From 451c5f46a3577ad163fb603df3ff1e4e9c894bef Mon Sep 17 00:00:00 2001
From: Mahati Chamarthy
Date: Tue, 2 Dec 2025 09:26:14 +0000
Subject: [PATCH] CWCOW: Handle container remove request

Signed-off-by: Mahati Chamarthy
---
 internal/gcs-sidecar/handlers.go | 53 +++++++++++++++++---------------
 internal/uvm/cimfs.go | 1 +
 internal/uvm/combine_layers.go | 31 ++++++++++++++-----
 3 files changed, 54 insertions(+), 31 deletions(-)

diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go
index 0ea47b79e3..8a44a6c2ae 100644
--- a/internal/gcs-sidecar/handlers.go
+++ b/internal/gcs-sidecar/handlers.go
@@ -653,33 +653,38 @@ func (b *Bridge) modifySettings(req *request) (err error) { return nil case guestresource.ResourceTypeCWCOWCombinedLayers: - - if modifyGuestSettingsRequest.RequestType == guestrequest.RequestTypeRemove { - return fmt.Errorf("not implemented") - } - settings := modifyGuestSettingsRequest.Settings.(*guestresource.CWCOWCombinedLayers) - containerID := settings.ContainerID - log.G(ctx).Tracef("CWCOWCombinedLayers:: ContainerID: %v, ContainerRootPath: %v, Layers: %v, ScratchPath: %v", - containerID, settings.CombinedLayers.ContainerRootPath, settings.CombinedLayers.Layers, settings.CombinedLayers.ScratchPath) + switch modifyGuestSettingsRequest.RequestType { + case guestrequest.RequestTypeAdd: + containerID := settings.ContainerID + log.G(ctx).Tracef("CWCOWCombinedLayers:: ContainerID: %v, ContainerRootPath: %v, Layers: %v, ScratchPath: %v", + containerID, settings.CombinedLayers.ContainerRootPath, settings.CombinedLayers.Layers, settings.CombinedLayers.ScratchPath) + + //Since unencrypted scratch is not an option, always pass true + if err := b.hostState.securityPolicyEnforcer.EnforceScratchMountPolicy(ctx, settings.CombinedLayers.ContainerRootPath, true); err != nil { + return fmt.Errorf("scratch mounting denied by policy: %w", err) + } + // The following two folders are expected to be present in the scratch. + // But since we have just formatted the scratch we would need to + // create them manually. 
+ sandboxStateDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, sandboxStateDirName) + err = os.Mkdir(sandboxStateDirectory, 0777) + if err != nil { + return fmt.Errorf("failed to create sandboxStateDirectory: %w", err) + } - //Since unencrypted scratch is not an option, always pass true - if err := b.hostState.securityPolicyEnforcer.EnforceScratchMountPolicy(ctx, settings.CombinedLayers.ContainerRootPath, true); err != nil { - return fmt.Errorf("scratch mounting denied by policy: %w", err) - } - // The following two folders are expected to be present in the scratch. - // But since we have just formatted the scratch we would need to - // create them manually. - sandboxStateDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, sandboxStateDirName) - err = os.Mkdir(sandboxStateDirectory, 0777) - if err != nil { - return fmt.Errorf("failed to create sandboxStateDirectory: %w", err) - } + hivesDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, hivesDirName) + err = os.Mkdir(hivesDirectory, 0777) + if err != nil { + return fmt.Errorf("failed to create hivesDirectory: %w", err) + } + + case guestrequest.RequestTypeRemove: + log.G(ctx).Tracef("CWCOWCombinedLayers: Remove") + if err := b.hostState.securityPolicyEnforcer.EnforceScratchUnmountPolicy(ctx, settings.CombinedLayers.ContainerRootPath); err != nil { + return fmt.Errorf("scratch unmounting denied by policy: %w", err) + } - hivesDirectory := filepath.Join(settings.CombinedLayers.ContainerRootPath, hivesDirName) - err = os.Mkdir(hivesDirectory, 0777) - if err != nil { - return fmt.Errorf("failed to create hivesDirectory: %w", err) } // Reconstruct WCOWCombinedLayers{} req before forwarding to GCS diff --git a/internal/uvm/cimfs.go b/internal/uvm/cimfs.go index c1e8704883..becc19d808 100644 --- a/internal/uvm/cimfs.go +++ b/internal/uvm/cimfs.go 
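Review bot: The new `switch modifyGuestSettingsRequest.RequestType` has no `default` arm, so a request type other than Add or Remove now skips both `EnforceScratchMountPolicy` and `EnforceScratchUnmountPolicy` and appears to continue into the "Reconstruct WCOWCombinedLayers{} req before forwarding to GCS" path that follows the switch, whereas the removed code ran the mount-policy check for every non-Remove request. Since this handler is the sidecar's policy enforcement point for the confidential guest, an unrecognized request type should fail closed rather than be forwarded unchecked: `default:` / `return fmt.Errorf("unsupported request type %v for CWCOWCombinedLayers", modifyGuestSettingsRequest.RequestType)`. The Remove arm's trace line could also record what is being unmounted, `log.G(ctx).Tracef("CWCOWCombinedLayers:: Remove ContainerRootPath: %v", settings.CombinedLayers.ContainerRootPath)`, so the audit trail is symmetric with the Add arm. modifySettings begins before this hunk and continues past it.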
@@ -35,6 +35,7 @@ func (umb *UVMMountedBlockCIMs) MountedVolumePath() string { } func (umb *UVMMountedBlockCIMs) Release(ctx context.Context) error { + log.G(ctx).Tracef("UVMWCOWBlockCIMs : Release") umb.host.blockCIMMountLock.Lock() defer umb.host.blockCIMMountLock.Unlock() diff --git a/internal/uvm/combine_layers.go b/internal/uvm/combine_layers.go index b577f706f3..8c68c21fe9 100644 --- a/internal/uvm/combine_layers.go +++ b/internal/uvm/combine_layers.go @@ -85,15 +85,32 @@ func (uvm *UtilityVM) CombineLayersLCOW(ctx context.Context, containerID string, // // NOTE: `rootfsPath` is the path from within the UVM. func (uvm *UtilityVM) RemoveCombinedLayersWCOW(ctx context.Context, rootfsPath string) error { - msr := &hcsschema.ModifySettingRequest{ - GuestRequest: guestrequest.ModificationRequest{ - ResourceType: guestresource.ResourceTypeCombinedLayers, - RequestType: guestrequest.RequestTypeRemove, - Settings: guestresource.WCOWCombinedLayers{ - ContainerRootPath: rootfsPath, + var msr *hcsschema.ModifySettingRequest + + if uvm.HasConfidentialPolicy() { + msr = &hcsschema.ModifySettingRequest{ + GuestRequest: guestrequest.ModificationRequest{ + ResourceType: guestresource.ResourceTypeCWCOWCombinedLayers, + RequestType: guestrequest.RequestTypeRemove, + Settings: guestresource.CWCOWCombinedLayers{ + CombinedLayers: guestresource.WCOWCombinedLayers{ + ContainerRootPath: rootfsPath, + }, + }, }, - }, + } + } else { + msr = &hcsschema.ModifySettingRequest{ + GuestRequest: guestrequest.ModificationRequest{ + ResourceType: guestresource.ResourceTypeCombinedLayers, + RequestType: guestrequest.RequestTypeRemove, + Settings: guestresource.WCOWCombinedLayers{ + ContainerRootPath: rootfsPath, + }, + }, + } } + return uvm.modify(ctx, msr) }
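Review bot: In RemoveCombinedLayersWCOW the two branches of `if uvm.HasConfidentialPolicy()` build nearly identical `hcsschema.ModifySettingRequest` literals that differ only in `ResourceType` and the `Settings` payload, which doubles the code a reader has to compare and is easy to let drift (for example if `RequestType` were ever changed in one branch only). Selecting the two varying values first and building the request once keeps the function to a single literal, and a short comment should state why the confidential path uses the CWCOW resource type, which the handlers.go hunk shows is so the sidecar can run its scratch unmount policy before forwarding to GCS. The function's doc comment (`NOTE: rootfsPath is the path from within the UVM.`) sits partly outside the hunk and could gain one sentence on that behaviour as well.

```go
func (uvm *UtilityVM) RemoveCombinedLayersWCOW(ctx context.Context, rootfsPath string) error {
	// A confidential UVM routes the remove through the CWCOW resource type so
	// the gcs-sidecar can apply its scratch unmount policy before forwarding.
	resourceType := guestresource.ResourceTypeCombinedLayers
	var settings any = guestresource.WCOWCombinedLayers{ContainerRootPath: rootfsPath}
	if uvm.HasConfidentialPolicy() {
		resourceType = guestresource.ResourceTypeCWCOWCombinedLayers
		settings = guestresource.CWCOWCombinedLayers{
			CombinedLayers: guestresource.WCOWCombinedLayers{ContainerRootPath: rootfsPath},
		}
	}
	msr := &hcsschema.ModifySettingRequest{
		GuestRequest: guestrequest.ModificationRequest{
			ResourceType: resourceType,
			RequestType:  guestrequest.RequestTypeRemove,
			Settings:     settings,
		},
	}
	return uvm.modify(ctx, msr)
}
```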