path: root/lib
Age | Commit message | Author | Lines
2018-10-09 | Add unprivileged option in `mount.fuse3` | Mattias Nissler | -1/+24
The unprivileged option allows running the FUSE file system process without privileges by dropping capabilities and preventing them from being re-acquired via setuid / fscaps etc. To accomplish this, mount.fuse sets up the `/dev/fuse` file descriptor and mount itself and passes the file descriptor via the `/dev/fd/%u` mountpoint syntax to the FUSE file system.
2018-10-09 | Allow passing `/dev/fuse` file descriptor from parent process | Mattias Nissler | -4/+44
This adds support for a mode of operation in which a privileged parent process opens `/dev/fuse` and takes care of mounting. The FUSE file system daemon can then run as an unprivileged child that merely processes requests on the FUSE file descriptor, which get passed using the special `/dev/fd/%u` syntax for the mountpoint parameter.

The main benefit is that no privileged operations need to be performed by the FUSE file system daemon itself directly or indirectly, so the FUSE process can run fully unprivileged and mechanisms like securebits and no_new_privs can be used to prevent subprocesses from re-acquiring privilege via setuid, fscaps, etc. This reduces risk in case the FUSE file system gets exploited by malicious file system data.

Below is an example that illustrates this. Note that I'm using shell for presentation purposes, the expectation is that the parent process will implement the equivalent of the `mount -i` and `capsh` commands.

```
# example/hello can mount successfully with privilege
$ sudo sh -c "LD_LIBRARY_PATH=build/lib ./example/hello /mnt/tmp"
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp

# example/hello fails to mount without privilege
$ sudo capsh --drop=all --secbits=0x2f -- -c 'LD_LIBRARY_PATH=build/lib ./example/hello -f /mnt/tmp'
fusermount3: mount failed: Operation not permitted

# Passing FUSE file descriptor via /dev/fd/%u allows example/hello to work without privilege
$ sudo sh -c '
      exec 17<>/dev/fuse
      mount -i -o nodev,nosuid,noexec,fd=17,rootmode=40000,user_id=0,group_id=0 -t fuse hello /mnt/tmp
      capsh --drop=all --secbits=0x2f -- -c "LD_LIBRARY_PATH=build/lib example/hello /dev/fd/17"
  '
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
```
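The receiving side of the `/dev/fd/%u` hand-off described in the commit above, as an added example that is not libfuse's own code: a strict check a daemon could apply before treating its mountpoint argument as an inherited descriptor. The helper name `parse_inherited_fd`, its return codes and the read-write requirement are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FD_PREFIX "/dev/fd/"

/* Hypothetical helper for this example. Returns the inherited descriptor,
 * -1 if `mountpoint` is an ordinary path, or -2 if it uses the /dev/fd/
 * form but is malformed or does not name a usable descriptor. */
int parse_inherited_fd(const char *mountpoint)
{
    size_t plen = strlen(FD_PREFIX);
    if (strncmp(mountpoint, FD_PREFIX, plen) != 0)
        return -1;                  /* regular mountpoint path */

    const char *digits = mountpoint + plen;
    if (!isdigit((unsigned char)digits[0]))
        return -2;                  /* rejects "", "-1", "+3", " 3" */

    char *end;
    errno = 0;
    unsigned long n = strtoul(digits, &end, 10);
    if (errno != 0 || *end != '\0' || n > INT_MAX)
        return -2;                  /* overflow or trailing garbage */

    int fd = (int)n;
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1)
        return -2;                  /* not open in this process */
    if ((flags & O_ACCMODE) != O_RDWR)
        return -2;                  /* must read requests and write replies */
    return fd;
}

int main(int argc, char **argv)
{
    int fd = parse_inherited_fd(argc > 1 ? argv[1] : "/mnt/tmp");
    if (fd == -2) {
        fprintf(stderr, "unusable /dev/fd/ mountpoint\n");
        return 1;
    }
    puts(fd >= 0 ? "inherited descriptor accepted" : "ordinary mountpoint path");
    return 0;
}
```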
2018-09-20 | Don't enable adaptive readdirplus unless fs has readdir() handler. | Nikolaus Rath | -1/+2
2018-09-17 | Do not include struct fuse_buf in struct fuse_worker | Nikolaus Rath | -10/+9
This is only used in fuse_do_work(), so we can put it on the stack.
2018-08-29 | return different non-zero error codes (#290) | Oded Arbel | -6/+6
Return different error codes from fuse_main()
2018-08-26 | Fix memory leak of FUSE modules | Rostislav | -3/+23
2018-08-26 | Fix invalid free of memory pointer in 'struct fuse_buf' | Rostislav | -1/+2
2018-08-25 | Make meson build scripts subprojects friendly | Martin Blanchard | -1/+3
Multiple meson build scripts improvements including:
* Bump meson requirement to 0.40.1 (0.40 already required)
* Declare a dependency object for main library
* Stop using add_global_arguments()
* Various minor style fixes
2018-07-25 | Remove unused member of 'struct fuse_dh' | Rostislav Skudnov | -1/+0
2018-07-21 | Fix readdir() bug when a non-zero offset is specified in filler (#269) | Rostislav | -11/+15
The bug occurs when a filesystem client reads a directory until the end, seeks using seekdir() to some valid non-zero position and calls readdir(). A valid 'struct dirent *' is expected, but NULL is returned instead. Pseudocode demonstrating the bug:

```
DIR *dp = opendir("some_dir");
struct dirent *de = readdir(dp);

/* Get offset of the second entry */
long offset = telldir(dp);

/* Read directory until the end */
while (de)
        de = readdir(dp);

seekdir(dp, offset);
de = readdir(dp);
/* de must contain the second entry, but NULL is returned instead */
```

The reason for the bug is that when the end of directory is reached, the kernel calls FUSE_READDIR op with an offset at the end of directory, so the filesystem's .readdir callback never calls the filler function, and we end up with dh->filled set to 1. After seekdir(), FUSE_READDIR is called again with a new offset, but this time the filesystem's .readdir callback is never called, and an empty reply is returned.

Fix by setting dh->filled to 1 only when zero offsets are given to filler function.
2018-05-18 | rename: perform user mode dir loop check when not done in kernel | Bill Zissimooulos | -10/+12
Fix conditionals as per maintainer's request.
2018-05-18 | rename: perform user mode dir loop check when not done in kernel | Bill Zissimooulos | -3/+59
Linux performs the dir loop check (rename(a, a/b/c) or rename(a/b/c, a), etc.) in kernel. Unfortunately other systems do not perform this check (e.g. FreeBSD). This results in a deadlock in get_path2, because libfuse did not expect to handle such cases. We add a check_dir_loop function that performs the dir loop check in user mode and enable it on systems that need it.
2018-04-13 | Drop unneeded void cast for actually used local variable | Tomohiro Kusumi | -1/+0
`int sig` is actually used, so `(void) sig;` is unneeded.
2018-02-09 | Fix uninitialised read in fuse_new_30() (#231) (#234) | Ashley Pittman | -0/+3
Ensure that conf is always zero before it's read from to prevent sporadic failure at startup if higher layers were built against version 3.0

Signed-off-by: Ashley Pittman <ashley.m.pittman@intel.com>
2017-11-27 | Spelling (#223) | Josh Soref | -2/+2
Fix spelling errors
2017-11-03 | Backed out d92bf83 | Nikolaus Rath | -1/+1
This change is bogus. fuse_module_factory_t is already a pointer type. Additionally, if dlsym returns NULL, then you will be dereferencing it causing a segfault. In my testing, a segfault will happen even if dlsym returns successfully. Thanks to Michael Theall for spotting!
2017-09-27 | Adding pointer dereferencing after calling dlsym() | Sangwoo Moon | -1/+1
dlsym() resolves the location of the loaded symbol, therefore dlsym() returns the type (fuse_module_factory_t *), not (fuse_module_factory_t). Added pointer dereferencing to correctly refer to the factory function.
2017-09-25 | fuse_lib_ioctl(): don't call memcpy with NULL argument | Nikolaus Rath | -1/+1
This was detected by using clang's undefined behavior sanitizer, but didn't seem to cause problems in practice.
2017-09-25 | Link with -lrt to support ancient libc | Nikolaus Rath | -1/+4
Fixes: #207.
2017-09-19 | Correctly define fusermount3 path. | Nikolaus Rath | -1/+1
2017-09-19 | Make *_loop_mt() available in version 3.0 again | Nikolaus Rath | -2/+2
The old versions of these symbols were defined with version tag FUSE_3.0, so this is what we have to use in the .symver directive.
2017-09-19 | Fix versioned symbols in version script | Nikolaus Rath | -1/+4
According to "How to Write Shared Libraries" by Ulrich Drepper (https://www.akkadia.org/drepper/dsohowto.pdf), the version script should contain the exported name of the versioned symbol once in each tag for which it has been defined by .symver.
2017-09-19 | Don't use external symbol names in internal files | Nikolaus Rath | -7/+6
The fuse_session_loop_mt() and fuse_loop_mt() symbols are only visible when linking against the shared object. The code in lib/, however, is compiled *into* the shared object and should thus use the internal names of these functions.

Surprisingly enough, the code still worked before - but only when link time optimization was disabled.

Unfortunately, we still can't compile with LTO because it seems that enabling LTO somehow makes the tagged symbols vanish. Without lto, we have:

```
$ nm lib/libfuse3.so | grep fuse_new
0000000000011070 T fuse_new_30
0000000000010a00 t fuse_new_31
0000000000011070 T fuse_new@FUSE_3.0
0000000000010a00 T fuse_new@@FUSE_3.1
```

and with LTO:

```
$ nm lib/libfuse3.so | grep fuse_new
0000000000019a70 T fuse_new_30
0000000000019270 t fuse_new_31
```

See also issue #198.
2017-09-11 | fuse_kern_unmount(): close fd before calling umount | Nikolaus Rath | -1/+1
This is what the Linux version does, and it fixes a timeout under FreeBSD when the kernel sends a FUSE_DESTROY request that is never answered.
2017-08-25 | do_init(): print missing capabilities if there are any. | Nikolaus Rath | -1/+2
2017-08-24 | Dropped support for building with autotools | Nikolaus Rath | -43/+0
It's just too much pain to keep it working.
2017-08-24 | Add idle_threads mount option. | Joseph Dodge | -12/+58
2017-08-24 | Allow inode cache invalidation in high-level API | Sławek Rudnicki | -0/+41
We re-introduce the functionality of invalidating the caches for an inode specified by path by adding a new routine fuse_invalidate_path. This is useful for network-based file systems which use the high-level API, enabling them to notify the kernel about external changes. This is a revival of Miklos Szeredi's original code for the fuse_invalidate routine.
2017-08-23 | fuse_loop_mt(): on error, return errno rather than -1. | Nikolaus Rath | -1/+1
2017-08-23 | fuse_loop(): don't return non-zero if there was no error | Nikolaus Rath | -0/+4
2017-08-22 | Document and unify error codes of fuse_lowlevel_notify_* | Nikolaus Rath | -3/+9
2017-08-22 | Fix two compiler warnings. | Nikolaus Rath | -1/+1
2017-08-22 | Allow building without iconv. | Nikolaus Rath | -1/+7
cfg.has('HAVE_ICONV') was always true.
2017-08-14 | directly call fuse_new_31() instead of fuse_new() internally | userwithuid | -3/+4
this fixes building with lto, which failed since commit 503e32d01e4db00e90d7acfd81ab05386559069f
2017-08-11 | fuse_lib_init(): don't set FUSE_CAP_EXPORT_SUPPORT unconditionally | Nikolaus Rath | -1/+2
FreeBSD kernel does not support this.
2017-08-11 | fuse_kern_unmount(): fix variable type. | Nikolaus Rath | -1/+2
2017-08-11 | Fix unused variable warnings under FreeBSD. | Nikolaus Rath | -2/+2
2017-08-07 | Fix support for FUSE_POSIX_ACL | Marcin Sulikowski | -0/+2
The kernel may set the FUSE_POSIX_ACL flag in the FUSE_INIT request to notify the userspace daemon that the OS does support POSIX ACLs for FUSE file systems. If the filesystem implementation wants to enable POSIX ACLs, it has to reply with the FUSE_POSIX_ACL flag set. However, the reply to the kernel never includes this flag, even if the implementation expresses the need by setting the FUSE_CAP_POSIX_ACL flag in the fuse_conn_info::want variable passed to its init callback.

We modify the library to handle requests for FUSE_CAP_POSIX_ACL correctly, i.e., set the FUSE_POSIX_ACL flag in the FUSE_INIT reply to the kernel.

Signed-off-by: Marcin Sulikowski <marcin.sulikowski@editshare.com>
2017-08-06 | Released 3.1.1 | Nikolaus Rath | -1/+1
2017-08-03 | Simplify and fix FreeBSD fsname handling | Nikolaus Rath | -29/+10
This should simplify the code a lot. It also corrects a bug in that the (former) add_default_fsname() function actually set the -osubtype option.
2017-08-03 | Simply #ifdefs | Nikolaus Rath | -53/+0
mount_bsd.c is only used when compiling for *BSD, and FreeBSD is the only BSD that supports FUSE. So there really is no need to check if this file is compiled under FreeBSD.
2017-08-03 | FreeBSD: support fsname= option | Baptiste Daroussin | -0/+30
2017-08-03 | FreeBSD: use unmount(2) and add missing FreeBSD mount option | Baptiste Daroussin | -0/+12
2017-08-01 | Fix compiler warnings of gcc-5.4.x | Banglang | -1/+1
Signed-off-by: Banglang <banglang.huang@foxmail.com>
2017-07-13 | Only declare fuse_new_30() when FUSE_USE_VERSION == 30 | Nikolaus Rath | -24/+26
This function shouldn't be called when using a newer fuse version, so we should not define it in that case.
2017-07-13 | fuse_new_30(): call fuse_new_31(), not fuse_new() | Nikolaus Rath | -1/+1
I believe this function call is resolved by the compiler, not the linker, so this seems safer. Thanks to Chris Clayton for spotting this.
2017-07-08 | Fixup symbol versioning for GCC 4.x | Nikolaus Rath | -4/+7
GCC 4.8 doesn't like to rename fuse_new_30 to fuse_new, if we also define an implementation for fuse_new.
2017-07-08 | Added public fuse_lib_help(), bumped minor version | Nikolaus Rath | -53/+111
2017-07-08 | Fixed description of struct fuse_conn_info->time_gran | Nikolaus Rath | -1/+2
At least on Linux kernel 4.9, a value of zero gives more than 1-sec accuracy.
2017-07-07 | Don't use emacs' python-mode for meson files | Nikolaus Rath | -3/+0
There is a proper meson-mode now.