| Age | Commit message (Collapse) | Author | Lines |
|---|
|
kfreebsd is a FreeBSD kernel and a GNU libc
The only macro defined in that case is __FreeBSD_kernel__
Fix #580
|
|
70e25ea74e("Fix build on non-Linux") broke build on DragonFly BSD,
or likely anything other than FreeBSD and NetBSD that is not Linux.
Signed-off-by: Tomohiro Kusumi <kusumi.tomohiro@gmail.com>
|
|
* Update meson.build to add mount_util.c to libfuse_sources
unconditionally, it's non Linux-only
* FreeBSD, like NetBSD, doesn't have mntent.h, so don't include
that and define IGNORE_MTAB for both
* FreeBSD, like NetBSD, has no umount2() sysctl, so similarly define
it to unmount()
|
|
This adds support for a mode of operation in which a privileged parent
process opens `/dev/fuse` and takes care of mounting. The FUSE file
system daemon can then run as an unprivileged child that merely
processes requests on the FUSE file descriptor, which get passed using
the special `/dev/fd/%u` syntax for the mountpoint parameter.
The main benefit is that no privileged operations need to be performed
by the FUSE file system daemon itself directly or indirectly, so the
FUSE process can run with fully unprivileged and mechanisms like
securebits and no_new_privs can be used to prevent subprocesses from
re-acquiring privilege via setuid, fscaps, etc. This reduces risk in
case the FUSE file system gets exploited by malicious file system
data.
Below is an example that illustrates this. Note that I'm using shell
for presentation purposes, the expectation is that the parent process
will implement the equivalent of the `mount -i` and `capsh` commands.
```
\# example/hello can mount successfully with privilege
$ sudo sh -c "LD_LIBRARY_PATH=build/lib ./example/hello /mnt/tmp"
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
\# example/hello fails to mount without privilege
$ sudo capsh --drop=all --secbits=0x2f -- -c 'LD_LIBRARY_PATH=build/lib ./example/hello -f /mnt/tmp'
fusermount3: mount failed: Operation not permitted
\# Passing FUSE file descriptor via /dev/fd/%u allows example/hello to work without privilege
$ sudo sh -c '
exec 17<>/dev/fuse
mount -i -o nodev,nosuid,noexec,fd=17,rootmode=40000,user_id=0,group_id=0 -t fuse hello /mnt/tmp
capsh --drop=all --secbits=0x2f -- -c "LD_LIBRARY_PATH=build/lib example/hello /dev/fd/17"
'
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
```
|
|
Apparently, NetBSD does not have /etc/mtab. Setting IGNORE_MTAB
in this case makes the code a little nicer.
See also https://github.com/libfuse/libfuse/pull/123
|
|
This brings the default behavior in-line with that of the
regular `mount` command.
|
|
This should make more clear what file contains code for what
purpose.
|
|
|
|
Found by Tavis Ormandy (CVE-2015-3202).
|
|
|
|
This allows compiling fuse with musl.
|
|
add AC_SYS_LARGEFILE to your configure.ac instead.
|
|
|
|
|
|
--no-canonicalize
Remove "legacy" util-linux support as missing --no-canonicalize cannot
be worked around in fuse.
|
|
If umount(8) supports --fake and --no-canonicalize (util-linux-ng
version 2.18 or later), and umount(2) supports the UMOUNT_NOFOLLOW
flag (linux kernel version 2.6.35 or later) then, "fusermount -u" will
call the umount(2) system call and use "umount --fake ..." to update
/etc/mtab
Added --disable-legacy-umount option to configure. This disables the
runtime checking of umount(8) version. When built with this option
then "fusermount -u" will fail if umount(8) doesn't support the --fake
and --no-canonicalize options.
|
|
Open /dev/null for write instead of read for redirecting stdout and
stderr
|
|
|
|
The bulk of it is just about adding ifdef __NetBSD__ where there is
already an ifdef __FreeBSD__
Add a arch=netbsd to deal with NetBSD specifics. I suggests that
arch=bsd could be renamed to arch=freebsd
NetBSD specific linking with -lperfuse
NetBSD patches to lib/mount.c. It turned to be less itrusive to patch
mount;c than mount_bsd.c. I suggest mount_bsd.c could be renamed to
mount_freebsd.c
Patch from Emmanuel Dreyfus
|
|
* Using --no-canonicalize with umount(8) conflicts with the race
fix, sinceit assumes the supplied path is absolute, while the race
fix relies on the path being relative to the current directory
|
|
Reported by Dan Rosenberg
* Make sure that the path to be unmounted doesn't refer to a
symlink
|
|
util-linux-ng version 2.17 or greater) to avoid calling
readling(2) on the newly mounted filesystem before the mount
procedure is finished. This has caused a deadlock if audit was
enabled in the kernel. Also use '--no-canonicalize' for umount to
avoid touching the mounted filesystem.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
