From nobody Mon May 13 17:39:20 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1702479862285830.1039449212188; Wed, 13 Dec 2023 07:04:22 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 1D293173C; Wed, 13 Dec 2023 10:04:21 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 46AAE1913; Wed, 13 Dec 2023 09:51:48 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id E50EC1816; Wed, 13 Dec 2023 09:50:57 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id EA69E17D3 for ; Wed, 13 Dec 2023 09:50:30 -0500 (EST) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-682-xcK_NVdIPAeTlm6ZcSkpsQ-1; Wed, 13 Dec 2023 09:50:21 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B5D378350E6 for ; Wed, 13 Dec 2023 14:50:20 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.45.224.157]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1C57A2026D66 for ; Wed, 13 Dec 2023 14:50:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: xcK_NVdIPAeTlm6ZcSkpsQ-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: devel@lists.libvirt.org Subject: [libvirt PATCHv2 1/9] conf: move idmap definition earlier Date: Wed, 13 Dec 2023 15:47:17 +0100 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: I3SNTFE4UK7YIN6BITHO2L46VZHNPJAY X-Message-ID-Hash: I3SNTFE4UK7YIN6BITHO2L46VZHNPJAY X-MailFrom: jtomko@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1702479864582100001 It will be reused for as well. Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/conf/domain_conf.h | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index ed07859bc5..5a93ee0aee 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -765,6 +765,20 @@ struct _virDomainControllerDef { virDomainVirtioOptions *virtio; }; =20 +struct _virDomainIdMapEntry { + unsigned int start; + unsigned int target; + unsigned int count; +}; + +struct _virDomainIdMapDef { + size_t nuidmap; + virDomainIdMapEntry *uidmap; + + size_t ngidmap; + virDomainIdMapEntry *gidmap; +}; + =20 /* Types of disk backends */ typedef enum { @@ -2671,20 +2685,6 @@ virDomainMemoryDef *virDomainMemoryDefNew(virDomainM= emoryModel model); void virDomainMemoryDefFree(virDomainMemoryDef *def); G_DEFINE_AUTOPTR_CLEANUP_FUNC(virDomainMemoryDef, virDomainMemoryDefFree); =20 -struct _virDomainIdMapEntry { - unsigned int start; - unsigned int target; - unsigned int count; -}; - -struct _virDomainIdMapDef { - size_t nuidmap; - virDomainIdMapEntry *uidmap; - - size_t ngidmap; - virDomainIdMapEntry *gidmap; -}; - =20 typedef enum { VIR_DOMAIN_PANIC_MODEL_DEFAULT, --=20 2.42.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon May 13 17:39:20 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1702479220420916.442733566512; Wed, 13 Dec 2023 06:53:40 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 61DCF187C; Wed, 13 Dec 2023 09:53:39 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 8081C1789; Wed, 13 Dec 2023 09:50:39 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id DBBCE178B; Wed, 13 Dec 2023 09:50:24 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id D781E177E for ; Wed, 13 Dec 2023 09:50:23 -0500 (EST) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-695-tMV_MtQ5Pfe4O7no5fzTTg-1; Wed, 13 Dec 2023 09:50:22 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id BBBA229ABA13 for ; Wed, 13 Dec 2023 14:50:21 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.45.224.157]) by smtp.corp.redhat.com (Postfix) with ESMTP id 21A8A2026D6F for ; Wed, 13 Dec 2023 14:50:20 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: tMV_MtQ5Pfe4O7no5fzTTg-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: devel@lists.libvirt.org Subject: [libvirt PATCHv2 2/9] conf: move idmap parsing earlier Date: Wed, 13 Dec 2023 15:47:18 +0100 Message-ID: <1863131849a61ed8ba991af5f7f3223f28500bf8.1702478845.git.jtomko@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: LT5HAXAVJMM76AWXI4WR6JH5U3DTNSUF X-Message-ID-Hash: LT5HAXAVJMM76AWXI4WR6JH5U3DTNSUF X-MailFrom: jtomko@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1702479221263100001 It will be reused for as well. Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/conf/domain_conf.c | 102 +++++++++++++++++++++-------------------- 1 file changed, 52 insertions(+), 50 deletions(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 22ad43e1d7..a70a1f29f2 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -8582,6 +8582,58 @@ virDomainNetGenerateMAC(virDomainXMLOption *xmlopt, } =20 =20 +static int virDomainIdMapEntrySort(const void *a, + const void *b, + void *opaque G_GNUC_UNUSED) +{ + const virDomainIdMapEntry *entrya =3D a; + const virDomainIdMapEntry *entryb =3D b; + + if (entrya->start > entryb->start) + return 1; + else if (entrya->start < entryb->start) + return -1; + else + return 0; +} + + +/* Parse the XML definition for user namespace id map. + * + * idmap has the form of + * + * + * + */ +static virDomainIdMapEntry * +virDomainIdmapDefParseXML(xmlXPathContextPtr ctxt, + xmlNodePtr *node, + size_t num) +{ + size_t i; + virDomainIdMapEntry *idmap =3D NULL; + VIR_XPATH_NODE_AUTORESTORE(ctxt) + + idmap =3D g_new0(virDomainIdMapEntry, num); + + for (i =3D 0; i < num; i++) { + ctxt->node =3D node[i]; + if (virXPathUInt("string(./@start)", ctxt, &idmap[i].start) < 0 || + virXPathUInt("string(./@target)", ctxt, &idmap[i].target) < 0 = || + virXPathUInt("string(./@count)", ctxt, &idmap[i].count) < 0) { + virReportError(VIR_ERR_XML_ERROR, "%s", + _("invalid idmap start/target/count settings")); + VIR_FREE(idmap); + return NULL; + } + } + + g_qsort_with_data(idmap, num, sizeof(idmap[0]), virDomainIdMapEntrySor= t, NULL); + + return idmap; +} + + static virDomainFSDef * virDomainFSDefParseXML(virDomainXMLOption *xmlopt, xmlNodePtr node, @@ -15742,56 +15794,6 @@ virDomainDefParseBootXML(xmlXPathContextPtr ctxt, } =20 =20 -static int virDomainIdMapEntrySort(const void *a, - const void *b, - void *opaque G_GNUC_UNUSED) -{ - const virDomainIdMapEntry *entrya =3D a; - const virDomainIdMapEntry *entryb =3D b; - - if (entrya->start > entryb->start) - return 1; - else if (entrya->start < entryb->start) - return -1; - else - return 0; -} - -/* Parse the XML definition for user namespace id map. - * - * idmap has the form of - * - * - * - */ -static virDomainIdMapEntry * -virDomainIdmapDefParseXML(xmlXPathContextPtr ctxt, - xmlNodePtr *node, - size_t num) -{ - size_t i; - virDomainIdMapEntry *idmap =3D NULL; - VIR_XPATH_NODE_AUTORESTORE(ctxt) - - idmap =3D g_new0(virDomainIdMapEntry, num); - - for (i =3D 0; i < num; i++) { - ctxt->node =3D node[i]; - if (virXPathUInt("string(./@start)", ctxt, &idmap[i].start) < 0 || - virXPathUInt("string(./@target)", ctxt, &idmap[i].target) < 0 = || - virXPathUInt("string(./@count)", ctxt, &idmap[i].count) < 0) { - virReportError(VIR_ERR_XML_ERROR, "%s", - _("invalid idmap start/target/count settings")); - VIR_FREE(idmap); - return NULL; - } - } - - g_qsort_with_data(idmap, num, sizeof(idmap[0]), virDomainIdMapEntrySor= t, NULL); - - return idmap; -} - /* Parse the XML definition for an IOThread ID * * Format is : --=20 2.42.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon May 13 17:39:20 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1702479332596363.5632793794607; Wed, 13 Dec 2023 06:55:32 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 70AD01855; Wed, 13 Dec 2023 09:55:31 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id E592117D7; Wed, 13 Dec 2023 09:50:48 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id 2A953178F; Wed, 13 Dec 2023 09:50:26 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id F156C1789 for ; Wed, 13 Dec 2023 09:50:24 -0500 (EST) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-13-ArskQ5jJN1GH44lJ0PbTHQ-1; Wed, 13 Dec 2023 09:50:22 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 92A9629ABA13 for ; Wed, 13 Dec 2023 14:50:22 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.45.224.157]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0D20C2026D66 for ; Wed, 13 Dec 2023 14:50:21 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: ArskQ5jJN1GH44lJ0PbTHQ-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: devel@lists.libvirt.org Subject: [libvirt PATCHv2 3/9] conf: add idmap element to filesystem Date: Wed, 13 Dec 2023 15:47:19 +0100 Message-ID: <3e52f15fc6bd774cd4e8f8b13a1076bbd7427a95.1702478845.git.jtomko@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: NHIZ2LDR5YOZDSXVJR65WNU77DP3YIFZ X-Message-ID-Hash: NHIZ2LDR5YOZDSXVJR65WNU77DP3YIFZ X-MailFrom: jtomko@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1702479333830100001 Allow the user to manually tweak the ID mapping that will allow virtiofsd to run unprivileged. Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- docs/formatdomain.rst | 8 +++ src/conf/domain_conf.c | 50 +++++++++++++++++++ src/conf/domain_conf.h | 1 + src/conf/schemas/domaincommon.rng | 3 ++ .../vhost-user-fs-fd-memory.xml | 4 ++ 5 files changed, 66 insertions(+) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 310d2bc427..96e03a3807 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -3548,6 +3548,10 @@ A directory on the host that can be accessed directl= y from the guest. + + + + @@ -3697,6 +3701,10 @@ A directory on the host that can be accessed directl= y from the guest. Where the ``source`` can be accessed in the guest. For most drivers thi= s is an automatic mount point, but for QEMU/KVM this is merely an arbitrary = string tag that is exported to the guest as a hint for where to mount. +``idmap`` + For ``virtiofs``, an ``idmap`` element can be specified to map IDs in t= he user + namespace. See the `Container boot`_ section for the syntax of the elem= ent. + :since:`Since 10.0.0` ``readonly`` Enables exporting filesystem as a readonly mount for guest, by default read-write access is given (currently only works for QEMU/KVM driver; n= ot diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index a70a1f29f2..58a985fc5d 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -2588,6 +2588,8 @@ void virDomainFSDefFree(virDomainFSDef *def) virObjectUnref(def->privateData); g_free(def->binary); g_free(def->sock); + g_free(def->idmap.uidmap); + g_free(def->idmap.gidmap); =20 g_free(def); } @@ -8771,6 +8773,9 @@ virDomainFSDefParseXML(virDomainXMLOption *xmlopt, xmlNodePtr binary_lock_node =3D virXPathNode("./binary/lock", ctxt= ); xmlNodePtr binary_cache_node =3D virXPathNode("./binary/cache", ct= xt); xmlNodePtr binary_sandbox_node =3D virXPathNode("./binary/sandbox"= , ctxt); + ssize_t n; + g_autofree xmlNodePtr *uid_nodes =3D NULL; + g_autofree xmlNodePtr *gid_nodes =3D NULL; =20 if (queue_size && virStrToLong_ull(queue_size, NULL, 10, &def->que= ue_size) < 0) { virReportError(VIR_ERR_XML_ERROR, @@ -8816,6 +8821,28 @@ virDomainFSDefParseXML(virDomainXMLOption *xmlopt, VIR_XML_PROP_NONZERO, &def->sandbox) < 0) goto error; + + if ((n =3D virXPathNodeSet("./idmap/uid", ctxt, &uid_nodes)) < 0) + return NULL; + + if (n) { + def->idmap.uidmap =3D virDomainIdmapDefParseXML(ctxt, uid_node= s, n); + if (!def->idmap.uidmap) + return NULL; + + def->idmap.nuidmap =3D n; + } + + if ((n =3D virXPathNodeSet("./idmap/gid", ctxt, &gid_nodes)) < 0) + return NULL; + + if (n) { + def->idmap.gidmap =3D virDomainIdmapDefParseXML(ctxt, gid_node= s, n); + if (!def->idmap.gidmap) + return NULL; + + def->idmap.ngidmap =3D n; + } } =20 if (source =3D=3D NULL && def->type !=3D VIR_DOMAIN_FS_TYPE_RAM @@ -23233,6 +23260,29 @@ virDomainFSDefFormat(virBuffer *buf, virXMLFormatElement(buf, "driver", &driverAttrBuf, &driverBuf); virXMLFormatElement(buf, "binary", &binaryAttrBuf, &binaryBuf); =20 + if (def->idmap.uidmap) { + size_t i; + + virBufferAddLit(buf, "\n"); + virBufferAdjustIndent(buf, 2); + for (i =3D 0; i < def->idmap.nuidmap; i++) { + virBufferAsprintf(buf, + "\n", + def->idmap.uidmap[i].start, + def->idmap.uidmap[i].target, + def->idmap.uidmap[i].count); + } + for (i =3D 0; i < def->idmap.ngidmap; i++) { + virBufferAsprintf(buf, + "\n", + def->idmap.gidmap[i].start, + def->idmap.gidmap[i].target, + def->idmap.gidmap[i].count); + } + virBufferAdjustIndent(buf, -2); + virBufferAddLit(buf, "\n"); + } + switch (def->type) { case VIR_DOMAIN_FS_TYPE_MOUNT: case VIR_DOMAIN_FS_TYPE_BIND: diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 5a93ee0aee..0c5e2636e1 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -888,6 +888,7 @@ struct _virDomainFSDef { virTristateSwitch flock; virDomainFSSandboxMode sandbox; int thread_pool_size; + virDomainIdMapDef idmap; virDomainVirtioOptions *virtio; virObject *privateData; }; diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincom= mon.rng index b98a2ae602..f318c06797 100644 --- a/src/conf/schemas/domaincommon.rng +++ b/src/conf/schemas/domaincommon.rng @@ -3120,6 +3120,9 @@ + + + diff --git a/tests/qemuxml2argvdata/vhost-user-fs-fd-memory.xml b/tests/qem= uxml2argvdata/vhost-user-fs-fd-memory.xml index 81de8c0dd7..1d0bc26c46 100644 --- a/tests/qemuxml2argvdata/vhost-user-fs-fd-memory.xml +++ b/tests/qemuxml2argvdata/vhost-user-fs-fd-memory.xml @@ -34,6 +34,10 @@ + + + +
--=20 2.42.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon May 13 17:39:20 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 170247941116086.59971049072419; Wed, 13 Dec 2023 06:56:51 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 0CE17188A; Wed, 13 Dec 2023 09:56:50 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 42BB41822; Wed, 13 Dec 2023 09:50:59 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id 5794317AD; Wed, 13 Dec 2023 09:50:27 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 77007177E for ; Wed, 13 Dec 2023 09:50:25 -0500 (EST) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-395-bmAp9u8FNXmtNn8chQg30Q-1; Wed, 13 Dec 2023 09:50:23 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 7C9E93C0274B for ; Wed, 13 Dec 2023 14:50:23 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.45.224.157]) by smtp.corp.redhat.com (Postfix) with ESMTP id DA3142026D6F for ; Wed, 13 Dec 2023 14:50:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: bmAp9u8FNXmtNn8chQg30Q-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: devel@lists.libvirt.org Subject: [libvirt PATCHv2 4/9] qemu: format uid/gid map for virtiofs Date: Wed, 13 Dec 2023 15:47:20 +0100 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: ANZKSLXHUPPT364W33O2W7645XFPZ5HG X-Message-ID-Hash: ANZKSLXHUPPT364W33O2W7645XFPZ5HG X-MailFrom: jtomko@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1702479411531100001 Pass the ID map to virtiofsd, which will run the suid `newuidmap` binary for us. Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/qemu/qemu_virtiofs.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c index 230f85c291..af51d58673 100644 --- a/src/qemu/qemu_virtiofs.c +++ b/src/qemu/qemu_virtiofs.c @@ -131,6 +131,7 @@ qemuVirtioFSBuildCommandLine(virQEMUDriverConfig *cfg, { g_autoptr(virCommand) cmd =3D NULL; g_auto(virBuffer) opts =3D VIR_BUFFER_INITIALIZER; + size_t i =3D 4; =20 cmd =3D virCommandNew(fs->binary); =20 @@ -169,6 +170,20 @@ qemuVirtioFSBuildCommandLine(virQEMUDriverConfig *cfg, if (cfg->virtiofsdDebug) virCommandAddArg(cmd, "-d"); =20 + for (i =3D 0; i < fs->idmap.nuidmap; i++) { + virCommandAddArgFormat(cmd, "--uid-map=3D:%u:%u:%u:", + fs->idmap.uidmap[i].start, + fs->idmap.uidmap[i].target, + fs->idmap.uidmap[i].count); + } + + for (i =3D 0; i < fs->idmap.ngidmap; i++) { + virCommandAddArgFormat(cmd, "--gid-map=3D:%u:%u:%u:", + fs->idmap.gidmap[i].start, + fs->idmap.gidmap[i].target, + fs->idmap.gidmap[i].count); + } + return g_steal_pointer(&cmd); } =20 --=20 2.42.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon May 13 17:39:20 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1702479531701454.87896688491276; Wed, 13 Dec 2023 06:58:51 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 8528A18E4; Wed, 13 Dec 2023 09:58:50 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 416FD17E3; Wed, 13 Dec 2023 09:51:11 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id 4E8D217BC; Wed, 13 Dec 2023 09:50:29 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 2FDB31789 for ; Wed, 13 Dec 2023 09:50:26 -0500 (EST) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-139-AmG0-XlsNd60EXy28TiDsw-1; Wed, 13 Dec 2023 09:50:24 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4F690185A782 for ; Wed, 13 Dec 2023 14:50:24 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.45.224.157]) by smtp.corp.redhat.com (Postfix) with ESMTP id C72FA2026D66 for ; Wed, 13 Dec 2023 14:50:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: AmG0-XlsNd60EXy28TiDsw-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: devel@lists.libvirt.org Subject: [libvirt PATCHv2 5/9] qemu: virtiofs: do not force UID 0 Date: Wed, 13 Dec 2023 15:47:21 +0100 Message-ID: <6bdadd7b6a3d56d532491e0095efb1970e13afef.1702478845.git.jtomko@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: HPAZH5C6CDJSK6RSSFMTLBI7Q6MXAPOF X-Message-ID-Hash: HPAZH5C6CDJSK6RSSFMTLBI7Q6MXAPOF X-MailFrom: jtomko@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1702479532014100001 When this check was introduced, virtiofsd required root privileges. This has changed since then - now it does not need to set up all the sandboxing when running as non-root. It even gained support for id mapping, which makes running unprivileged even more useful. Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/qemu/qemu_virtiofs.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c index af51d58673..4dacd37a1c 100644 --- a/src/qemu/qemu_virtiofs.c +++ b/src/qemu/qemu_virtiofs.c @@ -257,10 +257,6 @@ qemuVirtioFSStart(virQEMUDriver *driver, if (!(cmd =3D qemuVirtioFSBuildCommandLine(cfg, fs, &fd))) goto error; =20 - /* so far only running as root is supported */ - virCommandSetUID(cmd, 0); - virCommandSetGID(cmd, 0); - virCommandSetPidFile(cmd, pidfile); virCommandSetOutputFD(cmd, &logfd); virCommandSetErrorFD(cmd, &logfd); --=20 2.42.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon May 13 17:39:20 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1702479608338500.3902427500627; Wed, 13 Dec 2023 07:00:08 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 4597817BB; Wed, 13 Dec 2023 10:00:07 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 8543F18FA; Wed, 13 Dec 2023 09:51:19 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id D53A617D0; Wed, 13 Dec 2023 09:50:48 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 0D6A217AA for ; Wed, 13 Dec 2023 09:50:27 -0500 (EST) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-507-PY2Sg7oyOVyxZb8mk6ogFg-1; Wed, 13 Dec 2023 09:50:25 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 3D18A3C02747 for ; Wed, 13 Dec 2023 14:50:25 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.45.224.157]) by smtp.corp.redhat.com (Postfix) with ESMTP id B0E022026D66 for ; Wed, 13 Dec 2023 14:50:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: PY2Sg7oyOVyxZb8mk6ogFg-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: devel@lists.libvirt.org Subject: [libvirt PATCHv2 6/9] qemu: allow running virtiofsd in session mode Date: Wed, 13 Dec 2023 15:47:22 +0100 Message-ID: <5c0f98af80a44c5d81aaf4ed7527e449997b42ad.1702478845.git.jtomko@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: VZXISMHSI7J2KOMZD4Z7Z4ZPVUGPSCZP X-Message-ID-Hash: VZXISMHSI7J2KOMZD4Z7Z4ZPVUGPSCZP X-MailFrom: jtomko@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1702479610640100001 https://gitlab.com/libvirt/libvirt/-/issues/535 Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/qemu/qemu_validate.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c index e475ad035e..9e50c2f45b 100644 --- a/src/qemu/qemu_validate.c +++ b/src/qemu/qemu_validate.c @@ -4256,7 +4256,7 @@ qemuValidateDomainDeviceDefGraphics(const virDomainGr= aphicsDef *graphics, static int qemuValidateDomainDeviceDefFS(virDomainFSDef *fs, const virDomainDef *def, - virQEMUDriver *driver, + virQEMUDriver *driver G_GNUC_UNUSED, virQEMUCaps *qemuCaps) { if (fs->type !=3D VIR_DOMAIN_FS_TYPE_MOUNT) { @@ -4320,11 +4320,6 @@ qemuValidateDomainDeviceDefFS(virDomainFSDef *fs, _("virtiofs does not yet support read-only = mode")); return -1; } - if (!driver->privileged) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("virtiofs is not yet supported in session= mode")); - return -1; - } if (fs->accessmode !=3D VIR_DOMAIN_FS_ACCESSMODE_PASSTHROUGH) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("virtiofs only supports passthrough acces= smode")); --=20 2.42.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon May 13 17:39:20 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1702479708618202.78236009957425; Wed, 13 Dec 2023 07:01:48 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 4E88E194F; Wed, 13 Dec 2023 10:01:47 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id D02631902; Wed, 13 Dec 2023 09:51:29 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id B4CCF177E; Wed, 13 Dec 2023 09:50:53 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 0C5F417B2 for ; Wed, 13 Dec 2023 09:50:28 -0500 (EST) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-363-T0ig9vewOQOb2es11p9LSQ-1; Wed, 13 Dec 2023 09:50:26 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 298AD1C05EAB for ; Wed, 13 Dec 2023 14:50:26 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.45.224.157]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9D7932026D66 for ; Wed, 13 Dec 2023 14:50:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: T0ig9vewOQOb2es11p9LSQ-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: devel@lists.libvirt.org Subject: [libvirt PATCHv2 7/9] util: add virGetSubUIDs Date: Wed, 13 Dec 2023 15:47:23 +0100 Message-ID: <89003e730006f7c7fcdb0a0db8a392983bd90267.1702478845.git.jtomko@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: 6GU4FDVNUZSGDELMKTZDOPPR5N5P7EAA X-Message-ID-Hash: 6GU4FDVNUZSGDELMKTZDOPPR5N5P7EAA X-MailFrom: jtomko@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1702479709065100001 A function for parsing /etc/sub[ug]id Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 2 ++ src/util/virutil.c | 70 ++++++++++++++++++++++++++++++++++++ src/util/virutil.h | 12 +++++++ tests/utiltest.c | 33 +++++++++++++++++ tests/virutiltestdata/subuid | 4 +++ 5 files changed, 121 insertions(+) create mode 100644 tests/virutiltestdata/subuid diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 553b01b8c0..20f34d72b5 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -3640,6 +3640,7 @@ virGetHostname; virGetHostnameQuiet; virGetPassword; virGetSelfLastChanged; +virGetSubIDs; virGetSystemPageSize; virGetSystemPageSizeKB; virGetUserCacheDirectory; @@ -3670,6 +3671,7 @@ virSetNonBlock; virSetSockReuseAddr; virSetUIDGID; virSetUIDGIDWithCaps; +virSubIDsFree; virUpdateSelfLastChanged; virValidateWWN; virWaitForDevices; diff --git a/src/util/virutil.c b/src/util/virutil.c index 17d65ad834..369e0bc4dc 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c @@ -738,6 +738,76 @@ virGetUserIDByName(const char *name, uid_t *uid, bool = missing_ok) return ret; } =20 +void +virSubIDsFree(virSubID **uids, size_t n) +{ + size_t i; + + for (i =3D 0; i < n; i++) { + if ((*uids)[i].idstr) + g_free((*uids)[i].idstr); + } + g_clear_pointer(uids, g_free); +} + +int +virGetSubIDs(virSubID **retval, const char *file) +{ + g_autofree char *buf =3D NULL; + g_auto(GStrv) lines =3D NULL; + virSubID *entries =3D NULL; + size_t i =3D 0; + size_t len; + int ret =3D -1; + + *retval =3D NULL; + + if (virFileReadAll(file, BUFSIZ, &buf) < 0) + return -1; + + lines =3D g_strsplit(buf, "\n", 0); + if (!lines) + return -1; + + len =3D g_strv_length(lines); + entries =3D g_new0(virSubID, len); + + for (i =3D 0; i < len; i++) { + g_auto(GStrv) fields =3D NULL; + unsigned long ulong_id; + + fields =3D g_strsplit(lines[i], ":", 0); + if (!fields) + goto cleanup; + + if (g_strv_length(fields) !=3D 3) + break; + + if (g_ascii_isdigit(fields[0][0])) { + if (virStrToLong_ul(fields[0], NULL, 10, &ulong_id) < 0) + goto cleanup; + entries[i].id =3D ulong_id; + } else { + entries[i].idstr =3D g_strdup(fields[0]); + } + + if (virStrToLong_ul(fields[1], NULL, 10, &ulong_id) < 0) + goto cleanup; + entries[i].start =3D ulong_id; + + if (virStrToLong_ul(fields[2], NULL, 10, &ulong_id) < 0) + goto cleanup; + entries[i].range =3D ulong_id; + } + + *retval =3D g_steal_pointer(&entries); + ret =3D i; + cleanup: + if (entries) + virSubIDsFree(&entries, len); + return ret; +} + /* Try to match a user id based on `user`. The default behavior is to parse * `user` first as a user name and then as a user id. However if `user` * contains a leading '+', the rest of the string is always parsed as a ui= d. diff --git a/src/util/virutil.h b/src/util/virutil.h index ab8511bf8d..3bac15d02b 100644 --- a/src/util/virutil.h +++ b/src/util/virutil.h @@ -102,6 +102,18 @@ char *virGetUserName(uid_t uid) G_NO_INLINE; char *virGetGroupName(gid_t gid) G_NO_INLINE; int virGetGroupList(uid_t uid, gid_t group, gid_t **groups) ATTRIBUTE_NONNULL(3); + +typedef struct _virSubID { + uid_t id; + char *idstr; + uid_t start; + uid_t range; +} virSubID; + +int virGetSubIDs(virSubID **ret, const char *file); +void virSubIDsFree(virSubID **uids, size_t n); + + int virGetUserID(const char *name, uid_t *uid) G_GNUC_WARN_UNUSED_RESULT; int virGetGroupID(const char *name, diff --git a/tests/utiltest.c b/tests/utiltest.c index 5930557c08..b30bfbed70 100644 --- a/tests/utiltest.c +++ b/tests/utiltest.c @@ -377,6 +377,38 @@ testKernelCmdlineMatchParam(const void *data G_GNUC_UN= USED) } =20 =20 +static int +testGetSubIDs(const void *data G_GNUC_UNUSED) +{ + g_autofree char *subuid_file =3D g_strdup_printf("%s/virutiltestdata/s= ubuid", abs_srcdir); + virSubID *subids =3D NULL; + int len =3D 0; + int ret =3D -1; + + if ((len =3D virGetSubIDs(&subids, subuid_file)) < 0) { + VIR_TEST_DEBUG("virGetSubIDs failed"); + goto cleanup; + } + + if (len !=3D 4) { + VIR_TEST_DEBUG("virGetSubIDs returned %d (expected 4)", len); + goto cleanup; + } + + if (STRNEQ(subids[0].idstr, "joe")) { + VIR_TEST_DEBUG("virGetSubIDs returned wrong name for entry 0: '%s'= ", NULLSTR(subids[0].idstr)); + goto cleanup; + } + + ret =3D 0; + + cleanup: + if (len >=3D 0) + virSubIDsFree(&subids, len); + return ret; +} + + static int mymain(void) { @@ -400,6 +432,7 @@ mymain(void) DO_TEST(OverflowCheckMacro); DO_TEST(KernelCmdlineNextParam); DO_TEST(KernelCmdlineMatchParam); + DO_TEST(GetSubIDs); =20 return result =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; } diff --git a/tests/virutiltestdata/subuid b/tests/virutiltestdata/subuid new file mode 100644 index 0000000000..c873c0e3bf --- /dev/null +++ b/tests/virutiltestdata/subuid @@ -0,0 +1,4 @@ +joe:100000:65535 +bob:300000:65535 +1024:400000:65535 +alice:200000:65535 --=20 2.42.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon May 13 17:39:20 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1702479796674148.40299497430385; Wed, 13 Dec 2023 07:03:16 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id 569A0178C; Wed, 13 Dec 2023 10:03:15 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id F320818C7; Wed, 13 Dec 2023 09:51:39 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id E9F0017B2; Wed, 13 Dec 2023 09:50:54 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 26F4117BE for ; Wed, 13 Dec 2023 09:50:29 -0500 (EST) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-147-kWR3OQOVOpyrEa1RV_sViA-1; Wed, 13 Dec 2023 09:50:27 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 16DB41018AA2 for ; Wed, 13 Dec 2023 14:50:27 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.45.224.157]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8A7092026D66 for ; Wed, 13 Dec 2023 14:50:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: kWR3OQOVOpyrEa1RV_sViA-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: devel@lists.libvirt.org Subject: [libvirt PATCHv2 8/9] qemu: virtiofs: auto-fill idmap for unprivileged use Date: Wed, 13 Dec 2023 15:47:24 +0100 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: XYAPMRPEALC7ZYPDY4WVB43X3MWV5NFC X-Message-ID-Hash: XYAPMRPEALC7ZYPDY4WVB43X3MWV5NFC X-MailFrom: jtomko@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1702479798015100001 If the user did not specify any uid mapping, map its own user ID to ID 0 inside the container and the rest of the IDs to the first found user's authorized range in /etc/sub[ug]id https://issues.redhat.com/browse/RHEL-7386 https://gitlab.com/libvirt/libvirt/-/issues/535 Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- src/qemu/qemu_virtiofs.c | 76 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 74 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c index 4dacd37a1c..d539d0a192 100644 --- a/src/qemu/qemu_virtiofs.c +++ b/src/qemu/qemu_virtiofs.c @@ -369,12 +369,84 @@ qemuVirtioFSSetupCgroup(virDomainObj *vm, return 0; } =20 +static int +qemuVirtioFSPrepareIdMap(virDomainFSDef *fs) +{ + g_autofree char *username =3D NULL; + g_autofree char *groupname =3D NULL; + virSubID *subuids =3D NULL; + virSubID *subgids =3D NULL; + uid_t euid =3D geteuid(); + uid_t egid =3D getegid(); + int subuidlen =3D 0; + int subgidlen =3D 0; + size_t i; + + username =3D virGetUserName(euid); + groupname =3D virGetGroupName(egid); + + fs->idmap.uidmap =3D g_new0(virDomainIdMapEntry, 2); + fs->idmap.gidmap =3D g_new0(virDomainIdMapEntry, 2); + + if ((subuidlen =3D virGetSubIDs(&subuids, "/etc/subuid")) < 0) + return -1; + + fs->idmap.uidmap[0].start =3D 0; + fs->idmap.uidmap[0].target =3D euid; + fs->idmap.uidmap[0].count =3D 1; + fs->idmap.nuidmap =3D 1; + + for (i =3D 0; i < subuidlen; i++) { + if ((subuids[i].idstr && STREQ(subuids[i].idstr, username)) || + subuids[i].id =3D=3D euid) { + fs->idmap.uidmap[1].start =3D 1; + fs->idmap.uidmap[1].target =3D subuids[i].start; + fs->idmap.uidmap[1].count =3D subuids[i].range; + fs->idmap.nuidmap++; + break; + } + } + + virSubIDsFree(&subuids, subuidlen); + + if ((subgidlen =3D virGetSubIDs(&subgids, "/etc/subgid")) < 0) + return -1; + + fs->idmap.gidmap[0].start =3D 0; + fs->idmap.gidmap[0].target =3D getegid(); + fs->idmap.gidmap[0].count =3D 1; + fs->idmap.ngidmap =3D 1; + + for (i =3D 0; i < subgidlen; i++) { + if ((subgids[i].idstr && STREQ(subgids[i].idstr, groupname)) || + subgids[i].id =3D=3D egid) { + fs->idmap.gidmap[1].start =3D 1; + fs->idmap.gidmap[1].target =3D subgids[i].start; + fs->idmap.gidmap[1].count =3D subgids[i].range; + fs->idmap.ngidmap++; + break; + } + } + + virSubIDsFree(&subgids, subgidlen); + + return 0; +} + int qemuVirtioFSPrepareDomain(virQEMUDriver *driver, virDomainFSDef *fs) { - if (fs->binary || fs->sock) + if (fs->sock) return 0; =20 - return qemuVhostUserFillDomainFS(driver, fs); + if (!fs->binary && qemuVhostUserFillDomainFS(driver, fs) < 0) + return -1; + + if (!driver->privileged && !fs->idmap.uidmap) { + if (qemuVirtioFSPrepareIdMap(fs) < 0) + return -1; + } + + return 0; } --=20 2.42.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon May 13 17:39:20 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1702479952920772.210183002614; Wed, 13 Dec 2023 07:05:52 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id DCAFA53F; Wed, 13 Dec 2023 10:05:51 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id E94971825; Wed, 13 Dec 2023 09:51:57 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id 82F5C17B1; Wed, 13 Dec 2023 09:51:01 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id EA72117D5 for ; Wed, 13 Dec 2023 09:50:30 -0500 (EST) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-378-7h3G2_xiPAyryflaBG06TA-1; Wed, 13 Dec 2023 09:50:28 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1C48D8350E4 for ; Wed, 13 Dec 2023 14:50:28 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.45.224.157]) by smtp.corp.redhat.com (Postfix) with ESMTP id 76E952026D66 for ; Wed, 13 Dec 2023 14:50:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: 7h3G2_xiPAyryflaBG06TA-1 From: =?UTF-8?q?J=C3=A1n=20Tomko?= To: devel@lists.libvirt.org Subject: [libvirt PATCHv2 9/9] docs: virtiofs: add section about ID remapping Date: Wed, 13 Dec 2023 15:47:25 +0100 Message-ID: <3c0a5ed36e0d30664325e14ec19494adedab6e59.1702478845.git.jtomko@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.4 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: FHSIHEFZB2OWF2AB4DZNBISEOJ3K77WD X-Message-ID-Hash: FHSIHEFZB2OWF2AB4DZNBISEOJ3K77WD X-MailFrom: jtomko@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1702479953301100001 Signed-off-by: J=C3=A1n Tomko Reviewed-by: Michal Privoznik --- docs/kbase/virtiofs.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/kbase/virtiofs.rst b/docs/kbase/virtiofs.rst index 5940092db5..457c15da7f 100644 --- a/docs/kbase/virtiofs.rst +++ b/docs/kbase/virtiofs.rst @@ -59,6 +59,25 @@ Sharing a host directory with a guest =20 Note: this requires virtiofs support in the guest kernel (Linux v5.4 or= later) =20 +Running unprivileged +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +In unprivileged mode (``qemu:///session``), mapping user/group IDs is avai= lable +(since libvirt version 10.0.0). The root user (ID 0) in the guest will be = mapped +to the current user on the host. + +The rest of the IDs will be mapped to the subordinate user IDs specified +in `/etc/subuid`: + +:: + + $ cat /etc/subuid + jtomko:100000:65536 + $ cat /etc/subgid + jtomko:100000:65536 + +To manually tweak the user ID mapping, the `idmap` element can be used. + Optional parameters =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 --=20 2.42.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org