Skip FS_IOC_GETFLAGS.

It's OK to just do an FS_IOC_MEASURE_VERITY on a file even if we don't
know it's in fs-verity; it returns an appropriate error code.

Bug: 190166662
Test: Create a spurious non-verity file, see it is detected.
Change-Id: I392289b11b674b760d9217258ca01b5305b0eee4

1 files changed, 6 insertions, 15 deletions

diff --git a/ondevice-signing/VerityUtils.cpp b/ondevice-signing/VerityUtils.cpp
index 36f85b50..543e5a49 100644
--- a/ondevice-signing/VerityUtils.cpp
+++ b/ondevice-signing/VerityUtils.cpp
@@ -210,29 +210,20 @@ Result<std::map<std::string, std::string>> addFilesToVerityRecursive(const std::
     return digests;
 }
 
-Result<std::string> readVerityDigest(int fd) {
+Result<std::string> isFileInVerity(int fd) {
     auto d = makeUniqueWithTrailingData<fsverity_digest>(FS_VERITY_MAX_DIGEST_SIZE);
     d->digest_size = FS_VERITY_MAX_DIGEST_SIZE;
     auto ret = ioctl(fd, FS_IOC_MEASURE_VERITY, d.get());
     if (ret < 0) {
-        return ErrnoError() << "Failed to FS_IOC_MEASURE_VERITY";
+        if (errno == ENODATA) {
+            return Error() << "File is not in fs-verity";
+        } else {
+            return ErrnoError() << "Failed to FS_IOC_MEASURE_VERITY";
+        }
     }
     return toHex({&d->digest[0], &d->digest[d->digest_size]});
 }
 
-Result<std::string> isFileInVerity(int fd) {
-    unsigned int flags;
-    int ret = ioctl(fd, FS_IOC_GETFLAGS, &flags);
-    if (ret < 0) {
-        return ErrnoError() << "Failed to FS_IOC_GETFLAGS";
-    }
-    if (!(flags & FS_VERITY_FL)) {
-        return Error() << "File is not in fs-verity";
-    }
-
-    return readVerityDigest(fd);
-}
-
 Result<std::string> isFileInVerity(const std::string& path) {
     unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));
     if (!fd.ok()) {