752272da | 05-Mar-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: prevent ".." escape in lo_do_readdir()
Construct a fake dirent for the root directory's ".." entry. This hides the parent directory from the FUSE client.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
854684bc | 04-Mar-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: prevent ".." escape in lo_do_lookup()
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
70995754 | 28-Feb-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: check input buffer size in fuse_lowlevel.c ops
Each FUSE operation involves parsing the input buffer. Currently the code assumes the input buffer is large enough for the expected arguments. This patch uses fuse_mbuf_iter to check the size.
Most operations are simple to convert. Some are more complicated due to variable-length inputs or different sizes depending on the protocol version.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
0ba8c3c6 | 28-Feb-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: validate input buffer sizes in do_write_buf()
There is a small change in behavior: if fuse_write_in->size doesn't match the input buffer size then the request is failed. Previously write requests with 1 fuse_buf element would truncate to fuse_write_in->size.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Sergio Lopez <slp@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
dad157e8 | 28-Feb-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: add fuse_mbuf_iter API
Introduce an API for consuming bytes from a buffer with size checks. All FUSE operations will be converted to use this safe API instead of void *inarg.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
e17f7a58 | 04-Jan-2019 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Pass write iov's all the way through
Pass the write iov pointing to guest RAM all the way through rather than copying the data.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Xiao Yang <yangx.jy@cn.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
469f9d2f | 04-Jan-2019 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Plumb fuse_bufvec through to do_write_buf
Let fuse_session_process_buf_int take a fuse_bufvec * instead of a fuse_buf; and then through to do_write_buf - where in the best case it can pass that straight through to op.write_buf without copying (other than skipping a header).
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
25dae28c | 26-Feb-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: validate path components
Several FUSE requests contain single path components. A correct FUSE client sends well-formed path components but there is currently no input validation in case something went wrong or the client is malicious.
Refuse ".", "..", and paths containing '/' when we expect a path component.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
5fe319a7 | 14-Nov-2018 |
Miklos Szeredi <mszeredi@redhat.com> |
virtiofsd: passthrough_ll: add fallback for racy ops
We have two operations that cannot be done race-free on a symlink in certain cases: utimes and link.
Add racy fallback for these if the race-free method doesn't work. We do our best to avoid races even in this case:
- get absolute path by reading /proc/self/fd/NN symlink
- lookup parent directory: after this we are safe against renames in ancestors
- lookup name in parent directory, and verify that we got to the original inode, if not retry the whole thing
Both utimes(2) and link(2) hold i_lock on the inode across the operation, so a racing rename/delete by this fuse instance is not possible, only from other entities changing the filesystem.
If the "norace" option is given, then disable the racy fallbacks.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
73b4d19d | 31-Jan-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: passthrough_ll: add fd_map to hide file descriptors
Do not expose file descriptor numbers to clients. This prevents the abuse of internal file descriptors (like stdin/stdout).
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Fix from: Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com> dgilbert: Added lseek Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
b39bce12 | 31-Jan-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers
Do not expose lo_dirp pointers to clients.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
92fb57b8 | 31-Jan-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers
Do not expose lo_inode pointers to clients.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
25c13572 | 31-Jan-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: passthrough_ll: add lo_map for ino/fh indirection
A layer of indirection is needed because passthrough_ll cannot expose pointers or file descriptor numbers to untrusted clients. Malicious clients could send invalid pointers or file descriptors in order to crash or exploit the file system daemon.
lo_map provides an integer key->value mapping. This will be used for ino and fh fields in the patches that follow.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
929cfb7a | 15-Aug-2018 |
Vivek Goyal <vgoyal@redhat.com> |
virtiofsd: passthrough_ll: create new files in caller's context
We need to create files in the caller's context. Otherwise after creating a file, the caller might not be able to do file operations on that file.
Changed effective uid/gid to caller's uid/gid, create file and then switch back to uid/gid 0.
Use syscall(setresuid, ...) otherwise glibc does some magic to change EUID in all threads, which is not what we want.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
45018fbb | 27-Aug-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: add --print-capabilities option
Add the --print-capabilities option as per vhost-user.rst "Backend programs conventions". Currently there are no advertised features.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
315616ed | 27-Aug-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: add vhost-user.json file
Install a vhost-user.json file describing virtiofsd. This allows libvirt and other management tools to enumerate vhost-user backend programs.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
0bbd3175 | 27-Aug-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: make -f (foreground) the default
According to vhost-user.rst "Backend program conventions", backend programs should run in the foreground by default. Follow the conventions so libvirt and other management tools can control virtiofsd in a standard way.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
cee8e35d | 25-Jun-2019 |
Stefan Hajnoczi <stefanha@redhat.com> |
virtiofsd: add --fd=FDNUM fd passing option
Although --socket-path=PATH is useful for manual invocations, management tools typically create the UNIX domain socket themselves and pass it to the vhost-user device backend. This way QEMU can be launched immediately with a valid socket. No waiting for the vhost-user device backend is required when fd passing is used.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
eb49d187 | 15-Aug-2018 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Fast path for virtio read
Readv the data straight into the guest's buffer.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> With fix by: Signed-off-by: Eryu Guan <eguan@linux.alibaba.com> Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
81bfc42d | 07-Feb-2019 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Add Makefile wiring for virtiofsd contrib
Wire up the building of the virtiofsd in tools.
virtiofsd relies on Linux-specific system calls and seccomp. Anyone wishing to port it to other host operating systems should do so carefully and without reducing security.
Only allow building on Linux hosts.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Liam Merwick <liam.merwick@oracle.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
2f65e69a | 21-Jun-2018 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Keep track of replies
Keep track of whether we sent a reply to a request; this is a bit paranoid but it means: a) We should always recycle an element even if there was an error in the request b) Never try and send two replies on one queue element
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
df57ba91 | 18-Jun-2018 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Send replies to messages
Route fuse out messages back through the same queue elements that had the command that triggered the request.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
b509e122 | 14-Jun-2018 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Start reading commands from queue
Pop queue elements off queues, copy the data from them and pass that to fuse.
Note: 'out' in a VuVirtqElement is from QEMU 'in' in libfuse is into the daemon
So we read from the out iov's to get a fuse_in_header
When we get a kick we've got to read all the elements until the queue is empty.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
5dcd1f56 | 14-Jun-2018 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Poll kick_fd for queue
In the queue thread poll the kick_fd we're passed.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
e4c55a3c | 13-Jun-2018 |
Dr. David Alan Gilbert <dgilbert@redhat.com> |
virtiofsd: Start queue threads
Start a thread for each queue when we get notified it's been started.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> fix by: Signed-off-by: Jun Piao <piaojun@huawei.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|