9pfs: deprecate 'proxy' backend

As recent CVE-2023-2861 (fixed by f6b0de53fb) once again showed, the 9p
'proxy' fs driver is in bad shape. Using the 'proxy' backend was already
discouraged for safet

9pfs: deprecate 'proxy' backend

As recent CVE-2023-2861 (fixed by f6b0de53fb) once again showed, the 9p
'proxy' fs driver is in bad shape. Using the 'proxy' backend was already
discouraged for safety reasons before and we recommended to use the
'local' backend (preferably in conjunction with its 'mapped' security
model) instead, but now it is time to officially deprecate the 'proxy'
backend.

Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <E1qDkmw-0007M1-8f@lizzy.crudebyte.com>

show more ...

9pfs: deprecate 'proxy' backend

As recent CVE-2023-2861 (fixed by f6b0de53fb) once again showed, the 9p
'proxy' fs driver is in bad shape. Using the 'proxy' backend was already
discouraged for safet

9pfs: deprecate 'proxy' backend

As recent CVE-2023-2861 (fixed by f6b0de53fb) once again showed, the 9p
'proxy' fs driver is in bad shape. Using the 'proxy' backend was already
discouraged for safety reasons before and we recommended to use the
'local' backend (preferably in conjunction with its 'mapped' security
model) instead, but now it is time to officially deprecate the 'proxy'
backend.

Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <E1qDkmw-0007M1-8f@lizzy.crudebyte.com>

show more ...

9pfs: prevent opening special files (CVE-2023-2861)

The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
m

9pfs: prevent opening special files (CVE-2023-2861)

The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
make sense for 9p server to prohibit opening any special file on host side
in general. A sane Linux 9p client for instance would never attempt to
open a special file on host side, it would always handle those exclusively
on its guest side. A malicious client however could potentially escape
from the exported 9p tree by creating and opening a device file on host
side.

With QEMU this could only be exploited in the following unsafe setups:

- Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
security model.

or

- Using 9p 'proxy' fs driver (which is running its helper daemon as
root).

These setups were already discouraged for safety reasons before,
however for obvious reasons we are now tightening behaviour on this.

Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>

show more ...

fsdev/virtfs-proxy-helper: Use g_mkdir()

Use g_mkdir() to create a directory on all platforms.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyt

fsdev/virtfs-proxy-helper: Use g_mkdir()

Use g_mkdir() to create a directory on all platforms.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-Id: <20220927110632.1973965-27-bmeng.cn@gmail.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

show more ...

fsdev/virtfs-proxy-helper: Use g_mkdir()

Use g_mkdir() to create a directory on all platforms.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyt

fsdev/virtfs-proxy-helper: Use g_mkdir()

Use g_mkdir() to create a directory on all platforms.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Message-Id: <20220927110632.1973965-27-bmeng.cn@gmail.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

show more ...

Remove qemu-common.h include from most units

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-33-marcandre.lureau@redhat.com>
Signed-off-by: Paolo B

Remove qemu-common.h include from most units

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220323155743.1585078-33-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

Replace GCC_FMT_ATTR with G_GNUC_PRINTF

One less qemu-specific macro. It also helps to make some headers/units
only depend on glib, and thus moved in standalone projects eventually.

Signed-off-by:

Replace GCC_FMT_ATTR with G_GNUC_PRINTF

One less qemu-specific macro. It also helps to make some headers/units
only depend on glib, and thus moved in standalone projects eventually.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>

show more ...

qemu/: fix some comment spelling errors

I found that there are many spelling errors in the comments of qemu,
so I used the spellcheck tool to check the spelling errors
and finally found some spellin

qemu/: fix some comment spelling errors

I found that there are many spelling errors in the comments of qemu,
so I used the spellcheck tool to check the spelling errors
and finally found some spelling errors in the folder.

Signed-off-by: zhaolichang <zhaolichang@huawei.com>
Reviewed-by: Alex Bennee <alex.bennee@linaro.org>
Message-Id: <20200917075029.313-2-zhaolichang@huawei.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>

show more ...

virtfs-proxy-helper: Make the helper_opts[] array const

Reduce a bit the memory footprint by making the helper_opts[]
array const.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by

virtfs-proxy-helper: Make the helper_opts[] array const

Reduce a bit the memory footprint by making the helper_opts[]
array const.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Greg Kurz <groug@kaod.org>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20200305010446.17029-4-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>

show more ...

virtfs-proxy-helper.c: remove 'err_out' label in setugid()

'err_out' can be removed and be replaced by 'return -errno'
in its only instance in the function.

CC: Greg Kurz <groug@kaod.org>
Signed-of

virtfs-proxy-helper.c: remove 'err_out' label in setugid()

'err_out' can be removed and be replaced by 'return -errno'
in its only instance in the function.

CC: Greg Kurz <groug@kaod.org>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Acked-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

virtfs-proxy-helper: switch from libcap to libcap-ng

virtfs-proxy-helper is the only user of libcap; everyone else is using
the simpler libcap-ng API. Switch and remove the configure code to
detect

virtfs-proxy-helper: switch from libcap to libcap-ng

virtfs-proxy-helper is the only user of libcap; everyone else is using
the simpler libcap-ng API. Switch and remove the configure code to
detect libcap.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug: - drop remaining -lcap from Makefile
- fix error message in configure]
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

use g_path_get_basename instead of basename

basename(3) and dirname(3) modify their argument and may return
pointers to statically allocated memory which may be overwritten by
subsequent calls.
g_pa

use g_path_get_basename instead of basename

basename(3) and dirname(3) modify their argument and may return
pointers to statically allocated memory which may be overwritten by
subsequent calls.
g_path_get_basename and g_path_get_dirname have no such issues, and
therefore more preferable.

Signed-off-by: Julia Suvorova <jusual@mail.ru>
Message-Id: <1519888086-4207-1-git-send-email-jusual@mail.ru>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

show more ...

fsdev: fix memory leak in main()

@rpath and @sock_name are not freed and leaked.

[groug, not really leaked since the program exits just after that. But it
is always good practice to free allocated

fsdev: fix memory leak in main()

@rpath and @sock_name are not freed and leaked.

[groug, not really leaked since the program exits just after that. But it
is always good practice to free allocated memory]

Signed-off-by: Zhipeng Lu <lu.zhipeng@zte.com.cn>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

9pfs: assume utimensat() and futimens() are present

The utimensat() and futimens() syscalls have been around for ages (ie,
glibc 2.6 and linux 2.6.22), and the decision was already taken to
switch t

9pfs: assume utimensat() and futimens() are present

The utimensat() and futimens() syscalls have been around for ages (ie,
glibc 2.6 and linux 2.6.22), and the decision was already taken to
switch to utimensat() anyway when fixing CVE-2016-9602 in 2.9.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>

show more ...

fsdev: fix virtfs-proxy-helper cwd

Since chroot() doesn't change the current directory, it is indeed a good
practice to chdir() to the target directory and then then chroot(), or
to chroot() to the

fsdev: fix virtfs-proxy-helper cwd

Since chroot() doesn't change the current directory, it is indeed a good
practice to chdir() to the target directory and then then chroot(), or
to chroot() to the target directory and then chdir("/").

The current code does neither of them actually. Let's go for the latter.

This doesn't fix any security issue since all of this takes place before
the helper begins to process requests.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>

show more ...

9pfs: Clean up includes

Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Signed-off-

9pfs: Clean up includes

Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1453832250-766-18-git-send-email-peter.maydell@linaro.org

show more ...

fsdev: rename virtio-9p-marshal.{c,h} to 9p-iov-marshal.{c,h}

And rename v9fs_marshal to v9fs_iov_marshal, v9fs_unmarshal to
v9fs_iov_unmarshal.

The rationale behind this change is that, this marsh

fsdev: rename virtio-9p-marshal.{c,h} to 9p-iov-marshal.{c,h}

And rename v9fs_marshal to v9fs_iov_marshal, v9fs_unmarshal to
v9fs_iov_unmarshal.

The rationale behind this change is that, this marshalling interface is
used both by virtio and proxy helper. Renaming files and functions to
reflect the true nature of this interface.

Xen transport is going to have its own marshalling interface.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

show more ...

9pfs: rename virtio-9p-proxy.{c,h} to 9p-proxy.{c,h}

Those two files are not virtio specific. Rename them to use generic
names.

Fix includes in various C files. Change define guards and comments
in

9pfs: rename virtio-9p-proxy.{c,h} to 9p-proxy.{c,h}

Those two files are not virtio specific. Rename them to use generic
names.

Fix includes in various C files. Change define guards and comments
in header files.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

show more ...

fsdev-proxy-helper: avoid TOC/TOU race

There is a minor time of check/time of use race between statfs and chroot.
It can be fixed easily by stat-ing the root after it has been changed.

Signed-off-b

fsdev-proxy-helper: avoid TOC/TOU race

There is a minor time of check/time of use race between statfs and chroot.
It can be fixed easily by stat-ing the root after it has been changed.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>

show more ...

virtfs-proxy-helper: fail gracefully if socket path is too long

Replace the assertion check with graceful failure when the socket path
is too long. Programs should not crash on invalid input. Prin

virtfs-proxy-helper: fail gracefully if socket path is too long

Replace the assertion check with graceful failure when the socket path
is too long. Programs should not crash on invalid input. Print an
error message and exit properly.

Cc: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

show more ...

virtfs-proxy-helper: add missing long option terminator

The getopt_long(3) long options array must have a zeroed terminator.

This patch solves a segmentation fault when an unknown command-line
opti

virtfs-proxy-helper: add missing long option terminator

The getopt_long(3) long options array must have a zeroed terminator.

This patch solves a segmentation fault when an unknown command-line
option is encountered:

$ fsdev/virtfs-proxy-helper --help
Segmentation fault (core dumped)

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

show more ...

Fix typos in comments

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Viswesh <visweshn92@gmail.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

virtfs-proxy: Fix possible overflow

It's detected by coverity. The socket name specified
should fit in the sockadd_un.sun_path. If not abort.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>

virtfs-proxy: Fix possible overflow

It's detected by coverity. The socket name specified
should fit in the sockadd_un.sun_path. If not abort.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

show more ...

fsdev/virtfs-proxy-helper: Fix improper use of negative value

It's detected by coverity. Check the return value of proxy_marshal.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-b

fsdev/virtfs-proxy-helper: Fix improper use of negative value

It's detected by coverity. Check the return value of proxy_marshal.

Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com>
Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

show more ...

virtfs-proxy-helper: Fix possible socket leak.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>