From nobody Wed Dec 17 21:45:42 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1560875099; cv=none; d=zoho.com; s=zohoarc; b=K/6laOvPuL2KABClyJ5Ew8RXQ/OXPZWjY8xgjbSwCh1VlEw45pjnxnJ6SlNnIpDmhLxySOH6N+DtjHZQ7qJLXXLtVjzxBPUwZ1JV/sU/jKBa9CsaAVub3lLKsqyALBG19+YNudlVFKn2Vgfs9F7mHC3AJHhA1aWUaGhqsFijH/E= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1560875099; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=xNVyM3O434v5cErapSI7ezBvqFInmNMChI3tt3c4l8k=; b=Vi+nOfD+hwBKOZlTUhYDr8h7HaO963rL3z2UbO4jSu5ys5SHzzPTSccldyHZ+c9xNKbhVyZn7bGRpl/MsJdvzeYSykqF3xQs9zVWhbCm1MNbKf+dA0kH8Qzss0rMJG8uoMwiT5tXgfHOzMClOONvPco4r0iUin+Kem+R3wUjNZk= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (209.51.188.17 [209.51.188.17]) by mx.zohomail.com with SMTPS id 1560875099543524.4577725821182; Tue, 18 Jun 2019 09:24:59 -0700 (PDT) Received: from localhost ([::1]:59532 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hdGue-0003A2-El for importer@patchew.org; Tue, 18 Jun 2019 12:24:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56327) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hdFxm-0008Sr-Nt for qemu-devel@nongnu.org; Tue, 18 Jun 2019 11:24:02 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hdFxd-0000v6-B7 for qemu-devel@nongnu.org; Tue, 18 Jun 2019 11:23:58 -0400 Received: from mx1.redhat.com ([209.132.183.28]:41714) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hdFxS-0000hH-QB; Tue, 18 Jun 2019 11:23:39 -0400 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2368A30BB524; Tue, 18 Jun 2019 15:23:37 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-116-185.ams2.redhat.com [10.36.116.185]) by smtp.corp.redhat.com (Postfix) with ESMTP id 43AD519492; Tue, 18 Jun 2019 15:23:36 +0000 (UTC) From: Kevin Wolf To: qemu-block@nongnu.org Date: Tue, 18 Jun 2019 17:23:15 +0200 Message-Id: <20190618152318.24953-12-kwolf@redhat.com> In-Reply-To: <20190618152318.24953-1-kwolf@redhat.com> References: <20190618152318.24953-1-kwolf@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.49]); Tue, 18 Jun 2019 15:23:37 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 11/14] block: Add *tighten_restrictions to *check*_perm() X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kwolf@redhat.com, qemu-devel@nongnu.org Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" From: Max Reitz This patch makes three functions report whether the necessary permission change tightens restrictions or not. These functions are: - bdrv_check_perm() - bdrv_check_update_perm() - bdrv_child_check_perm() Callers can use this result to decide whether a failure is fatal or not (see the next patch). Signed-off-by: Max Reitz Signed-off-by: Kevin Wolf --- block.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 70 insertions(+), 17 deletions(-) diff --git a/block.c b/block.c index b7d4149c2f..1b10a5ce35 100644 --- a/block.c +++ b/block.c @@ -1706,7 +1706,8 @@ static int bdrv_fill_options(QDict **options, const c= har *filename, =20 static int bdrv_child_check_perm(BdrvChild *c, BlockReopenQueue *q, uint64_t perm, uint64_t shared, - GSList *ignore_children, Error **errp); + GSList *ignore_children, + bool *tighten_restrictions, Error **errp); static void bdrv_child_abort_perm_update(BdrvChild *c); static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shar= ed); static void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm, @@ -1781,18 +1782,43 @@ static void bdrv_child_perm(BlockDriverState *bs, B= lockDriverState *child_bs, * permissions of all its parents. This involves checking whether all nece= ssary * permission changes to child nodes can be performed. * + * Will set *tighten_restrictions to true if and only if new permissions h= ave to + * be taken or currently shared permissions are to be unshared. Otherwise, + * errors are not fatal as long as the caller accepts that the restrictions + * remain tighter than they need to be. The caller still has to abort the + * transaction. + * @tighten_restrictions cannot be used together with @q: When reopening, = we may + * encounter fatal errors even though no restrictions are to be tightened.= For + * example, changing a node from RW to RO will fail if the WRITE permissio= n is + * to be kept. + * * A call to this function must always be followed by a call to bdrv_set_p= erm() * or bdrv_abort_perm_update(). */ static int bdrv_check_perm(BlockDriverState *bs, BlockReopenQueue *q, uint64_t cumulative_perms, uint64_t cumulative_shared_perms, - GSList *ignore_children, Error **errp) + GSList *ignore_children, + bool *tighten_restrictions, Error **errp) { BlockDriver *drv =3D bs->drv; BdrvChild *c; int ret; =20 + assert(!q || !tighten_restrictions); + + if (tighten_restrictions) { + uint64_t current_perms, current_shared; + uint64_t added_perms, removed_shared_perms; + + bdrv_get_cumulative_perm(bs, ¤t_perms, ¤t_shared); + + added_perms =3D cumulative_perms & ~current_perms; + removed_shared_perms =3D current_shared & ~cumulative_shared_perms; + + *tighten_restrictions =3D added_perms || removed_shared_perms; + } + /* Write permissions never work with read-only images */ if ((cumulative_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) && !bdrv_is_writable_after_reopen(bs, q)) @@ -1833,11 +1859,18 @@ static int bdrv_check_perm(BlockDriverState *bs, Bl= ockReopenQueue *q, /* Check all children */ QLIST_FOREACH(c, &bs->children, next) { uint64_t cur_perm, cur_shared; + bool child_tighten_restr; + bdrv_child_perm(bs, c->bs, c, c->role, q, cumulative_perms, cumulative_shared_perms, &cur_perm, &cur_shared); - ret =3D bdrv_child_check_perm(c, q, cur_perm, cur_shared, - ignore_children, errp); + ret =3D bdrv_child_check_perm(c, q, cur_perm, cur_shared, ignore_c= hildren, + tighten_restrictions ? &child_tighten_= restr + : NULL, + errp); + if (tighten_restrictions) { + *tighten_restrictions |=3D child_tighten_restr; + } if (ret < 0) { return ret; } @@ -1961,17 +1994,23 @@ char *bdrv_perm_names(uint64_t perm) * set, the BdrvChild objects in this list are ignored in the calculations; * this allows checking permission updates for an existing reference. * + * See bdrv_check_perm() for the semantics of @tighten_restrictions. + * * Needs to be followed by a call to either bdrv_set_perm() or * bdrv_abort_perm_update(). */ static int bdrv_check_update_perm(BlockDriverState *bs, BlockReopenQueue *= q, uint64_t new_used_perm, uint64_t new_shared_perm, - GSList *ignore_children, Error **errp) + GSList *ignore_children, + bool *tighten_restrictions, + Error **errp) { BdrvChild *c; uint64_t cumulative_perms =3D new_used_perm; uint64_t cumulative_shared_perms =3D new_shared_perm; =20 + assert(!q || !tighten_restrictions); + /* There is no reason why anyone couldn't tolerate write_unchanged */ assert(new_shared_perm & BLK_PERM_WRITE_UNCHANGED); =20 @@ -1983,6 +2022,11 @@ static int bdrv_check_update_perm(BlockDriverState *= bs, BlockReopenQueue *q, if ((new_used_perm & c->shared_perm) !=3D new_used_perm) { char *user =3D bdrv_child_user_desc(c); char *perm_names =3D bdrv_perm_names(new_used_perm & ~c->share= d_perm); + + if (tighten_restrictions) { + *tighten_restrictions =3D true; + } + error_setg(errp, "Conflicts with use by %s as '%s', which does= not " "allow '%s' on %s", user, c->name, perm_names, bdrv_get_node_name(c->bs= )); @@ -1994,6 +2038,11 @@ static int bdrv_check_update_perm(BlockDriverState *= bs, BlockReopenQueue *q, if ((c->perm & new_shared_perm) !=3D c->perm) { char *user =3D bdrv_child_user_desc(c); char *perm_names =3D bdrv_perm_names(c->perm & ~new_shared_per= m); + + if (tighten_restrictions) { + *tighten_restrictions =3D true; + } + error_setg(errp, "Conflicts with use by %s as '%s', which uses= " "'%s' on %s", user, c->name, perm_names, bdrv_get_node_name(c->bs= )); @@ -2007,19 +2056,21 @@ static int bdrv_check_update_perm(BlockDriverState = *bs, BlockReopenQueue *q, } =20 return bdrv_check_perm(bs, q, cumulative_perms, cumulative_shared_perm= s, - ignore_children, errp); + ignore_children, tighten_restrictions, errp); } =20 /* Needs to be followed by a call to either bdrv_child_set_perm() or * bdrv_child_abort_perm_update(). */ static int bdrv_child_check_perm(BdrvChild *c, BlockReopenQueue *q, uint64_t perm, uint64_t shared, - GSList *ignore_children, Error **errp) + GSList *ignore_children, + bool *tighten_restrictions, Error **errp) { int ret; =20 ignore_children =3D g_slist_prepend(g_slist_copy(ignore_children), c); - ret =3D bdrv_check_update_perm(c->bs, q, perm, shared, ignore_children= , errp); + ret =3D bdrv_check_update_perm(c->bs, q, perm, shared, ignore_children, + tighten_restrictions, errp); g_slist_free(ignore_children); =20 if (ret < 0) { @@ -2072,7 +2123,7 @@ int bdrv_child_try_set_perm(BdrvChild *c, uint64_t pe= rm, uint64_t shared, { int ret; =20 - ret =3D bdrv_child_check_perm(c, NULL, perm, shared, NULL, errp); + ret =3D bdrv_child_check_perm(c, NULL, perm, shared, NULL, NULL, errp); if (ret < 0) { bdrv_child_abort_perm_update(c); return ret; @@ -2258,7 +2309,8 @@ static void bdrv_replace_child(BdrvChild *child, Bloc= kDriverState *new_bs) * because we're just taking a parent away, so we're loosening * restrictions. */ bdrv_get_cumulative_perm(old_bs, &perm, &shared_perm); - bdrv_check_perm(old_bs, NULL, perm, shared_perm, NULL, &error_abor= t); + bdrv_check_perm(old_bs, NULL, perm, shared_perm, NULL, + NULL, &error_abort); bdrv_set_perm(old_bs, perm, shared_perm); =20 /* When the parent requiring a non-default AioContext is removed, = the @@ -2288,7 +2340,8 @@ BdrvChild *bdrv_root_attach_child(BlockDriverState *c= hild_bs, Error *local_err =3D NULL; int ret; =20 - ret =3D bdrv_check_update_perm(child_bs, NULL, perm, shared_perm, NULL= , errp); + ret =3D bdrv_check_update_perm(child_bs, NULL, perm, shared_perm, NULL= , NULL, + errp); if (ret < 0) { bdrv_abort_perm_update(child_bs); bdrv_unref(child_bs); @@ -3369,7 +3422,7 @@ int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, = Error **errp) QSIMPLEQ_FOREACH(bs_entry, bs_queue, entry) { BDRVReopenState *state =3D &bs_entry->state; ret =3D bdrv_check_perm(state->bs, bs_queue, state->perm, - state->shared_perm, NULL, errp); + state->shared_perm, NULL, NULL, errp); if (ret < 0) { goto cleanup_perm; } @@ -3381,7 +3434,7 @@ int bdrv_reopen_multiple(BlockReopenQueue *bs_queue, = Error **errp) state->perm, state->shared_perm, &nperm, &nshared); ret =3D bdrv_check_update_perm(state->new_backing_bs, NULL, - nperm, nshared, NULL, errp); + nperm, nshared, NULL, NULL, errp); if (ret < 0) { goto cleanup_perm; } @@ -4097,7 +4150,7 @@ void bdrv_replace_node(BlockDriverState *from, BlockD= riverState *to, =20 /* Check whether the required permissions can be granted on @to, ignor= ing * all BdrvChild in @list so that they can't block themselves. */ - ret =3D bdrv_check_update_perm(to, NULL, perm, shared, list, errp); + ret =3D bdrv_check_update_perm(to, NULL, perm, shared, list, NULL, err= p); if (ret < 0) { bdrv_abort_perm_update(to); goto out; @@ -4444,7 +4497,7 @@ int bdrv_drop_intermediate(BlockDriverState *top, Blo= ckDriverState *base, /* Check whether we are allowed to switch c from top to base */ GSList *ignore_children =3D g_slist_prepend(NULL, c); ret =3D bdrv_check_update_perm(base, NULL, c->perm, c->shared_perm, - ignore_children, &local_err); + ignore_children, NULL, &local_err); g_slist_free(ignore_children); if (ret < 0) { error_report_err(local_err); @@ -5219,7 +5272,7 @@ static void coroutine_fn bdrv_co_invalidate_cache(Blo= ckDriverState *bs, */ bs->open_flags &=3D ~BDRV_O_INACTIVE; bdrv_get_cumulative_perm(bs, &perm, &shared_perm); - ret =3D bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, &local_err); + ret =3D bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, NULL, &loca= l_err); if (ret < 0) { bs->open_flags |=3D BDRV_O_INACTIVE; error_propagate(errp, local_err); @@ -5369,7 +5422,7 @@ static int bdrv_inactivate_recurse(BlockDriverState *= bs) =20 /* Update permissions, they may differ for inactive nodes */ bdrv_get_cumulative_perm(bs, &perm, &shared_perm); - bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, &error_abort); + bdrv_check_perm(bs, NULL, perm, shared_perm, NULL, NULL, &error_abort); bdrv_set_perm(bs, perm, shared_perm); =20 =20 --=20 2.20.1