From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: virtio-fs@redhat.com, qemu-devel@nongnu.org
Subject: Re: [Virtio-fs] [PATCH v5 8/9] virtiofsd: Create new file using O_TMPFILE and set security context
Date: Mon, 7 Feb 2022 12:23:56 +0000 [thread overview]
Message-ID: <YgEPXBy6bPfCPjc1@work-vm> (raw)
In-Reply-To: <20220202193935.268777-9-vgoyal@redhat.com>
* Vivek Goyal (vgoyal@redhat.com) wrote:
> If guest and host policies can't work with each other, then guest security
> context (selinux label) needs to be set into an xattr. Say remap guest
> security.selinux xattr to trusted.virtiofs.security.selinux.
>
> That means setting "fscreate" is not going to help as that's ony useful
> for security.selinux xattr on host.
>
> So we need another method which is atomic. Use O_TMPFILE to create new
> file, set xattr and then linkat() to proper place.
>
> But this works only for regular files. So dir, symlinks will continue
> to be non-atomic.
>
> Also if host filesystem does not support O_TMPFILE, we fallback to
> non-atomic behavior.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> ---
> tools/virtiofsd/passthrough_ll.c | 80 ++++++++++++++++++++++++++++----
> 1 file changed, 72 insertions(+), 8 deletions(-)
>
> diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
> index acb99aa2fc..43c9b6dbe5 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -2153,14 +2153,29 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
>
> static int do_create_nosecctx(fuse_req_t req, struct lo_inode *parent_inode,
> const char *name, mode_t mode,
> - struct fuse_file_info *fi, int *open_fd)
> + struct fuse_file_info *fi, int *open_fd,
> + bool tmpfile)
> {
> int err, fd;
> struct lo_cred old = {};
> struct lo_data *lo = lo_data(req);
> int flags;
>
> - flags = fi->flags | O_CREAT | O_EXCL;
> + if (tmpfile) {
> + flags = fi->flags | O_TMPFILE;
> + /*
> + * Don't use O_EXCL as we want to link file later. Also reset O_CREAT
> + * otherwise openat() returns -EINVAL.
> + */
> + flags &= ~(O_CREAT | O_EXCL);
> +
> + /* O_TMPFILE needs either O_RDWR or O_WRONLY */
> + if ((flags & O_ACCMODE) == O_RDONLY) {
> + flags |= O_RDWR;
> + }
> + } else {
> + flags = fi->flags | O_CREAT | O_EXCL;
> + }
>
> err = lo_change_cred(req, &old, lo->change_umask);
> if (err) {
> @@ -2191,7 +2206,7 @@ static int do_create_secctx_fscreate(fuse_req_t req,
> return err;
> }
>
> - err = do_create_nosecctx(req, parent_inode, name, mode, fi, &fd);
> + err = do_create_nosecctx(req, parent_inode, name, mode, fi, &fd, false);
>
> close_reset_proc_fscreate(fscreate_fd);
> if (!err) {
> @@ -2200,6 +2215,44 @@ static int do_create_secctx_fscreate(fuse_req_t req,
> return err;
> }
>
> +static int do_create_secctx_tmpfile(fuse_req_t req,
> + struct lo_inode *parent_inode,
> + const char *name, mode_t mode,
> + struct fuse_file_info *fi,
> + const char *secctx_name, int *open_fd)
> +{
> + int err, fd = -1;
> + struct lo_data *lo = lo_data(req);
> + char procname[64];
> +
> + err = do_create_nosecctx(req, parent_inode, ".", mode, fi, &fd, true);
> + if (err) {
> + return err;
> + }
> +
> + err = fsetxattr(fd, secctx_name, req->secctx.ctx, req->secctx.ctxlen, 0);
> + if (err) {
> + err = errno;
> + goto out;
> + }
> +
> + /* Security context set on file. Link it in place */
> + sprintf(procname, "%d", fd);
> + FCHDIR_NOFAIL(lo->proc_self_fd);
> + err = linkat(AT_FDCWD, procname, parent_inode->fd, name,
> + AT_SYMLINK_FOLLOW);
> + err = err == -1 ? errno : 0;
> + FCHDIR_NOFAIL(lo->root.fd);
> +
> +out:
> + if (!err) {
> + *open_fd = fd;
> + } else if (fd != -1) {
> + close(fd);
> + }
> + return err;
> +}
> +
> static int do_create_secctx_noatomic(fuse_req_t req,
> struct lo_inode *parent_inode,
> const char *name, mode_t mode,
> @@ -2208,7 +2261,7 @@ static int do_create_secctx_noatomic(fuse_req_t req,
> {
> int err = 0, fd = -1;
>
> - err = do_create_nosecctx(req, parent_inode, name, mode, fi, &fd);
> + err = do_create_nosecctx(req, parent_inode, name, mode, fi, &fd, false);
> if (err) {
> goto out;
> }
> @@ -2250,20 +2303,31 @@ static int do_lo_create(fuse_req_t req, struct lo_inode *parent_inode,
> if (secctx_enabled) {
> /*
> * If security.selinux has not been remapped and selinux is enabled,
> - * use fscreate to set context before file creation.
> - * Otherwise fallback to non-atomic method of file creation
> - * and xattr settting.
> + * use fscreate to set context before file creation. If not, use
> + * tmpfile method for regular files. Otherwise fallback to
> + * non-atomic method of file creation and xattr settting.
> */
> if (!mapped_name && lo->use_fscreate) {
> err = do_create_secctx_fscreate(req, parent_inode, name, mode, fi,
> open_fd);
> goto out;
> + } else if (S_ISREG(mode)) {
> + err = do_create_secctx_tmpfile(req, parent_inode, name, mode, fi,
> + ctxname, open_fd);
> + /*
> + * If filesystem does not support O_TMPFILE, fallback to non-atomic
> + * method.
> + */
> + if (!err || err != EOPNOTSUPP) {
> + goto out;
> + }
> }
>
> err = do_create_secctx_noatomic(req, parent_inode, name, mode, fi,
> ctxname, open_fd);
> } else {
> - err = do_create_nosecctx(req, parent_inode, name, mode, fi, open_fd);
> + err = do_create_nosecctx(req, parent_inode, name, mode, fi, open_fd,
> + false);
> }
>
> out:
> --
> 2.34.1
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
WARNING: multiple messages have this Message-ID (diff)
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>
Cc: virtio-fs@redhat.com, mszeredi@redhat.com, qemu-devel@nongnu.org
Subject: Re: [PATCH v5 8/9] virtiofsd: Create new file using O_TMPFILE and set security context
Date: Mon, 7 Feb 2022 12:23:56 +0000 [thread overview]
Message-ID: <YgEPXBy6bPfCPjc1@work-vm> (raw)
In-Reply-To: <20220202193935.268777-9-vgoyal@redhat.com>
* Vivek Goyal (vgoyal@redhat.com) wrote:
> If guest and host policies can't work with each other, then guest security
> context (selinux label) needs to be set into an xattr. Say remap guest
> security.selinux xattr to trusted.virtiofs.security.selinux.
>
> That means setting "fscreate" is not going to help as that's ony useful
> for security.selinux xattr on host.
>
> So we need another method which is atomic. Use O_TMPFILE to create new
> file, set xattr and then linkat() to proper place.
>
> But this works only for regular files. So dir, symlinks will continue
> to be non-atomic.
>
> Also if host filesystem does not support O_TMPFILE, we fallback to
> non-atomic behavior.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> ---
> tools/virtiofsd/passthrough_ll.c | 80 ++++++++++++++++++++++++++++----
> 1 file changed, 72 insertions(+), 8 deletions(-)
>
> diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
> index acb99aa2fc..43c9b6dbe5 100644
> --- a/tools/virtiofsd/passthrough_ll.c
> +++ b/tools/virtiofsd/passthrough_ll.c
> @@ -2153,14 +2153,29 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
>
> static int do_create_nosecctx(fuse_req_t req, struct lo_inode *parent_inode,
> const char *name, mode_t mode,
> - struct fuse_file_info *fi, int *open_fd)
> + struct fuse_file_info *fi, int *open_fd,
> + bool tmpfile)
> {
> int err, fd;
> struct lo_cred old = {};
> struct lo_data *lo = lo_data(req);
> int flags;
>
> - flags = fi->flags | O_CREAT | O_EXCL;
> + if (tmpfile) {
> + flags = fi->flags | O_TMPFILE;
> + /*
> + * Don't use O_EXCL as we want to link file later. Also reset O_CREAT
> + * otherwise openat() returns -EINVAL.
> + */
> + flags &= ~(O_CREAT | O_EXCL);
> +
> + /* O_TMPFILE needs either O_RDWR or O_WRONLY */
> + if ((flags & O_ACCMODE) == O_RDONLY) {
> + flags |= O_RDWR;
> + }
> + } else {
> + flags = fi->flags | O_CREAT | O_EXCL;
> + }
>
> err = lo_change_cred(req, &old, lo->change_umask);
> if (err) {
> @@ -2191,7 +2206,7 @@ static int do_create_secctx_fscreate(fuse_req_t req,
> return err;
> }
>
> - err = do_create_nosecctx(req, parent_inode, name, mode, fi, &fd);
> + err = do_create_nosecctx(req, parent_inode, name, mode, fi, &fd, false);
>
> close_reset_proc_fscreate(fscreate_fd);
> if (!err) {
> @@ -2200,6 +2215,44 @@ static int do_create_secctx_fscreate(fuse_req_t req,
> return err;
> }
>
> +static int do_create_secctx_tmpfile(fuse_req_t req,
> + struct lo_inode *parent_inode,
> + const char *name, mode_t mode,
> + struct fuse_file_info *fi,
> + const char *secctx_name, int *open_fd)
> +{
> + int err, fd = -1;
> + struct lo_data *lo = lo_data(req);
> + char procname[64];
> +
> + err = do_create_nosecctx(req, parent_inode, ".", mode, fi, &fd, true);
> + if (err) {
> + return err;
> + }
> +
> + err = fsetxattr(fd, secctx_name, req->secctx.ctx, req->secctx.ctxlen, 0);
> + if (err) {
> + err = errno;
> + goto out;
> + }
> +
> + /* Security context set on file. Link it in place */
> + sprintf(procname, "%d", fd);
> + FCHDIR_NOFAIL(lo->proc_self_fd);
> + err = linkat(AT_FDCWD, procname, parent_inode->fd, name,
> + AT_SYMLINK_FOLLOW);
> + err = err == -1 ? errno : 0;
> + FCHDIR_NOFAIL(lo->root.fd);
> +
> +out:
> + if (!err) {
> + *open_fd = fd;
> + } else if (fd != -1) {
> + close(fd);
> + }
> + return err;
> +}
> +
> static int do_create_secctx_noatomic(fuse_req_t req,
> struct lo_inode *parent_inode,
> const char *name, mode_t mode,
> @@ -2208,7 +2261,7 @@ static int do_create_secctx_noatomic(fuse_req_t req,
> {
> int err = 0, fd = -1;
>
> - err = do_create_nosecctx(req, parent_inode, name, mode, fi, &fd);
> + err = do_create_nosecctx(req, parent_inode, name, mode, fi, &fd, false);
> if (err) {
> goto out;
> }
> @@ -2250,20 +2303,31 @@ static int do_lo_create(fuse_req_t req, struct lo_inode *parent_inode,
> if (secctx_enabled) {
> /*
> * If security.selinux has not been remapped and selinux is enabled,
> - * use fscreate to set context before file creation.
> - * Otherwise fallback to non-atomic method of file creation
> - * and xattr settting.
> + * use fscreate to set context before file creation. If not, use
> + * tmpfile method for regular files. Otherwise fallback to
> + * non-atomic method of file creation and xattr settting.
> */
> if (!mapped_name && lo->use_fscreate) {
> err = do_create_secctx_fscreate(req, parent_inode, name, mode, fi,
> open_fd);
> goto out;
> + } else if (S_ISREG(mode)) {
> + err = do_create_secctx_tmpfile(req, parent_inode, name, mode, fi,
> + ctxname, open_fd);
> + /*
> + * If filesystem does not support O_TMPFILE, fallback to non-atomic
> + * method.
> + */
> + if (!err || err != EOPNOTSUPP) {
> + goto out;
> + }
> }
>
> err = do_create_secctx_noatomic(req, parent_inode, name, mode, fi,
> ctxname, open_fd);
> } else {
> - err = do_create_nosecctx(req, parent_inode, name, mode, fi, open_fd);
> + err = do_create_nosecctx(req, parent_inode, name, mode, fi, open_fd,
> + false);
> }
>
> out:
> --
> 2.34.1
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
next prev parent reply other threads:[~2022-02-07 12:23 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-02 19:39 [Virtio-fs] [PATCH v5 0/9] virtiofsd: Add support for file security context at file creation Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-02 19:39 ` [Virtio-fs] [PATCH v5 1/9] virtiofsd: Fix breakage due to fuse_init_in size change Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-02 19:39 ` [Virtio-fs] [PATCH v5 2/9] linux-headers: Update headers to v5.17-rc1 Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-02 19:39 ` [Virtio-fs] [PATCH v5 3/9] virtiofsd: Parse extended "struct fuse_init_in" Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-03 18:56 ` [Virtio-fs] " Dr. David Alan Gilbert
2022-02-03 18:56 ` Dr. David Alan Gilbert
2022-02-07 13:31 ` [Virtio-fs] " Vivek Goyal
2022-02-07 13:31 ` Vivek Goyal
2022-02-02 19:39 ` [Virtio-fs] [PATCH v5 4/9] virtiofsd: Extend size of fuse_conn_info->capable and ->want fields Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-02 19:39 ` [Virtio-fs] [PATCH v5 5/9] virtiofsd, fuse_lowlevel.c: Add capability to parse security context Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-03 19:41 ` [Virtio-fs] " Dr. David Alan Gilbert
2022-02-03 19:41 ` Dr. David Alan Gilbert
2022-02-07 13:47 ` [Virtio-fs] " Vivek Goyal
2022-02-07 13:47 ` Vivek Goyal
2022-02-02 19:39 ` [Virtio-fs] [PATCH v5 6/9] virtiofsd: Move core file creation code in separate function Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-02 19:39 ` [Virtio-fs] [PATCH v5 7/9] virtiofsd: Create new file with fscreate set Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-07 11:38 ` [Virtio-fs] " Dr. David Alan Gilbert
2022-02-07 11:38 ` Dr. David Alan Gilbert
2022-02-07 14:07 ` [Virtio-fs] " Vivek Goyal
2022-02-07 14:07 ` Vivek Goyal
2022-02-02 19:39 ` [Virtio-fs] [PATCH v5 8/9] virtiofsd: Create new file using O_TMPFILE and set security context Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-07 12:23 ` Dr. David Alan Gilbert [this message]
2022-02-07 12:23 ` Dr. David Alan Gilbert
2022-02-02 19:39 ` [Virtio-fs] [PATCH v5 9/9] virtiofsd: Add an option to enable/disable security label Vivek Goyal
2022-02-02 19:39 ` Vivek Goyal
2022-02-07 12:40 ` [Virtio-fs] " Dr. David Alan Gilbert
2022-02-07 12:40 ` Dr. David Alan Gilbert
2022-02-07 14:13 ` [Virtio-fs] " Vivek Goyal
2022-02-07 14:13 ` Vivek Goyal
2022-02-07 12:49 ` [Virtio-fs] [PATCH v5 0/9] virtiofsd: Add support for file security context at file creation Dr. David Alan Gilbert
2022-02-07 12:49 ` Dr. David Alan Gilbert
2022-02-07 14:30 ` [Virtio-fs] " Vivek Goyal
2022-02-07 14:30 ` Vivek Goyal
2022-02-07 16:06 ` [Virtio-fs] " Dr. David Alan Gilbert
2022-02-07 16:06 ` Dr. David Alan Gilbert
2022-02-07 13:05 ` [Virtio-fs] " Daniel P. Berrangé
2022-02-07 13:05 ` Daniel P. Berrangé
2022-02-07 13:24 ` [Virtio-fs] " Vivek Goyal
2022-02-07 13:24 ` Vivek Goyal
2022-02-07 13:30 ` [Virtio-fs] " Daniel P. Berrangé
2022-02-07 13:30 ` Daniel P. Berrangé
2022-02-07 14:50 ` [Virtio-fs] " Vivek Goyal
2022-02-07 14:50 ` Vivek Goyal
2022-02-07 21:19 ` [Virtio-fs] " Vivek Goyal
2022-02-07 21:19 ` Vivek Goyal
2022-02-07 21:34 ` [Virtio-fs] " Daniel Walsh
2022-02-07 21:34 ` Daniel Walsh
2022-02-08 8:59 ` [Virtio-fs] " Daniel P. Berrangé
2022-02-08 8:59 ` Daniel P. Berrangé
2022-02-09 10:24 ` [Virtio-fs] " German Maglione
2022-02-09 15:08 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YgEPXBy6bPfCPjc1@work-vm \
--to=dgilbert@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=vgoyal@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.