| Age | Commit message (Collapse) | Author | Lines |
|---|
|
Introduce an API for custom log handler functions. This allows libfuse
applications to send messages to syslog(3) or other logging systems.
See include/fuse_log.h for details.
Convert libfuse from fprintf(stderr, ...) to log_fuse(level, ...). Most
messages are error messages with FUSE_LOG_ERR log level. There are also
some debug messages which now use the FUSE_LOG_DEBUG log level.
Note that lib/mount_util.c is used by both libfuse and fusermount3.
Since fusermount3 does not link against libfuse, we cannot call
fuse_log() from lib/mount_util.c. This file will continue to use
fprintf(stderr, ...) until someone figures out how to split it up.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Recent GCC releases have warnings related to common strncpy(3) bugs.
These warnings can be avoided by explicitly NUL-terminating the buffer
or using memcpy(3) when the intention is to copy just the characters
without the NUL terminator.
This commit fixes the following warnings:
[1/27] Compiling C object 'test/9f86d08@@test_syscalls@exe/test_syscalls.c.o'.
In function ‘test_socket’,
inlined from ‘main’ at ../test/test_syscalls.c:1899:9:
../test/test_syscalls.c:1760:2: warning: ‘strncpy’ output may be truncated copying 108 bytes from a string of length 1023 [-Wstringop-truncation]
1760 | strncpy(su.sun_path, testsock, sizeof(su.sun_path));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[2/27] Compiling C object 'lib/76b5a35@@fuse3@sha/fuse.c.o'.
../lib/fuse.c: In function ‘add_name’:
../lib/fuse.c:968:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
968 | strncpy(s, name, len);
| ^~~~~~~~~~~~~~~~~~~~~
../lib/fuse.c:944:15: note: length computed here
944 | size_t len = strlen(name);
| ^~~~~~~~~~~~
[3/27] Compiling C object 'lib/76b5a35@@fuse3@sha/fuse_lowlevel.c.o'.
../lib/fuse_lowlevel.c: In function ‘fuse_add_direntry’:
../lib/fuse_lowlevel.c:288:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
288 | strncpy(dirent->name, name, namelen);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/fuse_lowlevel.c:276:12: note: length computed here
276 | namelen = strlen(name);
| ^~~~~~~~~~~~
../lib/fuse_lowlevel.c: In function ‘fuse_add_direntry_plus’:
../lib/fuse_lowlevel.c:381:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
381 | strncpy(dirent->name, name, namelen);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/fuse_lowlevel.c:366:12: note: length computed here
366 | namelen = strlen(name);
| ^~~~~~~~~~~~
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
on failure to set the pipe size, set it to the maximum allowed by the
kernel.
If the first request required more than the maximum allowed, the
can_grow flag would be reset thus preventing any further resize.
Grow the pipe to the maximum allowed to increase the likelihood of
using splice for successive requests instead of falling back to
read/write.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
Starting with kernel version 4.20 fuse supports a new property
'max_pages' which is the maximum number of pages that can be used per
request. This can be set via an argument during initialization.
This new property allows writes to be larger than 128k.
This patch sets the property if the matching capability is set
(FUSE_MAX_PAGES). It will also set max_write to 1MiB. Filesystems have
the possibility to decrease this size by setting max_write to a smaller
size. The max_pages and bufsize fields are adjusted accordingly.
Cc: Constantine Shulyupin <const@MakeLinux.com>
Signed-off-by: Markus Pargmann <scosu@quobyte.com>
|
|
The pointer operand to the binary `+` operator must be to a complete
object type. Since we are working with byte sizes, use `char *` instead.
|
|
|
|
Fixes: #394.
|
|
This constant is not defined in the kernel, so it will be lost when
fuse_kernel.h is not synchronized. Instead, the kernel just passes a
flag value of "1", so for now we also use a literal in userspace.
|
|
|
|
Add support for the relatively new copy_file_range() syscall. Backend
filesystems can now implement an efficient way of cloning/duplicating
data ranges within files. See 'man 2 copy_file_range' for more details.
|
|
This adds support for a mode of operation in which a privileged parent
process opens `/dev/fuse` and takes care of mounting. The FUSE file
system daemon can then run as an unprivileged child that merely
processes requests on the FUSE file descriptor, which get passed using
the special `/dev/fd/%u` syntax for the mountpoint parameter.
The main benefit is that no privileged operations need to be performed
by the FUSE file system daemon itself directly or indirectly, so the
FUSE process can run with fully unprivileged and mechanisms like
securebits and no_new_privs can be used to prevent subprocesses from
re-acquiring privilege via setuid, fscaps, etc. This reduces risk in
case the FUSE file system gets exploited by malicious file system
data.
Below is an example that illustrates this. Note that I'm using shell
for presentation purposes, the expectation is that the parent process
will implement the equivalent of the `mount -i` and `capsh` commands.
```
\# example/hello can mount successfully with privilege
$ sudo sh -c "LD_LIBRARY_PATH=build/lib ./example/hello /mnt/tmp"
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
\# example/hello fails to mount without privilege
$ sudo capsh --drop=all --secbits=0x2f -- -c 'LD_LIBRARY_PATH=build/lib ./example/hello -f /mnt/tmp'
fusermount3: mount failed: Operation not permitted
\# Passing FUSE file descriptor via /dev/fd/%u allows example/hello to work without privilege
$ sudo sh -c '
exec 17<>/dev/fuse
mount -i -o nodev,nosuid,noexec,fd=17,rootmode=40000,user_id=0,group_id=0 -t fuse hello /mnt/tmp
capsh --drop=all --secbits=0x2f -- -c "LD_LIBRARY_PATH=build/lib example/hello /dev/fd/17"
'
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
```
|
|
|
|
Fix spelling errors
|
|
|
|
|
|
|
|
The kernel may set the FUSE_POSIX_ACL flag in the FUSE_INIT request to
notify the userspace daemon that the OS does support POSIX ACLs for FUSE
file systems. If the filesystem implementation wants to enable POSIX
ACLs, it has to reply with the FUSE_POSIX_ACL flag set. However, the
reply to the kernel never includes this flag, even if the implementation
expresses the need by setting the FUSE_CAP_POSIX_ACL flag in the
fuse_conn_info::want variable passed to its init callback. We modify the
library to handle requests for FUSE_CAP_POSIX_ACL correctly, i.e., set
the FUSE_POSIX_ACL flag in the FUSE_INIT reply to the kernel.
Signed-off-by: Marcin Sulikowski <marcin.sulikowski@editshare.com>
|
|
At least on Linux kernel 4.9, a value of zero gives more
than 1-sec accuracy.
|
|
read() return value should always be positive or -1. However,
since we cast to unsigned a little later, it's clearer
to check for non-negativity.
|
|
Some variables of different size and sign were getting compared
without any safe casting.
The build system also throws warnings at this and, being this
library used for filesystems, it's really important to ensure
stability.
|
|
Currently libfuse has a hardcoded buffer limit to 128kib, while fuse
kernel module has a limit up to 32 pages.
This patch changes buffer limit to match the current page size, instead
of assuming 4096 bytes pages, enabling architectures with bigger pages
to use larger buffers, improving performance.
Also, add a new macro (HEADER_SIZE) to specify the space needed to
accommodate the header, making it easier to understand why those extra
4096 bytes are needed
Signed-off-by: Carlos Maiolino <cmaiolino-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
|
|
|
|
-oallow_root is handled in userspace, and requires passing -oallow_other
to the kernel. This patch should make the code easier to understand and
avoid the confusion that gave rise to issue #86.
|
|
Fixes #116.
|
|
Fixes #117.
|
|
Enabled by default since we haven't released libfuse 3.0 yet :-).
Fixes #112.
|
|
Fixes #112.
|
|
See also issue #114.
|
|
Instead of abort()ing, close the session properly and return an
error code.
|
|
|
|
Eventually, this setting should be negotiated in the filesystem's init()
handler (like e.g. max_write). However, this requires corresponding
changes in the FUSE kernel module. In preparation for this (and to allow
a transition period) we already allow (and require) filesystems to set
the value in the init() handler in addition to the mount option.
The end-goal is tracked in issue #91.
|
|
The fuse_session pointer is sometimes called f and at other times
se. The former is an artifact from the time when there still was a
separate struct fuse_ll object.
For consistency and to easy maintenance, this patch changes the name of
the fuse_session pointer to "se" wherever possible.
This patch was generated by the following Coccinelle script:
@@
symbol f, se;
@@
struct fuse_session *
-f
+se
;
<...
-f
+se
...>
@@
expression expr;
@@
struct fuse_session *
-f
+se
= expr;
<...
-f
+se
...>
@@
identifier fn;
@@
fn(...,struct fuse_session *
-f
+se
,...) { <...
-f
+se
...> }
Due to its complexity, the do_init() function had to be commented out
and then patched manually.
|
|
This should help avoid people to accidentally put options
into argv[0].
Fixes #100.
|
|
If fuse_session_mount() fails (or was never called in the first place)
we end up with the default fd value which happens to be 0. It hurts
long-running processes, which lifetime extends beyond session's
lifetime.
|
|
Fixes commit 3e022acf4076.
Thanks to Github user mtheall for the review!
|
|
Both the BSD and Linux implementation actually accept mostly the same
FUSE-specific mount options. Up to now, the BSD help function appended
the output of ``mount_fusefs --help``, but looking at
http://www.unix.com/man-page/freebsd/8/mount_fusefs/ this is likely more
confusing than helpful (since the user is not actually invoking
mount_fusefs directly, most of the options don't make sense).
|
|
|
|
We now only list options that are potentially useful for an
end-user (and unlikely to accidentally break a file system). The full
list of FUSE options has been moved to the documentation of the
fuse_new() and fuse_session_new() functions.
|
|
Instead of using command line options to modify struct fuse_conn_info
before and after calling the init() handler, we now give the file system
explicit control over this.
|
|
|
|
|
|
Previously, some command line options would change the FUSE defaults
but leave the final value to the file systems `init` handler while
others would override any changes made by `init`. Now, command line
options do both: they modify the default, *and* take precedence.
|
|
This option really affects the behavior of the session loop, not the
low-level interface. Therefore, it does not belong in the fuse_session
object.
|
|
The session options are used only once to determine the proper
conn->want flags. It is nice to have them clearly separated from the
other struct fuse_session members that are used throughout the life of
the file system.
|
|
|
|
|
|
|
|
This is redundant with the capability flags in `wants` and `capable`.
|
|
In commit 2ed7af, we accidentally set the default values *after*
parsing the command line arguments.
|
|
These changes were generated with the following Coccinelle semantic
patch:
@@
symbol f, se; // avoid unneeded warnings from Coccinelle
@@
struct fuse_session *
-f
+se
;
<...
-f
+se
...>
@@
identifier fn;
@@
fn(...,struct fuse_session *
-f
+se
,...) { <...
-f
+se
...> }
|
