docs/formatdomain.rst | 4 ++++ docs/schemas/domaincommon.rng | 12 ++++++++++ src/conf/domain_conf.c | 23 +++++++++++++++++++ src/conf/domain_conf.h | 10 ++++++++ src/libvirt_private.syms | 1 + src/qemu/qemu_virtiofs.c | 2 ++ .../vhost-user-fs-fd-memory.xml | 1 + 7 files changed, 53 insertions(+)
Add a new XML element
<filesystem>
<binary>
<sandbox mode='chroot|namespace'/>
</binary>
</filesystem>
Which maps to `virtiofsd -o sandbox=chroot|namespace`, which was added
in qemu 5.2.0:
https://git.qemu.org/?p=qemu.git;a=commit;h=06844584b62a43384642f7243b0fc01c9fff0fc7
Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
docs/formatdomain.rst | 4 ++++
docs/schemas/domaincommon.rng | 12 ++++++++++
src/conf/domain_conf.c | 23 +++++++++++++++++++
src/conf/domain_conf.h | 10 ++++++++
src/libvirt_private.syms | 1 +
src/qemu/qemu_virtiofs.c | 2 ++
.../vhost-user-fs-fd-memory.xml | 1 +
7 files changed, 53 insertions(+)
diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 9392c80113..9dda39dbcb 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -3234,6 +3234,7 @@ A directory on the host that can be accessed directly from the guest.
<driver type='virtiofs' queue='1024'/>
<binary path='/usr/libexec/virtiofsd' xattr='on'>
<cache mode='always'/>
+ <sandbox mode='namespace'/>
<lock posix='on' flock='on'/>
</binary>
<source dir='/path'/>
@@ -3358,6 +3359,9 @@ A directory on the host that can be accessed directly from the guest.
``cache`` element, possible ``mode`` values being ``none`` and ``always``.
Locking can be controlled via the ``lock`` element - attributes ``posix`` and
``flock`` both accepting values ``on`` or ``off``. ( :since:`Since 6.2.0` )
+ The sandboxing method used by virtiofsd can be configured with the ``sandbox``
+ element, possible ``mode`` values being ``namespace`` and
+ ``chroot``. ( :since:`Since 7.2.0` )
``source``
The resource on the host that is being accessed in the guest. The ``name``
attribute must be used with ``type='template'``, and the ``dir`` attribute
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 1dbfc68f18..6404ebf210 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -2960,6 +2960,18 @@
</optional>
</element>
</optional>
+ <optional>
+ <element name="sandbox">
+ <optional>
+ <attribute name="mode">
+ <choice>
+ <value>namespace</value>
+ <value>chroot</value>
+ </choice>
+ </attribute>
+ </optional>
+ </element>
+ </optional>
<optional>
<element name="lock">
<optional>
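Review bot: The `mode` attribute is wrapped in its own `<optional>`, so a bare `<sandbox/>` validates against the schema even though it selects nothing. Judging from the parser hunk in src/conf/domain_conf.c, which reads `string(./binary/sandbox/@mode)` and only acts when a value comes back, such an element would presumably be accepted and then dropped when the XML is formatted again. For a setting that chooses how the daemon is isolated, it would be clearer to make the attribute mandatory by removing the inner `<optional>` around `<attribute name="mode">`, so an incomplete element is rejected at validation time. The enclosing element definition starts and ends outside this hunk.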
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index b0eba9f7bd..70a900ee25 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -538,6 +538,13 @@ VIR_ENUM_IMPL(virDomainFSCacheMode,
"always",
);
+VIR_ENUM_IMPL(virDomainFSSandboxMode,
+ VIR_DOMAIN_FS_SANDBOX_MODE_LAST,
+ "default",
+ "namespace",
+ "chroot",
+);
+
VIR_ENUM_IMPL(virDomainNet,
VIR_DOMAIN_NET_TYPE_LAST,
@@ -10373,6 +10380,7 @@ virDomainFSDefParseXML(virDomainXMLOptionPtr xmlopt,
g_autofree char *binary = virXPathString("string(./binary/@path)", ctxt);
g_autofree char *xattr = virXPathString("string(./binary/@xattr)", ctxt);
g_autofree char *cache = virXPathString("string(./binary/cache/@mode)", ctxt);
+ g_autofree char *sandbox = virXPathString("string(./binary/sandbox/@mode)", ctxt);
g_autofree char *posix_lock = virXPathString("string(./binary/lock/@posix)", ctxt);
g_autofree char *flock = virXPathString("string(./binary/lock/@flock)", ctxt);
int val;
@@ -10406,6 +10414,16 @@ virDomainFSDefParseXML(virDomainXMLOptionPtr xmlopt,
def->cache = val;
}
+ if (sandbox) {
+ if ((val = virDomainFSSandboxModeTypeFromString(sandbox)) <= 0) {
+ virReportError(VIR_ERR_XML_ERROR,
+ _("cannot parse sandbox mode '%s' for virtiofs"),
+ sandbox);
+ goto error;
+ }
+ def->sandbox = val;
+ }
+
if (posix_lock) {
if ((val = virTristateSwitchTypeFromString(posix_lock)) <= 0) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
@@ -25483,6 +25501,11 @@ virDomainFSDefFormat(virBufferPtr buf,
virDomainFSCacheModeTypeToString(def->cache));
}
+ if (def->sandbox != VIR_DOMAIN_FS_SANDBOX_MODE_DEFAULT) {
+ virBufferAsprintf(&binaryBuf, "<sandbox mode='%s'/>\n",
+ virDomainFSSandboxModeTypeToString(def->sandbox));
+ }
+
if (def->posix_lock != VIR_TRISTATE_SWITCH_ABSENT) {
virBufferAsprintf(&lockAttrBuf, " posix='%s'",
virTristateSwitchTypeToString(def->posix_lock));
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 0b8895bbdf..d77b04847b 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -846,6 +846,14 @@ typedef enum {
VIR_DOMAIN_FS_CACHE_MODE_LAST
} virDomainFSCacheMode;
+typedef enum {
+ VIR_DOMAIN_FS_SANDBOX_MODE_DEFAULT = 0,
+ VIR_DOMAIN_FS_SANDBOX_MODE_NAMESPACE,
+ VIR_DOMAIN_FS_SANDBOX_MODE_CHROOT,
+
+ VIR_DOMAIN_FS_SANDBOX_MODE_LAST
+} virDomainFSSandboxMode;
+
struct _virDomainFSDef {
int type;
int fsdriver; /* enum virDomainFSDriverType */
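Review bot: The new enum carries no comments, and `VIR_DOMAIN_FS_SANDBOX_MODE_DEFAULT` in particular reads as if it were a selectable mode. From the other hunks it is the "element absent" state: the parser rejects any value `<= 0`, the formatter skips it, and qemuVirtioFSBuildCommandLine then emits no `sandbox=` option, which leaves the choice to virtiofsd. I would annotate it, e.g. `VIR_DOMAIN_FS_SANDBOX_MODE_DEFAULT = 0, /* no <sandbox> element; virtiofsd picks its own default */`. A one-line comment on NAMESPACE and CHROOT would also help, since this field decides how the host-side daemon is confined.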
@@ -870,6 +878,7 @@ struct _virDomainFSDef {
virDomainFSCacheMode cache;
virTristateSwitch posix_lock;
virTristateSwitch flock;
+ virDomainFSSandboxMode sandbox;
virDomainVirtioOptionsPtr virtio;
virObjectPtr privateData;
};
@@ -3800,6 +3809,7 @@ VIR_ENUM_DECL(virDomainFSAccessMode);
VIR_ENUM_DECL(virDomainFSWrpolicy);
VIR_ENUM_DECL(virDomainFSModel);
VIR_ENUM_DECL(virDomainFSCacheMode);
+VIR_ENUM_DECL(virDomainFSSandboxMode);
VIR_ENUM_DECL(virDomainNet);
VIR_ENUM_DECL(virDomainNetBackend);
VIR_ENUM_DECL(virDomainNetVirtioTxMode);
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index cb9fe7c80a..04b2bc9dcd 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -414,6 +414,7 @@ virDomainFSDriverTypeToString;
virDomainFSIndexByName;
virDomainFSInsert;
virDomainFSRemove;
+virDomainFSSandboxModeTypeToString;
virDomainFSTypeFromString;
virDomainFSTypeToString;
virDomainFSWrpolicyTypeFromString;
diff --git a/src/qemu/qemu_virtiofs.c b/src/qemu/qemu_virtiofs.c
index 2e239cad66..988b757d6f 100644
--- a/src/qemu/qemu_virtiofs.c
+++ b/src/qemu/qemu_virtiofs.c
@@ -131,6 +131,8 @@ qemuVirtioFSBuildCommandLine(virQEMUDriverConfigPtr cfg,
virQEMUBuildBufferEscapeComma(&opts, fs->src->path);
if (fs->cache)
virBufferAsprintf(&opts, ",cache=%s", virDomainFSCacheModeTypeToString(fs->cache));
+ if (fs->sandbox)
+ virBufferAsprintf(&opts, ",sandbox=%s", virDomainFSSandboxModeTypeToString(fs->sandbox));
if (fs->xattr == VIR_TRISTATE_SWITCH_ON)
virBufferAddLit(&opts, ",xattr");
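Review bot: `,sandbox=%s` is appended whenever `fs->sandbox` is set, with no check that the configured virtiofsd binary understands the option. The commit message says `sandbox=` only exists since qemu 5.2.0, so an older virtiofsd would presumably fail at start-up with an unknown-option error instead of libvirt reporting an unsupported configuration. If no capability probe for virtiofsd is available, a comment here would at least record the requirement, e.g. `/* sandbox= needs virtiofsd from QEMU >= 5.2.0 */`. A comparison against `VIR_DOMAIN_FS_SANDBOX_MODE_DEFAULT`, as the formatter in domain_conf.c uses, would also read more clearly than the bare truth test. qemuVirtioFSBuildCommandLine continues outside this hunk.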
diff --git a/tests/qemuxml2argvdata/vhost-user-fs-fd-memory.xml b/tests/qemuxml2argvdata/vhost-user-fs-fd-memory.xml
index 2277850c2c..abddf0870b 100644
--- a/tests/qemuxml2argvdata/vhost-user-fs-fd-memory.xml
+++ b/tests/qemuxml2argvdata/vhost-user-fs-fd-memory.xml
@@ -30,6 +30,7 @@
<driver type='virtiofs' queue='1024'/>
<binary path='/usr/libexec/virtiofsd' xattr='on'>
<cache mode='always'/>
+ <sandbox mode='chroot'/>
<lock posix='off' flock='off'/>
</binary>
<source dir='/path'/>
--
2.30.2
On Fri, Mar 26, 2021 at 11:37:48 -0400, Cole Robinson wrote:
> Add a new XML element
>
> <filesystem>
> <binary>
> <sandbox mode='chroot|namespace'/>
> </binary>
> </filesystem>
>
> Which maps to `virtiofsd -o sandbox=chroot|namespace`, which was added
> in qemu 5.2.0:
>
> https://git.qemu.org/?p=qemu.git;a=commit;h=06844584b62a43384642f7243b0fc01c9fff0fc7
>
> Signed-off-by: Cole Robinson <crobinso@redhat.com>
> ---
> docs/formatdomain.rst | 4 ++++
> docs/schemas/domaincommon.rng | 12 ++++++++++
> src/conf/domain_conf.c | 23 +++++++++++++++++++
> src/conf/domain_conf.h | 10 ++++++++
> src/libvirt_private.syms | 1 +
> src/qemu/qemu_virtiofs.c | 2 ++
> .../vhost-user-fs-fd-memory.xml | 1 +
> 7 files changed, 53 insertions(+)
Please split the commit, as is usual for libvirt patches.
Also a test case modifying any of the .args files in qemuxml2argv test
is missing.
>
> diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> index 9392c80113..9dda39dbcb 100644
> --- a/docs/formatdomain.rst
> +++ b/docs/formatdomain.rst
> @@ -3234,6 +3234,7 @@ A directory on the host that can be accessed directly from the guest.
> <driver type='virtiofs' queue='1024'/>
> <binary path='/usr/libexec/virtiofsd' xattr='on'>
> <cache mode='always'/>
> + <sandbox mode='namespace'/>
> <lock posix='on' flock='on'/>
> </binary>
> <source dir='/path'/>
> @@ -3358,6 +3359,9 @@ A directory on the host that can be accessed directly from the guest.
> ``cache`` element, possible ``mode`` values being ``none`` and ``always``.
> Locking can be controlled via the ``lock`` element - attributes ``posix`` and
> ``flock`` both accepting values ``on`` or ``off``. ( :since:`Since 6.2.0` )
> + The sandboxing method used by virtiofsd can be configured with the ``sandbox``
> + element, possible ``mode`` values being ``namespace`` and
> + ``chroot``. ( :since:`Since 7.2.0` )
Is there any reasonably short explanation of the differences? Or perhaps a
link to the virtiofs docs to clarify what the modes do?
> ``source``
> The resource on the host that is being accessed in the guest. The ``name``
> attribute must be used with ``type='template'``, and the ``dir`` attribute
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 1dbfc68f18..6404ebf210 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -2960,6 +2960,18 @@
> </optional>
> </element>
> </optional>
> + <optional>
> + <element name="sandbox">
> + <optional>
> + <attribute name="mode">
> + <choice>
> + <value>namespace</value>
> + <value>chroot</value>
> + </choice>
> + </attribute>
> + </optional>
> + </element>
> + </optional>
> <optional>
> <element name="lock">
> <optional>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index b0eba9f7bd..70a900ee25 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -538,6 +538,13 @@ VIR_ENUM_IMPL(virDomainFSCacheMode,
> "always",
> );
>
> +VIR_ENUM_IMPL(virDomainFSSandboxMode,
> + VIR_DOMAIN_FS_SANDBOX_MODE_LAST,
> + "default",
> + "namespace",
> + "chroot",
> +);
> +
>
> VIR_ENUM_IMPL(virDomainNet,
> VIR_DOMAIN_NET_TYPE_LAST,
> @@ -10373,6 +10380,7 @@ virDomainFSDefParseXML(virDomainXMLOptionPtr xmlopt,
> g_autofree char *binary = virXPathString("string(./binary/@path)", ctxt);
> g_autofree char *xattr = virXPathString("string(./binary/@xattr)", ctxt);
> g_autofree char *cache = virXPathString("string(./binary/cache/@mode)", ctxt);
> + g_autofree char *sandbox = virXPathString("string(./binary/sandbox/@mode)", ctxt);
> g_autofree char *posix_lock = virXPathString("string(./binary/lock/@posix)", ctxt);
> g_autofree char *flock = virXPathString("string(./binary/lock/@flock)", ctxt);
> int val;
> @@ -10406,6 +10414,16 @@ virDomainFSDefParseXML(virDomainXMLOptionPtr xmlopt,
> def->cache = val;
> }
>
> + if (sandbox) {
> + if ((val = virDomainFSSandboxModeTypeFromString(sandbox)) <= 0) {
> + virReportError(VIR_ERR_XML_ERROR,
> + _("cannot parse sandbox mode '%s' for virtiofs"),
> + sandbox);
> + goto error;
> + }
> + def->sandbox = val;
> + }
> +
> if (posix_lock) {
> if ((val = virTristateSwitchTypeFromString(posix_lock)) <= 0) {
> virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
> @@ -25483,6 +25501,11 @@ virDomainFSDefFormat(virBufferPtr buf,
> virDomainFSCacheModeTypeToString(def->cache));
> }
>
> + if (def->sandbox != VIR_DOMAIN_FS_SANDBOX_MODE_DEFAULT) {
> + virBufferAsprintf(&binaryBuf, "<sandbox mode='%s'/>\n",
> + virDomainFSSandboxModeTypeToString(def->sandbox));
> + }
> +
> if (def->posix_lock != VIR_TRISTATE_SWITCH_ABSENT) {
> virBufferAsprintf(&lockAttrBuf, " posix='%s'",
> virTristateSwitchTypeToString(def->posix_lock));
> diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
> index 0b8895bbdf..d77b04847b 100644
> --- a/src/conf/domain_conf.h
> +++ b/src/conf/domain_conf.h
> @@ -846,6 +846,14 @@ typedef enum {
> VIR_DOMAIN_FS_CACHE_MODE_LAST
> } virDomainFSCacheMode;
>
> +typedef enum {
> + VIR_DOMAIN_FS_SANDBOX_MODE_DEFAULT = 0,
> + VIR_DOMAIN_FS_SANDBOX_MODE_NAMESPACE,
> + VIR_DOMAIN_FS_SANDBOX_MODE_CHROOT,
> +
> + VIR_DOMAIN_FS_SANDBOX_MODE_LAST
> +} virDomainFSSandboxMode;
> +
> struct _virDomainFSDef {
> int type;
> int fsdriver; /* enum virDomainFSDriverType */
> @@ -870,6 +878,7 @@ struct _virDomainFSDef {
> virDomainFSCacheMode cache;
> virTristateSwitch posix_lock;
> virTristateSwitch flock;
> + virDomainFSSandboxMode sandbox;
validation check rejecting sandbox modes for 9p fs is missing
> virDomainVirtioOptionsPtr virtio;
> virObjectPtr privateData;
> };
On 3/26/21 11:53 AM, Peter Krempa wrote: > On Fri, Mar 26, 2021 at 11:37:48 -0400, Cole Robinson wrote: >> Add a new XML element >> >> <filesystem> >> <binary> >> <sandbox mode='chroot|namespace'/> >> </binary> >> </filesystem> >> >> Which maps to `virtiofsd -o sandbox=chroot|namespace`, which was added >> in qemu 5.2.0: >> >> https://git.qemu.org/?p=qemu.git;a=commit;h=06844584b62a43384642f7243b0fc01c9fff0fc7 >> >> Signed-off-by: Cole Robinson <crobinso@redhat.com> >> --- >> docs/formatdomain.rst | 4 ++++ >> docs/schemas/domaincommon.rng | 12 ++++++++++ >> src/conf/domain_conf.c | 23 +++++++++++++++++++ >> src/conf/domain_conf.h | 10 ++++++++ >> src/libvirt_private.syms | 1 + >> src/qemu/qemu_virtiofs.c | 2 ++ >> .../vhost-user-fs-fd-memory.xml | 1 + >> 7 files changed, 53 insertions(+) > > Please split the commit as it's usual for libvirt patches. > Okay, fixed in v2. I addressed the docs and validation piece in v2 too > Also a test case modifying any of the .args files in qemuxml2argv test > is missing. > This option affects the virtiofsd command line only, so it won't be reflected in .args files Thanks, Cole