9pfs: fix regression regarding CVE-2023-2861

The released fix for this CVE:

f6b0de53fb8 ("9pfs: prevent opening special files (CVE-2023-2861)")

caused a regression with security_model=passthroug

9pfs: fix regression regarding CVE-2023-2861

The released fix for this CVE:

f6b0de53fb8 ("9pfs: prevent opening special files (CVE-2023-2861)")

caused a regression with security_model=passthrough. When handling a
'Tmknod' request there was a side effect that 'Tmknod' request could fail
as 9p server was trying to adjust permissions:

#6 close_if_special_file (fd=30) at ../hw/9pfs/9p-util.h:140
#7 openat_file (mode=<optimized out>, flags=2228224,
name=<optimized out>, dirfd=<optimized out>) at
../hw/9pfs/9p-util.h:181
#8 fchmodat_nofollow (dirfd=dirfd@entry=31,
name=name@entry=0x5555577ea6e0 "mysocket", mode=493) at
../hw/9pfs/9p-local.c:360
#9 local_set_cred_passthrough (credp=0x7ffbbc4ace10, name=0x5555577ea6e0
"mysocket", dirfd=31, fs_ctx=0x55555811f528) at
../hw/9pfs/9p-local.c:457
#10 local_mknod (fs_ctx=0x55555811f528, dir_path=<optimized out>,
name=0x5555577ea6e0 "mysocket", credp=0x7ffbbc4ace10) at
../hw/9pfs/9p-local.c:702
#11 v9fs_co_mknod (pdu=pdu@entry=0x555558121140,
fidp=fidp@entry=0x5555574c46c0, name=name@entry=0x7ffbbc4aced0,
uid=1000, gid=1000, dev=<optimized out>, mode=49645,
stbuf=0x7ffbbc4acef0) at ../hw/9pfs/cofs.c:205
#12 v9fs_mknod (opaque=0x555558121140) at ../hw/9pfs/9p.c:3711

That's because server was opening the special file to adjust permissions,
however it was using O_PATH and it would have not returned the file
descriptor to guest. So the call to close_if_special_file() on that branch
was incorrect.

Let's lift the restriction introduced by f6b0de53fb8 such that it would
allow to open special files on host if O_PATH flag is supplied, not only
for 9p server's own operations as described above, but also for any client
'Topen' request.

It is safe to allow opening special files with O_PATH on host, because
O_PATH only allows path based operations on the resulting file descriptor
and prevents I/O such as read() and write() on that file descriptor.

Fixes: f6b0de53fb8 ("9pfs: prevent opening special files (CVE-2023-2861)")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2337
Reported-by: Dirk Herrendorfer <d.herrendoerfer@de.ibm.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Tested-by: Dirk Herrendorfer <d.herrendoerfer@de.ibm.com>
Message-Id: <E1tJWbk-007BH4-OB@kylie.crudebyte.com>
(cherry picked from commit d06a9d843fb65351e0e4dc42ba0c404f01ea92b3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

show more ...

Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging

trivial-patches 25-07-2023

# -----BEGIN PGP SIGNATURE-----
#
# iQFDBAABCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAmS/2vgPHG1

Merge tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu into staging

trivial-patches 25-07-2023

# -----BEGIN PGP SIGNATURE-----
#
# iQFDBAABCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAmS/2vgPHG1qdEB0bHMu
# bXNrLnJ1AAoJEHAbT2saaT5ZT6MH/j5L3P9yLV6TqW+DkhCppbmBygqxz2SbQjwl
# dVVfSLpJNbtpvLfEnvpb+ms+ZdaOCGj8IofAVf9w0VaIYJFP1srFphY/1x+RYVnw
# kDjCLzuLNSCAdCV2HPqsrMKzdFctZ/MfK+QzfcGik9IvmCNPYWOhpmevs+xAIEJd
# b0xk152zy2fIIC3vKK+3KcM7MFkqZWJ6z0pzUZAyEBS+aQyuZNPJ/cO8xMXotbP2
# jqv12SNGV2GLH1acvsd8GQwDB9MamstB4r8NWpSpT/AyPwOgmMR+j5B8a/WEBJCs
# OcEW/pEyrumSygqf9z01YoNJQUCSvSpg5aq4+S2cRDslmUgFDmw=
# =wCoQ
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 25 Jul 2023 15:23:52 BST
# gpg: using RSA key 7B73BAD68BE7A2C289314B22701B4F6B1A693E59
# gpg: issuer "mjt@tls.msk.ru"
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>" [full]
# gpg: aka "Michael Tokarev <mjt@corpit.ru>" [full]
# gpg: aka "Michael Tokarev <mjt@debian.org>" [full]
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
# Subkey fingerprint: 7B73 BAD6 8BE7 A2C2 8931 4B22 701B 4F6B 1A69 3E59

* tag 'pull-trivial-patches' of https://gitlab.com/mjt0k/qemu:
qapi: Correct "eg." to "e.g." in documentation
hw/pci: add comment to explain checking for available function 0 in pci hotplug
target/tricore: Rename tricore_feature
hw/9pfs: spelling fixes
other architectures: spelling fixes
arm: spelling fixes
s390x: spelling fixes
migration: spelling fixes

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

hw/9pfs: spelling fixes

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

Merge tag 'pull-9p-20230608' of https://github.com/cschoenebeck/qemu into staging

* Fix for CVE-2023-2861.

# -----BEGIN PGP SIGNATURE-----
#
# iQJLBAABCgA1FiEEltjREM96+AhPiFkBNMK1h2Wkc5UFAmSB7yMXHH

Merge tag 'pull-9p-20230608' of https://github.com/cschoenebeck/qemu into staging

* Fix for CVE-2023-2861.

# -----BEGIN PGP SIGNATURE-----
#
# iQJLBAABCgA1FiEEltjREM96+AhPiFkBNMK1h2Wkc5UFAmSB7yMXHHFlbXVfb3Nz
# QGNydWRlYnl0ZS5jb20ACgkQNMK1h2Wkc5XykxAAzQb+d2clDVyj3Y3UqcB/YS7X
# ijxoZph9ObweyPiP2IThjsAcvNPnVR2Bc8bgEpihRkpEYGNLicw5BSk1SjqOgZvg
# buDRc8bOvOOrKqvYEBXbzaS/OHVIdozn8h+WNjX0jSsdUd4uq9vcwX+uqshkPwl+
# L4Ipx7ChzmHpaEigkVLh1biQEkLPRCTplny5JK/ZzvAmGVaqYb1usbSx//OVu7k+
# gBuBALmvJQst3iz/1e+bmVg+JhyxRqcHfCJuuWxaOLIyiZME3ZhTn7tp+2ilivRj
# n4/AGglTAv+yaVwRi6XEca7GND23HqFs26RPGgZrIhsAkFV03Iz3IT/BJ3Psy3Qv
# 7KYE4FhhReDnNU5JNfCbNxUPWVilwLY83BXVL9I0CADbAHgTqRSnataQ/PY26VQp
# BqKJKmxjAEnmsGVZSgRuCDDOhOBlPUPMRFINCUp2b0qujsUQaV5XHUlQ3qRfjUBc
# JQCy1LrxcSINg7oTRPZczNcrb9iWtaOfD24OGGeW1O6ihCAV0CYaRSmHUhFVPOPR
# uu4LWnbSToNgfNxBXaMk3vHA0SzWxJl7zBi53GVRvn8ciiTkAPVIoZLf0W8jE47X
# 5nkzfTpNdjnQJlaKAfDx+YcAyBUPxiknJjAJmjF/mquAtW8c9XbsCVJpyUgS4Lna
# GNfRoCUHQ6+6ui+/zM0=
# =6Vxp
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 08 Jun 2023 08:09:23 AM PDT
# gpg: using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395
# gpg: issuer "qemu_oss@crudebyte.com"
# gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: ECAB 1A45 4014 1413 BA38 4926 30DB 47C3 A012 D5F4
# Subkey fingerprint: 96D8 D110 CF7A F808 4F88 5901 34C2 B587 65A4 7395

* tag 'pull-9p-20230608' of https://github.com/cschoenebeck/qemu:
9pfs: prevent opening special files (CVE-2023-2861)

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

9pfs: prevent opening special files (CVE-2023-2861)

The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
m

9pfs: prevent opening special files (CVE-2023-2861)

The 9p protocol does not specifically define how server shall behave when
client tries to open a special file, however from security POV it does
make sense for 9p server to prohibit opening any special file on host side
in general. A sane Linux 9p client for instance would never attempt to
open a special file on host side, it would always handle those exclusively
on its guest side. A malicious client however could potentially escape
from the exported 9p tree by creating and opening a device file on host
side.

With QEMU this could only be exploited in the following unsafe setups:

- Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
security model.

or

- Using 9p 'proxy' fs driver (which is running its helper daemon as
root).

These setups were already discouraged for safety reasons before,
however for obvious reasons we are now tightening behaviour on this.

Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>

show more ...

Merge tag 'pull-9p-20221223' of https://github.com/cschoenebeck/qemu into staging

9pfs: Windows host prep, cleanup

* Next preparatory patches for upcoming Windows host support.

* Cleanup patches.

Merge tag 'pull-9p-20221223' of https://github.com/cschoenebeck/qemu into staging

9pfs: Windows host prep, cleanup

* Next preparatory patches for upcoming Windows host support.

* Cleanup patches.

# gpg: Signature made Fri 23 Dec 2022 11:04:26 GMT
# gpg: using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395
# gpg: issuer "qemu_oss@crudebyte.com"
# gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: ECAB 1A45 4014 1413 BA38 4926 30DB 47C3 A012 D5F4
# Subkey fingerprint: 96D8 D110 CF7A F808 4F88 5901 34C2 B587 65A4 7395

* tag 'pull-9p-20221223' of https://github.com/cschoenebeck/qemu:
hw/9pfs: Replace the direct call to xxxat() APIs with a wrapper
hw/9pfs: Drop unnecessary *xattr wrapper API declarations
qemu/xattr.h: Exclude <sys/xattr.h> for Windows
MAINTAINERS: Add 9p test client to section "virtio-9p"
9pfs: Fix some return statements in the synth backend

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

hw/9pfs: Replace the direct call to xxxat() APIs with a wrapper

xxxat() APIs are only available on POSIX platforms. For future
extension to Windows, let's replace the direct call to xxxat()
APIs wit

hw/9pfs: Replace the direct call to xxxat() APIs with a wrapper

xxxat() APIs are only available on POSIX platforms. For future
extension to Windows, let's replace the direct call to xxxat()
APIs with a wrapper.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Message-Id: <20221219102022.2167736-4-bin.meng@windriver.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

show more ...

hw/9pfs: Drop unnecessary *xattr wrapper API declarations

These are not used anywhere in the source tree. Drop them.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Greg Kurz <groug@k

hw/9pfs: Drop unnecessary *xattr wrapper API declarations

These are not used anywhere in the source tree. Drop them.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <20221219102022.2167736-3-bin.meng@windriver.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

show more ...

Merge tag 'pull-9p-20220501' of https://github.com/cschoenebeck/qemu into staging

9pfs: various fixes

* macOS: Fix recently (in QEMU 7.0) added 9p support for macOS hosts.

* Tests: Fix inode seque

Merge tag 'pull-9p-20220501' of https://github.com/cschoenebeck/qemu into staging

9pfs: various fixes

* macOS: Fix recently (in QEMU 7.0) added 9p support for macOS hosts.

* Tests: Fix inode sequencing in 'synth' driver.

# -----BEGIN PGP SIGNATURE-----
#
# iQJLBAABCgA1FiEEltjREM96+AhPiFkBNMK1h2Wkc5UFAmJuhqEXHHFlbXVfb3Nz
# QGNydWRlYnl0ZS5jb20ACgkQNMK1h2Wkc5U4fBAAofSRlDuxC0h2irHy0tRRGv+W
# rH1gDVm0jzFChUumarUOs5/hZjG5C4H9nFA0g/6di9bSoiubtA839w/dDmUYV7Xn
# S/8Jvauk/zZley1R1AKK5BEtOjJTlEYkbLqR1i9JPUrUk3Q9A+/f0FhgnW8NU2zu
# KhqbzYZnUXb3P1RyRm4cTh9UCr904OI30mdqiM9U+oJag1Zd3us/Q9sPdqDCYs8e
# vD4UXqG8c5UYpEN6C/ag2p3oJpAzpRa3CLkT5U59j/LhNgVtBPG/Pm5Q9qKHrxiN
# 3p/+36NWLNXMtCKsU4Tf9TsA+tEB1G+QfObC5g8yM0e12dInW7K8KKUIOO7lE5Eq
# a8aXZZC4yjW6y9vml0tC2E8p3n7n3r4MdLIrdY5VoOk72QLLBORq547DN/c5vt8A
# Qsj2eZTvkrZNVmpQKpanwc8nsavslenFmQVVo+E6kuEOhTJpBeahsEx/ReH4D9rg
# Hmq9O+xnPXodrj4DI1uqdwxN37A6bAn/4UAnQiPosnbzn+a6rZ3TZZ7x6ZZVwVub
# MyPdWSwu0JujcD8Goina7f12tDOt2GaYrbegH4AG3B6kpMUQD6vwzcAFwZMP/0zZ
# XMQnhR/lrvpsuBymuNA8cHRjccK6uGHxCEbstSsvKJCw0GqSonvTzMKY43HtgWmz
# XjQe3jVk2+U5Aw8umTU=
# =KBDF
# -----END PGP SIGNATURE-----
# gpg: Signature made Sun 01 May 2022 06:09:53 AM PDT
# gpg: using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395
# gpg: issuer "qemu_oss@crudebyte.com"
# gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: ECAB 1A45 4014 1413 BA38 4926 30DB 47C3 A012 D5F4
# Subkey fingerprint: 96D8 D110 CF7A F808 4F88 5901 34C2 B587 65A4 7395

* tag 'pull-9p-20220501' of https://github.com/cschoenebeck/qemu:
9pfs: fix qemu_mknodat() to always return -1 on error on macOS host
9pfs: fix removing non-existent POSIX ACL xattr on macOS host
9pfs: fix wrong errno being sent to Linux client on macOS host
9pfs: fix wrong encoding of rdev field in Rgetattr on macOS
9pfs: fix qemu_mknodat(S_IFSOCK) on macOS
9pfs: fix qemu_mknodat(S_IFREG) on macOS
9pfs: fix inode sequencing in 'synth' driver

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

show more ...

9pfs: fix wrong errno being sent to Linux client on macOS host

Linux and macOS only share some errno definitions with equal macro
name and value. In fact most mappings for errno are completely
diffe

9pfs: fix wrong errno being sent to Linux client on macOS host

Linux and macOS only share some errno definitions with equal macro
name and value. In fact most mappings for errno are completely
different on the two systems.

This patch converts some important errno values from macOS host to
corresponding Linux errno values before eventually sending such error
codes along with 'Rlerror' replies (if 9p2000.L is used that is). Not
having translated errnos before violated the 9p2000.L protocol spec,
which says:

"
size[4] Rlerror tag[2] ecode[4]

... ecode is a numerical Linux errno.
"

https://github.com/chaos/diod/wiki/protocol#lerror----return-error-code

This patch fixes a bunch of misbehaviours when running a Linux client
on macOS host. For instance this patch fixes:

mount -t 9p -o posixacl ...

on Linux guest if security_mode=mapped was used for 9p server, which
refused to mount successfully, because macOS returned ENOATTR==93
when client tried to retrieve POSIX ACL xattrs, because errno 93
is defined as EPROTONOSUPPORT==93 on Linux, so Linux client believed
that xattrs were not supported by filesystem on host in general.

Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Link: https://lore.kernel.org/qemu-devel/20220421124835.3e664669@bahia/
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-Id: <b322ab298a62069e527d2b032028bdc9115afacd.1651228001.git.qemu_oss@crudebyte.com>

show more ...

9pfs: fix wrong encoding of rdev field in Rgetattr on macOS

The 'rdev' field in 9p reponse 'Rgetattr' is of type dev_t,
which is actually a system dependant type and therefore both the
size and enco

9pfs: fix wrong encoding of rdev field in Rgetattr on macOS

The 'rdev' field in 9p reponse 'Rgetattr' is of type dev_t,
which is actually a system dependant type and therefore both the
size and encoding of dev_t differ between macOS and Linux.

So far we have sent 'rdev' to guest in host's dev_t format as-is,
which caused devices to appear with wrong device numbers on
guests running on macOS hosts, eventually leading to various
misbehaviours on guest in conjunction with device files.

This patch fixes this issue by converting the device number from
host's dev_t format to Linux dev_t format. As 9p request
'Tgettattr' is exclusive to protocol version 9p2000.L, it should
be fair to assume that 'rdev' field is assumed to be in Linux dev_t
format by client as well.

Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Link: https://lore.kernel.org/qemu-devel/20220421093056.5ab1e7ed@bahia/
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-Id: <b3a430c2c382ba69a7405e04c0b090ab0d86f17e.1651228001.git.qemu_oss@crudebyte.com>

show more ...

Merge remote-tracking branch 'remotes/cschoenebeck/tags/pull-9p-20220307' into staging

9pfs: introduce macOS host support and cleanup

* Add support for Darwin (a.k.a. macOS) hosts.

* Code cleanup

Merge remote-tracking branch 'remotes/cschoenebeck/tags/pull-9p-20220307' into staging

9pfs: introduce macOS host support and cleanup

* Add support for Darwin (a.k.a. macOS) hosts.

* Code cleanup (move qemu_dirent_dup() from osdep -> 9p-util).

* API doc cleanup (convert Doxygen -> kerneldoc format).

# gpg: Signature made Mon 07 Mar 2022 11:14:45 GMT
# gpg: using RSA key 96D8D110CF7AF8084F88590134C2B58765A47395
# gpg: issuer "qemu_oss@crudebyte.com"
# gpg: Good signature from "Christian Schoenebeck <qemu_oss@crudebyte.com>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: ECAB 1A45 4014 1413 BA38 4926 30DB 47C3 A012 D5F4
# Subkey fingerprint: 96D8 D110 CF7A F808 4F88 5901 34C2 B587 65A4 7395

* remotes/cschoenebeck/tags/pull-9p-20220307:
fsdev/p9array.h: convert Doxygen -> kerneldoc format
9pfs/coth.h: drop Doxygen format on v9fs_co_run_in_worker()
9pfs/9p-util.h: convert Doxygen -> kerneldoc format
9pfs/9p.c: convert Doxygen -> kerneldoc format
9pfs/codir.c: convert Doxygen -> kerneldoc format
9pfs/9p.h: convert Doxygen -> kerneldoc format
9pfs: drop Doxygen format from qemu_dirent_dup() API comment
9pfs: move qemu_dirent_dup() from osdep -> 9p-util
9p: darwin: meson: Allow VirtFS on Darwin
9p: darwin: Adjust assumption on virtio-9p-test
9p: darwin: Implement compatibility for mknodat
9p: darwin: Compatibility for f/l*xattr
9p: darwin: *xattr_nofollow implementations
9p: darwin: Move XATTR_SIZE_MAX->P9_XATTR_SIZE_MAX
9p: darwin: Ignore O_{NOATIME, DIRECT}
9p: darwin: Handle struct dirent differences
9p: darwin: Handle struct stat(fs) differences
9p: Rename 9p-util -> 9p-util-linux
9p: linux: Fix a couple Linux assumptions

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

9pfs/9p-util.h: convert Doxygen -> kerneldoc format

API doc comments in QEMU are supposed to be in kerneldoc format, so
convert API doc comments from Doxygen format to kerneldoc format.

Signed-off-

9pfs/9p-util.h: convert Doxygen -> kerneldoc format

API doc comments in QEMU are supposed to be in kerneldoc format, so
convert API doc comments from Doxygen format to kerneldoc format.

Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <dc1c4a85e233f5884ee5f6ec96b87db286083df7.1646314856.git.qemu_oss@crudebyte.com>

show more ...

9pfs: drop Doxygen format from qemu_dirent_dup() API comment

API doc comments in QEMU are supposed to be in kerneldoc format, so drop
occurrences of "@c" which is Doxygen format for fixed-width text

9pfs: drop Doxygen format from qemu_dirent_dup() API comment

API doc comments in QEMU are supposed to be in kerneldoc format, so drop
occurrences of "@c" which is Doxygen format for fixed-width text.

Link: https://lore.kernel.org/qemu-devel/CAFEAcA89+ENOM6x19OEF53Kd2DWkhN5SN21Va0D7yepJSa3Jyg@mail.gmail.com/
Based-on: <E1nP9Oz-00043L-KJ@lizzy.crudebyte.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <E1nPTwO-0006pl-Np@lizzy.crudebyte.com>

show more ...

9pfs: move qemu_dirent_dup() from osdep -> 9p-util

Function qemu_dirent_dup() is currently only used by 9pfs server, so move
it from project global header osdep.h to 9pfs specific header 9p-util.h.

9pfs: move qemu_dirent_dup() from osdep -> 9p-util

Function qemu_dirent_dup() is currently only used by 9pfs server, so move
it from project global header osdep.h to 9pfs specific header 9p-util.h.

Link: https://lore.kernel.org/qemu-devel/CAFEAcA_=HAUNomKD2wurSVaAHa5mrk22A1oHKLWUDjk7v6Khmg@mail.gmail.com/
Based-on: <20220227223522.91937-12-wwcohen@gmail.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <E1nP9Oz-00043L-KJ@lizzy.crudebyte.com>

show more ...

9p: darwin: Implement compatibility for mknodat

Darwin does not support mknodat. However, to avoid race conditions
with later setting the permissions, we must avoid using mknod on
the full path inst

9p: darwin: Implement compatibility for mknodat

Darwin does not support mknodat. However, to avoid race conditions
with later setting the permissions, we must avoid using mknod on
the full path instead. We could try to fchdir, but that would cause
problems if multiple threads try to call mknodat at the same time.
However, luckily there is a solution: Darwin includes a function
that sets the cwd for the current thread only.
This should suffice to use mknod safely.

This function (pthread_fchdir_np) is protected by a check in
meson in a patch later in this series.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Michael Roitzsch <reactorcontrol@icloud.com>
[Will Cohen: - Adjust coding style
- Replace clang references with gcc
- Note radar filed with Apple for missing syscall
- Replace direct syscall with pthread_fchdir_np and
adjust patch notes accordingly
- Declare pthread_fchdir_np with
- __attribute__((weak_import)) to allow checking for
its presence before usage
- Move declarations above cplusplus guard
- Add CONFIG_PTHREAD_FCHDIR_NP to meson and check for
presence in 9p-util
- Rebase to apply cleanly on top of the 2022-02-10
changes to 9pfs
- Fix line over 90 characters formatting error]
Signed-off-by: Will Cohen <wwcohen@gmail.com>
Message-Id: <20220227223522.91937-10-wwcohen@gmail.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

show more ...

9p: darwin: Compatibility for f/l*xattr

On darwin `fgetxattr` takes two extra optional arguments,
and the l* variants are not defined (in favor of an extra
flag to the regular variants.

Signed-off-

9p: darwin: Compatibility for f/l*xattr

On darwin `fgetxattr` takes two extra optional arguments,
and the l* variants are not defined (in favor of an extra
flag to the regular variants.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
[Michael Roitzsch: - Rebase for NixOS]
Signed-off-by: Michael Roitzsch <reactorcontrol@icloud.com>
Signed-off-by: Will Cohen <wwcohen@gmail.com>
Message-Id: <20220227223522.91937-9-wwcohen@gmail.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

show more ...

9p: darwin: Ignore O_{NOATIME, DIRECT}

Darwin doesn't have either of these flags. Darwin does have
F_NOCACHE, which is similar to O_DIRECT, but has different
enough semantics that other projects don

9p: darwin: Ignore O_{NOATIME, DIRECT}

Darwin doesn't have either of these flags. Darwin does have
F_NOCACHE, which is similar to O_DIRECT, but has different
enough semantics that other projects don't generally map
them automatically. In any case, we don't support O_DIRECT
on Linux at the moment either.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
[Michael Roitzsch: - Rebase for NixOS]
Signed-off-by: Michael Roitzsch <reactorcontrol@icloud.com>
[Will Cohen: - Adjust coding style]
Signed-off-by: Will Cohen <wwcohen@gmail.com>
Message-Id: <20220227223522.91937-6-wwcohen@gmail.com>
[C.S.: - Fix compiler warning "unused label 'again'". ]
Link: https://lore.kernel.org/qemu-devel/11201492.CjeqJxXfGd@silver/
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

show more ...

9p: darwin: Handle struct dirent differences

On darwin d_seekoff exists, but is optional and does not seem to
be commonly used by file systems. Use `telldir` instead to obtain
the seek offset and in

9p: darwin: Handle struct dirent differences

On darwin d_seekoff exists, but is optional and does not seem to
be commonly used by file systems. Use `telldir` instead to obtain
the seek offset and inject it into d_seekoff, and create a
qemu_dirent_off helper to call it appropriately when appropriate.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
[Michael Roitzsch: - Rebase for NixOS]
Signed-off-by: Michael Roitzsch <reactorcontrol@icloud.com>
[Will Cohen: - Adjust to pass testing
- Ensure that d_seekoff is filled using telldir
on darwin, and create qemu_dirent_off helper
to decide which to access]
[Fabian Franz: - Add telldir error handling for darwin]
Signed-off-by: Fabian Franz <fabianfranz.oss@gmail.com>
[Will Cohen: - Ensure that telldir error handling uses
signed int
- Cleanup of telldir error handling
- Remove superfluous error handling for
qemu_dirent_off
- Adjust formatting
- Use qemu_dirent_off in codir.c
- Declare qemu_dirent_off as static to prevent
linker error
- Move qemu_dirent_off above the end-of-file
endif to fix compilation]
Signed-off-by: Will Cohen <wwcohen@gmail.com>
Message-Id: <20220227223522.91937-5-wwcohen@gmail.com>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>

show more ...

Merge remote-tracking branch 'remotes/gkurz/tags/9p-next-2020-05-14' into staging

Changes:
- Christian Schoenebeck is now co-maintainer for 9pfs
- relax checks for O_NOATIME
- minor documentation up

Merge remote-tracking branch 'remotes/gkurz/tags/9p-next-2020-05-14' into staging

Changes:
- Christian Schoenebeck is now co-maintainer for 9pfs
- relax checks for O_NOATIME
- minor documentation updates

# gpg: Signature made Thu 14 May 2020 08:14:37 BST
# gpg: using RSA key B4828BAF943140CEF2A3491071D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>" [full]
# gpg: aka "Gregory Kurz <gregory.kurz@free.fr>" [full]
# gpg: aka "[jpeg image of size 3330]" [full]
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/9p-next-2020-05-14:
xen-9pfs: Fix log messages of reply errors
9pfs: local: ignore O_NOATIME if we don't have permissions
qemu-options.hx: 9p: clarify -virtfs vs. -fsdev
MAINTAINERS: Upgrade myself as 9pfs co-maintainer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

9pfs: local: ignore O_NOATIME if we don't have permissions

QEMU's local 9pfs server passes through O_NOATIME from the client. If
the QEMU process doesn't have permissions to use O_NOATIME (namely, i

9pfs: local: ignore O_NOATIME if we don't have permissions

QEMU's local 9pfs server passes through O_NOATIME from the client. If
the QEMU process doesn't have permissions to use O_NOATIME (namely, it
does not own the file nor have the CAP_FOWNER capability), the open will
fail. This causes issues when from the client's point of view, it
believes it has permissions to use O_NOATIME (e.g., a process running as
root in the virtual machine). Additionally, overlayfs on Linux opens
files on the lower layer using O_NOATIME, so in this case a 9pfs mount
can't be used as a lower layer for overlayfs (cf.
https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c
and https://github.com/NixOS/nixpkgs/issues/54509).

Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g.,
network filesystems. open(2) notes that O_NOATIME "may not be effective
on all filesystems. One example is NFS, where the server maintains the
access time." This means that we can honor it when possible but fall
back to ignoring it.

Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Mostly bug fixes and code sanitization motivated by the upcoming
support for Darwin hosts. Thanks to Keno Fischer.

# gpg:

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Mostly bug fixes and code sanitization motivated by the upcoming
support for Darwin hosts. Thanks to Keno Fischer.

# gpg: Signature made Thu 07 Jun 2018 11:30:56 BST
# gpg: using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg: aka "Gregory Kurz <gregory.kurz@free.fr>"
# gpg: aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/for-upstream:
9p: xattr: Properly translate xattrcreate flags
9p: Properly check/translate flags in unlinkat
9p: local: Avoid warning if FS_IOC_GETVERSION is not defined
9p: xattr: Fix crashes due to free of uninitialized value
9p: Move a couple xattr functions to 9p-util
9p: local: Properly set errp in fstatfs error path
9p: proxy: Fix size passed to `connect`

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

9p: Move a couple xattr functions to 9p-util

These functions will need custom implementations on Darwin. Since the
implementation is very similar among all of them, and 9p-util already
has the _nofo

9p: Move a couple xattr functions to 9p-util

These functions will need custom implementations on Darwin. Since the
implementation is very similar among all of them, and 9p-util already
has the _nofollow version of fgetxattrat, let's move them all there.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Just a single fix for an annoying regression introduced in 2.9 when fixing
CVE-2016-9602.

# gpg: Signature made Thu 10 Au

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Just a single fix for an annoying regression introduced in 2.9 when fixing
CVE-2016-9602.

# gpg: Signature made Thu 10 Aug 2017 13:40:28 BST
# gpg: using DSA key 0x02FC3AEB0101DBC2
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg: aka "Greg Kurz <groug@free.fr>"
# gpg: aka "Greg Kurz <gkurz@linux.vnet.ibm.com>"
# gpg: aka "Gregory Kurz (Groug) <groug@free.fr>"
# gpg: aka "[jpeg image of size 3330]"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2BD4 3B44 535E C0A7 9894 DBA2 02FC 3AEB 0101 DBC2

* remotes/gkurz/tags/for-upstream:
9pfs: local: fix fchmodat_nofollow() limitations

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

9pfs: local: fix fchmodat_nofollow() limitations

This function has to ensure it doesn't follow a symlink that could be used
to escape the virtfs directory. This could be easily achieved if fchmodat(

9pfs: local: fix fchmodat_nofollow() limitations

This function has to ensure it doesn't follow a symlink that could be used
to escape the virtfs directory. This could be easily achieved if fchmodat()
on linux honored the AT_SYMLINK_NOFOLLOW flag as described in POSIX, but
it doesn't. There was a tentative to implement a new fchmodat2() syscall
with the correct semantics:

https://patchwork.kernel.org/patch/9596301/

but it didn't gain much momentum. Also it was suggested to look at an O_PATH
based solution in the first place.

The current implementation covers most use-cases, but it notably fails if:
- the target path has access rights equal to 0000 (openat() returns EPERM),
=> once you've done chmod(0000) on a file, you can never chmod() again
- the target path is UNIX domain socket (openat() returns ENXIO)
=> bind() of UNIX domain sockets fails if the file is on 9pfs

The solution is to use O_PATH: openat() now succeeds in both cases, and we
can ensure the path isn't a symlink with fstat(). The associated entry in
"/proc/self/fd" can hence be safely passed to the regular chmod() syscall.

The previous behavior is kept for older systems that don't have O_PATH.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Zhi Yong Wu <zhiyong.wu@ucloud.cn>
Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

show more ...