Deprecate local file support in authfs
Local file was supported during early development, but it's not actually
used.
The names in FileConfig enum are renamed to make linter happy (which
is reasonable since all files are now remote).
Bug: 203251769
Test: atest AuthFsHostTest authfs_device_test_src_lib
Change-Id: I9f1f800453695c84fe4fc15a89b5a434fdaa0331
diff --git a/authfs/src/main.rs b/authfs/src/main.rs
index ecb0e68..a6956e2 100644
--- a/authfs/src/main.rs
+++ b/authfs/src/main.rs
@@ -22,18 +22,16 @@
//! each read of file block can be verified individually only when needed.
//!
//! AuthFS only serve files that are specifically configured. A file configuration may include the
-//! source (e.g. local file or remote file server), verification method (e.g. certificate for
-//! fs-verity verification, or no verification if expected to mount over dm-verity), and file ID.
-//! Regardless of the actual file name, the exposed file names through AuthFS are currently integer,
-//! e.g. /mountpoint/42.
+//! source (e.g. remote file server), verification method (e.g. certificate for fs-verity
+//! verification, or no verification if expected to mount over dm-verity), and file ID. Regardless
+//! of the actual file name, the exposed file names through AuthFS are currently integer, e.g.
+//! /mountpoint/42.
use anyhow::{bail, Context, Result};
use log::error;
use std::collections::BTreeMap;
use std::convert::TryInto;
-use std::fs::File;
-use std::io::Read;
-use std::path::{Path, PathBuf};
+use std::path::PathBuf;
use structopt::StructOpt;
mod auth;
@@ -44,7 +42,7 @@
mod fusefs;
use auth::FakeAuthenticator;
-use file::{LocalFileReader, RemoteFileEditor, RemoteFileReader, RemoteMerkleTreeReader};
+use file::{RemoteFileEditor, RemoteFileReader, RemoteMerkleTreeReader};
use fsverity::{VerifiedFileEditor, VerifiedFileReader};
use fusefs::{FileConfig, Inode};
@@ -83,27 +81,11 @@
#[structopt(long, parse(try_from_str = parse_remote_new_rw_file_option))]
remote_new_rw_file: Vec<OptionRemoteRwFile>,
- /// Debug only. A read-only local file with integrity check. Can be multiple.
- #[structopt(long, parse(try_from_str = parse_local_file_ro_option))]
- local_ro_file: Vec<OptionLocalFileRo>,
-
- /// Debug only. A read-only local file without integrity check. Can be multiple.
- #[structopt(long, parse(try_from_str = parse_local_ro_file_unverified_ro_option))]
- local_ro_file_unverified: Vec<OptionLocalRoFileUnverified>,
-
/// Enable debugging features.
#[structopt(long)]
debug: bool,
}
-impl Args {
- fn has_remote_files(&self) -> bool {
- !self.remote_ro_file.is_empty()
- || !self.remote_ro_file_unverified.is_empty()
- || !self.remote_new_rw_file.is_empty()
- }
-}
-
struct OptionRemoteRoFile {
ino: Inode,
@@ -129,30 +111,6 @@
remote_id: i32,
}
-struct OptionLocalFileRo {
- ino: Inode,
-
- /// Local path of the backing file.
- file_path: PathBuf,
-
- /// Local path of the backing file's fs-verity Merkle tree dump.
- merkle_tree_dump_path: PathBuf,
-
- /// Local path of fs-verity signature for the backing file.
- signature_path: PathBuf,
-
- /// Certificate to verify the authenticity of the file's fs-verity signature.
- /// TODO(170494765): Implement PKCS#7 signature verification.
- _certificate_path: PathBuf,
-}
-
-struct OptionLocalRoFileUnverified {
- ino: Inode,
-
- /// Local path of the backing file.
- file_path: PathBuf,
-}
-
fn parse_remote_ro_file_option(option: &str) -> Result<OptionRemoteRoFile> {
let strs: Vec<&str> = option.split(':').collect();
if strs.len() != 3 {
@@ -187,31 +145,6 @@
})
}
-fn parse_local_file_ro_option(option: &str) -> Result<OptionLocalFileRo> {
- let strs: Vec<&str> = option.split(':').collect();
- if strs.len() != 5 {
- bail!("Invalid option: {}", option);
- }
- Ok(OptionLocalFileRo {
- ino: strs[0].parse::<Inode>()?,
- file_path: PathBuf::from(strs[1]),
- merkle_tree_dump_path: PathBuf::from(strs[2]),
- signature_path: PathBuf::from(strs[3]),
- _certificate_path: PathBuf::from(strs[4]),
- })
-}
-
-fn parse_local_ro_file_unverified_ro_option(option: &str) -> Result<OptionLocalRoFileUnverified> {
- let strs: Vec<&str> = option.split(':').collect();
- if strs.len() != 2 {
- bail!("Invalid option: {}", option);
- }
- Ok(OptionLocalRoFileUnverified {
- ino: strs[0].parse::<Inode>()?,
- file_path: PathBuf::from(strs[1]),
- })
-}
-
fn new_config_remote_verified_file(
service: file::VirtFdService,
remote_id: i32,
@@ -220,7 +153,7 @@
let signature = service.readFsveritySignature(remote_id).context("Failed to read signature")?;
let authenticator = FakeAuthenticator::always_succeed();
- Ok(FileConfig::RemoteVerifiedReadonly {
+ Ok(FileConfig::VerifiedReadonly {
reader: VerifiedFileReader::new(
&authenticator,
RemoteFileReader::new(service.clone(), remote_id),
@@ -238,30 +171,7 @@
file_size: u64,
) -> Result<FileConfig> {
let reader = RemoteFileReader::new(service, remote_id);
- Ok(FileConfig::RemoteUnverifiedReadonly { reader, file_size })
-}
-
-fn new_config_local_ro_file(
- protected_file: &Path,
- merkle_tree_dump: &Path,
- signature: &Path,
-) -> Result<FileConfig> {
- let file = File::open(&protected_file)?;
- let file_size = file.metadata()?.len();
- let file_reader = LocalFileReader::new(file)?;
- let merkle_tree_reader = LocalFileReader::new(File::open(merkle_tree_dump)?)?;
- let authenticator = FakeAuthenticator::always_succeed();
- let mut sig = Vec::new();
- let _ = File::open(signature)?.read_to_end(&mut sig)?;
- let reader =
- VerifiedFileReader::new(&authenticator, file_reader, file_size, sig, merkle_tree_reader)?;
- Ok(FileConfig::LocalVerifiedReadonly { reader, file_size })
-}
-
-fn new_config_local_ro_file_unverified(file_path: &Path) -> Result<FileConfig> {
- let reader = LocalFileReader::new(File::open(file_path)?)?;
- let file_size = reader.len();
- Ok(FileConfig::LocalUnverifiedReadonly { reader, file_size })
+ Ok(FileConfig::UnverifiedReadonly { reader, file_size })
}
fn new_config_remote_new_verified_file(
@@ -269,58 +179,41 @@
remote_id: i32,
) -> Result<FileConfig> {
let remote_file = RemoteFileEditor::new(service, remote_id);
- Ok(FileConfig::RemoteVerifiedNew { editor: VerifiedFileEditor::new(remote_file) })
+ Ok(FileConfig::VerifiedNew { editor: VerifiedFileEditor::new(remote_file) })
}
fn prepare_file_pool(args: &Args) -> Result<BTreeMap<Inode, FileConfig>> {
let mut file_pool = BTreeMap::new();
- if args.has_remote_files() {
- let service = file::get_rpc_binder_service(args.cid)?;
+ let service = file::get_rpc_binder_service(args.cid)?;
- for config in &args.remote_ro_file {
- file_pool.insert(
- config.ino,
- new_config_remote_verified_file(
- service.clone(),
- config.remote_id,
- service.getFileSize(config.remote_id)?.try_into()?,
- )?,
- );
- }
-
- for config in &args.remote_ro_file_unverified {
- file_pool.insert(
- config.ino,
- new_config_remote_unverified_file(
- service.clone(),
- config.remote_id,
- service.getFileSize(config.remote_id)?.try_into()?,
- )?,
- );
- }
-
- for config in &args.remote_new_rw_file {
- file_pool.insert(
- config.ino,
- new_config_remote_new_verified_file(service.clone(), config.remote_id)?,
- );
- }
- }
-
- for config in &args.local_ro_file {
+ for config in &args.remote_ro_file {
file_pool.insert(
config.ino,
- new_config_local_ro_file(
- &config.file_path,
- &config.merkle_tree_dump_path,
- &config.signature_path,
+ new_config_remote_verified_file(
+ service.clone(),
+ config.remote_id,
+ service.getFileSize(config.remote_id)?.try_into()?,
)?,
);
}
- for config in &args.local_ro_file_unverified {
- file_pool.insert(config.ino, new_config_local_ro_file_unverified(&config.file_path)?);
+ for config in &args.remote_ro_file_unverified {
+ file_pool.insert(
+ config.ino,
+ new_config_remote_unverified_file(
+ service.clone(),
+ config.remote_id,
+ service.getFileSize(config.remote_id)?.try_into()?,
+ )?,
+ );
+ }
+
+ for config in &args.remote_new_rw_file {
+ file_pool.insert(
+ config.ino,
+ new_config_remote_new_verified_file(service.clone(), config.remote_id)?,
+ );
}
Ok(file_pool)