lib: Depend on composefs-rs

And expose some fsverity helpers. This is just to get the
ball rolling on integration.

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

Cargo.lock

@@ -12,4 +12,4 @@ name = "ring"
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
-allow-git = []
+allow-git = ["https://github.com/containers/composefs-rs"]

deny.toml

@@ -23,6 +23,8 @@ ostree-ext = { path = "../ostree-ext", features = ["bootc"] }
 chrono = { workspace = true, features = ["serde"] }
 clap = { workspace = true, features = ["derive","cargo"] }
 clap_mangen = { workspace = true, optional = true }
+#composefs = "0.2.0"
+composefs = { git = "https://github.com/containers/composefs-rs", rev = "55ae2e9ba72f6afda4887d746e6b98f0a1875ac4" }
 cap-std-ext = { workspace = true, features = ["fs_utf8"] }
 hex = { workspace = true }
 fn-error-context = { workspace = true }

lib/Cargo.toml

@@ -13,6 +13,7 @@ use cap_std_ext::cap_std;
 use cap_std_ext::cap_std::fs::Dir;
 use clap::Parser;
 use clap::ValueEnum;
+use composefs::fsverity;
 use fn_error_context::context;
 use ostree::gio;
 use ostree_container::store::PrepareResult;
@@ -376,6 +377,21 @@ pub(crate) enum SchemaType {
     Progress,
 }
 
+/// Options for consistency checking
+#[derive(Debug, clap::Subcommand, PartialEq, Eq)]
+pub(crate) enum FsverityOpts {
+    /// Measure the fsverity digest of the target file.
+    Measure {
+        /// Path to file
+        path: Utf8PathBuf,
+    },
+    /// Enable fsverity on the target file.
+    Enable {
+        /// Ptah to file
+        path: Utf8PathBuf,
+    },
+}
+
 /// Hidden, internal only options
 #[derive(Debug, clap::Subcommand, PartialEq, Eq)]
 pub(crate) enum InternalsOpts {
@@ -392,6 +408,8 @@ pub(crate) enum InternalsOpts {
         #[clap(long)]
         of: SchemaType,
     },
+    #[clap(subcommand)]
+    Fsverity(FsverityOpts),
     /// Perform cleanup actions
     Cleanup,
     /// Proxy frontend for the `ostree-ext` CLI.
@@ -1113,6 +1131,24 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 )
                 .await
             }
+            // We don't depend on fsverity-utils today, so re-expose some helpful CLI tools.
+            InternalsOpts::Fsverity(args) => match args {
+                FsverityOpts::Measure { path } => {
+                    let fd =
+                        std::fs::File::open(&path).with_context(|| format!("Reading {path}"))?;
+                    let digest =
+                        fsverity::measure_verity_digest::<_, fsverity::Sha256HashValue>(&fd)?;
+                    let digest = hex::encode(digest);
+                    println!("{digest}");
+                    Ok(())
+                }
+                FsverityOpts::Enable { path } => {
+                    let fd =
+                        std::fs::File::open(&path).with_context(|| format!("Reading {path}"))?;
+                    fsverity::ioctl::fs_ioc_enable_verity::<_, fsverity::Sha256HashValue>(&fd)?;
+                    Ok(())
+                }
+            },
             InternalsOpts::FixupEtcFstab => crate::deploy::fixup_etc_fstab(&root),
             InternalsOpts::PrintJsonSchema { of } => {
                 let schema = match of {