From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from [140.186.70.92] (port=40402 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1OGe0p-00081m-In for qemu-devel@nongnu.org; Mon, 24 May 2010 16:12:46 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69) (envelope-from ) id 1OGe0f-0008Pk-44 for qemu-devel@nongnu.org; Mon, 24 May 2010 16:12:34 -0400 Received: from e9.ny.us.ibm.com ([32.97.182.139]:60619) by eggs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1OGe0c-0008PK-Vi for qemu-devel@nongnu.org; Mon, 24 May 2010 16:12:24 -0400 Received: from d01relay07.pok.ibm.com (d01relay07.pok.ibm.com [9.56.227.147]) by e9.ny.us.ibm.com (8.14.3/8.13.1) with ESMTP id o4OJwawa028910 for ; Mon, 24 May 2010 15:58:36 -0400 Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay07.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id o4OKCLqA1405116 for ; Mon, 24 May 2010 16:12:21 -0400 Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id o4OKCL1L031934 for ; Mon, 24 May 2010 16:12:21 -0400 Message-ID: <4BFADDA3.2070107@linux.vnet.ibm.com> Date: Mon, 24 May 2010 15:12:19 -0500 From: Anthony Liguori MIME-Version: 1.0 Subject: Re: [Qemu-devel] [PATCH -V3 3/7] virtio-9p: modify create/open2 and mkdir for new security model. References: <1274477170-7658-1-git-send-email-jvrao@linux.vnet.ibm.com> <1274477170-7658-4-git-send-email-jvrao@linux.vnet.ibm.com> In-Reply-To: <1274477170-7658-4-git-send-email-jvrao@linux.vnet.ibm.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Venkateswararao Jujjuri (JV)" Cc: aliguori@us.ibm.com, qemu-devel@nongnu.org On 05/21/2010 04:26 PM, Venkateswararao Jujjuri (JV) wrote: > Add required infrastructure and modify create/open2 and mkdir per the new > security model. > > Signed-off-by: Venkateswararao Jujjuri > --- > hw/file-op-9p.h | 23 ++++++++- > hw/virtio-9p-local.c | 139 +++++++++++++++++++++++++++++++++++--------------- > hw/virtio-9p.c | 42 ++++++++++----- > 3 files changed, 148 insertions(+), 56 deletions(-) > > diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h > index 2934ff1..2cf7d27 100644 > --- a/hw/file-op-9p.h > +++ b/hw/file-op-9p.h > @@ -19,13 +19,32 @@ > #include > #include > #include > +#define SM_LOCAL_MODE_BITS 0600 > + > +typedef enum > +{ > + sm_none = 0, > + sm_passthrough, /* uid/gid set on fileserver files */ > + sm_mapped, /* uid/gid part of xattr */ > Should use caps. > +} SecModel; > + > +typedef struct FsCred > +{ > + uid_t fc_uid; > + gid_t fc_gid; > + mode_t fc_mode; > + dev_t fc_rdev; > +} FsCred; > > typedef struct FsContext > { > char *fs_root; > + SecModel fs_sm; > uid_t uid; > } FsContext; > > +extern void cred_init(FsCred *); > + > typedef struct FileOperations > { > int (*lstat)(FsContext *, const char *, struct stat *); > @@ -43,7 +62,7 @@ typedef struct FileOperations > int (*closedir)(FsContext *, DIR *); > DIR *(*opendir)(FsContext *, const char *); > int (*open)(FsContext *, const char *, int); > - int (*open2)(FsContext *, const char *, int, mode_t); > + int (*open2)(FsContext *, const char *, int, FsCred *); > void (*rewinddir)(FsContext *, DIR *); > off_t (*telldir)(FsContext *, DIR *); > struct dirent *(*readdir)(FsContext *, DIR *); > @@ -51,7 +70,7 @@ typedef struct FileOperations > ssize_t (*readv)(FsContext *, int, const struct iovec *, int); > ssize_t (*writev)(FsContext *, int, const struct iovec *, int); > off_t (*lseek)(FsContext *, int, off_t, int); > - int (*mkdir)(FsContext *, const char *, mode_t); > + int (*mkdir)(FsContext *, const char *, FsCred *); > int (*fstat)(FsContext *, int, struct stat *); > int (*rename)(FsContext *, const char *, const char *); > int (*truncate)(FsContext *, const char *, off_t); > diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c > index 78960ac..14fd3d9 100644 > --- a/hw/virtio-9p-local.c > +++ b/hw/virtio-9p-local.c > @@ -17,6 +17,7 @@ > #include > #include > #include > +#include > This is probably not something that can be included unconditionally. Regards, Anthony Liguori > static const char *rpath(FsContext *ctx, const char *path) > { > @@ -31,47 +32,39 @@ static int local_lstat(FsContext *ctx, const char *path, struct stat *stbuf) > return lstat(rpath(ctx, path), stbuf); > } > > -static int local_setuid(FsContext *ctx, uid_t uid) > +static int local_set_xattr(const char *path, FsCred *credp) > { > - struct passwd *pw; > - gid_t groups[33]; > - int ngroups; > - static uid_t cur_uid = -1; > - > - if (cur_uid == uid) { > - return 0; > - } > - > - if (setreuid(0, 0)) { > - return -1; > - } > - > - pw = getpwuid(uid); > - if (pw == NULL) { > - return -1; > + int err; > + if (credp->fc_uid != -1) { > + err = setxattr(path, "user.virtfs.uid",&credp->fc_uid, sizeof(uid_t), > + 0); > + if (err) { > + return err; > + } > } > - > - ngroups = 33; > - if (getgrouplist(pw->pw_name, pw->pw_gid, groups,&ngroups) == -1) { > - return -1; > + if (credp->fc_gid != -1) { > + err = setxattr(path, "user.virtfs.gid",&credp->fc_gid, sizeof(gid_t), > + 0); > + if (err) { > + return err; > + } > } > - > - if (setgroups(ngroups, groups)) { > - return -1; > - } > - > - if (setregid(-1, pw->pw_gid)) { > - return -1; > + if (credp->fc_mode != -1) { > + err = setxattr(path, "user.virtfs.mode",&credp->fc_mode, > + sizeof(mode_t), 0); > + if (err) { > + return err; > + } > } > - > - if (setreuid(-1, uid)) { > - return -1; > + if (credp->fc_rdev != -1) { > + err = setxattr(path, "user.virtfs.rdev",&credp->fc_rdev, > + sizeof(dev_t), 0); > + if (err) { > + return err; > + } > } > - > - cur_uid = uid; > - > - return 0; > -} > + return 0; > + } > > static ssize_t local_readlink(FsContext *ctx, const char *path, > char *buf, size_t bufsz) > @@ -168,9 +161,39 @@ static int local_mksock(FsContext *ctx2, const char *path) > return 0; > } > > -static int local_mkdir(FsContext *ctx, const char *path, mode_t mode) > +static int local_mkdir(FsContext *fs_ctx, const char *path, FsCred *credp) > { > - return mkdir(rpath(ctx, path), mode); > + int err = -1; > + /* Determine the security model */ > + if (fs_ctx->fs_sm == sm_mapped) { > + err = mkdir(rpath(fs_ctx, path), SM_LOCAL_MODE_BITS); > + if (err == -1) { > + return err; > + } > + credp->fc_mode = credp->fc_mode|S_IFDIR; > + err = local_set_xattr(rpath(fs_ctx, path), credp); > + if (err == -1) { > + goto err_end; > + } > + } else if (fs_ctx->fs_sm == sm_passthrough) { > + err = mkdir(rpath(fs_ctx, path), credp->fc_mode); > + if (err == -1) { > + return err; > + } > + err = chmod(rpath(fs_ctx, path), credp->fc_mode& 07777); > + if (err == -1) { > + goto err_end; > + } > + err = chown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid); > + if (err == -1) { > + goto err_end; > + } > + } > + return err; > + > +err_end: > + remove(rpath(fs_ctx, path)); > + return err; > } > > static int local_fstat(FsContext *ctx, int fd, struct stat *stbuf) > @@ -178,9 +201,44 @@ static int local_fstat(FsContext *ctx, int fd, struct stat *stbuf) > return fstat(fd, stbuf); > } > > -static int local_open2(FsContext *ctx, const char *path, int flags, mode_t mode) > +static int local_open2(FsContext *fs_ctx, const char *path, int flags, > + FsCred *credp) > { > - return open(rpath(ctx, path), flags, mode); > + int fd = -1; > + int err = -1; > + /* Determine the security model */ > + if (fs_ctx->fs_sm == sm_mapped) { > + int err; > + fd = open(rpath(fs_ctx, path), flags, SM_LOCAL_MODE_BITS); > + if (fd == -1) { > + return fd; > + } > + credp->fc_mode = credp->fc_mode|S_IFREG; > + /* Set cleint credentials in xattr */ > + err = local_set_xattr(rpath(fs_ctx, path), credp); > + if (err == -1) { > + goto err_end; > + } > + } else if (fs_ctx->fs_sm == sm_passthrough) { > + fd = open(rpath(fs_ctx, path), flags, credp->fc_mode); > + if (fd == -1) { > + return fd; > + } > + err = chmod(rpath(fs_ctx, path), credp->fc_mode& 07777); > + if (err == -1) { > + goto err_end; > + } > + err = chown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid); > + if (err == -1) { > + goto err_end; > + } > + } > + return fd; > + > +err_end: > + close(fd); > + remove(rpath(fs_ctx, path)); > + return err; > } > > static int local_symlink(FsContext *ctx, const char *oldpath, > @@ -269,7 +327,6 @@ static int local_statfs(FsContext *s, const char *path, struct statfs *stbuf) > > FileOperations local_ops = { > .lstat = local_lstat, > - .setuid = local_setuid, > .readlink = local_readlink, > .close = local_close, > .closedir = local_closedir, > diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c > index fda3c4a..c8bd5da 100644 > --- a/hw/virtio-9p.c > +++ b/hw/virtio-9p.c > @@ -67,14 +67,17 @@ static int omode_to_uflags(int8_t mode) > return ret; > } > > -static int v9fs_do_lstat(V9fsState *s, V9fsString *path, struct stat *stbuf) > +void cred_init(FsCred *credp) > { > - return s->ops->lstat(&s->ctx, path->data, stbuf); > + credp->fc_uid = -1; > + credp->fc_gid = -1; > + credp->fc_mode = -1; > + credp->fc_rdev = -1; > } > > -static int v9fs_do_setuid(V9fsState *s, uid_t uid) > +static int v9fs_do_lstat(V9fsState *s, V9fsString *path, struct stat *stbuf) > { > - return s->ops->setuid(&s->ctx, uid); > + return s->ops->lstat(&s->ctx, path->data, stbuf); > } > > static ssize_t v9fs_do_readlink(V9fsState *s, V9fsString *path, V9fsString *buf) > @@ -164,9 +167,15 @@ static int v9fs_do_mksock(V9fsState *s, V9fsString *path) > return s->ops->mksock(&s->ctx, path->data); > } > > -static int v9fs_do_mkdir(V9fsState *s, V9fsString *path, mode_t mode) > +static int v9fs_do_mkdir(V9fsState *s, V9fsCreateState *vs) > { > - return s->ops->mkdir(&s->ctx, path->data, mode); > + FsCred cred; > + > + cred_init(&cred); > + cred.fc_uid = vs->fidp->uid; > + cred.fc_mode = vs->perm& 0777; > + > + return s->ops->mkdir(&s->ctx, vs->fullname.data,&cred); > } > > static int v9fs_do_fstat(V9fsState *s, int fd, struct stat *stbuf) > @@ -174,9 +183,17 @@ static int v9fs_do_fstat(V9fsState *s, int fd, struct stat *stbuf) > return s->ops->fstat(&s->ctx, fd, stbuf); > } > > -static int v9fs_do_open2(V9fsState *s, V9fsString *path, int flags, mode_t mode) > +static int v9fs_do_open2(V9fsState *s, V9fsCreateState *vs) > { > - return s->ops->open2(&s->ctx, path->data, flags, mode); > + FsCred cred; > + int flags; > + > + cred_init(&cred); > + cred.fc_uid = vs->fidp->uid; > + cred.fc_mode = vs->perm& 0777; > + flags = omode_to_uflags(vs->mode) | O_CREAT; > + > + return s->ops->open2(&s->ctx, vs->fullname.data, flags,&cred); > } > > static int v9fs_do_symlink(V9fsState *s, V9fsString *oldpath, > @@ -348,7 +365,6 @@ static V9fsFidState *lookup_fid(V9fsState *s, int32_t fid) > > for (f = s->fid_list; f; f = f->next) { > if (f->fid == fid) { > - v9fs_do_setuid(s, f->uid); > return f; > } > } > @@ -1762,7 +1778,7 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err) > } > > if (vs->perm& P9_STAT_MODE_DIR) { > - err = v9fs_do_mkdir(s,&vs->fullname, vs->perm& 0777); > + err = v9fs_do_mkdir(s, vs); > v9fs_create_post_mkdir(s, vs, err); > } else if (vs->perm& P9_STAT_MODE_SYMLINK) { > err = v9fs_do_symlink(s,&vs->extension,&vs->fullname); > @@ -1809,9 +1825,7 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err) > err = v9fs_do_mksock(s,&vs->fullname); > v9fs_create_post_mksock(s, vs, err); > } else { > - vs->fidp->fd = v9fs_do_open2(s,&vs->fullname, > - omode_to_uflags(vs->mode) | O_CREAT, > - vs->perm& 0777); > + vs->fidp->fd = v9fs_do_open2(s, vs); > v9fs_create_post_open2(s, vs, err); > } > > @@ -2322,10 +2336,12 @@ VirtIODevice *virtio_9p_init(DeviceState *dev, V9fsConf *conf) > > if (!strcmp(fse->security_model, "passthrough")) { > /* Files on the Fileserver set to client user credentials */ > + s->ctx.fs_sm = sm_passthrough; > } else if (!strcmp(fse->security_model, "mapped")) { > /* Files on the fileserver are set to QEMU credentials. > * Client user credentials are saved in extended attributes. > */ > + s->ctx.fs_sm = sm_mapped; > } else { > /* user haven't specified a correct security option */ > fprintf(stderr, "one of the following must be specified as the" >