a21ba54d | 29-Jul-2022 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Disable killpriv_v2 by default
We are having bunch of issues with killpriv_v2 enabled by default. First of all it relies on clearing suid/sgid bits as needed by dropping capability CAP_FS
virtiofsd: Disable killpriv_v2 by default
We are having bunch of issues with killpriv_v2 enabled by default. First of all it relies on clearing suid/sgid bits as needed by dropping capability CAP_FSETID. This does not work for remote filesystems like NFS (and possibly others).
Secondly, we are noticing other issues related to clearing of SGID which leads to failures for xfstests generic/355 and generic/193.
Thirdly, there are other issues w.r.t caching of metadata (suid/sgid) bits in fuse client with killpriv_v2 enabled. Guest can cache that data for sometime even if cleared on server.
Second and Third issue are fixable. Just that it might take a little while to get it fixed in kernel. First one will probably not see any movement for a long time.
Given these issues, killpriv_v2 does not seem to be a good candidate for enabling by default. We have already disabled it by default in rust version of virtiofsd.
Hence this patch disabled killpriv_v2 by default. User can choose to enable it by passing option "-o killpriv_v2".
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <YuPd0itNIAz4tQRt@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
45b04ef4 | 15-Feb-2022 |
Greg Kurz <groug@kaod.org> |
virtiofsd: Add basic support for FUSE_SYNCFS request
Honor the expected behavior of syncfs() to synchronously flush all data and metadata to disk on linux systems.
If virtiofsd is started with '-o
virtiofsd: Add basic support for FUSE_SYNCFS request
Honor the expected behavior of syncfs() to synchronously flush all data and metadata to disk on linux systems.
If virtiofsd is started with '-o announce_submounts', the client is expected to send a FUSE_SYNCFS request for each individual submount. In this case, we just create a new file descriptor on the submount inode with lo_inode_open(), call syncfs() on it and close it. The intermediary file is needed because O_PATH descriptors aren't backed by an actual file and syncfs() would fail with EBADF.
If virtiofsd is started without '-o announce_submounts' or if the client doesn't have the FUSE_CAP_SUBMOUNTS capability, the client only sends a single FUSE_SYNCFS request for the root inode. The server would thus need to track submounts internally and call syncfs() on each of them. This will be implemented later.
Note that syncfs() might suffer from a time penalty if the submounts are being hammered by some unrelated workload on the host. The only solution to prevent that is to avoid shared mounts.
Signed-off-by: Greg Kurz <groug@kaod.org> Message-Id: <20220215181529.164070-2-groug@kaod.org> Reviewed-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
963061dc | 08-Feb-2022 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Add an option to enable/disable security label
Provide an option "-o security_label/no_security_label" to enable/disable security label functionality. By default these are turned off.
If
virtiofsd: Add an option to enable/disable security label
Provide an option "-o security_label/no_security_label" to enable/disable security label functionality. By default these are turned off.
If enabled, server will indicate to client that it is capable of handling one security label during file creation. Typically this is expected to be a SELinux label. File server will set this label on the file. It will try to set it atomically wherever possible. But its not possible in all the cases.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <20220208204813.682906-11-vgoyal@redhat.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
a675c9a6 | 08-Feb-2022 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Create new file using O_TMPFILE and set security context
If guest and host policies can't work with each other, then guest security context (selinux label) needs to be set into an xattr.
virtiofsd: Create new file using O_TMPFILE and set security context
If guest and host policies can't work with each other, then guest security context (selinux label) needs to be set into an xattr. Say remap guest security.selinux xattr to trusted.virtiofs.security.selinux.
That means setting "fscreate" is not going to help as that's ony useful for security.selinux xattr on host.
So we need another method which is atomic. Use O_TMPFILE to create new file, set xattr and then linkat() to proper place.
But this works only for regular files. So dir, symlinks will continue to be non-atomic.
Also if host filesystem does not support O_TMPFILE, we fallback to non-atomic behavior.
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <20220208204813.682906-10-vgoyal@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
0c3f81e1 | 08-Feb-2022 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Create new file with security context
This patch adds support for creating new file with security context as sent by client. It basically takes three paths.
- If no security context enab
virtiofsd: Create new file with security context
This patch adds support for creating new file with security context as sent by client. It basically takes three paths.
- If no security context enabled, then it continues to create files without security context.
- If security context is enabled and but security.selinux has not been remapped, then it uses /proc/thread-self/attr/fscreate knob to set security context and then create the file. This will make sure that newly created file gets the security context as set in "fscreate" and this is atomic w.r.t file creation.
This is useful and host and guest SELinux policies don't conflict and can work with each other. In that case, guest security.selinux xattr is not remapped and it is passthrough as "security.selinux" xattr on host.
- If security context is enabled but security.selinux xattr has been remapped to something else, then it first creates the file and then uses setxattr() to set the remapped xattr with the security context. This is a non-atomic operation w.r.t file creation.
This mode will be most versatile and allow host and guest to have their own separate SELinux xattrs and have their own separate SELinux policies.
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <20220208204813.682906-9-vgoyal@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|
cb282e55 | 08-Feb-2022 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Add helpers to work with /proc/self/task/tid/attr/fscreate
Soon we will be able to create and also set security context on the file atomically using /proc/self/task/tid/attr/fscreate knob
virtiofsd: Add helpers to work with /proc/self/task/tid/attr/fscreate
Soon we will be able to create and also set security context on the file atomically using /proc/self/task/tid/attr/fscreate knob. If this knob is available on the system, first set the knob with the desired context and then create the file. It will be created with the context set in fscreate. This works basically for SELinux and its per thread.
This patch just introduces the helper functions. Subsequent patches will make use of these helpers.
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <20220208204813.682906-8-vgoyal@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> dgilbert: Manually merged gettid syscall number fixup from Vivek
show more ...
|
81489726 | 08-Feb-2022 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Move core file creation code in separate function
Move core file creation bits in a separate function. Soon this is going to get more complex as file creation need to set security context
virtiofsd: Move core file creation code in separate function
Move core file creation bits in a separate function. Soon this is going to get more complex as file creation need to set security context also. And there will be multiple modes of file creation in next patch.
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Message-Id: <20220208204813.682906-7-vgoyal@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
show more ...
|