Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / be57a039071a451763adc6c3456b7d79ca1999bb^! / . / metropolis / test / launch / launch.go
commitbe57a039071a451763adc6c3456b7d79ca1999bb[log] [tgz]
authorSerge Bazanski <serge@nexantic.com>Tue May 11 13:41:52 2021 +0200
committerLeopold Schabel <leo@nexantic.com>Tue May 11 13:42:23 2021 +0200
tree391ebab65e54c88c0b101a137371b283c5fd3812
parent3536e4d4923e76486167c85c2b09a1cf4ca5502d [diff] [blame]
m/test/launch: fix TPM tempdir permissions, wrap errors

On Linux, the following generally fails:

    $ cd /tmp
    $ mkdir test
    $ cd test/
    $ chmod 644 .
    $ touch foo
    touch: cannot touch 'foo': Permission denied

This changes our launch code to create a temporary TPM directory with
755 instead of 644 permissions, preventing a situation like above
manifesting in our new CI.

This didn't manifest before as we always ran builds through podman, and
there this behaviour doesn't appear to hold, probably because we are uid
0 there:

    $ podman exec -it monogon-dev bash
    bash-5.0# id
    uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:system_r:spc_t:s0
    bash-5.0# cd /tmp/
    bash-5.0# mkdir test
    bash-5.0# cd test/
    bash-5.0# chmod 644 .
    bash-5.0# touch foo

We also drive-by some unwrapped error returns to be a bit more helpful.

Test Plan: Tested on new CI, manually.

X-Origin-Diff: phab/D773
GitOrigin-RevId: 5a55a7878109717f0c17251a659dfc6ee04b94f4

diff --git a/metropolis/test/launch/launch.go b/metropolis/test/launch/launch.go
index 85e0a21..df36685 100644
--- a/metropolis/test/launch/launch.go
+++ b/metropolis/test/launch/launch.go

@@ -67,19 +67,19 @@
 func copyFile(src, dst string) error {
 	in, err := os.Open(src)
 	if err != nil {
-		return err
+		return fmt.Errorf("when opening source: %w", err)
 	}
 	defer in.Close()
 
 	out, err := os.Create(dst)
 	if err != nil {
-		return err
+		return fmt.Errorf("when creating destination: %w", err)
 	}
 	defer out.Close()
 
 	_, err = io.Copy(out, in)
 	if err != nil {
-		return err
+		return fmt.Errorf("when copying file: %w", err)
 	}
 	return out.Close()
 }
@@ -198,7 +198,7 @@
 	// Copy TPM state into a temporary directory since it's being modified by the emulator
 	tpmTargetDir := filepath.Join(tempDir, "tpm")
 	tpmSrcDir := "metropolis/node/tpm"
-	if err := os.Mkdir(tpmTargetDir, 0644); err != nil {
+	if err := os.Mkdir(tpmTargetDir, 0755); err != nil {
 		return fmt.Errorf("failed to create TPM state directory: %w", err)
 	}
 	tpmFiles, err := ioutil.ReadDir(tpmSrcDir)
@@ -207,8 +207,10 @@
 	}
 	for _, file := range tpmFiles {
 		name := file.Name()
-		if err := copyFile(filepath.Join(tpmSrcDir, name), filepath.Join(tpmTargetDir, name)); err != nil {
-			return fmt.Errorf("failed to copy TPM directory: %w", err)
+		src := filepath.Join(tpmSrcDir, name)
+		target := filepath.Join(tpmTargetDir, name)
+		if err := copyFile(src, target); err != nil {
+			return fmt.Errorf("failed to copy TPM directory: file %q to %q: %w", src, target, err)
 		}
 	}