Age | Commit message | Author | Lines |
|
|
|
|
|
'FUSE_CAP_HANDLE_KILLPRIV' is not enabled by default anymore, as that
would be a sudden security issue introduced by a new ABI and API
compatible libfuse version.
|
|
Allowing parallel dir operations could result in a crash in a filesystem
implementation that is not prepared for this.
To be safe keep this flag off by default (this is not a regression, since
there was no public release where this flag wasn't ignored).
If the filesystem wants better performance, then it should set this flag
explicitly.
Fixes: c9905341ea34 ("Pass FUSE_PARALLEL_DIROPS to kernel (#861)")
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
|
|
This is not called FUSE_CAP_DIRECT_IO_RELAX, as the kernel flag
FUSE_DIRECT_IO_RELAX is supposed to be renamed to
FUSE_DIRECT_IO_ALLOW_MMAP. The corresponding kernel patches just
did not land yet.
|
|
This tells the kernel that parallel lookup/readdir operations are
supported. This is enabled by default but was not passed to the kernel
so you always get the synchronized version.
|
|
Instead of hardcoding the value to check against, use a more dynamic method to verify the error number before passing it to the kernel.
|
|
|
|
This syncs fuse_kernel.h to <linux-6.3>/include/uapi/linux/fuse.h
Special handling is done for setxattr as in linux commit
52a4c95f4d24b struct fuse_setxattr_in was extended. Extended
struct is only used when FUSE_SETXATTR_EXT is passed in FUSE_INIT
reply.
|
|
Right now fuse kernel serializes direct writes on the
same file. This serialization is good for such FUSE
implementations which rely on the inode lock to
avoid any data inconsistency issues but it hurts badly
such FUSE implementations which have their own mechanism
of dealing with cache/data integrity and can handle
parallel direct writes on the same file.
This patch allows parallel direct writes on the same file to be
enabled with the help of a flag FOPEN_PARALLEL_DIRECT_WRITES.
FUSE implementations which want to use this feature can
set this flag during fuse init. Default behaviour remains the
same, i.e. no parallel direct writes on the same file.
Corresponding fuse kernel patch (merged):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.2&id=153524053bbb0d27bb2e0be36d1b46862e9ce74c
|
|
Such as for the xfstest-dev's generic/684 test case it will clear
suid and sgid if the fallocate request is committed by an unprivileged
user.
The kernel fuse passed the ATTR_KILL_SUID/ATTR_KILL_SGID flags to
userspace but it will be dropped.
Signed-off-by: Xiubo Li <xiubli@redhat.com>
|
|
This addresses: https://github.com/libfuse/libfuse/issues/724
HAVE_LIBC_VERSIONED_SYMBOLS configures whether the library uses
versioned symbols and is set at meson configuration time.
External filesystems (the main target, actually)
include fuse headers and the preprocessor
then acts on HAVE_LIBC_VERSIONED_SYMBOLS. Problem was now that
'config.h' was not distributed with libfuse and so
HAVE_LIBC_VERSIONED_SYMBOLS was never defined with external
tools and the preprocessor made the wrong decision.
This commit also increases the minimal meson version,
as this depends on a meson feature only available in 0.50
<quote 'meson' >
WARNING: Project specifies a minimum meson_version '>= 0.42' but uses features which were added in newer versions:
* 0.50.0: {'install arg in configure_file'}
</quote>
Additionally the config file has been renamed to "fuse_config.h"
to avoid clashes - 'config.h' is not very specific.
|
|
The io for FUSE requests and responses can now be further customized by allowing to write custom functions for reading/writing the responses. This includes overriding the splice io.
The reason for this addition is that having a custom file descriptor is not sufficient to allow custom io. Different types of file descriptor require different mechanisms of io interaction. For example, some file descriptor communication has boundaries (SOCK_DGRAM, EOF, etc...), while other types of fds might be unbounded (SOCK_STREAMS, ...). For unbounded communication, you have to read the header of the FUSE request first, and then read the remaining packet data. Furthermore, the one read call does not necessarily return all the data expected, requiring further calls in a loop.
|
|
|
|
|
|
This reverts commit 777663953382925c7403f0560c28ec9bbd14d7be.
|
|
libfuse can now be used without having a mount interface.
|
|
If we get the interrupt before the fuse op, the fuse_req is deleted without
decrementing the refcount on the cloned file descriptor. This leads to a
leak of the cloned /dev/fuse file descriptor.
|
|
It is better to tell the kernel that libfuse knows
about the 64 bit flag extension.
|
|
In fuse kernel, 'commit 53db28933e95 ("fuse: extend init flags")'
made the changes to handle flags going beyond 32 bits but I think
changes were not done in libfuse to handle the same.
This patch prepares the ground in libfuse for incoming FUSE kernel
patches (Atomic open + lookup) where flags went beyond 32 bits.
It makes the struct the same as in the fuse kernel, resulting in a name change of
a few fields.
|
|
do_interrupt would destroy_req on the request without decrementing the
channel's refcount. With clone_fd this could leak file descriptors if
the worker thread holding the cloned fd was destroyed. (Only
max_idle_threads are kept).
|
|
Allow requesting from kernel to avoid flush on close at file open
time. If kernel does not support FOPEN_NOFLUSH flag, the request
will be ignored.
For passthrough_hp example, request to avoid flush on close when
writeback cache is disabled and file is opened O_RDONLY.
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
|
|
This seems to have been added before 2006 to fix a uclibc bug. It
doesn't seem to be the case anymore so just get rid of it.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
|
This commit defines a new capability called `FUSE_CAP_CACHE_SYMLINKS`.
It is off by default but you can now enable it by setting this flag
in the `want` field of the `fuse_conn_info` structure.
When enabled, the kernel will save symlinks in its page cache,
by making use of the feature introduced in kernel 4.20:
https://github.com/torvalds/linux/commit/5571f1e65486be025f73fa6aa30fb03725d362a2
|
|
|
|
Fixes: #538.
|
|
Move assert for se before dereferencing it with se->debug.
Signed-off-by: Liao Pingfang <liao.pingfang@zte.com.cn>
Co-authored-by: Liao Pingfang <liao.pingfang@zte.com.cn>
|
|
If fuse_session_unmount is called before fuse_session_destroy, both
would try to close(se->fd). Avoid that by resetting it in
fuse_session_unmount.
|
|
Context: SPLICE_WRITE is not used with regular buffers
(i.e. when they are not file-descriptor backed buffers).
There is a bug which assumes file descriptors are used.
If the amount of data associated with those FD is lower
than twice the page size, SPLICE_WRITE is not utilized.
With regular buffers the aggregated size was always 0.
Because vmsplice (splice user pages to/from a pipe) is
called before splice in fuse_lowlevel.c, regular buffers
would also work with splice.
This patch prevents falling back to non-splice-enabled
copies when there is no FD involved.
|
|
|
|
fuse_init already refuses to start if we're on major < 7,
so we can kill off checks for old major versions.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
|
|
|
|
|
Introduce an API for custom log handler functions. This allows libfuse
applications to send messages to syslog(3) or other logging systems.
See include/fuse_log.h for details.
Convert libfuse from fprintf(stderr, ...) to log_fuse(level, ...). Most
messages are error messages with FUSE_LOG_ERR log level. There are also
some debug messages which now use the FUSE_LOG_DEBUG log level.
Note that lib/mount_util.c is used by both libfuse and fusermount3.
Since fusermount3 does not link against libfuse, we cannot call
fuse_log() from lib/mount_util.c. This file will continue to use
fprintf(stderr, ...) until someone figures out how to split it up.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
Recent GCC releases have warnings related to common strncpy(3) bugs.
These warnings can be avoided by explicitly NUL-terminating the buffer
or using memcpy(3) when the intention is to copy just the characters
without the NUL terminator.
This commit fixes the following warnings:
[1/27] Compiling C object 'test/9f86d08@@test_syscalls@exe/test_syscalls.c.o'.
In function ‘test_socket’,
inlined from ‘main’ at ../test/test_syscalls.c:1899:9:
../test/test_syscalls.c:1760:2: warning: ‘strncpy’ output may be truncated copying 108 bytes from a string of length 1023 [-Wstringop-truncation]
1760 | strncpy(su.sun_path, testsock, sizeof(su.sun_path));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[2/27] Compiling C object 'lib/76b5a35@@fuse3@sha/fuse.c.o'.
../lib/fuse.c: In function ‘add_name’:
../lib/fuse.c:968:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
968 | strncpy(s, name, len);
| ^~~~~~~~~~~~~~~~~~~~~
../lib/fuse.c:944:15: note: length computed here
944 | size_t len = strlen(name);
| ^~~~~~~~~~~~
[3/27] Compiling C object 'lib/76b5a35@@fuse3@sha/fuse_lowlevel.c.o'.
../lib/fuse_lowlevel.c: In function ‘fuse_add_direntry’:
../lib/fuse_lowlevel.c:288:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
288 | strncpy(dirent->name, name, namelen);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/fuse_lowlevel.c:276:12: note: length computed here
276 | namelen = strlen(name);
| ^~~~~~~~~~~~
../lib/fuse_lowlevel.c: In function ‘fuse_add_direntry_plus’:
../lib/fuse_lowlevel.c:381:2: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
381 | strncpy(dirent->name, name, namelen);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/fuse_lowlevel.c:366:12: note: length computed here
366 | namelen = strlen(name);
| ^~~~~~~~~~~~
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
on failure to set the pipe size, set it to the maximum allowed by the
kernel.
If the first request required more than the maximum allowed, the
can_grow flag would be reset thus preventing any further resize.
Grow the pipe to the maximum allowed to increase the likelihood of
using splice for successive requests instead of falling back to
read/write.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
|
|
Starting with kernel version 4.20 fuse supports a new property
'max_pages' which is the maximum number of pages that can be used per
request. This can be set via an argument during initialization.
This new property allows writes to be larger than 128k.
This patch sets the property if the matching capability is set
(FUSE_MAX_PAGES). It will also set max_write to 1MiB. Filesystems have
the possibility to decrease this size by setting max_write to a smaller
size. The max_pages and bufsize fields are adjusted accordingly.
Cc: Constantine Shulyupin <const@MakeLinux.com>
Signed-off-by: Markus Pargmann <scosu@quobyte.com>
|
|
The pointer operand to the binary `+` operator must be to a complete
object type. Since we are working with byte sizes, use `char *` instead.
|
|
|
|
Fixes: #394.
|
|
This constant is not defined in the kernel, so it will be lost when
fuse_kernel.h is not synchronized. Instead, the kernel just passes a
flag value of "1", so for now we also use a literal in userspace.
|
|
|
|
Add support for the relatively new copy_file_range() syscall. Backend
filesystems can now implement an efficient way of cloning/duplicating
data ranges within files. See 'man 2 copy_file_range' for more details.
|
|
This adds support for a mode of operation in which a privileged parent
process opens `/dev/fuse` and takes care of mounting. The FUSE file
system daemon can then run as an unprivileged child that merely
processes requests on the FUSE file descriptor, which get passed using
the special `/dev/fd/%u` syntax for the mountpoint parameter.
The main benefit is that no privileged operations need to be performed
by the FUSE file system daemon itself directly or indirectly, so the
FUSE process can run fully unprivileged and mechanisms like
securebits and no_new_privs can be used to prevent subprocesses from
re-acquiring privilege via setuid, fscaps, etc. This reduces risk in
case the FUSE file system gets exploited by malicious file system
data.
Below is an example that illustrates this. Note that I'm using shell
for presentation purposes, the expectation is that the parent process
will implement the equivalent of the `mount -i` and `capsh` commands.
```
# example/hello can mount successfully with privilege
$ sudo sh -c "LD_LIBRARY_PATH=build/lib ./example/hello /mnt/tmp"
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
# example/hello fails to mount without privilege
$ sudo capsh --drop=all --secbits=0x2f -- -c 'LD_LIBRARY_PATH=build/lib ./example/hello -f /mnt/tmp'
fusermount3: mount failed: Operation not permitted
# Passing FUSE file descriptor via /dev/fd/%u allows example/hello to work without privilege
$ sudo sh -c '
exec 17<>/dev/fuse
mount -i -o nodev,nosuid,noexec,fd=17,rootmode=40000,user_id=0,group_id=0 -t fuse hello /mnt/tmp
capsh --drop=all --secbits=0x2f -- -c "LD_LIBRARY_PATH=build/lib example/hello /dev/fd/17"
'
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
```
|
|
|
|
Fix spelling errors
|
|
|
|
|
|
|
|
The kernel may set the FUSE_POSIX_ACL flag in the FUSE_INIT request to
notify the userspace daemon that the OS does support POSIX ACLs for FUSE
file systems. If the filesystem implementation wants to enable POSIX
ACLs, it has to reply with the FUSE_POSIX_ACL flag set. However, the
reply to the kernel never includes this flag, even if the implementation
expresses the need by setting the FUSE_CAP_POSIX_ACL flag in the
fuse_conn_info::want variable passed to its init callback. We modify the
library to handle requests for FUSE_CAP_POSIX_ACL correctly, i.e., set
the FUSE_POSIX_ACL flag in the FUSE_INIT reply to the kernel.
Signed-off-by: Marcin Sulikowski <marcin.sulikowski@editshare.com>
|