xref: /openbmc/qemu/scsi/qemu-pr-helper.c (revision 4b615be540d8566f4b981245b4d5401163c57ced) 
1 /*
2  * Privileged helper to handle persistent reservation commands for QEMU
3  *
4  * Copyright (C) 2017 Red Hat, Inc. <pbonzini@redhat.com>
5  *
6  * Author: Paolo Bonzini <pbonzini@redhat.com>
7  *
8  * This program is free software; you can redistribute it and/or modify
9  * it under the terms of the GNU General Public License as published by
10  * the Free Software Foundation; under version 2 of the License.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, see <http://www.gnu.org/licenses/>.
19  */
20 
21 #include "qemu/osdep.h"
22 #include <getopt.h>
23 #include <sys/ioctl.h>
24 #include <linux/dm-ioctl.h>
25 #include <scsi/sg.h>
26 
27 #ifdef CONFIG_LIBCAP
28 #include <cap-ng.h>
29 #endif
30 #include <pwd.h>
31 #include <grp.h>
32 
33 #ifdef CONFIG_MPATH
34 #include <libudev.h>
35 #include <mpath_cmd.h>
36 #include <mpath_persist.h>
37 #endif
38 
39 #include "qapi/error.h"
40 #include "qemu-common.h"
41 #include "qemu/cutils.h"
42 #include "qemu/main-loop.h"
43 #include "qemu/error-report.h"
44 #include "qemu/config-file.h"
45 #include "qemu/bswap.h"
46 #include "qemu/log.h"
47 #include "qemu/systemd.h"
48 #include "qapi/util.h"
49 #include "qapi/qmp/qstring.h"
50 #include "io/channel-socket.h"
51 #include "trace/control.h"
52 #include "qemu-version.h"
53 
54 #include "block/aio.h"
55 #include "block/thread-pool.h"
56 
57 #include "scsi/constants.h"
58 #include "scsi/utils.h"
59 #include "pr-helper.h"
60 
61 #define PR_OUT_FIXED_PARAM_SIZE 24
62 
63 static char *socket_path;
64 static char *pidfile;
65 static enum { RUNNING, TERMINATE, TERMINATING } state;
66 static QIOChannelSocket *server_ioc;
67 static int server_watch;
68 static int num_active_sockets = 1;
69 static int noisy;
70 static int verbose;
71 
72 #ifdef CONFIG_LIBCAP
73 static int uid = -1;
74 static int gid = -1;
75 #endif
76 
77 static void compute_default_paths(void)
78 {
79     socket_path = qemu_get_local_state_pathname("run/qemu-pr-helper.sock");
80     pidfile = qemu_get_local_state_pathname("run/qemu-pr-helper.pid");
81 }
82 
83 static void usage(const char *name)
84 {
85     (printf) (
86 "Usage: %s [OPTIONS] FILE\n"
87 "Persistent Reservation helper program for QEMU\n"
88 "\n"
89 "  -h, --help                display this help and exit\n"
90 "  -V, --version             output version information and exit\n"
91 "\n"
92 "  -d, --daemon              run in the background\n"
93 "  -f, --pidfile=PATH        PID file when running as a daemon\n"
94 "                            (default '%s')\n"
95 "  -k, --socket=PATH         path to the unix socket\n"
96 "                            (default '%s')\n"
97 "  -T, --trace [[enable=]<pattern>][,events=<file>][,file=<file>]\n"
98 "                            specify tracing options\n"
99 #ifdef CONFIG_LIBCAP
100 "  -u, --user=USER           user to drop privileges to\n"
101 "  -g, --group=GROUP         group to drop privileges to\n"
102 #endif
103 "\n"
104 QEMU_HELP_BOTTOM "\n"
105     , name, pidfile, socket_path);
106 }
107 
108 static void version(const char *name)
109 {
110     printf(
111 "%s " QEMU_FULL_VERSION "\n"
112 "Written by Paolo Bonzini.\n"
113 "\n"
114 QEMU_COPYRIGHT "\n"
115 "This is free software; see the source for copying conditions.  There is NO\n"
116 "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n"
117     , name);
118 }
119 
120 static void write_pidfile(void)
121 {
122     int pidfd;
123     char pidstr[32];
124 
125     pidfd = qemu_open(pidfile, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR);
126     if (pidfd == -1) {
127         error_report("Cannot open pid file, %s", strerror(errno));
128         exit(EXIT_FAILURE);
129     }
130 
131     if (lockf(pidfd, F_TLOCK, 0)) {
132         error_report("Cannot lock pid file, %s", strerror(errno));
133         goto fail;
134     }
135     if (ftruncate(pidfd, 0)) {
136         error_report("Failed to truncate pid file");
137         goto fail;
138     }
139 
140     snprintf(pidstr, sizeof(pidstr), "%d\n", getpid());
141     if (write(pidfd, pidstr, strlen(pidstr)) != strlen(pidstr)) {
142         error_report("Failed to write pid file");
143         goto fail;
144     }
145     return;
146 
147 fail:
148     unlink(pidfile);
149     close(pidfd);
150     exit(EXIT_FAILURE);
151 }
152 
153 /* SG_IO support */
154 
155 typedef struct PRHelperSGIOData {
156     int fd;
157     const uint8_t *cdb;
158     uint8_t *sense;
159     uint8_t *buf;
160     int sz;              /* input/output */
161     int dir;
162 } PRHelperSGIOData;
163 
164 static int do_sgio_worker(void *opaque)
165 {
166     PRHelperSGIOData *data = opaque;
167     struct sg_io_hdr io_hdr;
168     int ret;
169     int status;
170     SCSISense sense_code;
171 
172     memset(data->sense, 0, PR_HELPER_SENSE_SIZE);
173     memset(&io_hdr, 0, sizeof(io_hdr));
174     io_hdr.interface_id = 'S';
175     io_hdr.cmd_len = PR_HELPER_CDB_SIZE;
176     io_hdr.cmdp = (uint8_t *)data->cdb;
177     io_hdr.sbp = data->sense;
178     io_hdr.mx_sb_len = PR_HELPER_SENSE_SIZE;
179     io_hdr.timeout = 1;
180     io_hdr.dxfer_direction = data->dir;
181     io_hdr.dxferp = (char *)data->buf;
182     io_hdr.dxfer_len = data->sz;
183     ret = ioctl(data->fd, SG_IO, &io_hdr);
184     status = sg_io_sense_from_errno(ret < 0 ? errno : 0, &io_hdr,
185                                     &sense_code);
186     if (status == GOOD) {
187         data->sz -= io_hdr.resid;
188     } else {
189         data->sz = 0;
190     }
191 
192     if (status == CHECK_CONDITION &&
193         !(io_hdr.driver_status & SG_ERR_DRIVER_SENSE)) {
194         scsi_build_sense(data->sense, sense_code);
195     }
196 
197     return status;
198 }
199 
200 static int do_sgio(int fd, const uint8_t *cdb, uint8_t *sense,
201                     uint8_t *buf, int *sz, int dir)
202 {
203     ThreadPool *pool = aio_get_thread_pool(qemu_get_aio_context());
204     int r;
205 
206     PRHelperSGIOData data = {
207         .fd = fd,
208         .cdb = cdb,
209         .sense = sense,
210         .buf = buf,
211         .sz = *sz,
212         .dir = dir,
213     };
214 
215     r = thread_pool_submit_co(pool, do_sgio_worker, &data);
216     *sz = data.sz;
217     return r;
218 }
219 
220 /* Device mapper interface */
221 
222 #ifdef CONFIG_MPATH
223 #define CONTROL_PATH "/dev/mapper/control"
224 
225 typedef struct DMData {
226     struct dm_ioctl dm;
227     uint8_t data[1024];
228 } DMData;
229 
230 static int control_fd;
231 
232 static void *dm_ioctl(int ioc, struct dm_ioctl *dm)
233 {
234     static DMData d;
235     memcpy(&d.dm, dm, sizeof(d.dm));
236     QEMU_BUILD_BUG_ON(sizeof(d.data) < sizeof(struct dm_target_spec));
237 
238     d.dm.version[0] = DM_VERSION_MAJOR;
239     d.dm.version[1] = 0;
240     d.dm.version[2] = 0;
241     d.dm.data_size = 1024;
242     d.dm.data_start = offsetof(DMData, data);
243     if (ioctl(control_fd, ioc, &d) < 0) {
244         return NULL;
245     }
246     memcpy(dm, &d.dm, sizeof(d.dm));
247     return &d.data;
248 }
249 
250 static void *dm_dev_ioctl(int fd, int ioc, struct dm_ioctl *dm)
251 {
252     struct stat st;
253     int r;
254 
255     r = fstat(fd, &st);
256     if (r < 0) {
257         perror("fstat");
258         exit(1);
259     }
260 
261     dm->dev = st.st_rdev;
262     return dm_ioctl(ioc, dm);
263 }
264 
265 static void dm_init(void)
266 {
267     control_fd = open(CONTROL_PATH, O_RDWR);
268     if (control_fd < 0) {
269         perror("Cannot open " CONTROL_PATH);
270         exit(1);
271     }
272     struct dm_ioctl dm = { 0 };
273     if (!dm_ioctl(DM_VERSION, &dm)) {
274         perror("ioctl");
275         exit(1);
276     }
277     if (dm.version[0] != DM_VERSION_MAJOR) {
278         fprintf(stderr, "Unsupported device mapper interface");
279         exit(1);
280     }
281 }
282 
283 /* Variables required by libmultipath and libmpathpersist.  */
284 QEMU_BUILD_BUG_ON(PR_HELPER_DATA_SIZE > MPATH_MAX_PARAM_LEN);
285 static struct config *multipath_conf;
286 unsigned mpath_mx_alloc_len = PR_HELPER_DATA_SIZE;
287 int logsink;
288 struct udev *udev;
289 
290 extern struct config *get_multipath_config(void);
291 struct config *get_multipath_config(void)
292 {
293     return multipath_conf;
294 }
295 
296 extern void put_multipath_config(struct config *conf);
297 void put_multipath_config(struct config *conf)
298 {
299 }
300 
301 static void multipath_pr_init(void)
302 {
303     udev = udev_new();
304 #ifdef CONFIG_MPATH_NEW_API
305     multipath_conf = mpath_lib_init();
306 #else
307     mpath_lib_init(udev);
308 #endif
309 }
310 
311 static int is_mpath(int fd)
312 {
313     struct dm_ioctl dm = { .flags = DM_NOFLUSH_FLAG };
314     struct dm_target_spec *tgt;
315 
316     tgt = dm_dev_ioctl(fd, DM_TABLE_STATUS, &dm);
317     if (!tgt) {
318         if (errno == ENXIO) {
319             return 0;
320         }
321         perror("ioctl");
322         exit(EXIT_FAILURE);
323     }
324     return !strncmp(tgt->target_type, "multipath", DM_MAX_TYPE_NAME);
325 }
326 
327 static SCSISense mpath_generic_sense(int r)
328 {
329     switch (r) {
330     case MPATH_PR_SENSE_NOT_READY:
331          return SENSE_CODE(NOT_READY);
332     case MPATH_PR_SENSE_MEDIUM_ERROR:
333          return SENSE_CODE(READ_ERROR);
334     case MPATH_PR_SENSE_HARDWARE_ERROR:
335          return SENSE_CODE(TARGET_FAILURE);
336     case MPATH_PR_SENSE_ABORTED_COMMAND:
337          return SENSE_CODE(IO_ERROR);
338     default:
339          abort();
340     }
341 }
342 
343 static int mpath_reconstruct_sense(int fd, int r, uint8_t *sense)
344 {
345     switch (r) {
346     case MPATH_PR_SUCCESS:
347         return GOOD;
348     case MPATH_PR_SENSE_NOT_READY:
349     case MPATH_PR_SENSE_MEDIUM_ERROR:
350     case MPATH_PR_SENSE_HARDWARE_ERROR:
351     case MPATH_PR_SENSE_ABORTED_COMMAND:
352         {
353             /* libmpathpersist ate the exact sense.  Try to find it by
354              * issuing TEST UNIT READY.
355              */
356             uint8_t cdb[6] = { TEST_UNIT_READY };
357             int sz = 0;
358             int r = do_sgio(fd, cdb, sense, NULL, &sz, SG_DXFER_NONE);
359 
360             if (r != GOOD) {
361                 return r;
362             }
363             scsi_build_sense(sense, mpath_generic_sense(r));
364             return CHECK_CONDITION;
365         }
366 
367     case MPATH_PR_SENSE_UNIT_ATTENTION:
368         /* Congratulations libmpathpersist, you ruined the Unit Attention...
369          * Return a heavyweight one.
370          */
371         scsi_build_sense(sense, SENSE_CODE(SCSI_BUS_RESET));
372         return CHECK_CONDITION;
373     case MPATH_PR_SENSE_INVALID_OP:
374         /* Only one valid sense.  */
375         scsi_build_sense(sense, SENSE_CODE(INVALID_OPCODE));
376         return CHECK_CONDITION;
377     case MPATH_PR_ILLEGAL_REQ:
378         /* Guess.  */
379         scsi_build_sense(sense, SENSE_CODE(INVALID_PARAM));
380         return CHECK_CONDITION;
381     case MPATH_PR_NO_SENSE:
382         scsi_build_sense(sense, SENSE_CODE(NO_SENSE));
383         return CHECK_CONDITION;
384 
385     case MPATH_PR_RESERV_CONFLICT:
386         return RESERVATION_CONFLICT;
387 
388     case MPATH_PR_OTHER:
389     default:
390         scsi_build_sense(sense, SENSE_CODE(LUN_COMM_FAILURE));
391         return CHECK_CONDITION;
392     }
393 }
394 
395 static int multipath_pr_in(int fd, const uint8_t *cdb, uint8_t *sense,
396                            uint8_t *data, int sz)
397 {
398     int rq_servact = cdb[1];
399     struct prin_resp resp;
400     size_t written;
401     int r;
402 
403     switch (rq_servact) {
404     case MPATH_PRIN_RKEY_SA:
405     case MPATH_PRIN_RRES_SA:
406     case MPATH_PRIN_RCAP_SA:
407         break;
408     case MPATH_PRIN_RFSTAT_SA:
409         /* Nobody implements it anyway, so bail out. */
410     default:
411         /* Cannot parse any other output.  */
412         scsi_build_sense(sense, SENSE_CODE(INVALID_FIELD));
413         return CHECK_CONDITION;
414     }
415 
416     r = mpath_persistent_reserve_in(fd, rq_servact, &resp, noisy, verbose);
417     if (r == MPATH_PR_SUCCESS) {
418         switch (rq_servact) {
419         case MPATH_PRIN_RKEY_SA:
420         case MPATH_PRIN_RRES_SA: {
421             struct prin_readdescr *out = &resp.prin_descriptor.prin_readkeys;
422             assert(sz >= 8);
423             written = MIN(out->additional_length + 8, sz);
424             stl_be_p(&data[0], out->prgeneration);
425             stl_be_p(&data[4], out->additional_length);
426             memcpy(&data[8], out->key_list, written - 8);
427             break;
428         }
429         case MPATH_PRIN_RCAP_SA: {
430             struct prin_capdescr *out = &resp.prin_descriptor.prin_readcap;
431             assert(sz >= 6);
432             written = 6;
433             stw_be_p(&data[0], out->length);
434             data[2] = out->flags[0];
435             data[3] = out->flags[1];
436             stw_be_p(&data[4], out->pr_type_mask);
437             break;
438         }
439         default:
440             scsi_build_sense(sense, SENSE_CODE(INVALID_OPCODE));
441             return CHECK_CONDITION;
442         }
443         assert(written <= sz);
444         memset(data + written, 0, sz - written);
445     }
446 
447     return mpath_reconstruct_sense(fd, r, sense);
448 }
449 
450 static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
451                             const uint8_t *param, int sz)
452 {
453     int rq_servact = cdb[1];
454     int rq_scope = cdb[2] >> 4;
455     int rq_type = cdb[2] & 0xf;
456     struct prout_param_descriptor paramp;
457     char transportids[PR_HELPER_DATA_SIZE];
458     int r;
459 
460     if (sz < PR_OUT_FIXED_PARAM_SIZE) {
461         /* Illegal request, Parameter list length error.  This isn't fatal;
462          * we have read the data, send an error without closing the socket.
463          */
464         scsi_build_sense(sense, SENSE_CODE(INVALID_PARAM_LEN));
465         return CHECK_CONDITION;
466     }
467 
468     switch (rq_servact) {
469     case MPATH_PROUT_REG_SA:
470     case MPATH_PROUT_RES_SA:
471     case MPATH_PROUT_REL_SA:
472     case MPATH_PROUT_CLEAR_SA:
473     case MPATH_PROUT_PREE_SA:
474     case MPATH_PROUT_PREE_AB_SA:
475     case MPATH_PROUT_REG_IGN_SA:
476         break;
477     case MPATH_PROUT_REG_MOV_SA:
478         /* Not supported by struct prout_param_descriptor.  */
479     default:
480         /* Cannot parse any other input.  */
481         scsi_build_sense(sense, SENSE_CODE(INVALID_FIELD));
482         return CHECK_CONDITION;
483     }
484 
485     /* Convert input data, especially transport IDs, to the structs
486      * used by libmpathpersist (which, of course, will immediately
487      * do the opposite).
488      */
489     memset(&paramp, 0, sizeof(paramp));
490     memcpy(&paramp.key, &param[0], 8);
491     memcpy(&paramp.sa_key, &param[8], 8);
492     paramp.sa_flags = param[20];
493     if (sz > PR_OUT_FIXED_PARAM_SIZE) {
494         size_t transportid_len;
495         int i, j;
496         if (sz < PR_OUT_FIXED_PARAM_SIZE + 4) {
497             scsi_build_sense(sense, SENSE_CODE(INVALID_PARAM_LEN));
498             return CHECK_CONDITION;
499         }
500         transportid_len = ldl_be_p(&param[24]) + PR_OUT_FIXED_PARAM_SIZE + 4;
501         if (transportid_len > sz) {
502             scsi_build_sense(sense, SENSE_CODE(INVALID_PARAM));
503             return CHECK_CONDITION;
504         }
505         for (i = PR_OUT_FIXED_PARAM_SIZE + 4, j = 0; i < transportid_len; ) {
506             struct transportid *id = (struct transportid *) &transportids[j];
507             int len;
508 
509             id->format_code = param[i] & 0xc0;
510             id->protocol_id = param[i] & 0x0f;
511             switch (param[i] & 0xcf) {
512             case 0:
513                 /* FC transport.  */
514                 if (i + 24 > transportid_len) {
515                     goto illegal_req;
516                 }
517                 memcpy(id->n_port_name, &param[i + 8], 8);
518                 j += offsetof(struct transportid, n_port_name[8]);
519                 i += 24;
520                 break;
521             case 5:
522             case 0x45:
523                 /* iSCSI transport.  */
524                 len = lduw_be_p(&param[i + 2]);
525                 if (len > 252 || (len & 3) || i + len + 4 > transportid_len) {
526                     /* For format code 00, the standard says the maximum is 223
527                      * plus the NUL terminator.  For format code 01 there is no
528                      * maximum length, but libmpathpersist ignores the first
529                      * byte of id->iscsi_name so our maximum is 252.
530                      */
531                     goto illegal_req;
532                 }
533                 if (memchr(&param[i + 4], 0, len) == NULL) {
534                     goto illegal_req;
535                 }
536                 memcpy(id->iscsi_name, &param[i + 2], len + 2);
537                 j += offsetof(struct transportid, iscsi_name[len + 2]);
538                 i += len + 4;
539                 break;
540             case 6:
541                 /* SAS transport.  */
542                 if (i + 24 > transportid_len) {
543                     goto illegal_req;
544                 }
545                 memcpy(id->sas_address, &param[i + 4], 8);
546                 j += offsetof(struct transportid, sas_address[8]);
547                 i += 24;
548                 break;
549             default:
550             illegal_req:
551                 scsi_build_sense(sense, SENSE_CODE(INVALID_PARAM));
552                 return CHECK_CONDITION;
553             }
554 
555             paramp.trnptid_list[paramp.num_transportid++] = id;
556         }
557     }
558 
559     r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type,
560                                      &paramp, noisy, verbose);
561     return mpath_reconstruct_sense(fd, r, sense);
562 }
563 #endif
564 
565 static int do_pr_in(int fd, const uint8_t *cdb, uint8_t *sense,
566                     uint8_t *data, int *resp_sz)
567 {
568 #ifdef CONFIG_MPATH
569     if (is_mpath(fd)) {
570         /* multipath_pr_in fills the whole input buffer.  */
571         int r = multipath_pr_in(fd, cdb, sense, data, *resp_sz);
572         if (r != GOOD) {
573             *resp_sz = 0;
574         }
575         return r;
576     }
577 #endif
578 
579     return do_sgio(fd, cdb, sense, data, resp_sz,
580                    SG_DXFER_FROM_DEV);
581 }
582 
583 static int do_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
584                      const uint8_t *param, int sz)
585 {
586     int resp_sz;
587 
588     if ((fcntl(fd, F_GETFL) & O_ACCMODE) == O_RDONLY) {
589         scsi_build_sense(sense, SENSE_CODE(INVALID_OPCODE));
590         return CHECK_CONDITION;
591     }
592 
593 #ifdef CONFIG_MPATH
594     if (is_mpath(fd)) {
595         return multipath_pr_out(fd, cdb, sense, param, sz);
596     }
597 #endif
598 
599     resp_sz = sz;
600     return do_sgio(fd, cdb, sense, (uint8_t *)param, &resp_sz,
601                    SG_DXFER_TO_DEV);
602 }
603 
604 /* Client */
605 
606 typedef struct PRHelperClient {
607     QIOChannelSocket *ioc;
608     Coroutine *co;
609     int fd;
610     uint8_t data[PR_HELPER_DATA_SIZE];
611 } PRHelperClient;
612 
613 typedef struct PRHelperRequest {
614     int fd;
615     size_t sz;
616     uint8_t cdb[PR_HELPER_CDB_SIZE];
617 } PRHelperRequest;
618 
619 static int coroutine_fn prh_read(PRHelperClient *client, void *buf, int sz,
620                                  Error **errp)
621 {
622     int ret = 0;
623 
624     while (sz > 0) {
625         int *fds = NULL;
626         size_t nfds = 0;
627         int i;
628         struct iovec iov;
629         ssize_t n_read;
630 
631         iov.iov_base = buf;
632         iov.iov_len = sz;
633         n_read = qio_channel_readv_full(QIO_CHANNEL(client->ioc), &iov, 1,
634                                         &fds, &nfds, errp);
635 
636         if (n_read == QIO_CHANNEL_ERR_BLOCK) {
637             qio_channel_yield(QIO_CHANNEL(client->ioc), G_IO_IN);
638             continue;
639         }
640         if (n_read <= 0) {
641             ret = n_read ? n_read : -1;
642             goto err;
643         }
644 
645         /* Stash one file descriptor per request.  */
646         if (nfds) {
647             bool too_many = false;
648             for (i = 0; i < nfds; i++) {
649                 if (client->fd == -1) {
650                     client->fd = fds[i];
651                 } else {
652                     close(fds[i]);
653                     too_many = true;
654                 }
655             }
656             g_free(fds);
657             if (too_many) {
658                 ret = -1;
659                 goto err;
660             }
661         }
662 
663         buf += n_read;
664         sz -= n_read;
665     }
666 
667     return 0;
668 
669 err:
670     if (client->fd != -1) {
671         close(client->fd);
672         client->fd = -1;
673     }
674     return ret;
675 }
676 
677 static int coroutine_fn prh_read_request(PRHelperClient *client,
678                                          PRHelperRequest *req,
679                                          PRHelperResponse *resp, Error **errp)
680 {
681     uint32_t sz;
682 
683     if (prh_read(client, req->cdb, sizeof(req->cdb), NULL) < 0) {
684         return -1;
685     }
686 
687     if (client->fd == -1) {
688         error_setg(errp, "No file descriptor in request.");
689         return -1;
690     }
691 
692     if (req->cdb[0] != PERSISTENT_RESERVE_OUT &&
693         req->cdb[0] != PERSISTENT_RESERVE_IN) {
694         error_setg(errp, "Invalid CDB, closing socket.");
695         goto out_close;
696     }
697 
698     sz = scsi_cdb_xfer(req->cdb);
699     if (sz > sizeof(client->data)) {
700         goto out_close;
701     }
702 
703     if (req->cdb[0] == PERSISTENT_RESERVE_OUT) {
704         if (qio_channel_read_all(QIO_CHANNEL(client->ioc),
705                                  (char *)client->data, sz,
706                                  errp) < 0) {
707             goto out_close;
708         }
709     }
710 
711     req->fd = client->fd;
712     req->sz = sz;
713     client->fd = -1;
714     return sz;
715 
716 out_close:
717     close(client->fd);
718     client->fd = -1;
719     return -1;
720 }
721 
722 static int coroutine_fn prh_write_response(PRHelperClient *client,
723                                            PRHelperRequest *req,
724                                            PRHelperResponse *resp, Error **errp)
725 {
726     ssize_t r;
727     size_t sz;
728 
729     if (req->cdb[0] == PERSISTENT_RESERVE_IN && resp->result == GOOD) {
730         assert(resp->sz <= req->sz && resp->sz <= sizeof(client->data));
731     } else {
732         assert(resp->sz == 0);
733     }
734 
735     sz = resp->sz;
736 
737     resp->result = cpu_to_be32(resp->result);
738     resp->sz = cpu_to_be32(resp->sz);
739     r = qio_channel_write_all(QIO_CHANNEL(client->ioc),
740                               (char *) resp, sizeof(*resp), errp);
741     if (r < 0) {
742         return r;
743     }
744 
745     r = qio_channel_write_all(QIO_CHANNEL(client->ioc),
746                               (char *) client->data,
747                               sz, errp);
748     return r < 0 ? r : 0;
749 }
750 
751 static void coroutine_fn prh_co_entry(void *opaque)
752 {
753     PRHelperClient *client = opaque;
754     Error *local_err = NULL;
755     uint32_t flags;
756     int r;
757 
758     qio_channel_set_blocking(QIO_CHANNEL(client->ioc),
759                              false, NULL);
760     qio_channel_attach_aio_context(QIO_CHANNEL(client->ioc),
761                                    qemu_get_aio_context());
762 
763     /* A very simple negotiation for future extensibility.  No features
764      * are defined so write 0.
765      */
766     flags = cpu_to_be32(0);
767     r = qio_channel_write_all(QIO_CHANNEL(client->ioc),
768                              (char *) &flags, sizeof(flags), NULL);
769     if (r < 0) {
770         goto out;
771     }
772 
773     r = qio_channel_read_all(QIO_CHANNEL(client->ioc),
774                              (char *) &flags, sizeof(flags), NULL);
775     if (be32_to_cpu(flags) != 0 || r < 0) {
776         goto out;
777     }
778 
779     while (atomic_read(&state) == RUNNING) {
780         PRHelperRequest req;
781         PRHelperResponse resp;
782         int sz;
783 
784         sz = prh_read_request(client, &req, &resp, &local_err);
785         if (sz < 0) {
786             break;
787         }
788 
789         num_active_sockets++;
790         if (req.cdb[0] == PERSISTENT_RESERVE_OUT) {
791             r = do_pr_out(req.fd, req.cdb, resp.sense,
792                           client->data, sz);
793             resp.sz = 0;
794         } else {
795             resp.sz = sizeof(client->data);
796             r = do_pr_in(req.fd, req.cdb, resp.sense,
797                          client->data, &resp.sz);
798             resp.sz = MIN(resp.sz, sz);
799         }
800         num_active_sockets--;
801         close(req.fd);
802         if (r == -1) {
803             break;
804         }
805         resp.result = r;
806 
807         if (prh_write_response(client, &req, &resp, &local_err) < 0) {
808             break;
809         }
810     }
811 
812     if (local_err) {
813         if (verbose == 0) {
814             error_free(local_err);
815         } else {
816             error_report_err(local_err);
817         }
818     }
819 
820 out:
821     qio_channel_detach_aio_context(QIO_CHANNEL(client->ioc));
822     object_unref(OBJECT(client->ioc));
823     g_free(client);
824 }
825 
826 static gboolean accept_client(QIOChannel *ioc, GIOCondition cond, gpointer opaque)
827 {
828     QIOChannelSocket *cioc;
829     PRHelperClient *prh;
830 
831     cioc = qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc),
832                                      NULL);
833     if (!cioc) {
834         return TRUE;
835     }
836 
837     prh = g_new(PRHelperClient, 1);
838     prh->ioc = cioc;
839     prh->fd = -1;
840     prh->co = qemu_coroutine_create(prh_co_entry, prh);
841     qemu_coroutine_enter(prh->co);
842 
843     return TRUE;
844 }
845 
846 static void termsig_handler(int signum)
847 {
848     atomic_cmpxchg(&state, RUNNING, TERMINATE);
849     qemu_notify_event();
850 }
851 
852 static void close_server_socket(void)
853 {
854     assert(server_ioc);
855 
856     g_source_remove(server_watch);
857     server_watch = -1;
858     object_unref(OBJECT(server_ioc));
859     num_active_sockets--;
860 }
861 
862 #ifdef CONFIG_LIBCAP
863 static int drop_privileges(void)
864 {
865     /* clear all capabilities */
866     capng_clear(CAPNG_SELECT_BOTH);
867 
868     if (capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
869                      CAP_SYS_RAWIO) < 0) {
870         return -1;
871     }
872 
873 #ifdef CONFIG_MPATH
874     /* For /dev/mapper/control ioctls */
875     if (capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
876                      CAP_SYS_ADMIN) < 0) {
877         return -1;
878     }
879 #endif
880 
881     /* Change user/group id, retaining the capabilities.  Because file descriptors
882      * are passed via SCM_RIGHTS, we don't need supplementary groups (and in
883      * fact the helper can run as "nobody").
884      */
885     if (capng_change_id(uid != -1 ? uid : getuid(),
886                         gid != -1 ? gid : getgid(),
887                         CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) {
888         return -1;
889     }
890 
891     return 0;
892 }
893 #endif
894 
895 int main(int argc, char **argv)
896 {
897     const char *sopt = "hVk:f:dT:u:g:vq";
898     struct option lopt[] = {
899         { "help", no_argument, NULL, 'h' },
900         { "version", no_argument, NULL, 'V' },
901         { "socket", required_argument, NULL, 'k' },
902         { "pidfile", required_argument, NULL, 'f' },
903         { "daemon", no_argument, NULL, 'd' },
904         { "trace", required_argument, NULL, 'T' },
905         { "user", required_argument, NULL, 'u' },
906         { "group", required_argument, NULL, 'g' },
907         { "verbose", no_argument, NULL, 'v' },
908         { "quiet", no_argument, NULL, 'q' },
909         { NULL, 0, NULL, 0 }
910     };
911     int opt_ind = 0;
912     int loglevel = 1;
913     int quiet = 0;
914     int ch;
915     Error *local_err = NULL;
916     char *trace_file = NULL;
917     bool daemonize = false;
918     bool pidfile_specified = false;
919     bool socket_path_specified = false;
920     unsigned socket_activation;
921 
922     struct sigaction sa_sigterm;
923     memset(&sa_sigterm, 0, sizeof(sa_sigterm));
924     sa_sigterm.sa_handler = termsig_handler;
925     sigaction(SIGTERM, &sa_sigterm, NULL);
926     sigaction(SIGINT, &sa_sigterm, NULL);
927     sigaction(SIGHUP, &sa_sigterm, NULL);
928 
929     signal(SIGPIPE, SIG_IGN);
930 
931     module_call_init(MODULE_INIT_TRACE);
932     module_call_init(MODULE_INIT_QOM);
933     qemu_add_opts(&qemu_trace_opts);
934     qemu_init_exec_dir(argv[0]);
935 
936     compute_default_paths();
937 
938     while ((ch = getopt_long(argc, argv, sopt, lopt, &opt_ind)) != -1) {
939         switch (ch) {
940         case 'k':
941             g_free(socket_path);
942             socket_path = g_strdup(optarg);
943             socket_path_specified = true;
944             if (socket_path[0] != '/') {
945                 error_report("socket path must be absolute");
946                 exit(EXIT_FAILURE);
947             }
948             break;
949         case 'f':
950             g_free(pidfile);
951             pidfile = g_strdup(optarg);
952             pidfile_specified = true;
953             break;
954 #ifdef CONFIG_LIBCAP
955         case 'u': {
956             unsigned long res;
957             struct passwd *userinfo = getpwnam(optarg);
958             if (userinfo) {
959                 uid = userinfo->pw_uid;
960             } else if (qemu_strtoul(optarg, NULL, 10, &res) == 0 &&
961                        (uid_t)res == res) {
962                 uid = res;
963             } else {
964                 error_report("invalid user '%s'", optarg);
965                 exit(EXIT_FAILURE);
966             }
967             break;
968         }
969         case 'g': {
970             unsigned long res;
971             struct group *groupinfo = getgrnam(optarg);
972             if (groupinfo) {
973                 gid = groupinfo->gr_gid;
974             } else if (qemu_strtoul(optarg, NULL, 10, &res) == 0 &&
975                        (gid_t)res == res) {
976                 gid = res;
977             } else {
978                 error_report("invalid group '%s'", optarg);
979                 exit(EXIT_FAILURE);
980             }
981             break;
982         }
983 #else
984         case 'u':
985         case 'g':
986             error_report("-%c not supported by this %s", ch, argv[0]);
987             exit(1);
988 #endif
989         case 'd':
990             daemonize = true;
991             break;
992         case 'q':
993             quiet = 1;
994             break;
995         case 'v':
996             ++loglevel;
997             break;
998         case 'T':
999             g_free(trace_file);
1000             trace_file = trace_opt_parse(optarg);
1001             break;
1002         case 'V':
1003             version(argv[0]);
1004             exit(EXIT_SUCCESS);
1005             break;
1006         case 'h':
1007             usage(argv[0]);
1008             exit(EXIT_SUCCESS);
1009             break;
1010         case '?':
1011             error_report("Try `%s --help' for more information.", argv[0]);
1012             exit(EXIT_FAILURE);
1013         }
1014     }
1015 
1016     /* set verbosity */
1017     noisy = !quiet && (loglevel >= 3);
1018     verbose = quiet ? 0 : MIN(loglevel, 3);
1019 
1020     if (!trace_init_backends()) {
1021         exit(EXIT_FAILURE);
1022     }
1023     trace_init_file(trace_file);
1024     qemu_set_log(LOG_TRACE);
1025 
1026 #ifdef CONFIG_MPATH
1027     dm_init();
1028     multipath_pr_init();
1029 #endif
1030 
1031     socket_activation = check_socket_activation();
1032     if (socket_activation == 0) {
1033         SocketAddress saddr;
1034         saddr = (SocketAddress){
1035             .type = SOCKET_ADDRESS_TYPE_UNIX,
1036             .u.q_unix.path = socket_path,
1037         };
1038         server_ioc = qio_channel_socket_new();
1039         if (qio_channel_socket_listen_sync(server_ioc, &saddr, &local_err) < 0) {
1040             object_unref(OBJECT(server_ioc));
1041             error_report_err(local_err);
1042             return 1;
1043         }
1044     } else {
1045         /* Using socket activation - check user didn't use -p etc. */
1046         if (socket_path_specified) {
1047             error_report("Unix socket can't be set when using socket activation");
1048             exit(EXIT_FAILURE);
1049         }
1050 
1051         /* Can only listen on a single socket.  */
1052         if (socket_activation > 1) {
1053             error_report("%s does not support socket activation with LISTEN_FDS > 1",
1054                          argv[0]);
1055             exit(EXIT_FAILURE);
1056         }
1057         server_ioc = qio_channel_socket_new_fd(FIRST_SOCKET_ACTIVATION_FD,
1058                                                &local_err);
1059         if (server_ioc == NULL) {
1060             error_report("Failed to use socket activation: %s",
1061                          error_get_pretty(local_err));
1062             exit(EXIT_FAILURE);
1063         }
1064     }
1065 
1066     if (qemu_init_main_loop(&local_err)) {
1067         error_report_err(local_err);
1068         exit(EXIT_FAILURE);
1069     }
1070 
1071     server_watch = qio_channel_add_watch(QIO_CHANNEL(server_ioc),
1072                                          G_IO_IN,
1073                                          accept_client,
1074                                          NULL, NULL);
1075 
1076     if (daemonize) {
1077         if (daemon(0, 0) < 0) {
1078             error_report("Failed to daemonize: %s", strerror(errno));
1079             exit(EXIT_FAILURE);
1080         }
1081     }
1082 
1083     if (daemonize || pidfile_specified)
1084         write_pidfile();
1085 
1086 #ifdef CONFIG_LIBCAP
1087     if (drop_privileges() < 0) {
1088         error_report("Failed to drop privileges: %s", strerror(errno));
1089         exit(EXIT_FAILURE);
1090     }
1091 #endif
1092 
1093     state = RUNNING;
1094     do {
1095         main_loop_wait(false);
1096         if (state == TERMINATE) {
1097             state = TERMINATING;
1098             close_server_socket();
1099         }
1100     } while (num_active_sockets > 0);
1101 
1102     exit(EXIT_SUCCESS);
1103 }
1104