From: Max Reitz
To: qemu-devel@nongnu.org, virtio-fs@redhat.com
Cc: "Dr . David Alan Gilbert", Stefan Hajnoczi, Max Reitz
Subject: [PATCH 8/9] virtiofsd: Optionally fill lo_inode.fhandle
Date: Fri, 4 Jun 2021 18:13:36 +0200
Message-Id: <20210604161337.16048-9-mreitz@redhat.com>
In-Reply-To: <20210604161337.16048-1-mreitz@redhat.com>
References: <20210604161337.16048-1-mreitz@redhat.com>

When the inode_file_handles option is set, try to generate a file handle for new inodes instead of opening an O_PATH FD. Being able to open these again will require CAP_DAC_READ_SEARCH, so the description text tells the user they will also need to specify -o modcaps=+dac_read_search.

Generating a file handle returns the mount ID it is valid for. Opening it will require an FD instead. We have mount_fds to map an ID to an FD. get_file_handle() fills the hash map by opening the file we have generated a handle for. To verify that the resulting FD indeed represents the handle's mount ID, we use statx(). Therefore, using file handles requires statx() support. Signed-off-by: Max Reitz --- tools/virtiofsd/helper.c | 3 + tools/virtiofsd/passthrough_ll.c | 170 ++++++++++++++++++++++++-- tools/virtiofsd/passthrough_seccomp.c | 1 + 3 files changed, 165 insertions(+), 9 deletions(-) diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c index 5e98ed702b..954f8639e6 100644 --- a/tools/virtiofsd/helper.c +++ b/tools/virtiofsd/helper.c @@ -186,6 +186,9 @@ void fuse_cmdline_help(void) " to virtiofsd from guest applica= tions.\n" " default: no_allow_direct_io\n" " -o announce_submounts Announce sub-mount points to th= e guest\n" + " -o inode_file_handles Use file handles to reference i= nodes\n" + " instead of O_PATH file descript= ors\n" + " (requires -o modcaps=3D+dac_rea= d_search)\n" ); } =20 diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough= _ll.c index 793d2c333e..d01f9d3a59 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -190,6 +190,7 @@ struct lo_data { /* An O_PATH file descriptor to /proc/self/fd/ */ int proc_self_fd; int user_killpriv_v2, killpriv_v2; + int inode_file_handles; }; =20 /** @@ -244,6 +245,10 @@ static const struct fuse_opt lo_opts[] =3D { { "announce_submounts", offsetof(struct lo_data, announce_submounts), = 1 }, { "killpriv_v2", offsetof(struct lo_data, user_killpriv_v2), 1 }, { "no_killpriv_v2", offsetof(struct lo_data, user_killpriv_v2), 0 }, + { "inode_file_handles", offsetof(struct lo_data, inode_file_handles), = 1 }, + { "no_inode_file_handles", + offsetof(struct lo_data, inode_file_handles), + 0 }, FUSE_OPT_END }; static bool use_syslog =3D false; 
@@ -315,6 +320,108 @@ static int temp_fd_steal(TempFd *temp_fd) } } =20 +/** + * Generate a file handle for the given dirfd/name combination. + * + * If mount_fds does not yet contain an entry for the handle's mount + * ID, (re)open dirfd/name in O_RDONLY mode and add it to mount_fds + * as the FD for that mount ID. (That is the file that we have + * generated a handle for, so it should be representative for the + * mount ID. However, to be sure (and to rule out races), we use + * statx() to verify that our assumption is correct.) + */ +static struct lo_fhandle *get_file_handle(struct lo_data *lo, + int dirfd, const char *name) +{ + /* We need statx() to verify the mount ID */ +#if defined(CONFIG_STATX) && defined(STATX_MNT_ID) + struct lo_fhandle *fh; + int ret; + + if (!lo->use_statx || !lo->inode_file_handles) { + return NULL; + } + + fh =3D g_new0(struct lo_fhandle, 1); + + fh->handle.handle_bytes =3D sizeof(fh->padding) - sizeof(fh->handle); + ret =3D name_to_handle_at(dirfd, name, &fh->handle, &fh->mount_id, + AT_EMPTY_PATH); + if (ret < 0) { + goto fail; + } + + if (pthread_rwlock_rdlock(&mount_fds_lock)) { + goto fail; + } + if (!g_hash_table_contains(mount_fds, GINT_TO_POINTER(fh->mount_id))) { + struct statx stx; + int fd; + + pthread_rwlock_unlock(&mount_fds_lock); + + if (name[0]) { + fd =3D openat(dirfd, name, O_RDONLY); + } else { + char procname[64]; + snprintf(procname, sizeof(procname), "%i", dirfd); + fd =3D openat(lo->proc_self_fd, procname, O_RDONLY); + } + if (fd < 0) { + goto fail; + } + + ret =3D statx(fd, "", AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW, + STATX_MNT_ID, &stx); + if (ret < 0) { + if (errno =3D=3D ENOSYS) { + lo->use_statx =3D false; + fuse_log(FUSE_LOG_WARNING, + "statx() does not work: Will not be able to use f= ile " + "handles for inodes\n"); + } + goto fail; + } + if (!(stx.stx_mask & STATX_MNT_ID) || stx.stx_mnt_id !=3D fh->moun= t_id) { + /* + * One reason for stx_mnt_id !=3D mount_id could be that dirfd= /name + * is a 
directory, and some other filesystem was mounted there + * between us generating the file handle and then opening the = FD. + * (Other kinds of races might be possible, too.) + * Failing this function is not fatal, though, because our cal= ler + * (lo_do_lookup()) will just fall back to opening an O_PATH F= D to + * store in lo_inode.fd instead of storing a file handle in + * lo_inode.fhandle. So we do not need to try too hard to get= an + * FD for fh->mount_id so this function could succeed. + */ + goto fail; + } + + if (pthread_rwlock_wrlock(&mount_fds_lock)) { + goto fail; + } + + /* Check again, might have changed */ + if (g_hash_table_contains(mount_fds, GINT_TO_POINTER(fh->mount_id)= )) { + close(fd); + } else { + g_hash_table_insert(mount_fds, + GINT_TO_POINTER(fh->mount_id), + GINT_TO_POINTER(fd)); + } + } + pthread_rwlock_unlock(&mount_fds_lock); + + return fh; + +fail: + free(fh); + return NULL; +#else /* defined(CONFIG_STATX) && defined(STATX_MNT_ID) */ + return NULL; +#endif +} + /** * Open the given file handle with the given flags. * @@ -1132,6 +1239,11 @@ static int do_statx(struct lo_data *lo, int dirfd, c= onst char *pathname, return -1; } lo->use_statx =3D false; + if (lo->inode_file_handles) { + fuse_log(FUSE_LOG_WARNING, + "statx() does not work: Will not be able to use file " + "handles for inodes\n"); + } /* fallback */ } #endif @@ -1161,6 +1273,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t pa= rent, const char *name, struct lo_data *lo =3D lo_data(req); struct lo_inode *inode =3D NULL; struct lo_inode *dir =3D lo_inode(req, parent); + struct lo_fhandle *fh; =20 if (inodep) { *inodep =3D NULL; /* in case there is an error */ 
@@ -1190,13 +1303,19 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t = parent, const char *name, goto out; } =20 - newfd =3D openat(dir_fd.fd, name, O_PATH | O_NOFOLLOW); - if (newfd =3D=3D -1) { - goto out_err; - } + fh =3D get_file_handle(lo, dir_fd.fd, name); + if (fh) { + res =3D do_statx(lo, dir_fd.fd, name, &e->attr, + AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW, &mnt_id); + } else { + newfd =3D openat(dir_fd.fd, name, O_PATH | O_NOFOLLOW); + if (newfd =3D=3D -1) { + goto out_err; + } =20 - res =3D do_statx(lo, newfd, "", &e->attr, AT_EMPTY_PATH | AT_SYMLINK_N= OFOLLOW, - &mnt_id); + res =3D do_statx(lo, newfd, "", &e->attr, + AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW, &mnt_id); + } if (res =3D=3D -1) { goto out_err; } @@ -1206,9 +1325,19 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t p= arent, const char *name, e->attr_flags |=3D FUSE_ATTR_SUBMOUNT; } =20 - inode =3D lo_find(lo, NULL, &e->attr, mnt_id); + /* + * Note that fh is always NULL if lo->inode_file_handles is false, + * and so we will never do a lookup by file handle here, and + * lo->inodes_by_handle will always remain empty. We only need + * this map when we do not have an O_PATH fd open for every + * lo_inode, though, so if inode_file_handles is false, we do not + * need that map anyway. + */ + inode =3D lo_find(lo, fh, &e->attr, mnt_id); if (inode) { - close(newfd); + if (newfd !=3D -1) { + close(newfd); + } } else { inode =3D calloc(1, sizeof(struct lo_inode)); if (!inode) { @@ -1226,6 +1355,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t pa= rent, const char *name, =20 inode->nlookup =3D 1; inode->fd =3D newfd; + inode->fhandle =3D fh; inode->key.ino =3D e->attr.st_ino; inode->key.dev =3D e->attr.st_dev; inode->key.mnt_id =3D mnt_id; 
@@ -1237,6 +1367,9 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t pa= rent, const char *name, pthread_mutex_lock(&lo->mutex); inode->fuse_ino =3D lo_add_inode_mapping(req, inode); g_hash_table_insert(lo->inodes_by_ids, &inode->key, inode); + if (inode->fhandle) { + g_hash_table_insert(lo->inodes_by_handle, inode->fhandle, inod= e); + } pthread_mutex_unlock(&lo->mutex); } e->ino =3D inode->fuse_ino; @@ -1530,8 +1663,10 @@ static struct lo_inode *lookup_name(fuse_req_t req, = fuse_ino_t parent, int res; uint64_t mnt_id; struct stat attr; + struct lo_fhandle *fh; struct lo_data *lo =3D lo_data(req); struct lo_inode *dir =3D lo_inode(req, parent); + struct lo_inode *inode; =20 if (!dir) { return NULL; @@ -1542,13 +1677,19 @@ static struct lo_inode *lookup_name(fuse_req_t req,= fuse_ino_t parent, return NULL; } =20 + fh =3D get_file_handle(lo, dir_fd.fd, name); + /* Ignore errors, this is just an optional key for the lookup */ + res =3D do_statx(lo, dir_fd.fd, name, &attr, AT_SYMLINK_NOFOLLOW, &mnt= _id); lo_inode_put(lo, &dir); if (res =3D=3D -1) { return NULL; } =20 - return lo_find(lo, NULL, &attr, mnt_id); + inode =3D lo_find(lo, fh, &attr, mnt_id); + g_free(fh); + + return inode; } =20 static void lo_rmdir(fuse_req_t req, fuse_ino_t parent, const char *name) @@ -1712,6 +1853,9 @@ static void unref_inode(struct lo_data *lo, struct lo= _inode *inode, uint64_t n) if (!inode->nlookup) { lo_map_remove(&lo->ino_map, inode->fuse_ino); g_hash_table_remove(lo->inodes_by_ids, &inode->key); + if (inode->fhandle) { + g_hash_table_remove(lo->inodes_by_handle, inode->fhandle); + } if (lo->posix_lock) { if (g_hash_table_size(inode->posix_locks)) { fuse_log(FUSE_LOG_WARNING, "Hash table is not empty\n"); 
@@ -4156,6 +4300,14 @@ int main(int argc, char *argv[]) =20 lo.use_statx =3D true; =20 +#if !defined(CONFIG_STATX) || !defined(STATX_MNT_ID) + if (lo.inode_file_handles) { + fuse_log(FUSE_LOG_WARNING, + "No statx() or mount ID support: Will not be able to use = file " + "handles for inodes\n"); + } +#endif + se =3D fuse_session_new(&args, &lo_oper, sizeof(lo_oper), &lo); if (se =3D=3D NULL) { goto err_out1; diff --git a/tools/virtiofsd/passthrough_seccomp.c b/tools/virtiofsd/passth= rough_seccomp.c index e948f25ac1..ed23e67ba8 100644 --- a/tools/virtiofsd/passthrough_seccomp.c +++ b/tools/virtiofsd/passthrough_seccomp.c @@ -73,6 +73,7 @@ static const int syscall_allowlist[] =3D { SCMP_SYS(mprotect), SCMP_SYS(mremap), SCMP_SYS(munmap), + SCMP_SYS(name_to_handle_at), SCMP_SYS(newfstatat), SCMP_SYS(statx), SCMP_SYS(open), --=20 2.31.1
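
Review bot: In get_file_handle() (hunk @@ -315,6 +320,108 @@), every goto fail taken after openat() has succeeded leaks fd: the statx() error path, the stx_mnt_id != fh->mount_id mismatch path and the pthread_rwlock_wrlock() failure path all jump to fail, which only releases fh. Close fd on those paths, for example by declaring fd at function scope initialised to -1 and closing it under fail when it is >= 0. Two smaller points in the same function: fh is allocated with g_new0() but fail releases it with free(), while lookup_name() uses g_free(), so g_free() should be used here too; and openat(dirfd, name, O_RDONLY) is issued on a guest-supplied name without O_NOFOLLOW or O_NONBLOCK, unlike the O_PATH | O_NOFOLLOW open it stands in for, so a symlink is followed and a FIFO would block the calling thread. Checking the file type before opening, or restricting this open to regular files and directories, would avoid that.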
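
Review bot: In lo_do_lookup() (hunk @@ -1190,13 +1303,19 @@), the fh branch resolves name twice, once inside get_file_handle() and again in do_statx(lo, dir_fd.fd, name, ...), so the handle and the attributes in e->attr can describe different files if the directory entry is replaced between the two calls; the previous code ran statx on newfd and had no such window. At minimum, compare fh->mount_id with the mnt_id returned by do_statx() and fall back to the O_PATH branch on a mismatch, or take the attributes from an FD opened through the handle. AT_EMPTY_PATH is also passed here together with a non-empty name, where it has no effect and can be dropped.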
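
Review bot: In lo_do_lookup() (hunk @@ -1206,9 +1325,19 @@), when lo_find() returns an existing inode the branch closes newfd but never releases fh, so the handle allocated by get_file_handle() is leaked on that path; add g_free(fh) next to the close(newfd). lookup_name() frees fh itself after calling lo_find(), so lo_find() does not take ownership. The same question applies to the goto out_err taken when do_statx() fails after get_file_handle() succeeded, unless out_err (outside the visible lines) frees it. The newfd != -1 test also relies on newfd being initialised to -1 before the fh branch, which is not visible in this patch and is worth confirming, since inode->fd = newfd stores the value unconditionally for a new inode.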
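
Review bot: In lookup_name() (hunk @@ -1542,13 +1677,19 @@), the early return NULL on res == -1 sits between get_file_handle() and g_free(fh), so fh is leaked whenever do_statx() fails. Free fh on that path as well, or move the get_file_handle() call below the error check so that nothing is allocated before the statx result is known.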
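
Review bot: In main() (hunk @@ -4156,6 +4300,14 @@), the new warning covers only builds without statx() or STATX_MNT_ID; nothing in the visible lines checks that CAP_DAC_READ_SEARCH is actually retained when inode_file_handles is set, although the help text added in helper.c says the option requires -o modcaps=+dac_read_search. A startup check that warns or rejects the option when the capability is missing would surface the misconfiguration once, instead of at the first failed handle open. In the #if branch it would also be clearer to reset lo.inode_file_handles to 0 after the warning so that later code sees a consistent state.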