Closed DomAyre closed 2 weeks ago
Tested with known offenders
mcr.microsoft.com/aci/skr:2.7
@DomAyre ➜ /workspaces/hcsshim/cmd/dmverity-vhd (main) $ go run . -d roothash -i mcr.microsoft.com/aci/skr:2.7
Layer 0 root hash: c2d669f165d21e3547d7a9452df3f1e602a92f15395be781b8b05e38c0959f49
Layer 1 root hash: ea92f7f56267bb282023d097e9809488ec9141f01135dd771607d1bf6c6622f5
Layer 2 root hash: 9fe14782c961dc911f0c49c227448d805772a9ac3f1e285366d72eb24d98cc95
Layer 3 root hash: b01b044a9ba42f1da128bdb46e21bf04466fb2cc36d24e22751c75922a943e40
Layer 4 root hash: b98267f62b738736c201e8173fbc8d723bd46743e17ab3194479e35cc98dfd7f
Layer 5 root hash:
@DomAyre ➜ /workspaces/hcsshim/cmd/dmverity-vhd (fix-empty-layer) $ go run . -d roothash -i mcr.microsoft.com/aci/skr:2.7
Layer 0 root hash: c2d669f165d21e3547d7a9452df3f1e602a92f15395be781b8b05e38c0959f49
Layer 1 root hash: ea92f7f56267bb282023d097e9809488ec9141f01135dd771607d1bf6c6622f5
Layer 2 root hash: 9fe14782c961dc911f0c49c227448d805772a9ac3f1e285366d72eb24d98cc95
Layer 3 root hash: b01b044a9ba42f1da128bdb46e21bf04466fb2cc36d24e22751c75922a943e40
Layer 4 root hash: b98267f62b738736c201e8173fbc8d723bd46743e17ab3194479e35cc98dfd7f
Layer 5 root hash: 8b4842f06982817534a75bcf71865213b09dfa8313229c384e5201dadbd75e25
privacysandbox.azurecr.io/services/seller_frontend_service:2024-11-08-nontee
@DomAyre ➜ /workspaces/hcsshim/cmd/dmverity-vhd (main) $ go run . -d roothash -i privacysandbox.azurecr.io/services/seller_frontend_service:2024-11-08-nontee
Layer 0 root hash: d826fe0c21484d6be4710a198199046a2d17a491f9511bb6512eb3bb158303b4
Layer 1 root hash: 2b06720205ae9cce3d5bf55632ed3a986c0f0aa368a221b1e2819b09379ccabd
Layer 2 root hash: fb812b87e2cce4afa853e13adf637cfbd4472a61e6e51755fe4ccd96110e196d
Layer 3 root hash: 8458679155560a1139039e2f69647a8f26586c4cdacec60c235f183e1c9f8bba
Layer 4 root hash: 2d7e8c03df81c746421fd25ea2ffb92e8cdb84a53b1b30b054838e7d6420e4c8
Layer 5 root hash: e2cb6aa1b1e23110bf14d2180c2f596801e4c492df67f4fdcb435722addebb88
Layer 6 root hash: d044c5937eff07b6d2daf2fd3d2470cc995ab3ebe842f138fd85d9612a14a90f
Layer 7 root hash:
@DomAyre ➜ /workspaces/hcsshim/cmd/dmverity-vhd (fix-empty-layer) $ go run . -d roothash -i privacysandbox.azurecr.io/services/seller_frontend_service:2024-11-08-nontee
Layer 0 root hash: d826fe0c21484d6be4710a198199046a2d17a491f9511bb6512eb3bb158303b4
Layer 1 root hash: 2b06720205ae9cce3d5bf55632ed3a986c0f0aa368a221b1e2819b09379ccabd
Layer 2 root hash: fb812b87e2cce4afa853e13adf637cfbd4472a61e6e51755fe4ccd96110e196d
Layer 3 root hash: 8458679155560a1139039e2f69647a8f26586c4cdacec60c235f183e1c9f8bba
Layer 4 root hash: 2d7e8c03df81c746421fd25ea2ffb92e8cdb84a53b1b30b054838e7d6420e4c8
Layer 5 root hash: e2cb6aa1b1e23110bf14d2180c2f596801e4c492df67f4fdcb435722addebb88
Layer 6 root hash: d044c5937eff07b6d2daf2fd3d2470cc995ab3ebe842f138fd85d9612a14a90f
Layer 7 root hash: 8b4842f06982817534a75bcf71865213b09dfa8313229c384e5201dadbd75e25
We see a bug where getting hashes for an image which includes a layer that does nothing (such as chmod-ing files which already have those permissions) causes a layer hash which is a blank string.
The root cause is that when checking for layers in the image, we treat TarReader.Next() returning an io.EOF as not a tar file rather than a valid but empty tar file; therefore, we don't attempt to generate a hash for it.
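The check described above, sketched with Go's standard archive/tar package as an added example (not the hcsshim code from this PR). The function names and sample inputs are constructed for illustration, and the "fixed" variant is one assumed way to treat io.EOF as a valid empty archive.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// firstHeaderErr returns the error from the first Next() call on data.
func firstHeaderErr(data []byte) error {
	_, err := tar.NewReader(bytes.NewReader(data)).Next()
	return err
}

// isTarBuggy: any error, io.EOF included, is read as "not a tar file".
func isTarBuggy(data []byte) bool { return firstHeaderErr(data) == nil }

// isTarFixed: io.EOF on the first header means a valid archive with zero
// entries; other errors (such as tar.ErrHeader) still mean "not a tar file".
func isTarFixed(data []byte) bool {
	err := firstHeaderErr(data)
	return err == nil || errors.Is(err, io.EOF)
}

// emptyTar builds a constructed archive with no entries (end-of-archive blocks only).
func emptyTar() []byte {
	var buf bytes.Buffer
	tar.NewWriter(&buf).Close()
	return buf.Bytes()
}

// oneFileTar builds a constructed archive holding a single small file.
func oneFileTar() []byte {
	var buf bytes.Buffer
	w := tar.NewWriter(&buf)
	w.WriteHeader(&tar.Header{Name: "a.txt", Mode: 0o644, Size: 5})
	w.Write([]byte("hello"))
	w.Close()
	return buf.Bytes()
}

// notTar is constructed filler that fails tar header validation.
func notTar() []byte { return bytes.Repeat([]byte("x"), 1024) }

func main() {
	fmt.Println("empty:", isTarBuggy(emptyTar()), isTarFixed(emptyTar()))
	fmt.Println("one file:", isTarBuggy(oneFileTar()), isTarFixed(oneFileTar()))
	fmt.Println("not tar:", isTarBuggy(notTar()), isTarFixed(notTar()))
}
```

With archive/tar, a zero-length stream also returns io.EOF from the first Next(), so a check like isTarFixed accepts it as an empty archive as well.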