From nobody Mon Feb 9 09:51:52 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1645119713968579.2210439553982; Thu, 17 Feb 2022 09:41:53 -0800 (PST) Received: from localhost ([::1]:36848 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nKkmu-0004CS-QU for importer@patchew.org; Thu, 17 Feb 2022 12:41:52 -0500 Received: from eggs.gnu.org ([209.51.188.92]:60768) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nKkaz-0008Tw-Nr for qemu-devel@nongnu.org; Thu, 17 Feb 2022 12:29:33 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]:33214) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nKkax-0004LK-II for qemu-devel@nongnu.org; Thu, 17 Feb 2022 12:29:33 -0500 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-325-zum8f-8jOn6ZJej_tNJ-gA-1; Thu, 17 Feb 2022 12:29:28 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CC7991091DA0; Thu, 17 Feb 2022 17:29:27 +0000 (UTC) Received: from dgilbert-t580.localhost (unknown [10.39.194.54]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3B8868463A; Thu, 17 Feb 2022 17:28:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1645118970; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Q+09v5qD27UrCshzrExA6MaEJ6WNs+fLBm0Lpz2Ours=; b=bWcRZP41+pihrQoWDYfTH/NnZCzTHnk1VVUOqhS1U4ZeJFEJ1jM2D52+PSjS46ZC7Y5GZm qVTY31B/LtOHMYCMCl12XZpAFWPjyV3ivUps4ZGAthO3NH9nXKNXaClirY4UP7S4Ly2X8O idAxbcMOexwyRhv2jYC+0ZnFaDvhE0k= X-MC-Unique: zum8f-8jOn6ZJej_tNJ-gA-1 From: "Dr. David Alan Gilbert (git)" To: qemu-devel@nongnu.org, vgoyal@redhat.com, groug@kaod.org, sebastian.hasler@stuvus.uni-stuttgart.de Subject: [PULL 10/12] virtiofsd: Create new file using O_TMPFILE and set security context Date: Thu, 17 Feb 2022 17:24:58 +0000 Message-Id: <20220217172500.60500-11-dgilbert@redhat.com> In-Reply-To: <20220217172500.60500-1-dgilbert@redhat.com> References: <20220217172500.60500-1-dgilbert@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dgilbert@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=dgilbert@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -28 X-Spam_score: -2.9 X-Spam_bar: -- X-Spam_report: (-2.9 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.082, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: virtio-fs@redhat.com, stefanha@redhat.com, slp@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1645119716690100001 Content-Type: text/plain; charset="utf-8" From: Vivek Goyal If guest and host policies can't work with each other, then guest security context (selinux label) needs to be set into an xattr. Say remap guest security.selinux xattr to trusted.virtiofs.security.selinux. That means setting "fscreate" is not going to help as that's ony useful for security.selinux xattr on host. So we need another method which is atomic. Use O_TMPFILE to create new file, set xattr and then linkat() to proper place. But this works only for regular files. So dir, symlinks will continue to be non-atomic. Also if host filesystem does not support O_TMPFILE, we fallback to non-atomic behavior. Reviewed-by: Dr. David Alan Gilbert Signed-off-by: Vivek Goyal Message-Id: <20220208204813.682906-10-vgoyal@redhat.com> Signed-off-by: Dr. David Alan Gilbert --- tools/virtiofsd/passthrough_ll.c | 80 ++++++++++++++++++++++++++++---- 1 file changed, 72 insertions(+), 8 deletions(-) diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough= _ll.c index e1c45bb420..f5d584e18a 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -2153,14 +2153,29 @@ static int lo_do_open(struct lo_data *lo, struct lo= _inode *inode, =20 static int do_create_nosecctx(fuse_req_t req, struct lo_inode *parent_inod= e, const char *name, mode_t mode, - struct fuse_file_info *fi, int *open_fd) + struct fuse_file_info *fi, int *open_fd, + bool tmpfile) { int err, fd; struct lo_cred old =3D {}; struct lo_data *lo =3D lo_data(req); int flags; =20 - flags =3D fi->flags | O_CREAT | O_EXCL; + if (tmpfile) { + flags =3D fi->flags | O_TMPFILE; + /* + * Don't use O_EXCL as we want to link file later. Also reset O_CR= EAT + * otherwise openat() returns -EINVAL. + */ + flags &=3D ~(O_CREAT | O_EXCL); + + /* O_TMPFILE needs either O_RDWR or O_WRONLY */ + if ((flags & O_ACCMODE) =3D=3D O_RDONLY) { + flags |=3D O_RDWR; + } + } else { + flags =3D fi->flags | O_CREAT | O_EXCL; + } =20 err =3D lo_change_cred(req, &old, lo->change_umask); if (err) { @@ -2191,7 +2206,7 @@ static int do_create_secctx_fscreate(fuse_req_t req, return err; } =20 - err =3D do_create_nosecctx(req, parent_inode, name, mode, fi, &fd); + err =3D do_create_nosecctx(req, parent_inode, name, mode, fi, &fd, fal= se); =20 close_reset_proc_fscreate(fscreate_fd); if (!err) { @@ -2200,6 +2215,44 @@ static int do_create_secctx_fscreate(fuse_req_t req, return err; } =20 +static int do_create_secctx_tmpfile(fuse_req_t req, + struct lo_inode *parent_inode, + const char *name, mode_t mode, + struct fuse_file_info *fi, + const char *secctx_name, int *open_fd) +{ + int err, fd =3D -1; + struct lo_data *lo =3D lo_data(req); + char procname[64]; + + err =3D do_create_nosecctx(req, parent_inode, ".", mode, fi, &fd, true= ); + if (err) { + return err; + } + + err =3D fsetxattr(fd, secctx_name, req->secctx.ctx, req->secctx.ctxlen= , 0); + if (err) { + err =3D errno; + goto out; + } + + /* Security context set on file. Link it in place */ + sprintf(procname, "%d", fd); + FCHDIR_NOFAIL(lo->proc_self_fd); + err =3D linkat(AT_FDCWD, procname, parent_inode->fd, name, + AT_SYMLINK_FOLLOW); + err =3D err =3D=3D -1 ? errno : 0; + FCHDIR_NOFAIL(lo->root.fd); + +out: + if (!err) { + *open_fd =3D fd; + } else if (fd !=3D -1) { + close(fd); + } + return err; +} + static int do_create_secctx_noatomic(fuse_req_t req, struct lo_inode *parent_inode, const char *name, mode_t mode, @@ -2208,7 +2261,7 @@ static int do_create_secctx_noatomic(fuse_req_t req, { int err =3D 0, fd =3D -1; =20 - err =3D do_create_nosecctx(req, parent_inode, name, mode, fi, &fd); + err =3D do_create_nosecctx(req, parent_inode, name, mode, fi, &fd, fal= se); if (err) { goto out; } @@ -2250,20 +2303,31 @@ static int do_lo_create(fuse_req_t req, struct lo_i= node *parent_inode, if (secctx_enabled) { /* * If security.selinux has not been remapped and selinux is enable= d, - * use fscreate to set context before file creation. - * Otherwise fallback to non-atomic method of file creation - * and xattr settting. + * use fscreate to set context before file creation. If not, use + * tmpfile method for regular files. Otherwise fallback to + * non-atomic method of file creation and xattr settting. */ if (!mapped_name && lo->use_fscreate) { err =3D do_create_secctx_fscreate(req, parent_inode, name, mod= e, fi, open_fd); goto out; + } else if (S_ISREG(mode)) { + err =3D do_create_secctx_tmpfile(req, parent_inode, name, mode= , fi, + ctxname, open_fd); + /* + * If filesystem does not support O_TMPFILE, fallback to non-a= tomic + * method. + */ + if (!err || err !=3D EOPNOTSUPP) { + goto out; + } } =20 err =3D do_create_secctx_noatomic(req, parent_inode, name, mode, f= i, ctxname, open_fd); } else { - err =3D do_create_nosecctx(req, parent_inode, name, mode, fi, open= _fd); + err =3D do_create_nosecctx(req, parent_inode, name, mode, fi, open= _fd, + false); } =20 out: --=20 2.35.1