From nobody Wed Apr 30 05:40:24 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as
permitted sender) client-ip=208.118.235.17;
envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
helo=lists.gnu.org;
Authentication-Results: mx.zoho.com;
spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted
sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by
mx.zohomail.com
with SMTPS id 1488314728821428.33984410171206;
Tue, 28 Feb 2017 12:45:28 -0800 (PST)
Received: from localhost ([::1]:36782 helo=lists.gnu.org)
by lists.gnu.org with esmtp (Exim 4.71)
(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
id 1cioeF-0004GP-Aa
for importer@patchew.org; Tue, 28 Feb 2017 15:45:27 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44730)
by lists.gnu.org with esmtp (Exim 4.71)
(envelope-from <kwolf@redhat.com>) id 1cioWF-0005eC-Cg
for qemu-devel@nongnu.org; Tue, 28 Feb 2017 15:37:13 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
(envelope-from <kwolf@redhat.com>) id 1cioWD-0007gA-C5
for qemu-devel@nongnu.org; Tue, 28 Feb 2017 15:37:11 -0500
Received: from mx1.redhat.com ([209.132.183.28]:35502)
by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
(Exim 4.71) (envelope-from <kwolf@redhat.com>)
id 1cioW9-0007d3-0O; Tue, 28 Feb 2017 15:37:05 -0500
Received: from int-mx11.intmail.prod.int.phx2.redhat.com
(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mx1.redhat.com (Postfix) with ESMTPS id 0FD9B61BAB;
Tue, 28 Feb 2017 20:37:05 +0000 (UTC)
Received: from noname.redhat.com (ovpn-116-177.ams2.redhat.com
[10.36.116.177])
by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
id v1SKapF7021888; Tue, 28 Feb 2017 15:37:03 -0500
From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Date: Tue, 28 Feb 2017 21:36:05 +0100
Message-Id: <1488314205-16264-7-git-send-email-kwolf@redhat.com>
In-Reply-To: <1488314205-16264-1-git-send-email-kwolf@redhat.com>
References: <1488314205-16264-1-git-send-email-kwolf@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
(mx1.redhat.com [10.5.110.39]);
Tue, 28 Feb 2017 20:37:05 +0000 (UTC)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
[fuzzy]
X-Received-From: 209.132.183.28
Subject: [Qemu-devel] [PULL 06/46] block: Involve block drivers in
permission granting
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: kwolf@redhat.com, qemu-devel@nongnu.org
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail: RSF_0 Z_629925259 SPT_0
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
In many cases, the required permissions of one node on its children
depend on what its parents require from it. For example, the raw format
or most filter drivers only need to request consistent reads if that's
something that one of their parents wants.
In order to achieve this, this patch introduces two new BlockDriver
callbacks. The first one lets drivers first check (recursively) whether
the requested permissions can be set; the second one actually sets the
new permission bitmask.
Also add helper functions that drivers can use in their implementation
of the callbacks to update their permissions on a specific child.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Acked-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
---
block.c | 206 ++++++++++++++++++++++++++++++++++++++++++=
+++-
include/block/block_int.h | 61 ++++++++++++++
2 files changed, 263 insertions(+), 4 deletions(-)
diff --git a/block.c b/block.c
index 9628c7a..cf3534f 100644
--- a/block.c
+++ b/block.c
@@ -1326,11 +1326,146 @@ static int bdrv_fill_options(QDict **options, cons=
t char *filename,
return 0;
}
=20
+/*
+ * Check whether permissions on this node can be changed in a way that
+ * @cumulative_perms and @cumulative_shared_perms are the new cumulative
+ * permissions of all its parents. This involves checking whether all nece=
ssary
+ * permission changes to child nodes can be performed.
+ *
+ * A call to this function must always be followed by a call to bdrv_set_p=
erm()
+ * or bdrv_abort_perm_update().
+ */
+static int bdrv_check_perm(BlockDriverState *bs, uint64_t cumulative_perms,
+ uint64_t cumulative_shared_perms, Error **errp)
+{
+ BlockDriver *drv =3D bs->drv;
+ BdrvChild *c;
+ int ret;
+
+ /* Write permissions never work with read-only images */
+ if ((cumulative_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) &&
+ bdrv_is_read_only(bs))
+ {
+ error_setg(errp, "Block node is read-only");
+ return -EPERM;
+ }
+
+ /* Check this node */
+ if (!drv) {
+ return 0;
+ }
+
+ if (drv->bdrv_check_perm) {
+ return drv->bdrv_check_perm(bs, cumulative_perms,
+ cumulative_shared_perms, errp);
+ }
+
+ /* Drivers may not have .bdrv_child_perm() */
+ if (!drv->bdrv_child_perm) {
+ return 0;
+ }
+
+ /* Check all children */
+ QLIST_FOREACH(c, &bs->children, next) {
+ uint64_t cur_perm, cur_shared;
+ drv->bdrv_child_perm(bs, c, c->role,
+ cumulative_perms, cumulative_shared_perms,
+ &cur_perm, &cur_shared);
+ ret =3D bdrv_child_check_perm(c, cur_perm, cur_shared, errp);
+ if (ret < 0) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Notifies drivers that after a previous bdrv_check_perm() call, the
+ * permission update is not performed and any preparations made for it (e.=
g.
+ * taken file locks) need to be undone.
+ *
+ * This function recursively notifies all child nodes.
+ */
+static void bdrv_abort_perm_update(BlockDriverState *bs)
+{
+ BlockDriver *drv =3D bs->drv;
+ BdrvChild *c;
+
+ if (!drv) {
+ return;
+ }
+
+ if (drv->bdrv_abort_perm_update) {
+ drv->bdrv_abort_perm_update(bs);
+ }
+
+ QLIST_FOREACH(c, &bs->children, next) {
+ bdrv_child_abort_perm_update(c);
+ }
+}
+
+static void bdrv_set_perm(BlockDriverState *bs, uint64_t cumulative_perms,
+ uint64_t cumulative_shared_perms)
+{
+ BlockDriver *drv =3D bs->drv;
+ BdrvChild *c;
+
+ if (!drv) {
+ return;
+ }
+
+ /* Update this node */
+ if (drv->bdrv_set_perm) {
+ drv->bdrv_set_perm(bs, cumulative_perms, cumulative_shared_perms);
+ }
+
+ /* Drivers may not have .bdrv_child_perm() */
+ if (!drv->bdrv_child_perm) {
+ return;
+ }
+
+ /* Update all children */
+ QLIST_FOREACH(c, &bs->children, next) {
+ uint64_t cur_perm, cur_shared;
+ drv->bdrv_child_perm(bs, c, c->role,
+ cumulative_perms, cumulative_shared_perms,
+ &cur_perm, &cur_shared);
+ bdrv_child_set_perm(c, cur_perm, cur_shared);
+ }
+}
+
+static void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm,
+ uint64_t *shared_perm)
+{
+ BdrvChild *c;
+ uint64_t cumulative_perms =3D 0;
+ uint64_t cumulative_shared_perms =3D BLK_PERM_ALL;
+
+ QLIST_FOREACH(c, &bs->parents, next_parent) {
+ cumulative_perms |=3D c->perm;
+ cumulative_shared_perms &=3D c->shared_perm;
+ }
+
+ *perm =3D cumulative_perms;
+ *shared_perm =3D cumulative_shared_perms;
+}
+
+/*
+ * Checks whether a new reference to @bs can be added if the new user requ=
ires
+ * @new_used_perm/@new_shared_perm as its permissions. If @ignore_child is=
set,
+ * this old reference is ignored in the calculations; this allows checking
+ * permission updates for an existing reference.
+ *
+ * Needs to be followed by a call to either bdrv_set_perm() or
+ * bdrv_abort_perm_update(). */
static int bdrv_check_update_perm(BlockDriverState *bs, uint64_t new_used_=
perm,
uint64_t new_shared_perm,
BdrvChild *ignore_child, Error **errp)
{
BdrvChild *c;
+ uint64_t cumulative_perms =3D new_used_perm;
+ uint64_t cumulative_shared_perms =3D new_shared_perm;
=20
/* There is no reason why anyone couldn't tolerate write_unchanged */
assert(new_shared_perm & BLK_PERM_WRITE_UNCHANGED);
@@ -1353,20 +1488,73 @@ static int bdrv_check_update_perm(BlockDriverState =
*bs, uint64_t new_used_perm,
error_setg(errp, "Conflicts with %s", user ?: "another operati=
on");
return -EPERM;
}
+
+ cumulative_perms |=3D c->perm;
+ cumulative_shared_perms &=3D c->shared_perm;
}
=20
+ return bdrv_check_perm(bs, cumulative_perms, cumulative_shared_perms, =
errp);
+}
+
+/* Needs to be followed by a call to either bdrv_child_set_perm() or
+ * bdrv_child_abort_perm_update(). */
+int bdrv_child_check_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
+ Error **errp)
+{
+ return bdrv_check_update_perm(c->bs, perm, shared, c, errp);
+}
+
+void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared)
+{
+ uint64_t cumulative_perms, cumulative_shared_perms;
+
+ c->perm =3D perm;
+ c->shared_perm =3D shared;
+
+ bdrv_get_cumulative_perm(c->bs, &cumulative_perms,
+ &cumulative_shared_perms);
+ bdrv_set_perm(c->bs, cumulative_perms, cumulative_shared_perms);
+}
+
+void bdrv_child_abort_perm_update(BdrvChild *c)
+{
+ bdrv_abort_perm_update(c->bs);
+}
+
+int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
+ Error **errp)
+{
+ int ret;
+
+ ret =3D bdrv_child_check_perm(c, perm, shared, errp);
+ if (ret < 0) {
+ bdrv_child_abort_perm_update(c);
+ return ret;
+ }
+
+ bdrv_child_set_perm(c, perm, shared);
+
return 0;
}
=20
-static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs)
+static void bdrv_replace_child(BdrvChild *child, BlockDriverState *new_bs,
+ bool check_new_perm)
{
BlockDriverState *old_bs =3D child->bs;
+ uint64_t perm, shared_perm;
=20
if (old_bs) {
if (old_bs->quiesce_counter && child->role->drained_end) {
child->role->drained_end(child);
}
QLIST_REMOVE(child, next_parent);
+
+ /* Update permissions for old node. This is guaranteed to succeed
+ * because we're just taking a parent away, so we're loosening
+ * restrictions. */
+ bdrv_get_cumulative_perm(old_bs, &perm, &shared_perm);
+ bdrv_check_perm(old_bs, perm, shared_perm, &error_abort);
+ bdrv_set_perm(old_bs, perm, shared_perm);
}
=20
child->bs =3D new_bs;
@@ -1376,6 +1564,12 @@ static void bdrv_replace_child(BdrvChild *child, Blo=
ckDriverState *new_bs)
if (new_bs->quiesce_counter && child->role->drained_begin) {
child->role->drained_begin(child);
}
+
+ bdrv_get_cumulative_perm(new_bs, &perm, &shared_perm);
+ if (check_new_perm) {
+ bdrv_check_perm(new_bs, perm, shared_perm, &error_abort);
+ }
+ bdrv_set_perm(new_bs, perm, shared_perm);
}
}
=20
@@ -1390,6 +1584,7 @@ BdrvChild *bdrv_root_attach_child(BlockDriverState *c=
hild_bs,
=20
ret =3D bdrv_check_update_perm(child_bs, perm, shared_perm, NULL, errp=
);
if (ret < 0) {
+ bdrv_abort_perm_update(child_bs);
return NULL;
}
=20
@@ -1403,7 +1598,8 @@ BdrvChild *bdrv_root_attach_child(BlockDriverState *c=
hild_bs,
.opaque =3D opaque,
};
=20
- bdrv_replace_child(child, child_bs);
+ /* This performs the matching bdrv_set_perm() for the above check. */
+ bdrv_replace_child(child, child_bs, false);
=20
return child;
}
@@ -1434,7 +1630,7 @@ static void bdrv_detach_child(BdrvChild *child)
child->next.le_prev =3D NULL;
}
=20
- bdrv_replace_child(child, NULL);
+ bdrv_replace_child(child, NULL, false);
=20
g_free(child->name);
g_free(child);
@@ -2541,7 +2737,9 @@ static void change_parent_backing_link(BlockDriverSta=
te *from,
=20
assert(c->role !=3D &child_backing);
bdrv_ref(to);
- bdrv_replace_child(c, to);
+ /* FIXME Are we sure that bdrv_replace_child() can't run into
+ * &error_abort because of permissions? */
+ bdrv_replace_child(c, to, true);
bdrv_unref(from);
}
}
diff --git a/include/block/block_int.h b/include/block/block_int.h
index ed63bad..cef2b6e 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -320,6 +320,59 @@ struct BlockDriver {
void (*bdrv_del_child)(BlockDriverState *parent, BdrvChild *child,
Error **errp);
=20
+ /**
+ * Informs the block driver that a permission change is intended. The
+ * driver checks whether the change is permissible and may take other
+ * preparations for the change (e.g. get file system locks). This oper=
ation
+ * is always followed either by a call to either .bdrv_set_perm or
+ * .bdrv_abort_perm_update.
+ *
+ * Checks whether the requested set of cumulative permissions in @perm
+ * can be granted for accessing @bs and whether no other users are usi=
ng
+ * permissions other than those given in @shared (both arguments take
+ * BLK_PERM_* bitmasks).
+ *
+ * If both conditions are met, 0 is returned. Otherwise, -errno is ret=
urned
+ * and errp is set to an error describing the conflict.
+ */
+ int (*bdrv_check_perm)(BlockDriverState *bs, uint64_t perm,
+ uint64_t shared, Error **errp);
+
+ /**
+ * Called to inform the driver that the set of cumulative set of used
+ * permissions for @bs has changed to @perm, and the set of sharable
+ * permission to @shared. The driver can use this to propagate changes=
to
+ * its children (i.e. request permissions only if a parent actually ne=
eds
+ * them).
+ *
+ * This function is only invoked after bdrv_check_perm(), so block dri=
vers
+ * may rely on preparations made in their .bdrv_check_perm implementat=
ion.
+ */
+ void (*bdrv_set_perm)(BlockDriverState *bs, uint64_t perm, uint64_t sh=
ared);
+
+ /*
+ * Called to inform the driver that after a previous bdrv_check_perm()
+ * call, the permission update is not performed and any preparations m=
ade
+ * for it (e.g. taken file locks) need to be undone.
+ *
+ * This function can be called even for nodes that never saw a
+ * bdrv_check_perm() call. It is a no-op then.
+ */
+ void (*bdrv_abort_perm_update)(BlockDriverState *bs);
+
+ /**
+ * Returns in @nperm and @nshared the permissions that the driver for =
@bs
+ * needs on its child @c, based on the cumulative permissions requeste=
d by
+ * the parents in @parent_perm and @parent_shared.
+ *
+ * If @c is NULL, return the permissions for attaching a new child for=
the
+ * given @role.
+ */
+ void (*bdrv_child_perm)(BlockDriverState *bs, BdrvChild *c,
+ const BdrvChildRole *role,
+ uint64_t parent_perm, uint64_t parent_shared,
+ uint64_t *nperm, uint64_t *nshared);
+
QLIST_ENTRY(BlockDriver) list;
};
=20
@@ -812,6 +865,14 @@ BdrvChild *bdrv_root_attach_child(BlockDriverState *ch=
ild_bs,
void *opaque, Error **errp);
void bdrv_root_unref_child(BdrvChild *child);
=20
+int bdrv_child_check_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
+ Error **errp);
+void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared);
+void bdrv_child_abort_perm_update(BdrvChild *c);
+int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
+ Error **errp);
+
+
const char *bdrv_get_parent_name(const BlockDriverState *bs);
void blk_dev_change_media_cb(BlockBackend *blk, bool load);
bool blk_dev_has_removable_media(BlockBackend *blk);
--=20
1.8.3.1