Re: [PATCH 00/52] [RFC] virtio-fs: shared file system for virtual machines

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Vivek Goyal <vgoyal@redhat.com>
To: Piotr Jurkiewicz <piotr.jerzy.jurkiewicz@gmail.com>
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	kvm@vger.kernel.org, miklos@szeredi.hu, stefanha@redhat.com,
	dgilbert@redhat.com, sweil@redhat.com, swhiteho@redhat.com
Subject: Re: [PATCH 00/52] [RFC] virtio-fs: shared file system for virtual machines
Date: Wed, 12 Dec 2018 16:25:53 -0500	[thread overview]
Message-ID: <20181212212553.GB23229@redhat.com> (raw)
In-Reply-To: <dc2e6e0f-ab00-a114-0fc1-e787293a73cf@gmail.com>

On Wed, Dec 12, 2018 at 06:07:40PM +0100, Piotr Jurkiewicz wrote:
> Currently, virtio-9p cannot be used with overlayfs in order to obtain
> Docker-like experience (but with separate kernel) because of file attributes
> problems. I wrote an email about that to qemu-devel almost year ago, but it
> received no attention (I attach its contents below.).
> 
> Will virtio-fs avoid these problems? I assume it will be transparent from
> the point of view of file attributes, and not enforce any kind of security
> filtering?

Hi Piotr,

So you want to use virtio-fs as upper/ layer of a overlay filesystem
inside guest? Interesting. I have not tried that.

As of now I think we are not doing any filtering of file attributes
and it might just work. Give it a try. Having said that, I suspect
that security model of virtio-fs most likely will evolve.

Thanks
Vivek
> 
> Piotr Jurkiewicz
> 
> ----
> 
> 1. Upper filesystem must support the creation of trusted.* extended
> attributes.
> 
> 9pfs has support for getting/setting xattrs, but calls operating on
> attributes other than user.* and system.posix_acl_* are dropped.
> 
> 2. Upper filesystem must provide valid d_type in readdir responses.
> 
> This works, but only in case of 'passtrough' and 'none' security models. In
> the case of 'mapped-xattr' and 'mapped-file' models, d_type is being zeroed
> to DT_UNKNOWN during readdir() call.
> 
> All these limitations can be resolved pretty easily, but requires some
> design decisions. I can prepare appropriate patches.
> 
> Ad. 1.
> 
> Why are operations on attributes other than than user.* and
> system.posix_acl_* forbidden? Is this due to security reasons?
> 
> If so, can we map all of them to user.virtfs namespace, similarly as
> system.posix_acl_* are being mapped to user.virtfs.system.posix_acl_* in
> 'mapping' mode already? This way any trusted/security/system attributes will
> be effective only when mounted via virtfs inside VM.
> 
> Ad. 2.
> 
> local_readdir() can fill entry->d_type with the right DT_* value by
> obtaining file type from mapping and translating it with IFTODT() macro.
> This would, however, require reading 'user.virtfs.mode' for each direntry
> during readdir() call, what can affect performance. If so, this behavior
> would probably need to be controlled with some runtime option.
> 
> 'mapped-xattr' and 'mapped-file' models are essential for running qemu with
> overlayfs as non-root, because overlayfs creates device nodes, what is
> possible for unprivileged user only with these models.

next prev parent reply	other threads:[~2018-12-12 21:25 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-12 17:07 [PATCH 00/52] [RFC] virtio-fs: shared file system for virtual machines Piotr Jurkiewicz
2018-12-12 21:25 ` Vivek Goyal [this message]
  -- strict thread matches above, loose matches on Subject: below --
2018-12-10 17:12 Vivek Goyal
2018-12-11 12:54 ` Stefan Hajnoczi
2018-12-12 20:30 ` Konrad Rzeszutek Wilk
2018-12-12 21:22   ` Vivek Goyal
2019-02-12 15:56 ` Aneesh Kumar K.V
2019-02-12 18:57   ` Vivek Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181212212553.GB23229@redhat.com \
    --to=vgoyal@redhat.com \
    --cc=dgilbert@redhat.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=piotr.jerzy.jurkiewicz@gmail.com \
    --cc=stefanha@redhat.com \
    --cc=sweil@redhat.com \
    --cc=swhiteho@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.