[PATCH] hw/9pfs: Follow native symlinks when security-model=mapped

[PATCH] hw/9pfs: Follow native symlinks when security-model=mapped

[Andrey Erokhin]

A directory mounted via virtfs with security-model=mapped[-xattr|-file] can contain "native" symlinks

This can happen e.g. when booting from a rootfs directory tree (usually with writable overlay set up on the host side)

Currently, with security-model=mapped, QEMU expects that all host "symlinks" are in "mapped" format, i.e. are files containing the linked path, so it tries to open with O_NOFOLLOW and fails with ELOOP in case of a native symlink

This patch gives such cases a second chance: trying to open as a native symlink, by reusing security-model=[none|passthrough] else if branch

QEMU issues:
https://gitlab.com/qemu-project/qemu/-/issues/173 (from https://bugs.launchpad.net/qemu/+bug/1831354)
https://gitlab.com/qemu-project/qemu/-/issues/3088 (dup of the first one)


Signed-off-by: Andrey Erokhin <language.lawyer@gmail.com>


diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 31e216227c..b4f8be2c81 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -468,12 +468,14 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path,
  
          fd = local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0);
          if (fd == -1) {
+            if (errno == ELOOP) goto native_symlink;
              return -1;
          }
          tsize = RETRY_ON_EINTR(read(fd, (void *)buf, bufsz));
          close_preserve_errno(fd);
      } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) ||
                 (fs_ctx->export_flags & V9FS_SM_NONE)) {
+native_symlink:;
          char *dirpath = g_path_get_dirname(fs_path->data);
          char *name = g_path_get_basename(fs_path->data);
          int dirfd;

Re: [PATCH] hw/9pfs: Follow native symlinks when security-model=mapped

[Christian Schoenebeck]

On Thursday, 20 November 2025 14:01:36 CET Andrey Erokhin wrote:
> A directory mounted via virtfs with security-model=mapped[-xattr|-file] can
> contain "native" symlinks
> 
> This can happen e.g. when booting from a rootfs directory tree (usually with
> writable overlay set up on the host side)
> 
> Currently, with security-model=mapped, QEMU expects that all host "symlinks"
> are in "mapped" format, i.e. are files containing the linked path, so it
> tries to open with O_NOFOLLOW and fails with ELOOP in case of a native
> symlink
> 
> This patch gives such cases a second chance: trying to open as a native
> symlink, by reusing security-model=[none|passthrough] else if branch

Hi Greg,

I would like to ask you to look at this patch as well.

As I already wrote on Gitlab, technically I think this patch is fine/harmless, 
as the resolved native symlink would solely be passed to guest for its own 
interpretation. AFAICS it would not be used by 9p server (host).

Andrey, just some minor issues from my side below:

Git commit log message should not exceed 76 characters per line.

> QEMU issues:
> https://gitlab.com/qemu-project/qemu/-/issues/173 (from
> https://bugs.launchpad.net/qemu/+bug/1831354)
> https://gitlab.com/qemu-project/qemu/-/issues/3088 (dup of the first one)

This should be:

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/173

The other links can be dropped. They are already linked by #173.

> Signed-off-by: Andrey Erokhin <language.lawyer@gmail.com>
> 
> 
> diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
> index 31e216227c..b4f8be2c81 100644
> --- a/hw/9pfs/9p-local.c
> +++ b/hw/9pfs/9p-local.c
> @@ -468,12 +468,14 @@ static ssize_t local_readlink(FsContext *fs_ctx,
> V9fsPath *fs_path,
> 
>           fd = local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0);
>           if (fd == -1) {
> +            if (errno == ELOOP) goto native_symlink;
>               return -1;
>           }

scripts/checkpatch.pl complaints:

ERROR: trailing statements should be on next line
#33: FILE: hw/9pfs/9p-local.c:471:
+            if (errno == ELOOP) goto native_symlink;

ERROR: braces {} are necessary for all arms of this statement
#33: FILE: hw/9pfs/9p-local.c:471:
+            if (errno == ELOOP) goto native_symlink;
[...]

>           tsize = RETRY_ON_EINTR(read(fd, (void *)buf, bufsz));
>           close_preserve_errno(fd);
>       } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) ||
>                  (fs_ctx->export_flags & V9FS_SM_NONE)) {
> +native_symlink:;

Semicolon is unnecessary here, isn't it?

>           char *dirpath = g_path_get_dirname(fs_path->data);
>           char *name = g_path_get_basename(fs_path->data);
>           int dirfd;

Re: [PATCH] hw/9pfs: Follow native symlinks when security-model=mapped

[Andrey Erokhin]

[-- Attachment #1: Type: text/plain, Size: 2030 bytes --]

On 21/11/2025 17:20, Christian Schoenebeck wrote:
> Andrey, just some minor issues from my side below:
> 
> Git commit log message should not exceed 76 characters per line.

TBH, I'm not used to sending patches by git, it was just an e-mail message, not a commit message
>> QEMU issues:
>> https://gitlab.com/qemu-project/qemu/-/issues/173 (from
>> https://bugs.launchpad.net/qemu/+bug/1831354)
>> https://gitlab.com/qemu-project/qemu/-/issues/3088 (dup of the first one)
> 
> This should be:
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/173

Fixed in the attached patch. Or should I start a new [PATCH v2] thread?

> The other links can be dropped. They are already linked by #173.
> 
>> Signed-off-by: Andrey Erokhin <language.lawyer@gmail.com>
>>
>>
>> diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
>> index 31e216227c..b4f8be2c81 100644
>> --- a/hw/9pfs/9p-local.c
>> +++ b/hw/9pfs/9p-local.c
>> @@ -468,12 +468,14 @@ static ssize_t local_readlink(FsContext *fs_ctx,
>> V9fsPath *fs_path,
>>
>>            fd = local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0);
>>            if (fd == -1) {
>> +            if (errno == ELOOP) goto native_symlink;
>>                return -1;
>>            }
> 
> scripts/checkpatch.pl complaints:
> 
> ERROR: trailing statements should be on next line
> #33: FILE: hw/9pfs/9p-local.c:471:
> +            if (errno == ELOOP) goto native_symlink;
> 
> ERROR: braces {} are necessary for all arms of this statement
> #33: FILE: hw/9pfs/9p-local.c:471:
> +            if (errno == ELOOP) goto native_symlink;
> [...]

Fixed

>>            tsize = RETRY_ON_EINTR(read(fd, (void *)buf, bufsz));
>>            close_preserve_errno(fd);
>>        } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) ||
>>                   (fs_ctx->export_flags & V9FS_SM_NONE)) {
>> +native_symlink:;
> 
> Semicolon is unnecessary here, isn't it?
https://port70.net/~nsz/c/c11/n1570.html#6.8.1 Labeled statements:

labeled-statement:
	identifier : statement

Can't be a declaration

[-- Attachment #2: 0001-hw-9pfs-follow-native-symlinks-in-security-model-map.patch --]
[-- Type: text/x-patch, Size: 1085 bytes --]

hw/9pfs: follow native symlinks in security-model=mapped

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/173

Signed-off-by: Andrey Erokhin <language.lawyer@gmail.com>
---
 hw/9pfs/9p-local.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 31e216227c..5ce97b76a6 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -468,12 +468,16 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path,
 
         fd = local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0);
         if (fd == -1) {
+            if (errno == ELOOP) {
+                goto native_symlink;
+            }
             return -1;
         }
         tsize = RETRY_ON_EINTR(read(fd, (void *)buf, bufsz));
         close_preserve_errno(fd);
     } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) ||
                (fs_ctx->export_flags & V9FS_SM_NONE)) {
+    native_symlink:;
         char *dirpath = g_path_get_dirname(fs_path->data);
         char *name = g_path_get_basename(fs_path->data);
         int dirfd;
-- 
2.34.1

Re: [PATCH] hw/9pfs: Follow native symlinks when security-model=mapped

[Christian Schoenebeck]

On Friday, 21 November 2025 19:32:14 CET Andrey Erokhin wrote:
> On 21/11/2025 17:20, Christian Schoenebeck wrote:
> > Andrey, just some minor issues from my side below:
> > 
> > Git commit log message should not exceed 76 characters per line.
> 
> TBH, I'm not used to sending patches by git, it was just an e-mail message,
> not a commit message

NP. You can use whatever you want (git send-email, any standard email client, 
a script). However patches are automatically applied from this mailing list, 
so the leading sentences of your email *is* the git commit log message.

> >> QEMU issues:
> >> https://gitlab.com/qemu-project/qemu/-/issues/173 (from
> >> https://bugs.launchpad.net/qemu/+bug/1831354)
> >> https://gitlab.com/qemu-project/qemu/-/issues/3088 (dup of the first one)
> > 
> > This should be:
> > 
> > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/173
> 
> Fixed in the attached patch. Or should I start a new [PATCH v2] thread?

Please resend with [PATCH v2] in the subject. Patches should always be inline 
in the email, not as an attachment, and new versions should be top posted 
(i.e. not In-Reply-To v1 email).

/Christian