OpenE2K
/
qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity
qemu-e2k/hw/9pfs/9p-posix-acl.c

170 lines
4.6 KiB
C
Raw Permalink Normal View History

virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
/*
9pfs: rename virtio-9p-posix-acl.c to 9p-posix-acl.c This file is not virtio specific. Rename it to use generic name. Fix comment and remove unneeded inclusion of virtio.h. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2015-11-18 19:10:47 +01:00
* 9p system.posix* xattr callback
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
*
* Copyright IBM, Corp. 2010
*
* Authors:
* Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
*
* This work is licensed under the terms of the GNU GPL, version 2. See
* the COPYING file in the top-level directory.
*
*/
9pfs: add link to 9p developer docs To lower the entry level for new developers, add a link to the 9p developer docs (i.e. qemu wiki) to MAINTAINERS and to the beginning of 9p source files, that is to: https://wiki.qemu.org/Documentation/9p Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Acked-by: Greg Kurz <groug@kaod.org> Message-Id: <E1leeDf-0008GZ-9q@lizzy.crudebyte.com>
2021-05-06 15:12:23 +02:00
/*
* Not so fast! You might want to read the 9p developer docs first:
* https://wiki.qemu.org/Documentation/9p
*/
9pfs: Clean up includes Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 1453832250-766-18-git-send-email-peter.maydell@linaro.org
2016-01-26 19:17:10 +01:00
#include "qemu/osdep.h"
misc: move include files to include/qemu/ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2012-12-17 18:20:00 +01:00
#include "qemu/xattr.h"
9pfs: break out 9p.h from virtio-9p.h Move out generic definitions from virtio-9p.h to 9p.h. Fix header inclusions. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2016-01-07 19:18:02 +01:00
#include "9p.h"
virtio-9p: move 9p files around Now that we start adding more files related to 9pfs it make sense to move them to a separate directory Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2011-01-28 13:39:08 +01:00
#include "fsdev/file-op-9p.h"
9pfs: rename virtio-9p-xattr{,-user}.{c,h} to 9p-xattr{,-user}.{c,h} These three files are not virtio specific. Rename them to generic names. Fix comments and header inclusion in various files. Signed-off-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2015-11-18 19:31:52 +01:00
#include "9p-xattr.h"
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
#define MAP_ACL_ACCESS "user.virtfs.system.posix_acl_access"
#define MAP_ACL_DEFAULT "user.virtfs.system.posix_acl_default"
#define ACL_ACCESS "system.posix_acl_access"
#define ACL_DEFAULT "system.posix_acl_default"
static ssize_t mp_pacl_getxattr(FsContext *ctx, const char *path,
const char *name, void *value, size_t size)
{
9pfs: local: lgetxattr: don't follow symlinks The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr(). local_lgetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-26 23:42:26 +01:00
return local_getxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size);
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
}
static ssize_t mp_pacl_listxattr(FsContext *ctx, const char *path,
char *name, void *value, size_t osize)
{
ssize_t len = sizeof(ACL_ACCESS);
if (!value) {
return len;
}
if (osize < len) {
errno = ERANGE;
return -1;
}
virtio-9p: avoid unwarranted uses of strncpy In all of these cases, the uses of strncpy were unnecessary, since at each point of use we know that the NUL-terminated source bytes fit in the destination buffer. Use memcpy in place of strncpy. Acked-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Jim Meyering <meyering@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-10-04 13:09:56 +02:00
/* len includes the trailing NUL */
memcpy(value, ACL_ACCESS, len);
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
return 0;
}
static int mp_pacl_setxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags)
{
9pfs: local: lsetxattr: don't follow symlinks The local_lsetxattr() callback is vulnerable to symlink attacks because it calls lsetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fsetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lsetxattr(). local_lsetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-26 23:42:43 +01:00
return local_setxattr_nofollow(ctx, path, MAP_ACL_ACCESS, value, size,
flags);
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
}
static int mp_pacl_removexattr(FsContext *ctx,
const char *path, const char *name)
{
int ret;
hw/9pfs: use g_strdup_printf() instead of PATH_MAX limitation When path is truncated by PATH_MAX limitation, it causes QEMU to access incorrect file. So use original full path instead of PATH_MAX within 9pfs (need check/process ENOMEM for related memory allocation). The related test: - Environments (for qemu-devel): - Host is under fedora17 desktop with ext4fs: qemu-system-x86_64 -hda test.img -m 1024 \ -net nic,vlan=4,model=virtio,macaddr=00:16:35:AF:94:04 \ -net tap,vlan=4,ifname=tap4,script=no,downscript=no \ -device virtio-9p-pci,id=fs0,fsdev=fsdev0,mount_tag=hostshare \ -fsdev local,security_model=passthrough,id=fsdev0,\ path=/upstream/vm/data/share/1234567890abcdefghijklmnopqrstuvwxyz\ ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890acdefghijklmnopqrstuvwxyz\ ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890/111111111111111111111111111\ 1111111111111111111111111111111111111111111111111111222222222222\ 2222222222222222222222222222222222222222222222222222222222222222\ 2222222222222222222222222222222222233333333333333333333333333333\ 3333333333333333333333333333333333 - Guest is ubuntu12 server with 9pfs. mount -t 9p -o trans=virtio,version=9p2000.L hostshare /share - Limitations: full path limitation is PATH_MAX (4096B include nul) under Linux. file/dir node name maximized length is 256 (include nul) under ext4. - Special test: Under host, modify the file: "/upstream/vm/data/share/1234567890abcdefg\ hijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890acdefghijklmno\ pqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890/111111111111111111111\ 111111111111111111111111111111111111111111111111111111111122222222222\ 222222222222222222222222222222222222222222222222222222222222222222222\ 222222222222222222222222222222233333333333333333333333333333333333333\ 3333333333333333333333333/4444444444444444444444444444444444444444444\ 444444444444444444444444444444444444444444444444444444444444444444444\ 444444444444444444444444444444444444444444444444444444444444444444444\ 444444444444444444444444444444444444444/55555555555555555555555555555\ 555555555555555555555555555555555555555555555555555555555555555555555\ 555555555555555555555555555555555555555555555555555555555555555555555\ 555555555555555555555555555555555555555555555555555555555555555555555\ 55555555/666666666666666666666666666666666666666666666666666666666666\ 666666666666666666666666666666666666666666666666666666666666666666666\ 666666666666666666666666666666666666666666666666666666666666666666666\ 666666666666666666666/77777777777777777777777777777777777777777777777\ 777777777777777777777777777777777777777777777777777777777777777777777\ 777777777777777777777777777777777777777777777777777777777777777777777\ 77777777777777777777777777777777777777777777777777777777777/888888888\ 888888888888888888888888888888888888888888888888888888888888888888888\ 888888888888888888888888888888888888888888888888888888888888888888888\ 888888888888888888888888888888888888888888888888888888888888888888888\ 888888888/99999999999999999999999999999999999999999999999999999999999\ 999999999999999999999999999999999999999999999999999999999999999999999\ 999999999999999999999999999999999999999999999999999999999999999999999\ 99999999999999999999999999999999999999999/000000000000000000000000000\ 000000000000000000000000000000000000000000000000000000000000000000000\ 000000000000000000000000000000000000000000000000000000000000000000000\ 000000000000000000000000000000000000000000000000/aaaaaaaaaaaaaaaaaaaa\ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbb\ bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\ bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\ bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ccccccccc\ ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc\ ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc\ ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc\ cccccccccc/dddddddddddddddddddddddddddddddddddddddddddddddddddddddddd\ ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd\ ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd\ dddddddddddddddddddddd/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\ eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\ eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\ eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/fffffffffffffff\ fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\ fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffff/gggggggggg\ ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg\ ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg\ ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg\ ggggggggggggggggggggggg/iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii\ iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii\ iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii\ iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii/jjjjjjjjjjjjj\ jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj\ jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj/ppppppppppppppppppppp\ ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp\ ppppppppppppppppppppppppppppppppppppppp/test1234567890file.log" (need enter dir firstly, then modify file, or can not open it). Under guest, still allow modify "test1234567890file.log" (will generate "test123456" file with contents). After apply this patch, can not open "test1234567890file.log" under guest (permission denied). - Common test: All are still OK after apply this path. "mkdir -p", "create/open file/dir", "modify file/dir", "rm file/dir". change various mount point paths under host and/or guest. Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2014-03-01 18:36:19 +01:00
9pfs: local: lremovexattr: don't follow symlinks The local_lremovexattr() callback is vulnerable to symlink attacks because it calls lremovexattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fremovexattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lremovexattr(). local_lremovexattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-26 23:42:51 +01:00
ret = local_removexattr_nofollow(ctx, path, MAP_ACL_ACCESS);
9pfs: fix removing non-existent POSIX ACL xattr on macOS host When mapped POSIX ACL is used, we are ignoring errors when trying to remove a POSIX ACL xattr that does not exist. On Linux hosts we would get ENODATA in such cases, on macOS hosts however we get ENOATTR instead. As we can be sure that ENOATTR is defined as being identical on Linux hosts (at least by qemu/xattr.h), it is safe to fix this issue by simply comparing against ENOATTR instead of ENODATA. This patch fixes e.g. a command on Linux guest like: cp --preserve=mode old new Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Link: https://lore.kernel.org/qemu-devel/2866993.yOYK24bMf6@silver/ Reviewed-by: Greg Kurz <groug@kaod.org> Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com> Message-Id: <34f81e9bffd7a3e65fb7aab5b56c107bd0aac960.1651228001.git.qemu_oss@crudebyte.com>
2022-04-29 12:25:22 +02:00
/*
* macOS returns ENOATTR (!=ENODATA on macOS), whereas Linux returns
* ENODATA (==ENOATTR on Linux), so checking for ENOATTR is fine
*/
if (ret == -1 && errno == ENOATTR) {
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
/*
virtio-9p: removexattr on default acl should return 0 If we don't have default acl, removexattr on default acl should return 0 Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2011-04-27 08:56:43 +02:00
* We don't get ENODATA error when trying to remove a
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
* posix acl that is not present. So don't throw the error
* even in case of mapped security model
*/
errno = 0;
ret = 0;
}
return ret;
}
static ssize_t mp_dacl_getxattr(FsContext *ctx, const char *path,
const char *name, void *value, size_t size)
{
9pfs: local: lgetxattr: don't follow symlinks The local_lgetxattr() callback is vulnerable to symlink attacks because it calls lgetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fgetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lgetxattr(). local_lgetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-26 23:42:26 +01:00
return local_getxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size);
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
}
static ssize_t mp_dacl_listxattr(FsContext *ctx, const char *path,
char *name, void *value, size_t osize)
{
ssize_t len = sizeof(ACL_DEFAULT);
if (!value) {
return len;
}
if (osize < len) {
errno = ERANGE;
return -1;
}
virtio-9p: avoid unwarranted uses of strncpy In all of these cases, the uses of strncpy were unnecessary, since at each point of use we know that the NUL-terminated source bytes fit in the destination buffer. Use memcpy in place of strncpy. Acked-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Jim Meyering <meyering@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-10-04 13:09:56 +02:00
/* len includes the trailing NUL */
hw/9pfs/virtio-9p-posix-acl: Fix out-of-bounds access It's detected by coverity. Fix out-of-bounds access of the function mp_dacl_listxattr. Signed-off-by: Shannon Zhao <zhaoshenglong@huawei.com> Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2015-03-13 06:48:07 +01:00
memcpy(value, ACL_DEFAULT, len);
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
return 0;
}
static int mp_dacl_setxattr(FsContext *ctx, const char *path, const char *name,
void *value, size_t size, int flags)
{
9pfs: local: lsetxattr: don't follow symlinks The local_lsetxattr() callback is vulnerable to symlink attacks because it calls lsetxattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fsetxattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lsetxattr(). local_lsetxattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-26 23:42:43 +01:00
return local_setxattr_nofollow(ctx, path, MAP_ACL_DEFAULT, value, size,
flags);
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
}
static int mp_dacl_removexattr(FsContext *ctx,
const char *path, const char *name)
{
virtio-9p: removexattr on default acl should return 0 If we don't have default acl, removexattr on default acl should return 0 Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2011-04-27 08:56:43 +02:00
int ret;
hw/9pfs: use g_strdup_printf() instead of PATH_MAX limitation When path is truncated by PATH_MAX limitation, it causes QEMU to access incorrect file. So use original full path instead of PATH_MAX within 9pfs (need check/process ENOMEM for related memory allocation). The related test: - Environments (for qemu-devel): - Host is under fedora17 desktop with ext4fs: qemu-system-x86_64 -hda test.img -m 1024 \ -net nic,vlan=4,model=virtio,macaddr=00:16:35:AF:94:04 \ -net tap,vlan=4,ifname=tap4,script=no,downscript=no \ -device virtio-9p-pci,id=fs0,fsdev=fsdev0,mount_tag=hostshare \ -fsdev local,security_model=passthrough,id=fsdev0,\ path=/upstream/vm/data/share/1234567890abcdefghijklmnopqrstuvwxyz\ ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890acdefghijklmnopqrstuvwxyz\ ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890/111111111111111111111111111\ 1111111111111111111111111111111111111111111111111111222222222222\ 2222222222222222222222222222222222222222222222222222222222222222\ 2222222222222222222222222222222222233333333333333333333333333333\ 3333333333333333333333333333333333 - Guest is ubuntu12 server with 9pfs. mount -t 9p -o trans=virtio,version=9p2000.L hostshare /share - Limitations: full path limitation is PATH_MAX (4096B include nul) under Linux. file/dir node name maximized length is 256 (include nul) under ext4. - Special test: Under host, modify the file: "/upstream/vm/data/share/1234567890abcdefg\ hijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890acdefghijklmno\ pqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890/111111111111111111111\ 111111111111111111111111111111111111111111111111111111111122222222222\ 222222222222222222222222222222222222222222222222222222222222222222222\ 222222222222222222222222222222233333333333333333333333333333333333333\ 3333333333333333333333333/4444444444444444444444444444444444444444444\ 444444444444444444444444444444444444444444444444444444444444444444444\ 444444444444444444444444444444444444444444444444444444444444444444444\ 444444444444444444444444444444444444444/55555555555555555555555555555\ 555555555555555555555555555555555555555555555555555555555555555555555\ 555555555555555555555555555555555555555555555555555555555555555555555\ 555555555555555555555555555555555555555555555555555555555555555555555\ 55555555/666666666666666666666666666666666666666666666666666666666666\ 666666666666666666666666666666666666666666666666666666666666666666666\ 666666666666666666666666666666666666666666666666666666666666666666666\ 666666666666666666666/77777777777777777777777777777777777777777777777\ 777777777777777777777777777777777777777777777777777777777777777777777\ 777777777777777777777777777777777777777777777777777777777777777777777\ 77777777777777777777777777777777777777777777777777777777777/888888888\ 888888888888888888888888888888888888888888888888888888888888888888888\ 888888888888888888888888888888888888888888888888888888888888888888888\ 888888888888888888888888888888888888888888888888888888888888888888888\ 888888888/99999999999999999999999999999999999999999999999999999999999\ 999999999999999999999999999999999999999999999999999999999999999999999\ 999999999999999999999999999999999999999999999999999999999999999999999\ 99999999999999999999999999999999999999999/000000000000000000000000000\ 000000000000000000000000000000000000000000000000000000000000000000000\ 000000000000000000000000000000000000000000000000000000000000000000000\ 000000000000000000000000000000000000000000000000/aaaaaaaaaaaaaaaaaaaa\ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbb\ bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\ bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\ bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ccccccccc\ ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc\ ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc\ ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc\ cccccccccc/dddddddddddddddddddddddddddddddddddddddddddddddddddddddddd\ ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd\ ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd\ dddddddddddddddddddddd/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\ eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\ eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\ eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/fffffffffffffff\ fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\ fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\ ffffffffffffffffffffffffffffffffffffffffffffffffffffffffff/gggggggggg\ ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg\ ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg\ ggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg\ ggggggggggggggggggggggg/iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii\ iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii\ iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii\ iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii/jjjjjjjjjjjjj\ jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj\ jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj/ppppppppppppppppppppp\ ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp\ ppppppppppppppppppppppppppppppppppppppp/test1234567890file.log" (need enter dir firstly, then modify file, or can not open it). Under guest, still allow modify "test1234567890file.log" (will generate "test123456" file with contents). After apply this patch, can not open "test1234567890file.log" under guest (permission denied). - Common test: All are still OK after apply this path. "mkdir -p", "create/open file/dir", "modify file/dir", "rm file/dir". change various mount point paths under host and/or guest. Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
2014-03-01 18:36:19 +01:00
9pfs: local: lremovexattr: don't follow symlinks The local_lremovexattr() callback is vulnerable to symlink attacks because it calls lremovexattr() which follows symbolic links in all path elements but the rightmost one. This patch introduces a helper to emulate the non-existing fremovexattrat() function: it is implemented with /proc/self/fd which provides a trusted path that can be safely passed to lremovexattr(). local_lremovexattr() is converted to use this helper and opendir_nofollow(). This partly fixes CVE-2016-9602. Signed-off-by: Greg Kurz <groug@kaod.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-02-26 23:42:51 +01:00
ret = local_removexattr_nofollow(ctx, path, MAP_ACL_DEFAULT);
9pfs: fix removing non-existent POSIX ACL xattr on macOS host When mapped POSIX ACL is used, we are ignoring errors when trying to remove a POSIX ACL xattr that does not exist. On Linux hosts we would get ENODATA in such cases, on macOS hosts however we get ENOATTR instead. As we can be sure that ENOATTR is defined as being identical on Linux hosts (at least by qemu/xattr.h), it is safe to fix this issue by simply comparing against ENOATTR instead of ENODATA. This patch fixes e.g. a command on Linux guest like: cp --preserve=mode old new Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> Link: https://lore.kernel.org/qemu-devel/2866993.yOYK24bMf6@silver/ Reviewed-by: Greg Kurz <groug@kaod.org> Reviewed-by: Akihiko Odaki <akihiko.odaki@gmail.com> Message-Id: <34f81e9bffd7a3e65fb7aab5b56c107bd0aac960.1651228001.git.qemu_oss@crudebyte.com>
2022-04-29 12:25:22 +02:00
/*
* macOS returns ENOATTR (!=ENODATA on macOS), whereas Linux returns
* ENODATA (==ENOATTR on Linux), so checking for ENOATTR is fine
*/
if (ret == -1 && errno == ENOATTR) {
virtio-9p: removexattr on default acl should return 0 If we don't have default acl, removexattr on default acl should return 0 Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2011-04-27 08:56:43 +02:00
/*
* We don't get ENODATA error when trying to remove a
* posix acl that is not present. So don't throw the error
* even in case of mapped security model
*/
errno = 0;
ret = 0;
}
return ret;
virtio-9p: Support mapped posix acl Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
2010-10-18 11:58:16 +02:00
}
XattrOperations mapped_pacl_xattr = {
.name = "system.posix_acl_access",
.getxattr = mp_pacl_getxattr,
.setxattr = mp_pacl_setxattr,
.listxattr = mp_pacl_listxattr,
.removexattr = mp_pacl_removexattr,
};
XattrOperations mapped_dacl_xattr = {
.name = "system.posix_acl_default",
.getxattr = mp_dacl_getxattr,
.setxattr = mp_dacl_setxattr,
.listxattr = mp_dacl_listxattr,
.removexattr = mp_dacl_removexattr,
};
XattrOperations passthrough_acl_xattr = {
.name = "system.posix_acl_",
.getxattr = pt_getxattr,
.setxattr = pt_setxattr,
.listxattr = pt_listxattr,
.removexattr = pt_removexattr,
};
XattrOperations none_acl_xattr = {
.name = "system.posix_acl_",
.getxattr = notsup_getxattr,
.setxattr = notsup_setxattr,
.listxattr = notsup_listxattr,
.removexattr = notsup_removexattr,
};