From: "M. Mohan Kumar" <mohan@in.ibm.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: qemu-devel@nongnu.org
Subject: [Qemu-devel] Re: [V7 PATCH 9/9] virtio-9p: Chroot environment for other functions
Date: Wed, 9 Mar 2011 13:40:52 +0530 [thread overview]
Message-ID: <201103091340.53088.mohan@in.ibm.com> (raw)
In-Reply-To: <AANLkTik0KiEtc5_g+fUue=_ox-ZC2O4PQhHvvcb_hHPq@mail.gmail.com>
Thanks Stefan for your review!
On Friday 04 March 2011 5:22:00 pm Stefan Hajnoczi wrote:
>
> Is this code supposed to build on non-Linux hosts? If so, then please
> confirm that the *at() system calls used are standard and available on
> other hosts (e.g. FreeBSD, Darwin, Solaris).
>
No, this (virtio-9p) is not supported on non-linux hosts.
> > +/*
> > + * Returns file descriptor of dirname(path)
> > + * This fd can be used by *at functions
> > + */
> > +static int get_dirfd(FsContext *fs_ctx, const char *path)
> > +{
> > + V9fsFileObjectRequest request;
> > + int fd;
> > + char *dpath = qemu_strdup(path);
> > +
> > + fd = fill_fileobjectrequest(&request, dirname(dpath), NULL);
> > + if (fd < 0) {
> > + return fd;
> > + }
>
> Leaks dpath, fails to set errno, and does not return -1.
Will fix in next patchset.
>
> > @@ -545,53 +621,146 @@ static int local_link(FsContext *fs_ctx, const
> > char *oldpath,
> >
> > static int local_truncate(FsContext *ctx, const char *path, off_t size)
> > {
> > - return truncate(rpath(ctx, path), size);
> > + if (ctx->fs_sm == SM_PASSTHROUGH) {
> > + int fd, retval;
> > + fd = passthrough_open(ctx, path, O_RDWR);
> > + if (fd < 0) {
> > + return -1;
> > + }
> > + retval = ftruncate(fd, size);
> > + close(fd);
> > + return retval;
>
> This is an example of where errno is not guaranteed to be preserved.
> When ftruncate(2) fails close(2) is allowed to affect errno and we
> cannot rely on it holding the ftruncate(2) error code. Please check
> for other cases of this.
Will fix in next patchset.
>
> > static int local_rename(FsContext *ctx, const char *oldpath,
> > const char *newpath)
> > {
> > - char *tmp;
> > - int err;
> > -
> > - tmp = qemu_strdup(rpath(ctx, oldpath));
> > + int err, serrno = 0;
> >
> > - err = rename(tmp, rpath(ctx, newpath));
> > - if (err == -1) {
> > - int serrno = errno;
> > - qemu_free(tmp);
> > + if (ctx->fs_sm == SM_PASSTHROUGH) {
> > + int opfd, npfd;
> > + char *old_tmppath, *new_tmppath;
> > + opfd = get_dirfd(ctx, oldpath);
> > + if (opfd < 0) {
> > + return -1;
> > + }
> > + npfd = get_dirfd(ctx, newpath);
> > + if (npfd < 0) {
> > + close(opfd);
> > + return -1;
> > + }
> > + old_tmppath = qemu_strdup(oldpath);
> > + new_tmppath = qemu_strdup(newpath);
> > + err = renameat(opfd, basename(old_tmppath),
> > + npfd, basename(new_tmppath));
> > + if (err == -1) {
> > + serrno = errno;
> > + }
> > + close(npfd);
> > + close(opfd);
> > + qemu_free(old_tmppath);
> > + qemu_free(new_tmppath);
> > errno = serrno;
>
> Why can't this be done as a chroot worker operation in a single syscall?
Ok, in next patchset, T_RENAME & T_REMOVE types will be added.
>
> > -static int local_utimensat(FsContext *s, const char *path,
> > - const struct timespec *buf)
> > +static int local_utimensat(FsContext *fs_ctx, const char *path,
> > + const struct timespec *buf)
> > {
> > - return qemu_utimensat(AT_FDCWD, rpath(s, path), buf,
> > AT_SYMLINK_NOFOLLOW); + if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
> > + int fd, retval;
> > + fd = passthrough_open(fs_ctx, path, O_RDONLY | O_NONBLOCK);
>
> This follows symlinks but the SM_PASSTHROUGH case below does not?
Will fix.
>
> > + if (fd < 0) {
> > + return -1;
> > + }
> > + retval = futimens(fd, buf);
> > + close(fd);
> > + return retval;
> > + } else {
> > + return utimensat(AT_FDCWD, rpath(fs_ctx, path), buf,
> > + AT_SYMLINK_NOFOLLOW);
> > + }
> > }
> >
> > -static int local_remove(FsContext *ctx, const char *path)
> > -{
> > - return remove(rpath(ctx, path));
> > +static int local_remove(FsContext *fs_ctx, const char *path)
> > + {
> > + if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
> > + int pfd, err, serrno, flags;
> > + char *old_path;
> > + struct stat stbuf;
> > + pfd = get_dirfd(fs_ctx, path);
> > + if (pfd < 0) {
> > + return -1;
> > + }
> > + old_path = qemu_strdup(path);
> > + err = fstatat(pfd, basename(old_path), &stbuf,
> > AT_SYMLINK_NOFOLLOW); + if (err < 0) {
>
> old_path and pfd are leaked.
>
> > + return -1;
> > + }
> > + serrno = flags = 0;
> > + if ((stbuf.st_mode & S_IFMT) == S_IFDIR) {
> > + flags = AT_REMOVEDIR;
> > + } else {
> > + flags = 0;
> > + }
> > + err = unlinkat(pfd, basename(old_path), flags);
> > + if (err == -1) {
> > + serrno = errno;
> > + }
> > + qemu_free(old_path);
> > + close(pfd);
> > + errno = serrno;
> > + return err;
>
> Why is SM_PASSTHROUGH so complicated...
>
> > + } else {
> > + return remove(rpath(fs_ctx, path));
>
> ...but this so simple?
>
> Could we just send a remove operation to the chroot worker instead?
>
----
M. Mohan Kumar
next prev parent reply other threads:[~2011-03-09 8:11 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-04 9:25 [Qemu-devel] [V7 PATCH 0/9] virtio-9p: Use chroot to safely access files in passthrough security model M. Mohan Kumar
2011-03-04 9:25 ` [Qemu-devel] [V7 PATCH 1/9] Implement qemu_read_full M. Mohan Kumar
2011-03-04 9:25 ` [Qemu-devel] [V7 PATCH 2/9] virtio-9p: Enable CONFIG_THREAD if CONFIG_VIRTFS is enabled M. Mohan Kumar
2011-03-04 9:25 ` [Qemu-devel] [V7 PATCH 3/9] virtio-9p: Provide chroot worker side interfaces M. Mohan Kumar
2011-03-04 10:53 ` [Qemu-devel] " Stefan Hajnoczi
2011-03-08 5:10 ` Venkateswararao Jujjuri (JV)
2011-03-04 9:25 ` [Qemu-devel] [V7 PATCH 4/9] virtio-9p: Add qemu side interfaces for chroot environment M. Mohan Kumar
2011-03-04 9:25 ` [Qemu-devel] [V7 PATCH 5/9] virtio-9p: Add support to open a file in " M. Mohan Kumar
2011-03-04 9:25 ` [Qemu-devel] [V7 PATCH 6/9] virtio-9p: Create support " M. Mohan Kumar
2011-03-04 10:28 ` [Qemu-devel] " Stefan Hajnoczi
2011-03-04 9:25 ` [Qemu-devel] [V7 PATCH 7/9] virtio-9p: Support for creating special files M. Mohan Kumar
2011-03-04 11:06 ` [Qemu-devel] " Stefan Hajnoczi
2011-03-09 8:08 ` M. Mohan Kumar
2011-03-04 9:25 ` [Qemu-devel] [V7 PATCH 8/9] virtio-9p: Move file post creation changes to none security model M. Mohan Kumar
2011-03-04 9:25 ` [Qemu-devel] [V7 PATCH 9/9] virtio-9p: Chroot environment for other functions M. Mohan Kumar
2011-03-04 11:52 ` [Qemu-devel] " Stefan Hajnoczi
2011-03-09 8:10 ` M. Mohan Kumar [this message]
2011-03-11 17:12 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201103091340.53088.mohan@in.ibm.com \
--to=mohan@in.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.