From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Alex Bennée" <alex.bennee@linaro.org>
Cc: qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>
Subject: Re: [PATCH] tools/virtiofsd: add support for --socket-group
Date: Thu, 12 Mar 2020 10:49:13 +0000
Message-ID: <20200312104913.GB4089516@redhat.com>
In-Reply-To: <20200312104142.21259-1-alex.bennee@linaro.org>

On Thu, Mar 12, 2020 at 10:41:42AM +0000, Alex Bennée wrote:
> If you like running QEMU as a normal user (very common for TCG runs)
> but you have to run virtiofsd as a root user you run into connection
> problems. Adding support for an optional --socket-group allows the
> users to keep using the command line.

If we're going to support this, then I think we need to put it in
the vhost-user.rst specification so we standardize across backends.

> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
>
> ---
> v1
> - tweak documentation and commentary
> ---
> docs/tools/virtiofsd.rst | 4 ++++
> tools/virtiofsd/fuse_i.h | 1 +
> tools/virtiofsd/fuse_lowlevel.c | 6 ++++++
> tools/virtiofsd/fuse_virtio.c | 20 ++++++++++++++++++--
> 4 files changed, 29 insertions(+), 2 deletions(-)
>
> diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
> index 378594c422a..5a8246b74f8 100644
> --- a/docs/tools/virtiofsd.rst
> +++ b/docs/tools/virtiofsd.rst
> @@ -85,6 +85,10 @@ Options
>
> Listen on vhost-user UNIX domain socket at PATH.
>
> +.. option:: --socket-group=GROUP
> +
> + Set the vhost-user UNIX domain socket gid to GROUP.
> +
> .. option:: --fd=FDNUM
>
> Accept connections from vhost-user UNIX domain socket file descriptor FDNUM.
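
Review bot: the --socket-group entry documents only the gid change and
leaves out two things a user needs to know. When a group is given, the
fuse_virtio.c change also relaxes the umask so the group permission bits
stay on the socket, which means every member of GROUP can connect to the
daemon. And fuse_session_new() now rejects the option unless
--socket-path is also given, so it cannot be combined with --fd. Both
points belong in this description.
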
> diff --git a/tools/virtiofsd/fuse_i.h b/tools/virtiofsd/fuse_i.h
> index 1240828208a..492e002181e 100644
> --- a/tools/virtiofsd/fuse_i.h
> +++ b/tools/virtiofsd/fuse_i.h
> @@ -68,6 +68,7 @@ struct fuse_session {
> size_t bufsize;
> int error;
> char *vu_socket_path;
> + char *vu_socket_group;
> int vu_listen_fd;
> int vu_socketfd;
> struct fv_VuDev *virtio_dev;
> diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
> index 2dd36ec03b6..4d1ba2925d1 100644
> --- a/tools/virtiofsd/fuse_lowlevel.c
> +++ b/tools/virtiofsd/fuse_lowlevel.c
> @@ -2523,6 +2523,7 @@ static const struct fuse_opt fuse_ll_opts[] = {
> LL_OPTION("--debug", debug, 1),
> LL_OPTION("allow_root", deny_others, 1),
> LL_OPTION("--socket-path=%s", vu_socket_path, 0),
> + LL_OPTION("--socket-group=%s", vu_socket_group, 0),
> LL_OPTION("--fd=%d", vu_listen_fd, 0),
> LL_OPTION("--thread-pool-size=%d", thread_pool_size, 0),
> FUSE_OPT_END
> @@ -2630,6 +2631,11 @@ struct fuse_session *fuse_session_new(struct fuse_args *args,
> "fuse: --socket-path and --fd cannot be given together\n");
> goto out4;
> }
> + if (se->vu_socket_group && !se->vu_socket_path) {
> + fuse_log(FUSE_LOG_ERR,
> + "fuse: --socket-group can only be used with --socket-path\n");
> + goto out4;
> + }
>
> se->bufsize = FUSE_MAX_MAX_PAGES * getpagesize() + FUSE_BUFFER_HEADER_SIZE;
>
> diff --git a/tools/virtiofsd/fuse_virtio.c b/tools/virtiofsd/fuse_virtio.c
> index 3b6d16a0417..331f9fc65c5 100644
> --- a/tools/virtiofsd/fuse_virtio.c
> +++ b/tools/virtiofsd/fuse_virtio.c
> @@ -31,6 +31,8 @@
> #include <sys/socket.h>
> #include <sys/types.h>
> #include <sys/un.h>
> +#include <sys/types.h>
> +#include <grp.h>
> #include <unistd.h>
>
> #include "contrib/libvhost-user/libvhost-user.h"
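
Review bot: the added `#include <sys/types.h>` duplicates the include
already present two lines above in this same block. Only `<grp.h>` is
needed for getgrnam(); drop the second sys/types.h line.
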
> @@ -924,15 +926,29 @@ static int fv_create_listen_socket(struct fuse_session *se)
>
> /*
> * Unfortunately bind doesn't let you set the mask on the socket,
> - * so set umask to 077 and restore it later.
> + * so set umask appropriately and restore it later.
> */
> - old_umask = umask(0077);
> + if (se->vu_socket_group) {
> + old_umask = umask(S_IROTH | S_IWOTH | S_IXOTH);
> + } else {
> + old_umask = umask(S_IRGRP | S_IWGRP | S_IXGRP | S_IROTH | S_IWOTH | S_IXOTH);
> + }
> if (bind(listen_sock, (struct sockaddr *)&un, addr_len) == -1) {
> fuse_log(FUSE_LOG_ERR, "vhost socket bind: %m\n");
> close(listen_sock);
> umask(old_umask);
> return -1;
> }
> + if (se->vu_socket_group) {
> + struct group *g = getgrnam(se->vu_socket_group);
> + if (g) {
> + if (!chown(se->vu_socket_path, -1, g->gr_gid)) {
> + fuse_log(FUSE_LOG_WARNING,
> + "vhost socket failed to set group to %s (%d)\n",
> + se->vu_socket_group, g->gr_gid);
> + }
> + }
> + }
> umask(old_umask);
>
> if (listen(listen_sock, 1) == -1) {
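
Review bot: the chown() check in the new block is inverted. chown()
returns 0 on success, so `if (!chown(...))` logs "failed to set group"
when the call succeeded and stays silent when it failed. Test for
`chown(...) == -1` and report the error with %m, as the bind() failure
path does. Separately, a NULL return from getgrnam() is ignored: by that
point the umask has already been relaxed to leave the group bits on, so
an unknown or mistyped group name leaves the socket group-accessible
under the group it was created with, and nothing is logged. Both
failures should log at FUSE_LOG_ERR, close listen_sock, restore the
umask and return -1 rather than continue with a socket whose access
differs from what was requested. Also, g->gr_gid is a gid_t, so the %d
in the log format needs a cast.
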
> --
> 2.20.1
>
>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|