From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: virtio-fs@redhat.com, miklos@szeredi.hu, qemu-devel@nongnu.org
Subject: Re: [Virtio-fs] [PATCH v7 5/7] virtiofsd: Add capability to change/restore umask
Date: Mon, 28 Jun 2021 19:51:36 +0100
Message-ID: <YNoaOCN1G+HqQ8S5@work-vm>
In-Reply-To: <20210628184636.GH1803896@redhat.com>

* Vivek Goyal (vgoyal@redhat.com) wrote:
> On Mon, Jun 28, 2021 at 07:36:18PM +0100, Dr. David Alan Gilbert wrote:
> > * Vivek Goyal (vgoyal@redhat.com) wrote:
> > > On Mon, Jun 28, 2021 at 05:12:13PM +0100, Dr. David Alan Gilbert wrote:
> > > > * Vivek Goyal (vgoyal@redhat.com) wrote:
> > > > > When parent directory has default acl and a file is created in that
> > > > > directory, then umask is ignored and final file permissions are
> > > > > determined using default acl instead. (man 2 umask).
> > > > >
> > > > > Currently, fuse applies the umask and sends modified mode in create
> > > > > request accordingly. fuse server can set FUSE_DONT_MASK and tell
> > > > > fuse client to not apply umask and fuse server will take care of
> > > > > it as needed.
> > > > >
> > > > > With posix acls enabled, requirement will be that we want umask
> > > > > to determine final file mode if parent directory does not have
> > > > > default acl.
> > > > >
> > > > > So if posix acls are enabled, opt in for FUSE_DONT_MASK. virtiofsd
> > > > > will set umask of the thread doing file creation. And host kernel
> > > > > should use that umask if parent directory does not have default
> > > > > acls, otherwise umask does not take effect.
> > > > >
> > > > > Miklos mentioned that we already call unshare(CLONE_FS) for
> > > > > every thread. That means umask has now become property of per
> > > > > thread and it should be ok to manipulate it in file creation path.
> > > > >
> > > > > This patch only adds capability to change umask and restore it. It
> > > > > does not enable it yet. Next few patches will add capability to enable it
> > > > > based on if user enabled posix_acl or not.
> > > > >
> > > > > This should fix fstest generic/099.
> > > > >
> > > > > Reported-by: Luis Henriques <lhenriques@suse.de>
> > > > > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> > > > > Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
> > > > > ---
> > > > > tools/virtiofsd/passthrough_ll.c | 22 ++++++++++++++++------
> > > > > 1 file changed, 16 insertions(+), 6 deletions(-)
> > > > >
> > > > > diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
> > > > > index 9f5cd98fb5..0c9084ea15 100644
> > > > > --- a/tools/virtiofsd/passthrough_ll.c
> > > > > +++ b/tools/virtiofsd/passthrough_ll.c
> > > > > @@ -122,6 +122,7 @@ struct lo_inode {
> > > > > struct lo_cred {
> > > > > uid_t euid;
> > > > > gid_t egid;
> > > > > + mode_t umask;
> > > > > };
> > > > >
> > > > > enum {
> > > > > @@ -172,6 +173,8 @@ struct lo_data {
> > > > > /* An O_PATH file descriptor to /proc/self/fd/ */
> > > > > int proc_self_fd;
> > > > > int user_killpriv_v2, killpriv_v2;
> > > > > + /* If set, virtiofsd is responsible for setting umask during creation */
> > > > > + bool change_umask;
> > > > > };
> > > > >
> > > > > static const struct fuse_opt lo_opts[] = {
> > > > > @@ -1134,7 +1137,8 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
> > > > > * ownership of caller.
> > > > > * TODO: What about selinux context?
> > > > > */
> > > > > -static int lo_change_cred(fuse_req_t req, struct lo_cred *old)
> > > > > +static int lo_change_cred(fuse_req_t req, struct lo_cred *old,
> > > > > + bool change_umask)
> > > > > {
> > > > > int res;
> > > > >
> > > > > @@ -1154,11 +1158,14 @@ static int lo_change_cred(fuse_req_t req, struct lo_cred *old)
> > > > > return errno_save;
> > > > > }
> > > > >
> > > > > + if (change_umask) {
> > > > > + old->umask = umask(req->ctx.umask);
> > > > > + }
> > > > > return 0;
> > > > > }
> > > > >
> > > > > /* Regain Privileges */
> > > > > -static void lo_restore_cred(struct lo_cred *old)
> > > > > +static void lo_restore_cred(struct lo_cred *old, bool restore_umask)
> > > > > {
> > > > > int res;
> > > > >
> > > > > @@ -1173,6 +1180,9 @@ static void lo_restore_cred(struct lo_cred *old)
> > > > > fuse_log(FUSE_LOG_ERR, "setegid(%u): %m\n", old->egid);
> > > > > exit(1);
> > > > > }
> > > > > +
> > > > > + if (restore_umask)
> > > > > + umask(old->umask);
> > > > > }
> > > > >
> > > > > static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent,
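Review bot: `umask(old->umask)` in lo_restore_cred() reads a field that lo_change_cred() only writes when its change_umask argument was true, so a caller that passes different values to the two functions restores an uninitialised mask. Consider recording in struct lo_cred whether the umask was saved and dropping the restore_umask parameter, or at least initialising old->umask. Also, `if (restore_umask)` has no braces while the matching `if (change_umask) {` in lo_change_cred() does; please add them here too.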
> > > > > @@ -1202,7 +1212,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent,
> > > > > return;
> > > > > }
> > > > >
> > > > > - saverr = lo_change_cred(req, &old);
> > > > > + saverr = lo_change_cred(req, &old, lo->change_umask && !S_ISLNK(mode));
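Review bot: The `!S_ISLNK(mode)` term in the lo_change_cred() call has no comment, and inside a function named lo_mknod_symlink() it is not obvious when it is true. A short comment saying that this function also serves the mknod and mkdir paths and that the umask switch is skipped only for symlinks would help. Computing the condition once into a local bool would also let the matching lo_restore_cred() call, which is not in the quoted lines, take the identical value.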
> > > >
> > > > Can you explain what these ISLNK checks are for (inside mknod_symlink, so
> > > > is that always true or irrelevant?)
> > >
> > > I think I put this check in because if we are creating symlink then we
> > > don't have to change umask as symlink will always get some fixed
> > > mode (usually 777) and umask will not have an effect. So this is
> > > just an optimization to avoid switching umask in some cases. I
> > > can't think of any other reason.
> >
> > But this is in 'lo_mknod_symlink' - so when do we call that except for
> > making symlinks?
>
> I think it is called for other mknod paths as well and not limited to
> symlink only.
>
>
> static void lo_mknod(fuse_req_t req, fuse_ino_t parent, const char *name,
>                      mode_t mode, dev_t rdev)
> {
>     lo_mknod_symlink(req, parent, name, mode, rdev, NULL);
> }
>
> static void lo_mkdir(fuse_req_t req, fuse_ino_t parent, const char *name,
>                      mode_t mode)
> {
>     lo_mknod_symlink(req, parent, name, S_IFDIR | mode, 0, NULL);
> }
>
> static void lo_symlink(fuse_req_t req, const char *link, fuse_ino_t parent,
>                        const char *name)
> {
>     lo_mknod_symlink(req, parent, name, S_IFLNK, 0, link);
> }

Oh, I see, yeh that confused me - it all then goes through
mknod_wrapper.

Right,

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

> Vivek
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
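
The save/switch/restore pattern and the symlink question discussed in this thread, as an added example that is not code from the patch or from virtiofsd: it creates a regular file, a directory and a symlink under a requester-supplied umask on Linux and reports the permission bits each one ends up with. The helper name created_perms() and the /tmp scratch path are assumptions made for the illustration, and the scratch directory is assumed to have no default ACL.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not virtiofsd code): create one object in a scratch
 * directory under req_umask, restore the old umask, and return the
 * permission bits the kernel gave the object (-1 on error). */
static int created_perms(mode_t mode, mode_t req_umask)
{
    char dir[] = "/tmp/umask-demo-XXXXXX"; /* constructed scratch path */
    char path[64];
    struct stat st;
    int res, perms = -1;
    int switch_umask = !S_ISLNK(mode); /* same skip as the quoted hunk */
    mode_t old = 0;

    if (!mkdtemp(dir)) {
        return -1;
    }
    snprintf(path, sizeof(path), "%s/obj", dir);
    if (switch_umask) {
        old = umask(req_umask); /* umask() returns the previous mask */
    }
    if (S_ISDIR(mode)) {
        res = mkdir(path, mode & 0777);
    } else if (S_ISLNK(mode)) {
        res = symlink("target", path);
    } else {
        res = mknod(path, mode, 0);
    }
    if (switch_umask) {
        umask(old); /* restore before any other work */
    }
    if (res == 0 && lstat(path, &st) == 0) {
        perms = st.st_mode & 0777;
    }
    remove(path); /* unlink() or rmdir(), whichever applies */
    rmdir(dir);
    return perms;
}

int main(void)
{
    printf("file %04o, dir %04o, symlink %04o\n", created_perms(S_IFREG | 0666, 027),
           created_perms(S_IFDIR | 0777, 027), created_perms(S_IFLNK, 027));
    return 0;
}
```

The example is single-threaded, so it changes the process-wide umask; virtiofsd can do this per request only because, as the commit message notes, each of its threads has called unshare(CLONE_FS).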