[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
/*
|
|
|
|
FUSE: Filesystem in Userspace
|
2008-11-26 19:03:54 +08:00
|
|
|
Copyright (C) 2001-2008 Miklos Szeredi <miklos@szeredi.hu>
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
|
|
|
This program can be distributed under the terms of the GNU GPL.
|
|
|
|
See the file COPYING.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "fuse_i.h"
|
|
|
|
|
|
|
|
#include <linux/pagemap.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/file.h>
|
|
|
|
#include <linux/seq_file.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/module.h>
|
2009-08-27 01:17:22 +08:00
|
|
|
#include <linux/moduleparam.h>
|
2019-03-26 00:38:31 +08:00
|
|
|
#include <linux/fs_context.h>
|
|
|
|
#include <linux/fs_parser.h>
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
#include <linux/statfs.h>
|
2006-06-25 20:48:55 +08:00
|
|
|
#include <linux/random.h>
|
Detach sched.h from mm.h
First thing mm.h does is including sched.h solely for can_do_mlock() inline
function which has "current" dereference inside. By dealing with can_do_mlock()
mm.h can be detached from sched.h which is good. See below, why.
This patch
a) removes unconditional inclusion of sched.h from mm.h
b) makes can_do_mlock() normal function in mm/mlock.c
c) exports can_do_mlock() to not break compilation
d) adds sched.h inclusions back to files that were getting it indirectly.
e) adds less bloated headers to some files (asm/signal.h, jiffies.h) that were
getting them indirectly
Net result is:
a) mm.h users would get less code to open, read, preprocess, parse, ... if
they don't need sched.h
b) sched.h stops being dependency for significant number of files:
on x86_64 allmodconfig touching sched.h results in recompile of 4083 files,
after patch it's only 3744 (-8.3%).
Cross-compile tested on
all arm defconfigs, all mips defconfigs, all powerpc defconfigs,
alpha alpha-up
arm
i386 i386-up i386-defconfig i386-allnoconfig
ia64 ia64-up
m68k
mips
parisc parisc-up
powerpc powerpc-up
s390 s390-up
sparc sparc-up
sparc64 sparc64-up
um-x86_64
x86_64 x86_64-up x86_64-defconfig x86_64-allnoconfig
as well as my two usual configs.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-05-21 05:22:52 +08:00
|
|
|
#include <linux/sched.h>
|
2008-07-25 16:49:00 +08:00
|
|
|
#include <linux/exportfs.h>
|
2016-08-29 21:46:37 +08:00
|
|
|
#include <linux/posix_acl.h>
|
2014-07-03 05:29:19 +08:00
|
|
|
#include <linux/pid_namespace.h>
|
2022-01-11 07:52:52 +08:00
|
|
|
#include <uapi/linux/magic.h>
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
|
|
|
MODULE_AUTHOR("Miklos Szeredi <miklos@szeredi.hu>");
|
|
|
|
MODULE_DESCRIPTION("Filesystem in Userspace");
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
2006-12-07 12:33:20 +08:00
|
|
|
static struct kmem_cache *fuse_inode_cachep;
|
2006-06-25 20:48:51 +08:00
|
|
|
struct list_head fuse_conn_list;
|
|
|
|
DEFINE_MUTEX(fuse_mutex);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
treewide: Fix function prototypes for module_param_call()
Several function prototypes for the set/get functions defined by
module_param_call() have a slightly wrong argument types. This fixes
those in an effort to clean up the calls when running under type-enforced
compiler instrumentation for CFI. This is the result of running the
following semantic patch:
@match_module_param_call_function@
declarer name module_param_call;
identifier _name, _set_func, _get_func;
expression _arg, _mode;
@@
module_param_call(_name, _set_func, _get_func, _arg, _mode);
@fix_set_prototype
depends on match_module_param_call_function@
identifier match_module_param_call_function._set_func;
identifier _val, _param;
type _val_type, _param_type;
@@
int _set_func(
-_val_type _val
+const char * _val
,
-_param_type _param
+const struct kernel_param * _param
) { ... }
@fix_get_prototype
depends on match_module_param_call_function@
identifier match_module_param_call_function._get_func;
identifier _val, _param;
type _val_type, _param_type;
@@
int _get_func(
-_val_type _val
+char * _val
,
-_param_type _param
+const struct kernel_param * _param
) { ... }
Two additional by-hand changes are included for places where the above
Coccinelle script didn't notice them:
drivers/platform/x86/thinkpad_acpi.c
fs/lockd/svc.c
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
2017-10-18 10:04:42 +08:00
|
|
|
static int set_global_limit(const char *val, const struct kernel_param *kp);
|
2009-08-27 01:17:22 +08:00
|
|
|
|
2009-08-27 01:18:24 +08:00
|
|
|
unsigned max_user_bgreq;
|
2009-08-27 01:17:22 +08:00
|
|
|
module_param_call(max_user_bgreq, set_global_limit, param_get_uint,
|
|
|
|
&max_user_bgreq, 0644);
|
|
|
|
__MODULE_PARM_TYPE(max_user_bgreq, "uint");
|
|
|
|
MODULE_PARM_DESC(max_user_bgreq,
|
|
|
|
"Global limit for the maximum number of backgrounded requests an "
|
|
|
|
"unprivileged user can set");
|
|
|
|
|
2009-08-27 01:18:24 +08:00
|
|
|
unsigned max_user_congthresh;
|
2009-08-27 01:17:22 +08:00
|
|
|
module_param_call(max_user_congthresh, set_global_limit, param_get_uint,
|
|
|
|
&max_user_congthresh, 0644);
|
|
|
|
__MODULE_PARM_TYPE(max_user_congthresh, "uint");
|
|
|
|
MODULE_PARM_DESC(max_user_congthresh,
|
|
|
|
"Global limit for the maximum congestion threshold an "
|
|
|
|
"unprivileged user can set");
|
|
|
|
|
2008-02-08 20:21:43 +08:00
|
|
|
#define FUSE_DEFAULT_BLKSIZE 512
|
|
|
|
|
2009-07-02 08:28:41 +08:00
|
|
|
/** Maximum number of outstanding background requests */
|
|
|
|
#define FUSE_DEFAULT_MAX_BACKGROUND 12
|
|
|
|
|
|
|
|
/** Congestion starts at 75% of maximum */
|
|
|
|
#define FUSE_DEFAULT_CONGESTION_THRESHOLD (FUSE_DEFAULT_MAX_BACKGROUND * 3 / 4)
|
|
|
|
|
2019-03-26 00:38:31 +08:00
|
|
|
#ifdef CONFIG_BLOCK
|
|
|
|
static struct file_system_type fuseblk_fs_type;
|
|
|
|
#endif
|
|
|
|
|
2011-06-01 05:09:00 +08:00
|
|
|
struct fuse_forget_link *fuse_alloc_forget(void)
|
2010-12-08 03:16:56 +08:00
|
|
|
{
|
2019-09-18 03:35:33 +08:00
|
|
|
return kzalloc(sizeof(struct fuse_forget_link), GFP_KERNEL_ACCOUNT);
|
2010-12-08 03:16:56 +08:00
|
|
|
}
|
|
|
|
|
2023-11-04 01:39:47 +08:00
|
|
|
static struct fuse_submount_lookup *fuse_alloc_submount_lookup(void)
|
|
|
|
{
|
|
|
|
struct fuse_submount_lookup *sl;
|
|
|
|
|
|
|
|
sl = kzalloc(sizeof(struct fuse_submount_lookup), GFP_KERNEL_ACCOUNT);
|
|
|
|
if (!sl)
|
|
|
|
return NULL;
|
|
|
|
sl->forget = fuse_alloc_forget();
|
|
|
|
if (!sl->forget)
|
|
|
|
goto out_free;
|
|
|
|
|
|
|
|
return sl;
|
|
|
|
|
|
|
|
out_free:
|
|
|
|
kfree(sl);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
static struct inode *fuse_alloc_inode(struct super_block *sb)
|
|
|
|
{
|
|
|
|
struct fuse_inode *fi;
|
|
|
|
|
2022-03-23 05:41:03 +08:00
|
|
|
fi = alloc_inode_sb(sb, fuse_inode_cachep, GFP_KERNEL);
|
2019-05-06 16:52:25 +08:00
|
|
|
if (!fi)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
return NULL;
|
|
|
|
|
2006-07-30 18:04:10 +08:00
|
|
|
fi->i_time = 0;
|
2023-08-10 18:45:05 +08:00
|
|
|
fi->inval_mask = ~0;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
fi->nodeid = 0;
|
2005-09-10 04:10:29 +08:00
|
|
|
fi->nlookup = 0;
|
2007-11-29 08:22:02 +08:00
|
|
|
fi->attr_version = 0;
|
2012-05-10 23:49:38 +08:00
|
|
|
fi->orig_ino = 0;
|
2013-01-15 11:23:28 +08:00
|
|
|
fi->state = 0;
|
2023-11-04 01:39:47 +08:00
|
|
|
fi->submount_lookup = NULL;
|
2016-06-30 19:10:49 +08:00
|
|
|
mutex_init(&fi->mutex);
|
2018-11-09 18:33:22 +08:00
|
|
|
spin_lock_init(&fi->lock);
|
2010-12-08 03:16:56 +08:00
|
|
|
fi->forget = fuse_alloc_forget();
|
2020-08-20 06:19:51 +08:00
|
|
|
if (!fi->forget)
|
|
|
|
goto out_free;
|
|
|
|
|
|
|
|
if (IS_ENABLED(CONFIG_FUSE_DAX) && !fuse_dax_inode_alloc(sb, fi))
|
|
|
|
goto out_free_forget;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
2024-02-09 22:57:17 +08:00
|
|
|
if (IS_ENABLED(CONFIG_FUSE_PASSTHROUGH))
|
|
|
|
fuse_inode_backing_set(fi, NULL);
|
|
|
|
|
2019-05-06 16:52:25 +08:00
|
|
|
return &fi->inode;
|
2020-08-20 06:19:51 +08:00
|
|
|
|
|
|
|
out_free_forget:
|
|
|
|
kfree(fi->forget);
|
|
|
|
out_free:
|
|
|
|
kmem_cache_free(fuse_inode_cachep, fi);
|
|
|
|
return NULL;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
2019-04-16 07:37:09 +08:00
|
|
|
static void fuse_free_inode(struct inode *inode)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2005-09-10 04:10:28 +08:00
|
|
|
struct fuse_inode *fi = get_fuse_inode(inode);
|
2019-04-16 07:37:09 +08:00
|
|
|
|
2016-06-30 19:10:49 +08:00
|
|
|
mutex_destroy(&fi->mutex);
|
2010-12-08 03:16:56 +08:00
|
|
|
kfree(fi->forget);
|
2020-08-20 06:19:51 +08:00
|
|
|
#ifdef CONFIG_FUSE_DAX
|
|
|
|
kfree(fi->dax);
|
|
|
|
#endif
|
2024-02-09 22:57:17 +08:00
|
|
|
if (IS_ENABLED(CONFIG_FUSE_PASSTHROUGH))
|
|
|
|
fuse_backing_put(fuse_inode_backing(fi));
|
|
|
|
|
2019-04-16 07:37:09 +08:00
|
|
|
kmem_cache_free(fuse_inode_cachep, fi);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
2023-11-04 01:39:47 +08:00
|
|
|
static void fuse_cleanup_submount_lookup(struct fuse_conn *fc,
|
|
|
|
struct fuse_submount_lookup *sl)
|
|
|
|
{
|
|
|
|
if (!refcount_dec_and_test(&sl->count))
|
|
|
|
return;
|
|
|
|
|
|
|
|
fuse_queue_forget(fc, sl->forget, sl->nodeid, 1);
|
|
|
|
sl->forget = NULL;
|
|
|
|
kfree(sl);
|
|
|
|
}
|
|
|
|
|
2010-06-08 02:34:48 +08:00
|
|
|
static void fuse_evict_inode(struct inode *inode)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2019-04-16 07:37:09 +08:00
|
|
|
struct fuse_inode *fi = get_fuse_inode(inode);
|
|
|
|
|
2021-10-22 23:03:01 +08:00
|
|
|
/* Will write inode on close/munmap and in all other dirtiers */
|
|
|
|
WARN_ON(inode->i_state & I_DIRTY_INODE);
|
|
|
|
|
2014-04-04 05:47:49 +08:00
|
|
|
truncate_inode_pages_final(&inode->i_data);
|
2012-05-03 20:48:02 +08:00
|
|
|
clear_inode(inode);
|
2017-11-28 05:05:09 +08:00
|
|
|
if (inode->i_sb->s_flags & SB_ACTIVE) {
|
2005-09-10 04:10:31 +08:00
|
|
|
struct fuse_conn *fc = get_fuse_conn(inode);
|
2020-08-20 06:19:51 +08:00
|
|
|
|
|
|
|
if (FUSE_IS_DAX(inode))
|
|
|
|
fuse_dax_inode_cleanup(inode);
|
2020-09-09 23:52:17 +08:00
|
|
|
if (fi->nlookup) {
|
|
|
|
fuse_queue_forget(fc, fi->forget, fi->nodeid,
|
|
|
|
fi->nlookup);
|
|
|
|
fi->forget = NULL;
|
|
|
|
}
|
2023-11-04 01:39:47 +08:00
|
|
|
|
|
|
|
if (fi->submount_lookup) {
|
|
|
|
fuse_cleanup_submount_lookup(fc, fi->submount_lookup);
|
|
|
|
fi->submount_lookup = NULL;
|
|
|
|
}
|
2005-09-10 04:10:28 +08:00
|
|
|
}
|
2020-12-10 22:33:14 +08:00
|
|
|
if (S_ISREG(inode->i_mode) && !fuse_is_bad(inode)) {
|
2024-04-07 23:57:56 +08:00
|
|
|
WARN_ON(fi->iocachectr != 0);
|
2019-04-16 07:37:09 +08:00
|
|
|
WARN_ON(!list_empty(&fi->write_files));
|
|
|
|
WARN_ON(!list_empty(&fi->queued_writes));
|
|
|
|
}
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
2021-08-04 19:22:58 +08:00
|
|
|
static int fuse_reconfigure(struct fs_context *fsc)
|
2006-06-25 20:48:52 +08:00
|
|
|
{
|
2021-08-04 19:22:58 +08:00
|
|
|
struct super_block *sb = fsc->root->d_sb;
|
2020-07-14 20:45:41 +08:00
|
|
|
|
2014-03-13 22:14:33 +08:00
|
|
|
sync_filesystem(sb);
|
2021-08-04 19:22:58 +08:00
|
|
|
if (fsc->sb_flags & SB_MANDLOCK)
|
2006-06-25 20:48:52 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-05-10 23:49:38 +08:00
|
|
|
/*
|
|
|
|
* ino_t is 32-bits on 32-bit arch. We have to squash the 64-bit value down
|
|
|
|
* so that it will fit.
|
|
|
|
*/
|
|
|
|
static ino_t fuse_squash_ino(u64 ino64)
|
|
|
|
{
|
|
|
|
ino_t ino = (ino_t) ino64;
|
|
|
|
if (sizeof(ino_t) < sizeof(u64))
|
|
|
|
ino ^= ino64 >> (sizeof(u64) - sizeof(ino_t)) * 8;
|
|
|
|
return ino;
|
|
|
|
}
|
|
|
|
|
fuse: support writable mmap
Quoting Linus (3 years ago, FUSE inclusion discussions):
"User-space filesystems are hard to get right. I'd claim that they
are almost impossible, unless you limit them somehow (shared
writable mappings are the nastiest part - if you don't have those,
you can reasonably limit your problems by limiting the number of
dirty pages you accept through normal "write()" calls)."
Instead of attempting the impossible, I've just waited for the dirty page
accounting infrastructure to materialize (thanks to Peter Zijlstra and
others). This nicely solved the biggest problem: limiting the number of pages
used for write caching.
Some small details remained, however, which this largish patch attempts to
address. It provides a page writeback implementation for fuse, which is
completely safe against VM related deadlocks. Performance may not be very
good for certain usage patterns, but generally it should be acceptable.
It has been tested extensively with fsx-linux and bash-shared-mapping.
Fuse page writeback design
--------------------------
fuse_writepage() allocates a new temporary page with GFP_NOFS|__GFP_HIGHMEM.
It copies the contents of the original page, and queues a WRITE request to the
userspace filesystem using this temp page.
The writeback is finished instantly from the MM's point of view: the page is
removed from the radix trees, and the PageDirty and PageWriteback flags are
cleared.
For the duration of the actual write, the NR_WRITEBACK_TEMP counter is
incremented. The per-bdi writeback count is not decremented until the actual
write completes.
On dirtying the page, fuse waits for a previous write to finish before
proceeding. This makes sure, there can only be one temporary page used at a
time for one cached page.
This approach is wasteful in both memory and CPU bandwidth, so why is this
complication needed?
The basic problem is that there can be no guarantee about the time in which
the userspace filesystem will complete a write. It may be buggy or even
malicious, and fail to complete WRITE requests. We don't want unrelated parts
of the system to grind to a halt in such cases.
Also a filesystem may need additional resources (particularly memory) to
complete a WRITE request. There's a great danger of a deadlock if that
allocation may wait for the writepage to finish.
Currently there are several cases where the kernel can block on page
writeback:
- allocation order is larger than PAGE_ALLOC_COSTLY_ORDER
- page migration
- throttle_vm_writeout (through NR_WRITEBACK)
- sync(2)
Of course in some cases (fsync, msync) we explicitly want to allow blocking.
So for these cases new code has to be added to fuse, since the VM is not
tracking writeback pages for us any more.
As an extra safetly measure, the maximum dirty ratio allocated to a single
fuse filesystem is set to 1% by default. This way one (or several) buggy or
malicious fuse filesystems cannot slow down the rest of the system by hogging
dirty memory.
With appropriate privileges, this limit can be raised through
'/sys/class/bdi/<bdi>/max_ratio'.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-30 15:54:41 +08:00
|
|
|
void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
|
2023-08-10 18:45:05 +08:00
|
|
|
struct fuse_statx *sx,
|
2021-10-22 23:03:03 +08:00
|
|
|
u64 attr_valid, u32 cache_mask)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2006-10-17 15:10:06 +08:00
|
|
|
struct fuse_conn *fc = get_fuse_conn(inode);
|
2007-10-17 14:31:03 +08:00
|
|
|
struct fuse_inode *fi = get_fuse_inode(inode);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
2018-11-09 18:33:22 +08:00
|
|
|
lockdep_assert_held(&fi->lock);
|
|
|
|
|
2018-11-09 18:33:17 +08:00
|
|
|
fi->attr_version = atomic64_inc_return(&fc->attr_version);
|
fuse: fix race between getattr and write
Getattr and lookup operations can be running in parallel to attribute changing
operations, such as write and setattr.
This means, that if for example getattr was slower than a write, the cached
size attribute could be set to a stale value.
To prevent this race, introduce a per-filesystem attribute version counter.
This counter is incremented whenever cached attributes are modified, and the
incremented value stored in the inode.
Before storing new attributes in the cache, getattr and lookup check, using
the version number, whether the attributes have been modified during the
request's lifetime. If so, the returned attributes are not cached, because
they might be stale.
Thanks to Jakub Bogusz for the bug report and test program.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Jakub Bogusz <jakub.bogusz@gemius.pl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-18 18:06:58 +08:00
|
|
|
fi->i_time = attr_valid;
|
2023-08-10 18:45:05 +08:00
|
|
|
/* Clear basic stats from invalid mask */
|
|
|
|
set_mask_bits(&fi->inval_mask, STATX_BASIC_STATS, 0);
|
fuse: fix race between getattr and write
Getattr and lookup operations can be running in parallel to attribute changing
operations, such as write and setattr.
This means, that if for example getattr was slower than a write, the cached
size attribute could be set to a stale value.
To prevent this race, introduce a per-filesystem attribute version counter.
This counter is incremented whenever cached attributes are modified, and the
incremented value stored in the inode.
Before storing new attributes in the cache, getattr and lookup check, using
the version number, whether the attributes have been modified during the
request's lifetime. If so, the returned attributes are not cached, because
they might be stale.
Thanks to Jakub Bogusz for the bug report and test program.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Jakub Bogusz <jakub.bogusz@gemius.pl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-18 18:06:58 +08:00
|
|
|
|
2012-05-10 23:49:38 +08:00
|
|
|
inode->i_ino = fuse_squash_ino(attr->ino);
|
2007-10-17 14:31:03 +08:00
|
|
|
inode->i_mode = (inode->i_mode & S_IFMT) | (attr->mode & 07777);
|
2011-10-28 20:13:29 +08:00
|
|
|
set_nlink(inode, attr->nlink);
|
2018-02-22 01:18:07 +08:00
|
|
|
inode->i_uid = make_kuid(fc->user_ns, attr->uid);
|
|
|
|
inode->i_gid = make_kgid(fc->user_ns, attr->gid);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
inode->i_blocks = attr->blocks;
|
2022-07-21 22:06:18 +08:00
|
|
|
|
|
|
|
/* Sanitize nsecs */
|
|
|
|
attr->atimensec = min_t(u32, attr->atimensec, NSEC_PER_SEC - 1);
|
|
|
|
attr->mtimensec = min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1);
|
|
|
|
attr->ctimensec = min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1);
|
|
|
|
|
2023-10-05 02:52:24 +08:00
|
|
|
inode_set_atime(inode, attr->atime, attr->atimensec);
|
2013-12-26 23:51:11 +08:00
|
|
|
/* mtime from server may be stale due to local buffered write */
|
2021-10-22 23:03:03 +08:00
|
|
|
if (!(cache_mask & STATX_MTIME)) {
|
2023-10-05 02:52:24 +08:00
|
|
|
inode_set_mtime(inode, attr->mtime, attr->mtimensec);
|
2021-10-22 23:03:03 +08:00
|
|
|
}
|
|
|
|
if (!(cache_mask & STATX_CTIME)) {
|
2023-07-06 03:01:11 +08:00
|
|
|
inode_set_ctime(inode, attr->ctime, attr->ctimensec);
|
2013-12-26 23:51:11 +08:00
|
|
|
}
|
2023-08-10 18:45:05 +08:00
|
|
|
if (sx) {
|
|
|
|
/* Sanitize nsecs */
|
|
|
|
sx->btime.tv_nsec =
|
|
|
|
min_t(u32, sx->btime.tv_nsec, NSEC_PER_SEC - 1);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Btime has been queried, cache is valid (whether or not btime
|
|
|
|
* is available or not) so clear STATX_BTIME from inval_mask.
|
|
|
|
*
|
|
|
|
* Availability of the btime attribute is indicated in
|
|
|
|
* FUSE_I_BTIME
|
|
|
|
*/
|
|
|
|
set_mask_bits(&fi->inval_mask, STATX_BTIME, 0);
|
|
|
|
if (sx->mask & STATX_BTIME) {
|
|
|
|
set_bit(FUSE_I_BTIME, &fi->state);
|
|
|
|
fi->i_btime.tv_sec = sx->btime.tv_sec;
|
|
|
|
fi->i_btime.tv_nsec = sx->btime.tv_nsec;
|
|
|
|
}
|
|
|
|
}
|
2007-10-17 14:31:01 +08:00
|
|
|
|
2007-10-18 18:07:05 +08:00
|
|
|
if (attr->blksize != 0)
|
|
|
|
inode->i_blkbits = ilog2(attr->blksize);
|
|
|
|
else
|
|
|
|
inode->i_blkbits = inode->i_sb->s_blocksize_bits;
|
|
|
|
|
2007-10-17 14:31:03 +08:00
|
|
|
/*
|
|
|
|
* Don't set the sticky bit in i_mode, unless we want the VFS
|
|
|
|
* to check permissions. This prevents failures due to the
|
|
|
|
* check in may_delete().
|
|
|
|
*/
|
|
|
|
fi->orig_i_mode = inode->i_mode;
|
2016-10-01 13:32:32 +08:00
|
|
|
if (!fc->default_permissions)
|
2007-10-17 14:31:03 +08:00
|
|
|
inode->i_mode &= ~S_ISVTX;
|
2012-05-10 23:49:38 +08:00
|
|
|
|
|
|
|
fi->orig_ino = attr->ino;
|
2020-10-10 02:15:12 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* We are refreshing inode data and it is possible that another
|
|
|
|
* client set suid/sgid or security.capability xattr. So clear
|
|
|
|
* S_NOSEC. Ideally, we could have cleared it only if suid/sgid
|
|
|
|
* was set or if security.capability xattr was set. But we don't
|
|
|
|
* know if security.capability has been set or not. So clear it
|
|
|
|
* anyway. Its less efficient but should be safe.
|
|
|
|
*/
|
|
|
|
inode->i_flags &= ~S_NOSEC;
|
fuse: support writable mmap
Quoting Linus (3 years ago, FUSE inclusion discussions):
"User-space filesystems are hard to get right. I'd claim that they
are almost impossible, unless you limit them somehow (shared
writable mappings are the nastiest part - if you don't have those,
you can reasonably limit your problems by limiting the number of
dirty pages you accept through normal "write()" calls)."
Instead of attempting the impossible, I've just waited for the dirty page
accounting infrastructure to materialize (thanks to Peter Zijlstra and
others). This nicely solved the biggest problem: limiting the number of pages
used for write caching.
Some small details remained, however, which this largish patch attempts to
address. It provides a page writeback implementation for fuse, which is
completely safe against VM related deadlocks. Performance may not be very
good for certain usage patterns, but generally it should be acceptable.
It has been tested extensively with fsx-linux and bash-shared-mapping.
Fuse page writeback design
--------------------------
fuse_writepage() allocates a new temporary page with GFP_NOFS|__GFP_HIGHMEM.
It copies the contents of the original page, and queues a WRITE request to the
userspace filesystem using this temp page.
The writeback is finished instantly from the MM's point of view: the page is
removed from the radix trees, and the PageDirty and PageWriteback flags are
cleared.
For the duration of the actual write, the NR_WRITEBACK_TEMP counter is
incremented. The per-bdi writeback count is not decremented until the actual
write completes.
On dirtying the page, fuse waits for a previous write to finish before
proceeding. This makes sure, there can only be one temporary page used at a
time for one cached page.
This approach is wasteful in both memory and CPU bandwidth, so why is this
complication needed?
The basic problem is that there can be no guarantee about the time in which
the userspace filesystem will complete a write. It may be buggy or even
malicious, and fail to complete WRITE requests. We don't want unrelated parts
of the system to grind to a halt in such cases.
Also a filesystem may need additional resources (particularly memory) to
complete a WRITE request. There's a great danger of a deadlock if that
allocation may wait for the writepage to finish.
Currently there are several cases where the kernel can block on page
writeback:
- allocation order is larger than PAGE_ALLOC_COSTLY_ORDER
- page migration
- throttle_vm_writeout (through NR_WRITEBACK)
- sync(2)
Of course in some cases (fsync, msync) we explicitly want to allow blocking.
So for these cases new code has to be added to fuse, since the VM is not
tracking writeback pages for us any more.
As an extra safetly measure, the maximum dirty ratio allocated to a single
fuse filesystem is set to 1% by default. This way one (or several) buggy or
malicious fuse filesystems cannot slow down the rest of the system by hogging
dirty memory.
With appropriate privileges, this limit can be raised through
'/sys/class/bdi/<bdi>/max_ratio'.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-30 15:54:41 +08:00
|
|
|
}
|
|
|
|
|
2021-10-22 23:03:03 +08:00
|
|
|
u32 fuse_get_cache_mask(struct inode *inode)
|
|
|
|
{
|
|
|
|
struct fuse_conn *fc = get_fuse_conn(inode);
|
|
|
|
|
|
|
|
if (!fc->writeback_cache || !S_ISREG(inode->i_mode))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
return STATX_MTIME | STATX_CTIME | STATX_SIZE;
|
|
|
|
}
|
|
|
|
|
fuse: support writable mmap
Quoting Linus (3 years ago, FUSE inclusion discussions):
"User-space filesystems are hard to get right. I'd claim that they
are almost impossible, unless you limit them somehow (shared
writable mappings are the nastiest part - if you don't have those,
you can reasonably limit your problems by limiting the number of
dirty pages you accept through normal "write()" calls)."
Instead of attempting the impossible, I've just waited for the dirty page
accounting infrastructure to materialize (thanks to Peter Zijlstra and
others). This nicely solved the biggest problem: limiting the number of pages
used for write caching.
Some small details remained, however, which this largish patch attempts to
address. It provides a page writeback implementation for fuse, which is
completely safe against VM related deadlocks. Performance may not be very
good for certain usage patterns, but generally it should be acceptable.
It has been tested extensively with fsx-linux and bash-shared-mapping.
Fuse page writeback design
--------------------------
fuse_writepage() allocates a new temporary page with GFP_NOFS|__GFP_HIGHMEM.
It copies the contents of the original page, and queues a WRITE request to the
userspace filesystem using this temp page.
The writeback is finished instantly from the MM's point of view: the page is
removed from the radix trees, and the PageDirty and PageWriteback flags are
cleared.
For the duration of the actual write, the NR_WRITEBACK_TEMP counter is
incremented. The per-bdi writeback count is not decremented until the actual
write completes.
On dirtying the page, fuse waits for a previous write to finish before
proceeding. This makes sure, there can only be one temporary page used at a
time for one cached page.
This approach is wasteful in both memory and CPU bandwidth, so why is this
complication needed?
The basic problem is that there can be no guarantee about the time in which
the userspace filesystem will complete a write. It may be buggy or even
malicious, and fail to complete WRITE requests. We don't want unrelated parts
of the system to grind to a halt in such cases.
Also a filesystem may need additional resources (particularly memory) to
complete a WRITE request. There's a great danger of a deadlock if that
allocation may wait for the writepage to finish.
Currently there are several cases where the kernel can block on page
writeback:
- allocation order is larger than PAGE_ALLOC_COSTLY_ORDER
- page migration
- throttle_vm_writeout (through NR_WRITEBACK)
- sync(2)
Of course in some cases (fsync, msync) we explicitly want to allow blocking.
So for these cases new code has to be added to fuse, since the VM is not
tracking writeback pages for us any more.
As an extra safetly measure, the maximum dirty ratio allocated to a single
fuse filesystem is set to 1% by default. This way one (or several) buggy or
malicious fuse filesystems cannot slow down the rest of the system by hogging
dirty memory.
With appropriate privileges, this limit can be raised through
'/sys/class/bdi/<bdi>/max_ratio'.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-30 15:54:41 +08:00
|
|
|
void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
|
2023-08-10 18:45:05 +08:00
|
|
|
struct fuse_statx *sx,
|
fuse: support writable mmap
Quoting Linus (3 years ago, FUSE inclusion discussions):
"User-space filesystems are hard to get right. I'd claim that they
are almost impossible, unless you limit them somehow (shared
writable mappings are the nastiest part - if you don't have those,
you can reasonably limit your problems by limiting the number of
dirty pages you accept through normal "write()" calls)."
Instead of attempting the impossible, I've just waited for the dirty page
accounting infrastructure to materialize (thanks to Peter Zijlstra and
others). This nicely solved the biggest problem: limiting the number of pages
used for write caching.
Some small details remained, however, which this largish patch attempts to
address. It provides a page writeback implementation for fuse, which is
completely safe against VM related deadlocks. Performance may not be very
good for certain usage patterns, but generally it should be acceptable.
It has been tested extensively with fsx-linux and bash-shared-mapping.
Fuse page writeback design
--------------------------
fuse_writepage() allocates a new temporary page with GFP_NOFS|__GFP_HIGHMEM.
It copies the contents of the original page, and queues a WRITE request to the
userspace filesystem using this temp page.
The writeback is finished instantly from the MM's point of view: the page is
removed from the radix trees, and the PageDirty and PageWriteback flags are
cleared.
For the duration of the actual write, the NR_WRITEBACK_TEMP counter is
incremented. The per-bdi writeback count is not decremented until the actual
write completes.
On dirtying the page, fuse waits for a previous write to finish before
proceeding. This makes sure, there can only be one temporary page used at a
time for one cached page.
This approach is wasteful in both memory and CPU bandwidth, so why is this
complication needed?
The basic problem is that there can be no guarantee about the time in which
the userspace filesystem will complete a write. It may be buggy or even
malicious, and fail to complete WRITE requests. We don't want unrelated parts
of the system to grind to a halt in such cases.
Also a filesystem may need additional resources (particularly memory) to
complete a WRITE request. There's a great danger of a deadlock if that
allocation may wait for the writepage to finish.
Currently there are several cases where the kernel can block on page
writeback:
- allocation order is larger than PAGE_ALLOC_COSTLY_ORDER
- page migration
- throttle_vm_writeout (through NR_WRITEBACK)
- sync(2)
Of course in some cases (fsync, msync) we explicitly want to allow blocking.
So for these cases new code has to be added to fuse, since the VM is not
tracking writeback pages for us any more.
As an extra safetly measure, the maximum dirty ratio allocated to a single
fuse filesystem is set to 1% by default. This way one (or several) buggy or
malicious fuse filesystems cannot slow down the rest of the system by hogging
dirty memory.
With appropriate privileges, this limit can be raised through
'/sys/class/bdi/<bdi>/max_ratio'.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-30 15:54:41 +08:00
|
|
|
u64 attr_valid, u64 attr_version)
|
|
|
|
{
|
|
|
|
struct fuse_conn *fc = get_fuse_conn(inode);
|
|
|
|
struct fuse_inode *fi = get_fuse_inode(inode);
|
2021-10-22 23:03:03 +08:00
|
|
|
u32 cache_mask;
|
fuse: support writable mmap
Quoting Linus (3 years ago, FUSE inclusion discussions):
"User-space filesystems are hard to get right. I'd claim that they
are almost impossible, unless you limit them somehow (shared
writable mappings are the nastiest part - if you don't have those,
you can reasonably limit your problems by limiting the number of
dirty pages you accept through normal "write()" calls)."
Instead of attempting the impossible, I've just waited for the dirty page
accounting infrastructure to materialize (thanks to Peter Zijlstra and
others). This nicely solved the biggest problem: limiting the number of pages
used for write caching.
Some small details remained, however, which this largish patch attempts to
address. It provides a page writeback implementation for fuse, which is
completely safe against VM related deadlocks. Performance may not be very
good for certain usage patterns, but generally it should be acceptable.
It has been tested extensively with fsx-linux and bash-shared-mapping.
Fuse page writeback design
--------------------------
fuse_writepage() allocates a new temporary page with GFP_NOFS|__GFP_HIGHMEM.
It copies the contents of the original page, and queues a WRITE request to the
userspace filesystem using this temp page.
The writeback is finished instantly from the MM's point of view: the page is
removed from the radix trees, and the PageDirty and PageWriteback flags are
cleared.
For the duration of the actual write, the NR_WRITEBACK_TEMP counter is
incremented. The per-bdi writeback count is not decremented until the actual
write completes.
On dirtying the page, fuse waits for a previous write to finish before
proceeding. This makes sure, there can only be one temporary page used at a
time for one cached page.
This approach is wasteful in both memory and CPU bandwidth, so why is this
complication needed?
The basic problem is that there can be no guarantee about the time in which
the userspace filesystem will complete a write. It may be buggy or even
malicious, and fail to complete WRITE requests. We don't want unrelated parts
of the system to grind to a halt in such cases.
Also a filesystem may need additional resources (particularly memory) to
complete a WRITE request. There's a great danger of a deadlock if that
allocation may wait for the writepage to finish.
Currently there are several cases where the kernel can block on page
writeback:
- allocation order is larger than PAGE_ALLOC_COSTLY_ORDER
- page migration
- throttle_vm_writeout (through NR_WRITEBACK)
- sync(2)
Of course in some cases (fsync, msync) we explicitly want to allow blocking.
So for these cases new code has to be added to fuse, since the VM is not
tracking writeback pages for us any more.
As an extra safetly measure, the maximum dirty ratio allocated to a single
fuse filesystem is set to 1% by default. This way one (or several) buggy or
malicious fuse filesystems cannot slow down the rest of the system by hogging
dirty memory.
With appropriate privileges, this limit can be raised through
'/sys/class/bdi/<bdi>/max_ratio'.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-30 15:54:41 +08:00
|
|
|
loff_t oldsize;
|
2018-07-13 22:35:10 +08:00
|
|
|
struct timespec64 old_mtime;
|
fuse: support writable mmap
Quoting Linus (3 years ago, FUSE inclusion discussions):
"User-space filesystems are hard to get right. I'd claim that they
are almost impossible, unless you limit them somehow (shared
writable mappings are the nastiest part - if you don't have those,
you can reasonably limit your problems by limiting the number of
dirty pages you accept through normal "write()" calls)."
Instead of attempting the impossible, I've just waited for the dirty page
accounting infrastructure to materialize (thanks to Peter Zijlstra and
others). This nicely solved the biggest problem: limiting the number of pages
used for write caching.
Some small details remained, however, which this largish patch attempts to
address. It provides a page writeback implementation for fuse, which is
completely safe against VM related deadlocks. Performance may not be very
good for certain usage patterns, but generally it should be acceptable.
It has been tested extensively with fsx-linux and bash-shared-mapping.
Fuse page writeback design
--------------------------
fuse_writepage() allocates a new temporary page with GFP_NOFS|__GFP_HIGHMEM.
It copies the contents of the original page, and queues a WRITE request to the
userspace filesystem using this temp page.
The writeback is finished instantly from the MM's point of view: the page is
removed from the radix trees, and the PageDirty and PageWriteback flags are
cleared.
For the duration of the actual write, the NR_WRITEBACK_TEMP counter is
incremented. The per-bdi writeback count is not decremented until the actual
write completes.
On dirtying the page, fuse waits for a previous write to finish before
proceeding. This makes sure, there can only be one temporary page used at a
time for one cached page.
This approach is wasteful in both memory and CPU bandwidth, so why is this
complication needed?
The basic problem is that there can be no guarantee about the time in which
the userspace filesystem will complete a write. It may be buggy or even
malicious, and fail to complete WRITE requests. We don't want unrelated parts
of the system to grind to a halt in such cases.
Also a filesystem may need additional resources (particularly memory) to
complete a WRITE request. There's a great danger of a deadlock if that
allocation may wait for the writepage to finish.
Currently there are several cases where the kernel can block on page
writeback:
- allocation order is larger than PAGE_ALLOC_COSTLY_ORDER
- page migration
- throttle_vm_writeout (through NR_WRITEBACK)
- sync(2)
Of course in some cases (fsync, msync) we explicitly want to allow blocking.
So for these cases new code has to be added to fuse, since the VM is not
tracking writeback pages for us any more.
As an extra safetly measure, the maximum dirty ratio allocated to a single
fuse filesystem is set to 1% by default. This way one (or several) buggy or
malicious fuse filesystems cannot slow down the rest of the system by hogging
dirty memory.
With appropriate privileges, this limit can be raised through
'/sys/class/bdi/<bdi>/max_ratio'.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-30 15:54:41 +08:00
|
|
|
|
2018-11-09 18:33:22 +08:00
|
|
|
spin_lock(&fi->lock);
|
2021-10-22 23:03:03 +08:00
|
|
|
/*
|
|
|
|
* In case of writeback_cache enabled, writes update mtime, ctime and
|
|
|
|
* may update i_size. In these cases trust the cached value in the
|
|
|
|
* inode.
|
|
|
|
*/
|
2021-10-22 23:03:03 +08:00
|
|
|
cache_mask = fuse_get_cache_mask(inode);
|
|
|
|
if (cache_mask & STATX_SIZE)
|
2021-10-22 23:03:03 +08:00
|
|
|
attr->size = i_size_read(inode);
|
2021-10-22 23:03:03 +08:00
|
|
|
|
|
|
|
if (cache_mask & STATX_MTIME) {
|
2023-10-05 02:52:24 +08:00
|
|
|
attr->mtime = inode_get_mtime_sec(inode);
|
|
|
|
attr->mtimensec = inode_get_mtime_nsec(inode);
|
2021-10-22 23:03:03 +08:00
|
|
|
}
|
|
|
|
if (cache_mask & STATX_CTIME) {
|
2023-10-05 02:52:24 +08:00
|
|
|
attr->ctime = inode_get_ctime_sec(inode);
|
|
|
|
attr->ctimensec = inode_get_ctime_nsec(inode);
|
2021-10-22 23:03:03 +08:00
|
|
|
}
|
|
|
|
|
fuse: hotfix truncate_pagecache() issue
The way how fuse calls truncate_pagecache() from fuse_change_attributes()
is completely wrong. Because, w/o i_mutex held, we never sure whether
'oldsize' and 'attr->size' are valid by the time of execution of
truncate_pagecache(inode, oldsize, attr->size). In fact, as soon as we
released fc->lock in the middle of fuse_change_attributes(), we completely
loose control of actions which may happen with given inode until we reach
truncate_pagecache. The list of potentially dangerous actions includes
mmap-ed reads and writes, ftruncate(2) and write(2) extending file size.
The typical outcome of doing truncate_pagecache() with outdated arguments
is data corruption from user point of view. This is (in some sense)
acceptable in cases when the issue is triggered by a change of the file on
the server (i.e. externally wrt fuse operation), but it is absolutely
intolerable in scenarios when a single fuse client modifies a file without
any external intervention. A real life case I discovered by fsx-linux
looked like this:
1. Shrinking ftruncate(2) comes to fuse_do_setattr(). The latter sends
FUSE_SETATTR to the server synchronously, but before getting fc->lock ...
2. fuse_dentry_revalidate() is asynchronously called. It sends FUSE_LOOKUP
to the server synchronously, then calls fuse_change_attributes(). The
latter updates i_size, releases fc->lock, but before comparing oldsize vs
attr->size..
3. fuse_do_setattr() from the first step proceeds by acquiring fc->lock and
updating attributes and i_size, but now oldsize is equal to
outarg.attr.size because i_size has just been updated (step 2). Hence,
fuse_do_setattr() returns w/o calling truncate_pagecache().
4. As soon as ftruncate(2) completes, the user extends file size by
write(2) making a hole in the middle of file, then reads data from the hole
either by read(2) or mmap-ed read. The user expects to get zero data from
the hole, but gets stale data because truncate_pagecache() is not executed
yet.
The scenario above illustrates one side of the problem: not truncating the
page cache even though we should. Another side corresponds to truncating
page cache too late, when the state of inode changed significantly.
Theoretically, the following is possible:
1. As in the previous scenario fuse_dentry_revalidate() discovered that
i_size changed (due to our own fuse_do_setattr()) and is going to call
truncate_pagecache() for some 'new_size' it believes valid right now. But
by the time that particular truncate_pagecache() is called ...
2. fuse_do_setattr() returns (either having called truncate_pagecache() or
not -- it doesn't matter).
3. The file is extended either by write(2) or ftruncate(2) or fallocate(2).
4. mmap-ed write makes a page in the extended region dirty.
The result will be the lost of data user wrote on the fourth step.
The patch is a hotfix resolving the issue in a simplistic way: let's skip
dangerous i_size update and truncate_pagecache if an operation changing
file size is in progress. This simplistic approach looks correct for the
cases w/o external changes. And to handle them properly, more sophisticated
and intrusive techniques (e.g. NFS-like one) would be required. I'd like to
postpone it until the issue is well discussed on the mailing list(s).
Changed in v2:
- improved patch description to cover both sides of the issue.
Signed-off-by: Maxim Patlasov <mpatlasov@parallels.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: stable@vger.kernel.org
2013-08-30 21:06:04 +08:00
|
|
|
if ((attr_version != 0 && fi->attr_version > attr_version) ||
|
|
|
|
test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
|
2018-11-09 18:33:22 +08:00
|
|
|
spin_unlock(&fi->lock);
|
fuse: support writable mmap
Quoting Linus (3 years ago, FUSE inclusion discussions):
"User-space filesystems are hard to get right. I'd claim that they
are almost impossible, unless you limit them somehow (shared
writable mappings are the nastiest part - if you don't have those,
you can reasonably limit your problems by limiting the number of
dirty pages you accept through normal "write()" calls)."
Instead of attempting the impossible, I've just waited for the dirty page
accounting infrastructure to materialize (thanks to Peter Zijlstra and
others). This nicely solved the biggest problem: limiting the number of pages
used for write caching.
Some small details remained, however, which this largish patch attempts to
address. It provides a page writeback implementation for fuse, which is
completely safe against VM related deadlocks. Performance may not be very
good for certain usage patterns, but generally it should be acceptable.
It has been tested extensively with fsx-linux and bash-shared-mapping.
Fuse page writeback design
--------------------------
fuse_writepage() allocates a new temporary page with GFP_NOFS|__GFP_HIGHMEM.
It copies the contents of the original page, and queues a WRITE request to the
userspace filesystem using this temp page.
The writeback is finished instantly from the MM's point of view: the page is
removed from the radix trees, and the PageDirty and PageWriteback flags are
cleared.
For the duration of the actual write, the NR_WRITEBACK_TEMP counter is
incremented. The per-bdi writeback count is not decremented until the actual
write completes.
On dirtying the page, fuse waits for a previous write to finish before
proceeding. This makes sure, there can only be one temporary page used at a
time for one cached page.
This approach is wasteful in both memory and CPU bandwidth, so why is this
complication needed?
The basic problem is that there can be no guarantee about the time in which
the userspace filesystem will complete a write. It may be buggy or even
malicious, and fail to complete WRITE requests. We don't want unrelated parts
of the system to grind to a halt in such cases.
Also a filesystem may need additional resources (particularly memory) to
complete a WRITE request. There's a great danger of a deadlock if that
allocation may wait for the writepage to finish.
Currently there are several cases where the kernel can block on page
writeback:
- allocation order is larger than PAGE_ALLOC_COSTLY_ORDER
- page migration
- throttle_vm_writeout (through NR_WRITEBACK)
- sync(2)
Of course in some cases (fsync, msync) we explicitly want to allow blocking.
So for these cases new code has to be added to fuse, since the VM is not
tracking writeback pages for us any more.
As an extra safetly measure, the maximum dirty ratio allocated to a single
fuse filesystem is set to 1% by default. This way one (or several) buggy or
malicious fuse filesystems cannot slow down the rest of the system by hogging
dirty memory.
With appropriate privileges, this limit can be raised through
'/sys/class/bdi/<bdi>/max_ratio'.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-30 15:54:41 +08:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2023-10-05 02:52:24 +08:00
|
|
|
old_mtime = inode_get_mtime(inode);
|
2023-08-10 18:45:05 +08:00
|
|
|
fuse_change_attributes_common(inode, attr, sx, attr_valid, cache_mask);
|
2007-10-17 14:31:03 +08:00
|
|
|
|
2007-10-17 14:31:01 +08:00
|
|
|
oldsize = inode->i_size;
|
2013-10-10 21:10:46 +08:00
|
|
|
/*
|
|
|
|
* In case of writeback_cache enabled, the cached writes beyond EOF
|
|
|
|
* extend local i_size without keeping userspace server in sync. So,
|
|
|
|
* attr->size coming from server can be stale. We cannot trust it.
|
|
|
|
*/
|
2021-10-22 23:03:03 +08:00
|
|
|
if (!(cache_mask & STATX_SIZE))
|
2013-10-10 21:10:46 +08:00
|
|
|
i_size_write(inode, attr->size);
|
2018-11-09 18:33:22 +08:00
|
|
|
spin_unlock(&fi->lock);
|
2007-10-17 14:31:01 +08:00
|
|
|
|
2021-10-22 23:03:03 +08:00
|
|
|
if (!cache_mask && S_ISREG(inode->i_mode)) {
|
2012-07-17 03:23:49 +08:00
|
|
|
bool inval = false;
|
|
|
|
|
|
|
|
if (oldsize != attr->size) {
|
2013-09-13 06:13:56 +08:00
|
|
|
truncate_pagecache(inode, attr->size);
|
fuse: allow filesystems to have precise control over data cache
On networked filesystems file data can be changed externally. FUSE
provides notification messages for filesystem to inform kernel that
metadata or data region of a file needs to be invalidated in local page
cache. That provides the basis for filesystem implementations to invalidate
kernel cache explicitly based on observed filesystem-specific events.
FUSE has also "automatic" invalidation mode(*) when the kernel
automatically invalidates data cache of a file if it sees mtime change. It
also automatically invalidates whole data cache of a file if it sees file
size being changed.
The automatic mode has corresponding capability - FUSE_AUTO_INVAL_DATA.
However, due to probably historical reason, that capability controls only
whether mtime change should be resulting in automatic invalidation or
not. A change in file size always results in invalidating whole data cache
of a file irregardless of whether FUSE_AUTO_INVAL_DATA was negotiated(+).
The filesystem I write[1] represents data arrays stored in networked
database as local files suitable for mmap. It is read-only filesystem -
changes to data are committed externally via database interfaces and the
filesystem only glues data into contiguous file streams suitable for mmap
and traditional array processing. The files are big - starting from
hundreds gigabytes and more. The files change regularly, and frequently by
data being appended to their end. The size of files thus changes
frequently.
If a file was accessed locally and some part of its data got into page
cache, we want that data to stay cached unless there is memory pressure, or
unless corresponding part of the file was actually changed. However current
FUSE behaviour - when it sees file size change - is to invalidate the whole
file. The data cache of the file is thus completely lost even on small size
change, and despite that the filesystem server is careful to accurately
translate database changes into FUSE invalidation messages to kernel.
Let's fix it: if a filesystem, through new FUSE_EXPLICIT_INVAL_DATA
capability, indicates to kernel that it is fully responsible for data cache
invalidation, then the kernel won't invalidate files data cache on size
change and only truncate that cache to new size in case the size decreased.
(*) see 72d0d248ca "fuse: add FUSE_AUTO_INVAL_DATA init flag",
eed2179efe "fuse: invalidate inode mapping if mtime changes"
(+) in writeback mode the kernel does not invalidate data cache on file
size change, but neither it allows the filesystem to set the size due to
external event (see 8373200b12 "fuse: Trust kernel i_size only")
[1] https://lab.nexedi.com/kirr/wendelin.core/blob/a50f1d9f/wcfs/wcfs.go#L20
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2019-03-27 19:14:15 +08:00
|
|
|
if (!fc->explicit_inval_data)
|
|
|
|
inval = true;
|
2012-07-17 03:23:49 +08:00
|
|
|
} else if (fc->auto_inval_data) {
|
2018-07-13 22:35:10 +08:00
|
|
|
struct timespec64 new_mtime = {
|
2012-07-17 03:23:49 +08:00
|
|
|
.tv_sec = attr->mtime,
|
|
|
|
.tv_nsec = attr->mtimensec,
|
|
|
|
};
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Auto inval mode also checks and invalidates if mtime
|
|
|
|
* has changed.
|
|
|
|
*/
|
2018-07-13 22:35:10 +08:00
|
|
|
if (!timespec64_equal(&old_mtime, &new_mtime))
|
2012-07-17 03:23:49 +08:00
|
|
|
inval = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (inval)
|
|
|
|
invalidate_inode_pages2(inode->i_mapping);
|
2007-10-17 14:31:01 +08:00
|
|
|
}
|
2021-11-25 15:05:29 +08:00
|
|
|
|
|
|
|
if (IS_ENABLED(CONFIG_FUSE_DAX))
|
|
|
|
fuse_dax_dontcache(inode, attr->flags);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
2023-11-04 01:39:47 +08:00
|
|
|
static void fuse_init_submount_lookup(struct fuse_submount_lookup *sl,
|
|
|
|
u64 nodeid)
|
|
|
|
{
|
|
|
|
sl->nodeid = nodeid;
|
|
|
|
refcount_set(&sl->count, 1);
|
|
|
|
}
|
|
|
|
|
2023-01-20 19:55:04 +08:00
|
|
|
static void fuse_init_inode(struct inode *inode, struct fuse_attr *attr,
|
|
|
|
struct fuse_conn *fc)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
|
|
|
inode->i_mode = attr->mode & S_IFMT;
|
2006-10-17 15:10:06 +08:00
|
|
|
inode->i_size = attr->size;
|
2023-10-05 02:52:24 +08:00
|
|
|
inode_set_mtime(inode, attr->mtime, attr->mtimensec);
|
2023-07-06 03:01:11 +08:00
|
|
|
inode_set_ctime(inode, attr->ctime, attr->ctimensec);
|
2005-09-10 04:10:28 +08:00
|
|
|
if (S_ISREG(inode->i_mode)) {
|
|
|
|
fuse_init_common(inode);
|
fuse: enable per inode DAX
DAX may be limited in some specific situation. When the number of usable
DAX windows is under watermark, the recalim routine will be triggered to
reclaim some DAX windows. It may have a negative impact on the
performance, since some processes may need to wait for DAX windows to be
recalimed and reused then. To mitigate the performance degradation, the
overall DAX window need to be expanded larger.
However, simply expanding the DAX window may not be a good deal in some
scenario. To maintain one DAX window chunk (i.e., 2MB in size), 32KB
(512 * 64 bytes) memory footprint will be consumed for page descriptors
inside guest, which is greater than the memory footprint if it uses
guest page cache when DAX disabled. Thus it'd better disable DAX for
those files smaller than 32KB, to reduce the demand for DAX window and
thus avoid the unworthy memory overhead.
Per inode DAX feature is introduced to address this issue, by offering a
finer grained control for dax to users, trying to achieve a balance
between performance and memory overhead.
The FUSE_ATTR_DAX flag in FUSE_LOOKUP reply is used to indicate whether
DAX should be enabled or not for corresponding file. Currently the state
whether DAX is enabled or not for the file is initialized only when
inode is instantiated.
Signed-off-by: Jeffle Xu <jefflexu@linux.alibaba.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2021-11-25 15:05:27 +08:00
|
|
|
fuse_init_file_inode(inode, attr->flags);
|
2005-09-10 04:10:28 +08:00
|
|
|
} else if (S_ISDIR(inode->i_mode))
|
|
|
|
fuse_init_dir(inode);
|
|
|
|
else if (S_ISLNK(inode->i_mode))
|
|
|
|
fuse_init_symlink(inode);
|
|
|
|
else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
|
|
|
|
S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
|
|
|
|
fuse_init_common(inode);
|
|
|
|
init_special_inode(inode, inode->i_mode,
|
|
|
|
new_decode_dev(attr->rdev));
|
2006-01-06 16:19:43 +08:00
|
|
|
} else
|
|
|
|
BUG();
|
2023-01-20 19:55:04 +08:00
|
|
|
/*
|
|
|
|
* Ensure that we don't cache acls for daemons without FUSE_POSIX_ACL
|
|
|
|
* so they see the exact same behavior as before.
|
|
|
|
*/
|
|
|
|
if (!fc->posix_acl)
|
|
|
|
inode->i_acl = inode->i_default_acl = ACL_DONT_CACHE;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
static int fuse_inode_eq(struct inode *inode, void *_nodeidp)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2008-04-30 15:54:44 +08:00
|
|
|
u64 nodeid = *(u64 *) _nodeidp;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
if (get_node_id(inode) == nodeid)
|
|
|
|
return 1;
|
|
|
|
else
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int fuse_inode_set(struct inode *inode, void *_nodeidp)
|
|
|
|
{
|
2008-04-30 15:54:44 +08:00
|
|
|
u64 nodeid = *(u64 *) _nodeidp;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
get_fuse_inode(inode)->nodeid = nodeid;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-04-30 15:54:44 +08:00
|
|
|
struct inode *fuse_iget(struct super_block *sb, u64 nodeid,
|
fuse: fix race between getattr and write
Getattr and lookup operations can be running in parallel to attribute changing
operations, such as write and setattr.
This means, that if for example getattr was slower than a write, the cached
size attribute could be set to a stale value.
To prevent this race, introduce a per-filesystem attribute version counter.
This counter is incremented whenever cached attributes are modified, and the
incremented value stored in the inode.
Before storing new attributes in the cache, getattr and lookup check, using
the version number, whether the attributes have been modified during the
request's lifetime. If so, the returned attributes are not cached, because
they might be stale.
Thanks to Jakub Bogusz for the bug report and test program.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Jakub Bogusz <jakub.bogusz@gemius.pl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-18 18:06:58 +08:00
|
|
|
int generation, struct fuse_attr *attr,
|
|
|
|
u64 attr_valid, u64 attr_version)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
|
|
|
struct inode *inode;
|
2005-09-10 04:10:29 +08:00
|
|
|
struct fuse_inode *fi;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
struct fuse_conn *fc = get_fuse_conn_super(sb);
|
|
|
|
|
2020-04-21 20:47:15 +08:00
|
|
|
/*
|
|
|
|
* Auto mount points get their node id from the submount root, which is
|
|
|
|
* not a unique identifier within this filesystem.
|
|
|
|
*
|
|
|
|
* To avoid conflicts, do not place submount points into the inode hash
|
|
|
|
* table.
|
|
|
|
*/
|
|
|
|
if (fc->auto_submounts && (attr->flags & FUSE_ATTR_SUBMOUNT) &&
|
|
|
|
S_ISDIR(attr->mode)) {
|
2023-11-04 01:39:47 +08:00
|
|
|
struct fuse_inode *fi;
|
|
|
|
|
2020-04-21 20:47:15 +08:00
|
|
|
inode = new_inode(sb);
|
|
|
|
if (!inode)
|
|
|
|
return NULL;
|
|
|
|
|
2023-01-20 19:55:04 +08:00
|
|
|
fuse_init_inode(inode, attr, fc);
|
2023-11-04 01:39:47 +08:00
|
|
|
fi = get_fuse_inode(inode);
|
|
|
|
fi->nodeid = nodeid;
|
|
|
|
fi->submount_lookup = fuse_alloc_submount_lookup();
|
|
|
|
if (!fi->submount_lookup) {
|
|
|
|
iput(inode);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
/* Sets nlookup = 1 on fi->submount_lookup->nlookup */
|
|
|
|
fuse_init_submount_lookup(fi->submount_lookup, nodeid);
|
2020-04-21 20:47:15 +08:00
|
|
|
inode->i_flags |= S_AUTOMOUNT;
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
|
|
|
retry:
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
inode = iget5_locked(sb, nodeid, fuse_inode_eq, fuse_inode_set, &nodeid);
|
|
|
|
if (!inode)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if ((inode->i_state & I_NEW)) {
|
2013-12-26 23:51:11 +08:00
|
|
|
inode->i_flags |= S_NOATIME;
|
2014-04-28 20:19:21 +08:00
|
|
|
if (!fc->writeback_cache || !S_ISREG(attr->mode))
|
2013-12-26 23:51:11 +08:00
|
|
|
inode->i_flags |= S_NOCMTIME;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
inode->i_generation = generation;
|
2023-01-20 19:55:04 +08:00
|
|
|
fuse_init_inode(inode, attr, fc);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
unlock_new_inode(inode);
|
2021-06-21 19:03:53 +08:00
|
|
|
} else if (fuse_stale_inode(inode, generation, attr)) {
|
|
|
|
/* nodeid was reused, any I/O on the old inode should fail */
|
2020-12-10 22:33:14 +08:00
|
|
|
fuse_make_bad(inode);
|
2024-02-28 23:50:49 +08:00
|
|
|
if (inode != d_inode(sb->s_root)) {
|
|
|
|
remove_inode_hash(inode);
|
|
|
|
iput(inode);
|
|
|
|
goto retry;
|
|
|
|
}
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
2005-09-10 04:10:29 +08:00
|
|
|
fi = get_fuse_inode(inode);
|
2018-11-09 18:33:27 +08:00
|
|
|
spin_lock(&fi->lock);
|
2008-11-26 19:03:54 +08:00
|
|
|
fi->nlookup++;
|
2018-11-09 18:33:27 +08:00
|
|
|
spin_unlock(&fi->lock);
|
2023-11-04 01:39:47 +08:00
|
|
|
done:
|
2023-08-10 18:45:05 +08:00
|
|
|
fuse_change_attributes(inode, attr, NULL, attr_valid, attr_version);
|
fuse: fix race between getattr and write
Getattr and lookup operations can be running in parallel to attribute changing
operations, such as write and setattr.
This means, that if for example getattr was slower than a write, the cached
size attribute could be set to a stale value.
To prevent this race, introduce a per-filesystem attribute version counter.
This counter is incremented whenever cached attributes are modified, and the
incremented value stored in the inode.
Before storing new attributes in the cache, getattr and lookup check, using
the version number, whether the attributes have been modified during the
request's lifetime. If so, the returned attributes are not cached, because
they might be stale.
Thanks to Jakub Bogusz for the bug report and test program.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Jakub Bogusz <jakub.bogusz@gemius.pl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-18 18:06:58 +08:00
|
|
|
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
return inode;
|
|
|
|
}
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
struct inode *fuse_ilookup(struct fuse_conn *fc, u64 nodeid,
|
|
|
|
struct fuse_mount **fm)
|
|
|
|
{
|
|
|
|
struct fuse_mount *fm_iter;
|
|
|
|
struct inode *inode;
|
|
|
|
|
|
|
|
WARN_ON(!rwsem_is_locked(&fc->killsb));
|
|
|
|
list_for_each_entry(fm_iter, &fc->mounts, fc_entry) {
|
|
|
|
if (!fm_iter->sb)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
inode = ilookup5(fm_iter->sb, nodeid, fuse_inode_eq, &nodeid);
|
|
|
|
if (inode) {
|
|
|
|
if (fm)
|
|
|
|
*fm = fm_iter;
|
|
|
|
return inode;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
int fuse_reverse_inval_inode(struct fuse_conn *fc, u64 nodeid,
|
2009-05-31 23:13:57 +08:00
|
|
|
loff_t offset, loff_t len)
|
|
|
|
{
|
2020-05-19 20:50:38 +08:00
|
|
|
struct fuse_inode *fi;
|
2009-05-31 23:13:57 +08:00
|
|
|
struct inode *inode;
|
|
|
|
pgoff_t pg_start;
|
|
|
|
pgoff_t pg_end;
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
inode = fuse_ilookup(fc, nodeid, NULL);
|
2009-05-31 23:13:57 +08:00
|
|
|
if (!inode)
|
|
|
|
return -ENOENT;
|
|
|
|
|
2020-05-19 20:50:38 +08:00
|
|
|
fi = get_fuse_inode(inode);
|
|
|
|
spin_lock(&fi->lock);
|
|
|
|
fi->attr_version = atomic64_inc_return(&fc->attr_version);
|
|
|
|
spin_unlock(&fi->lock);
|
|
|
|
|
2009-05-31 23:13:57 +08:00
|
|
|
fuse_invalidate_attr(inode);
|
2016-08-29 21:46:37 +08:00
|
|
|
forget_all_cached_acls(inode);
|
2009-05-31 23:13:57 +08:00
|
|
|
if (offset >= 0) {
|
mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros
PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} macros were introduced *long* time
ago with promise that one day it will be possible to implement page
cache with bigger chunks than PAGE_SIZE.
This promise never materialized. And unlikely will.
We have many places where PAGE_CACHE_SIZE assumed to be equal to
PAGE_SIZE. And it's constant source of confusion on whether
PAGE_CACHE_* or PAGE_* constant should be used in a particular case,
especially on the border between fs and mm.
Global switching to PAGE_CACHE_SIZE != PAGE_SIZE would cause to much
breakage to be doable.
Let's stop pretending that pages in page cache are special. They are
not.
The changes are pretty straight-forward:
- <foo> << (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- <foo> >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} -> PAGE_{SIZE,SHIFT,MASK,ALIGN};
- page_cache_get() -> get_page();
- page_cache_release() -> put_page();
This patch contains automated changes generated with coccinelle using
script below. For some reason, coccinelle doesn't patch header files.
I've called spatch for them manually.
The only adjustment after coccinelle is revert of changes to
PAGE_CAHCE_ALIGN definition: we are going to drop it later.
There are few places in the code where coccinelle didn't reach. I'll
fix them manually in a separate patch. Comments and documentation also
will be addressed with the separate patch.
virtual patch
@@
expression E;
@@
- E << (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
expression E;
@@
- E >> (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
@@
- PAGE_CACHE_SHIFT
+ PAGE_SHIFT
@@
@@
- PAGE_CACHE_SIZE
+ PAGE_SIZE
@@
@@
- PAGE_CACHE_MASK
+ PAGE_MASK
@@
expression E;
@@
- PAGE_CACHE_ALIGN(E)
+ PAGE_ALIGN(E)
@@
expression E;
@@
- page_cache_get(E)
+ get_page(E)
@@
expression E;
@@
- page_cache_release(E)
+ put_page(E)
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-01 20:29:47 +08:00
|
|
|
pg_start = offset >> PAGE_SHIFT;
|
2009-05-31 23:13:57 +08:00
|
|
|
if (len <= 0)
|
|
|
|
pg_end = -1;
|
|
|
|
else
|
mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros
PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} macros were introduced *long* time
ago with promise that one day it will be possible to implement page
cache with bigger chunks than PAGE_SIZE.
This promise never materialized. And unlikely will.
We have many places where PAGE_CACHE_SIZE assumed to be equal to
PAGE_SIZE. And it's constant source of confusion on whether
PAGE_CACHE_* or PAGE_* constant should be used in a particular case,
especially on the border between fs and mm.
Global switching to PAGE_CACHE_SIZE != PAGE_SIZE would cause to much
breakage to be doable.
Let's stop pretending that pages in page cache are special. They are
not.
The changes are pretty straight-forward:
- <foo> << (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- <foo> >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} -> PAGE_{SIZE,SHIFT,MASK,ALIGN};
- page_cache_get() -> get_page();
- page_cache_release() -> put_page();
This patch contains automated changes generated with coccinelle using
script below. For some reason, coccinelle doesn't patch header files.
I've called spatch for them manually.
The only adjustment after coccinelle is revert of changes to
PAGE_CAHCE_ALIGN definition: we are going to drop it later.
There are few places in the code where coccinelle didn't reach. I'll
fix them manually in a separate patch. Comments and documentation also
will be addressed with the separate patch.
virtual patch
@@
expression E;
@@
- E << (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
expression E;
@@
- E >> (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
@@
- PAGE_CACHE_SHIFT
+ PAGE_SHIFT
@@
@@
- PAGE_CACHE_SIZE
+ PAGE_SIZE
@@
@@
- PAGE_CACHE_MASK
+ PAGE_MASK
@@
expression E;
@@
- PAGE_CACHE_ALIGN(E)
+ PAGE_ALIGN(E)
@@
expression E;
@@
- page_cache_get(E)
+ get_page(E)
@@
expression E;
@@
- page_cache_release(E)
+ put_page(E)
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-01 20:29:47 +08:00
|
|
|
pg_end = (offset + len - 1) >> PAGE_SHIFT;
|
2009-05-31 23:13:57 +08:00
|
|
|
invalidate_inode_pages2_range(inode->i_mapping,
|
|
|
|
pg_start, pg_end);
|
|
|
|
}
|
|
|
|
iput(inode);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-07-26 22:13:11 +08:00
|
|
|
bool fuse_lock_inode(struct inode *inode)
|
2016-06-30 19:10:49 +08:00
|
|
|
{
|
2018-07-26 22:13:11 +08:00
|
|
|
bool locked = false;
|
|
|
|
|
|
|
|
if (!get_fuse_conn(inode)->parallel_dirops) {
|
2016-06-30 19:10:49 +08:00
|
|
|
mutex_lock(&get_fuse_inode(inode)->mutex);
|
2018-07-26 22:13:11 +08:00
|
|
|
locked = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return locked;
|
2016-06-30 19:10:49 +08:00
|
|
|
}
|
|
|
|
|
2018-07-26 22:13:11 +08:00
|
|
|
void fuse_unlock_inode(struct inode *inode, bool locked)
|
2016-06-30 19:10:49 +08:00
|
|
|
{
|
2018-07-26 22:13:11 +08:00
|
|
|
if (locked)
|
2016-06-30 19:10:49 +08:00
|
|
|
mutex_unlock(&get_fuse_inode(inode)->mutex);
|
|
|
|
}
|
|
|
|
|
2008-04-24 19:21:56 +08:00
|
|
|
static void fuse_umount_begin(struct super_block *sb)
|
2006-01-17 14:14:41 +08:00
|
|
|
{
|
2019-05-07 03:35:43 +08:00
|
|
|
struct fuse_conn *fc = get_fuse_conn_super(sb);
|
|
|
|
|
2022-07-27 14:44:25 +08:00
|
|
|
if (fc->no_force_umount)
|
|
|
|
return;
|
|
|
|
|
|
|
|
fuse_abort_conn(fc);
|
|
|
|
|
|
|
|
// Only retire block-device-based superblocks.
|
|
|
|
if (sb->s_bdev != NULL)
|
|
|
|
retire_super(sb);
|
2006-01-17 14:14:41 +08:00
|
|
|
}
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
static void fuse_send_destroy(struct fuse_mount *fm)
|
2006-12-07 12:35:52 +08:00
|
|
|
{
|
2020-05-06 23:44:12 +08:00
|
|
|
if (fm->fc->conn_init) {
|
2019-09-10 21:04:09 +08:00
|
|
|
FUSE_ARGS(args);
|
|
|
|
|
|
|
|
args.opcode = FUSE_DESTROY;
|
|
|
|
args.force = true;
|
|
|
|
args.nocreds = true;
|
2020-05-06 23:44:12 +08:00
|
|
|
fuse_simple_request(fm, &args);
|
2006-12-07 12:35:52 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2005-09-10 04:10:28 +08:00
|
|
|
static void convert_fuse_statfs(struct kstatfs *stbuf, struct fuse_kstatfs *attr)
|
|
|
|
{
|
|
|
|
stbuf->f_type = FUSE_SUPER_MAGIC;
|
|
|
|
stbuf->f_bsize = attr->bsize;
|
2006-01-06 16:19:37 +08:00
|
|
|
stbuf->f_frsize = attr->frsize;
|
2005-09-10 04:10:28 +08:00
|
|
|
stbuf->f_blocks = attr->blocks;
|
|
|
|
stbuf->f_bfree = attr->bfree;
|
|
|
|
stbuf->f_bavail = attr->bavail;
|
|
|
|
stbuf->f_files = attr->files;
|
|
|
|
stbuf->f_ffree = attr->ffree;
|
|
|
|
stbuf->f_namelen = attr->namelen;
|
|
|
|
/* fsid is left zero */
|
|
|
|
}
|
|
|
|
|
2006-06-23 17:02:58 +08:00
|
|
|
static int fuse_statfs(struct dentry *dentry, struct kstatfs *buf)
|
2005-09-10 04:10:28 +08:00
|
|
|
{
|
2006-06-23 17:02:58 +08:00
|
|
|
struct super_block *sb = dentry->d_sb;
|
2020-05-06 23:44:12 +08:00
|
|
|
struct fuse_mount *fm = get_fuse_mount_super(sb);
|
2014-12-12 16:49:05 +08:00
|
|
|
FUSE_ARGS(args);
|
2005-09-10 04:10:28 +08:00
|
|
|
struct fuse_statfs_out outarg;
|
|
|
|
int err;
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
if (!fuse_allow_current_process(fm->fc)) {
|
2007-10-18 18:06:58 +08:00
|
|
|
buf->f_type = FUSE_SUPER_MAGIC;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2006-01-06 16:19:37 +08:00
|
|
|
memset(&outarg, 0, sizeof(outarg));
|
2019-09-10 21:04:08 +08:00
|
|
|
args.in_numargs = 0;
|
|
|
|
args.opcode = FUSE_STATFS;
|
|
|
|
args.nodeid = get_node_id(d_inode(dentry));
|
|
|
|
args.out_numargs = 1;
|
|
|
|
args.out_args[0].size = sizeof(outarg);
|
|
|
|
args.out_args[0].value = &outarg;
|
2020-05-06 23:44:12 +08:00
|
|
|
err = fuse_simple_request(fm, &args);
|
2005-09-10 04:10:28 +08:00
|
|
|
if (!err)
|
|
|
|
convert_fuse_statfs(buf, &outarg.st);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2021-09-01 18:39:02 +08:00
|
|
|
static struct fuse_sync_bucket *fuse_sync_bucket_alloc(void)
|
|
|
|
{
|
|
|
|
struct fuse_sync_bucket *bucket;
|
|
|
|
|
|
|
|
bucket = kzalloc(sizeof(*bucket), GFP_KERNEL | __GFP_NOFAIL);
|
|
|
|
if (bucket) {
|
|
|
|
init_waitqueue_head(&bucket->waitq);
|
|
|
|
/* Initial active count */
|
|
|
|
atomic_set(&bucket->count, 1);
|
|
|
|
}
|
|
|
|
return bucket;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void fuse_sync_fs_writes(struct fuse_conn *fc)
|
|
|
|
{
|
|
|
|
struct fuse_sync_bucket *bucket, *new_bucket;
|
|
|
|
int count;
|
|
|
|
|
|
|
|
new_bucket = fuse_sync_bucket_alloc();
|
|
|
|
spin_lock(&fc->lock);
|
|
|
|
bucket = rcu_dereference_protected(fc->curr_bucket, 1);
|
|
|
|
count = atomic_read(&bucket->count);
|
|
|
|
WARN_ON(count < 1);
|
|
|
|
/* No outstanding writes? */
|
|
|
|
if (count == 1) {
|
|
|
|
spin_unlock(&fc->lock);
|
|
|
|
kfree(new_bucket);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Completion of new bucket depends on completion of this bucket, so add
|
|
|
|
* one more count.
|
|
|
|
*/
|
|
|
|
atomic_inc(&new_bucket->count);
|
|
|
|
rcu_assign_pointer(fc->curr_bucket, new_bucket);
|
|
|
|
spin_unlock(&fc->lock);
|
|
|
|
/*
|
|
|
|
* Drop initial active count. At this point if all writes in this and
|
|
|
|
* ancestor buckets complete, the count will go to zero and this task
|
|
|
|
* will be woken up.
|
|
|
|
*/
|
|
|
|
atomic_dec(&bucket->count);
|
|
|
|
|
|
|
|
wait_event(bucket->waitq, atomic_read(&bucket->count) == 0);
|
|
|
|
|
|
|
|
/* Drop temp count on descendant bucket */
|
|
|
|
fuse_sync_bucket_dec(new_bucket);
|
|
|
|
kfree_rcu(bucket, rcu);
|
|
|
|
}
|
|
|
|
|
2021-05-20 23:46:54 +08:00
|
|
|
static int fuse_sync_fs(struct super_block *sb, int wait)
|
|
|
|
{
|
|
|
|
struct fuse_mount *fm = get_fuse_mount_super(sb);
|
|
|
|
struct fuse_conn *fc = fm->fc;
|
|
|
|
struct fuse_syncfs_in inarg;
|
|
|
|
FUSE_ARGS(args);
|
|
|
|
int err;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Userspace cannot handle the wait == 0 case. Avoid a
|
|
|
|
* gratuitous roundtrip.
|
|
|
|
*/
|
|
|
|
if (!wait)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
/* The filesystem is being unmounted. Nothing to do. */
|
|
|
|
if (!sb->s_root)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!fc->sync_fs)
|
|
|
|
return 0;
|
|
|
|
|
2021-09-01 18:39:02 +08:00
|
|
|
fuse_sync_fs_writes(fc);
|
|
|
|
|
2021-05-20 23:46:54 +08:00
|
|
|
memset(&inarg, 0, sizeof(inarg));
|
|
|
|
args.in_numargs = 1;
|
|
|
|
args.in_args[0].size = sizeof(inarg);
|
|
|
|
args.in_args[0].value = &inarg;
|
|
|
|
args.opcode = FUSE_SYNCFS;
|
|
|
|
args.nodeid = get_node_id(sb->s_root->d_inode);
|
|
|
|
args.out_numargs = 0;
|
|
|
|
|
|
|
|
err = fuse_simple_request(fm, &args);
|
|
|
|
if (err == -ENOSYS) {
|
|
|
|
fc->sync_fs = 0;
|
|
|
|
err = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
enum {
|
2019-03-26 00:38:31 +08:00
|
|
|
OPT_SOURCE,
|
|
|
|
OPT_SUBTYPE,
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
OPT_FD,
|
|
|
|
OPT_ROOTMODE,
|
|
|
|
OPT_USER_ID,
|
2005-09-10 04:10:34 +08:00
|
|
|
OPT_GROUP_ID,
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
OPT_DEFAULT_PERMISSIONS,
|
|
|
|
OPT_ALLOW_OTHER,
|
2005-09-10 04:10:33 +08:00
|
|
|
OPT_MAX_READ,
|
2006-12-07 12:35:48 +08:00
|
|
|
OPT_BLKSIZE,
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
OPT_ERR
|
|
|
|
};
|
|
|
|
|
2019-09-07 19:23:15 +08:00
|
|
|
static const struct fs_parameter_spec fuse_fs_parameters[] = {
|
2019-03-26 00:38:31 +08:00
|
|
|
fsparam_string ("source", OPT_SOURCE),
|
|
|
|
fsparam_u32 ("fd", OPT_FD),
|
|
|
|
fsparam_u32oct ("rootmode", OPT_ROOTMODE),
|
2024-07-03 06:23:24 +08:00
|
|
|
fsparam_uid ("user_id", OPT_USER_ID),
|
|
|
|
fsparam_gid ("group_id", OPT_GROUP_ID),
|
2019-03-26 00:38:31 +08:00
|
|
|
fsparam_flag ("default_permissions", OPT_DEFAULT_PERMISSIONS),
|
|
|
|
fsparam_flag ("allow_other", OPT_ALLOW_OTHER),
|
|
|
|
fsparam_u32 ("max_read", OPT_MAX_READ),
|
|
|
|
fsparam_u32 ("blksize", OPT_BLKSIZE),
|
2019-03-26 00:38:31 +08:00
|
|
|
fsparam_string ("subtype", OPT_SUBTYPE),
|
2019-03-26 00:38:31 +08:00
|
|
|
{}
|
|
|
|
};
|
|
|
|
|
2021-08-04 19:22:58 +08:00
|
|
|
static int fuse_parse_param(struct fs_context *fsc, struct fs_parameter *param)
|
2014-07-07 21:28:51 +08:00
|
|
|
{
|
2019-03-26 00:38:31 +08:00
|
|
|
struct fs_parse_result result;
|
2021-08-04 19:22:58 +08:00
|
|
|
struct fuse_fs_context *ctx = fsc->fs_private;
|
2019-03-26 00:38:31 +08:00
|
|
|
int opt;
|
2024-07-03 06:22:41 +08:00
|
|
|
kuid_t kuid;
|
|
|
|
kgid_t kgid;
|
2019-03-26 00:38:31 +08:00
|
|
|
|
2021-08-04 19:22:58 +08:00
|
|
|
if (fsc->purpose == FS_CONTEXT_FOR_RECONFIGURE) {
|
2020-07-14 20:45:41 +08:00
|
|
|
/*
|
|
|
|
* Ignore options coming from mount(MS_REMOUNT) for backward
|
|
|
|
* compatibility.
|
|
|
|
*/
|
2021-08-04 19:22:58 +08:00
|
|
|
if (fsc->oldapi)
|
2020-07-14 20:45:41 +08:00
|
|
|
return 0;
|
|
|
|
|
2021-08-04 19:22:58 +08:00
|
|
|
return invalfc(fsc, "No changes allowed in reconfigure");
|
2020-07-14 20:45:41 +08:00
|
|
|
}
|
2020-07-14 20:45:41 +08:00
|
|
|
|
2021-08-04 19:22:58 +08:00
|
|
|
opt = fs_parse(fsc, fuse_fs_parameters, param, &result);
|
2019-03-26 00:38:31 +08:00
|
|
|
if (opt < 0)
|
|
|
|
return opt;
|
|
|
|
|
|
|
|
switch (opt) {
|
|
|
|
case OPT_SOURCE:
|
2021-08-04 19:22:58 +08:00
|
|
|
if (fsc->source)
|
|
|
|
return invalfc(fsc, "Multiple sources specified");
|
|
|
|
fsc->source = param->string;
|
2019-03-26 00:38:31 +08:00
|
|
|
param->string = NULL;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case OPT_SUBTYPE:
|
|
|
|
if (ctx->subtype)
|
2021-08-04 19:22:58 +08:00
|
|
|
return invalfc(fsc, "Multiple subtypes specified");
|
2019-03-26 00:38:31 +08:00
|
|
|
ctx->subtype = param->string;
|
|
|
|
param->string = NULL;
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
case OPT_FD:
|
|
|
|
ctx->fd = result.uint_32;
|
2020-01-14 20:39:45 +08:00
|
|
|
ctx->fd_present = true;
|
2019-03-26 00:38:31 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case OPT_ROOTMODE:
|
|
|
|
if (!fuse_valid_type(result.uint_32))
|
2021-08-04 19:22:58 +08:00
|
|
|
return invalfc(fsc, "Invalid rootmode");
|
2019-03-26 00:38:31 +08:00
|
|
|
ctx->rootmode = result.uint_32;
|
2020-01-14 20:39:45 +08:00
|
|
|
ctx->rootmode_present = true;
|
2019-03-26 00:38:31 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case OPT_USER_ID:
|
2024-07-03 06:23:24 +08:00
|
|
|
kuid = result.uid;
|
2024-07-03 06:22:41 +08:00
|
|
|
/*
|
|
|
|
* The requested uid must be representable in the
|
|
|
|
* filesystem's idmapping.
|
|
|
|
*/
|
|
|
|
if (!kuid_has_mapping(fsc->user_ns, kuid))
|
|
|
|
return invalfc(fsc, "Invalid user_id");
|
|
|
|
ctx->user_id = kuid;
|
2020-01-14 20:39:45 +08:00
|
|
|
ctx->user_id_present = true;
|
2019-03-26 00:38:31 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case OPT_GROUP_ID:
|
2024-07-03 06:23:24 +08:00
|
|
|
kgid = result.gid;
|
2024-07-03 06:22:41 +08:00
|
|
|
/*
|
|
|
|
* The requested gid must be representable in the
|
|
|
|
* filesystem's idmapping.
|
|
|
|
*/
|
|
|
|
if (!kgid_has_mapping(fsc->user_ns, kgid))
|
2021-08-04 19:22:58 +08:00
|
|
|
return invalfc(fsc, "Invalid group_id");
|
2024-07-03 06:22:41 +08:00
|
|
|
ctx->group_id = kgid;
|
2020-01-14 20:39:45 +08:00
|
|
|
ctx->group_id_present = true;
|
2019-03-26 00:38:31 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case OPT_DEFAULT_PERMISSIONS:
|
2020-01-14 20:39:45 +08:00
|
|
|
ctx->default_permissions = true;
|
2019-03-26 00:38:31 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case OPT_ALLOW_OTHER:
|
2020-01-14 20:39:45 +08:00
|
|
|
ctx->allow_other = true;
|
2019-03-26 00:38:31 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case OPT_MAX_READ:
|
|
|
|
ctx->max_read = result.uint_32;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case OPT_BLKSIZE:
|
|
|
|
if (!ctx->is_bdev)
|
2021-08-04 19:22:58 +08:00
|
|
|
return invalfc(fsc, "blksize only supported for fuseblk");
|
2019-03-26 00:38:31 +08:00
|
|
|
ctx->blksize = result.uint_32;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
2014-07-07 21:28:51 +08:00
|
|
|
}
|
2019-03-26 00:38:31 +08:00
|
|
|
|
|
|
|
return 0;
|
2014-07-07 21:28:51 +08:00
|
|
|
}
|
|
|
|
|
2021-08-04 19:22:58 +08:00
|
|
|
static void fuse_free_fsc(struct fs_context *fsc)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2021-08-04 19:22:58 +08:00
|
|
|
struct fuse_fs_context *ctx = fsc->fs_private;
|
2005-09-10 04:10:34 +08:00
|
|
|
|
2019-03-26 00:38:31 +08:00
|
|
|
if (ctx) {
|
|
|
|
kfree(ctx->subtype);
|
|
|
|
kfree(ctx);
|
|
|
|
}
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
2011-12-09 10:32:45 +08:00
|
|
|
static int fuse_show_options(struct seq_file *m, struct dentry *root)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2011-12-09 10:32:45 +08:00
|
|
|
struct super_block *sb = root->d_sb;
|
|
|
|
struct fuse_conn *fc = get_fuse_conn_super(sb);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
2020-08-20 06:19:45 +08:00
|
|
|
if (fc->legacy_opts_show) {
|
|
|
|
seq_printf(m, ",user_id=%u",
|
|
|
|
from_kuid_munged(fc->user_ns, fc->user_id));
|
|
|
|
seq_printf(m, ",group_id=%u",
|
|
|
|
from_kgid_munged(fc->user_ns, fc->group_id));
|
|
|
|
if (fc->default_permissions)
|
|
|
|
seq_puts(m, ",default_permissions");
|
|
|
|
if (fc->allow_other)
|
|
|
|
seq_puts(m, ",allow_other");
|
|
|
|
if (fc->max_read != ~0)
|
|
|
|
seq_printf(m, ",max_read=%u", fc->max_read);
|
|
|
|
if (sb->s_bdev && sb->s_blocksize != FUSE_DEFAULT_BLKSIZE)
|
|
|
|
seq_printf(m, ",blksize=%lu", sb->s_blocksize);
|
|
|
|
}
|
2020-08-20 06:19:47 +08:00
|
|
|
#ifdef CONFIG_FUSE_DAX
|
2021-11-25 15:05:25 +08:00
|
|
|
if (fc->dax_mode == FUSE_DAX_ALWAYS)
|
|
|
|
seq_puts(m, ",dax=always");
|
|
|
|
else if (fc->dax_mode == FUSE_DAX_NEVER)
|
|
|
|
seq_puts(m, ",dax=never");
|
|
|
|
else if (fc->dax_mode == FUSE_DAX_INODE_USER)
|
|
|
|
seq_puts(m, ",dax=inode");
|
2020-08-20 06:19:47 +08:00
|
|
|
#endif
|
2019-10-15 22:11:41 +08:00
|
|
|
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-06-18 22:53:19 +08:00
|
|
|
static void fuse_iqueue_init(struct fuse_iqueue *fiq,
|
|
|
|
const struct fuse_iqueue_ops *ops,
|
|
|
|
void *priv)
|
2015-07-01 22:26:01 +08:00
|
|
|
{
|
|
|
|
memset(fiq, 0, sizeof(struct fuse_iqueue));
|
fuse: fix deadlock with aio poll and fuse_iqueue::waitq.lock
When IOCB_CMD_POLL is used on the FUSE device, aio_poll() disables IRQs
and takes kioctx::ctx_lock, then fuse_iqueue::waitq.lock.
This may have to wait for fuse_iqueue::waitq.lock to be released by one
of many places that take it with IRQs enabled. Since the IRQ handler
may take kioctx::ctx_lock, lockdep reports that a deadlock is possible.
Fix it by protecting the state of struct fuse_iqueue with a separate
spinlock, and only accessing fuse_iqueue::waitq using the versions of
the waitqueue functions which do IRQ-safe locking internally.
Reproducer:
#include <fcntl.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/aio_abi.h>
int main()
{
char opts[128];
int fd = open("/dev/fuse", O_RDWR);
aio_context_t ctx = 0;
struct iocb cb = { .aio_lio_opcode = IOCB_CMD_POLL, .aio_fildes = fd };
struct iocb *cbp = &cb;
sprintf(opts, "fd=%d,rootmode=040000,user_id=0,group_id=0", fd);
mkdir("mnt", 0700);
mount("foo", "mnt", "fuse", 0, opts);
syscall(__NR_io_setup, 1, &ctx);
syscall(__NR_io_submit, ctx, 1, &cbp);
}
Beginning of lockdep output:
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
5.3.0-rc5 #9 Not tainted
-----------------------------------------------------
syz_fuse/135 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
000000003590ceda (&fiq->waitq){+.+.}, at: spin_lock include/linux/spinlock.h:338 [inline]
000000003590ceda (&fiq->waitq){+.+.}, at: aio_poll fs/aio.c:1751 [inline]
000000003590ceda (&fiq->waitq){+.+.}, at: __io_submit_one.constprop.0+0x203/0x5b0 fs/aio.c:1825
and this task is already holding:
0000000075037284 (&(&ctx->ctx_lock)->rlock){..-.}, at: spin_lock_irq include/linux/spinlock.h:363 [inline]
0000000075037284 (&(&ctx->ctx_lock)->rlock){..-.}, at: aio_poll fs/aio.c:1749 [inline]
0000000075037284 (&(&ctx->ctx_lock)->rlock){..-.}, at: __io_submit_one.constprop.0+0x1f4/0x5b0 fs/aio.c:1825
which would create a new lock dependency:
(&(&ctx->ctx_lock)->rlock){..-.} -> (&fiq->waitq){+.+.}
but this new dependency connects a SOFTIRQ-irq-safe lock:
(&(&ctx->ctx_lock)->rlock){..-.}
[...]
Reported-by: syzbot+af05535bb79520f95431@syzkaller.appspotmail.com
Reported-by: syzbot+d86c4426a01f60feddc7@syzkaller.appspotmail.com
Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL")
Cc: <stable@vger.kernel.org> # v4.19+
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2019-09-09 11:15:18 +08:00
|
|
|
spin_lock_init(&fiq->lock);
|
2015-07-01 22:26:01 +08:00
|
|
|
init_waitqueue_head(&fiq->waitq);
|
|
|
|
INIT_LIST_HEAD(&fiq->pending);
|
|
|
|
INIT_LIST_HEAD(&fiq->interrupts);
|
|
|
|
fiq->forget_list_tail = &fiq->forget_list_head;
|
2015-07-01 22:26:01 +08:00
|
|
|
fiq->connected = 1;
|
2018-06-18 22:53:19 +08:00
|
|
|
fiq->ops = ops;
|
|
|
|
fiq->priv = priv;
|
2015-07-01 22:26:01 +08:00
|
|
|
}
|
|
|
|
|
2015-07-01 22:26:04 +08:00
|
|
|
static void fuse_pqueue_init(struct fuse_pqueue *fpq)
|
|
|
|
{
|
2018-09-11 18:12:14 +08:00
|
|
|
unsigned int i;
|
|
|
|
|
2015-07-01 22:26:06 +08:00
|
|
|
spin_lock_init(&fpq->lock);
|
2018-09-11 18:12:14 +08:00
|
|
|
for (i = 0; i < FUSE_PQ_HASH_SIZE; i++)
|
|
|
|
INIT_LIST_HEAD(&fpq->processing[i]);
|
2015-07-01 22:26:04 +08:00
|
|
|
INIT_LIST_HEAD(&fpq->io);
|
2015-07-01 22:26:04 +08:00
|
|
|
fpq->connected = 1;
|
2015-07-01 22:26:04 +08:00
|
|
|
}
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
void fuse_conn_init(struct fuse_conn *fc, struct fuse_mount *fm,
|
|
|
|
struct user_namespace *user_ns,
|
2018-06-18 22:53:19 +08:00
|
|
|
const struct fuse_iqueue_ops *fiq_ops, void *fiq_priv)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2008-11-26 19:03:55 +08:00
|
|
|
memset(fc, 0, sizeof(*fc));
|
|
|
|
spin_lock_init(&fc->lock);
|
2018-08-27 23:29:46 +08:00
|
|
|
spin_lock_init(&fc->bg_lock);
|
2009-05-31 23:13:57 +08:00
|
|
|
init_rwsem(&fc->killsb);
|
2017-03-03 17:04:05 +08:00
|
|
|
refcount_set(&fc->count, 1);
|
2015-07-01 22:26:09 +08:00
|
|
|
atomic_set(&fc->dev_count, 1);
|
2008-11-26 19:03:55 +08:00
|
|
|
init_waitqueue_head(&fc->blocked_waitq);
|
2018-06-18 22:53:19 +08:00
|
|
|
fuse_iqueue_init(&fc->iq, fiq_ops, fiq_priv);
|
2008-11-26 19:03:55 +08:00
|
|
|
INIT_LIST_HEAD(&fc->bg_queue);
|
|
|
|
INIT_LIST_HEAD(&fc->entry);
|
2015-07-01 22:26:08 +08:00
|
|
|
INIT_LIST_HEAD(&fc->devices);
|
2008-11-26 19:03:55 +08:00
|
|
|
atomic_set(&fc->num_waiting, 0);
|
2009-07-02 08:28:41 +08:00
|
|
|
fc->max_background = FUSE_DEFAULT_MAX_BACKGROUND;
|
|
|
|
fc->congestion_threshold = FUSE_DEFAULT_CONGESTION_THRESHOLD;
|
2019-01-24 17:40:17 +08:00
|
|
|
atomic64_set(&fc->khctr, 0);
|
2008-11-26 19:03:55 +08:00
|
|
|
fc->polled_files = RB_ROOT;
|
2013-03-21 22:02:28 +08:00
|
|
|
fc->blocked = 0;
|
2013-03-21 22:02:15 +08:00
|
|
|
fc->initialized = 0;
|
2015-07-01 22:26:01 +08:00
|
|
|
fc->connected = 1;
|
2018-11-09 18:33:17 +08:00
|
|
|
atomic64_set(&fc->attr_version, 1);
|
2008-11-26 19:03:55 +08:00
|
|
|
get_random_bytes(&fc->scramble_key, sizeof(fc->scramble_key));
|
2014-07-03 05:29:19 +08:00
|
|
|
fc->pid_ns = get_pid_ns(task_active_pid_ns(current));
|
2018-02-22 01:18:07 +08:00
|
|
|
fc->user_ns = get_user_ns(user_ns);
|
2019-01-16 17:27:59 +08:00
|
|
|
fc->max_pages = FUSE_DEFAULT_MAX_PAGES_PER_REQ;
|
2021-03-18 21:52:22 +08:00
|
|
|
fc->max_pages_limit = FUSE_MAX_MAX_PAGES;
|
2020-05-06 23:44:12 +08:00
|
|
|
|
2023-09-11 22:09:27 +08:00
|
|
|
if (IS_ENABLED(CONFIG_FUSE_PASSTHROUGH))
|
|
|
|
fuse_backing_files_init(fc);
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
INIT_LIST_HEAD(&fc->mounts);
|
|
|
|
list_add(&fm->fc_entry, &fc->mounts);
|
|
|
|
fm->fc = fc;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
2008-11-26 19:03:55 +08:00
|
|
|
EXPORT_SYMBOL_GPL(fuse_conn_init);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
2023-09-28 12:19:39 +08:00
|
|
|
static void delayed_release(struct rcu_head *p)
|
|
|
|
{
|
|
|
|
struct fuse_conn *fc = container_of(p, struct fuse_conn, rcu);
|
|
|
|
|
|
|
|
put_user_ns(fc->user_ns);
|
|
|
|
fc->release(fc);
|
|
|
|
}
|
|
|
|
|
2006-06-25 20:48:51 +08:00
|
|
|
void fuse_conn_put(struct fuse_conn *fc)
|
|
|
|
{
|
2017-03-03 17:04:05 +08:00
|
|
|
if (refcount_dec_and_test(&fc->count)) {
|
virtio-fs: add virtiofs filesystem
Add a basic file system module for virtio-fs. This does not yet contain
shared data support between host and guest or metadata coherency speedups.
However it is already significantly faster than virtio-9p.
Design Overview
===============
With the goal of designing something with better performance and local file
system semantics, a bunch of ideas were proposed.
- Use fuse protocol (instead of 9p) for communication between guest and
host. Guest kernel will be fuse client and a fuse server will run on
host to serve the requests.
- For data access inside guest, mmap portion of file in QEMU address space
and guest accesses this memory using dax. That way guest page cache is
bypassed and there is only one copy of data (on host). This will also
enable mmap(MAP_SHARED) between guests.
- For metadata coherency, there is a shared memory region which contains
version number associated with metadata and any guest changing metadata
updates version number and other guests refresh metadata on next access.
This is yet to be implemented.
How virtio-fs differs from existing approaches
==============================================
The unique idea behind virtio-fs is to take advantage of the co-location of
the virtual machine and hypervisor to avoid communication (vmexits).
DAX allows file contents to be accessed without communication with the
hypervisor. The shared memory region for metadata avoids communication in
the common case where metadata is unchanged.
By replacing expensive communication with cheaper shared memory accesses,
we expect to achieve better performance than approaches based on network
file system protocols. In addition, this also makes it easier to achieve
local file system semantics (coherency).
These techniques are not applicable to network file system protocols since
the communications channel is bypassed by taking advantage of shared memory
on a local machine. This is why we decided to build virtio-fs rather than
focus on 9P or NFS.
Caching Modes
=============
Like virtio-9p, different caching modes are supported which determine the
coherency level as well. The “cache=FOO” and “writeback” options control
the level of coherence between the guest and host filesystems.
- cache=none
metadata, data and pathname lookup are not cached in guest. They are
always fetched from host and any changes are immediately pushed to host.
- cache=always
metadata, data and pathname lookup are cached in guest and never expire.
- cache=auto
metadata and pathname lookup cache expires after a configured amount of
time (default is 1 second). Data is cached while the file is open
(close to open consistency).
- writeback/no_writeback
These options control the writeback strategy. If writeback is disabled,
then normal writes will immediately be synchronized with the host fs.
If writeback is enabled, then writes may be cached in the guest until
the file is closed or an fsync(2) performed. This option has no effect
on mmap-ed writes or writes going through the DAX mechanism.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2018-06-12 16:41:17 +08:00
|
|
|
struct fuse_iqueue *fiq = &fc->iq;
|
2021-09-01 18:39:02 +08:00
|
|
|
struct fuse_sync_bucket *bucket;
|
virtio-fs: add virtiofs filesystem
Add a basic file system module for virtio-fs. This does not yet contain
shared data support between host and guest or metadata coherency speedups.
However it is already significantly faster than virtio-9p.
Design Overview
===============
With the goal of designing something with better performance and local file
system semantics, a bunch of ideas were proposed.
- Use fuse protocol (instead of 9p) for communication between guest and
host. Guest kernel will be fuse client and a fuse server will run on
host to serve the requests.
- For data access inside guest, mmap portion of file in QEMU address space
and guest accesses this memory using dax. That way guest page cache is
bypassed and there is only one copy of data (on host). This will also
enable mmap(MAP_SHARED) between guests.
- For metadata coherency, there is a shared memory region which contains
version number associated with metadata and any guest changing metadata
updates version number and other guests refresh metadata on next access.
This is yet to be implemented.
How virtio-fs differs from existing approaches
==============================================
The unique idea behind virtio-fs is to take advantage of the co-location of
the virtual machine and hypervisor to avoid communication (vmexits).
DAX allows file contents to be accessed without communication with the
hypervisor. The shared memory region for metadata avoids communication in
the common case where metadata is unchanged.
By replacing expensive communication with cheaper shared memory accesses,
we expect to achieve better performance than approaches based on network
file system protocols. In addition, this also makes it easier to achieve
local file system semantics (coherency).
These techniques are not applicable to network file system protocols since
the communications channel is bypassed by taking advantage of shared memory
on a local machine. This is why we decided to build virtio-fs rather than
focus on 9P or NFS.
Caching Modes
=============
Like virtio-9p, different caching modes are supported which determine the
coherency level as well. The “cache=FOO” and “writeback” options control
the level of coherence between the guest and host filesystems.
- cache=none
metadata, data and pathname lookup are not cached in guest. They are
always fetched from host and any changes are immediately pushed to host.
- cache=always
metadata, data and pathname lookup are cached in guest and never expire.
- cache=auto
metadata and pathname lookup cache expires after a configured amount of
time (default is 1 second). Data is cached while the file is open
(close to open consistency).
- writeback/no_writeback
These options control the writeback strategy. If writeback is disabled,
then normal writes will immediately be synchronized with the host fs.
If writeback is enabled, then writes may be cached in the guest until
the file is closed or an fsync(2) performed. This option has no effect
on mmap-ed writes or writes going through the DAX mechanism.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2018-06-12 16:41:17 +08:00
|
|
|
|
2020-08-20 06:19:47 +08:00
|
|
|
if (IS_ENABLED(CONFIG_FUSE_DAX))
|
|
|
|
fuse_dax_conn_free(fc);
|
virtio-fs: add virtiofs filesystem
Add a basic file system module for virtio-fs. This does not yet contain
shared data support between host and guest or metadata coherency speedups.
However it is already significantly faster than virtio-9p.
Design Overview
===============
With the goal of designing something with better performance and local file
system semantics, a bunch of ideas were proposed.
- Use fuse protocol (instead of 9p) for communication between guest and
host. Guest kernel will be fuse client and a fuse server will run on
host to serve the requests.
- For data access inside guest, mmap portion of file in QEMU address space
and guest accesses this memory using dax. That way guest page cache is
bypassed and there is only one copy of data (on host). This will also
enable mmap(MAP_SHARED) between guests.
- For metadata coherency, there is a shared memory region which contains
version number associated with metadata and any guest changing metadata
updates version number and other guests refresh metadata on next access.
This is yet to be implemented.
How virtio-fs differs from existing approaches
==============================================
The unique idea behind virtio-fs is to take advantage of the co-location of
the virtual machine and hypervisor to avoid communication (vmexits).
DAX allows file contents to be accessed without communication with the
hypervisor. The shared memory region for metadata avoids communication in
the common case where metadata is unchanged.
By replacing expensive communication with cheaper shared memory accesses,
we expect to achieve better performance than approaches based on network
file system protocols. In addition, this also makes it easier to achieve
local file system semantics (coherency).
These techniques are not applicable to network file system protocols since
the communications channel is bypassed by taking advantage of shared memory
on a local machine. This is why we decided to build virtio-fs rather than
focus on 9P or NFS.
Caching Modes
=============
Like virtio-9p, different caching modes are supported which determine the
coherency level as well. The “cache=FOO” and “writeback” options control
the level of coherence between the guest and host filesystems.
- cache=none
metadata, data and pathname lookup are not cached in guest. They are
always fetched from host and any changes are immediately pushed to host.
- cache=always
metadata, data and pathname lookup are cached in guest and never expire.
- cache=auto
metadata and pathname lookup cache expires after a configured amount of
time (default is 1 second). Data is cached while the file is open
(close to open consistency).
- writeback/no_writeback
These options control the writeback strategy. If writeback is disabled,
then normal writes will immediately be synchronized with the host fs.
If writeback is enabled, then writes may be cached in the guest until
the file is closed or an fsync(2) performed. This option has no effect
on mmap-ed writes or writes going through the DAX mechanism.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2018-06-12 16:41:17 +08:00
|
|
|
if (fiq->ops->release)
|
|
|
|
fiq->ops->release(fiq);
|
2014-07-03 05:29:19 +08:00
|
|
|
put_pid_ns(fc->pid_ns);
|
2021-09-01 18:39:02 +08:00
|
|
|
bucket = rcu_dereference_protected(fc->curr_bucket, 1);
|
|
|
|
if (bucket) {
|
|
|
|
WARN_ON(atomic_read(&bucket->count) != 1);
|
|
|
|
kfree(bucket);
|
|
|
|
}
|
2023-09-11 22:09:27 +08:00
|
|
|
if (IS_ENABLED(CONFIG_FUSE_PASSTHROUGH))
|
|
|
|
fuse_backing_files_free(fc);
|
2023-09-28 12:19:39 +08:00
|
|
|
call_rcu(&fc->rcu, delayed_release);
|
2006-10-17 15:10:11 +08:00
|
|
|
}
|
2006-06-25 20:48:51 +08:00
|
|
|
}
|
2009-04-14 09:54:53 +08:00
|
|
|
EXPORT_SYMBOL_GPL(fuse_conn_put);
|
2006-06-25 20:48:51 +08:00
|
|
|
|
|
|
|
struct fuse_conn *fuse_conn_get(struct fuse_conn *fc)
|
|
|
|
{
|
2017-03-03 17:04:05 +08:00
|
|
|
refcount_inc(&fc->count);
|
2006-06-25 20:48:51 +08:00
|
|
|
return fc;
|
|
|
|
}
|
2009-04-14 09:54:53 +08:00
|
|
|
EXPORT_SYMBOL_GPL(fuse_conn_get);
|
2006-06-25 20:48:51 +08:00
|
|
|
|
2008-11-26 19:03:55 +08:00
|
|
|
static struct inode *fuse_get_root_inode(struct super_block *sb, unsigned mode)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
|
|
|
struct fuse_attr attr;
|
|
|
|
memset(&attr, 0, sizeof(attr));
|
|
|
|
|
|
|
|
attr.mode = mode;
|
|
|
|
attr.ino = FUSE_ROOT_ID;
|
2007-10-17 14:31:02 +08:00
|
|
|
attr.nlink = 1;
|
2024-02-28 23:50:49 +08:00
|
|
|
return fuse_iget(sb, FUSE_ROOT_ID, 0, &attr, 0, 0);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
2008-11-26 19:03:54 +08:00
|
|
|
struct fuse_inode_handle {
|
2008-07-25 16:49:00 +08:00
|
|
|
u64 nodeid;
|
|
|
|
u32 generation;
|
|
|
|
};
|
|
|
|
|
|
|
|
static struct dentry *fuse_get_dentry(struct super_block *sb,
|
|
|
|
struct fuse_inode_handle *handle)
|
|
|
|
{
|
2008-07-25 16:49:02 +08:00
|
|
|
struct fuse_conn *fc = get_fuse_conn_super(sb);
|
2008-07-25 16:49:00 +08:00
|
|
|
struct inode *inode;
|
|
|
|
struct dentry *entry;
|
|
|
|
int err = -ESTALE;
|
|
|
|
|
|
|
|
if (handle->nodeid == 0)
|
|
|
|
goto out_err;
|
|
|
|
|
|
|
|
inode = ilookup5(sb, handle->nodeid, fuse_inode_eq, &handle->nodeid);
|
2008-07-25 16:49:02 +08:00
|
|
|
if (!inode) {
|
|
|
|
struct fuse_entry_out outarg;
|
2016-07-21 10:34:44 +08:00
|
|
|
const struct qstr name = QSTR_INIT(".", 1);
|
2008-07-25 16:49:02 +08:00
|
|
|
|
|
|
|
if (!fc->export_support)
|
|
|
|
goto out_err;
|
|
|
|
|
|
|
|
err = fuse_lookup_name(sb, handle->nodeid, &name, &outarg,
|
|
|
|
&inode);
|
|
|
|
if (err && err != -ENOENT)
|
|
|
|
goto out_err;
|
|
|
|
if (err || !inode) {
|
|
|
|
err = -ESTALE;
|
|
|
|
goto out_err;
|
|
|
|
}
|
|
|
|
err = -EIO;
|
|
|
|
if (get_node_id(inode) != handle->nodeid)
|
|
|
|
goto out_iput;
|
|
|
|
}
|
2008-07-25 16:49:00 +08:00
|
|
|
err = -ESTALE;
|
|
|
|
if (inode->i_generation != handle->generation)
|
|
|
|
goto out_iput;
|
|
|
|
|
2008-08-11 21:49:04 +08:00
|
|
|
entry = d_obtain_alias(inode);
|
2010-12-19 00:15:22 +08:00
|
|
|
if (!IS_ERR(entry) && get_node_id(inode) != FUSE_ROOT_ID)
|
2008-07-25 16:49:00 +08:00
|
|
|
fuse_invalidate_entry_cache(entry);
|
|
|
|
|
|
|
|
return entry;
|
|
|
|
|
|
|
|
out_iput:
|
|
|
|
iput(inode);
|
|
|
|
out_err:
|
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
|
|
|
|
2012-04-03 02:34:06 +08:00
|
|
|
static int fuse_encode_fh(struct inode *inode, u32 *fh, int *max_len,
|
|
|
|
struct inode *parent)
|
2008-07-25 16:49:00 +08:00
|
|
|
{
|
2012-04-03 02:34:06 +08:00
|
|
|
int len = parent ? 6 : 3;
|
2008-07-25 16:49:00 +08:00
|
|
|
u64 nodeid;
|
|
|
|
u32 generation;
|
|
|
|
|
2011-01-29 21:13:25 +08:00
|
|
|
if (*max_len < len) {
|
|
|
|
*max_len = len;
|
2013-02-17 14:48:11 +08:00
|
|
|
return FILEID_INVALID;
|
2011-01-29 21:13:25 +08:00
|
|
|
}
|
2008-07-25 16:49:00 +08:00
|
|
|
|
|
|
|
nodeid = get_fuse_inode(inode)->nodeid;
|
|
|
|
generation = inode->i_generation;
|
|
|
|
|
|
|
|
fh[0] = (u32)(nodeid >> 32);
|
|
|
|
fh[1] = (u32)(nodeid & 0xffffffff);
|
|
|
|
fh[2] = generation;
|
|
|
|
|
2012-04-03 02:34:06 +08:00
|
|
|
if (parent) {
|
2008-07-25 16:49:00 +08:00
|
|
|
nodeid = get_fuse_inode(parent)->nodeid;
|
|
|
|
generation = parent->i_generation;
|
|
|
|
|
|
|
|
fh[3] = (u32)(nodeid >> 32);
|
|
|
|
fh[4] = (u32)(nodeid & 0xffffffff);
|
|
|
|
fh[5] = generation;
|
|
|
|
}
|
|
|
|
|
|
|
|
*max_len = len;
|
2023-10-24 02:08:00 +08:00
|
|
|
return parent ? FILEID_INO64_GEN_PARENT : FILEID_INO64_GEN;
|
2008-07-25 16:49:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct dentry *fuse_fh_to_dentry(struct super_block *sb,
|
|
|
|
struct fid *fid, int fh_len, int fh_type)
|
|
|
|
{
|
|
|
|
struct fuse_inode_handle handle;
|
|
|
|
|
2023-10-24 02:08:00 +08:00
|
|
|
if ((fh_type != FILEID_INO64_GEN &&
|
|
|
|
fh_type != FILEID_INO64_GEN_PARENT) || fh_len < 3)
|
2008-07-25 16:49:00 +08:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
handle.nodeid = (u64) fid->raw[0] << 32;
|
|
|
|
handle.nodeid |= (u64) fid->raw[1];
|
|
|
|
handle.generation = fid->raw[2];
|
|
|
|
return fuse_get_dentry(sb, &handle);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct dentry *fuse_fh_to_parent(struct super_block *sb,
|
|
|
|
struct fid *fid, int fh_len, int fh_type)
|
|
|
|
{
|
|
|
|
struct fuse_inode_handle parent;
|
|
|
|
|
2023-10-24 02:08:00 +08:00
|
|
|
if (fh_type != FILEID_INO64_GEN_PARENT || fh_len < 6)
|
2008-07-25 16:49:00 +08:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
parent.nodeid = (u64) fid->raw[3] << 32;
|
|
|
|
parent.nodeid |= (u64) fid->raw[4];
|
|
|
|
parent.generation = fid->raw[5];
|
|
|
|
return fuse_get_dentry(sb, &parent);
|
|
|
|
}
|
|
|
|
|
2008-07-25 16:49:02 +08:00
|
|
|
static struct dentry *fuse_get_parent(struct dentry *child)
|
|
|
|
{
|
2015-03-18 06:25:59 +08:00
|
|
|
struct inode *child_inode = d_inode(child);
|
2008-07-25 16:49:02 +08:00
|
|
|
struct fuse_conn *fc = get_fuse_conn(child_inode);
|
|
|
|
struct inode *inode;
|
|
|
|
struct dentry *parent;
|
|
|
|
struct fuse_entry_out outarg;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (!fc->export_support)
|
|
|
|
return ERR_PTR(-ESTALE);
|
|
|
|
|
|
|
|
err = fuse_lookup_name(child_inode->i_sb, get_node_id(child_inode),
|
2021-04-16 07:46:50 +08:00
|
|
|
&dotdot_name, &outarg, &inode);
|
2008-08-11 21:49:04 +08:00
|
|
|
if (err) {
|
|
|
|
if (err == -ENOENT)
|
|
|
|
return ERR_PTR(-ESTALE);
|
2008-07-25 16:49:02 +08:00
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
2008-08-11 21:49:04 +08:00
|
|
|
|
|
|
|
parent = d_obtain_alias(inode);
|
2010-12-19 00:15:22 +08:00
|
|
|
if (!IS_ERR(parent) && get_node_id(inode) != FUSE_ROOT_ID)
|
2008-07-25 16:49:02 +08:00
|
|
|
fuse_invalidate_entry_cache(parent);
|
|
|
|
|
|
|
|
return parent;
|
|
|
|
}
|
2008-07-25 16:49:00 +08:00
|
|
|
|
fuse: add support for explicit export disabling
open_by_handle_at(2) can fail with -ESTALE with a valid handle returned
by a previous name_to_handle_at(2) for evicted fuse inodes, which is
especially common when entry_valid_timeout is 0, e.g. when the fuse
daemon is in "cache=none" mode.
The time sequence is like:
name_to_handle_at(2) # succeed
evict fuse inode
open_by_handle_at(2) # fail
The root cause is that, with 0 entry_valid_timeout, the dput() called in
name_to_handle_at(2) will trigger iput -> evict(), which will send
FUSE_FORGET to the daemon. The following open_by_handle_at(2) will send
a new FUSE_LOOKUP request upon inode cache miss since the previous inode
eviction. Then the fuse daemon may fail the FUSE_LOOKUP request with
-ENOENT as the cached metadata of the requested inode has already been
cleaned up during the previous FUSE_FORGET. The returned -ENOENT is
treated as -ESTALE when open_by_handle_at(2) returns.
This confuses the application somehow, as open_by_handle_at(2) fails
when the previous name_to_handle_at(2) succeeds. The returned errno is
also confusing as the requested file is not deleted and already there.
It is reasonable to fail name_to_handle_at(2) early in this case, after
which the application can fallback to open(2) to access files.
Since this issue typically appears when entry_valid_timeout is 0 which
is configured by the fuse daemon, the fuse daemon is the right person to
explicitly disable the export when required.
Also considering FUSE_EXPORT_SUPPORT actually indicates the support for
lookups of "." and "..", and there are existing fuse daemons supporting
export without FUSE_EXPORT_SUPPORT set, for compatibility, we add a new
INIT flag for such purpose.
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2024-02-26 11:54:35 +08:00
|
|
|
/* only for fid encoding; no support for file handle */
|
|
|
|
static const struct export_operations fuse_export_fid_operations = {
|
|
|
|
.encode_fh = fuse_encode_fh,
|
|
|
|
};
|
|
|
|
|
2008-07-25 16:49:00 +08:00
|
|
|
static const struct export_operations fuse_export_operations = {
|
|
|
|
.fh_to_dentry = fuse_fh_to_dentry,
|
|
|
|
.fh_to_parent = fuse_fh_to_parent,
|
|
|
|
.encode_fh = fuse_encode_fh,
|
2008-07-25 16:49:02 +08:00
|
|
|
.get_parent = fuse_get_parent,
|
2008-07-25 16:49:00 +08:00
|
|
|
};
|
|
|
|
|
2007-02-12 16:55:41 +08:00
|
|
|
static const struct super_operations fuse_super_operations = {
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
.alloc_inode = fuse_alloc_inode,
|
2019-04-16 07:37:09 +08:00
|
|
|
.free_inode = fuse_free_inode,
|
2010-06-08 02:34:48 +08:00
|
|
|
.evict_inode = fuse_evict_inode,
|
2014-04-28 20:19:23 +08:00
|
|
|
.write_inode = fuse_write_inode,
|
2007-05-24 04:57:54 +08:00
|
|
|
.drop_inode = generic_delete_inode,
|
2006-01-17 14:14:41 +08:00
|
|
|
.umount_begin = fuse_umount_begin,
|
2005-09-10 04:10:28 +08:00
|
|
|
.statfs = fuse_statfs,
|
2021-05-20 23:46:54 +08:00
|
|
|
.sync_fs = fuse_sync_fs,
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
.show_options = fuse_show_options,
|
|
|
|
};
|
|
|
|
|
2009-08-27 01:17:22 +08:00
|
|
|
static void sanitize_global_limit(unsigned *limit)
|
|
|
|
{
|
2019-09-12 20:28:13 +08:00
|
|
|
/*
|
|
|
|
* The default maximum number of async requests is calculated to consume
|
|
|
|
* 1/2^13 of the total memory, assuming 392 bytes per request.
|
|
|
|
*/
|
2009-08-27 01:17:22 +08:00
|
|
|
if (*limit == 0)
|
2019-09-12 20:28:13 +08:00
|
|
|
*limit = ((totalram_pages() << PAGE_SHIFT) >> 13) / 392;
|
2009-08-27 01:17:22 +08:00
|
|
|
|
|
|
|
if (*limit >= 1 << 16)
|
|
|
|
*limit = (1 << 16) - 1;
|
|
|
|
}
|
|
|
|
|
treewide: Fix function prototypes for module_param_call()
Several function prototypes for the set/get functions defined by
module_param_call() have a slightly wrong argument types. This fixes
those in an effort to clean up the calls when running under type-enforced
compiler instrumentation for CFI. This is the result of running the
following semantic patch:
@match_module_param_call_function@
declarer name module_param_call;
identifier _name, _set_func, _get_func;
expression _arg, _mode;
@@
module_param_call(_name, _set_func, _get_func, _arg, _mode);
@fix_set_prototype
depends on match_module_param_call_function@
identifier match_module_param_call_function._set_func;
identifier _val, _param;
type _val_type, _param_type;
@@
int _set_func(
-_val_type _val
+const char * _val
,
-_param_type _param
+const struct kernel_param * _param
) { ... }
@fix_get_prototype
depends on match_module_param_call_function@
identifier match_module_param_call_function._get_func;
identifier _val, _param;
type _val_type, _param_type;
@@
int _get_func(
-_val_type _val
+char * _val
,
-_param_type _param
+const struct kernel_param * _param
) { ... }
Two additional by-hand changes are included for places where the above
Coccinelle script didn't notice them:
drivers/platform/x86/thinkpad_acpi.c
fs/lockd/svc.c
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
2017-10-18 10:04:42 +08:00
|
|
|
static int set_global_limit(const char *val, const struct kernel_param *kp)
|
2009-08-27 01:17:22 +08:00
|
|
|
{
|
|
|
|
int rv;
|
|
|
|
|
|
|
|
rv = param_set_uint(val, kp);
|
|
|
|
if (rv)
|
|
|
|
return rv;
|
|
|
|
|
|
|
|
sanitize_global_limit((unsigned *)kp->arg);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void process_init_limits(struct fuse_conn *fc, struct fuse_init_out *arg)
|
|
|
|
{
|
|
|
|
int cap_sys_admin = capable(CAP_SYS_ADMIN);
|
|
|
|
|
|
|
|
if (arg->minor < 13)
|
|
|
|
return;
|
|
|
|
|
|
|
|
sanitize_global_limit(&max_user_bgreq);
|
|
|
|
sanitize_global_limit(&max_user_congthresh);
|
|
|
|
|
2018-08-27 23:29:46 +08:00
|
|
|
spin_lock(&fc->bg_lock);
|
2009-08-27 01:17:22 +08:00
|
|
|
if (arg->max_background) {
|
|
|
|
fc->max_background = arg->max_background;
|
|
|
|
|
|
|
|
if (!cap_sys_admin && fc->max_background > max_user_bgreq)
|
|
|
|
fc->max_background = max_user_bgreq;
|
|
|
|
}
|
|
|
|
if (arg->congestion_threshold) {
|
|
|
|
fc->congestion_threshold = arg->congestion_threshold;
|
|
|
|
|
|
|
|
if (!cap_sys_admin &&
|
|
|
|
fc->congestion_threshold > max_user_congthresh)
|
|
|
|
fc->congestion_threshold = max_user_congthresh;
|
|
|
|
}
|
2018-08-27 23:29:46 +08:00
|
|
|
spin_unlock(&fc->bg_lock);
|
2009-08-27 01:17:22 +08:00
|
|
|
}
|
|
|
|
|
2019-09-10 21:04:10 +08:00
|
|
|
struct fuse_init_args {
|
|
|
|
struct fuse_args args;
|
|
|
|
struct fuse_init_in in;
|
|
|
|
struct fuse_init_out out;
|
|
|
|
};
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
static void process_init_reply(struct fuse_mount *fm, struct fuse_args *args,
|
2019-09-10 21:04:10 +08:00
|
|
|
int error)
|
2006-01-17 14:14:44 +08:00
|
|
|
{
|
2020-05-06 23:44:12 +08:00
|
|
|
struct fuse_conn *fc = fm->fc;
|
2019-09-10 21:04:10 +08:00
|
|
|
struct fuse_init_args *ia = container_of(args, typeof(*ia), args);
|
|
|
|
struct fuse_init_out *arg = &ia->out;
|
2020-08-20 06:19:49 +08:00
|
|
|
bool ok = true;
|
2006-01-17 14:14:44 +08:00
|
|
|
|
2019-09-10 21:04:10 +08:00
|
|
|
if (error || arg->major != FUSE_KERNEL_VERSION)
|
2020-08-20 06:19:49 +08:00
|
|
|
ok = false;
|
2006-01-17 14:14:44 +08:00
|
|
|
else {
|
2006-02-01 19:04:40 +08:00
|
|
|
unsigned long ra_pages;
|
|
|
|
|
2009-08-27 01:17:22 +08:00
|
|
|
process_init_limits(fc, arg);
|
|
|
|
|
2006-02-01 19:04:40 +08:00
|
|
|
if (arg->minor >= 6) {
|
2022-04-15 19:53:56 +08:00
|
|
|
u64 flags = arg->flags;
|
|
|
|
|
|
|
|
if (flags & FUSE_INIT_EXT)
|
|
|
|
flags |= (u64) arg->flags2 << 32;
|
2021-11-25 21:05:18 +08:00
|
|
|
|
mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros
PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} macros were introduced *long* time
ago with promise that one day it will be possible to implement page
cache with bigger chunks than PAGE_SIZE.
This promise never materialized. And unlikely will.
We have many places where PAGE_CACHE_SIZE assumed to be equal to
PAGE_SIZE. And it's constant source of confusion on whether
PAGE_CACHE_* or PAGE_* constant should be used in a particular case,
especially on the border between fs and mm.
Global switching to PAGE_CACHE_SIZE != PAGE_SIZE would cause to much
breakage to be doable.
Let's stop pretending that pages in page cache are special. They are
not.
The changes are pretty straight-forward:
- <foo> << (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- <foo> >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} -> PAGE_{SIZE,SHIFT,MASK,ALIGN};
- page_cache_get() -> get_page();
- page_cache_release() -> put_page();
This patch contains automated changes generated with coccinelle using
script below. For some reason, coccinelle doesn't patch header files.
I've called spatch for them manually.
The only adjustment after coccinelle is revert of changes to
PAGE_CAHCE_ALIGN definition: we are going to drop it later.
There are few places in the code where coccinelle didn't reach. I'll
fix them manually in a separate patch. Comments and documentation also
will be addressed with the separate patch.
virtual patch
@@
expression E;
@@
- E << (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
expression E;
@@
- E >> (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
@@
- PAGE_CACHE_SHIFT
+ PAGE_SHIFT
@@
@@
- PAGE_CACHE_SIZE
+ PAGE_SIZE
@@
@@
- PAGE_CACHE_MASK
+ PAGE_MASK
@@
expression E;
@@
- PAGE_CACHE_ALIGN(E)
+ PAGE_ALIGN(E)
@@
expression E;
@@
- page_cache_get(E)
+ get_page(E)
@@
expression E;
@@
- page_cache_release(E)
+ put_page(E)
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-01 20:29:47 +08:00
|
|
|
ra_pages = arg->max_readahead / PAGE_SIZE;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_ASYNC_READ)
|
2006-02-01 19:04:40 +08:00
|
|
|
fc->async_read = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (!(flags & FUSE_POSIX_LOCKS))
|
2006-06-25 20:48:52 +08:00
|
|
|
fc->no_lock = 1;
|
2011-08-08 22:08:08 +08:00
|
|
|
if (arg->minor >= 17) {
|
2021-11-25 21:05:18 +08:00
|
|
|
if (!(flags & FUSE_FLOCK_LOCKS))
|
2011-08-08 22:08:08 +08:00
|
|
|
fc->no_flock = 1;
|
2011-09-12 15:31:49 +08:00
|
|
|
} else {
|
2021-11-25 21:05:18 +08:00
|
|
|
if (!(flags & FUSE_POSIX_LOCKS))
|
2011-09-12 15:31:49 +08:00
|
|
|
fc->no_flock = 1;
|
2011-08-08 22:08:08 +08:00
|
|
|
}
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_ATOMIC_O_TRUNC)
|
2007-10-18 18:07:02 +08:00
|
|
|
fc->atomic_o_trunc = 1;
|
2008-07-25 16:49:02 +08:00
|
|
|
if (arg->minor >= 9) {
|
|
|
|
/* LOOKUP has dependency on proto version */
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_EXPORT_SUPPORT)
|
2008-07-25 16:49:02 +08:00
|
|
|
fc->export_support = 1;
|
|
|
|
}
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_BIG_WRITES)
|
2008-05-13 05:02:32 +08:00
|
|
|
fc->big_writes = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_DONT_MASK)
|
2009-07-01 02:12:23 +08:00
|
|
|
fc->dont_mask = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_AUTO_INVAL_DATA)
|
2012-07-17 03:23:48 +08:00
|
|
|
fc->auto_inval_data = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
else if (flags & FUSE_EXPLICIT_INVAL_DATA)
|
fuse: allow filesystems to have precise control over data cache
On networked filesystems file data can be changed externally. FUSE
provides notification messages for filesystem to inform kernel that
metadata or data region of a file needs to be invalidated in local page
cache. That provides the basis for filesystem implementations to invalidate
kernel cache explicitly based on observed filesystem-specific events.
FUSE has also "automatic" invalidation mode(*) when the kernel
automatically invalidates data cache of a file if it sees mtime change. It
also automatically invalidates whole data cache of a file if it sees file
size being changed.
The automatic mode has corresponding capability - FUSE_AUTO_INVAL_DATA.
However, due to probably historical reason, that capability controls only
whether mtime change should be resulting in automatic invalidation or
not. A change in file size always results in invalidating whole data cache
of a file irregardless of whether FUSE_AUTO_INVAL_DATA was negotiated(+).
The filesystem I write[1] represents data arrays stored in networked
database as local files suitable for mmap. It is read-only filesystem -
changes to data are committed externally via database interfaces and the
filesystem only glues data into contiguous file streams suitable for mmap
and traditional array processing. The files are big - starting from
hundreds gigabytes and more. The files change regularly, and frequently by
data being appended to their end. The size of files thus changes
frequently.
If a file was accessed locally and some part of its data got into page
cache, we want that data to stay cached unless there is memory pressure, or
unless corresponding part of the file was actually changed. However current
FUSE behaviour - when it sees file size change - is to invalidate the whole
file. The data cache of the file is thus completely lost even on small size
change, and despite that the filesystem server is careful to accurately
translate database changes into FUSE invalidation messages to kernel.
Let's fix it: if a filesystem, through new FUSE_EXPLICIT_INVAL_DATA
capability, indicates to kernel that it is fully responsible for data cache
invalidation, then the kernel won't invalidate files data cache on size
change and only truncate that cache to new size in case the size decreased.
(*) see 72d0d248ca "fuse: add FUSE_AUTO_INVAL_DATA init flag",
eed2179efe "fuse: invalidate inode mapping if mtime changes"
(+) in writeback mode the kernel does not invalidate data cache on file
size change, but neither it allows the filesystem to set the size due to
external event (see 8373200b12 "fuse: Trust kernel i_size only")
[1] https://lab.nexedi.com/kirr/wendelin.core/blob/a50f1d9f/wcfs/wcfs.go#L20
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2019-03-27 19:14:15 +08:00
|
|
|
fc->explicit_inval_data = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_DO_READDIRPLUS) {
|
2012-08-19 20:53:23 +08:00
|
|
|
fc->do_readdirplus = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_READDIRPLUS_AUTO)
|
2013-06-03 20:40:22 +08:00
|
|
|
fc->readdirplus_auto = 1;
|
|
|
|
}
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_ASYNC_DIO)
|
2013-05-01 20:37:21 +08:00
|
|
|
fc->async_dio = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_WRITEBACK_CACHE)
|
2013-10-10 21:12:18 +08:00
|
|
|
fc->writeback_cache = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_PARALLEL_DIROPS)
|
2016-06-30 19:10:49 +08:00
|
|
|
fc->parallel_dirops = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_HANDLE_KILLPRIV)
|
2016-10-01 13:32:32 +08:00
|
|
|
fc->handle_killpriv = 1;
|
2014-04-28 20:19:23 +08:00
|
|
|
if (arg->time_gran && arg->time_gran <= 1000000000)
|
2020-05-06 23:44:12 +08:00
|
|
|
fm->sb->s_time_gran = arg->time_gran;
|
2021-11-25 21:05:18 +08:00
|
|
|
if ((flags & FUSE_POSIX_ACL)) {
|
2016-10-01 13:32:32 +08:00
|
|
|
fc->default_permissions = 1;
|
2016-08-29 21:46:37 +08:00
|
|
|
fc->posix_acl = 1;
|
|
|
|
}
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_CACHE_SYMLINKS)
|
2018-10-11 23:17:00 +08:00
|
|
|
fc->cache_symlinks = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_ABORT_ERROR)
|
2017-11-10 04:23:35 +08:00
|
|
|
fc->abort_err = 1;
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_MAX_PAGES) {
|
fuse: add max_pages to init_out
Replace FUSE_MAX_PAGES_PER_REQ with the configurable parameter max_pages to
improve performance.
Old RFC with detailed description of the problem and many fixes by Mitsuo
Hayasaka (mitsuo.hayasaka.hu@hitachi.com):
- https://lkml.org/lkml/2012/7/5/136
We've encountered performance degradation and fixed it on a big and complex
virtual environment.
Environment to reproduce degradation and improvement:
1. Add lag to user mode FUSE
Add nanosleep(&(struct timespec){ 0, 1000 }, NULL); to xmp_write_buf in
passthrough_fh.c
2. patch UM fuse with configurable max_pages parameter. The patch will be
provided latter.
3. run test script and perform test on tmpfs
fuse_test()
{
cd /tmp
mkdir -p fusemnt
passthrough_fh -o max_pages=$1 /tmp/fusemnt
grep fuse /proc/self/mounts
dd conv=fdatasync oflag=dsync if=/dev/zero of=fusemnt/tmp/tmp \
count=1K bs=1M 2>&1 | grep -v records
rm fusemnt/tmp/tmp
killall passthrough_fh
}
Test results:
passthrough_fh /tmp/fusemnt fuse.passthrough_fh \
rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
1073741824 bytes (1.1 GB) copied, 1.73867 s, 618 MB/s
passthrough_fh /tmp/fusemnt fuse.passthrough_fh \
rw,nosuid,nodev,relatime,user_id=0,group_id=0,max_pages=256 0 0
1073741824 bytes (1.1 GB) copied, 1.15643 s, 928 MB/s
Obviously with bigger lag the difference between 'before' and 'after'
will be more significant.
Mitsuo Hayasaka, in 2012 (https://lkml.org/lkml/2012/7/5/136),
observed improvement from 400-550 to 520-740.
Signed-off-by: Constantine Shulyupin <const@MakeLinux.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2018-09-06 20:37:06 +08:00
|
|
|
fc->max_pages =
|
2021-03-18 21:52:22 +08:00
|
|
|
min_t(unsigned int, fc->max_pages_limit,
|
fuse: add max_pages to init_out
Replace FUSE_MAX_PAGES_PER_REQ with the configurable parameter max_pages to
improve performance.
Old RFC with detailed description of the problem and many fixes by Mitsuo
Hayasaka (mitsuo.hayasaka.hu@hitachi.com):
- https://lkml.org/lkml/2012/7/5/136
We've encountered performance degradation and fixed it on a big and complex
virtual environment.
Environment to reproduce degradation and improvement:
1. Add lag to user mode FUSE
Add nanosleep(&(struct timespec){ 0, 1000 }, NULL); to xmp_write_buf in
passthrough_fh.c
2. patch UM fuse with configurable max_pages parameter. The patch will be
provided latter.
3. run test script and perform test on tmpfs
fuse_test()
{
cd /tmp
mkdir -p fusemnt
passthrough_fh -o max_pages=$1 /tmp/fusemnt
grep fuse /proc/self/mounts
dd conv=fdatasync oflag=dsync if=/dev/zero of=fusemnt/tmp/tmp \
count=1K bs=1M 2>&1 | grep -v records
rm fusemnt/tmp/tmp
killall passthrough_fh
}
Test results:
passthrough_fh /tmp/fusemnt fuse.passthrough_fh \
rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
1073741824 bytes (1.1 GB) copied, 1.73867 s, 618 MB/s
passthrough_fh /tmp/fusemnt fuse.passthrough_fh \
rw,nosuid,nodev,relatime,user_id=0,group_id=0,max_pages=256 0 0
1073741824 bytes (1.1 GB) copied, 1.15643 s, 928 MB/s
Obviously with bigger lag the difference between 'before' and 'after'
will be more significant.
Mitsuo Hayasaka, in 2012 (https://lkml.org/lkml/2012/7/5/136),
observed improvement from 400-550 to 520-740.
Signed-off-by: Constantine Shulyupin <const@MakeLinux.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2018-09-06 20:37:06 +08:00
|
|
|
max_t(unsigned int, arg->max_pages, 1));
|
|
|
|
}
|
2021-11-25 15:05:28 +08:00
|
|
|
if (IS_ENABLED(CONFIG_FUSE_DAX)) {
|
|
|
|
if (flags & FUSE_MAP_ALIGNMENT &&
|
|
|
|
!fuse_dax_check_alignment(fc, arg->map_alignment)) {
|
|
|
|
ok = false;
|
|
|
|
}
|
|
|
|
if (flags & FUSE_HAS_INODE_DAX)
|
|
|
|
fc->inode_dax = 1;
|
2020-08-20 06:19:49 +08:00
|
|
|
}
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_HANDLE_KILLPRIV_V2) {
|
2020-10-10 02:15:07 +08:00
|
|
|
fc->handle_killpriv_v2 = 1;
|
2020-10-10 02:15:12 +08:00
|
|
|
fm->sb->s_flags |= SB_NOSEC;
|
|
|
|
}
|
2021-11-25 21:05:18 +08:00
|
|
|
if (flags & FUSE_SETXATTR_EXT)
|
2021-03-25 23:18:22 +08:00
|
|
|
fc->setxattr_ext = 1;
|
fuse: send security context of inode on file
When a new inode is created, send its security context to server along with
creation request (FUSE_CREAT, FUSE_MKNOD, FUSE_MKDIR and FUSE_SYMLINK).
This gives server an opportunity to create new file and set security
context (possibly atomically). In all the configurations it might not be
possible to set context atomically.
Like nfs and ceph, use security_dentry_init_security() to dermine security
context of inode and send it with create, mkdir, mknod, and symlink
requests.
Following is the information sent to server.
fuse_sectx_header, fuse_secctx, xattr_name, security_context
- struct fuse_secctx_header
This contains total number of security contexts being sent and total
size of all the security contexts (including size of
fuse_secctx_header).
- struct fuse_secctx
This contains size of security context which follows this structure.
There is one fuse_secctx instance per security context.
- xattr name string
This string represents name of xattr which should be used while setting
security context.
- security context
This is the actual security context whose size is specified in
fuse_secctx struct.
Also add the FUSE_SECURITY_CTX flag for the `flags` field of the
fuse_init_out struct. When this flag is set the kernel will append the
security context for a newly created inode to the request (create, mkdir,
mknod, and symlink). The server is responsible for ensuring that the inode
appears atomically (preferrably) with the requested security context.
For example, If the server is using SELinux and backed by a "real" linux
file system that supports extended attributes it can write the security
context value to /proc/thread-self/attr/fscreate before making the syscall
to create the inode.
This patch is based on patch from Chirantan Ekbote <chirantan@chromium.org>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2021-11-11 22:32:49 +08:00
|
|
|
if (flags & FUSE_SECURITY_CTX)
|
|
|
|
fc->init_security = 1;
|
2022-11-10 22:46:33 +08:00
|
|
|
if (flags & FUSE_CREATE_SUPP_GROUP)
|
|
|
|
fc->create_supp_group = 1;
|
2023-09-20 10:40:00 +08:00
|
|
|
if (flags & FUSE_DIRECT_IO_ALLOW_MMAP)
|
|
|
|
fc->direct_io_allow_mmap = 1;
|
2024-02-09 22:57:17 +08:00
|
|
|
/*
|
|
|
|
* max_stack_depth is the max stack depth of FUSE fs,
|
|
|
|
* so it has to be at least 1 to support passthrough
|
|
|
|
* to backing files.
|
|
|
|
*
|
|
|
|
* with max_stack_depth > 1, the backing files can be
|
|
|
|
* on a stacked fs (e.g. overlayfs) themselves and with
|
|
|
|
* max_stack_depth == 1, FUSE fs can be stacked as the
|
|
|
|
* underlying fs of a stacked fs (e.g. overlayfs).
|
|
|
|
*/
|
|
|
|
if (IS_ENABLED(CONFIG_FUSE_PASSTHROUGH) &&
|
|
|
|
(flags & FUSE_PASSTHROUGH) &&
|
|
|
|
arg->max_stack_depth > 0 &&
|
|
|
|
arg->max_stack_depth <= FILESYSTEM_MAX_STACK_DEPTH) {
|
|
|
|
fc->passthrough = 1;
|
|
|
|
fc->max_stack_depth = arg->max_stack_depth;
|
|
|
|
fm->sb->s_stack_depth = arg->max_stack_depth;
|
|
|
|
}
|
fuse: add support for explicit export disabling
open_by_handle_at(2) can fail with -ESTALE with a valid handle returned
by a previous name_to_handle_at(2) for evicted fuse inodes, which is
especially common when entry_valid_timeout is 0, e.g. when the fuse
daemon is in "cache=none" mode.
The time sequence is like:
name_to_handle_at(2) # succeed
evict fuse inode
open_by_handle_at(2) # fail
The root cause is that, with 0 entry_valid_timeout, the dput() called in
name_to_handle_at(2) will trigger iput -> evict(), which will send
FUSE_FORGET to the daemon. The following open_by_handle_at(2) will send
a new FUSE_LOOKUP request upon inode cache miss since the previous inode
eviction. Then the fuse daemon may fail the FUSE_LOOKUP request with
-ENOENT as the cached metadata of the requested inode has already been
cleaned up during the previous FUSE_FORGET. The returned -ENOENT is
treated as -ESTALE when open_by_handle_at(2) returns.
This confuses the application somehow, as open_by_handle_at(2) fails
when the previous name_to_handle_at(2) succeeds. The returned errno is
also confusing as the requested file is not deleted and already there.
It is reasonable to fail name_to_handle_at(2) early in this case, after
which the application can fallback to open(2) to access files.
Since this issue typically appears when entry_valid_timeout is 0 which
is configured by the fuse daemon, the fuse daemon is the right person to
explicitly disable the export when required.
Also considering FUSE_EXPORT_SUPPORT actually indicates the support for
lookups of "." and "..", and there are existing fuse daemons supporting
export without FUSE_EXPORT_SUPPORT set, for compatibility, we add a new
INIT flag for such purpose.
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2024-02-26 11:54:35 +08:00
|
|
|
if (flags & FUSE_NO_EXPORT_SUPPORT)
|
|
|
|
fm->sb->s_export_op = &fuse_export_fid_operations;
|
2006-06-25 20:48:52 +08:00
|
|
|
} else {
|
mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros
PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} macros were introduced *long* time
ago with promise that one day it will be possible to implement page
cache with bigger chunks than PAGE_SIZE.
This promise never materialized. And unlikely will.
We have many places where PAGE_CACHE_SIZE assumed to be equal to
PAGE_SIZE. And it's constant source of confusion on whether
PAGE_CACHE_* or PAGE_* constant should be used in a particular case,
especially on the border between fs and mm.
Global switching to PAGE_CACHE_SIZE != PAGE_SIZE would cause to much
breakage to be doable.
Let's stop pretending that pages in page cache are special. They are
not.
The changes are pretty straight-forward:
- <foo> << (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- <foo> >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} -> PAGE_{SIZE,SHIFT,MASK,ALIGN};
- page_cache_get() -> get_page();
- page_cache_release() -> put_page();
This patch contains automated changes generated with coccinelle using
script below. For some reason, coccinelle doesn't patch header files.
I've called spatch for them manually.
The only adjustment after coccinelle is revert of changes to
PAGE_CAHCE_ALIGN definition: we are going to drop it later.
There are few places in the code where coccinelle didn't reach. I'll
fix them manually in a separate patch. Comments and documentation also
will be addressed with the separate patch.
virtual patch
@@
expression E;
@@
- E << (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
expression E;
@@
- E >> (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
@@
- PAGE_CACHE_SHIFT
+ PAGE_SHIFT
@@
@@
- PAGE_CACHE_SIZE
+ PAGE_SIZE
@@
@@
- PAGE_CACHE_MASK
+ PAGE_MASK
@@
expression E;
@@
- PAGE_CACHE_ALIGN(E)
+ PAGE_ALIGN(E)
@@
expression E;
@@
- page_cache_get(E)
+ get_page(E)
@@
expression E;
@@
- page_cache_release(E)
+ put_page(E)
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-01 20:29:47 +08:00
|
|
|
ra_pages = fc->max_read / PAGE_SIZE;
|
2006-06-25 20:48:52 +08:00
|
|
|
fc->no_lock = 1;
|
2011-08-08 22:08:08 +08:00
|
|
|
fc->no_flock = 1;
|
2006-06-25 20:48:52 +08:00
|
|
|
}
|
2006-02-01 19:04:40 +08:00
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
fm->sb->s_bdi->ra_pages =
|
|
|
|
min(fm->sb->s_bdi->ra_pages, ra_pages);
|
2006-01-17 14:14:44 +08:00
|
|
|
fc->minor = arg->minor;
|
|
|
|
fc->max_write = arg->minor < 5 ? 4096 : arg->max_write;
|
2008-06-18 00:05:40 +08:00
|
|
|
fc->max_write = max_t(unsigned, 4096, fc->max_write);
|
2006-12-07 12:35:52 +08:00
|
|
|
fc->conn_init = 1;
|
2006-01-17 14:14:44 +08:00
|
|
|
}
|
2019-09-10 21:04:10 +08:00
|
|
|
kfree(ia);
|
|
|
|
|
2020-08-20 06:19:49 +08:00
|
|
|
if (!ok) {
|
|
|
|
fc->conn_init = 0;
|
|
|
|
fc->conn_error = 1;
|
|
|
|
}
|
|
|
|
|
2015-01-06 17:45:35 +08:00
|
|
|
fuse_set_initialized(fc);
|
2006-04-11 13:54:59 +08:00
|
|
|
wake_up_all(&fc->blocked_waitq);
|
2006-01-17 14:14:44 +08:00
|
|
|
}
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
void fuse_send_init(struct fuse_mount *fm)
|
2006-01-17 14:14:44 +08:00
|
|
|
{
|
2019-09-10 21:04:10 +08:00
|
|
|
struct fuse_init_args *ia;
|
2021-11-25 21:05:18 +08:00
|
|
|
u64 flags;
|
2006-01-17 14:14:52 +08:00
|
|
|
|
2019-09-10 21:04:10 +08:00
|
|
|
ia = kzalloc(sizeof(*ia), GFP_KERNEL | __GFP_NOFAIL);
|
|
|
|
|
|
|
|
ia->in.major = FUSE_KERNEL_VERSION;
|
|
|
|
ia->in.minor = FUSE_KERNEL_MINOR_VERSION;
|
2020-05-06 23:44:12 +08:00
|
|
|
ia->in.max_readahead = fm->sb->s_bdi->ra_pages * PAGE_SIZE;
|
2021-11-25 21:05:18 +08:00
|
|
|
flags =
|
2019-09-10 21:04:10 +08:00
|
|
|
FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC |
|
2011-08-08 22:08:08 +08:00
|
|
|
FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK |
|
2012-07-18 22:09:40 +08:00
|
|
|
FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ |
|
2016-07-25 21:17:04 +08:00
|
|
|
FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
|
2013-10-10 21:12:18 +08:00
|
|
|
FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO |
|
2016-06-30 19:10:49 +08:00
|
|
|
FUSE_WRITEBACK_CACHE | FUSE_NO_OPEN_SUPPORT |
|
2017-11-10 04:23:35 +08:00
|
|
|
FUSE_PARALLEL_DIROPS | FUSE_HANDLE_KILLPRIV | FUSE_POSIX_ACL |
|
2019-01-08 08:53:17 +08:00
|
|
|
FUSE_ABORT_ERROR | FUSE_MAX_PAGES | FUSE_CACHE_SYMLINKS |
|
2020-10-10 02:15:07 +08:00
|
|
|
FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA |
|
fuse: send security context of inode on file
When a new inode is created, send its security context to server along with
creation request (FUSE_CREAT, FUSE_MKNOD, FUSE_MKDIR and FUSE_SYMLINK).
This gives server an opportunity to create new file and set security
context (possibly atomically). In all the configurations it might not be
possible to set context atomically.
Like nfs and ceph, use security_dentry_init_security() to dermine security
context of inode and send it with create, mkdir, mknod, and symlink
requests.
Following is the information sent to server.
fuse_sectx_header, fuse_secctx, xattr_name, security_context
- struct fuse_secctx_header
This contains total number of security contexts being sent and total
size of all the security contexts (including size of
fuse_secctx_header).
- struct fuse_secctx
This contains size of security context which follows this structure.
There is one fuse_secctx instance per security context.
- xattr name string
This string represents name of xattr which should be used while setting
security context.
- security context
This is the actual security context whose size is specified in
fuse_secctx struct.
Also add the FUSE_SECURITY_CTX flag for the `flags` field of the
fuse_init_out struct. When this flag is set the kernel will append the
security context for a newly created inode to the request (create, mkdir,
mknod, and symlink). The server is responsible for ensuring that the inode
appears atomically (preferrably) with the requested security context.
For example, If the server is using SELinux and backed by a "real" linux
file system that supports extended attributes it can write the security
context value to /proc/thread-self/attr/fscreate before making the syscall
to create the inode.
This patch is based on patch from Chirantan Ekbote <chirantan@chromium.org>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2021-11-11 22:32:49 +08:00
|
|
|
FUSE_HANDLE_KILLPRIV_V2 | FUSE_SETXATTR_EXT | FUSE_INIT_EXT |
|
2023-03-27 22:14:49 +08:00
|
|
|
FUSE_SECURITY_CTX | FUSE_CREATE_SUPP_GROUP |
|
fuse: add support for explicit export disabling
open_by_handle_at(2) can fail with -ESTALE with a valid handle returned
by a previous name_to_handle_at(2) for evicted fuse inodes, which is
especially common when entry_valid_timeout is 0, e.g. when the fuse
daemon is in "cache=none" mode.
The time sequence is like:
name_to_handle_at(2) # succeed
evict fuse inode
open_by_handle_at(2) # fail
The root cause is that, with 0 entry_valid_timeout, the dput() called in
name_to_handle_at(2) will trigger iput -> evict(), which will send
FUSE_FORGET to the daemon. The following open_by_handle_at(2) will send
a new FUSE_LOOKUP request upon inode cache miss since the previous inode
eviction. Then the fuse daemon may fail the FUSE_LOOKUP request with
-ENOENT as the cached metadata of the requested inode has already been
cleaned up during the previous FUSE_FORGET. The returned -ENOENT is
treated as -ESTALE when open_by_handle_at(2) returns.
This confuses the application somehow, as open_by_handle_at(2) fails
when the previous name_to_handle_at(2) succeeds. The returned errno is
also confusing as the requested file is not deleted and already there.
It is reasonable to fail name_to_handle_at(2) early in this case, after
which the application can fallback to open(2) to access files.
Since this issue typically appears when entry_valid_timeout is 0 which
is configured by the fuse daemon, the fuse daemon is the right person to
explicitly disable the export when required.
Also considering FUSE_EXPORT_SUPPORT actually indicates the support for
lookups of "." and "..", and there are existing fuse daemons supporting
export without FUSE_EXPORT_SUPPORT set, for compatibility, we add a new
INIT flag for such purpose.
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2024-02-26 11:54:35 +08:00
|
|
|
FUSE_HAS_EXPIRE_ONLY | FUSE_DIRECT_IO_ALLOW_MMAP |
|
2024-01-09 17:24:43 +08:00
|
|
|
FUSE_NO_EXPORT_SUPPORT | FUSE_HAS_RESEND;
|
2020-08-20 06:19:49 +08:00
|
|
|
#ifdef CONFIG_FUSE_DAX
|
2020-05-06 23:44:12 +08:00
|
|
|
if (fm->fc->dax)
|
2021-11-25 21:05:18 +08:00
|
|
|
flags |= FUSE_MAP_ALIGNMENT;
|
2021-11-25 15:05:28 +08:00
|
|
|
if (fuse_is_inode_dax_mode(fm->fc->dax_mode))
|
|
|
|
flags |= FUSE_HAS_INODE_DAX;
|
2020-08-20 06:19:49 +08:00
|
|
|
#endif
|
2020-04-21 20:47:15 +08:00
|
|
|
if (fm->fc->auto_submounts)
|
2021-11-25 21:05:18 +08:00
|
|
|
flags |= FUSE_SUBMOUNTS;
|
2024-02-09 22:57:17 +08:00
|
|
|
if (IS_ENABLED(CONFIG_FUSE_PASSTHROUGH))
|
|
|
|
flags |= FUSE_PASSTHROUGH;
|
2021-11-25 21:05:18 +08:00
|
|
|
|
|
|
|
ia->in.flags = flags;
|
|
|
|
ia->in.flags2 = flags >> 32;
|
2020-04-21 20:47:15 +08:00
|
|
|
|
2019-09-10 21:04:10 +08:00
|
|
|
ia->args.opcode = FUSE_INIT;
|
|
|
|
ia->args.in_numargs = 1;
|
|
|
|
ia->args.in_args[0].size = sizeof(ia->in);
|
|
|
|
ia->args.in_args[0].value = &ia->in;
|
|
|
|
ia->args.out_numargs = 1;
|
tree-wide: Assorted spelling fixes
In particular, several occurances of funny versions of 'success',
'unknown', 'therefore', 'acknowledge', 'argument', 'achieve', 'address',
'beginning', 'desirable', 'separate' and 'necessary' are fixed.
Signed-off-by: Daniel Mack <daniel@caiaq.de>
Cc: Joe Perches <joe@perches.com>
Cc: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2010-02-03 08:01:28 +08:00
|
|
|
/* Variable length argument used for backward compatibility
|
2006-01-17 14:14:44 +08:00
|
|
|
with interface version < 7.5. Rest of init_out is zeroed
|
|
|
|
by do_get_request(), so a short reply is not a problem */
|
2020-01-14 20:39:45 +08:00
|
|
|
ia->args.out_argvar = true;
|
2019-09-10 21:04:10 +08:00
|
|
|
ia->args.out_args[0].size = sizeof(ia->out);
|
|
|
|
ia->args.out_args[0].value = &ia->out;
|
|
|
|
ia->args.force = true;
|
|
|
|
ia->args.nocreds = true;
|
|
|
|
ia->args.end = process_init_reply;
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
if (fuse_simple_background(fm, &ia->args, GFP_KERNEL) != 0)
|
|
|
|
process_init_reply(fm, &ia->args, -ENOTCONN);
|
2006-01-17 14:14:44 +08:00
|
|
|
}
|
2019-03-07 05:51:39 +08:00
|
|
|
EXPORT_SYMBOL_GPL(fuse_send_init);
|
2006-01-17 14:14:44 +08:00
|
|
|
|
2019-08-29 17:01:20 +08:00
|
|
|
void fuse_free_conn(struct fuse_conn *fc)
|
2008-11-26 19:03:56 +08:00
|
|
|
{
|
2015-07-01 22:26:08 +08:00
|
|
|
WARN_ON(!list_empty(&fc->devices));
|
2023-09-28 12:19:39 +08:00
|
|
|
kfree(fc);
|
2008-11-26 19:03:56 +08:00
|
|
|
}
|
2019-08-29 17:01:20 +08:00
|
|
|
EXPORT_SYMBOL_GPL(fuse_free_conn);
|
2008-11-26 19:03:56 +08:00
|
|
|
|
2009-04-14 09:54:52 +08:00
|
|
|
static int fuse_bdi_init(struct fuse_conn *fc, struct super_block *sb)
|
|
|
|
{
|
|
|
|
int err;
|
2017-04-12 18:24:40 +08:00
|
|
|
char *suffix = "";
|
2009-04-14 09:54:52 +08:00
|
|
|
|
2017-05-16 18:22:22 +08:00
|
|
|
if (sb->s_bdev) {
|
2017-04-12 18:24:40 +08:00
|
|
|
suffix = "-fuseblk";
|
2017-05-16 18:22:22 +08:00
|
|
|
/*
|
|
|
|
* sb->s_bdi points to blkdev's bdi however we want to redirect
|
|
|
|
* it to our private bdi...
|
|
|
|
*/
|
|
|
|
bdi_put(sb->s_bdi);
|
|
|
|
sb->s_bdi = &noop_backing_dev_info;
|
|
|
|
}
|
2017-04-12 18:24:40 +08:00
|
|
|
err = super_setup_bdi_name(sb, "%u:%u%s", MAJOR(fc->dev),
|
|
|
|
MINOR(fc->dev), suffix);
|
2009-04-14 09:54:52 +08:00
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
2017-04-12 18:24:40 +08:00
|
|
|
/* fuse does it's own writeback accounting */
|
2020-09-24 14:51:39 +08:00
|
|
|
sb->s_bdi->capabilities &= ~BDI_CAP_WRITEBACK_ACCT;
|
|
|
|
sb->s_bdi->capabilities |= BDI_CAP_STRICTLIMIT;
|
2009-04-14 09:54:52 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* For a single fuse filesystem use max 1% of dirty +
|
|
|
|
* writeback threshold.
|
|
|
|
*
|
|
|
|
* This gives about 1M of write buffer for memory maps on a
|
|
|
|
* machine with 1G and 10% dirty_ratio, which should be more
|
|
|
|
* than enough.
|
|
|
|
*
|
|
|
|
* Privileged users can raise it by writing to
|
|
|
|
*
|
|
|
|
* /sys/class/bdi/<bdi>/max_ratio
|
|
|
|
*/
|
2017-04-12 18:24:40 +08:00
|
|
|
bdi_set_max_ratio(sb->s_bdi, 1);
|
2009-04-14 09:54:52 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-03-07 05:51:40 +08:00
|
|
|
struct fuse_dev *fuse_dev_alloc(void)
|
2015-07-01 22:26:08 +08:00
|
|
|
{
|
|
|
|
struct fuse_dev *fud;
|
2018-09-11 18:12:14 +08:00
|
|
|
struct list_head *pq;
|
2015-07-01 22:26:08 +08:00
|
|
|
|
|
|
|
fud = kzalloc(sizeof(struct fuse_dev), GFP_KERNEL);
|
2018-09-11 18:12:14 +08:00
|
|
|
if (!fud)
|
|
|
|
return NULL;
|
2015-07-01 22:26:08 +08:00
|
|
|
|
2018-09-11 18:12:14 +08:00
|
|
|
pq = kcalloc(FUSE_PQ_HASH_SIZE, sizeof(struct list_head), GFP_KERNEL);
|
|
|
|
if (!pq) {
|
|
|
|
kfree(fud);
|
|
|
|
return NULL;
|
2015-07-01 22:26:08 +08:00
|
|
|
}
|
|
|
|
|
2018-09-11 18:12:14 +08:00
|
|
|
fud->pq.processing = pq;
|
|
|
|
fuse_pqueue_init(&fud->pq);
|
|
|
|
|
2019-03-07 05:51:40 +08:00
|
|
|
return fud;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(fuse_dev_alloc);
|
|
|
|
|
|
|
|
void fuse_dev_install(struct fuse_dev *fud, struct fuse_conn *fc)
|
|
|
|
{
|
|
|
|
fud->fc = fuse_conn_get(fc);
|
2018-09-11 18:12:14 +08:00
|
|
|
spin_lock(&fc->lock);
|
|
|
|
list_add_tail(&fud->entry, &fc->devices);
|
|
|
|
spin_unlock(&fc->lock);
|
2019-03-07 05:51:40 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(fuse_dev_install);
|
2018-09-11 18:12:14 +08:00
|
|
|
|
2019-03-07 05:51:40 +08:00
|
|
|
struct fuse_dev *fuse_dev_alloc_install(struct fuse_conn *fc)
|
|
|
|
{
|
|
|
|
struct fuse_dev *fud;
|
|
|
|
|
|
|
|
fud = fuse_dev_alloc();
|
|
|
|
if (!fud)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
fuse_dev_install(fud, fc);
|
2015-07-01 22:26:08 +08:00
|
|
|
return fud;
|
|
|
|
}
|
2019-03-07 05:51:40 +08:00
|
|
|
EXPORT_SYMBOL_GPL(fuse_dev_alloc_install);
|
2015-07-01 22:26:08 +08:00
|
|
|
|
|
|
|
void fuse_dev_free(struct fuse_dev *fud)
|
|
|
|
{
|
|
|
|
struct fuse_conn *fc = fud->fc;
|
|
|
|
|
|
|
|
if (fc) {
|
|
|
|
spin_lock(&fc->lock);
|
|
|
|
list_del(&fud->entry);
|
|
|
|
spin_unlock(&fc->lock);
|
|
|
|
|
|
|
|
fuse_conn_put(fc);
|
|
|
|
}
|
2018-12-09 13:30:15 +08:00
|
|
|
kfree(fud->pq.processing);
|
2015-07-01 22:26:08 +08:00
|
|
|
kfree(fud);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(fuse_dev_free);
|
|
|
|
|
2020-09-09 23:52:17 +08:00
|
|
|
static void fuse_fill_attr_from_inode(struct fuse_attr *attr,
|
|
|
|
const struct fuse_inode *fi)
|
|
|
|
{
|
2023-10-05 02:52:24 +08:00
|
|
|
struct timespec64 atime = inode_get_atime(&fi->inode);
|
|
|
|
struct timespec64 mtime = inode_get_mtime(&fi->inode);
|
2023-07-06 03:01:11 +08:00
|
|
|
struct timespec64 ctime = inode_get_ctime(&fi->inode);
|
|
|
|
|
2020-09-09 23:52:17 +08:00
|
|
|
*attr = (struct fuse_attr){
|
|
|
|
.ino = fi->inode.i_ino,
|
|
|
|
.size = fi->inode.i_size,
|
|
|
|
.blocks = fi->inode.i_blocks,
|
2023-10-05 02:52:24 +08:00
|
|
|
.atime = atime.tv_sec,
|
|
|
|
.mtime = mtime.tv_sec,
|
2023-07-06 03:01:11 +08:00
|
|
|
.ctime = ctime.tv_sec,
|
2023-10-05 02:52:24 +08:00
|
|
|
.atimensec = atime.tv_nsec,
|
|
|
|
.mtimensec = mtime.tv_nsec,
|
2023-07-06 03:01:11 +08:00
|
|
|
.ctimensec = ctime.tv_nsec,
|
2020-09-09 23:52:17 +08:00
|
|
|
.mode = fi->inode.i_mode,
|
|
|
|
.nlink = fi->inode.i_nlink,
|
2024-01-05 23:21:29 +08:00
|
|
|
.uid = __kuid_val(fi->inode.i_uid),
|
|
|
|
.gid = __kgid_val(fi->inode.i_gid),
|
2020-09-09 23:52:17 +08:00
|
|
|
.rdev = fi->inode.i_rdev,
|
|
|
|
.blksize = 1u << fi->inode.i_blkbits,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
static void fuse_sb_defaults(struct super_block *sb)
|
|
|
|
{
|
|
|
|
sb->s_magic = FUSE_SUPER_MAGIC;
|
|
|
|
sb->s_op = &fuse_super_operations;
|
|
|
|
sb->s_xattr = fuse_xattr_handlers;
|
|
|
|
sb->s_maxbytes = MAX_LFS_FILESIZE;
|
|
|
|
sb->s_time_gran = 1;
|
|
|
|
sb->s_export_op = &fuse_export_operations;
|
|
|
|
sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;
|
|
|
|
if (sb->s_user_ns != &init_user_ns)
|
|
|
|
sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;
|
|
|
|
sb->s_flags &= ~(SB_NOSEC | SB_I_VERSION);
|
|
|
|
}
|
|
|
|
|
2021-06-05 00:11:56 +08:00
|
|
|
static int fuse_fill_super_submount(struct super_block *sb,
|
|
|
|
struct fuse_inode *parent_fi)
|
2020-09-09 23:52:17 +08:00
|
|
|
{
|
|
|
|
struct fuse_mount *fm = get_fuse_mount_super(sb);
|
|
|
|
struct super_block *parent_sb = parent_fi->inode.i_sb;
|
|
|
|
struct fuse_attr root_attr;
|
|
|
|
struct inode *root;
|
2023-11-04 01:39:47 +08:00
|
|
|
struct fuse_submount_lookup *sl;
|
|
|
|
struct fuse_inode *fi;
|
2020-09-09 23:52:17 +08:00
|
|
|
|
|
|
|
fuse_sb_defaults(sb);
|
|
|
|
fm->sb = sb;
|
|
|
|
|
|
|
|
WARN_ON(sb->s_bdi != &noop_backing_dev_info);
|
|
|
|
sb->s_bdi = bdi_get(parent_sb->s_bdi);
|
|
|
|
|
|
|
|
sb->s_xattr = parent_sb->s_xattr;
|
fuse: add support for explicit export disabling
open_by_handle_at(2) can fail with -ESTALE with a valid handle returned
by a previous name_to_handle_at(2) for evicted fuse inodes, which is
especially common when entry_valid_timeout is 0, e.g. when the fuse
daemon is in "cache=none" mode.
The time sequence is like:
name_to_handle_at(2) # succeed
evict fuse inode
open_by_handle_at(2) # fail
The root cause is that, with 0 entry_valid_timeout, the dput() called in
name_to_handle_at(2) will trigger iput -> evict(), which will send
FUSE_FORGET to the daemon. The following open_by_handle_at(2) will send
a new FUSE_LOOKUP request upon inode cache miss since the previous inode
eviction. Then the fuse daemon may fail the FUSE_LOOKUP request with
-ENOENT as the cached metadata of the requested inode has already been
cleaned up during the previous FUSE_FORGET. The returned -ENOENT is
treated as -ESTALE when open_by_handle_at(2) returns.
This confuses the application somehow, as open_by_handle_at(2) fails
when the previous name_to_handle_at(2) succeeds. The returned errno is
also confusing as the requested file is not deleted and already there.
It is reasonable to fail name_to_handle_at(2) early in this case, after
which the application can fallback to open(2) to access files.
Since this issue typically appears when entry_valid_timeout is 0 which
is configured by the fuse daemon, the fuse daemon is the right person to
explicitly disable the export when required.
Also considering FUSE_EXPORT_SUPPORT actually indicates the support for
lookups of "." and "..", and there are existing fuse daemons supporting
export without FUSE_EXPORT_SUPPORT set, for compatibility, we add a new
INIT flag for such purpose.
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2024-02-26 11:54:35 +08:00
|
|
|
sb->s_export_op = parent_sb->s_export_op;
|
2020-09-09 23:52:17 +08:00
|
|
|
sb->s_time_gran = parent_sb->s_time_gran;
|
|
|
|
sb->s_blocksize = parent_sb->s_blocksize;
|
|
|
|
sb->s_blocksize_bits = parent_sb->s_blocksize_bits;
|
|
|
|
sb->s_subtype = kstrdup(parent_sb->s_subtype, GFP_KERNEL);
|
|
|
|
if (parent_sb->s_subtype && !sb->s_subtype)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
fuse_fill_attr_from_inode(&root_attr, parent_fi);
|
|
|
|
root = fuse_iget(sb, parent_fi->nodeid, 0, &root_attr, 0, 0);
|
|
|
|
/*
|
|
|
|
* This inode is just a duplicate, so it is not looked up and
|
|
|
|
* its nlookup should not be incremented. fuse_iget() does
|
|
|
|
* that, though, so undo it here.
|
|
|
|
*/
|
2023-11-04 01:39:47 +08:00
|
|
|
fi = get_fuse_inode(root);
|
|
|
|
fi->nlookup--;
|
|
|
|
|
2020-09-09 23:52:17 +08:00
|
|
|
sb->s_d_op = &fuse_dentry_operations;
|
|
|
|
sb->s_root = d_make_root(root);
|
|
|
|
if (!sb->s_root)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2023-11-04 01:39:47 +08:00
|
|
|
/*
|
|
|
|
* Grab the parent's submount_lookup pointer and take a
|
|
|
|
* reference on the shared nlookup from the parent. This is to
|
|
|
|
* prevent the last forget for this nodeid from getting
|
|
|
|
* triggered until all users have finished with it.
|
|
|
|
*/
|
|
|
|
sl = parent_fi->submount_lookup;
|
|
|
|
WARN_ON(!sl);
|
|
|
|
if (sl) {
|
|
|
|
refcount_inc(&sl->count);
|
|
|
|
fi->submount_lookup = sl;
|
|
|
|
}
|
|
|
|
|
2020-09-09 23:52:17 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2021-06-05 00:11:54 +08:00
|
|
|
/* Filesystem context private data holds the FUSE inode of the mount point */
|
2021-06-05 00:11:53 +08:00
|
|
|
static int fuse_get_tree_submount(struct fs_context *fsc)
|
|
|
|
{
|
2021-06-05 00:11:54 +08:00
|
|
|
struct fuse_mount *fm;
|
|
|
|
struct fuse_inode *mp_fi = fsc->fs_private;
|
|
|
|
struct fuse_conn *fc = get_fuse_conn(&mp_fi->inode);
|
|
|
|
struct super_block *sb;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
fm = kzalloc(sizeof(struct fuse_mount), GFP_KERNEL);
|
|
|
|
if (!fm)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2021-10-21 16:01:39 +08:00
|
|
|
fm->fc = fuse_conn_get(fc);
|
2021-06-05 00:11:54 +08:00
|
|
|
fsc->s_fs_info = fm;
|
|
|
|
sb = sget_fc(fsc, NULL, set_anon_super_fc);
|
2021-10-21 16:01:39 +08:00
|
|
|
if (fsc->s_fs_info)
|
|
|
|
fuse_mount_destroy(fm);
|
|
|
|
if (IS_ERR(sb))
|
2021-06-05 00:11:54 +08:00
|
|
|
return PTR_ERR(sb);
|
|
|
|
|
|
|
|
/* Initialize superblock, making @mp_fi its root */
|
|
|
|
err = fuse_fill_super_submount(sb, mp_fi);
|
|
|
|
if (err) {
|
|
|
|
deactivate_locked_super(sb);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
down_write(&fc->killsb);
|
|
|
|
list_add_tail(&fm->fc_entry, &fc->mounts);
|
|
|
|
up_write(&fc->killsb);
|
|
|
|
|
|
|
|
sb->s_flags |= SB_ACTIVE;
|
|
|
|
fsc->root = dget(sb->s_root);
|
|
|
|
|
2021-06-05 00:11:53 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct fs_context_operations fuse_context_submount_ops = {
|
|
|
|
.get_tree = fuse_get_tree_submount,
|
|
|
|
};
|
|
|
|
|
|
|
|
int fuse_init_fs_context_submount(struct fs_context *fsc)
|
|
|
|
{
|
|
|
|
fsc->ops = &fuse_context_submount_ops;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(fuse_init_fs_context_submount);
|
|
|
|
|
2018-06-13 17:23:04 +08:00
|
|
|
int fuse_fill_super_common(struct super_block *sb, struct fuse_fs_context *ctx)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2020-05-05 02:33:15 +08:00
|
|
|
struct fuse_dev *fud = NULL;
|
2020-05-06 23:44:12 +08:00
|
|
|
struct fuse_mount *fm = get_fuse_mount_super(sb);
|
|
|
|
struct fuse_conn *fc = fm->fc;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
struct inode *root;
|
2006-01-17 14:14:35 +08:00
|
|
|
struct dentry *root_dentry;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
int err;
|
|
|
|
|
2009-01-26 22:00:58 +08:00
|
|
|
err = -EINVAL;
|
2017-11-28 05:05:09 +08:00
|
|
|
if (sb->s_flags & SB_MANDLOCK)
|
2009-01-26 22:00:58 +08:00
|
|
|
goto err;
|
2006-06-25 20:48:52 +08:00
|
|
|
|
2021-09-01 18:39:02 +08:00
|
|
|
rcu_assign_pointer(fc->curr_bucket, fuse_sync_bucket_alloc());
|
2020-09-09 23:52:17 +08:00
|
|
|
fuse_sb_defaults(sb);
|
2011-06-04 06:24:58 +08:00
|
|
|
|
2018-06-13 17:23:04 +08:00
|
|
|
if (ctx->is_bdev) {
|
2006-12-07 12:35:54 +08:00
|
|
|
#ifdef CONFIG_BLOCK
|
2009-01-26 22:00:58 +08:00
|
|
|
err = -EINVAL;
|
2019-03-26 00:38:31 +08:00
|
|
|
if (!sb_set_blocksize(sb, ctx->blksize))
|
2009-01-26 22:00:58 +08:00
|
|
|
goto err;
|
2006-12-07 12:35:54 +08:00
|
|
|
#endif
|
2006-12-07 12:35:48 +08:00
|
|
|
} else {
|
mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros
PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} macros were introduced *long* time
ago with promise that one day it will be possible to implement page
cache with bigger chunks than PAGE_SIZE.
This promise never materialized. And unlikely will.
We have many places where PAGE_CACHE_SIZE assumed to be equal to
PAGE_SIZE. And it's constant source of confusion on whether
PAGE_CACHE_* or PAGE_* constant should be used in a particular case,
especially on the border between fs and mm.
Global switching to PAGE_CACHE_SIZE != PAGE_SIZE would cause to much
breakage to be doable.
Let's stop pretending that pages in page cache are special. They are
not.
The changes are pretty straight-forward:
- <foo> << (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- <foo> >> (PAGE_CACHE_SHIFT - PAGE_SHIFT) -> <foo>;
- PAGE_CACHE_{SIZE,SHIFT,MASK,ALIGN} -> PAGE_{SIZE,SHIFT,MASK,ALIGN};
- page_cache_get() -> get_page();
- page_cache_release() -> put_page();
This patch contains automated changes generated with coccinelle using
script below. For some reason, coccinelle doesn't patch header files.
I've called spatch for them manually.
The only adjustment after coccinelle is revert of changes to
PAGE_CAHCE_ALIGN definition: we are going to drop it later.
There are few places in the code where coccinelle didn't reach. I'll
fix them manually in a separate patch. Comments and documentation also
will be addressed with the separate patch.
virtual patch
@@
expression E;
@@
- E << (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
expression E;
@@
- E >> (PAGE_CACHE_SHIFT - PAGE_SHIFT)
+ E
@@
@@
- PAGE_CACHE_SHIFT
+ PAGE_SHIFT
@@
@@
- PAGE_CACHE_SIZE
+ PAGE_SIZE
@@
@@
- PAGE_CACHE_MASK
+ PAGE_MASK
@@
expression E;
@@
- PAGE_CACHE_ALIGN(E)
+ PAGE_ALIGN(E)
@@
expression E;
@@
- page_cache_get(E)
+ get_page(E)
@@
expression E;
@@
- page_cache_release(E)
+ put_page(E)
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-01 20:29:47 +08:00
|
|
|
sb->s_blocksize = PAGE_SIZE;
|
|
|
|
sb->s_blocksize_bits = PAGE_SHIFT;
|
2006-12-07 12:35:48 +08:00
|
|
|
}
|
2019-03-26 00:38:31 +08:00
|
|
|
|
|
|
|
sb->s_subtype = ctx->subtype;
|
|
|
|
ctx->subtype = NULL;
|
2020-08-20 06:19:47 +08:00
|
|
|
if (IS_ENABLED(CONFIG_FUSE_DAX)) {
|
2021-11-25 15:05:25 +08:00
|
|
|
err = fuse_dax_conn_alloc(fc, ctx->dax_mode, ctx->dax_dev);
|
2020-08-20 06:19:47 +08:00
|
|
|
if (err)
|
|
|
|
goto err;
|
|
|
|
}
|
2018-05-05 00:47:28 +08:00
|
|
|
|
2020-05-05 02:33:15 +08:00
|
|
|
if (ctx->fudptr) {
|
|
|
|
err = -ENOMEM;
|
|
|
|
fud = fuse_dev_alloc_install(fc);
|
|
|
|
if (!fud)
|
2020-08-20 06:19:47 +08:00
|
|
|
goto err_free_dax;
|
2020-05-05 02:33:15 +08:00
|
|
|
}
|
2015-07-01 22:26:08 +08:00
|
|
|
|
2009-04-14 09:54:52 +08:00
|
|
|
fc->dev = sb->s_dev;
|
2020-05-06 23:44:12 +08:00
|
|
|
fm->sb = sb;
|
2009-04-14 09:54:52 +08:00
|
|
|
err = fuse_bdi_init(fc, sb);
|
|
|
|
if (err)
|
2015-07-01 22:26:08 +08:00
|
|
|
goto err_dev_free;
|
2008-11-26 19:03:55 +08:00
|
|
|
|
2009-07-01 02:12:23 +08:00
|
|
|
/* Handle umasking inside the fuse code */
|
2017-11-28 05:05:09 +08:00
|
|
|
if (sb->s_flags & SB_POSIXACL)
|
2009-07-01 02:12:23 +08:00
|
|
|
fc->dont_mask = 1;
|
2017-11-28 05:05:09 +08:00
|
|
|
sb->s_flags |= SB_POSIXACL;
|
2009-07-01 02:12:23 +08:00
|
|
|
|
2019-03-26 00:38:31 +08:00
|
|
|
fc->default_permissions = ctx->default_permissions;
|
|
|
|
fc->allow_other = ctx->allow_other;
|
|
|
|
fc->user_id = ctx->user_id;
|
|
|
|
fc->group_id = ctx->group_id;
|
2020-08-20 06:19:45 +08:00
|
|
|
fc->legacy_opts_show = ctx->legacy_opts_show;
|
2020-09-09 23:52:17 +08:00
|
|
|
fc->max_read = max_t(unsigned int, 4096, ctx->max_read);
|
2019-08-29 17:01:20 +08:00
|
|
|
fc->destroy = ctx->destroy;
|
2019-05-07 03:35:43 +08:00
|
|
|
fc->no_control = ctx->no_control;
|
|
|
|
fc->no_force_umount = ctx->no_force_umount;
|
2006-01-17 14:14:35 +08:00
|
|
|
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
err = -ENOMEM;
|
2019-03-26 00:38:31 +08:00
|
|
|
root = fuse_get_root_inode(sb, ctx->rootmode);
|
2016-10-18 21:36:48 +08:00
|
|
|
sb->s_d_op = &fuse_root_dentry_operations;
|
2012-01-09 11:15:13 +08:00
|
|
|
root_dentry = d_make_root(root);
|
|
|
|
if (!root_dentry)
|
2015-07-01 22:26:08 +08:00
|
|
|
goto err_dev_free;
|
2016-10-18 21:36:48 +08:00
|
|
|
/* Root dentry doesn't have .d_revalidate */
|
2010-12-19 00:15:22 +08:00
|
|
|
sb->s_d_op = &fuse_dentry_operations;
|
2006-01-17 14:14:35 +08:00
|
|
|
|
2006-06-25 20:48:51 +08:00
|
|
|
mutex_lock(&fuse_mutex);
|
2006-04-26 16:49:16 +08:00
|
|
|
err = -EINVAL;
|
2020-05-05 02:33:15 +08:00
|
|
|
if (ctx->fudptr && *ctx->fudptr)
|
2006-06-25 20:48:51 +08:00
|
|
|
goto err_unlock;
|
2006-04-26 16:49:16 +08:00
|
|
|
|
2006-06-25 20:48:51 +08:00
|
|
|
err = fuse_ctl_add_conn(fc);
|
|
|
|
if (err)
|
|
|
|
goto err_unlock;
|
|
|
|
|
|
|
|
list_add_tail(&fc->entry, &fuse_conn_list);
|
2006-01-17 14:14:35 +08:00
|
|
|
sb->s_root = root_dentry;
|
2020-05-05 02:33:15 +08:00
|
|
|
if (ctx->fudptr)
|
|
|
|
*ctx->fudptr = fud;
|
2006-06-25 20:48:51 +08:00
|
|
|
mutex_unlock(&fuse_mutex);
|
2018-06-13 17:23:04 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
err_unlock:
|
|
|
|
mutex_unlock(&fuse_mutex);
|
|
|
|
dput(root_dentry);
|
|
|
|
err_dev_free:
|
2020-05-05 02:33:15 +08:00
|
|
|
if (fud)
|
|
|
|
fuse_dev_free(fud);
|
2020-08-20 06:19:47 +08:00
|
|
|
err_free_dax:
|
|
|
|
if (IS_ENABLED(CONFIG_FUSE_DAX))
|
|
|
|
fuse_dax_conn_free(fc);
|
2018-06-13 17:23:04 +08:00
|
|
|
err:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(fuse_fill_super_common);
|
|
|
|
|
|
|
|
static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc)
|
|
|
|
{
|
|
|
|
struct fuse_fs_context *ctx = fsc->fs_private;
|
|
|
|
int err;
|
|
|
|
|
2021-08-05 11:57:27 +08:00
|
|
|
if (!ctx->file || !ctx->rootmode_present ||
|
2021-08-04 19:22:58 +08:00
|
|
|
!ctx->user_id_present || !ctx->group_id_present)
|
|
|
|
return -EINVAL;
|
2018-06-13 17:23:04 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Require mount to happen from the same user namespace which
|
|
|
|
* opened /dev/fuse to prevent potential attacks.
|
|
|
|
*/
|
2021-08-05 11:57:27 +08:00
|
|
|
if ((ctx->file->f_op != &fuse_dev_operations) ||
|
|
|
|
(ctx->file->f_cred->user_ns != sb->s_user_ns))
|
2021-10-21 16:01:39 +08:00
|
|
|
return -EINVAL;
|
2021-08-05 11:57:27 +08:00
|
|
|
ctx->fudptr = &ctx->file->private_data;
|
2018-06-13 17:23:04 +08:00
|
|
|
|
|
|
|
err = fuse_fill_super_common(sb, ctx);
|
|
|
|
if (err)
|
2021-10-21 16:01:39 +08:00
|
|
|
return err;
|
2021-08-05 11:57:27 +08:00
|
|
|
/* file->private_data shall be visible on all CPUs after this */
|
|
|
|
smp_mb();
|
2020-05-06 23:44:12 +08:00
|
|
|
fuse_send_init(get_fuse_mount_super(sb));
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2021-08-05 11:57:27 +08:00
|
|
|
/*
|
|
|
|
* This is the path where user supplied an already initialized fuse dev. In
|
|
|
|
* this case never create a new super if the old one is gone.
|
|
|
|
*/
|
|
|
|
static int fuse_set_no_super(struct super_block *sb, struct fs_context *fsc)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2021-08-05 11:57:27 +08:00
|
|
|
return -ENOTCONN;
|
|
|
|
}
|
2019-03-26 00:38:31 +08:00
|
|
|
|
2021-08-05 11:57:27 +08:00
|
|
|
static int fuse_test_super(struct super_block *sb, struct fs_context *fsc)
|
|
|
|
{
|
2019-03-26 00:38:31 +08:00
|
|
|
|
2021-08-05 11:57:27 +08:00
|
|
|
return fsc->sget_key == get_fuse_conn_super(sb);
|
|
|
|
}
|
|
|
|
|
2021-08-04 19:22:58 +08:00
|
|
|
static int fuse_get_tree(struct fs_context *fsc)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2021-08-04 19:22:58 +08:00
|
|
|
struct fuse_fs_context *ctx = fsc->fs_private;
|
2021-08-05 11:57:27 +08:00
|
|
|
struct fuse_dev *fud;
|
2021-10-21 16:01:39 +08:00
|
|
|
struct fuse_conn *fc;
|
|
|
|
struct fuse_mount *fm;
|
2021-08-05 11:57:27 +08:00
|
|
|
struct super_block *sb;
|
2021-08-05 11:57:27 +08:00
|
|
|
int err;
|
2019-03-26 00:38:31 +08:00
|
|
|
|
2021-10-21 16:01:39 +08:00
|
|
|
fc = kmalloc(sizeof(*fc), GFP_KERNEL);
|
|
|
|
if (!fc)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
fm = kzalloc(sizeof(*fm), GFP_KERNEL);
|
|
|
|
if (!fm) {
|
|
|
|
kfree(fc);
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
fuse_conn_init(fc, fm, fsc->user_ns, &fuse_dev_fiq_ops, NULL);
|
|
|
|
fc->release = fuse_free_conn;
|
|
|
|
|
|
|
|
fsc->s_fs_info = fm;
|
|
|
|
|
2021-08-05 11:57:27 +08:00
|
|
|
if (ctx->fd_present)
|
|
|
|
ctx->file = fget(ctx->fd);
|
2019-03-26 00:38:31 +08:00
|
|
|
|
2021-08-04 19:22:58 +08:00
|
|
|
if (IS_ENABLED(CONFIG_BLOCK) && ctx->is_bdev) {
|
2021-08-05 11:57:27 +08:00
|
|
|
err = get_tree_bdev(fsc, fuse_fill_super);
|
2021-10-21 16:01:39 +08:00
|
|
|
goto out;
|
2021-08-04 19:22:58 +08:00
|
|
|
}
|
2021-08-05 11:57:27 +08:00
|
|
|
/*
|
|
|
|
* While block dev mount can be initialized with a dummy device fd
|
|
|
|
* (found by device name), normal fuse mounts can't
|
|
|
|
*/
|
2021-10-21 16:01:39 +08:00
|
|
|
err = -EINVAL;
|
2021-08-05 11:57:27 +08:00
|
|
|
if (!ctx->file)
|
2021-10-21 16:01:39 +08:00
|
|
|
goto out;
|
2019-03-26 00:38:31 +08:00
|
|
|
|
2021-08-05 11:57:27 +08:00
|
|
|
/*
|
|
|
|
* Allow creating a fuse mount with an already initialized fuse
|
|
|
|
* connection
|
|
|
|
*/
|
|
|
|
fud = READ_ONCE(ctx->file->private_data);
|
|
|
|
if (ctx->file->f_op == &fuse_dev_operations && fud) {
|
|
|
|
fsc->sget_key = fud->fc;
|
|
|
|
sb = sget_fc(fsc, fuse_test_super, fuse_set_no_super);
|
|
|
|
err = PTR_ERR_OR_ZERO(sb);
|
|
|
|
if (!IS_ERR(sb))
|
|
|
|
fsc->root = dget(sb->s_root);
|
|
|
|
} else {
|
|
|
|
err = get_tree_nodev(fsc, fuse_fill_super);
|
|
|
|
}
|
2021-10-21 16:01:39 +08:00
|
|
|
out:
|
|
|
|
if (fsc->s_fs_info)
|
|
|
|
fuse_mount_destroy(fm);
|
2021-08-05 11:57:27 +08:00
|
|
|
if (ctx->file)
|
|
|
|
fput(ctx->file);
|
|
|
|
return err;
|
2019-03-26 00:38:31 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static const struct fs_context_operations fuse_context_ops = {
|
2021-08-04 19:22:58 +08:00
|
|
|
.free = fuse_free_fsc,
|
2019-03-26 00:38:31 +08:00
|
|
|
.parse_param = fuse_parse_param,
|
2020-07-14 20:45:41 +08:00
|
|
|
.reconfigure = fuse_reconfigure,
|
2019-03-26 00:38:31 +08:00
|
|
|
.get_tree = fuse_get_tree,
|
|
|
|
};
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Set up the filesystem mount context.
|
|
|
|
*/
|
2021-08-04 19:22:58 +08:00
|
|
|
static int fuse_init_fs_context(struct fs_context *fsc)
|
2019-03-26 00:38:31 +08:00
|
|
|
{
|
|
|
|
struct fuse_fs_context *ctx;
|
|
|
|
|
|
|
|
ctx = kzalloc(sizeof(struct fuse_fs_context), GFP_KERNEL);
|
|
|
|
if (!ctx)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
ctx->max_read = ~0;
|
|
|
|
ctx->blksize = FUSE_DEFAULT_BLKSIZE;
|
2020-08-20 06:19:45 +08:00
|
|
|
ctx->legacy_opts_show = true;
|
2019-03-26 00:38:31 +08:00
|
|
|
|
|
|
|
#ifdef CONFIG_BLOCK
|
2021-08-04 19:22:58 +08:00
|
|
|
if (fsc->fs_type == &fuseblk_fs_type) {
|
2019-03-26 00:38:31 +08:00
|
|
|
ctx->is_bdev = true;
|
2019-08-29 17:01:20 +08:00
|
|
|
ctx->destroy = true;
|
|
|
|
}
|
2019-03-26 00:38:31 +08:00
|
|
|
#endif
|
|
|
|
|
2021-08-04 19:22:58 +08:00
|
|
|
fsc->fs_private = ctx;
|
|
|
|
fsc->ops = &fuse_context_ops;
|
2019-03-26 00:38:31 +08:00
|
|
|
return 0;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
bool fuse_mount_remove(struct fuse_mount *fm)
|
2009-05-31 23:13:57 +08:00
|
|
|
{
|
2020-05-06 23:44:12 +08:00
|
|
|
struct fuse_conn *fc = fm->fc;
|
|
|
|
bool last = false;
|
2009-05-31 23:13:57 +08:00
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
down_write(&fc->killsb);
|
|
|
|
list_del_init(&fm->fc_entry);
|
|
|
|
if (list_empty(&fc->mounts))
|
|
|
|
last = true;
|
|
|
|
up_write(&fc->killsb);
|
2018-07-26 22:13:11 +08:00
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
return last;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(fuse_mount_remove);
|
2018-07-26 22:13:11 +08:00
|
|
|
|
2020-05-06 23:44:12 +08:00
|
|
|
void fuse_conn_destroy(struct fuse_mount *fm)
|
|
|
|
{
|
|
|
|
struct fuse_conn *fc = fm->fc;
|
|
|
|
|
|
|
|
if (fc->destroy)
|
|
|
|
fuse_send_destroy(fm);
|
|
|
|
|
|
|
|
fuse_abort_conn(fc);
|
|
|
|
fuse_wait_aborted(fc);
|
2020-10-09 18:40:11 +08:00
|
|
|
|
|
|
|
if (!list_empty(&fc->entry)) {
|
|
|
|
mutex_lock(&fuse_mutex);
|
|
|
|
list_del(&fc->entry);
|
|
|
|
fuse_ctl_remove_conn(fc);
|
|
|
|
mutex_unlock(&fuse_mutex);
|
2009-05-31 23:13:57 +08:00
|
|
|
}
|
2018-07-26 22:13:11 +08:00
|
|
|
}
|
2020-05-06 23:44:12 +08:00
|
|
|
EXPORT_SYMBOL_GPL(fuse_conn_destroy);
|
2009-05-31 23:13:57 +08:00
|
|
|
|
2020-11-12 00:22:32 +08:00
|
|
|
static void fuse_sb_destroy(struct super_block *sb)
|
2018-07-26 22:13:11 +08:00
|
|
|
{
|
2020-05-06 23:44:12 +08:00
|
|
|
struct fuse_mount *fm = get_fuse_mount_super(sb);
|
|
|
|
bool last;
|
|
|
|
|
2021-10-21 16:01:38 +08:00
|
|
|
if (sb->s_root) {
|
2020-05-06 23:44:12 +08:00
|
|
|
last = fuse_mount_remove(fm);
|
|
|
|
if (last)
|
|
|
|
fuse_conn_destroy(fm);
|
|
|
|
}
|
2020-11-12 00:22:32 +08:00
|
|
|
}
|
|
|
|
|
2021-10-21 16:01:38 +08:00
|
|
|
void fuse_mount_destroy(struct fuse_mount *fm)
|
|
|
|
{
|
2021-10-21 16:01:39 +08:00
|
|
|
fuse_conn_put(fm->fc);
|
2023-09-28 12:19:39 +08:00
|
|
|
kfree_rcu(fm, rcu);
|
2021-10-21 16:01:38 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(fuse_mount_destroy);
|
|
|
|
|
2020-11-12 00:22:32 +08:00
|
|
|
static void fuse_kill_sb_anon(struct super_block *sb)
|
|
|
|
{
|
|
|
|
fuse_sb_destroy(sb);
|
2009-05-31 23:13:57 +08:00
|
|
|
kill_anon_super(sb);
|
2021-10-21 16:01:38 +08:00
|
|
|
fuse_mount_destroy(get_fuse_mount_super(sb));
|
2009-05-31 23:13:57 +08:00
|
|
|
}
|
|
|
|
|
2006-12-07 12:35:54 +08:00
|
|
|
static struct file_system_type fuse_fs_type = {
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.name = "fuse",
|
2018-05-29 22:04:46 +08:00
|
|
|
.fs_flags = FS_HAS_SUBTYPE | FS_USERNS_MOUNT,
|
2019-03-26 00:38:31 +08:00
|
|
|
.init_fs_context = fuse_init_fs_context,
|
2019-09-07 19:23:15 +08:00
|
|
|
.parameters = fuse_fs_parameters,
|
2009-05-31 23:13:57 +08:00
|
|
|
.kill_sb = fuse_kill_sb_anon,
|
2006-12-07 12:35:54 +08:00
|
|
|
};
|
2013-03-03 11:39:14 +08:00
|
|
|
MODULE_ALIAS_FS("fuse");
|
2006-12-07 12:35:54 +08:00
|
|
|
|
|
|
|
#ifdef CONFIG_BLOCK
|
2009-05-31 23:13:57 +08:00
|
|
|
static void fuse_kill_sb_blk(struct super_block *sb)
|
|
|
|
{
|
2020-11-12 00:22:32 +08:00
|
|
|
fuse_sb_destroy(sb);
|
2009-05-31 23:13:57 +08:00
|
|
|
kill_block_super(sb);
|
2021-10-21 16:01:38 +08:00
|
|
|
fuse_mount_destroy(get_fuse_mount_super(sb));
|
2009-05-31 23:13:57 +08:00
|
|
|
}
|
|
|
|
|
2006-12-07 12:35:44 +08:00
|
|
|
static struct file_system_type fuseblk_fs_type = {
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.name = "fuseblk",
|
2019-03-26 00:38:31 +08:00
|
|
|
.init_fs_context = fuse_init_fs_context,
|
2019-09-07 19:23:15 +08:00
|
|
|
.parameters = fuse_fs_parameters,
|
2009-05-31 23:13:57 +08:00
|
|
|
.kill_sb = fuse_kill_sb_blk,
|
2007-06-17 01:16:05 +08:00
|
|
|
.fs_flags = FS_REQUIRES_DEV | FS_HAS_SUBTYPE,
|
2006-12-07 12:35:44 +08:00
|
|
|
};
|
2013-03-03 11:39:14 +08:00
|
|
|
MODULE_ALIAS_FS("fuseblk");
|
2006-12-07 12:35:44 +08:00
|
|
|
|
2006-12-07 12:35:54 +08:00
|
|
|
static inline int register_fuseblk(void)
|
|
|
|
{
|
|
|
|
return register_filesystem(&fuseblk_fs_type);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void unregister_fuseblk(void)
|
|
|
|
{
|
|
|
|
unregister_filesystem(&fuseblk_fs_type);
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static inline int register_fuseblk(void)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void unregister_fuseblk(void)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2008-07-26 10:45:34 +08:00
|
|
|
static void fuse_inode_init_once(void *foo)
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
{
|
2008-11-26 19:03:54 +08:00
|
|
|
struct inode *inode = foo;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
2007-05-17 13:10:57 +08:00
|
|
|
inode_init_once(inode);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int __init fuse_fs_init(void)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
2006-12-07 12:35:44 +08:00
|
|
|
fuse_inode_cachep = kmem_cache_create("fuse_inode",
|
2017-11-16 09:38:34 +08:00
|
|
|
sizeof(struct fuse_inode), 0,
|
|
|
|
SLAB_HWCACHE_ALIGN|SLAB_ACCOUNT|SLAB_RECLAIM_ACCOUNT,
|
|
|
|
fuse_inode_init_once);
|
2006-12-07 12:35:44 +08:00
|
|
|
err = -ENOMEM;
|
|
|
|
if (!fuse_inode_cachep)
|
2011-12-14 01:25:27 +08:00
|
|
|
goto out;
|
|
|
|
|
|
|
|
err = register_fuseblk();
|
|
|
|
if (err)
|
|
|
|
goto out2;
|
|
|
|
|
|
|
|
err = register_filesystem(&fuse_fs_type);
|
|
|
|
if (err)
|
|
|
|
goto out3;
|
2006-12-07 12:35:44 +08:00
|
|
|
|
|
|
|
return 0;
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
2011-12-14 01:25:27 +08:00
|
|
|
out3:
|
2006-12-07 12:35:54 +08:00
|
|
|
unregister_fuseblk();
|
2011-12-14 01:25:27 +08:00
|
|
|
out2:
|
|
|
|
kmem_cache_destroy(fuse_inode_cachep);
|
2006-12-07 12:35:44 +08:00
|
|
|
out:
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void fuse_fs_cleanup(void)
|
|
|
|
{
|
|
|
|
unregister_filesystem(&fuse_fs_type);
|
2006-12-07 12:35:54 +08:00
|
|
|
unregister_fuseblk();
|
2012-09-26 09:33:07 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Make sure all delayed rcu free inodes are flushed before we
|
|
|
|
* destroy cache.
|
|
|
|
*/
|
|
|
|
rcu_barrier();
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
kmem_cache_destroy(fuse_inode_cachep);
|
|
|
|
}
|
|
|
|
|
2007-10-30 03:13:17 +08:00
|
|
|
static struct kobject *fuse_kobj;
|
|
|
|
|
2006-01-17 14:14:35 +08:00
|
|
|
static int fuse_sysfs_init(void)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
2007-10-30 04:17:23 +08:00
|
|
|
fuse_kobj = kobject_create_and_add("fuse", fs_kobj);
|
2007-10-30 03:13:17 +08:00
|
|
|
if (!fuse_kobj) {
|
|
|
|
err = -ENOMEM;
|
2006-01-17 14:14:35 +08:00
|
|
|
goto out_err;
|
2007-10-30 03:13:17 +08:00
|
|
|
}
|
2006-01-17 14:14:35 +08:00
|
|
|
|
2015-05-14 06:35:41 +08:00
|
|
|
err = sysfs_create_mount_point(fuse_kobj, "connections");
|
|
|
|
if (err)
|
2006-01-17 14:14:35 +08:00
|
|
|
goto out_fuse_unregister;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
out_fuse_unregister:
|
2007-12-21 00:13:05 +08:00
|
|
|
kobject_put(fuse_kobj);
|
2006-01-17 14:14:35 +08:00
|
|
|
out_err:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void fuse_sysfs_cleanup(void)
|
|
|
|
{
|
2015-05-14 06:35:41 +08:00
|
|
|
sysfs_remove_mount_point(fuse_kobj, "connections");
|
2007-12-21 00:13:05 +08:00
|
|
|
kobject_put(fuse_kobj);
|
2006-01-17 14:14:35 +08:00
|
|
|
}
|
|
|
|
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
static int __init fuse_init(void)
|
|
|
|
{
|
|
|
|
int res;
|
|
|
|
|
2019-03-27 17:15:17 +08:00
|
|
|
pr_info("init (API version %i.%i)\n",
|
|
|
|
FUSE_KERNEL_VERSION, FUSE_KERNEL_MINOR_VERSION);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
2006-06-25 20:48:51 +08:00
|
|
|
INIT_LIST_HEAD(&fuse_conn_list);
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
res = fuse_fs_init();
|
|
|
|
if (res)
|
|
|
|
goto err;
|
|
|
|
|
2005-09-10 04:10:27 +08:00
|
|
|
res = fuse_dev_init();
|
|
|
|
if (res)
|
|
|
|
goto err_fs_cleanup;
|
|
|
|
|
2006-01-17 14:14:35 +08:00
|
|
|
res = fuse_sysfs_init();
|
|
|
|
if (res)
|
|
|
|
goto err_dev_cleanup;
|
|
|
|
|
2006-06-25 20:48:51 +08:00
|
|
|
res = fuse_ctl_init();
|
|
|
|
if (res)
|
|
|
|
goto err_sysfs_cleanup;
|
|
|
|
|
2009-08-27 01:17:22 +08:00
|
|
|
sanitize_global_limit(&max_user_bgreq);
|
|
|
|
sanitize_global_limit(&max_user_congthresh);
|
|
|
|
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
return 0;
|
|
|
|
|
2006-06-25 20:48:51 +08:00
|
|
|
err_sysfs_cleanup:
|
|
|
|
fuse_sysfs_cleanup();
|
2006-01-17 14:14:35 +08:00
|
|
|
err_dev_cleanup:
|
|
|
|
fuse_dev_cleanup();
|
2005-09-10 04:10:27 +08:00
|
|
|
err_fs_cleanup:
|
|
|
|
fuse_fs_cleanup();
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
err:
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit fuse_exit(void)
|
|
|
|
{
|
2019-03-27 17:15:17 +08:00
|
|
|
pr_debug("exit\n");
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
|
2006-06-25 20:48:51 +08:00
|
|
|
fuse_ctl_cleanup();
|
2006-01-17 14:14:35 +08:00
|
|
|
fuse_sysfs_cleanup();
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
fuse_fs_cleanup();
|
2005-09-10 04:10:27 +08:00
|
|
|
fuse_dev_cleanup();
|
[PATCH] FUSE - core
This patch adds FUSE core.
This contains the following files:
o inode.c
- superblock operations (alloc_inode, destroy_inode, read_inode,
clear_inode, put_super, show_options)
- registers FUSE filesystem
o fuse_i.h
- private header file
Requirements
============
The most important difference between orinary filesystems and FUSE is
the fact, that the filesystem data/metadata is provided by a userspace
process run with the privileges of the mount "owner" instead of the
kernel, or some remote entity usually running with elevated
privileges.
The security implication of this is that a non-privileged user must
not be able to use this capability to compromise the system. Obvious
requirements arising from this are:
- mount owner should not be able to get elevated privileges with the
help of the mounted filesystem
- mount owner should not be able to induce undesired behavior in
other users' or the super user's processes
- mount owner should not get illegitimate access to information from
other users' and the super user's processes
These are currently ensured with the following constraints:
1) mount is only allowed to directory or file which the mount owner
can modify without limitation (write access + no sticky bit for
directories)
2) nosuid,nodev mount options are forced
3) any process running with fsuid different from the owner is denied
all access to the filesystem
1) and 2) are ensured by the "fusermount" mount utility which is a
setuid root application doing the actual mount operation.
3) is ensured by a check in the permission() method in kernel
I started thinking about doing 3) in a different way because Christoph
H. made a big deal out of it, saying that FUSE is unacceptable into
mainline in this form.
The suggested use of private namespaces would be OK, but in their
current form have many limitations that make their use impractical (as
discussed in this thread).
Suggested improvements that would address these limitations:
- implement shared subtrees
- allow a process to join an existing namespace (make namespaces
first-class objects)
- implement the namespace creation/joining in a PAM module
With all that in place the check of owner against current->fsuid may
be removed from the FUSE kernel module, without compromising the
security requirements.
Suid programs still interesting questions, since they get access even
to the private namespace causing some information leak (exact
order/timing of filesystem operations performed), giving some
ptrace-like capabilities to unprivileged users. BTW this problem is
not strictly limited to the namespace approach, since suid programs
setting fsuid and accessing users' files will succeed with the current
approach too.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-10 04:10:26 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
module_init(fuse_init);
|
|
|
|
module_exit(fuse_exit);
|