bfc50a6e | 15-Nov-2018 |
Miklos Szeredi <mszeredi@redhat.com> |
virtiofsd: passthrough_ll: use hashtable
Improve performance of inode lookup by using a hash table.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
230e777b | 15-Nov-2018 |
Miklos Szeredi <mszeredi@redhat.com> |
virtiofsd: passthrough_ll: clean up cache related options
- Rename "cache=never" to "cache=none" to match 9p's similar option.
- Rename CACHE_NORMAL constant to CACHE_AUTO to match the "cache=auto" option.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
3ca8a2b1 | 20-Nov-2019 |
Miklos Szeredi <mszeredi@redhat.com> |
virtiofsd: extract root inode init into setup_root()
Initialize the root inode in a single place.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> dgilbert: with fix suggested by Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
9de4fab5 | 20-Nov-2019 |
Miklos Szeredi <mszeredi@redhat.com> |
virtiofsd: fail when parent inode isn't known in lo_do_lookup()
The Linux file handle APIs (struct export_operations) can access inodes that are not attached to parents because path name traversal is not performed. Refuse if there is no parent in lo_do_lookup().
Also clean up lo_do_lookup() while we're here.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
95d27157 | 20-Nov-2019 |
Miklos Szeredi <mszeredi@redhat.com> |
virtiofsd: rename unref_inode() to unref_inode_lolocked()
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
59aef494 | 16-Aug-2018 |
Miklos Szeredi <mszeredi@redhat.com> |
virtiofsd: passthrough_ll: control readdirplus
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
ddcbabcb | 16-Aug-2018 |
Miklos Szeredi <mszeredi@redhat.com> |
virtiofsd: passthrough_ll: disable readdirplus on cache=never
...because the attributes sent in the READDIRPLUS reply would be discarded anyway.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
f0ab7d6f | 15-Aug-2018 |
Miklos Szeredi <mszeredi@redhat.com> |
virtiofsd: passthrough_ll: add renameat2 support
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> |
10477ac4 | 23-Nov-2018 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Kill threads when queues are stopped
Kill the threads we've started when the queues get stopped.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> With improvements by: Signed-off-by: Eryu Guan <eguan@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
e8556f49 | 22-Nov-2018 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Handle hard reboot
Handle a
  mount
  hard reboot (without unmount)
  mount
we get another 'init' which FUSE doesn't normally expect.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
c806d643 | 21-Nov-2018 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Handle reinit
Allow init->destroy->init for mount->umount->mount
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
50fb955a | 06-Nov-2019 |
Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> |
virtiofsd: Add timestamp to the log with FUSE_LOG_DEBUG level
virtiofsd has some threads, so we see a lot of logs with debug option. It would be useful for debugging if we can see the timestamp.
Add nano second timestamp, which got by get_clock(), to the log with FUSE_LOG_DEBUG level if the syslog option isn't set.
The log is like as:
# ./virtiofsd -d -o vhost_user_socket=/tmp/vhostqemu0 -o source=/tmp/share0 -o cache=auto
...
[5365943125463727] [ID: 00000002] fv_queue_thread: Start for queue 0 kick_fd 9
[5365943125568644] [ID: 00000002] fv_queue_thread: Waiting for Queue 0 event
[5365943125573561] [ID: 00000002] fv_queue_thread: Got queue event on Queue 0
Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
36f38469 | 06-Nov-2019 |
Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> |
virtiofsd: Add ID to the log with FUSE_LOG_DEBUG level
virtiofsd has some threads, so we see a lot of logs with debug option. It would be useful for debugging if we can identify the specific thread from the log.
Add ID, which is got by gettid(), to the log with FUSE_LOG_DEBUG level so that we can grep the specific thread.
The log is like as:
]# ./virtiofsd -d -o vhost_user_socket=/tmp/vhostqemu0 -o source=/tmp/share0 -o cache=auto
...
[ID: 00000097] unique: 12696, success, outsize: 120
[ID: 00000097] virtio_send_msg: elem 18: with 2 in desc of length 120
[ID: 00000003] fv_queue_thread: Got queue event on Queue 1
[ID: 00000003] fv_queue_thread: Queue 1 gave evalue: 1 available: in: 65552 out: 80
[ID: 00000003] fv_queue_thread: Waiting for Queue 1 event
[ID: 00000071] fv_queue_worker: elem 33: with 2 out desc of length 80 bad_in_num=0 bad_out_num=0
[ID: 00000071] unique: 12694, opcode: READ (15), nodeid: 2, insize: 80, pid: 2014
[ID: 00000071] lo_read(ino=2, size=65536, off=131072)
Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> added rework as suggested by Daniel P. Berrangé during review Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
d240314a | 09-Aug-2019 |
Eryu Guan <eguan@linux.alibaba.com> |
virtiofsd: print log only when priority is high enough
Introduce "-o log_level=" command line option to specify current log level (priority), valid values are "debug info warn err", e.g.
./virtiofsd -o log_level=debug ...
So only log priority higher than "debug" will be printed to stderr/syslog. And the default level is info.
The "-o debug"/"-d" options are kept, and imply debug log level.
Signed-off-by: Eryu Guan <eguan@linux.alibaba.com> dgilbert: Reworked for libfuse's log_func Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> with fix by: Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
f185621d | 26-Jun-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: add --syslog command-line option
Sometimes collecting output from stderr is inconvenient or does not fit within the overall logging architecture. Add syslog(3) support for cases where stderr cannot be used.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> dgilbert: Reworked as a logging function Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
3db2876a | 22-Nov-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: fix libfuse information leaks
Some FUSE message replies contain padding fields that are not initialized by libfuse. This is fine in traditional FUSE applications because the kernel is trusted. virtiofsd does not trust the guest and must not expose uninitialized memory.
Use C struct initializers to automatically zero out memory. Not all of these code changes are strictly necessary but they will prevent future information leaks if the structs are extended.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
01a6dc95 | 22-Mar-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: set maximum RLIMIT_NOFILE limit
virtiofsd can exceed the default open file descriptor limit easily on most systems. Take advantage of the fact that it runs as root to raise the limit.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
ee884652 | 13-Aug-2019 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Drop CAP_FSETID if client asked for it
If client requested killing setuid/setgid bits on file being written, drop CAP_FSETID capability so that setuid/setgid bits are cleared upon write automatically.
pjdfstest chown/12.t needs this.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> dgilbert: reworked for libcap-ng Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
2405f3c0 | 03-Dec-2019 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: cap-ng helpers
libcap-ng reads /proc during capng_get_caps_process, and virtiofsd's sandboxing doesn't have /proc mounted; thus we have to do the caps read before we sandbox it and save/restore the state.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
f779bc52 | 13-Aug-2019 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV
Caller can set FUSE_WRITE_KILL_PRIV in write_flags. Parse it and pass it to the filesystem.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Reviewed-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
4f8bde99 | 13-Mar-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: add seccomp whitelist
Only allow system calls that are needed by virtiofsd. All other system calls cause SIGSYS to be directed at the thread and the process will coredump.
Restricting system calls reduces the kernel attack surface and limits what the process can do when compromised.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> with additional entries by: Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com> Signed-off-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: piaojun <piaojun@huawei.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Eric Ren <renzhen@linux.alibaba.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
8e1d4ef2 | 16-Oct-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: move to a new pid namespace
virtiofsd needs access to /proc/self/fd. Let's move to a new pid namespace so that a compromised process cannot see other processes running on the system.
One wrinkle in this approach: unshare(CLONE_NEWPID) affects *child* processes and not the current process. Therefore we need to fork the pid 1 process that will actually run virtiofsd and leave a parent in waitpid(2). This is not the same thing as daemonization and parent processes should not notice a difference.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
d74830d1 | 16-Oct-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: move to an empty network namespace
If the process is compromised there should be no network access. Use an empty network namespace to sandbox networking.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
5baa3b8e | 12-Mar-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: sandbox mount namespace
Use a mount namespace with the shared directory tree mounted at "/" and no other mounts.
This prevents symlink escape attacks because symlink targets are resolved only against the shared directory and cannot go outside it.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Peng Tao <tao.peng@linux.alibaba.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
9f59d175 | 12-Mar-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: use /proc/self/fd/ O_PATH file descriptor
Sandboxing will remove /proc from the mount namespace so we can no longer build string paths into "/proc/self/fd/...".
Keep an O_PATH file descriptor so we can still re-open fds via /proc/self/fd.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|