Hi,
v1 cover letter for an overview:
https://listman.redhat.com/archives/virtio-fs/2021-June/msg00033.html
v2 cover letter:
https://listman.redhat.com/archives/virtio-fs/2021-June/msg00074.html
For v3, at first I attempted to have errors related to file handle
generation (name_to_handle_at()) be returned to the guest unless they
are cases where file name generation is simply not supported, and only
then do a fallback to an O_PATH FD, as Vivek has suggested.
However, I found that to be rather complicated. (Always falling back is
just simpler.) Furthermore, because we believe that name_to_handle_at()
can rarely fail except for EOPNOTSUPP, there should be little difference
in practice.
Therefore, in v3, I kept the v2 model of always falling back to an
O_PATH FD when an error occurred during handle generation.
What did change in v3 is the following:
- I added patch 1, because f1aa1774dfb happened in the meantime, and
this is basically what we did for virtiofsd-rs in the form of
31e7ac63944 (virtiofsd-rs commit hash)
- Patch 4: In lookup_name(), I noticed that I failed to invoke
lo_inode_put() to match the lo_inode() from the beginning of the
function in all error paths. Fixed by adding a common error path.
- Patch 6: Mostly contextual rebase conflicts (partly because of patch
1), but also one functional change: I Dropped the `assert(fd >= 0)`
under `if (open_inode)` in lo_setxattr(), because `fd` is dropped by
this patch (and `inode_fd` is used regardless of the value of
`open_inode` we can’t assert anything similar on it).
- Patch 8:
- Fixed the condition to reject results found by st_ino lookup.
- st_ino on its own is only a valid identifier/key if we have an
O_PATH fd for its respective lo_inode, because otherwise the inode
may be unlinked and its st_ino might be reused by some new inode
- It does not matter whether lo_find()’s caller has supplied a file
handle for a prior lookup by handle or not, so drop that part of
the condition
- Semantically, it does not matter whether the lo_inode has a file
handle or not – what matters is whether it has an O_PATH fd or
not. (The two are linked by a `handle <=> !fd` condition, so that
part wasn’t technically wrong, just semantically.)
- In accordance with the last point, I rewrote the comment
explaining why we have to reject such results.
- Rebase conflict in lookup_name() because of the fix in patch 4
- Patch 9:
- Non-functional change in lo_do_lookup() to separate the
get_file_handle()/openat() part from the do_statx() calls (and have
the do_statx() calls be side by side) – as a side effect, this makes
the diff to master slightly smaller.
- Rebase conflict in lookup_name() because of the fix in patch 4
- Patch 10:
- Rebase conflict in lookup_name() because of the fix in patch 4
Max Reitz (10):
virtiofsd: Limit setxattr()'s creds-dropped region
virtiofsd: Add TempFd structure
virtiofsd: Use lo_inode_open() instead of openat()
virtiofsd: Add lo_inode_fd() helper
virtiofsd: Let lo_fd() return a TempFd
virtiofsd: Let lo_inode_open() return a TempFd
virtiofsd: Add lo_inode.fhandle
virtiofsd: Add inodes_by_handle hash table
virtiofsd: Optionally fill lo_inode.fhandle
virtiofsd: Add lazy lo_do_find()
tools/virtiofsd/helper.c | 3 +
tools/virtiofsd/passthrough_ll.c | 869 +++++++++++++++++++++-----
tools/virtiofsd/passthrough_seccomp.c | 2 +
3 files changed, 720 insertions(+), 154 deletions(-)
--
2.31.1