Vivek Goyal [Mon, 10 Jun 2019 19:22:06 +0000 (15:22 -0400)]
virtiofsd: Support remote posix locks
Doing posix locks with-in guest kernel are not sufficient if a file/dir
is being shared by multiple guests. So we need the notion of daemon doing
the locks which are visible to rest of the guests.
Given posix locks are per process, one can not call posix lock API on host,
otherwise bunch of basic posix locks properties are broken. For example,
If two processes (A and B) in guest open the file and take locks on different
sections of file, if one of the processes closes the fd, it will close
fd on virtiofsd and all posix locks on file will go away. This means if
process A closes the fd, then locks of process B will go away too.
Similar other problems exist too.
This patch set tries to emulate posix locks while using open file
description locks provided on Linux.
Daemon provides two options (-o posix_lock, -o no_posix_lock) to enable
or disable posix locking in daemon. By default it is enabled.
There are few issues though.
- GETLK() returns pid of process holding lock. As we are emulating locks
using OFD, and these locks are not per process and don't return pid
of process, so GETLK() in guest does not reuturn process pid.
- As of now only F_SETLK is supported and not F_SETLKW. We can't block
the thread in virtiofsd for arbitrary long duration as there is only
one thread serving the queue. That means unlock request will not make
it to daemon and F_SETLKW will block infinitely and bring virtio-fs
to a halt. This is a solvable problem though and will require significant
changes in virtiofsd and kernel. Left as a TODO item for now.
The user will get confused about the situation and maybe the cause of the
unexpected problem. So it's better to prevent the multiple running.
Create a regular file under localstatedir directory to exclude the
vhost_user_socket. To create and lock the file, use qemu_write_pidfile()
because the API has some sanity checks and file lock.
Miklos Szeredi [Wed, 20 Nov 2019 14:14:29 +0000 (14:14 +0000)]
virtiofsd: fail when parent inode isn't known in lo_do_lookup()
The Linux file handle APIs (struct export_operations) can access inodes
that are not attached to parents because path name traversal is not
performed. Refuse if there is no parent in lo_do_lookup().
contrib/libvhost-user: Protect slave fd with mutex
In future patches we'll be performing commands on the slave-fd driven
by commands on queues, since those queues will be driven by individual
threads we need to make sure they don't attempt to use the slave-fd
for multiple commands in parallel.
virtiofsd: Add ID to the log with FUSE_LOG_DEBUG level
virtiofsd has some threads, so we see a lot of logs with debug option.
It would be useful for debugging if we can identify the specific thread
from the log.
Add ID, which is got by gettid(), to the log with FUSE_LOG_DEBUG level
so that we can grep the specific thread.
Signed-off-by: Masayoshi Mizuma <[email protected]> Signed-off-by: Dr. David Alan Gilbert <[email protected]>
added rework as suggested by Daniel P. Berrangé during review Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Stefan Hajnoczi [Wed, 26 Jun 2019 09:25:54 +0000 (10:25 +0100)]
virtiofsd: add --syslog command-line option
Sometimes collecting output from stderr is inconvenient or does not fit
within the overall logging architecture. Add syslog(3) support for
cases where stderr cannot be used.
Stefan Hajnoczi [Fri, 22 Nov 2019 11:31:30 +0000 (11:31 +0000)]
virtiofsd: fix libfuse information leaks
Some FUSE message replies contain padding fields that are not
initialized by libfuse. This is fine in traditional FUSE applications
because the kernel is trusted. virtiofsd does not trust the guest and
must not expose uninitialized memory.
Use C struct initializers to automatically zero out memory. Not all of
these code changes are strictly necessary but they will prevent future
information leaks if the structs are extended.
Stefan Hajnoczi [Fri, 22 Mar 2019 15:54:13 +0000 (15:54 +0000)]
virtiofsd: set maximum RLIMIT_NOFILE limit
virtiofsd can exceed the default open file descriptor limit easily on
most systems. Take advantage of the fact that it runs as root to raise
the limit.
Vivek Goyal [Tue, 13 Aug 2019 19:29:44 +0000 (15:29 -0400)]
virtiofsd: Drop CAP_FSETID if client asked for it
If client requested killing setuid/setgid bits on file being written, drop
CAP_FSETID capability so that setuid/setgid bits are cleared upon write
automatically.
libcap-ng reads /proc during capng_get_caps_process, and virtiofsd's
sandboxing doesn't have /proc mounted; thus we have to do the
caps read before we sandbox it and save/restore the state.
Stefan Hajnoczi [Wed, 16 Oct 2019 16:01:57 +0000 (17:01 +0100)]
virtiofsd: move to a new pid namespace
virtiofsd needs access to /proc/self/fd. Let's move to a new pid
namespace so that a compromised process cannot see another other
processes running on the system.
One wrinkle in this approach: unshare(CLONE_NEWPID) affects *child*
processes and not the current process. Therefore we need to fork the
pid 1 process that will actually run virtiofsd and leave a parent in
waitpid(2). This is not the same thing as daemonization and parent
processes should not notice a difference.
Stefan Hajnoczi [Thu, 28 Feb 2019 16:38:31 +0000 (16:38 +0000)]
virtiofsd: check input buffer size in fuse_lowlevel.c ops
Each FUSE operation involves parsing the input buffer. Currently the
code assumes the input buffer is large enough for the expected
arguments. This patch uses fuse_mbuf_iter to check the size.
Most operations are simple to convert. Some are more complicated due to
variable-length inputs or different sizes depending on the protocol
version.
Stefan Hajnoczi [Thu, 28 Feb 2019 11:25:32 +0000 (11:25 +0000)]
virtiofsd: validate input buffer sizes in do_write_buf()
There is a small change in behavior: if fuse_write_in->size doesn't
match the input buffer size then the request is failed. Previously
write requests with 1 fuse_buf element would truncate to
fuse_write_in->size.
Stefan Hajnoczi [Thu, 28 Feb 2019 10:30:20 +0000 (10:30 +0000)]
virtiofsd: add fuse_mbuf_iter API
Introduce an API for consuming bytes from a buffer with size checks.
All FUSE operations will be converted to use this safe API instead of
void *inarg.
virtiofsd: Plumb fuse_bufvec through to do_write_buf
Let fuse_session_process_buf_int take a fuse_bufvec * instead of a
fuse_buf; and then through to do_write_buf - where in the best
case it can pass that straight through to op.write_buf without copying
(other than skipping a header).
Stefan Hajnoczi [Tue, 26 Feb 2019 17:58:59 +0000 (17:58 +0000)]
virtiofsd: validate path components
Several FUSE requests contain single path components. A correct FUSE
client sends well-formed path components but there is currently no input
validation in case something went wrong or the client is malicious.
Refuse ".", "..", and paths containing '/' when we expect a path
component.
Miklos Szeredi [Wed, 14 Nov 2018 15:52:03 +0000 (16:52 +0100)]
virtiofsd: passthrough_ll: add fallback for racy ops
We have two operations that cannot be done race-free on a symlink in
certain cases: utimes and link.
Add racy fallback for these if the race-free method doesn't work. We do
our best to avoid races even in this case:
- get absolute path by reading /proc/self/fd/NN symlink
- lookup parent directory: after this we are safe against renames in
ancestors
- lookup name in parent directory, and verify that we got to the original
inode, if not retry the whole thing
Both utimes(2) and link(2) hold i_lock on the inode across the operation,
so a racing rename/delete by this fuse instance is not possible, only from
other entities changing the filesystem.
If the "norace" option is given, then disable the racy fallbacks.
Stefan Hajnoczi [Thu, 31 Jan 2019 04:49:39 +0000 (12:49 +0800)]
virtiofsd: passthrough_ll: add lo_map for ino/fh indirection
A layer of indirection is needed because passthrough_ll cannot expose
pointers or file descriptor numbers to untrusted clients. Malicious
clients could send invalid pointers or file descriptors in order to
crash or exploit the file system daemon.
lo_map provides an integer key->value mapping. This will be used for
ino and fh fields in the patches that follow.
Stefan Hajnoczi [Tue, 27 Aug 2019 09:54:34 +0000 (10:54 +0100)]
virtiofsd: make -f (foreground) the default
According to vhost-user.rst "Backend program conventions", backend
programs should run in the foregound by default. Follow the
conventions so libvirt and other management tools can control virtiofsd
in a standard way.
Stefan Hajnoczi [Tue, 25 Jun 2019 16:18:00 +0000 (17:18 +0100)]
virtiofsd: add --fd=FDNUM fd passing option
Although --socket-path=PATH is useful for manual invocations, management
tools typically create the UNIX domain socket themselves and pass it to
the vhost-user device backend. This way QEMU can be launched
immediately with a valid socket. No waiting for the vhost-user device
backend is required when fd passing is used.
virtiofsd: Add Makefile wiring for virtiofsd contrib
Wire up the building of the virtiofsd in tools.
virtiofsd relies on Linux-specific system calls and seccomp. Anyone
wishing to port it to other host operating systems should do so
carefully and without reducing security.
Keep track of whether we sent a reply to a request; this is a bit
paranoid but it means:
a) We should always recycle an element even if there was an error
in the request
b) Never try and send two replies on one queue element
Vivek Goyal [Thu, 30 Aug 2018 18:22:10 +0000 (14:22 -0400)]
virtiofsd: Make fsync work even if only inode is passed in
If caller has not sent file handle in request, then using inode, retrieve
the fd opened using O_PATH and use that to open file again and issue
fsync. This will be needed when dax_flush() calls fsync. At that time
we only have inode information (and not file).
Xiao Yang [Mon, 13 Jan 2020 09:37:34 +0000 (17:37 +0800)]
vitriofsd/passthrough_ll: fix fallocate() ifdefs
1) Use correct CONFIG_FALLOCATE macro to check if fallocate() is supported.(i.e configure
script sets CONFIG_FALLOCATE intead of HAVE_FALLOCATE if fallocate() is supported)
2) Replace HAVE_POSIX_FALLOCATE with CONFIG_POSIX_FALLOCATE.
Signed-off-by: Xiao Yang <[email protected]> Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Merged from two of Xiao Yang's patches
virtiofsd: Fix common header and define for QEMU builds
All of the fuse files include config.h and define GNU_SOURCE
where we don't have either under our build - remove them.
Fixup path to the kernel's fuse.h in the QEMUs world.
QEMU's compiler enables warnings/errors for ignored values
and the (void) trick used in the fuse code isn't enough.
Turn all the return values into a return value on the function.
Stefan Hajnoczi [Thu, 28 Feb 2019 11:22:58 +0000 (11:22 +0000)]
virtiofsd: remove unused notify reply support
Notify reply support is unused by virtiofsd. The code would need to be
updated to validate input buffer sizes. Remove this unused code since
changes to it are untestable.
Stefan Hajnoczi [Fri, 8 Mar 2019 13:24:31 +0000 (13:24 +0000)]
virtiofsd: remove mountpoint dummy argument
Classic FUSE file system daemons take a mountpoint argument but
virtiofsd exposes a vhost-user UNIX domain socket instead. The
mountpoint argument is not used by virtiofsd but the user is still
required to pass a dummy argument on the command-line.
Remove the mountpoint argument to clean up the command-line.
passthrough_ll is one of the examples in the upstream fuse project
and is the main part of our daemon here. It passes through requests
from fuse to the underlying filesystem, using syscalls as directly
as possible.
From libfuse fuse-3.8.0
Signed-off-by: Dr. David Alan Gilbert <[email protected]>
Fixed up 'GPL' to 'GPLv2' as per Dan's comments and consistent
with the 'LICENSE' file in libfuse; patch sent to libfuse to fix
it upstream. Reviewed-by: Daniel P. Berrangé <[email protected]> Signed-off-by: Dr. David Alan Gilbert <[email protected]>
fuse_lowlevel is one of the largest files from the library
and does most of the work. Add it separately to keep the diff
sizes small.
Again this is from upstream fuse-3.8.0
* remotes/vivier2/tags/linux-user-for-5.0-pull-request:
linux-user: Add support for read/clear RTC voltage low detector using ioctls
linux-user: Add support for getting/setting RTC PLL correction using ioctls
linux-user: Add support for getting/setting RTC wakeup alarm using ioctls
linux-user: Add support for getting/setting RTC periodic interrupt and epoch using ioctls
linux-user: Add support for getting/setting RTC time and alarm using ioctls
linux-user: Add support for enabling/disabling RTC features using ioctls
linux-user: Add support for TYPE_LONG and TYPE_ULONG in do_ioctl()
linux-user: Add support for KCOV_INIT_TRACE ioctl
linux-user: Add support for KCOV_<ENABLE|DISABLE> ioctls
configure: Detect kcov support and introduce CONFIG_KCOV
linux-user: Add support for FDFMT<BEG|TRK|END> ioctls
linux-user: Add support for FD<SETEMSGTRESH|SETMAXERRS|GETMAXERRS> ioctls
linux-user: Add support for FS_IOC32_<GET|SET>VERSION ioctls
linux-user: Add support for FS_IOC32_<GET|SET>FLAGS ioctls
linux-user: Add support for FS_IOC_<GET|SET>VERSION ioctls
linux-user: Reserve space for brk
linux-user:Fix align mistake when mmap guest space
Peter Maydell [Thu, 23 Jan 2020 13:01:14 +0000 (13:01 +0000)]
Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20200121' into staging
Remove another limit to NB_MMU_MODES.
Fix compilation using uclibc.
Fix defaulting of -accel parameters.
Tidy cputlb basic routines.
Adjust git.orderfile for decodetree.
# gpg: Signature made Wed 22 Jan 2020 02:44:18 GMT
# gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F
# gpg: issuer "[email protected]"
# gpg: Good signature from "Richard Henderson <[email protected]>" [full]
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A 05C0 64DF 38E8 AF7E 215F
* remotes/rth/tags/pull-tcg-20200121:
scripts/git.orderfile: Display decodetree before C source
cputlb: Hoist timestamp outside of loops over tlbs
cputlb: Initialize tlbs as flushed
cputlb: Partially merge tlb_dyn_init into tlb_init
cputlb: Split out tlb_mmu_flush_locked
cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
cputlb: Hoist tlb portions in tlb_mmu_resize_locked
cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
cputlb: Make tlb_n_entries private to cputlb.c
cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
vl: Only choose enabled accelerators in configure_accelerators
vl: Remove useless test in configure_accelerators
vl: Reduce scope of variables in configure_accelerators
vl: Remove unused variable in configure_accelerators
util/cacheinfo: fix crash when compiling with uClibc
cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
Filip Bozuta [Wed, 15 Jan 2020 19:36:40 +0000 (20:36 +0100)]
linux-user: Add support for read/clear RTC voltage low detector using ioctls
This patch implements functionalities of following ioctls:
RTC_VL_READ - Read voltage low detection information
Read the voltage low for RTCs that support voltage low.
The third ioctl's' argument points to an int in which
the voltage low is returned.
RTC_VL_CLR - Clear voltage low information
Clear the information about voltage low for RTCs that
support voltage low. The third ioctl(2) argument is
ignored.
Implementation notes:
Since one ioctl has a pointer to 'int' as its third agrument,
and another ioctl has NULL as its third argument, their
implementation was straightforward.
Filip Bozuta [Wed, 15 Jan 2020 19:36:39 +0000 (20:36 +0100)]
linux-user: Add support for getting/setting RTC PLL correction using ioctls
This patch implements functionalities of following ioctls:
RTC_PLL_GET - Getting PLL correction
Read the PLL correction for RTCs that support PLL. The PLL correction
is returned in the following structure:
struct rtc_pll_info {
int pll_ctrl; /* placeholder for fancier control */
int pll_value; /* get/set correction value */
int pll_max; /* max +ve (faster) adjustment value */
int pll_min; /* max -ve (slower) adjustment value */
int pll_posmult; /* factor for +ve correction */
int pll_negmult; /* factor for -ve correction */
long pll_clock; /* base PLL frequency */
};
A pointer to this structure should be passed as the third
ioctl's argument.
RTC_PLL_SET - Setting PLL correction
Sets the PLL correction for RTCs that support PLL. The PLL correction
that is set is specified by the rtc_pll_info structure pointed to by
the third ioctl's' argument.
Implementation notes:
All ioctls in this patch have a pointer to a structure rtc_pll_info
as their third argument. All elements of this structure are of
type 'int', except the last one that is of type 'long'. That is
the reason why a separate target structure (target_rtc_pll_info)
is defined in linux-user/syscall_defs. The rest of the
implementation is straightforward.
The enabled flag is used to enable or disable the alarm
interrupt, or to read its current status; when using these
calls, RTC_AIE_ON and RTC_AIE_OFF are not used. The pending
flag is used by RTC_WKALM_RD to report a pending interrupt
(so it's mostly useless on Linux, except when talking to the
RTC managed by EFI firmware). The time field is as used with
RTC_ALM_READ and RTC_ALM_SET except that the tm_mday, tm_mon,
and tm_year fields are also valid. A pointer to this structure
should be passed as the third ioctl's argument.
Implementation notes:
All ioctls in this patch have a pointer to a structure
rtc_wkalrm as their third argument. That is the reason why
corresponding definition is added in linux-user/syscall_types.h.
Since all elements of this structure are either of type
'unsigned char' or 'struct rtc_time' (that was covered in one
of previous patches), the rest of the implementation is
straightforward.
Read and set the frequency for periodic interrupts, for RTCs
that support periodic interrupts. The periodic interrupt must
be separately enabled or disabled using the RTC_PIE_ON,
RTC_PIE_OFF requests. The third ioctl's argument is an
unsigned long * or an unsigned long, respectively. The value
is the frequency in interrupts per second. The set of allow‐
able frequencies is the multiples of two in the range 2 to
8192. Only a privileged process (i.e., one having the
CAP_SYS_RESOURCE capability) can set frequencies above the
value specified in /proc/sys/dev/rtc/max-user-freq. (This
file contains the value 64 by default.)
Many RTCs encode the year in an 8-bit register which is either
interpreted as an 8-bit binary number or as a BCD number. In
both cases, the number is interpreted relative to this RTC's
Epoch. The RTC's Epoch is initialized to 1900 on most systems
but on Alpha and MIPS it might also be initialized to 1952,
1980, or 2000, depending on the value of an RTC register for
the year. With some RTCs, these operations can be used to
read or to set the RTC's Epoch, respectively. The third
ioctl's argument is an unsigned long * or an unsigned long,
respectively, and the value returned (or assigned) is the
Epoch. To set the RTC's Epoch the process must be privileged
(i.e., have the CAP_SYS_TIME capability).
Implementation notes:
All ioctls in this patch have a pointer to 'ulong' as their
third argument. That is the reason why corresponding parts
of added code in linux-user/syscall_defs.h contain special
handling related to 'ulong' type: they use 'abi_ulong' type
to make sure that ioctl's code is calculated correctly for
both 32-bit and 64-bit targets. Also, 'MK_PTR(TYPE_ULONG)'
is used for the similar reason in linux-user/ioctls.h.
Filip Bozuta [Wed, 15 Jan 2020 19:36:36 +0000 (20:36 +0100)]
linux-user: Add support for getting/setting RTC time and alarm using ioctls
This patch implements functionalities of following ioctls:
RTC_RD_TIME - Getting RTC time
Returns this RTC's time in the following structure:
struct rtc_time {
int tm_sec;
int tm_min;
int tm_hour;
int tm_mday;
int tm_mon;
int tm_year;
int tm_wday; /* unused */
int tm_yday; /* unused */
int tm_isdst; /* unused */
};
The fields in this structure have the same meaning and ranges
as the tm structure described in gmtime man page. A pointer
to this structure should be passed as the third ioctl's argument.
RTC_SET_TIME - Setting RTC time
Sets this RTC's time to the time specified by the rtc_time
structure pointed to by the third ioctl's argument. To set
the RTC's time the process must be privileged (i.e., have the
CAP_SYS_TIME capability).
RTC_ALM_READ, RTC_ALM_SET - Getting/Setting alarm time
Read and set the alarm time, for RTCs that support alarms.
The alarm interrupt must be separately enabled or disabled
using the RTC_AIE_ON, RTC_AIE_OFF requests. The third
ioctl's argument is a pointer to a rtc_time structure. Only
the tm_sec, tm_min, and tm_hour fields of this structure are
used.
Implementation notes:
All ioctls in this patch have pointer to a structure rtc_time
as their third argument. That is the reason why corresponding
definition is added in linux-user/syscall_types.h. Since all
elements of this structure are of type 'int', the rest of the
implementation is straightforward.
Enable or disable the periodic interrupt, for RTCs that sup‐
port these periodic interrupts. The third ioctl's argument
is ignored. Only a privileged process (i.e., one having the
CAP_SYS_RESOURCE capability) can enable the periodic interrupt
if the frequency is currently set above the value specified in
/proc/sys/dev/rtc/max-user-freq.
Enable or disable the Watchdog interrupt, for RTCs that sup-
port this Watchdog interrupt. The third ioctl's argument is
ignored.
Implementation notes:
Since all of involved ioctls have NULL as their third argument,
their implementation was straightforward.
The line '#include <linux/rtc.h>' was added to recognize
preprocessor definitions for these ioctls. This needs to be
done only once in this series of commits. Also, the content
of this file (with respect to ioctl definitions) remained
unchanged for a long time, therefore there is no need to
worry about supporting older Linux kernel version.
Filip Bozuta [Wed, 15 Jan 2020 19:36:47 +0000 (20:36 +0100)]
linux-user: Add support for TYPE_LONG and TYPE_ULONG in do_ioctl()
Function "do_ioctl()" located in file "syscall.c" was missing
an option for TYPE_LONG and TYPE_ULONG. This caused some ioctls
to not be recognised because they had the third argument that was
of type 'long' or 'unsigned long'.
For example:
Since implemented ioctls RTC_IRQP_SET and RTC_EPOCH_SET
are of type IOW(writing type) that have unsigned long as
their third argument, they were not recognised in QEMU
before the changes of this patch.
KCOV_INIT_TRACE ioctl plays the role in kernel coverage tracing.
This ioctl's third argument is of type 'unsigned long', and the
implementation in QEMU is straightforward.
linux-user: Add support for KCOV_<ENABLE|DISABLE> ioctls
KCOV_ENABLE and KCOV_DISABLE play the role in kernel coverage
tracing. These ioctls do not use the third argument of ioctl()
system call and are straightforward to implement in QEMU.
configure: Detect kcov support and introduce CONFIG_KCOV
kcov is kernel code coverage tracing tool. It requires kernel 4.4+
compiled with certain kernel options.
This patch checks if kcov header "sys/kcov.h" is present on build
machine, and stores the result in variable CONFIG_KCOV, meant to
be used in linux-user code related to the support for three ioctls
that were introduced at the same time as the mentioned header
(their definition was a part of the first version of that header).
projects / qemu.git / log