From nobody Sun Apr 13 04:29:19 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1488314488818901.6348292457783; Tue, 28 Feb 2017 12:41:28 -0800 (PST) Received: from localhost ([::1]:36758 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cioaL-0000ID-Gx for importer@patchew.org; Tue, 28 Feb 2017 15:41:25 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:44702) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cioWE-0005cz-CZ for qemu-devel@nongnu.org; Tue, 28 Feb 2017 15:37:11 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cioWD-0007fy-5B for qemu-devel@nongnu.org; Tue, 28 Feb 2017 15:37:10 -0500 Received: from mx1.redhat.com ([209.132.183.28]:35476) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cioW6-0007aV-WD; Tue, 28 Feb 2017 15:37:03 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2791361BB5; Tue, 28 Feb 2017 20:37:03 +0000 (UTC) Received: from noname.redhat.com (ovpn-116-177.ams2.redhat.com [10.36.116.177]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1SKapF6021888; Tue, 28 Feb 2017 15:37:01 -0500 From: Kevin Wolf To: qemu-block@nongnu.org Date: Tue, 28 Feb 2017 21:36:04 +0100 Message-Id: <1488314205-16264-6-git-send-email-kwolf@redhat.com> In-Reply-To: <1488314205-16264-1-git-send-email-kwolf@redhat.com> References: <1488314205-16264-1-git-send-email-kwolf@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 28 Feb 2017 20:37:03 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 05/46] block: Let callers request permissions when attaching a child node X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kwolf@redhat.com, qemu-devel@nongnu.org Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" When attaching a node as a child to a new parent, the required and shared permissions for this parent are checked against all other parents of the node now, and an error is returned if there is a conflict. This allows error returns to a function that previously always succeeded, and the same is true for quite a few callers and their callers. Converting all of them within the same patch would be too much, so for now everyone tells that they don't need any permissions and allow everyone else to do anything. This way we can use &error_abort initially and convert caller by caller to pass actual permission requirements and implement error handling. All these places are marked with FIXME comments and it will be the job of the next patches to clean them up again. Signed-off-by: Kevin Wolf Reviewed-by: Max Reitz Acked-by: Fam Zheng --- block.c | 66 +++++++++++++++++++++++++++++++++++++++++--= ---- block/block-backend.c | 8 ++++-- include/block/block_int.h | 15 ++++++++++- 3 files changed, 78 insertions(+), 11 deletions(-) diff --git a/block.c b/block.c index 65240fa..9628c7a 100644 --- a/block.c +++ b/block.c @@ -1326,6 +1326,38 @@ static int bdrv_fill_options(QDict **options, const = char *filename, return 0; } =20 +static int bdrv_check_update_perm(BlockDriverState *bs, uint64_t new_used_= perm, + uint64_t new_shared_perm, + BdrvChild *ignore_child, Error **errp) +{ + BdrvChild *c; + + /* There is no reason why anyone couldn't tolerate write_unchanged */ + assert(new_shared_perm & BLK_PERM_WRITE_UNCHANGED); + + QLIST_FOREACH(c, &bs->parents, next_parent) { + if (c =3D=3D ignore_child) { + continue; + } + + if ((new_used_perm & c->shared_perm) !=3D new_used_perm || + (c->perm & new_shared_perm) !=3D c->perm) + { + const char *user =3D NULL; + if (c->role->get_name) { + user =3D c->role->get_name(c); + if (user && !*user) { + user =3D NULL; + } + } + error_setg(errp, "Conflicts with %s", user ?: "another operati= on"); + return -EPERM; + } + } + + return 0; +} + static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs) { BlockDriverState *old_bs =3D child->bs; @@ -1350,14 +1382,25 @@ static void bdrv_replace_child(BdrvChild *child, Bl= ockDriverState *new_bs) BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs, const char *child_name, const BdrvChildRole *child_role, - void *opaque) + uint64_t perm, uint64_t shared_perm, + void *opaque, Error **errp) { - BdrvChild *child =3D g_new(BdrvChild, 1); + BdrvChild *child; + int ret; + + ret =3D bdrv_check_update_perm(child_bs, perm, shared_perm, NULL, errp= ); + if (ret < 0) { + return NULL; + } + + child =3D g_new(BdrvChild, 1); *child =3D (BdrvChild) { - .bs =3D NULL, - .name =3D g_strdup(child_name), - .role =3D child_role, - .opaque =3D opaque, + .bs =3D NULL, + .name =3D g_strdup(child_name), + .role =3D child_role, + .perm =3D perm, + .shared_perm =3D shared_perm, + .opaque =3D opaque, }; =20 bdrv_replace_child(child, child_bs); @@ -1371,8 +1414,15 @@ BdrvChild *bdrv_attach_child(BlockDriverState *paren= t_bs, const BdrvChildRole *child_role, Error **errp) { - BdrvChild *child =3D bdrv_root_attach_child(child_bs, child_name, chil= d_role, - parent_bs); + BdrvChild *child; + + /* FIXME Use real permissions */ + child =3D bdrv_root_attach_child(child_bs, child_name, child_role, + 0, BLK_PERM_ALL, parent_bs, errp); + if (child =3D=3D NULL) { + return NULL; + } + QLIST_INSERT_HEAD(&parent_bs->children, child, next); return child; } diff --git a/block/block-backend.c b/block/block-backend.c index 492e71e..9bb4528 100644 --- a/block/block-backend.c +++ b/block/block-backend.c @@ -163,7 +163,9 @@ BlockBackend *blk_new_open(const char *filename, const = char *reference, return NULL; } =20 - blk->root =3D bdrv_root_attach_child(bs, "root", &child_root, blk); + /* FIXME Use real permissions */ + blk->root =3D bdrv_root_attach_child(bs, "root", &child_root, + 0, BLK_PERM_ALL, blk, &error_abort); =20 return blk; } @@ -498,7 +500,9 @@ void blk_remove_bs(BlockBackend *blk) void blk_insert_bs(BlockBackend *blk, BlockDriverState *bs) { bdrv_ref(bs); - blk->root =3D bdrv_root_attach_child(bs, "root", &child_root, blk); + /* FIXME Use real permissions */ + blk->root =3D bdrv_root_attach_child(bs, "root", &child_root, + 0, BLK_PERM_ALL, blk, &error_abort); =20 notifier_list_notify(&blk->insert_bs_notifiers, blk); if (blk->public.throttle_state) { diff --git a/include/block/block_int.h b/include/block/block_int.h index 1670941..ed63bad 100644 --- a/include/block/block_int.h +++ b/include/block/block_int.h @@ -419,6 +419,18 @@ struct BdrvChild { char *name; const BdrvChildRole *role; void *opaque; + + /** + * Granted permissions for operating on this BdrvChild (BLK_PERM_* bit= mask) + */ + uint64_t perm; + + /** + * Permissions that can still be granted to other users of @bs while t= his + * BdrvChild is still attached to it. (BLK_PERM_* bitmask) + */ + uint64_t shared_perm; + QLIST_ENTRY(BdrvChild) next; QLIST_ENTRY(BdrvChild) next_parent; }; @@ -796,7 +808,8 @@ void hmp_drive_add_node(Monitor *mon, const char *optst= r); BdrvChild *bdrv_root_attach_child(BlockDriverState *child_bs, const char *child_name, const BdrvChildRole *child_role, - void *opaque); + uint64_t perm, uint64_t shared_perm, + void *opaque, Error **errp); void bdrv_root_unref_child(BdrvChild *child); =20 const char *bdrv_get_parent_name(const BlockDriverState *bs); --=20 1.8.3.1