summaryrefslogtreecommitdiffstats
path: root/tools
Commit message (Collapse)AuthorAgeFilesLines
...
* virtiofsd: Reset O_DIRECT flag during file openVivek Goyal2020-01-231-0/+14
| | | | | | | | | | | | | | | If an application wants to do direct IO and opens a file with O_DIRECT in guest, that does not necessarily mean that we need to bypass page cache on host as well. So reset this flag on host. If somebody needs to bypass page cache on host as well (and it is safe to do so), we can add a knob in daemon later to control this behavior. I check virtio-9p and they do reset O_DIRECT flag. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: convert more fprintf and perror to use fuse log infraEryu Guan2020-01-232-5/+11
| | | | | | | | Signed-off-by: Eryu Guan <eguan@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: do not always set FUSE_FLOCK_LOCKSPeng Tao2020-01-231-3/+8
| | | | | | | | | | Right now we always enable it regardless of given commandlines. Fix it by setting the flag relying on the lo->flock bit. Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: introduce inode refcount to prevent use-after-freeStefan Hajnoczi2020-01-231-23/+146
| | | | | | | | | | | | | | | | | | | | | | If thread A is using an inode it must not be deleted by thread B when processing a FUSE_FORGET request. The FUSE protocol itself already has a counter called nlookup that is used in FUSE_FORGET messages. We cannot trust this counter since the untrusted client can manipulate it via FUSE_FORGET messages. Introduce a new refcount to keep inodes alive for the required lifespan. lo_inode_put() must be called to release a reference. FUSE's nlookup counter holds exactly one reference so that the inode stays alive as long as the client still wants to remember it. Note that the lo_inode->is_symlink field is moved to avoid creating a hole in the struct due to struct field alignment. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: passthrough_ll: fix refcounting on remove/renameMiklos Szeredi2020-01-231-1/+49
| | | | | | Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: rename inode->refcount to inode->nlookupStefan Hajnoczi2020-01-231-12/+25
| | | | | | | | | | This reference counter plays a specific role in the FUSE protocol. It's not a generic object reference counter and the FUSE kernel code calls it "nlookup". Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: prevent races with lo_dirp_put()Stefan Hajnoczi2020-01-231-6/+35
| | | | | | | | | | | | Introduce lo_dirp_put() so that FUSE_RELEASEDIR does not cause use-after-free races with other threads that are accessing lo_dirp. Also make lo_releasedir() atomic to prevent FUSE_RELEASEDIR racing with itself. This prevents double-frees. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: make lo_release() atomicStefan Hajnoczi2020-01-231-4/+8
| | | | | | | | | | Hold the lock across both lo_map_get() and lo_map_remove() to prevent races between two FUSE_RELEASE requests. In this case I don't see a serious bug but it's safer to do things atomically. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: prevent fv_queue_thread() vs virtio_loop() racesStefan Hajnoczi2020-01-231-1/+33
| | | | | | | | | | | | | | | | | | | | | | We call into libvhost-user from the virtqueue handler thread and the vhost-user message processing thread without a lock. There is nothing protecting the virtqueue handler thread if the vhost-user message processing thread changes the virtqueue or memory table while it is running. This patch introduces a read-write lock. Virtqueue handler threads are readers. The vhost-user message processing thread is a writer. This will allow concurrency for multiqueue in the future while protecting against fv_queue_thread() vs virtio_loop() races. Note that the critical sections could be made smaller but it would be more invasive and require libvhost-user changes. Let's start simple and improve performance later, if necessary. Another option would be an RCU-style approach with lighter-weight primitives. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: use fuse_lowlevel_is_virtio() in fuse_session_destroy()Stefan Hajnoczi2020-01-231-3/+4
| | | | | | | | | vu_socket_path is NULL when --fd=FDNUM was used. Use fuse_lowlevel_is_virtio() instead. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Support remote posix locksVivek Goyal2020-01-232-0/+192
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Doing posix locks with-in guest kernel are not sufficient if a file/dir is being shared by multiple guests. So we need the notion of daemon doing the locks which are visible to rest of the guests. Given posix locks are per process, one can not call posix lock API on host, otherwise bunch of basic posix locks properties are broken. For example, If two processes (A and B) in guest open the file and take locks on different sections of file, if one of the processes closes the fd, it will close fd on virtiofsd and all posix locks on file will go away. This means if process A closes the fd, then locks of process B will go away too. Similar other problems exist too. This patch set tries to emulate posix locks while using open file description locks provided on Linux. Daemon provides two options (-o posix_lock, -o no_posix_lock) to enable or disable posix locking in daemon. By default it is enabled. There are few issues though. - GETLK() returns pid of process holding lock. As we are emulating locks using OFD, and these locks are not per process and don't return pid of process, so GETLK() in guest does not reuturn process pid. - As of now only F_SETLK is supported and not F_SETLKW. We can't block the thread in virtiofsd for arbitrary long duration as there is only one thread serving the queue. That means unlock request will not make it to daemon and F_SETLKW will block infinitely and bring virtio-fs to a halt. This is a solvable problem though and will require significant changes in virtiofsd and kernel. Left as a TODO item for now. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* Virtiofsd: fix memory leak on fuse queueinfoLiu Bo2020-01-231-0/+8
| | | | | | | | | | | | For fuse's queueinfo, both queueinfo array and queueinfos are allocated in fv_queue_set_started() but not cleaned up when the daemon process quits. This fixes the leak in proper places. Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> Signed-off-by: Eric Ren <renzhen@linux.alibaba.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: fix incorrect error handling in lo_do_lookupEric Ren2020-01-231-1/+0Star
| | | | | | Signed-off-by: Eric Ren <renzhen@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: enable PARALLEL_DIROPS during INITLiu Bo2020-01-231-0/+3
| | | | | | | | lookup is a RO operations, PARALLEL_DIROPS can be enabled. Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Prevent multiply running with same vhost_user_socketMasayoshi Mizuma2020-01-232-1/+49
| | | | | | | | | | | | | | | | | | | | | | | | | | virtiofsd can run multiply even if the vhost_user_socket is same path. ]# ./virtiofsd -o vhost_user_socket=/tmp/vhostqemu -o source=/tmp/share & [1] 244965 virtio_session_mount: Waiting for vhost-user socket connection... ]# ./virtiofsd -o vhost_user_socket=/tmp/vhostqemu -o source=/tmp/share & [2] 244966 virtio_session_mount: Waiting for vhost-user socket connection... ]# The user will get confused about the situation and maybe the cause of the unexpected problem. So it's better to prevent the multiple running. Create a regular file under localstatedir directory to exclude the vhost_user_socket. To create and lock the file, use qemu_write_pidfile() because the API has some sanity checks and file lock. Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Applied fixes from Stefan's review and moved osdep include Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: add helper for lo_data cleanupLiu Bo2020-01-231-16/+21
| | | | | | | | This offers an helper function for lo_data's cleanup. Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: fix memory leak on lo.sourceLiu Bo2020-01-231-3/+4
| | | | | | | | | valgrind reported that lo.source is leaked on quiting, but it was defined as (const char*) as it may point to a const string "/". Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: cleanup allocated resource in seLiu Bo2020-01-233-1/+15
| | | | | | | | | This cleans up unfreed resources in se on quiting, including se->virtio_dev, se->vu_socket_path, se->vu_socketfd. Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: fix error handling in main()Liu Bo2020-01-231-2/+3
| | | | | | | | | Neither fuse_parse_cmdline() nor fuse_opt_parse() goes to the right place to do cleanup. Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: support nanosecond resolution for file timestampJiufei Xue2020-01-231-0/+1
| | | | | | | | | | Define HAVE_STRUCT_STAT_ST_ATIM to 1 if `st_atim' is member of `struct stat' which means support nanosecond resolution for the file timestamp fields. Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Clean up inodes on destroyDr. David Alan Gilbert2020-01-231-0/+26
| | | | | | | | | Clear out our inodes and fd's on a 'destroy' - so we get rid of them if we reboot the guest. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: passthrough_ll: use hashtableMiklos Szeredi2020-01-231-36/+45
| | | | | | | | | | Improve performance of inode lookup by using a hash table. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: passthrough_ll: clean up cache related optionsMiklos Szeredi2020-01-232-11/+14
| | | | | | | | | | | | - Rename "cache=never" to "cache=none" to match 9p's similar option. - Rename CACHE_NORMAL constant to CACHE_AUTO to match the "cache=auto" option. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: extract root inode init into setup_root()Miklos Szeredi2020-01-231-10/+25
| | | | | | | | | | | Inititialize the root inode in a single place. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> dgilbert: with fix suggested by Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: fail when parent inode isn't known in lo_do_lookup()Miklos Szeredi2020-01-231-2/+12
| | | | | | | | | | | | | The Linux file handle APIs (struct export_operations) can access inodes that are not attached to parents because path name traversal is not performed. Refuse if there is no parent in lo_do_lookup(). Also clean up lo_do_lookup() while we're here. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: rename unref_inode() to unref_inode_lolocked()Miklos Szeredi2020-01-231-7/+8
| | | | | | | Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: passthrough_ll: control readdirplusMiklos Szeredi2020-01-232-1/+10
| | | | | | Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: passthrough_ll: disable readdirplus on cache=neverMiklos Szeredi2020-01-231-0/+4
| | | | | | | | | ...because the attributes sent in the READDIRPLUS reply would be discarded anyway. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: passthrough_ll: add renameat2 supportMiklos Szeredi2020-01-231-0/+10
| | | | | Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Kill threads when queues are stoppedDr. David Alan Gilbert2020-01-231-7/+44
| | | | | | | | | | Kill the threads we've started when the queues get stopped. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> With improvements by: Signed-off-by: Eryu Guan <eguan@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Handle hard rebootDr. David Alan Gilbert2020-01-231-1/+15
| | | | | | | | | | | | | Handle a mount hard reboot (without unmount) mount we get another 'init' which FUSE doesn't normally expect. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Handle reinitDr. David Alan Gilbert2020-01-231-0/+2
| | | | | | | | Allow init->destroy->init for mount->umount->mount Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Add timestamp to the log with FUSE_LOG_DEBUG levelMasayoshi Mizuma2020-01-231-1/+8
| | | | | | | | | | | | | | | | | | | | virtiofsd has some threads, so we see a lot of logs with debug option. It would be useful for debugging if we can see the timestamp. Add nano second timestamp, which got by get_clock(), to the log with FUSE_LOG_DEBUG level if the syslog option isn't set. The log is like as: # ./virtiofsd -d -o vhost_user_socket=/tmp/vhostqemu0 -o source=/tmp/share0 -o cache=auto ... [5365943125463727] [ID: 00000002] fv_queue_thread: Start for queue 0 kick_fd 9 [5365943125568644] [ID: 00000002] fv_queue_thread: Waiting for Queue 0 event [5365943125573561] [ID: 00000002] fv_queue_thread: Got queue event on Queue 0 Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Add ID to the log with FUSE_LOG_DEBUG levelMasayoshi Mizuma2020-01-231-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | virtiofsd has some threads, so we see a lot of logs with debug option. It would be useful for debugging if we can identify the specific thread from the log. Add ID, which is got by gettid(), to the log with FUSE_LOG_DEBUG level so that we can grep the specific thread. The log is like as: ]# ./virtiofsd -d -o vhost_user_socket=/tmp/vhostqemu0 -o source=/tmp/share0 -o cache=auto ... [ID: 00000097] unique: 12696, success, outsize: 120 [ID: 00000097] virtio_send_msg: elem 18: with 2 in desc of length 120 [ID: 00000003] fv_queue_thread: Got queue event on Queue 1 [ID: 00000003] fv_queue_thread: Queue 1 gave evalue: 1 available: in: 65552 out: 80 [ID: 00000003] fv_queue_thread: Waiting for Queue 1 event [ID: 00000071] fv_queue_worker: elem 33: with 2 out desc of length 80 bad_in_num=0 bad_out_num=0 [ID: 00000071] unique: 12694, opcode: READ (15), nodeid: 2, insize: 80, pid: 2014 [ID: 00000071] lo_read(ino=2, size=65536, off=131072) Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> added rework as suggested by Daniel P. Berrangé during review Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: print log only when priority is high enoughEryu Guan2020-01-234-115/+87Star
| | | | | | | | | | | | | | | | | | | | Introduce "-o log_level=" command line option to specify current log level (priority), valid values are "debug info warn err", e.g. ./virtiofsd -o log_level=debug ... So only log priority higher than "debug" will be printed to stderr/syslog. And the default level is info. The "-o debug"/"-d" options are kept, and imply debug log level. Signed-off-by: Eryu Guan <eguan@linux.alibaba.com> dgilbert: Reworked for libfuse's log_func Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> with fix by: Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: add --syslog command-line optionStefan Hajnoczi2020-01-235-13/+76
| | | | | | | | | | | | Sometimes collecting output from stderr is inconvenient or does not fit within the overall logging architecture. Add syslog(3) support for cases where stderr cannot be used. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> dgilbert: Reworked as a logging function Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: fix libfuse information leaksStefan Hajnoczi2020-01-231-74/+76
| | | | | | | | | | | | | | | | Some FUSE message replies contain padding fields that are not initialized by libfuse. This is fine in traditional FUSE applications because the kernel is trusted. virtiofsd does not trust the guest and must not expose uninitialized memory. Use C struct initializers to automatically zero out memory. Not all of these code changes are strictly necessary but they will prevent future information leaks if the structs are extended. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: set maximum RLIMIT_NOFILE limitStefan Hajnoczi2020-01-231-0/+32
| | | | | | | | | | | virtiofsd can exceed the default open file descriptor limit easily on most systems. Take advantage of the fact that it runs as root to raise the limit. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Drop CAP_FSETID if client asked for itVivek Goyal2020-01-231-0/+105
| | | | | | | | | | | | | | If client requested killing setuid/setgid bits on file being written, drop CAP_FSETID capability so that setuid/setgid bits are cleared upon write automatically. pjdfstest chown/12.t needs this. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> dgilbert: reworked for libcap-ng Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: cap-ng helpersDr. David Alan Gilbert2020-01-231-0/+72
| | | | | | | | | | libcap-ng reads /proc during capng_get_caps_process, and virtiofsd's sandboxing doesn't have /proc mounted; thus we have to do the caps read before we sandbox it and save/restore the state. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: Parse flag FUSE_WRITE_KILL_PRIVVivek Goyal2020-01-232-2/+8
| | | | | | | | | | Caller can set FUSE_WRITE_KILL_PRIV in write_flags. Parse it and pass it to the filesystem. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: add seccomp whitelistStefan Hajnoczi2020-01-234-1/+171
| | | | | | | | | | | | | | | | | | | Only allow system calls that are needed by virtiofsd. All other system calls cause SIGSYS to be directed at the thread and the process will coredump. Restricting system calls reduces the kernel attack surface and limits what the process can do when compromised. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> with additional entries by: Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com> Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: piaojun <piaojun@huawei.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Eric Ren <renzhen@linux.alibaba.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: move to a new pid namespaceStefan Hajnoczi2020-01-231-48/+86
| | | | | | | | | | | | | | | | virtiofsd needs access to /proc/self/fd. Let's move to a new pid namespace so that a compromised process cannot see another other processes running on the system. One wrinkle in this approach: unshare(CLONE_NEWPID) affects *child* processes and not the current process. Therefore we need to fork the pid 1 process that will actually run virtiofsd and leave a parent in waitpid(2). This is not the same thing as daemonization and parent processes should not notice a difference. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: move to an empty network namespaceStefan Hajnoczi2020-01-231-0/+14
| | | | | | | | | If the process is compromised there should be no network access. Use an empty network namespace to sandbox networking. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: sandbox mount namespaceStefan Hajnoczi2020-01-231-0/+89
| | | | | | | | | | | | | Use a mount namespace with the shared directory tree mounted at "/" and no other mounts. This prevents symlink escape attacks because symlink targets are resolved only against the shared directory and cannot go outside it. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: use /proc/self/fd/ O_PATH file descriptorStefan Hajnoczi2020-01-231-27/+103
| | | | | | | | | | | | Sandboxing will remove /proc from the mount namespace so we can no longer build string paths into "/proc/self/fd/...". Keep an O_PATH file descriptor so we can still re-open fds via /proc/self/fd. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: prevent ".." escape in lo_do_readdir()Stefan Hajnoczi2020-01-231-14/+22
| | | | | | | | | Construct a fake dirent for the root directory's ".." entry. This hides the parent directory from the FUSE client. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: prevent ".." escape in lo_do_lookup()Stefan Hajnoczi2020-01-231-1/+6
| | | | | | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: check input buffer size in fuse_lowlevel.c opsStefan Hajnoczi2020-01-231-125/+456
| | | | | | | | | | | | | | Each FUSE operation involves parsing the input buffer. Currently the code assumes the input buffer is large enough for the expected arguments. This patch uses fuse_mbuf_iter to check the size. Most operations are simple to convert. Some are more complicated due to variable-length inputs or different sizes depending on the protocol version. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
* virtiofsd: validate input buffer sizes in do_write_buf()Stefan Hajnoczi2020-01-231-19/+30
| | | | | | | | | | | There is a small change in behavior: if fuse_write_in->size doesn't match the input buffer size then the request is failed. Previously write requests with 1 fuse_buf element would truncate to fuse_write_in->size. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>