[PATCH v4 0/1] linux-user: add openat2 support in linux-user

[PATCH v4 0/1] linux-user: add openat2 support in linux-user

[Michael Vogt]

Hi,

This is v4 of the openat2 support in linux-user. Thanks again for the
excellent second round of feedback from Richard Henderson.

The code is identical to the previous v3 and I only fixed two typos in
the commit message. I'm sending v4 because in v3 I forgot to add
"--threaded" when generating the coverletter/patch which makes it a bit
awkward to review and it does not show up properly on
e.g. https://patchew.org/QEMU/. My apologies for this mistake.

This version tries to be closer to the kernels behavior, i.e. now
do_openat2() uses a new copy_struct_from_user() helper that is very
similar to the kernels. This lead me to also drop incuding openat2.h
(as was originally suggested in the v1 review). It now contains it as
a copy named `struct open_how_ver0` and with that we can LOG_UNIMP if
the struct ever grows and qemu-user needs updating.

To answer the question why "maybe_do_fake_open()" uses a
"use_returned_fd" bool instead of just returning "-1": I wanted to be
as close as possible to the previous behavior and maybe_fake_open()
could in theory return "-1" for failures in memfd_create() or
mkstemp() or fake_open->fill(). In those cases the old code in
do_guest_openat() failed and returned the error but the new code would
just see a -1 and continue trying to open a special file that should
have been faked. Maybe I did overthink this as it's very
corner-case-y. Advise is welcome here, happy to change back or
simplify in other ways.

Thanks again,
 Michael

v3 -> v4:
- fix typos in the commit message

v2 -> v3:
- fix coding style (braches)
- improve argument args/naming in do_openat2()
- merge do_openat2/do_guest_openat2
- do size checks first in do_openat2
- add "copy_struct_from_user" and use in "do_openat2()"
- drop using openat2.h and create "struct open_how_v0"
- log if open_how guest struct is bigger than our supported struct

v1 -> v2:
- do not include <sys/syscall.h>
- drop do_guest_openat2 from qemu.h and make static
- drop "safe" from do_guest_openat2
- ensure maybe_do_fake_open() is correct about when the result should
  be used or not
- Extract do_openat2() helper from do_syscall1()
- Call user_unlock* if a lock call fails
- Fix silly incorrect use of "target_open_how" when "open_how" is required
- Fix coding style comments
- Fix validation of arg4 in openat2
- Fix missing zero initialization of open_how
- Define target_open_how with abi_* types
- Warn about unimplemented size if "size" of openat2 is bigger than
  target_open_how


Michael Vogt (1):
  linux-user: add openat2 support in linux-user

 linux-user/syscall.c      | 116 ++++++++++++++++++++++++++++++++++++--
 linux-user/syscall_defs.h |   7 +++
 2 files changed, 119 insertions(+), 4 deletions(-)

-- 
2.45.2

[PATCH v4 1/1] linux-user: add openat2 support in linux-user

[Michael Vogt]

This commit adds support for the `openat2()` syscall in the
`linux-user` userspace emulator.

It is implemented by extracting a new helper `maybe_do_fake_open()`
out of the exiting `do_guest_openat()` and share that with the
new `do_guest_openat2()`. Unfortunately we cannot just make
do_guest_openat2() a superset of do_guest_openat() because the
openat2() syscall is stricter with the argument checking and
will return an error for invalid flags or mode combinations (which
open()/openat() will ignore).

The implementation is similar to SYSCALL_DEFINE(openat2), i.e.
a new `copy_struct_from_user()` is used that works the same
as the kernels version to support backwards-compatibility
for struct syscall argument.

Instead of including openat2.h we create a copy of `open_how`
as `open_how_ver0` to ensure that if the structure grows we
can log a LOG_UNIMP warning.

Note that in this commit using openat2() for a "faked" file in
/proc will ignore the "resolve" flags. This is not great but it
seems similar to the exiting behavior when openat() is called
with a dirfd to "/proc". Here too the fake file lookup may
not catch the special file because "realpath()" is used to
determine if the path is in /proc. Alternatively to ignoring
we could simply fail with `-TARGET_ENOSYS` (or similar) if
`resolve` flags are passed and we found something that looks
like a file in /proc that needs faking.

Signed-off-by: Michael Vogt <mvogt@redhat.com>
Buglink: https://github.com/osbuild/bootc-image-builder/issues/619
---
 linux-user/syscall.c      | 116 ++++++++++++++++++++++++++++++++++++--
 linux-user/syscall_defs.h |   7 +++
 2 files changed, 119 insertions(+), 4 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 9d5415674d..83c944508b 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -602,6 +602,34 @@ static int check_zeroed_user(abi_long addr, size_t ksize, size_t usize)
     return 1;
 }
 
+/*
+ * Copies a target struct to a host struct, in a way that guarantees
+ * backwards-compatibility for struct syscall arguments.
+ *
+ * Similar to kernels uaccess.h:copy_struct_from_user()
+ */
+static int
+copy_struct_from_user(void *dst, size_t ksize, abi_ptr src, size_t usize)
+{
+    size_t size = MIN(ksize, usize);
+    size_t rest = MAX(ksize, usize) - size;
+
+    /* Deal with trailing bytes. */
+    if (usize < ksize) {
+        memset(dst + size, 0, rest);
+    } else if (usize > ksize) {
+        int ret = check_zeroed_user(src, ksize, usize);
+        if (ret <= 0) {
+            return ret ?: -TARGET_E2BIG;
+        }
+    }
+    /* Copy the interoperable parts of the struct. */
+    if (copy_from_user(dst, src, size)) {
+        return -TARGET_EFAULT;
+    }
+    return 0;
+}
+
 #define safe_syscall0(type, name) \
 static type safe_##name(void) \
 { \
@@ -653,6 +681,15 @@ safe_syscall3(ssize_t, read, int, fd, void *, buff, size_t, count)
 safe_syscall3(ssize_t, write, int, fd, const void *, buff, size_t, count)
 safe_syscall4(int, openat, int, dirfd, const char *, pathname, \
               int, flags, mode_t, mode)
+
+struct open_how_ver0 {
+    __u64 flags;
+    __u64 mode;
+    __u64 resolve;
+};
+safe_syscall4(int, openat2, int, dirfd, const char *, pathname, \
+              const struct open_how_ver0 *, how, size_t, size)
+
 #if defined(TARGET_NR_wait4) || defined(TARGET_NR_waitpid)
 safe_syscall4(pid_t, wait4, pid_t, pid, int *, status, int, options, \
               struct rusage *, rusage)
@@ -8334,8 +8371,9 @@ static int open_net_route(CPUArchState *cpu_env, int fd)
 }
 #endif
 
-int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
-                    int flags, mode_t mode, bool safe)
+static int maybe_do_fake_open(CPUArchState *cpu_env, int dirfd,
+                              const char *fname, int flags, mode_t mode,
+                              bool safe, bool *use_returned_fd)
 {
     g_autofree char *proc_name = NULL;
     const char *pathname;
@@ -8362,6 +8400,7 @@ int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
 #endif
         { NULL, NULL, NULL }
     };
+    *use_returned_fd = true;
 
     /* if this is a file from /proc/ filesystem, expand full name */
     proc_name = realpath(fname, NULL);
@@ -8418,13 +8457,77 @@ int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
         return fd;
     }
 
+    *use_returned_fd = false;
+    return -1;
+}
+
+int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
+                    int flags, mode_t mode, bool safe)
+{
+    bool use_returned_fd;
+    int fd = maybe_do_fake_open(cpu_env, dirfd, fname, flags, mode, safe,
+                                &use_returned_fd);
+    if (use_returned_fd) {
+        return fd;
+    }
+
     if (safe) {
-        return safe_openat(dirfd, path(pathname), flags, mode);
+        return safe_openat(dirfd, path(fname), flags, mode);
     } else {
-        return openat(dirfd, path(pathname), flags, mode);
+        return openat(dirfd, path(fname), flags, mode);
     }
 }
 
+
+static int do_openat2(CPUArchState *cpu_env, abi_long dirfd,
+                      abi_ptr guest_pathname, abi_ptr guest_open_how,
+                      abi_long guest_size)
+{
+    struct open_how_ver0 how = {0};
+    int ret;
+
+    if (guest_size < sizeof(struct target_open_how_ver0)) {
+        return -TARGET_EINVAL;
+    }
+    ret = copy_struct_from_user(&how, sizeof(how), guest_open_how, guest_size);
+    if (ret) {
+        if (ret == -TARGET_E2BIG) {
+            qemu_log_mask(LOG_UNIMP,
+                          "Unimplemented openat2 open_how size: %lu\n",
+                          guest_size);
+        }
+        return ret;
+    }
+    char *pathname = lock_user_string(guest_pathname);
+    if (!pathname) {
+        return -TARGET_EFAULT;
+    }
+
+    how.flags = target_to_host_bitmask(how.flags, fcntl_flags_tbl);
+    how.mode = tswap64(how.mode);
+    how.resolve = tswap64(how.resolve);
+
+    /*
+     * Ideally we would pass "how->resolve" flags into this helper too but
+     * the lookup for files that need faking is based on "realpath()" so
+     * neither a dirfd for "proc" nor restrictions via "resolve" flags can
+     * be honored right now.
+     */
+    bool use_returned_fd;
+    int fd = maybe_do_fake_open(cpu_env, dirfd, pathname, how.flags, how.mode,
+                                true, &use_returned_fd);
+    if (use_returned_fd) {
+        return fd;
+    } else {
+        ret = get_errno(safe_openat2(dirfd, pathname, &how,
+                                     sizeof(struct open_how_ver0)));
+    }
+
+    fd_trans_unregister(ret);
+    unlock_user(pathname, guest_pathname, 0);
+    return ret;
+}
+
 ssize_t do_guest_readlink(const char *pathname, char *buf, size_t bufsiz)
 {
     ssize_t ret;
@@ -9197,6 +9300,11 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
         fd_trans_unregister(ret);
         unlock_user(p, arg2, 0);
         return ret;
+#if defined(TARGET_NR_openat2)
+    case TARGET_NR_openat2:
+        ret = do_openat2(cpu_env, arg1, arg2, arg3, arg4);
+        return ret;
+#endif
 #if defined(TARGET_NR_name_to_handle_at) && defined(CONFIG_OPEN_BY_HANDLE)
     case TARGET_NR_name_to_handle_at:
         ret = do_name_to_handle_at(arg1, arg2, arg3, arg4, arg5);
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index a00b617cae..74abcb4613 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2754,4 +2754,11 @@ struct target_sched_param {
     abi_int sched_priority;
 };
 
+/* from kernel's include/uapi/linux/openat2.h */
+struct target_open_how_ver0 {
+    abi_ullong flags;
+    abi_ullong mode;
+    abi_ullong resolve;
+};
+
 #endif
-- 
2.45.2

Re: [PATCH v4 0/1] linux-user: add openat2 support in linux-user

[Michael Vogt]

[-- Attachment #1: Type: text/plain, Size: 3232 bytes --]

friendly ping (see also
https://patchew.org/QEMU/cover.1725607795.git.mvogt@redhat.com/)

Please let me know if there is anything I can do to make this easier to
review or if I should split or help otherwise.

On Fri, Sep 6, 2024 at 9:39 AM Michael Vogt <michael.vogt@gmail.com> wrote:

> Hi,
>
> This is v4 of the openat2 support in linux-user. Thanks again for the
> excellent second round of feedback from Richard Henderson.
>
> The code is identical to the previous v3 and I only fixed two typos in
> the commit message. I'm sending v4 because in v3 I forgot to add
> "--threaded" when generating the coverletter/patch which makes it a bit
> awkward to review and it does not show up properly on
> e.g. https://patchew.org/QEMU/. My apologies for this mistake.
>
> This version tries to be closer to the kernels behavior, i.e. now
> do_openat2() uses a new copy_struct_from_user() helper that is very
> similar to the kernels. This lead me to also drop incuding openat2.h
> (as was originally suggested in the v1 review). It now contains it as
> a copy named `struct open_how_ver0` and with that we can LOG_UNIMP if
> the struct ever grows and qemu-user needs updating.
>
> To answer the question why "maybe_do_fake_open()" uses a
> "use_returned_fd" bool instead of just returning "-1": I wanted to be
> as close as possible to the previous behavior and maybe_fake_open()
> could in theory return "-1" for failures in memfd_create() or
> mkstemp() or fake_open->fill(). In those cases the old code in
> do_guest_openat() failed and returned the error but the new code would
> just see a -1 and continue trying to open a special file that should
> have been faked. Maybe I did overthink this as it's very
> corner-case-y. Advise is welcome here, happy to change back or
> simplify in other ways.
>
> Thanks again,
>  Michael
>
> v3 -> v4:
> - fix typos in the commit message
>
> v2 -> v3:
> - fix coding style (braches)
> - improve argument args/naming in do_openat2()
> - merge do_openat2/do_guest_openat2
> - do size checks first in do_openat2
> - add "copy_struct_from_user" and use in "do_openat2()"
> - drop using openat2.h and create "struct open_how_v0"
> - log if open_how guest struct is bigger than our supported struct
>
> v1 -> v2:
> - do not include <sys/syscall.h>
> - drop do_guest_openat2 from qemu.h and make static
> - drop "safe" from do_guest_openat2
> - ensure maybe_do_fake_open() is correct about when the result should
>   be used or not
> - Extract do_openat2() helper from do_syscall1()
> - Call user_unlock* if a lock call fails
> - Fix silly incorrect use of "target_open_how" when "open_how" is required
> - Fix coding style comments
> - Fix validation of arg4 in openat2
> - Fix missing zero initialization of open_how
> - Define target_open_how with abi_* types
> - Warn about unimplemented size if "size" of openat2 is bigger than
>   target_open_how
>
>
> Michael Vogt (1):
>   linux-user: add openat2 support in linux-user
>
>  linux-user/syscall.c      | 116 ++++++++++++++++++++++++++++++++++++--
>  linux-user/syscall_defs.h |   7 +++
>  2 files changed, 119 insertions(+), 4 deletions(-)
>
> --
> 2.45.2
>
>

[-- Attachment #2: Type: text/html, Size: 4007 bytes --]

Re: [PATCH v4 1/1] linux-user: add openat2 support in linux-user

[Laurent Vivier]

Le 06/09/2024 à 09:39, Michael Vogt a écrit :
> This commit adds support for the `openat2()` syscall in the
> `linux-user` userspace emulator.
> 
> It is implemented by extracting a new helper `maybe_do_fake_open()`
> out of the exiting `do_guest_openat()` and share that with the
> new `do_guest_openat2()`. Unfortunately we cannot just make
> do_guest_openat2() a superset of do_guest_openat() because the
> openat2() syscall is stricter with the argument checking and
> will return an error for invalid flags or mode combinations (which
> open()/openat() will ignore).
> 
> The implementation is similar to SYSCALL_DEFINE(openat2), i.e.
> a new `copy_struct_from_user()` is used that works the same
> as the kernels version to support backwards-compatibility
> for struct syscall argument.
> 
> Instead of including openat2.h we create a copy of `open_how`
> as `open_how_ver0` to ensure that if the structure grows we
> can log a LOG_UNIMP warning.
> 
> Note that in this commit using openat2() for a "faked" file in
> /proc will ignore the "resolve" flags. This is not great but it
> seems similar to the exiting behavior when openat() is called
> with a dirfd to "/proc". Here too the fake file lookup may
> not catch the special file because "realpath()" is used to
> determine if the path is in /proc. Alternatively to ignoring
> we could simply fail with `-TARGET_ENOSYS` (or similar) if
> `resolve` flags are passed and we found something that looks
> like a file in /proc that needs faking.
> 
> Signed-off-by: Michael Vogt <mvogt@redhat.com>
> Buglink: https://github.com/osbuild/bootc-image-builder/issues/619
> ---
>   linux-user/syscall.c      | 116 ++++++++++++++++++++++++++++++++++++--
>   linux-user/syscall_defs.h |   7 +++
>   2 files changed, 119 insertions(+), 4 deletions(-)
> 
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 9d5415674d..83c944508b 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -602,6 +602,34 @@ static int check_zeroed_user(abi_long addr, size_t ksize, size_t usize)
>       return 1;
>   }
>   
> +/*
> + * Copies a target struct to a host struct, in a way that guarantees
> + * backwards-compatibility for struct syscall arguments.
> + *
> + * Similar to kernels uaccess.h:copy_struct_from_user()
> + */
> +static int
> +copy_struct_from_user(void *dst, size_t ksize, abi_ptr src, size_t usize)
> +{
> +    size_t size = MIN(ksize, usize);
> +    size_t rest = MAX(ksize, usize) - size;
> +
> +    /* Deal with trailing bytes. */
> +    if (usize < ksize) {
> +        memset(dst + size, 0, rest);
> +    } else if (usize > ksize) {
> +        int ret = check_zeroed_user(src, ksize, usize);
> +        if (ret <= 0) {
> +            return ret ?: -TARGET_E2BIG;
> +        }
> +    }
> +    /* Copy the interoperable parts of the struct. */
> +    if (copy_from_user(dst, src, size)) {
> +        return -TARGET_EFAULT;
> +    }
> +    return 0;
> +}
> +
>   #define safe_syscall0(type, name) \
>   static type safe_##name(void) \
>   { \
> @@ -653,6 +681,15 @@ safe_syscall3(ssize_t, read, int, fd, void *, buff, size_t, count)
>   safe_syscall3(ssize_t, write, int, fd, const void *, buff, size_t, count)
>   safe_syscall4(int, openat, int, dirfd, const char *, pathname, \
>                 int, flags, mode_t, mode)
> +
> +struct open_how_ver0 {
> +    __u64 flags;
> +    __u64 mode;
> +    __u64 resolve;
> +};
> +safe_syscall4(int, openat2, int, dirfd, const char *, pathname, \
> +              const struct open_how_ver0 *, how, size_t, size)
> +
>   #if defined(TARGET_NR_wait4) || defined(TARGET_NR_waitpid)
>   safe_syscall4(pid_t, wait4, pid_t, pid, int *, status, int, options, \
>                 struct rusage *, rusage)
> @@ -8334,8 +8371,9 @@ static int open_net_route(CPUArchState *cpu_env, int fd)
>   }
>   #endif
>   
> -int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
> -                    int flags, mode_t mode, bool safe)
> +static int maybe_do_fake_open(CPUArchState *cpu_env, int dirfd,
> +                              const char *fname, int flags, mode_t mode,
> +                              bool safe, bool *use_returned_fd)
>   {
>       g_autofree char *proc_name = NULL;
>       const char *pathname;
> @@ -8362,6 +8400,7 @@ int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
>   #endif
>           { NULL, NULL, NULL }
>       };
> +    *use_returned_fd = true;
>   
>       /* if this is a file from /proc/ filesystem, expand full name */
>       proc_name = realpath(fname, NULL);
> @@ -8418,13 +8457,77 @@ int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,
>           return fd;
>       }
>   
> +    *use_returned_fd = false;
> +    return -1;
> +}

I don't think you need the flag, you can return -2 in this case.
  >= 0 we found a fake file, use the fd
-1 -> error
-2 -> no fake file, no error, use your own fd

> +
> +int do_guest_openat(CPUArchState *cpu_env, int dirfd, const char *fname,

perhaps you can keep "pathname" for the parameter name rather than "fname" to have no change on the 
openat()/safe_openat() line (clearer diff?)?

> +                    int flags, mode_t mode, bool safe)
> +{
> +    bool use_returned_fd;
> +    int fd = maybe_do_fake_open(cpu_env, dirfd, fname, flags, mode, safe,
> +                                &use_returned_fd);
> +    if (use_returned_fd) {
> +        return fd;
> +    } > +
>       if (safe) {
> -        return safe_openat(dirfd, path(pathname), flags, mode);
> +        return safe_openat(dirfd, path(fname), flags, mode);
>       } else {
> -        return openat(dirfd, path(pathname), flags, mode);
> +        return openat(dirfd, path(fname), flags, mode);
>       }
>   }
>   
> +
> +static int do_openat2(CPUArchState *cpu_env, abi_long dirfd,
> +                      abi_ptr guest_pathname, abi_ptr guest_open_how,
> +                      abi_long guest_size)
> +{
> +    struct open_how_ver0 how = {0};
> +    int ret;
> +
> +    if (guest_size < sizeof(struct target_open_how_ver0)) {
> +        return -TARGET_EINVAL;
> +    }
> +    ret = copy_struct_from_user(&how, sizeof(how), guest_open_how, guest_size);
> +    if (ret) {
> +        if (ret == -TARGET_E2BIG) {
> +            qemu_log_mask(LOG_UNIMP,
> +                          "Unimplemented openat2 open_how size: %lu\n",
> +                          guest_size);
> +        }
> +        return ret;
> +    }
> +    char *pathname = lock_user_string(guest_pathname);
> +    if (!pathname) {
> +        return -TARGET_EFAULT;
> +    }
> +
> +    how.flags = target_to_host_bitmask(how.flags, fcntl_flags_tbl);
> +    how.mode = tswap64(how.mode);
> +    how.resolve = tswap64(how.resolve);
> +
> +    /*
> +     * Ideally we would pass "how->resolve" flags into this helper too but
> +     * the lookup for files that need faking is based on "realpath()" so
> +     * neither a dirfd for "proc" nor restrictions via "resolve" flags can
> +     * be honored right now.
> +     */
> +    bool use_returned_fd;

If I remember correctly QEMU coding style don't put declaration in the middle of the code.

> +    int fd = maybe_do_fake_open(cpu_env, dirfd, pathname, how.flags, how.mode,
> +                                true, &use_returned_fd);
> +    if (use_returned_fd) {
> +        return fd;

this need to be get_errno(fd).

> +    } else {
> +        ret = get_errno(safe_openat2(dirfd, pathname, &how,
> +                                     sizeof(struct open_how_ver0)));
> +    }
> +
> +    fd_trans_unregister(ret);
> +    unlock_user(pathname, guest_pathname, 0);
> +    return ret;
> +}
> +
>   ssize_t do_guest_readlink(const char *pathname, char *buf, size_t bufsiz)
>   {
>       ssize_t ret;
> @@ -9197,6 +9300,11 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
>           fd_trans_unregister(ret);
>           unlock_user(p, arg2, 0);
>           return ret;
> +#if defined(TARGET_NR_openat2)
> +    case TARGET_NR_openat2:
> +        ret = do_openat2(cpu_env, arg1, arg2, arg3, arg4);
> +        return ret;
> +#endif
>   #if defined(TARGET_NR_name_to_handle_at) && defined(CONFIG_OPEN_BY_HANDLE)
>       case TARGET_NR_name_to_handle_at:
>           ret = do_name_to_handle_at(arg1, arg2, arg3, arg4, arg5);
> diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
> index a00b617cae..74abcb4613 100644
> --- a/linux-user/syscall_defs.h
> +++ b/linux-user/syscall_defs.h
> @@ -2754,4 +2754,11 @@ struct target_sched_param {
>       abi_int sched_priority;
>   };
>   
> +/* from kernel's include/uapi/linux/openat2.h */
> +struct target_open_how_ver0 {
> +    abi_ullong flags;
> +    abi_ullong mode;
> +    abi_ullong resolve;
> +};
> +
>   #endif

The rest looks good.

Thanks,
Laurent