[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 15/25] virtiofsd: use /proc/self/fd/ O_PATH file descriptor
From: |
Dr. David Alan Gilbert (git) |
Subject: |
[PATCH 15/25] virtiofsd: use /proc/self/fd/ O_PATH file descriptor |
Date: |
Thu, 24 Oct 2019 12:27:08 +0100 |
From: Stefan Hajnoczi <address@hidden>
Sandboxing will remove /proc from the mount namespace so we can no
longer build string paths into "/proc/self/fd/...".
Keep an O_PATH file descriptor so we can still re-open fds via
/proc/self/fd.
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
contrib/virtiofsd/passthrough_ll.c | 128 +++++++++++++++++++++++------
1 file changed, 101 insertions(+), 27 deletions(-)
diff --git a/contrib/virtiofsd/passthrough_ll.c
b/contrib/virtiofsd/passthrough_ll.c
index cb01e3f088..3ddf22d162 100644
--- a/contrib/virtiofsd/passthrough_ll.c
+++ b/contrib/virtiofsd/passthrough_ll.c
@@ -110,6 +110,9 @@ struct lo_data {
struct lo_map ino_map; /* protected by lo->mutex */
struct lo_map dirp_map; /* protected by lo->mutex */
struct lo_map fd_map; /* protected by lo->mutex */
+
+ /* An O_PATH file descriptor to /proc/self/fd/ */
+ int proc_self_fd;
};
static const struct fuse_opt lo_opts[] = {
@@ -378,9 +381,9 @@ static int lo_parent_and_name(struct lo_data *lo, struct
lo_inode *inode,
int res;
retry:
- sprintf(procname, "/proc/self/fd/%i", inode->fd);
+ sprintf(procname, "%i", inode->fd);
- res = readlink(procname, path, PATH_MAX);
+ res = readlinkat(lo->proc_self_fd, procname, path, PATH_MAX);
if (res < 0) {
fuse_log(FUSE_LOG_WARNING, "lo_parent_and_name: readlink
failed: %m\n");
goto fail_noretry;
@@ -465,9 +468,9 @@ static int utimensat_empty(struct lo_data *lo, struct
lo_inode *inode,
}
return res;
}
- sprintf(path, "/proc/self/fd/%i", inode->fd);
+ sprintf(path, "%i", inode->fd);
- return utimensat(AT_FDCWD, path, tv, 0);
+ return utimensat(lo->proc_self_fd, path, tv, 0);
fallback:
res = lo_parent_and_name(lo, inode, path, &parent);
@@ -521,8 +524,9 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino,
struct stat *attr,
if (fi) {
res = fchmod(fd, attr->st_mode);
} else {
- sprintf(procname, "/proc/self/fd/%i", ifd);
- res = chmod(procname, attr->st_mode);
+ sprintf(procname, "%i", ifd);
+ res = fchmodat(lo->proc_self_fd, procname,
+ attr->st_mode, 0);
}
if (res == -1)
goto out_err;
@@ -539,11 +543,23 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino,
struct stat *attr,
goto out_err;
}
if (valid & FUSE_SET_ATTR_SIZE) {
+ int truncfd;
+
if (fi) {
- res = ftruncate(fd, attr->st_size);
+ truncfd = fd;
} else {
- sprintf(procname, "/proc/self/fd/%i", ifd);
- res = truncate(procname, attr->st_size);
+ sprintf(procname, "%i", ifd);
+ truncfd = openat(lo->proc_self_fd, procname, O_RDWR);
+ if (truncfd < 0) {
+ goto out_err;
+ }
+ }
+
+ res = ftruncate(truncfd, attr->st_size);
+ if (!fi) {
+ saverr = errno;
+ close(truncfd);
+ errno = saverr;
}
if (res == -1)
goto out_err;
@@ -825,9 +841,9 @@ static int linkat_empty_nofollow(struct lo_data *lo, struct
lo_inode *inode,
return res;
}
- sprintf(path, "/proc/self/fd/%i", inode->fd);
+ sprintf(path, "%i", inode->fd);
- return linkat(AT_FDCWD, path, dfd, name, AT_SYMLINK_FOLLOW);
+ return linkat(lo->proc_self_fd, path, dfd, name, AT_SYMLINK_FOLLOW);
fallback:
res = lo_parent_and_name(lo, inode, path, &parent);
@@ -1325,8 +1341,8 @@ static void lo_open(fuse_req_t req, fuse_ino_t ino,
struct fuse_file_info *fi)
if (lo->writeback && (fi->flags & O_APPEND))
fi->flags &= ~O_APPEND;
- sprintf(buf, "/proc/self/fd/%i", lo_fd(req, ino));
- fd = open(buf, fi->flags & ~O_NOFOLLOW);
+ sprintf(buf, "%i", lo_fd(req, ino));
+ fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
if (fd == -1)
return (void) fuse_reply_err(req, errno);
@@ -1375,8 +1391,8 @@ static void lo_flush(fuse_req_t req, fuse_ino_t ino,
struct fuse_file_info *fi)
static void lo_fsync(fuse_req_t req, fuse_ino_t ino, int datasync,
struct fuse_file_info *fi)
{
+ struct lo_data *lo = lo_data(req);
int res;
- (void) ino;
int fd;
char *buf;
@@ -1384,11 +1400,11 @@ static void lo_fsync(fuse_req_t req, fuse_ino_t ino,
int datasync,
(void *)fi);
if (!fi) {
- res = asprintf(&buf, "/proc/self/fd/%i", lo_fd(req, ino));
+ res = asprintf(&buf, "%i", lo_fd(req, ino));
if (res == -1)
return (void) fuse_reply_err(req, errno);
- fd = open(buf, O_RDWR);
+ fd = openat(lo->proc_self_fd, buf, O_RDWR);
free(buf);
if (fd == -1)
return (void) fuse_reply_err(req, errno);
@@ -1493,11 +1509,13 @@ static void lo_flock(fuse_req_t req, fuse_ino_t ino,
struct fuse_file_info *fi,
static void lo_getxattr(fuse_req_t req, fuse_ino_t ino, const char *name,
size_t size)
{
+ struct lo_data *lo = lo_data(req);
char *value = NULL;
char procname[64];
struct lo_inode *inode;
ssize_t ret;
int saverr;
+ int fd = -1;
inode = lo_inode(req, ino);
if (!inode) {
@@ -1520,14 +1538,18 @@ static void lo_getxattr(fuse_req_t req, fuse_ino_t ino,
const char *name,
goto out;
}
- sprintf(procname, "/proc/self/fd/%i", inode->fd);
+ sprintf(procname, "%i", inode->fd);
+ fd = openat(lo->proc_self_fd, procname, O_RDONLY);
+ if (fd < 0) {
+ goto out_err;
+ }
if (size) {
value = malloc(size);
if (!value)
goto out_err;
- ret = getxattr(procname, name, value, size);
+ ret = fgetxattr(fd, name, value, size);
if (ret == -1)
goto out_err;
saverr = 0;
@@ -1536,7 +1558,7 @@ static void lo_getxattr(fuse_req_t req, fuse_ino_t ino,
const char *name,
fuse_reply_buf(req, value, ret);
} else {
- ret = getxattr(procname, name, NULL, 0);
+ ret = fgetxattr(fd, name, NULL, 0);
if (ret == -1)
goto out_err;
@@ -1544,6 +1566,10 @@ static void lo_getxattr(fuse_req_t req, fuse_ino_t ino,
const char *name,
}
out_free:
free(value);
+
+ if (fd >= 0) {
+ close(fd);
+ }
return;
out_err:
@@ -1555,11 +1581,13 @@ out:
static void lo_listxattr(fuse_req_t req, fuse_ino_t ino, size_t size)
{
+ struct lo_data *lo = lo_data(req);
char *value = NULL;
char procname[64];
struct lo_inode *inode;
ssize_t ret;
int saverr;
+ int fd = -1;
inode = lo_inode(req, ino);
if (!inode) {
@@ -1582,14 +1610,18 @@ static void lo_listxattr(fuse_req_t req, fuse_ino_t
ino, size_t size)
goto out;
}
- sprintf(procname, "/proc/self/fd/%i", inode->fd);
+ sprintf(procname, "%i", inode->fd);
+ fd = openat(lo->proc_self_fd, procname, O_RDONLY);
+ if (fd < 0) {
+ goto out_err;
+ }
if (size) {
value = malloc(size);
if (!value)
goto out_err;
- ret = listxattr(procname, value, size);
+ ret = flistxattr(fd, value, size);
if (ret == -1)
goto out_err;
saverr = 0;
@@ -1598,7 +1630,7 @@ static void lo_listxattr(fuse_req_t req, fuse_ino_t ino,
size_t size)
fuse_reply_buf(req, value, ret);
} else {
- ret = listxattr(procname, NULL, 0);
+ ret = flistxattr(fd, NULL, 0);
if (ret == -1)
goto out_err;
@@ -1606,6 +1638,10 @@ static void lo_listxattr(fuse_req_t req, fuse_ino_t ino,
size_t size)
}
out_free:
free(value);
+
+ if (fd >= 0) {
+ close(fd);
+ }
return;
out_err:
@@ -1619,9 +1655,11 @@ static void lo_setxattr(fuse_req_t req, fuse_ino_t ino,
const char *name,
const char *value, size_t size, int flags)
{
char procname[64];
+ struct lo_data *lo = lo_data(req);
struct lo_inode *inode;
ssize_t ret;
int saverr;
+ int fd = -1;
inode = lo_inode(req, ino);
if (!inode) {
@@ -1644,21 +1682,31 @@ static void lo_setxattr(fuse_req_t req, fuse_ino_t ino,
const char *name,
goto out;
}
- sprintf(procname, "/proc/self/fd/%i", inode->fd);
+ sprintf(procname, "%i", inode->fd);
+ fd = openat(lo->proc_self_fd, procname, O_RDWR);
+ if (fd < 0) {
+ saverr = errno;
+ goto out;
+ }
- ret = setxattr(procname, name, value, size, flags);
+ ret = fsetxattr(fd, name, value, size, flags);
saverr = ret == -1 ? errno : 0;
out:
+ if (fd >= 0) {
+ close(fd);
+ }
fuse_reply_err(req, saverr);
}
static void lo_removexattr(fuse_req_t req, fuse_ino_t ino, const char *name)
{
char procname[64];
+ struct lo_data *lo = lo_data(req);
struct lo_inode *inode;
ssize_t ret;
int saverr;
+ int fd = -1;
inode = lo_inode(req, ino);
if (!inode) {
@@ -1681,12 +1729,20 @@ static void lo_removexattr(fuse_req_t req, fuse_ino_t
ino, const char *name)
goto out;
}
- sprintf(procname, "/proc/self/fd/%i", inode->fd);
+ sprintf(procname, "%i", inode->fd);
+ fd = openat(lo->proc_self_fd, procname, O_RDWR);
+ if (fd < 0) {
+ saverr = errno;
+ goto out;
+ }
- ret = removexattr(procname, name);
+ ret = fremovexattr(fd, name);
saverr = ret == -1 ? errno : 0;
out:
+ if (fd >= 0) {
+ close(fd);
+ }
fuse_reply_err(req, saverr);
}
@@ -1765,13 +1821,24 @@ static void print_capabilities(void)
printf("}\n");
}
+static void setup_proc_self_fd(struct lo_data *lo)
+{
+ lo->proc_self_fd = open("/proc/self/fd", O_PATH);
+ if (lo->proc_self_fd == -1) {
+ fuse_log(FUSE_LOG_ERR, "open(/proc/self/fd, O_PATH): %m\n");
+ exit(1);
+ }
+}
+
int main(int argc, char *argv[])
{
struct fuse_args args = FUSE_ARGS_INIT(argc, argv);
struct fuse_session *se;
struct fuse_cmdline_opts opts;
struct lo_data lo = { .debug = 0,
- .writeback = 0 };
+ .writeback = 0,
+ .proc_self_fd = -1,
+ };
struct lo_map_elem *root_elem;
int ret = -1;
@@ -1878,6 +1945,9 @@ int main(int argc, char *argv[])
fuse_daemonize(opts.foreground);
+ /* Must be after daemonize to get the right /proc/self/fd */
+ setup_proc_self_fd(&lo);
+
/* Block until ctrl+c or fusermount -u */
ret = virtio_loop(se);
@@ -1893,6 +1963,10 @@ err_out1:
lo_map_destroy(&lo.dirp_map);
lo_map_destroy(&lo.ino_map);
+ if (lo.proc_self_fd >= 0) {
+ close(lo.proc_self_fd);
+ }
+
if (lo.root.fd >= 0)
close(lo.root.fd);
--
2.23.0
- [PATCH 04/25] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers, (continued)
- [PATCH 04/25] virtiofsd: passthrough_ll: add dirp_map to hide lo_dirp pointers, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 03/25] virtiofsd: passthrough_ll: add ino_map to hide lo_inode pointers, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 05/25] virtiofsd: passthrough_ll: add fd_map to hide file descriptors, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 07/25] virtiofsd: validate path components, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 06/25] virtiofsd: passthrough_ll: add fallback for racy ops, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 08/25] virtiofsd: Plumb fuse_bufvec through to do_write_buf, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 09/25] virtiofsd: Pass write iov's all the way through, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 10/25] virtiofsd: add fuse_mbuf_iter API, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 11/25] virtiofsd: validate input buffer sizes in do_write_buf(), Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 12/25] virtiofsd: check input buffer size in fuse_lowlevel.c ops, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 15/25] virtiofsd: use /proc/self/fd/ O_PATH file descriptor,
Dr. David Alan Gilbert (git) <=
- [PATCH 13/25] virtiofsd: prevent ".." escape in lo_do_lookup(), Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 14/25] virtiofsd: prevent ".." escape in lo_do_readdir(), Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 16/25] virtiofsd: sandbox mount namespace, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 17/25] virtiofsd: move to an empty network namespace, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 18/25] virtiofsd: move to a new pid namespace, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 19/25] virtiofsd: add seccomp whitelist, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 20/25] virtiofsd: Parse flag FUSE_WRITE_KILL_PRIV, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 21/25] virtiofsd: Drop CAP_FSETID if client asked for it, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 22/25] virtiofsd: set maximum RLIMIT_NOFILE limit, Dr. David Alan Gilbert (git), 2019/10/24
- [PATCH 23/25] virtiofsd: add security guide document, Dr. David Alan Gilbert (git), 2019/10/24