dmask: umask applied to directories
fmask: umask applied to non-directories
to get "typical" permission bits for regular files (0644) and directories (0755), a single
umask option is not sufficient (or well, it isn't the way fuse implements it)
there is precident for separate umask and dmask options in other
filesystems (see for example fat: https://github.com/torvalds/linux/tree/master/fs/fat)
this addition should not affect backward-compatibility; the original
umask option retains the same meaning, but non-zero fmask or
dmask will override it.
After reading the file /proc/$PID/task/$PID/status the buffer wasn't
terminated with a null character. This could theoretically lead to buffer
overrun by the subsequent strstr() call.
Since the contents of the proc file are guaranteed to contain the pattern
that strstr is looking for, this doesn't happen in normal situations.
Add null termination for robustness.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
The code `fuse_init_intr_signal` in `_fuse_new_317` is useless
since commit 8ee553dac ("fuse_new(): don't accept options that
don't make sense for end-users") has remove the conf.intr option
for end-users. The conf.intr is always zero (i.e., disabled) here.
Move `fuse_init_intr_signal` after the user-defined `init()` function,
so that conf.intr and conf.intr_signal has been configured by the user.
The variable is not modified exclusively with locks since commit
cef8c8b249 ("Add support for no_interrupt") anymore.
That commit is safe, but might be error prone to future updates.
Changing it to a C11 _Atomic should avoid issues.
The function fuse_session_process_buf_int() would do much things
for FUSE_INTERRUPT requests, even there are no FUSE_INTERRUPT requests:
1. check every non-FUSE_INTERRUPT request and add these requests to the
linked list(se->list) under a big lock(se->lock).
2. the function fuse_free_req() frees every request and remove them from
the linked list(se->list) under a bing lock(se->lock).
These operations are not meaningful when there are no FUSE_INTERRUPT requests,
and have a great impact on the performance of fuse filesystem because the big
lock for each request.
In some cases, FUSE_INTERRUPT requests are infrequent, even none at all.
Besides, the user-defined filesystem may do nothing for FUSE_INTERRUPT requests.
And the kernel side has the option "no_interrupt" in struct fuse_conn. This kernel option
can be enabled by return ENOSYS in libfuse for the reply of FUSE_INTERRUPT request.
But I don't find the code to enable the "no_interrupt" kernel option in libfuse.
So add the no_interrupt support, and when this operaion is enabled:
1. remove the useless locking operaions and list operations.
2. return ENOSYS for the reply of FUSE_INTERRUPT request to inform the kernel to disable
FUSE_INTERRUPT request.
compat.c is supposed to be standalone to provide compat ABI symbols.
Including fuse header files can cause conflicts - just the opposite
of what compat.c was made for.
Add support for filesystem passthrough read/write of files.
When the FUSE_PASSTHROUGH capability is enabled, the FUSE server may
decide, while handling the "open" or "create" requests, if the given
file can be accessed by that process in "passthrough" mode, meaning that
all the further read and write operations would be forwarded by the
kernel directly to the backing file rather than to the FUSE server.
All requests other than read or write are still handled by the server.
This allows for an improved performance on reads and writes, especially
in the case of reads at random offsets, for which no (readahead)
caching mechanism would help, reducing the performance gap between FUSE
and native filesystem access.
Extend also the passthrough_hp example with the new passthrough feature.
This example opens a kernel backing file per FUSE inode on the first
FUSE file open of that inode and closes the backing file on the release
of the last FUSE file on that inode.
All opens of the same inode passthrough to the same backing file.
A combination of fi->direct_io and fi->passthrough is allowed.
It means that read/write operations go directly to the server, but mmap
is done on the backing file.
This allows to open some fds of the inode in passthrough mode and some
fd of the same inode in direct_io/passthrough_mmap mode.
Signed-off-by: Alessio Balsini <balsini@android.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
The API stays the same, the libfuse version comes from
inlined functions, which are defined fuse_lowlevel.h
and fuse.h. As these inlined functions are defined in the header
files they get added into the application, similar as if these
were preprocessor macros.
Macro vs inlined function is then just a style issue - I personally
prefer the latter.
fuse_session_new() -> static inlinei, in the application
_fuse_session_new -> inside of libfuse
fuse_new() -> static inline, in the application
_fuse_new() -> inside of libfuse
Note: Entirely untested is the fuse 30 api - we need a test
for it. And we do not have any ABI tests at all.
Signed-off-by: Bernd Schubert <bernd.schubert@fastmail.fm>
If the file system doesn't provide a ->open or an ->opendir, and the
kernel supports FUSE_CAP_NO_OPEN_SUPPORT or FUSE_CAP_NO_OPENDIR_SUPPORT,
allow the implementation to set FUSE_CAP_NO_OPEN*_SUPPORT on conn->want
in order to automatically get this behavior. Expand the documentation
to be more explicit about the behavior of libfuse in the different cases
WRT this capability.
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Despite the creation of the header file fuse_config.h during LibFUSE
version 3.16.2's Meson build process, the BSD mount_bsd.c file continues to reference config.h. Consequently, this discrepancy results in compilation failures.
FIX : Point the mount_bsd.c to correct header.
Define a new clone_fd() helper for fuse_custom_io, users
can implement their own clone fd logic.
Signed-off-by: Xiaoguang Wang <lege.wang@jaguarmicro.com>
If user updates conn->max_write in fuse_lowlevel_ops' init() method, do_init()
will miss the "conn.max_write > bufsize - FUSE_BUFFER_HEADER_SIZE" judgment,
and ->init method will be called after it, which obviously is a bug.
Signed-off-by: Xiaoguang Wang <lege.wang@jaguarmicro.com>
Co-authored-by: Xiaoguang Wang <lege.wang@jaguarmicro.com>
fixes#235
In fill_dir_plus(), there's a lookup for caching dirent attributes.
However, when offset = 0 the cache metadata from the lookup is lost
as only the entry attributes are passed when added to the list. Kernel
doesn't cache the attributes since .ino = 0.
This change moves the entry lookup to happen just before the relevant
fuse_add_direntry_plus() calls
User may still need to mount same fuse filesystem after umounting
it(In this case, the userspace filesystem server needs to keep live),
and after handling FUSE_DESTROY message, new FUSE_INIT message may come,
so need to reset got_init to be zero.
Signed-off-by: Xiaoguang Wang <lege.wang@jaguarmicro.com>
- This adds a wrapper function for the call sequence
of posix_spawn and posix_spawnp.
- Replaces perror() with fuse_log - the latter
can be redirected through the file system log function
and gives better end user friendly output
- other minor changes, like variable renames
- no functional change
Client code might allocate a lot of memory before starting the mount.
Fork is slow for processes that are using a lot of memory. But
posix_spawn fixes that.
Another issue with fork is if the process is also doing RDMA - this
might lead to data corruption, as least if memory used for RDMA
is not marked with MADV_DONTFORK. At least with linux kernels
before 5.12.
Also see https://blog.nelhage.com/post/a-cursed-bug/ for more details
Change by Bernd:
This also prepares the new fusermount option "--comm-fd", but keeps
the previous way to pass the parameter as env variable. In a future
release (exact data to be determined) we are going to remove usage
of the env variable and will switch to the new parameter.
This implements #651, tested with bindfs.
"x-*" options are comments meant to be interpreted by userspace.
#651 is about some 3rd party mount options like 'x-gvfs-notrash'.
This also removes the test if /etc/mtab is a symlink.
This test was added in commit 5f28cd15ab
and the corresponding ChangeLog entry in this commit points to mount
issues for read-only mtab.
However, in all recent Linux distributions /etc/mtab is a symlink to
/proc/self/mounts and never writable. In fact, util-linux 2.39
(libmount) entirely removed support for a writable mtab.
At least since util-linux 2.19 (10-Feb-2011) /run/mount/utab is used
as replacement for userspace mount entries..
'FUSE_CAP_HANDLE_KILLPRIV' is not enabled by default anymore, as that
would be a sudden security issue introduced by a new ABI and API
compatible libfuse version.
Allowing parallel dir operations could result in a crash in a filesystem
implementation that is not prepared for this.
To be safe keep this flag off by default (this is not a regression, since
there was no public release where this flag wasn't ignored).
If the filesystem wants better performance, then it should set this flag
explicitly.
Fixes: c9905341ea ("Pass FUSE_PARALLEL_DIROPS to kernel (#861)")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
This is not called FUSE_CAP_DIRECT_IO_RELAX, as the kernel flag
FUSE_DIRECT_IO_RELAX is supposed to be renamed to
FUSE_DIRECT_IO_ALLOW_MMAP. The corresponding kernel patches just
did not land yet.
This tells the kernel that parallel lookup/readdir operations are
supported. This is enabled by default but was not passed to the kernel
so you always get the synchronized version.
Since open(2) has been called with O_CLOEXEC flag if defined.
Signed-off-by: Xiaoguang Wang <lege.wang@jaguarmicro.com>
Co-authored-by: Xiaoguang Wang <lege.wang@jaguarmicro.com>
This fixes issue https://github.com/libfuse/libfuse/issues/810
and should avoid mold linking errors.
Commit d4e294b removed made fuse_register_module() a static
function, but forgot to remove it from the version script.
Commit fe4f942 introduced copy_file_range to libfuse and
added the non-exiting (neither declared nor defined) function
fuse_reply_copy_file_range() to the version script. Kernel
side just exects an integer reply how much was copied, using
fuse_reply_write() as in fuse_lib_copy_file_range() is sufficient
and no extra function is needed.
Co-authored-by: Bernd Schubert <bschubert@ddn.com>
The filesystem daemon is responsible for implementing eg. st_atime updates, so passing
options like relatime to the kernel results in them being silently ignored. Instead, such
options need to be interpreted (and filtered out) by the filesystem daemon.
Added a secondary check in fuse_lib_unlink() after hide_node()
to check again under a lock if the (now hidden) file is still open.
If not then delete it.
This should synchronise fuse_lib_unlink() with fuse_lib_release(),
when nullpath_ok is set.
Previously, in the high level API if we received a signal between
setting up signal handlers and processing INIT, we would leak
```
$ ./example/hello -s -d -f mountpoint/
[9/9] Linking target example/hello_ll
FUSE library version: 3.14.1
nullpath_ok: 0
=================================================================
==178330==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 352 byte(s) in 1 object(s) allocated from:
#0 0x7fbb19abf411 in __interceptor_calloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x7fbb1a0efd3b in fuse_fs_new ../lib/fuse.c:4814
#2 0x7fbb1a0f02b5 in fuse_new_31 ../lib/fuse.c:4913
#3 0x7fbb1a10ec5e in fuse_main_real ../lib/helper.c:345
#4 0x5625db8ab418 in main ../example/hello.c:176
#5 0x7fbb1983c78f (/usr/lib/libc.so.6+0x2378f)
SUMMARY: AddressSanitizer: 352 byte(s) leaked in 1 allocation(s).
```
That's because `fuse_lowlevel.c`s `fuse_session_destroy` would only call
the user supplied `op.destroy`, if INIT had been processed, but the high
level API relied on `op.destroy` to free `f->fs`.
This patch moves the freeing into `fuse_destroy` that will always be
called by our high-level API.
* Fuse mount: make auto_unmount compatible with suid/dev mount options
> When you run as root, fuse normally does not call fusermount but uses
> the mount system call directly. When you specify auto_unmount, it goes
> through fusermount instead. However, fusermount is a setuid binary that
> is normally called by regular users, so it cannot in general accept suid
> or dev options.
In this patch, we split up how fuse mounts as root when `auto_unmount`
is specified.
First, we mount using system calls directly, then we reach out to
fusermount to set up auto_unmount only (with no actual mounting done in
fusermount).
Fixes: #148
This syncs fuse_kernel.h to <linux-6.3>/include/uapi/linux/fuse.h
Special handling is done for setxattr as in linux commit
52a4c95f4d24b struct fuse_setxattr_in was extended. Extended
struct is only used when FUSE_SETXATTR_EXT is passed in FUSE_INIT
reply.
When building, I get the following warning:
```bash
$ ninja
[18/71] Compiling C object lib/libfuse3.so.3.14.1.p/modules_iconv.c.o
../lib/modules/iconv.c: In function ‘iconv_convpath’:
../lib/modules/iconv.c:85:38: warning: pointer ‘newpath’ may be used after ‘realloc’ [-Wuse-after-free]
85 | p = tmp + (p - newpath);
| ~~~^~~~~~~~~~
../lib/modules/iconv.c:80:31: note: call to ‘realloc’ here
80 | tmp = realloc(newpath, newpathlen + 1);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[71/71] Linking target example/passthrough_hp
```
It's a false positive, I thinks. But it's also easy to silence this
warning with a small refactor.
The fuse_main_real() method doesn't apply the max_threads parameter
parsed through the commandline arguments. This commit fixes the wiring
of max_threads argument.
Right now fuse kernel serializes direct writes on the
same file. This serialization is good for such FUSE
implementations which rely on the inode lock to
avoid any data inconsistency issues but it hurts badly
such FUSE implementations which have their own mechanism
of dealing with cache/data integrity and can handle
parallel direct writes on the same file.
This patch allows parallel direct writes on the same file to be
enabled with the help of a flag FOPEN_PARALLEL_DIRECT_WRITES.
FUSE implementations which want to use this feature can
set this flag during fuse init. Default behaviour remains
same i.e no parallel direct writes on the same file.
Corresponding fuse kernel patch(Merged).
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.2&id=153524053bbb0d27bb2e0be36d1b46862e9ce74c
If a program with API before 312 did not set
max_idle_threads the new default from
fuse_parse_cmdline_312() is applied, which sets
UINT_MAX (-1).
Later in compat fuse_session_loop_mt_32 the old
config v1 struct is converted and that conversion
prints a warning if the default unset value was used.
This could have also happened to programs using the current
API, which just apply values struct fuse_cmdline_opts,
without checking if the defaults are set.
Such as for the xfstest-dev's generic/684 test case it will clear
suid and sgid if the fallocate request is commited by an unprivileged
user.
The kernel fuse passed the ATTR_KILL_SUID/ATTR_KILL_SGID flags to
userspace but it will be dropped.
Signed-off-by: Xiubo Li <xiubli@redhat.com>
This addresses https://github.com/libfuse/libfuse/issues/729
commit db35a37def introduced a public
config.h (rename to fuse_config.h to avoid conflicts) that
was installed with the package and included by libfuse users
through fuse_common.h. Probablem is that this file does not have
unique defines so that they are unique to libfuse - on including
the file conflicts with libfuse users came up.
In principle all defines could be prefixed, but then most of them
are internal for libfuse compilation only. So this splits out
publically required defines to a new file 'libfuse_config.h'
and changes back to include of "fuse_config.h" only when
HAVE_LIBFUSE_PRIVATE_CONFIG_H is defined.
This also renames HAVE_LIBC_VERSIONED_SYMBOLS to
LIBFUSE_BUILT_WITH_VERSIONED_SYMBOLS, as it actually
better explains for libfuse users what that variable
is for.
This addresses: https://github.com/libfuse/libfuse/issues/724
HAVE_LIBC_VERSIONED_SYMBOLS configures the library if to use
versioned symbols and is set at meson configuration time.
External filesystems (the main target, actually)
include fuse headers and the preprocessor
then acts on HAVE_LIBC_VERSIONED_SYMBOLS. Problem was now that
'config.h' was not distributed with libfuse and so
HAVE_LIBC_VERSIONED_SYMBOLS was never defined with external
tools and the preprocessor did the wrong decision.
This commit also increases the the minimal meson version,
as this depends on meson feature only available in 0.50
<quote 'meson' >
WARNING: Project specifies a minimum meson_
version '>= 0.42' but uses features which were added
in newer versions:
* 0.50.0: {'install arg in configure_file'}
</quote>
Additionally the config file has been renamed to "fuse_config.h"
to avoid clashes - 'config.h' is not very specific.
