Message-ID: <4D392DEE.7070003@linux.vnet.ibm.com>
Date: Thu, 20 Jan 2011 22:55:42 -0800
From: "Venkateswararao Jujjuri (JV)"
Subject: Re: [Qemu-devel] [V3 PATCH 7/8] virtio-9p: Move file post creation changes to none security model
To: Stefan Hajnoczi
Cc: "M. Mohan Kumar", qemu-devel@nongnu.org

On 1/20/2011 1:45 PM, Stefan Hajnoczi wrote:
> On Thu, Jan 20, 2011 at 9:15 PM, Venkateswararao Jujjuri (JV) wrote:
>> On 1/20/2011 12:59 AM, Stefan Hajnoczi wrote:
>>> On Tue, Jan 18, 2011 at 01:54:16PM +0530, M. Mohan Kumar wrote:
>>>> After creating a file object, its permission and ownership details are updated
>>>> as per client's request for both passthrough and none security model. But with
>>>> chrooted environment it's not required for passthrough security model. Move all
>>>> post file creation changes to none security model
>>>>
>>>> Signed-off-by: M. Mohan Kumar
>>>> ---
>>>> hw/9pfs/virtio-9p-local.c | 19 ++++++-------------
>>>> 1 files changed, 6 insertions(+), 13 deletions(-)
>>>>
>>>> diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/virtio-9p-local.c >>>> index 08fd67f..d2e32e2 100644 >>>> --- a/hw/9pfs/virtio-9p-local.c >>>> +++ b/hw/9pfs/virtio-9p-local.c 
>>>> @@ -208,21 +208,14 @@ static int local_set_xattr(const char *path, FsCred *credp) >>>> return 0; >>>> } >>>> >>>> -static int local_post_create_passthrough(FsContext *fs_ctx, const char *path, >>>> +static int local_post_create_none(FsContext *fs_ctx, const char *path, >>>> FsCred *credp) >>>> { >>>> + int retval; >>>> if (chmod(rpath(fs_ctx, path), credp->fc_mode & 07777) < 0) { >>>> return -1; >>>> } >>>> - if (lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid) < 0) { >>>> - /* >>>> - * If we fail to change ownership and if we are >>>> - * using security model none. Ignore the error >>>> - */ >>>> - if (fs_ctx->fs_sm != SM_NONE) { >>>> - return -1; >>>> - } >>>> - } >>>> + retval = lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid); >>>> return 0; >>>> }
>>>
>>> retval is unused.
>>>
>>> Can multiple virtio-9p requests execute at a time? chmod() and lchown()
>>> after creation is a race condition if other requests can execute
>>> concurrently.
>>
>> If some level of serialization is needed it will be done at the client/guest
>> inode level.
>> Are you worried about filesystem semantics? or do you see some corruption if they
>> get executed in parallel?
>
> My main concern is unreliable results due to the race conditions
> between creation and the fixups that are performed afterwards.
>
> Is virtio-9p only useful for single guest exclusive access? I thought
> both guest and host could access files at the same time? What about
> multiple VMs sharing a directory? These scenarios can only work if
> operations are made atomic.

For now, there is only one exploiter for the filesystem. The Guest/client.
In the future it could be different and we 'may' support multiple exploiters/users.

Note that we have two security models
1. Passthrough
2. Mapped.
(3. None - can be ignored as it is intended for developer)

Mapped model is advised when you have only one exploiter;
Passthrough model is for more practical application/uses and it can be used
for multiple exploiters (say guests).

In passthrough model we don't do chmod() lchmod() after creating files.

Thanks,
JV

>
> Stefan
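
Review bot: in local_post_create_none() the result of lchown() is assigned to the new retval and never read, while the function still ends in return 0, so the variable is dead and the comment that explained why an ownership failure is tolerated was deleted together with the old branch. Suggest dropping retval and keeping a one-line comment at the lchown() call saying the failure is deliberately ignored under the none model (or returning the error if it is not meant to be ignored). Separately, chmod() and lchown() are still applied by path through rpath() after the object exists, and chmod() follows a symlink where lchown() does not, so the two calls can end up acting on different objects if the path changes in between; applying mode and ownership through a descriptor of the created object would remove that dependency on the path.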
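
The window Stefan describes between creation and the chmod()/lchown() fixups, shown with descriptor-based fixups instead, as an added example that is not part of the original thread or of QEMU's code. The names `struct cred`, `create_with_cred` and `demo` are hypothetical, and a Linux/POSIX.1-2008 host with a writable /tmp is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the credentials the client asks for. */
struct cred { uid_t uid; gid_t gid; mode_t mode; };

/* Create `name` under dirfd, then set ownership and mode through the
 * descriptor so the fixups reach the object just created even if the path
 * is renamed or replaced meanwhile. Returns 0, or -1 with errno set. */
int create_with_cred(int dirfd, const char *name, const struct cred *c,
                     int ignore_chown_err)
{
    /* O_EXCL refuses an existing name, symlinks included; mode 0 keeps the
     * file closed to other users until the fixups are complete. */
    int fd = openat(dirfd, name, O_CREAT | O_EXCL | O_NOFOLLOW | O_WRONLY, 0);
    if (fd < 0) return -1;
    /* chown before chmod: a change of owner can clear set-id bits. */
    if ((fchown(fd, c->uid, c->gid) < 0 && !ignore_chown_err) ||
        fchmod(fd, c->mode & 07777) < 0) {
        int saved = errno;
        close(fd);
        unlinkat(dirfd, name, 0);   /* leave no half-initialised file */
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Constructed self-check in a fresh temp directory: returns the resulting
 * permission bits, or -1 if an existing name or a symlink was accepted. */
int demo(void)
{
    char dir[] = "/tmp/9p-demo-XXXXXX";
    struct cred c = { getuid(), getgid(), 0640 };
    struct stat st;
    int dfd = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    if (dfd < 0) return -1;
    if (create_with_cred(dfd, "f", &c, 0) < 0) return -1;
    if (create_with_cred(dfd, "f", &c, 0) == 0 || errno != EEXIST) return -1;
    if (symlinkat("f", dfd, "link") < 0) return -1;
    if (create_with_cred(dfd, "link", &c, 0) == 0) return -1;
    if (fstatat(dfd, "f", &st, 0) < 0) return -1;
    return st.st_mode & 07777;
}

int main(void) { return demo() == 0640 ? 0 : 1; }
```

Passing a non-zero `ignore_chown_err` models the tolerated ownership failure that the removed comment in the patch described for the none model.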