OCI: Verify layer checksum while applying

This means we verify the exact data we use, which is what was signed. In particular, this means in the system-helper we don't open us up to the user manipulating the file while it is being applied.
2017-03-28 15:17:37 +02:00 · 2017-03-28 15:17:37 +02:00 · 759eee8cea
parent 980bd48f0e
commit 759eee8cea
1 changed files with 13 additions and 5 deletions
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@ -4490,6 +4490,8 @@ flatpak_pull_from_oci (OstreeRepo   *repo,
      OstreeRepoImportArchiveOptions opts = { 0, };
      free_read_archive struct archive *a = NULL;
      glnx_fd_close int layer_fd = -1;
+      g_autoptr(GChecksum) checksum = g_checksum_new (G_CHECKSUM_SHA256);
+      const char *layer_checksum;

      opts.autocreate_parents = TRUE;
      opts.ignore_unsupported_content = TRUE;
@ -4507,11 +4509,9 @@ flatpak_pull_from_oci (OstreeRepo   *repo,
      archive_read_support_compression_all (a);
 #endif
      archive_read_support_format_all (a);
-      if (archive_read_open_fd (a, layer_fd, 8192) != ARCHIVE_OK)
-        {
-          propagate_libarchive_error (error, a);
-          goto error;
-        }
+
+      if (!flatpak_archive_read_open_fd_with_checksum (a, layer_fd, checksum, error))
+        goto error;

      if (!ostree_repo_import_archive_to_mtree (repo, &opts, a, archive_mtree, NULL, cancellable, error))
        goto error;
@ -4522,6 +4522,14 @@ flatpak_pull_from_oci (OstreeRepo   *repo,
          goto error;
        }

+      layer_checksum = g_checksum_get_string (checksum);
+      if (!g_str_has_prefix (layer->digest, "sha256:") ||
+          strcmp (layer->digest + strlen ("sha256:"), layer_checksum) != 0)
+        {
+          flatpak_fail (error, "Wrong layer checksum, expected %s, was %s\n", layer->digest, layer_checksum);
+          goto error;
+        }
+
      progress_data.pulled_layers++;
      progress_data.previous_layers_size += layer->size;
    }