 	if attr&unix.FS_VERITY_FL == unix.FS_VERITY_FL {
@@ -111,7 +115,7 @@ func IsEnabled(path string) (bool, error) {
 func Enable(path string) error {
 	f, err := os.Open(path)
 	if err != nil {
-		return fmt.Errorf("error opening file: %s", err.Error())
+		return err
 	}
 
 	var args = &fsverityEnableArg{}
@@ -137,7 +141,7 @@ func Enable(path string) error {
 
 	_, _, errno := unix.Syscall(syscall.SYS_IOCTL, f.Fd(), uintptr(unix.FS_IOC_ENABLE_VERITY), uintptr(unsafe.Pointer(args)))
 	if errno != 0 {
-		return fmt.Errorf("enable fsverity failed: %d", errno)
+		return fmt.Errorf("enable fsverity failed: %w", errno)
 	}
 
 	return nil

diff --git a/plugins/content/local/writer.go b/plugins/content/local/writer.go
@@ -140,12 +140,16 @@ func (w *writer) Commit(ctx context.Context, size int64, expected digest.Digest,
 
 	// Enable content blob integrity verification if supported
 
-	if integritySupported := fsverity.IsSupported(w.s.root); integritySupported {
+	var (
+		integritySupported bool
+		supportErr         error
+	)
+	if integritySupported, supportErr = fsverity.IsSupported(w.s.root); integritySupported {
 		if err := fsverity.Enable(target); err != nil {
 			log.G(ctx).Warnf("failed to enable integrity of blob %v: %s", target, err.Error())
 		}
 	} else {
-		log.G(ctx).Warnf("fsverity integrity verification is not supported")
+		log.G(ctx).Warnf("fsverity integrity verification is not supported: %s", supportErr.Error())
 	}
 
 	// Ingest has now been made available in the content store, attempt to complete