[Qemu-devel] PATCH-V7 0/10] virtio-9p:Introducing security model for VirtFS

[Qemu-devel] PATCH-V7 0/10] virtio-9p:Introducing security model for VirtFS

[Venkateswararao Jujjuri (JV)]

This patch series introduces the security model for VirtFS.

Brief description of this patch series:

It introduces two type of security models for VirtFS.
They are: mapped and passthrough.

The following is common to both security models.

* Client's VFS determines/enforces the access control.
  Largely server should never return EACCESS.

* Client sends gid/mode-bit information as part of creation only.

Testing
-------
All the releavent tests of "Tuxera Posix test suite"
passed for both mapped and passthrough security models.

Changes from V6
---------------
o Introduced config check for attr/xattr (--enable-attr/--disable-attr)
o Defined a new config option CONFIG_VIRTFS, which will be set if 
  CONFIG_LINUX and CONFIG_ATTR are defined. VirtFS code is compiled
  only under CONFIG_VIRTFS.

Changes from V5
---------------
o After symlink creation used lchown to set the correct uid/gid
o local_chown uses lchown()

Changes from V4
---------------
o Most of the cosmetic changes proposed by Aneesh.
o Divided into more number of patches and added more explanation to each patch.

Changes from V3
---------------
o Return NULL instead of exit(1) on failure in virtio_9p_init()
o Capitalized sm_passthrough, sm_mappe
o Added handling for EINTR for read/write.
o Corrected default permissions for mkdir in mapped mode.
o Added additional error handling.

Changes from V2
---------------
o Removed warnings resulting from chmod/chown.
o Added code to fail normally if secuirty_model option is not specified.

Changes from V1
---------------
o Added support for chmod and chown.
o Used chmod/chown to set credentials instead of setuid/setgid.
o Fixed a bug where uid used instated of uid.


Security model: mapped
----------------------

VirtFS server(QEMU) intercepts and maps all the file object create requests.
Files on the fileserver will be created with QEMU's user credentials and the
client-user's credentials are stored in extended attributes.
During getattr() server extracts the client-user's credentials from extended
attributes and sends to the client.

Given that only the user space extended attributes are available to regular
files, special files are created as regular files on the fileserver and the
appropriate mode bits are stored in xattrs and will be extracted during
getattr.

If the extended attributes are missing, server sends back the filesystem
stat() unaltered. This provision will make the files created on the
fileserver usable to client.

Points to be considered

* Filesystem will be VirtFS'ized. Meaning, other filesystems may not
 understand the credentials of the files created under this model.

* Regular utilities like 'df' may not report required results in this model.
 Need for special reporting utilities which can understand this security model.


Security model : passthrough
----------------------------

In this security model, VirtFS server passes down all requests to the
underlying filesystem. File system objects on the fileserver will be created
with client-user's credentials. This is done by setting setuid()/setgid()
during creation or ch* after file creation. At the end of create protocol
request, files on the fileserver will be owned by cleint-user's uid/gid.

Points to be considered

  * Fileserver should always run as 'root'.
  * Root squashing may be needed. Will be for future work.
  * Potential for user credential clash between guest's user space IDs and
    host's user space IDs.

It also adds security model attribute to -fsdev device and to -virtfs shortcut.

Usage examples:
-fsdev local,id=jvrao,path=/tmp/,security_model=mapped
-virtfs local,path=/tmp/,security_model=passthrough,mnt_tag=v_tmp.

--
Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

[Qemu-devel] [PATCH-V7 01/10] virtio-9p: Introduces an option to specify the security model.

[Venkateswararao Jujjuri (JV)]

The new option is:

-fsdev fstype,id=myid,path=/share_path/,security_model=[mapped|passthrough]
-virtfs fstype,path=/share_path/,security_model=[mapped|passthrough],mnt_tag=tag

In the case of mapped security model, files are created with QEMU user
credentials and the client-user's credentials are saved in extended attributes.
Whereas in the case of passthrough security model, files on the
filesystem are directly created with client-user's credentials.

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 fsdev/qemu-fsdev.c |    9 ++++++++-
 fsdev/qemu-fsdev.h |    1 +
 hw/virtio-9p.c     |    9 +++++++++
 qemu-config.c      |    6 ++++++
 qemu-options.hx    |   15 +++++++++++----
 vl.c               |   18 +++++++++++++++---
 6 files changed, 50 insertions(+), 8 deletions(-)

diff --git a/fsdev/qemu-fsdev.c b/fsdev/qemu-fsdev.c
index 813e1f7..ad69b0e 100644
--- a/fsdev/qemu-fsdev.c
+++ b/fsdev/qemu-fsdev.c
@@ -34,7 +34,7 @@ int qemu_fsdev_add(QemuOpts *opts)
         return -1;
     }
 
-     for (i = 0; i < ARRAY_SIZE(FsTypes); i++) {
+    for (i = 0; i < ARRAY_SIZE(FsTypes); i++) {
         if (strcmp(FsTypes[i].name, qemu_opt_get(opts, "fstype")) == 0) {
             break;
         }
@@ -46,10 +46,17 @@ int qemu_fsdev_add(QemuOpts *opts)
         return -1;
     }
 
+    if (qemu_opt_get(opts, "security_model") == NULL) {
+        fprintf(stderr, "fsdev: No security_model specified.\n");
+        return -1;
+    }
+
     fsle = qemu_malloc(sizeof(*fsle));
 
     fsle->fse.fsdev_id = qemu_strdup(qemu_opts_id(opts));
     fsle->fse.path = qemu_strdup(qemu_opt_get(opts, "path"));
+    fsle->fse.security_model = qemu_strdup(qemu_opt_get(opts,
+                "security_model"));
     fsle->fse.ops = FsTypes[i].ops;
 
     QTAILQ_INSERT_TAIL(&fstype_entries, fsle, next);
diff --git a/fsdev/qemu-fsdev.h b/fsdev/qemu-fsdev.h
index b50fbe0..6c27881 100644
--- a/fsdev/qemu-fsdev.h
+++ b/fsdev/qemu-fsdev.h
@@ -40,6 +40,7 @@ typedef struct FsTypeTable {
 typedef struct FsTypeEntry {
     char *fsdev_id;
     char *path;
+    char *security_model;
     FileOperations *ops;
 } FsTypeEntry;
 
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 038bb39..2530488 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -2253,6 +2253,15 @@ VirtIODevice *virtio_9p_init(DeviceState *dev, V9fsConf *conf)
         exit(1);
     }
 
+    if (!strcmp(fse->security_model, "passthrough") &&
+                !strcmp(fse->security_model, "mapped")) {
+        /* user haven't specified a correct security option */
+        fprintf(stderr, "one of the following must be specified as the"
+                "security option:\n\t security_model=passthrough \n\t "
+                "security_model=mapped\n");
+        return NULL;
+    }
+
     if (lstat(fse->path, &stat)) {
         fprintf(stderr, "share path %s does not exist\n", fse->path);
         exit(1);
diff --git a/qemu-config.c b/qemu-config.c
index 5a4e61b..95abe61 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -163,6 +163,9 @@ QemuOptsList qemu_fsdev_opts = {
         }, {
             .name = "path",
             .type = QEMU_OPT_STRING,
+        }, {
+            .name = "security_model",
+            .type = QEMU_OPT_STRING,
         },
         { /*End of list */ }
     },
@@ -184,6 +187,9 @@ QemuOptsList qemu_virtfs_opts = {
         }, {
             .name = "mount_tag",
             .type = QEMU_OPT_STRING,
+        }, {
+            .name = "security_model",
+            .type = QEMU_OPT_STRING,
         },
 
         { /*End of list */ }
diff --git a/qemu-options.hx b/qemu-options.hx
index a6928b7..d1d2272 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -486,7 +486,7 @@ ETEXI
 DEFHEADING(File system options:)
 
 DEF("fsdev", HAS_ARG, QEMU_OPTION_fsdev,
-    "-fsdev local,id=id,path=path\n",
+    "-fsdev local,id=id,path=path,security_model=[mapped|passthrough]\n",
     QEMU_ARCH_ALL)
 
 STEXI
@@ -502,7 +502,7 @@ The specific Fstype will determine the applicable options.
 
 Options to each backend are described below.
 
-@item -fsdev local ,id=@var{id} ,path=@var{path}
+@item -fsdev local ,id=@var{id} ,path=@var{path} ,security_model=@var{security_model}
 
 Create a file-system-"device" for local-filesystem.
 
@@ -510,6 +510,9 @@ Create a file-system-"device" for local-filesystem.
 
 @option{path} specifies the path to be exported. @option{path} is required.
 
+@option{security_model} specifies the security model to be followed.
+@option{security_model} is required.
+
 @end table
 ETEXI
 #endif
@@ -518,7 +521,7 @@ ETEXI
 DEFHEADING(Virtual File system pass-through options:)
 
 DEF("virtfs", HAS_ARG, QEMU_OPTION_virtfs,
-    "-virtfs local,path=path,mount_tag=tag\n",
+    "-virtfs local,path=path,mount_tag=tag,security_model=[mapped|passthrough]\n",
     QEMU_ARCH_ALL)
 
 STEXI
@@ -534,7 +537,7 @@ The specific Fstype will determine the applicable options.
 
 Options to each backend are described below.
 
-@item -virtfs local ,path=@var{path} ,mount_tag=@var{mount_tag}
+@item -virtfs local ,path=@var{path} ,mount_tag=@var{mount_tag} ,security_model=@var{security_model}
 
 Create a Virtual file-system-pass through for local-filesystem.
 
@@ -542,6 +545,10 @@ Create a Virtual file-system-pass through for local-filesystem.
 
 @option{path} specifies the path to be exported. @option{path} is required.
 
+@option{security_model} specifies the security model to be followed.
+@option{security_model} is required.
+
+
 @option{mount_tag} specifies the tag with which the exported file is mounted.
 @option{mount_tag} is required.
 
diff --git a/vl.c b/vl.c
index 7121cd0..98491ae 100644
--- a/vl.c
+++ b/vl.c
@@ -3094,10 +3094,21 @@ int main(int argc, char **argv, char **envp)
                     exit(1);
                 }
 
-                len = strlen(",id=,path=");
+                if (qemu_opt_get(opts, "fstype") == NULL ||
+                        qemu_opt_get(opts, "mount_tag") == NULL ||
+                        qemu_opt_get(opts, "path") == NULL ||
+                        qemu_opt_get(opts, "security_model") == NULL) {
+                    fprintf(stderr, "Usage: -virtfs fstype,path=/share_path/,"
+                            "security_model=[mapped|passthrough],"
+                            "mnt_tag=tag.\n");
+                    exit(1);
+                }
+
+                len = strlen(",id=,path=,security_model=");
                 len += strlen(qemu_opt_get(opts, "fstype"));
                 len += strlen(qemu_opt_get(opts, "mount_tag"));
                 len += strlen(qemu_opt_get(opts, "path"));
+                len += strlen(qemu_opt_get(opts, "security_model"));
                 arg_fsdev = qemu_malloc((len + 1) * sizeof(*arg_fsdev));
 
                 if (!arg_fsdev) {
@@ -3106,10 +3117,11 @@ int main(int argc, char **argv, char **envp)
                     exit(1);
                 }
 
-                sprintf(arg_fsdev, "%s,id=%s,path=%s",
+                sprintf(arg_fsdev, "%s,id=%s,path=%s,security_model=%s",
                                 qemu_opt_get(opts, "fstype"),
                                 qemu_opt_get(opts, "mount_tag"),
-                                qemu_opt_get(opts, "path"));
+                                qemu_opt_get(opts, "path"),
+                                qemu_opt_get(opts, "security_model"));
 
                 len = strlen("virtio-9p-pci,fsdev=,mount_tag=");
                 len += 2*strlen(qemu_opt_get(opts, "mount_tag"));
-- 
1.6.5.2

[Qemu-devel] [PATCH-V7 02/10] virtio-9p: Make infrastructure for the new security model.

[Venkateswararao Jujjuri (JV)]

This patch adds required infrastructure for the new security model.

- A new configure option for attr/xattr.
- if CONFIG_VIRTFS will be defined if both CONFIG_LINUX and CONFIG_ATTR defined.
- Defines routines related to both security models.

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 Makefile.objs        |    6 ++--
 Makefile.target      |    2 +-
 configure            |   37 ++++++++++++++++++++++++++++
 hw/file-op-9p.h      |   20 +++++++++++++++
 hw/virtio-9p-local.c |   65 +++++++++++++++++++++++---------------------------
 hw/virtio-9p.c       |   23 ++++++++++++-----
 hw/virtio-pci.c      |    4 +-
 vl.c                 |    8 +++---
 8 files changed, 113 insertions(+), 52 deletions(-)

diff --git a/Makefile.objs b/Makefile.objs
index 9796dcb..f2640e6 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -35,8 +35,8 @@ net-nested-$(CONFIG_SLIRP) += slirp.o
 net-nested-$(CONFIG_VDE) += vde.o
 net-obj-y += $(addprefix net/, $(net-nested-y))
 
-fsdev-nested-$(CONFIG_LINUX) = qemu-fsdev.o
-fsdev-obj-$(CONFIG_LINUX) += $(addprefix fsdev/, $(fsdev-nested-y))
+fsdev-nested-$(CONFIG_VIRTFS) = qemu-fsdev.o
+fsdev-obj-$(CONFIG_VIRTFS) += $(addprefix fsdev/, $(fsdev-nested-y))
 
 ######################################################################
 # libqemu_common.a: Target independent part of system emulation. The
@@ -231,7 +231,7 @@ sound-obj-$(CONFIG_CS4231A) += cs4231a.o
 adlib.o fmopl.o: QEMU_CFLAGS += -DBUILD_Y8950=0
 hw-obj-$(CONFIG_SOUND) += $(sound-obj-y)
 
-hw-obj-$(CONFIG_LINUX) += virtio-9p-debug.o virtio-9p-local.o
+hw-obj-$(CONFIG_VIRTFS) += virtio-9p-debug.o virtio-9p-local.o
 
 ######################################################################
 # libdis
diff --git a/Makefile.target b/Makefile.target
index d06c679..36b64d4 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -169,7 +169,7 @@ obj-y += virtio-blk.o virtio-balloon.o virtio-net.o virtio-serial-bus.o
 obj-$(CONFIG_VIRTIO_PCI) += virtio-pci.o
 obj-y += vhost_net.o
 obj-$(CONFIG_VHOST_NET) += vhost.o
-obj-$(CONFIG_LINUX) += virtio-9p.o
+obj-$(CONFIG_VIRTFS) += virtio-9p.o
 obj-y += rwhandler.o
 obj-$(CONFIG_KVM) += kvm.o kvm-all.o
 obj-$(CONFIG_NO_KVM) += kvm-stub.o
diff --git a/configure b/configure
index 653c8d2..9533b15 100755
--- a/configure
+++ b/configure
@@ -265,6 +265,7 @@ vnc_tls=""
 vnc_sasl=""
 xen=""
 linux_aio=""
+attr=""
 vhost_net=""
 
 gprof="no"
@@ -644,6 +645,10 @@ for opt do
   ;;
   --enable-linux-aio) linux_aio="yes"
   ;;
+  --disable-attr) attr="no"
+  ;;
+  --enable-attr) attr="yes"
+  ;;
   --enable-io-thread) io_thread="yes"
   ;;
   --disable-blobs) blobs="no"
@@ -819,6 +824,8 @@ echo "  --disable-vde            disable support for vde network"
 echo "  --enable-vde             enable support for vde network"
 echo "  --disable-linux-aio      disable Linux AIO support"
 echo "  --enable-linux-aio       enable Linux AIO support"
+echo "  --disable-attr           disables attr and xattr support"
+echo "  --enable-attr            enable attr and xattr support"
 echo "  --enable-io-thread       enable IO thread"
 echo "  --disable-blobs          disable installing provided firmware blobs"
 echo "  --kerneldir=PATH         look for kernel includes in PATH"
@@ -1600,6 +1607,27 @@ EOF
 fi
 
 ##########################################
+# attr probe
+
+if test "$attr" != "no" ; then
+  cat > $TMPC <<EOF
+#include <stdio.h>
+#include <sys/types.h>
+#include <attr/xattr.h>
+int main(void) { getxattr(NULL, NULL, NULL, 0); setxattr(NULL, NULL, NULL, 0, 0); return 0; }
+EOF
+  if compile_prog "" "-lattr" ; then
+    attr=yes
+    LIBS="-lattr $LIBS"
+  else
+    if test "$attr" = "yes" ; then
+      feature_not_found "ATTR"
+    fi
+    attr=no
+  fi
+fi
+
+##########################################
 # iovec probe
 cat > $TMPC <<EOF
 #include <sys/types.h>
@@ -2034,6 +2062,7 @@ echo "PIE user targets  $user_pie"
 echo "vde support       $vde"
 echo "IO thread         $io_thread"
 echo "Linux AIO support $linux_aio"
+echo "ATTR/XATTR support $attr"
 echo "Install blobs     $blobs"
 echo "KVM support       $kvm"
 echo "fdt support       $fdt"
@@ -2238,6 +2267,14 @@ fi
 if test "$linux_aio" = "yes" ; then
   echo "CONFIG_LINUX_AIO=y" >> $config_host_mak
 fi
+if test "$attr" = "yes" ; then
+  echo "CONFIG_ATTR=y" >> $config_host_mak
+fi
+if test "$linux" = "yes" ; then
+  if test "$attr" = "yes" ; then
+    echo "CONFIG_VIRTFS=y" >> $config_host_mak
+  fi
+fi
 if test "$blobs" = "yes" ; then
   echo "INSTALL_BLOBS=yes" >> $config_host_mak
 fi
diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index f84767f..307bd1e 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -18,13 +18,33 @@
 #include <utime.h>
 #include <sys/stat.h>
 #include <sys/uio.h>
+#include <sys/vfs.h>
+#define SM_LOCAL_MODE_BITS    0600
+#define SM_LOCAL_DIR_MODE_BITS    0700
+
+typedef enum
+{
+    SM_PASSTHROUGH = 1, /* uid/gid set on fileserver files */
+    SM_MAPPED,  /* uid/gid part of xattr */
+} SecModel;
+
+typedef struct FsCred
+{
+    uid_t   fc_uid;
+    gid_t   fc_gid;
+    mode_t  fc_mode;
+    dev_t   fc_rdev;
+} FsCred;
 
 typedef struct FsContext
 {
     char *fs_root;
+    SecModel fs_sm;
     uid_t uid;
 } FsContext;
 
+extern void cred_init(FsCred *);
+
 typedef struct FileOperations
 {
     int (*lstat)(FsContext *, const char *, struct stat *);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 1afb731..056b4ba 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -17,6 +17,7 @@
 #include <grp.h>
 #include <sys/socket.h>
 #include <sys/un.h>
+#include <attr/xattr.h>
 
 static const char *rpath(FsContext *ctx, const char *path)
 {
@@ -31,45 +32,37 @@ static int local_lstat(FsContext *ctx, const char *path, struct stat *stbuf)
     return lstat(rpath(ctx, path), stbuf);
 }
 
-static int local_setuid(FsContext *ctx, uid_t uid)
+static int local_set_xattr(const char *path, FsCred *credp)
 {
-    struct passwd *pw;
-    gid_t groups[33];
-    int ngroups;
-    static uid_t cur_uid = -1;
-
-    if (cur_uid == uid) {
-        return 0;
-    }
-
-    if (setreuid(0, 0)) {
-        return -1;
-    }
-
-    pw = getpwuid(uid);
-    if (pw == NULL) {
-        return -1;
-    }
-
-    ngroups = 33;
-    if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1) {
-        return -1;
+    int err;
+    if (credp->fc_uid != -1) {
+        err = setxattr(path, "user.virtfs.uid", &credp->fc_uid, sizeof(uid_t),
+                0);
+        if (err) {
+            return err;
+        }
     }
-
-    if (setgroups(ngroups, groups)) {
-        return -1;
+    if (credp->fc_gid != -1) {
+        err = setxattr(path, "user.virtfs.gid", &credp->fc_gid, sizeof(gid_t),
+                0);
+        if (err) {
+            return err;
+        }
     }
-
-    if (setregid(-1, pw->pw_gid)) {
-        return -1;
+    if (credp->fc_mode != -1) {
+        err = setxattr(path, "user.virtfs.mode", &credp->fc_mode,
+                sizeof(mode_t), 0);
+        if (err) {
+            return err;
+        }
     }
-
-    if (setreuid(-1, uid)) {
-        return -1;
+    if (credp->fc_rdev != -1) {
+        err = setxattr(path, "user.virtfs.rdev", &credp->fc_rdev,
+                sizeof(dev_t), 0);
+        if (err) {
+            return err;
+        }
     }
-
-    cur_uid = uid;
-
     return 0;
 }
 
@@ -183,6 +176,7 @@ static int local_open2(FsContext *ctx, const char *path, int flags, mode_t mode)
     return open(rpath(ctx, path), flags, mode);
 }
 
+
 static int local_symlink(FsContext *ctx, const char *oldpath,
                             const char *newpath)
 {
@@ -259,12 +253,13 @@ static int local_remove(FsContext *ctx, const char *path)
 
 static int local_fsync(FsContext *ctx, int fd)
 {
+    if (0) /* Just to supress the warning. Will be removed in next patch. */
+        (void)local_set_xattr(NULL, NULL);
     return fsync(fd);
 }
 
 FileOperations local_ops = {
     .lstat = local_lstat,
-    .setuid = local_setuid,
     .readlink = local_readlink,
     .close = local_close,
     .closedir = local_closedir,
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 2530488..a7ba4b6 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -67,14 +67,17 @@ static int omode_to_uflags(int8_t mode)
     return ret;
 }
 
-static int v9fs_do_lstat(V9fsState *s, V9fsString *path, struct stat *stbuf)
+void cred_init(FsCred *credp)
 {
-    return s->ops->lstat(&s->ctx, path->data, stbuf);
+    credp->fc_uid = -1;
+    credp->fc_gid = -1;
+    credp->fc_mode = -1;
+    credp->fc_rdev = -1;
 }
 
-static int v9fs_do_setuid(V9fsState *s, uid_t uid)
+static int v9fs_do_lstat(V9fsState *s, V9fsString *path, struct stat *stbuf)
 {
-    return s->ops->setuid(&s->ctx, uid);
+    return s->ops->lstat(&s->ctx, path->data, stbuf);
 }
 
 static ssize_t v9fs_do_readlink(V9fsState *s, V9fsString *path, V9fsString *buf)
@@ -348,7 +351,6 @@ static V9fsFidState *lookup_fid(V9fsState *s, int32_t fid)
 
     for (f = s->fid_list; f; f = f->next) {
         if (f->fid == fid) {
-            v9fs_do_setuid(s, f->uid);
             return f;
         }
     }
@@ -2253,8 +2255,15 @@ VirtIODevice *virtio_9p_init(DeviceState *dev, V9fsConf *conf)
         exit(1);
     }
 
-    if (!strcmp(fse->security_model, "passthrough") &&
-                !strcmp(fse->security_model, "mapped")) {
+    if (!strcmp(fse->security_model, "passthrough")) {
+        /* Files on the Fileserver set to client user credentials */
+        s->ctx.fs_sm = SM_PASSTHROUGH;
+    } else if (!strcmp(fse->security_model, "mapped")) {
+        /* Files on the fileserver are set to QEMU credentials.
+         * Client user credentials are saved in extended attributes.
+         */
+        s->ctx.fs_sm = SM_MAPPED;
+    } else {
         /* user haven't specified a correct security option */
         fprintf(stderr, "one of the following must be specified as the"
                 "security option:\n\t security_model=passthrough \n\t "
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 7ddf612..51fe2f5 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -642,7 +642,7 @@ static int virtio_balloon_init_pci(PCIDevice *pci_dev)
     return 0;
 }
 
-#ifdef CONFIG_LINUX
+#ifdef CONFIG_VIRTFS
 static int virtio_9p_init_pci(PCIDevice *pci_dev)
 {
     VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
@@ -713,7 +713,7 @@ static PCIDeviceInfo virtio_info[] = {
         },
         .qdev.reset = virtio_pci_reset,
     },{
-#ifdef CONFIG_LINUX
+#ifdef CONFIG_VIRTFS
         .qdev.name = "virtio-9p-pci",
         .qdev.size = sizeof(VirtIOPCIProxy),
         .init      = virtio_9p_init_pci,
diff --git a/vl.c b/vl.c
index 98491ae..938ca0a 100644
--- a/vl.c
+++ b/vl.c
@@ -149,7 +149,7 @@ int main(int argc, char **argv)
 #include "qemu-option.h"
 #include "qemu-config.h"
 #include "qemu-objects.h"
-#ifdef CONFIG_LINUX
+#ifdef CONFIG_VIRTFS
 #include "fsdev/qemu-fsdev.h"
 #endif
 
@@ -2299,7 +2299,7 @@ static int chardev_init_func(QemuOpts *opts, void *opaque)
     return 0;
 }
 
-#ifdef CONFIG_LINUX
+#ifdef CONFIG_VIRTFS
 static int fsdev_init_func(QemuOpts *opts, void *opaque)
 {
     int ret;
@@ -3075,7 +3075,7 @@ int main(int argc, char **argv, char **envp)
                     exit(1);
                 }
                 break;
-#ifdef CONFIG_LINUX
+#ifdef CONFIG_VIRTFS
             case QEMU_OPTION_fsdev:
                 opts = qemu_opts_parse(&qemu_fsdev_opts, optarg, 1);
                 if (!opts) {
@@ -3510,7 +3510,7 @@ int main(int argc, char **argv, char **envp)
 
     if (qemu_opts_foreach(&qemu_chardev_opts, chardev_init_func, NULL, 1) != 0)
         exit(1);
-#ifdef CONFIG_LINUX
+#ifdef CONFIG_VIRTFS
     if (qemu_opts_foreach(&qemu_fsdev_opts, fsdev_init_func, NULL, 1) != 0) {
         exit(1);
     }
-- 
1.6.5.2

[Qemu-devel] [PATCH-V7 03/10] virtio-9p: Security model for chmod

[Venkateswararao Jujjuri (JV)]

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 hw/file-op-9p.h      |    2 +-
 hw/virtio-9p-local.c |   11 +++++++----
 hw/virtio-9p.c       |    5 ++++-
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index 307bd1e..1c8d89b 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -49,7 +49,7 @@ typedef struct FileOperations
 {
     int (*lstat)(FsContext *, const char *, struct stat *);
     ssize_t (*readlink)(FsContext *, const char *, char *, size_t);
-    int (*chmod)(FsContext *, const char *, mode_t);
+    int (*chmod)(FsContext *, const char *, FsCred *);
     int (*chown)(FsContext *, const char *, uid_t, gid_t);
     int (*mknod)(FsContext *, const char *, mode_t, dev_t);
     int (*mksock)(FsContext *, const char *);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 056b4ba..9bdcf02 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -129,9 +129,14 @@ static ssize_t local_writev(FsContext *ctx, int fd, const struct iovec *iov,
     return writev(fd, iov, iovcnt);
 }
 
-static int local_chmod(FsContext *ctx, const char *path, mode_t mode)
+static int local_chmod(FsContext *fs_ctx, const char *path, FsCred *credp)
 {
-    return chmod(rpath(ctx, path), mode);
+    if (fs_ctx->fs_sm == SM_MAPPED) {
+        return local_set_xattr(rpath(fs_ctx, path), credp);
+    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+        return chmod(rpath(fs_ctx, path), credp->fc_mode);
+    }
+    return -1;
 }
 
 static int local_mknod(FsContext *ctx, const char *path, mode_t mode, dev_t dev)
@@ -253,8 +258,6 @@ static int local_remove(FsContext *ctx, const char *path)
 
 static int local_fsync(FsContext *ctx, int fd)
 {
-    if (0) /* Just to supress the warning. Will be removed in next patch. */
-        (void)local_set_xattr(NULL, NULL);
     return fsync(fd);
 }
 
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index a7ba4b6..24291f4 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -154,7 +154,10 @@ static int v9fs_do_writev(V9fsState *s, int fd, const struct iovec *iov,
 
 static int v9fs_do_chmod(V9fsState *s, V9fsString *path, mode_t mode)
 {
-    return s->ops->chmod(&s->ctx, path->data, mode);
+    FsCred cred;
+    cred_init(&cred);
+    cred.fc_mode = mode;
+    return s->ops->chmod(&s->ctx, path->data, &cred);
 }
 
 static int v9fs_do_mknod(V9fsState *s, V9fsString *path, mode_t mode, dev_t dev)
-- 
1.6.5.2

[Qemu-devel] [PATCH-V7 04/10] virtio-9p: Security model for chown

[Venkateswararao Jujjuri (JV)]

mapped model changes the owner in the extended attributes.
passthrough model does the change through lchown() as the
server don't need to follow the link and client will send the
actual filesystem object.

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 hw/file-op-9p.h      |    2 +-
 hw/virtio-9p-local.c |    9 +++++++--
 hw/virtio-9p.c       |    9 +++++++--
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index 1c8d89b..a53cd35 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -50,7 +50,7 @@ typedef struct FileOperations
     int (*lstat)(FsContext *, const char *, struct stat *);
     ssize_t (*readlink)(FsContext *, const char *, char *, size_t);
     int (*chmod)(FsContext *, const char *, FsCred *);
-    int (*chown)(FsContext *, const char *, uid_t, gid_t);
+    int (*chown)(FsContext *, const char *, FsCred *);
     int (*mknod)(FsContext *, const char *, mode_t, dev_t);
     int (*mksock)(FsContext *, const char *);
     int (*utime)(FsContext *, const char *, const struct utimbuf *);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 9bdcf02..1d7cb32 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -240,9 +240,14 @@ static int local_rename(FsContext *ctx, const char *oldpath,
 
 }
 
-static int local_chown(FsContext *ctx, const char *path, uid_t uid, gid_t gid)
+static int local_chown(FsContext *fs_ctx, const char *path, FsCred *credp)
 {
-    return chown(rpath(ctx, path), uid, gid);
+    if (fs_ctx->fs_sm == SM_MAPPED) {
+        return local_set_xattr(rpath(fs_ctx, path), credp);
+    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+        return lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid);
+    }
+    return -1;
 }
 
 static int local_utime(FsContext *ctx, const char *path,
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 24291f4..fa459c9 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -209,7 +209,12 @@ static int v9fs_do_rename(V9fsState *s, V9fsString *oldpath,
 
 static int v9fs_do_chown(V9fsState *s, V9fsString *path, uid_t uid, gid_t gid)
 {
-    return s->ops->chown(&s->ctx, path->data, uid, gid);
+    FsCred cred;
+    cred_init(&cred);
+    cred.fc_uid = uid;
+    cred.fc_gid = gid;
+
+    return s->ops->chown(&s->ctx, path->data, &cred);
 }
 
 static int v9fs_do_utime(V9fsState *s, V9fsString *path,
@@ -2014,7 +2019,7 @@ static void v9fs_wstat_post_utime(V9fsState *s, V9fsWstatState *vs, int err)
         goto out;
     }
 
-    if (vs->v9stat.n_gid != -1) {
+    if (vs->v9stat.n_gid != -1 || vs->v9stat.n_uid != -1) {
         if (v9fs_do_chown(s, &vs->fidp->path, vs->v9stat.n_uid,
                     vs->v9stat.n_gid)) {
             err = -errno;
-- 
1.6.5.2

[Qemu-devel] [PATCH-V7 05/10] virtio-9p: Implemented Security model for lstat and fstat

[Venkateswararao Jujjuri (JV)]

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 hw/virtio-9p-local.c |   62 ++++++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 1d7cb32..74c81a6 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -27,9 +27,38 @@ static const char *rpath(FsContext *ctx, const char *path)
     return buffer;
 }
 
-static int local_lstat(FsContext *ctx, const char *path, struct stat *stbuf)
+
+static int local_lstat(FsContext *fs_ctx, const char *path, struct stat *stbuf)
 {
-    return lstat(rpath(ctx, path), stbuf);
+    int err;
+    err =  lstat(rpath(fs_ctx, path), stbuf);
+    if (err) {
+        return err;
+    }
+    if (fs_ctx->fs_sm == SM_MAPPED) {
+        /* Actual credentials are part of extended attrs */
+        uid_t tmp_uid;
+        gid_t tmp_gid;
+        mode_t tmp_mode;
+        dev_t tmp_dev;
+        if (getxattr(rpath(fs_ctx, path), "user.virtfs.uid", &tmp_uid,
+                    sizeof(uid_t)) > 0) {
+            stbuf->st_uid = tmp_uid;
+        }
+        if (getxattr(rpath(fs_ctx, path), "user.virtfs.gid", &tmp_gid,
+                    sizeof(gid_t)) > 0) {
+            stbuf->st_gid = tmp_gid;
+        }
+        if (getxattr(rpath(fs_ctx, path), "user.virtfs.mode", &tmp_mode,
+                    sizeof(mode_t)) > 0) {
+            stbuf->st_mode = tmp_mode;
+        }
+        if (getxattr(rpath(fs_ctx, path), "user.virtfs.rdev", &tmp_dev,
+                        sizeof(dev_t)) > 0) {
+                stbuf->st_rdev = tmp_dev;
+        }
+    }
+    return err;
 }
 
 static int local_set_xattr(const char *path, FsCred *credp)
@@ -171,9 +200,34 @@ static int local_mkdir(FsContext *ctx, const char *path, mode_t mode)
     return mkdir(rpath(ctx, path), mode);
 }
 
-static int local_fstat(FsContext *ctx, int fd, struct stat *stbuf)
+static int local_fstat(FsContext *fs_ctx, int fd, struct stat *stbuf)
 {
-    return fstat(fd, stbuf);
+    int err;
+    err = fstat(fd, stbuf);
+    if (err) {
+        return err;
+    }
+    if (fs_ctx->fs_sm == SM_MAPPED) {
+        /* Actual credentials are part of extended attrs */
+        uid_t tmp_uid;
+        gid_t tmp_gid;
+        mode_t tmp_mode;
+        dev_t tmp_dev;
+
+        if (fgetxattr(fd, "user.virtfs.uid", &tmp_uid, sizeof(uid_t)) > 0) {
+            stbuf->st_uid = tmp_uid;
+        }
+        if (fgetxattr(fd, "user.virtfs.gid", &tmp_gid, sizeof(gid_t)) > 0) {
+            stbuf->st_gid = tmp_gid;
+        }
+        if (fgetxattr(fd, "user.virtfs.mode", &tmp_mode, sizeof(mode_t)) > 0) {
+            stbuf->st_mode = tmp_mode;
+        }
+        if (fgetxattr(fd, "user.virtfs.rdev", &tmp_dev, sizeof(dev_t)) > 0) {
+                stbuf->st_rdev = tmp_dev;
+        }
+    }
+    return err;
 }
 
 static int local_open2(FsContext *ctx, const char *path, int flags, mode_t mode)
-- 
1.6.5.2

[Qemu-devel] [PATCH-V7 06/10] virtio-9p: Security model for create/open2

[Venkateswararao Jujjuri (JV)]

In the mapped security model, VirtFS server intercepts and maps
the file object create and get/set attribute requests. Files on the fileserver
will be created with VirtFS servers (QEMU) user credentials and the
client-users credentials are stored in extended attributes. On the request
to get attributes, server extracts the client-users credentials
from extended attributes and sends them to the client.

On Host/Fileserver:
-rw-------. 2 virfsuid virtfsgid 0 2010-05-11 09:19 afile

On Guest/Client:
-rw-r--r-- 2 guestuser guestuser 0 2010-05-11 12:19 afile

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 hw/file-op-9p.h      |    2 +-
 hw/virtio-9p-local.c |   51 ++++++++++++++++++++++++++++++++++++++++++++++++-
 hw/virtio-9p.c       |   16 ++++++++++----
 3 files changed, 61 insertions(+), 8 deletions(-)

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index a53cd35..b345189 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -62,7 +62,7 @@ typedef struct FileOperations
     int (*closedir)(FsContext *, DIR *);
     DIR *(*opendir)(FsContext *, const char *);
     int (*open)(FsContext *, const char *, int);
-    int (*open2)(FsContext *, const char *, int, mode_t);
+    int (*open2)(FsContext *, const char *, int, FsCred *);
     void (*rewinddir)(FsContext *, DIR *);
     off_t (*telldir)(FsContext *, DIR *);
     struct dirent *(*readdir)(FsContext *, DIR *);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 74c81a6..bb5140e 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -95,6 +95,18 @@ static int local_set_xattr(const char *path, FsCred *credp)
     return 0;
 }
 
+static int local_post_create_passthrough(FsContext *fs_ctx, const char *path,
+        FsCred *credp)
+{
+    if (chmod(rpath(fs_ctx, path), credp->fc_mode & 07777) < 0) {
+        return -1;
+    }
+    if (chown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid) < 0) {
+        return -1;
+    }
+    return 0;
+}
+
 static ssize_t local_readlink(FsContext *ctx, const char *path,
                                 char *buf, size_t bufsz)
 {
@@ -230,9 +242,44 @@ static int local_fstat(FsContext *fs_ctx, int fd, struct stat *stbuf)
     return err;
 }
 
-static int local_open2(FsContext *ctx, const char *path, int flags, mode_t mode)
+static int local_open2(FsContext *fs_ctx, const char *path, int flags,
+        FsCred *credp)
 {
-    return open(rpath(ctx, path), flags, mode);
+    int fd = -1;
+    int err = -1;
+    int serrno = 0;
+
+    /* Determine the security model */
+    if (fs_ctx->fs_sm == SM_MAPPED) {
+        fd = open(rpath(fs_ctx, path), flags, SM_LOCAL_MODE_BITS);
+        if (fd == -1) {
+            return fd;
+        }
+        credp->fc_mode = credp->fc_mode|S_IFREG;
+        /* Set cleint credentials in xattr */
+        err = local_set_xattr(rpath(fs_ctx, path), credp);
+        if (err == -1) {
+            serrno = errno;
+            goto err_end;
+        }
+    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+        fd = open(rpath(fs_ctx, path), flags, credp->fc_mode);
+        if (fd == -1) {
+            return fd;
+        }
+        err = local_post_create_passthrough(fs_ctx, path, credp);
+        if (err == -1) {
+            serrno = errno;
+            goto err_end;
+        }
+    }
+    return fd;
+
+err_end:
+    close(fd);
+    remove(rpath(fs_ctx, path));
+    errno = serrno;
+    return err;
 }
 
 
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index fa459c9..49a3065 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -180,9 +180,17 @@ static int v9fs_do_fstat(V9fsState *s, int fd, struct stat *stbuf)
     return s->ops->fstat(&s->ctx, fd, stbuf);
 }
 
-static int v9fs_do_open2(V9fsState *s, V9fsString *path, int flags, mode_t mode)
+static int v9fs_do_open2(V9fsState *s, V9fsCreateState *vs)
 {
-    return s->ops->open2(&s->ctx, path->data, flags, mode);
+    FsCred cred;
+    int flags;
+
+    cred_init(&cred);
+    cred.fc_uid = vs->fidp->uid;
+    cred.fc_mode = vs->perm & 0777;
+    flags = omode_to_uflags(vs->mode) | O_CREAT;
+
+    return s->ops->open2(&s->ctx, vs->fullname.data, flags, &cred);
 }
 
 static int v9fs_do_symlink(V9fsState *s, V9fsString *oldpath,
@@ -1815,9 +1823,7 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
         err = v9fs_do_mksock(s, &vs->fullname);
         v9fs_create_post_mksock(s, vs, err);
     } else {
-        vs->fidp->fd = v9fs_do_open2(s, &vs->fullname,
-                                omode_to_uflags(vs->mode) | O_CREAT,
-                                vs->perm & 0777);
+        vs->fidp->fd = v9fs_do_open2(s, vs);
         v9fs_create_post_open2(s, vs, err);
     }
 
-- 
1.6.5.2

[Qemu-devel] [PATCH-V7 07/10] virtio-9p: Security model for mkdir

[Venkateswararao Jujjuri (JV)]

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 hw/file-op-9p.h      |    2 +-
 hw/virtio-9p-local.c |   35 +++++++++++++++++++++++++++++++++--
 hw/virtio-9p.c       |   12 +++++++++---
 3 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index b345189..12223de 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -70,7 +70,7 @@ typedef struct FileOperations
     ssize_t (*readv)(FsContext *, int, const struct iovec *, int);
     ssize_t (*writev)(FsContext *, int, const struct iovec *, int);
     off_t (*lseek)(FsContext *, int, off_t, int);
-    int (*mkdir)(FsContext *, const char *, mode_t);
+    int (*mkdir)(FsContext *, const char *, FsCred *);
     int (*fstat)(FsContext *, int, struct stat *);
     int (*rename)(FsContext *, const char *, const char *);
     int (*truncate)(FsContext *, const char *, off_t);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index bb5140e..e99eff9 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -207,9 +207,40 @@ static int local_mksock(FsContext *ctx2, const char *path)
     return 0;
 }
 
-static int local_mkdir(FsContext *ctx, const char *path, mode_t mode)
+static int local_mkdir(FsContext *fs_ctx, const char *path, FsCred *credp)
 {
-    return mkdir(rpath(ctx, path), mode);
+    int err = -1;
+    int serrno = 0;
+
+    /* Determine the security model */
+    if (fs_ctx->fs_sm == SM_MAPPED) {
+        err = mkdir(rpath(fs_ctx, path), SM_LOCAL_DIR_MODE_BITS);
+        if (err == -1) {
+            return err;
+        }
+        credp->fc_mode = credp->fc_mode|S_IFDIR;
+        err = local_set_xattr(rpath(fs_ctx, path), credp);
+        if (err == -1) {
+            serrno = errno;
+            goto err_end;
+        }
+    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+        err = mkdir(rpath(fs_ctx, path), credp->fc_mode);
+        if (err == -1) {
+            return err;
+        }
+        err = local_post_create_passthrough(fs_ctx, path, credp);
+        if (err == -1) {
+            serrno = errno;
+            goto err_end;
+        }
+    }
+    return err;
+
+err_end:
+    remove(rpath(fs_ctx, path));
+    errno = serrno;
+    return err;
 }
 
 static int local_fstat(FsContext *fs_ctx, int fd, struct stat *stbuf)
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 49a3065..005f725 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -170,9 +170,15 @@ static int v9fs_do_mksock(V9fsState *s, V9fsString *path)
     return s->ops->mksock(&s->ctx, path->data);
 }
 
-static int v9fs_do_mkdir(V9fsState *s, V9fsString *path, mode_t mode)
+static int v9fs_do_mkdir(V9fsState *s, V9fsCreateState *vs)
 {
-    return s->ops->mkdir(&s->ctx, path->data, mode);
+    FsCred cred;
+
+    cred_init(&cred);
+    cred.fc_uid = vs->fidp->uid;
+    cred.fc_mode = vs->perm & 0777;
+
+    return s->ops->mkdir(&s->ctx, vs->fullname.data, &cred);
 }
 
 static int v9fs_do_fstat(V9fsState *s, int fd, struct stat *stbuf)
@@ -1776,7 +1782,7 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
     }
 
     if (vs->perm & P9_STAT_MODE_DIR) {
-        err = v9fs_do_mkdir(s, &vs->fullname, vs->perm & 0777);
+        err = v9fs_do_mkdir(s, vs);
         v9fs_create_post_mkdir(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_SYMLINK) {
         err = v9fs_do_symlink(s, &vs->extension, &vs->fullname);
-- 
1.6.5.2

[Qemu-devel] [PATCH-V7 08/10] virtio-9p: Security model for symlink and readlink

[Venkateswararao Jujjuri (JV)]

Mapped mode stores extended attributes in the user space of the extended
attributes. Given that the user space extended attributes are available
to regular files only, special files are created as regular files on the
fileserver and appropriate mode bits are added to the extended attributes.
This method presents all special files and symlinks as regular files on the
fileserver while they are represented as special files on the guest mount.

Implemntation of symlink in mapped security model:

A regular file is created and the link target is written to it.
readlink() reads it back from the file.

On Guest/Client:
lrwxrwxrwx 1 root root 6 2010-05-11 12:20 asymlink -> afile

On Host/Fileserver:
-rw-------. 1 root root 6 2010-05-11 09:20 asymlink
afile

Under passthrough model, it just calls underlying symlink() readlink()
system calls are used.

Under both security models, client user credentials are changed
after the filesystem objec creation.

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 hw/file-op-9p.h      |    2 +-
 hw/virtio-9p-local.c |   75 ++++++++++++++++++++++++++++++++++++++++++++++----
 hw/virtio-9p.c       |   13 ++++++--
 3 files changed, 79 insertions(+), 11 deletions(-)

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index 12223de..0808630 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -55,7 +55,7 @@ typedef struct FileOperations
     int (*mksock)(FsContext *, const char *);
     int (*utime)(FsContext *, const char *, const struct utimbuf *);
     int (*remove)(FsContext *, const char *);
-    int (*symlink)(FsContext *, const char *, const char *);
+    int (*symlink)(FsContext *, const char *, const char *, FsCred *);
     int (*link)(FsContext *, const char *, const char *);
     int (*setuid)(FsContext *, uid_t);
     int (*close)(FsContext *, int);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index e99eff9..711f2b5 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -107,10 +107,25 @@ static int local_post_create_passthrough(FsContext *fs_ctx, const char *path,
     return 0;
 }
 
-static ssize_t local_readlink(FsContext *ctx, const char *path,
-                                char *buf, size_t bufsz)
+static ssize_t local_readlink(FsContext *fs_ctx, const char *path,
+        char *buf, size_t bufsz)
 {
-    return readlink(rpath(ctx, path), buf, bufsz);
+    ssize_t tsize = -1;
+    if (fs_ctx->fs_sm == SM_MAPPED) {
+        int fd;
+        fd = open(rpath(fs_ctx, path), O_RDONLY);
+        if (fd == -1) {
+            return -1;
+        }
+        do {
+            tsize = read(fd, (void *)buf, bufsz);
+        } while (tsize == -1 && errno == EINTR);
+        close(fd);
+        return tsize;
+    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+        tsize = readlink(rpath(fs_ctx, path), buf, bufsz);
+    }
+    return tsize;
 }
 
 static int local_close(FsContext *ctx, int fd)
@@ -314,10 +329,58 @@ err_end:
 }
 
 
-static int local_symlink(FsContext *ctx, const char *oldpath,
-                            const char *newpath)
+static int local_symlink(FsContext *fs_ctx, const char *oldpath,
+        const char *newpath, FsCred *credp)
 {
-    return symlink(oldpath, rpath(ctx, newpath));
+    int err = -1;
+    int serrno = 0;
+
+    /* Determine the security model */
+    if (fs_ctx->fs_sm == SM_MAPPED) {
+        int fd;
+        ssize_t oldpath_size, write_size;
+        fd = open(rpath(fs_ctx, newpath), O_CREAT|O_EXCL|O_RDWR,
+                SM_LOCAL_MODE_BITS);
+        if (fd == -1) {
+            return fd;
+        }
+        /* Write the oldpath (target) to the file. */
+        oldpath_size = strlen(oldpath) + 1;
+        do {
+            write_size = write(fd, (void *)oldpath, oldpath_size);
+        } while (write_size == -1 && errno == EINTR);
+
+        if (write_size != oldpath_size) {
+            serrno = errno;
+            close(fd);
+            err = -1;
+            goto err_end;
+        }
+        close(fd);
+        /* Set cleint credentials in symlink's xattr */
+        credp->fc_mode = credp->fc_mode|S_IFLNK;
+        err = local_set_xattr(rpath(fs_ctx, newpath), credp);
+        if (err == -1) {
+            serrno = errno;
+            goto err_end;
+        }
+    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+        err = symlink(oldpath, rpath(fs_ctx, newpath));
+        if (err) {
+            return err;
+        }
+        err = lchown(rpath(fs_ctx, newpath), credp->fc_uid, credp->fc_gid);
+        if (err == -1) {
+            serrno = errno;
+            goto err_end;
+        }
+    }
+    return err;
+
+err_end:
+    remove(rpath(fs_ctx, newpath));
+    errno = serrno;
+    return err;
 }
 
 static int local_link(FsContext *ctx, const char *oldpath, const char *newpath)
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 005f725..1a25e96 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -199,10 +199,15 @@ static int v9fs_do_open2(V9fsState *s, V9fsCreateState *vs)
     return s->ops->open2(&s->ctx, vs->fullname.data, flags, &cred);
 }
 
-static int v9fs_do_symlink(V9fsState *s, V9fsString *oldpath,
-                            V9fsString *newpath)
+static int v9fs_do_symlink(V9fsState *s, V9fsCreateState *vs)
 {
-    return s->ops->symlink(&s->ctx, oldpath->data, newpath->data);
+    FsCred cred;
+    cred_init(&cred);
+    cred.fc_uid = vs->fidp->uid;
+    cred.fc_mode = vs->perm | 0777;
+
+    return s->ops->symlink(&s->ctx, vs->extension.data, vs->fullname.data,
+            &cred);
 }
 
 static int v9fs_do_link(V9fsState *s, V9fsString *oldpath, V9fsString *newpath)
@@ -1785,7 +1790,7 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
         err = v9fs_do_mkdir(s, vs);
         v9fs_create_post_mkdir(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_SYMLINK) {
-        err = v9fs_do_symlink(s, &vs->extension, &vs->fullname);
+        err = v9fs_do_symlink(s, vs);
         v9fs_create_post_perms(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_LINK) {
         int32_t nfid = atoi(vs->extension.data);
-- 
1.6.5.2

[Qemu-devel] [PATCH-V7 09/10] virtio-9p: Implement Security model for mknod

[Venkateswararao Jujjuri (JV)]

Mapped mode stores extended attributes in the user space of the extended
attributes. Given that the user space extended attributes are available
to regular files only, special files are created as regular files on the
fileserver and appropriate mode bits are added to the extended attributes.
This method presents all special files and symlinks as regular files on the
fileserver while they are represented as special files on the guest mount.

On Host/Fileserver:
-rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:36 afifo
-rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:32 blkdev
-rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:33 chardev

On Guest/Client:
prw-r--r-- 1 guestuser guestuser 0 2010-05-11 12:36 afifo
brw-r--r-- 1 guestuser guestuser 0, 0 2010-05-11 12:32 blkdev
crw-r--r-- 1 guestuser guestuser 4, 5 2010-05-11 12:33 chardev

In the passthrough securit model, specifal files are directly created
on the fileserver. But the user credential

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 hw/file-op-9p.h      |    2 +-
 hw/virtio-9p-local.c |   34 ++++++++++++++++++++++++++++++++--
 hw/virtio-9p.c       |   14 ++++++++++----
 3 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index 0808630..5bc61b5 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -51,7 +51,7 @@ typedef struct FileOperations
     ssize_t (*readlink)(FsContext *, const char *, char *, size_t);
     int (*chmod)(FsContext *, const char *, FsCred *);
     int (*chown)(FsContext *, const char *, FsCred *);
-    int (*mknod)(FsContext *, const char *, mode_t, dev_t);
+    int (*mknod)(FsContext *, const char *, FsCred *);
     int (*mksock)(FsContext *, const char *);
     int (*utime)(FsContext *, const char *, const struct utimbuf *);
     int (*remove)(FsContext *, const char *);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 711f2b5..791a8ba 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -195,9 +195,39 @@ static int local_chmod(FsContext *fs_ctx, const char *path, FsCred *credp)
     return -1;
 }
 
-static int local_mknod(FsContext *ctx, const char *path, mode_t mode, dev_t dev)
+static int local_mknod(FsContext *fs_ctx, const char *path, FsCred *credp)
 {
-    return mknod(rpath(ctx, path), mode, dev);
+    int err = -1;
+    int serrno = 0;
+
+    /* Determine the security model */
+    if (fs_ctx->fs_sm == SM_MAPPED) {
+        err = mknod(rpath(fs_ctx, path), SM_LOCAL_MODE_BITS|S_IFREG, 0);
+        if (err == -1) {
+            return err;
+        }
+        local_set_xattr(rpath(fs_ctx, path), credp);
+        if (err == -1) {
+            serrno = errno;
+            goto err_end;
+        }
+    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+        err = mknod(rpath(fs_ctx, path), credp->fc_mode, credp->fc_rdev);
+        if (err == -1) {
+            return err;
+        }
+        err = local_post_create_passthrough(fs_ctx, path, credp);
+        if (err == -1) {
+            serrno = errno;
+            goto err_end;
+        }
+    }
+    return err;
+
+err_end:
+    remove(rpath(fs_ctx, path));
+    errno = serrno;
+    return err;
 }
 
 static int local_mksock(FsContext *ctx2, const char *path)
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 1a25e96..d276db3 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -160,9 +160,15 @@ static int v9fs_do_chmod(V9fsState *s, V9fsString *path, mode_t mode)
     return s->ops->chmod(&s->ctx, path->data, &cred);
 }
 
-static int v9fs_do_mknod(V9fsState *s, V9fsString *path, mode_t mode, dev_t dev)
+static int v9fs_do_mknod(V9fsState *s, V9fsCreateState *vs, mode_t mode,
+        dev_t dev)
 {
-    return s->ops->mknod(&s->ctx, path->data, mode, dev);
+    FsCred cred;
+    cred_init(&cred);
+    cred.fc_uid = vs->fidp->uid;
+    cred.fc_mode = mode;
+    cred.fc_rdev = dev;
+    return s->ops->mknod(&s->ctx, vs->fullname.data, &cred);
 }
 
 static int v9fs_do_mksock(V9fsState *s, V9fsString *path)
@@ -1825,10 +1831,10 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
         }
 
         nmode |= vs->perm & 0777;
-        err = v9fs_do_mknod(s, &vs->fullname, nmode, makedev(major, minor));
+        err = v9fs_do_mknod(s, vs, nmode, makedev(major, minor));
         v9fs_create_post_perms(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_NAMED_PIPE) {
-        err = v9fs_do_mknod(s, &vs->fullname, S_IFIFO | (vs->mode & 0777), 0);
+        err = v9fs_do_mknod(s, vs, S_IFIFO | (vs->perm & 0777), 0);
         v9fs_post_create(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_SOCKET) {
         err = v9fs_do_mksock(s, &vs->fullname);
-- 
1.6.5.2

[Qemu-devel] [PATCH-V7 10/10] virtio-9p: Implement Security model for mksock using mknod.

[Venkateswararao Jujjuri (JV)]

This patch uses mknod to create socket.

On Host/Fileserver:
-rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:57 asocket1

On Guest/Client:
srwxr-xr-x 1 guestuser guestuser 0 2010-05-11 12:57 asocket1

Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
---
 hw/file-op-9p.h      |    1 -
 hw/virtio-9p-local.c |   23 -----------------------
 hw/virtio-9p.c       |   25 ++-----------------------
 3 files changed, 2 insertions(+), 47 deletions(-)

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index 5bc61b5..a741c93 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -52,7 +52,6 @@ typedef struct FileOperations
     int (*chmod)(FsContext *, const char *, FsCred *);
     int (*chown)(FsContext *, const char *, FsCred *);
     int (*mknod)(FsContext *, const char *, FsCred *);
-    int (*mksock)(FsContext *, const char *);
     int (*utime)(FsContext *, const char *, const struct utimbuf *);
     int (*remove)(FsContext *, const char *);
     int (*symlink)(FsContext *, const char *, const char *, FsCred *);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 791a8ba..04f7f6f 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -230,28 +230,6 @@ err_end:
     return err;
 }
 
-static int local_mksock(FsContext *ctx2, const char *path)
-{
-    struct sockaddr_un addr;
-    int s;
-
-    addr.sun_family = AF_UNIX;
-    snprintf(addr.sun_path, 108, "%s", rpath(ctx2, path));
-
-    s = socket(PF_UNIX, SOCK_STREAM, 0);
-    if (s == -1) {
-        return -1;
-    }
-
-    if (bind(s, (struct sockaddr *)&addr, sizeof(addr))) {
-        close(s);
-        return -1;
-    }
-
-    close(s);
-    return 0;
-}
-
 static int local_mkdir(FsContext *fs_ctx, const char *path, FsCred *credp)
 {
     int err = -1;
@@ -507,7 +485,6 @@ FileOperations local_ops = {
     .writev = local_writev,
     .chmod = local_chmod,
     .mknod = local_mknod,
-    .mksock = local_mksock,
     .mkdir = local_mkdir,
     .fstat = local_fstat,
     .open2 = local_open2,
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index d276db3..f8c85c3 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -171,11 +171,6 @@ static int v9fs_do_mknod(V9fsState *s, V9fsCreateState *vs, mode_t mode,
     return s->ops->mknod(&s->ctx, vs->fullname.data, &cred);
 }
 
-static int v9fs_do_mksock(V9fsState *s, V9fsString *path)
-{
-    return s->ops->mksock(&s->ctx, path->data);
-}
-
 static int v9fs_do_mkdir(V9fsState *s, V9fsCreateState *vs)
 {
     FsCred cred;
@@ -1740,22 +1735,6 @@ out:
     v9fs_post_create(s, vs, err);
 }
 
-static void v9fs_create_post_mksock(V9fsState *s, V9fsCreateState *vs,
-                                                                int err)
-{
-    if (err) {
-        err = -errno;
-        goto out;
-    }
-
-    err = v9fs_do_chmod(s, &vs->fullname, vs->perm & 0777);
-    v9fs_create_post_perms(s, vs, err);
-    return;
-
-out:
-    v9fs_post_create(s, vs, err);
-}
-
 static void v9fs_create_post_fstat(V9fsState *s, V9fsCreateState *vs, int err)
 {
     if (err) {
@@ -1837,8 +1816,8 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
         err = v9fs_do_mknod(s, vs, S_IFIFO | (vs->perm & 0777), 0);
         v9fs_post_create(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_SOCKET) {
-        err = v9fs_do_mksock(s, &vs->fullname);
-        v9fs_create_post_mksock(s, vs, err);
+        err = v9fs_do_mknod(s, vs, S_IFSOCK | (vs->perm & 0777), 0);
+        v9fs_post_create(s, vs, err);
     } else {
         vs->fidp->fd = v9fs_do_open2(s, vs);
         v9fs_create_post_open2(s, vs, err);
-- 
1.6.5.2

Re: [Qemu-devel] [PATCH-V7 09/10] virtio-9p: Implement Security model for mknod

[Anthony Liguori]

On 06/14/2010 03:34 PM, Venkateswararao Jujjuri (JV) wrote:
> Mapped mode stores extended attributes in the user space of the extended
> attributes. Given that the user space extended attributes are available
> to regular files only, special files are created as regular files on the
> fileserver and appropriate mode bits are added to the extended attributes.
> This method presents all special files and symlinks as regular files on the
> fileserver while they are represented as special files on the guest mount.
>
> On Host/Fileserver:
> -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:36 afifo
> -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:32 blkdev
> -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:33 chardev
>
> On Guest/Client:
> prw-r--r-- 1 guestuser guestuser 0 2010-05-11 12:36 afifo
> brw-r--r-- 1 guestuser guestuser 0, 0 2010-05-11 12:32 blkdev
> crw-r--r-- 1 guestuser guestuser 4, 5 2010-05-11 12:33 chardev
>
> In the passthrough securit model, specifal files are directly created
> on the fileserver. But the user credential
>
> Signed-off-by: Venkateswararao Jujjuri<jvrao@linux.vnet.ibm.com>
> ---
>   hw/file-op-9p.h      |    2 +-
>   hw/virtio-9p-local.c |   34 ++++++++++++++++++++++++++++++++--
>   hw/virtio-9p.c       |   14 ++++++++++----
>   3 files changed, 43 insertions(+), 7 deletions(-)
>
>
>   static int local_mksock(FsContext *ctx2, const char *path)
> diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
> index 1a25e96..d276db3 100644
> --- a/hw/virtio-9p.c
> +++ b/hw/virtio-9p.c
> @@ -160,9 +160,15 @@ static int v9fs_do_chmod(V9fsState *s, V9fsString *path, mode_t mode)
>       return s->ops->chmod(&s->ctx, path->data,&cred);
>   }
>
> -static int v9fs_do_mknod(V9fsState *s, V9fsString *path, mode_t mode, dev_t dev)
> +static int v9fs_do_mknod(V9fsState *s, V9fsCreateState *vs, mode_t mode,
> +        dev_t dev)
>   {
>    

You've added this function *before* you actually declare V9fsCreateState 
which is happening way down before v9fs_post_create().

Did you actually build these patches before sending them to the list?

Regards,

Anthony Liguori

Re: [Qemu-devel] [PATCH-V7 09/10] virtio-9p: Implement Security model for mknod

[Venkateswararao Jujjuri (JV)]

Anthony Liguori wrote:
> On 06/14/2010 03:34 PM, Venkateswararao Jujjuri (JV) wrote:
>> Mapped mode stores extended attributes in the user space of the extended
>> attributes. Given that the user space extended attributes are available
>> to regular files only, special files are created as regular files on the
>> fileserver and appropriate mode bits are added to the extended
>> attributes.
>> This method presents all special files and symlinks as regular files
>> on the
>> fileserver while they are represented as special files on the guest
>> mount.
>>
>> On Host/Fileserver:
>> -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:36 afifo
>> -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:32 blkdev
>> -rw-------. 1 virfsuid virtfsgid 0 2010-05-11 09:33 chardev
>>
>> On Guest/Client:
>> prw-r--r-- 1 guestuser guestuser 0 2010-05-11 12:36 afifo
>> brw-r--r-- 1 guestuser guestuser 0, 0 2010-05-11 12:32 blkdev
>> crw-r--r-- 1 guestuser guestuser 4, 5 2010-05-11 12:33 chardev
>>
>> In the passthrough securit model, specifal files are directly created
>> on the fileserver. But the user credential
>>
>> Signed-off-by: Venkateswararao Jujjuri<jvrao@linux.vnet.ibm.com>
>> ---
>>   hw/file-op-9p.h      |    2 +-
>>   hw/virtio-9p-local.c |   34 ++++++++++++++++++++++++++++++++--
>>   hw/virtio-9p.c       |   14 ++++++++++----
>>   3 files changed, 43 insertions(+), 7 deletions(-)
>>
>>
>>   static int local_mksock(FsContext *ctx2, const char *path)
>> diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
>> index 1a25e96..d276db3 100644
>> --- a/hw/virtio-9p.c
>> +++ b/hw/virtio-9p.c
>> @@ -160,9 +160,15 @@ static int v9fs_do_chmod(V9fsState *s, V9fsString
>> *path, mode_t mode)
>>       return s->ops->chmod(&s->ctx, path->data,&cred);
>>   }
>>
>> -static int v9fs_do_mknod(V9fsState *s, V9fsString *path, mode_t mode,
>> dev_t dev)
>> +static int v9fs_do_mknod(V9fsState *s, V9fsCreateState *vs, mode_t mode,
>> +        dev_t dev)
>>   {
>>    
> 
> You've added this function *before* you actually declare V9fsCreateState
> which is happening way down before v9fs_post_create().
> 
> Did you actually build these patches before sending them to the list?

Yes I did. This patch series is built on the following two patches. 
Please apply these two patches before taking this patch series.

[PATCH-V2] [virtio-9p] Flush the debug message out to the log file.
(http://lists.gnu.org/archive/html/qemu-devel/2010-06/msg00255.html)

[PATCH] virtio-9p: Rearrange fileop structures
(http://lists.gnu.org/archive/html/qemu-devel/2010-06/msg00143.html)


Sorry for the confusion.

- JV


> 
> Regards,
> 
> Anthony Liguori
> 

Re: [Qemu-devel] [PATCH-V7 01/10] virtio-9p: Introduces an option to specify the security model.

[Anthony Liguori]

On 06/14/2010 03:34 PM, Venkateswararao Jujjuri (JV) wrote:
> The new option is:
>
> -fsdev fstype,id=myid,path=/share_path/,security_model=[mapped|passthrough]
> -virtfs fstype,path=/share_path/,security_model=[mapped|passthrough],mnt_tag=tag
>
> In the case of mapped security model, files are created with QEMU user
> credentials and the client-user's credentials are saved in extended attributes.
> Whereas in the case of passthrough security model, files on the
> filesystem are directly created with client-user's credentials.
>
> Signed-off-by: Venkateswararao Jujjuri<jvrao@linux.vnet.ibm.com>
>    

Applied all.  Thanks.

Regards,

Anthony Liguori
> ---
>   fsdev/qemu-fsdev.c |    9 ++++++++-
>   fsdev/qemu-fsdev.h |    1 +
>   hw/virtio-9p.c     |    9 +++++++++
>   qemu-config.c      |    6 ++++++
>   qemu-options.hx    |   15 +++++++++++----
>   vl.c               |   18 +++++++++++++++---
>   6 files changed, 50 insertions(+), 8 deletions(-)
>
> diff --git a/fsdev/qemu-fsdev.c b/fsdev/qemu-fsdev.c
> index 813e1f7..ad69b0e 100644
> --- a/fsdev/qemu-fsdev.c
> +++ b/fsdev/qemu-fsdev.c
> @@ -34,7 +34,7 @@ int qemu_fsdev_add(QemuOpts *opts)
>           return -1;
>       }
>
> -     for (i = 0; i<  ARRAY_SIZE(FsTypes); i++) {
> +    for (i = 0; i<  ARRAY_SIZE(FsTypes); i++) {
>           if (strcmp(FsTypes[i].name, qemu_opt_get(opts, "fstype")) == 0) {
>               break;
>           }
> @@ -46,10 +46,17 @@ int qemu_fsdev_add(QemuOpts *opts)
>           return -1;
>       }
>
> +    if (qemu_opt_get(opts, "security_model") == NULL) {
> +        fprintf(stderr, "fsdev: No security_model specified.\n");
> +        return -1;
> +    }
> +
>       fsle = qemu_malloc(sizeof(*fsle));
>
>       fsle->fse.fsdev_id = qemu_strdup(qemu_opts_id(opts));
>       fsle->fse.path = qemu_strdup(qemu_opt_get(opts, "path"));
> +    fsle->fse.security_model = qemu_strdup(qemu_opt_get(opts,
> +                "security_model"));
>       fsle->fse.ops = FsTypes[i].ops;
>
>       QTAILQ_INSERT_TAIL(&fstype_entries, fsle, next);
> diff --git a/fsdev/qemu-fsdev.h b/fsdev/qemu-fsdev.h
> index b50fbe0..6c27881 100644
> --- a/fsdev/qemu-fsdev.h
> +++ b/fsdev/qemu-fsdev.h
> @@ -40,6 +40,7 @@ typedef struct FsTypeTable {
>   typedef struct FsTypeEntry {
>       char *fsdev_id;
>       char *path;
> +    char *security_model;
>       FileOperations *ops;
>   } FsTypeEntry;
>
> diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
> index 038bb39..2530488 100644
> --- a/hw/virtio-9p.c
> +++ b/hw/virtio-9p.c
> @@ -2253,6 +2253,15 @@ VirtIODevice *virtio_9p_init(DeviceState *dev, V9fsConf *conf)
>           exit(1);
>       }
>
> +    if (!strcmp(fse->security_model, "passthrough")&&
> +                !strcmp(fse->security_model, "mapped")) {
> +        /* user haven't specified a correct security option */
> +        fprintf(stderr, "one of the following must be specified as the"
> +                "security option:\n\t security_model=passthrough \n\t "
> +                "security_model=mapped\n");
> +        return NULL;
> +    }
> +
>       if (lstat(fse->path,&stat)) {
>           fprintf(stderr, "share path %s does not exist\n", fse->path);
>           exit(1);
> diff --git a/qemu-config.c b/qemu-config.c
> index 5a4e61b..95abe61 100644
> --- a/qemu-config.c
> +++ b/qemu-config.c
> @@ -163,6 +163,9 @@ QemuOptsList qemu_fsdev_opts = {
>           }, {
>               .name = "path",
>               .type = QEMU_OPT_STRING,
> +        }, {
> +            .name = "security_model",
> +            .type = QEMU_OPT_STRING,
>           },
>           { /*End of list */ }
>       },
> @@ -184,6 +187,9 @@ QemuOptsList qemu_virtfs_opts = {
>           }, {
>               .name = "mount_tag",
>               .type = QEMU_OPT_STRING,
> +        }, {
> +            .name = "security_model",
> +            .type = QEMU_OPT_STRING,
>           },
>
>           { /*End of list */ }
> diff --git a/qemu-options.hx b/qemu-options.hx
> index a6928b7..d1d2272 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -486,7 +486,7 @@ ETEXI
>   DEFHEADING(File system options:)
>
>   DEF("fsdev", HAS_ARG, QEMU_OPTION_fsdev,
> -    "-fsdev local,id=id,path=path\n",
> +    "-fsdev local,id=id,path=path,security_model=[mapped|passthrough]\n",
>       QEMU_ARCH_ALL)
>
>   STEXI
> @@ -502,7 +502,7 @@ The specific Fstype will determine the applicable options.
>
>   Options to each backend are described below.
>
> -@item -fsdev local ,id=@var{id} ,path=@var{path}
> +@item -fsdev local ,id=@var{id} ,path=@var{path} ,security_model=@var{security_model}
>
>   Create a file-system-"device" for local-filesystem.
>
> @@ -510,6 +510,9 @@ Create a file-system-"device" for local-filesystem.
>
>   @option{path} specifies the path to be exported. @option{path} is required.
>
> +@option{security_model} specifies the security model to be followed.
> +@option{security_model} is required.
> +
>   @end table
>   ETEXI
>   #endif
> @@ -518,7 +521,7 @@ ETEXI
>   DEFHEADING(Virtual File system pass-through options:)
>
>   DEF("virtfs", HAS_ARG, QEMU_OPTION_virtfs,
> -    "-virtfs local,path=path,mount_tag=tag\n",
> +    "-virtfs local,path=path,mount_tag=tag,security_model=[mapped|passthrough]\n",
>       QEMU_ARCH_ALL)
>
>   STEXI
> @@ -534,7 +537,7 @@ The specific Fstype will determine the applicable options.
>
>   Options to each backend are described below.
>
> -@item -virtfs local ,path=@var{path} ,mount_tag=@var{mount_tag}
> +@item -virtfs local ,path=@var{path} ,mount_tag=@var{mount_tag} ,security_model=@var{security_model}
>
>   Create a Virtual file-system-pass through for local-filesystem.
>
> @@ -542,6 +545,10 @@ Create a Virtual file-system-pass through for local-filesystem.
>
>   @option{path} specifies the path to be exported. @option{path} is required.
>
> +@option{security_model} specifies the security model to be followed.
> +@option{security_model} is required.
> +
> +
>   @option{mount_tag} specifies the tag with which the exported file is mounted.
>   @option{mount_tag} is required.
>
> diff --git a/vl.c b/vl.c
> index 7121cd0..98491ae 100644
> --- a/vl.c
> +++ b/vl.c
> @@ -3094,10 +3094,21 @@ int main(int argc, char **argv, char **envp)
>                       exit(1);
>                   }
>
> -                len = strlen(",id=,path=");
> +                if (qemu_opt_get(opts, "fstype") == NULL ||
> +                        qemu_opt_get(opts, "mount_tag") == NULL ||
> +                        qemu_opt_get(opts, "path") == NULL ||
> +                        qemu_opt_get(opts, "security_model") == NULL) {
> +                    fprintf(stderr, "Usage: -virtfs fstype,path=/share_path/,"
> +                            "security_model=[mapped|passthrough],"
> +                            "mnt_tag=tag.\n");
> +                    exit(1);
> +                }
> +
> +                len = strlen(",id=,path=,security_model=");
>                   len += strlen(qemu_opt_get(opts, "fstype"));
>                   len += strlen(qemu_opt_get(opts, "mount_tag"));
>                   len += strlen(qemu_opt_get(opts, "path"));
> +                len += strlen(qemu_opt_get(opts, "security_model"));
>                   arg_fsdev = qemu_malloc((len + 1) * sizeof(*arg_fsdev));
>
>                   if (!arg_fsdev) {
> @@ -3106,10 +3117,11 @@ int main(int argc, char **argv, char **envp)
>                       exit(1);
>                   }
>
> -                sprintf(arg_fsdev, "%s,id=%s,path=%s",
> +                sprintf(arg_fsdev, "%s,id=%s,path=%s,security_model=%s",
>                                   qemu_opt_get(opts, "fstype"),
>                                   qemu_opt_get(opts, "mount_tag"),
> -                                qemu_opt_get(opts, "path"));
> +                                qemu_opt_get(opts, "path"),
> +                                qemu_opt_get(opts, "security_model"));
>
>                   len = strlen("virtio-9p-pci,fsdev=,mount_tag=");
>                   len += 2*strlen(qemu_opt_get(opts, "mount_tag"));
>