virtiofsd: prevent ".." escape in lo_do_readdir()

Construct a fake dirent for the root directory's ".." entry. This hides
the parent directory from the FUSE client.

Signed-off-by: Stefan Hajnoczi

virtiofsd: prevent ".." escape in lo_do_readdir()

Construct a fake dirent for the root directory's ".." entry. This hides
the parent directory from the FUSE client.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: prevent ".." escape in lo_do_lookup()

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redha

virtiofsd: prevent ".." escape in lo_do_lookup()

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: check input buffer size in fuse_lowlevel.c ops

Each FUSE operation involves parsing the input buffer. Currently the
code assumes the input buffer is large enough for the expected
argumen

virtiofsd: check input buffer size in fuse_lowlevel.c ops

Each FUSE operation involves parsing the input buffer. Currently the
code assumes the input buffer is large enough for the expected
arguments. This patch uses fuse_mbuf_iter to check the size.

Most operations are simple to convert. Some are more complicated due to
variable-length inputs or different sizes depending on the protocol
version.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: validate input buffer sizes in do_write_buf()

There is a small change in behavior: if fuse_write_in->size doesn't
match the input buffer size then the request is failed. Previously
write

virtiofsd: validate input buffer sizes in do_write_buf()

There is a small change in behavior: if fuse_write_in->size doesn't
match the input buffer size then the request is failed. Previously
write requests with 1 fuse_buf element would truncate to
fuse_write_in->size.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Sergio Lopez <slp@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: add fuse_mbuf_iter API

Introduce an API for consuming bytes from a buffer with size checks.
All FUSE operations will be converted to use this safe API instead of
void *inarg.

Signed-off-

virtiofsd: add fuse_mbuf_iter API

Introduce an API for consuming bytes from a buffer with size checks.
All FUSE operations will be converted to use this safe API instead of
void *inarg.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: Pass write iov's all the way through

Pass the write iov pointing to guest RAM all the way through rather
than copying the data.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com

virtiofsd: Pass write iov's all the way through

Pass the write iov pointing to guest RAM all the way through rather
than copying the data.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: Plumb fuse_bufvec through to do_write_buf

Let fuse_session_process_buf_int take a fuse_bufvec * instead of a
fuse_buf; and then through to do_write_buf - where in the best
case it can pa

virtiofsd: Plumb fuse_bufvec through to do_write_buf

Let fuse_session_process_buf_int take a fuse_bufvec * instead of a
fuse_buf; and then through to do_write_buf - where in the best
case it can pass that straight through to op.write_buf without copying
(other than skipping a header).

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: validate path components

Several FUSE requests contain single path components. A correct FUSE
client sends well-formed path components but there is currently no input
validation in case

virtiofsd: validate path components

Several FUSE requests contain single path components. A correct FUSE
client sends well-formed path components but there is currently no input
validation in case something went wrong or the client is malicious.

Refuse ".", "..", and paths containing '/' when we expect a path
component.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: passthrough_ll: add fallback for racy ops

We have two operations that cannot be done race-free on a symlink in
certain cases: utimes and link.

Add racy fallback for these if the race-fre

virtiofsd: passthrough_ll: add fallback for racy ops

We have two operations that cannot be done race-free on a symlink in
certain cases: utimes and link.

Add racy fallback for these if the race-free method doesn't work. We do
our best to avoid races even in this case:

- get absolute path by reading /proc/self/fd/NN symlink

- lookup parent directory: after this we are safe against renames in
ancestors

- lookup name in parent directory, and verify that we got to the original
inode, if not retry the whole thing

Both utimes(2) and link(2) hold i_lock on the inode across the operation,
so a racing rename/delete by this fuse instance is not possible, only from
other entities changing the filesystem.

If the "norace" option is given, then disable the racy fallbacks.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: passthrough_ll: add fd_map to hide file descriptors

Do not expose file descriptor numbers to clients. This prevents the
abuse of internal file descriptors (like stdin/stdout).

Signed-of

virtiofsd: passthrough_ll: add fd_map to hide file descriptors

Do not expose file descriptor numbers to clients. This prevents the
abuse of internal file descriptors (like stdin/stdout).

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Fix from:
Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
dgilbert:
Added lseek
Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers

Do not expose lo_dirp pointers to clients.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé

virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers

Do not expose lo_dirp pointers to clients.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers

Do not expose lo_inode pointers to clients.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Masayoshi Mizuma <m.mi

virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers

Do not expose lo_inode pointers to clients.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: passthrough_ll: add lo_map for ino/fh indirection

A layer of indirection is needed because passthrough_ll cannot expose
pointers or file descriptor numbers to untrusted clients. Maliciou

virtiofsd: passthrough_ll: add lo_map for ino/fh indirection

A layer of indirection is needed because passthrough_ll cannot expose
pointers or file descriptor numbers to untrusted clients. Malicious
clients could send invalid pointers or file descriptors in order to
crash or exploit the file system daemon.

lo_map provides an integer key->value mapping. This will be used for
ino and fh fields in the patches that follow.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: passthrough_ll: create new files in caller's context

We need to create files in the caller's context. Otherwise after
creating a file, the caller might not be able to do file operations o

virtiofsd: passthrough_ll: create new files in caller's context

We need to create files in the caller's context. Otherwise after
creating a file, the caller might not be able to do file operations on
that file.

Changed effective uid/gid to caller's uid/gid, create file and then
switch back to uid/gid 0.

Use syscall(setresuid, ...) otherwise glibc does some magic to change EUID
in all threads, which is not what we want.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: add --print-capabilities option

Add the --print-capabilities option as per vhost-user.rst "Backend
programs conventions". Currently there are no advertised features.

Signed-off-by: Stef

virtiofsd: add --print-capabilities option

Add the --print-capabilities option as per vhost-user.rst "Backend
programs conventions". Currently there are no advertised features.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: add vhost-user.json file

Install a vhost-user.json file describing virtiofsd. This allows
libvirt and other management tools to enumerate vhost-user backend
programs.

Signed-off-by: Ste

virtiofsd: add vhost-user.json file

Install a vhost-user.json file describing virtiofsd. This allows
libvirt and other management tools to enumerate vhost-user backend
programs.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: make -f (foreground) the default

According to vhost-user.rst "Backend program conventions", backend
programs should run in the foregound by default. Follow the
conventions so libvirt and

virtiofsd: make -f (foreground) the default

According to vhost-user.rst "Backend program conventions", backend
programs should run in the foregound by default. Follow the
conventions so libvirt and other management tools can control virtiofsd
in a standard way.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: add --fd=FDNUM fd passing option

Although --socket-path=PATH is useful for manual invocations, management
tools typically create the UNIX domain socket themselves and pass it to
the vhost

virtiofsd: add --fd=FDNUM fd passing option

Although --socket-path=PATH is useful for manual invocations, management
tools typically create the UNIX domain socket themselves and pass it to
the vhost-user device backend. This way QEMU can be launched
immediately with a valid socket. No waiting for the vhost-user device
backend is required when fd passing is used.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: Fast path for virtio read

Readv the data straight into the guests buffer.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
With fix by:
Signed-off-by: Eryu Guan <eguan@linux.a

virtiofsd: Fast path for virtio read

Readv the data straight into the guests buffer.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
With fix by:
Signed-off-by: Eryu Guan <eguan@linux.alibaba.com>
Reviewed-by: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: Add Makefile wiring for virtiofsd contrib

Wire up the building of the virtiofsd in tools.

virtiofsd relies on Linux-specific system calls and seccomp. Anyone
wishing to port it to other

virtiofsd: Add Makefile wiring for virtiofsd contrib

Wire up the building of the virtiofsd in tools.

virtiofsd relies on Linux-specific system calls and seccomp. Anyone
wishing to port it to other host operating systems should do so
carefully and without reducing security.

Only allow building on Linux hosts.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: Keep track of replies

Keep track of whether we sent a reply to a request; this is a bit
paranoid but it means:
a) We should always recycle an element even if there was an error
in

virtiofsd: Keep track of replies

Keep track of whether we sent a reply to a request; this is a bit
paranoid but it means:
a) We should always recycle an element even if there was an error
in the request
b) Never try and send two replies on one queue element

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: Send replies to messages

Route fuse out messages back through the same queue elements
that had the command that triggered the request.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@red

virtiofsd: Send replies to messages

Route fuse out messages back through the same queue elements
that had the command that triggered the request.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: Start reading commands from queue

Pop queue elements off queues, copy the data from them and
pass that to fuse.

Note: 'out' in a VuVirtqElement is from QEMU
'in' in libfuse is

virtiofsd: Start reading commands from queue

Pop queue elements off queues, copy the data from them and
pass that to fuse.

Note: 'out' in a VuVirtqElement is from QEMU
'in' in libfuse is into the daemon

So we read from the out iov's to get a fuse_in_header

When we get a kick we've got to read all the elements until the queue
is empty.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: Poll kick_fd for queue

In the queue thread poll the kick_fd we're passed.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com

virtiofsd: Poll kick_fd for queue

In the queue thread poll the kick_fd we're passed.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...

virtiofsd: Start queue threads

Start a thread for each queue when we get notified it's been started.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
fix by:
Signed-off-by: Jun Piao <pia

virtiofsd: Start queue threads

Start a thread for each queue when we get notified it's been started.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
fix by:
Signed-off-by: Jun Piao <piaojun@huawei.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

show more ...