[RFC PATCH 0/5] fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC

[RFC PATCH 0/5] fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC

[Vivek Goyal]

Hi Miklos,

Here is the updated RFC patch for implementing FUSE_HANDLE_KILLPRIV_V2
and enabling SB_NOSEC. Previous discussion was here.

https://lore.kernel.org/linux-fsdevel/20200716144032.GC422759@redhat.com/

Based on previous discussion, you preferred that enabling SB_NOSEC
should dependent on FUSE_HANDLE_KILLPRIV. We also agreed that
implementing FUSE_HANDLE_KILLPRIV_V2 probably is a good idea because
current version clears suid/sgid even if caller has CAP_FSETID in
certain cases.

So I decided to give it a try and here are the RFC patches. This is only
compile and boot tested. Before I spend more time, I want to make sure
I am heading in right direction.

I have done some virtiofsd changes as well to enable handle_killpriv_v2
and proof of concept patch is here.

https://github.com/rhvgoyal/qemu/commit/5c8b40dd94e094942df3fd2796b1ee468f9d3df3

TODO: I want to set set SB_NOSEC flag after I get a response from file
      server. But we send init request asynchronously. That means
      by the time fill_super finishes, we might not get resoponse
      from server and that means we might not enable SB_NOSEC.

Before I improve these patches, I have my doubts that enabling
SB_NOSEC should be dependent on FUSE_HANDLE_KILLPRIV_V2. And here
is my rationale.

If server clears suid/sgid/caps on chown/trunc/write always, then
it probably just provides little better coherency in certain cases
where client B might have modified file metadata and client A does
not know about it.

So those who have even stricter coherency requirement can enable
FUSE_HANDLE_KILLPRIV_V2. But I am not sure why it should be a
pre-requisite for SB_NOSEC.

Even now, clearing of suid/sgid happens based on cached state of
inode->mode. So even with SB_NOSEC disabled, it is very much possible
that client B sets suid/sgid and client A write will not clear it.

Only exception seems to be security.capability. Because we don't
cache this xattr, currently we always check with file server if
this xattr is set. If it is, we clear it. So while suid/sgid
clearing is dedendent on cached attributes in client, clearing
of caps is not. I feel this is probably more by accident and
not design.

To me, I can think of following two models.

- weak coherency

  Clearing of suid/sgid/caps is driven by cached attributes in client.
  If attributes are stale, then suid/sgid/caps might not be cleared.
  This is the current default (except the case of caps).

- strong coherency

  File server takes care of clearing suid/sgid/caps so that even if
  client cache is old/stale, server will still be able to clear it.
  This is what FUSE_HANDLE_KILLPRIV_V2 can achieve based on the
  use case.

IOW, FUSE_HANDLE_KILLPRIV_V2 will help choose between weak/strong
coherency model when it comes to clearing suid/sgid/caps. But
notion of SB_NOSEC seems to be orthogonal to FUSE_HANDLE_KILLPRIV_V2
and SB_NOSEC should work both with and without FUSE_HANDLE_KILLPRIV_V2.

FUSE_HANDLE_KILLPRIV_V2 has its own issues. Right now enabling it does
not disable client driven clearing of suid/sgid/caps
(file_remove_privs() and other chown/trucnation paths).

If we actively work on supressing file_remove_privs/setattr when
FUSE_HANDLE_KILLPRIV_V2 is set, then we have the issue of client
attributes going stale (suid/sgid), as server might clear suid/sgid
upon write but client will have no idea. May be we can keep track
of completion of writes and clear suid/sgid in local cache or
invalidate attrs etc. Something to think about.
  
In short, I feel more inclined that SB_NOSEC should not be dependent
on FUSE_HANDLE_KILLPRIV_V2. It should be a separate feature which
works both with and without and user chooses FUSE_HANDLE_KILLPRIV_V2
if they want stronger coherency.

If you are concerned about regression w.r.t clear of caps, then we
can think of enabling SB_NOSEC conditionally. Say user chooses it
as mount option. But given caps is just an outlier and currently
we clear suid/sgid based on cache (and not based on state on server),
I feel it might not be a huge issue.

What do you think?

Thanks
Vivek

Vivek Goyal (5):
  fuse: Introduce the notion of FUSE_HANDLE_KILLPRIV_V2
  fuse: Set FUSE_WRITE_KILL_PRIV in cached write path
  fuse: Add a flag FUSE_SETATTR_KILL_PRIV
  fuse: For sending setattr in case of open(O_TRUNC)
  virtiofs: Support SB_NOSEC flag to improve direct write performance

 fs/fuse/dir.c             | 13 +++++++++----
 fs/fuse/file.c            |  2 ++
 fs/fuse/fuse_i.h          |  6 ++++++
 fs/fuse/inode.c           | 17 ++++++++++++++++-
 fs/fuse/virtio_fs.c       |  3 +++
 include/uapi/linux/fuse.h | 18 +++++++++++++++++-
 6 files changed, 53 insertions(+), 6 deletions(-)

-- 
2.25.4

[Virtio-fs] [RFC PATCH 0/5] fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC

[Vivek Goyal]

Hi Miklos,

Here is the updated RFC patch for implementing FUSE_HANDLE_KILLPRIV_V2
and enabling SB_NOSEC. Previous discussion was here.

https://lore.kernel.org/linux-fsdevel/20200716144032.GC422759@redhat.com/

Based on previous discussion, you preferred that enabling SB_NOSEC
should dependent on FUSE_HANDLE_KILLPRIV. We also agreed that
implementing FUSE_HANDLE_KILLPRIV_V2 probably is a good idea because
current version clears suid/sgid even if caller has CAP_FSETID in
certain cases.

So I decided to give it a try and here are the RFC patches. This is only
compile and boot tested. Before I spend more time, I want to make sure
I am heading in right direction.

I have done some virtiofsd changes as well to enable handle_killpriv_v2
and proof of concept patch is here.

https://github.com/rhvgoyal/qemu/commit/5c8b40dd94e094942df3fd2796b1ee468f9d3df3

TODO: I want to set set SB_NOSEC flag after I get a response from file
      server. But we send init request asynchronously. That means
      by the time fill_super finishes, we might not get resoponse
      from server and that means we might not enable SB_NOSEC.

Before I improve these patches, I have my doubts that enabling
SB_NOSEC should be dependent on FUSE_HANDLE_KILLPRIV_V2. And here
is my rationale.

If server clears suid/sgid/caps on chown/trunc/write always, then
it probably just provides little better coherency in certain cases
where client B might have modified file metadata and client A does
not know about it.

So those who have even stricter coherency requirement can enable
FUSE_HANDLE_KILLPRIV_V2. But I am not sure why it should be a
pre-requisite for SB_NOSEC.

Even now, clearing of suid/sgid happens based on cached state of
inode->mode. So even with SB_NOSEC disabled, it is very much possible
that client B sets suid/sgid and client A write will not clear it.

Only exception seems to be security.capability. Because we don't
cache this xattr, currently we always check with file server if
this xattr is set. If it is, we clear it. So while suid/sgid
clearing is dedendent on cached attributes in client, clearing
of caps is not. I feel this is probably more by accident and
not design.

To me, I can think of following two models.

- weak coherency

  Clearing of suid/sgid/caps is driven by cached attributes in client.
  If attributes are stale, then suid/sgid/caps might not be cleared.
  This is the current default (except the case of caps).

- strong coherency

  File server takes care of clearing suid/sgid/caps so that even if
  client cache is old/stale, server will still be able to clear it.
  This is what FUSE_HANDLE_KILLPRIV_V2 can achieve based on the
  use case.

IOW, FUSE_HANDLE_KILLPRIV_V2 will help choose between weak/strong
coherency model when it comes to clearing suid/sgid/caps. But
notion of SB_NOSEC seems to be orthogonal to FUSE_HANDLE_KILLPRIV_V2
and SB_NOSEC should work both with and without FUSE_HANDLE_KILLPRIV_V2.

FUSE_HANDLE_KILLPRIV_V2 has its own issues. Right now enabling it does
not disable client driven clearing of suid/sgid/caps
(file_remove_privs() and other chown/trucnation paths).

If we actively work on supressing file_remove_privs/setattr when
FUSE_HANDLE_KILLPRIV_V2 is set, then we have the issue of client
attributes going stale (suid/sgid), as server might clear suid/sgid
upon write but client will have no idea. May be we can keep track
of completion of writes and clear suid/sgid in local cache or
invalidate attrs etc. Something to think about.
  
In short, I feel more inclined that SB_NOSEC should not be dependent
on FUSE_HANDLE_KILLPRIV_V2. It should be a separate feature which
works both with and without and user chooses FUSE_HANDLE_KILLPRIV_V2
if they want stronger coherency.

If you are concerned about regression w.r.t clear of caps, then we
can think of enabling SB_NOSEC conditionally. Say user chooses it
as mount option. But given caps is just an outlier and currently
we clear suid/sgid based on cache (and not based on state on server),
I feel it might not be a huge issue.

What do you think?

Thanks
Vivek

Vivek Goyal (5):
  fuse: Introduce the notion of FUSE_HANDLE_KILLPRIV_V2
  fuse: Set FUSE_WRITE_KILL_PRIV in cached write path
  fuse: Add a flag FUSE_SETATTR_KILL_PRIV
  fuse: For sending setattr in case of open(O_TRUNC)
  virtiofs: Support SB_NOSEC flag to improve direct write performance

 fs/fuse/dir.c             | 13 +++++++++----
 fs/fuse/file.c            |  2 ++
 fs/fuse/fuse_i.h          |  6 ++++++
 fs/fuse/inode.c           | 17 ++++++++++++++++-
 fs/fuse/virtio_fs.c       |  3 +++
 include/uapi/linux/fuse.h | 18 +++++++++++++++++-
 6 files changed, 53 insertions(+), 6 deletions(-)

-- 
2.25.4

[PATCH 1/5] fuse: Introduce the notion of FUSE_HANDLE_KILLPRIV_V2

[Vivek Goyal]

FUSE_HANDLE_KILLPRIV flag says that file server will remove suid/sgid/caps
on truncate/chown/write.

But to be consistent with VFS behavior what we want is.

- caps are always cleared on chown/write/truncate
- suid is always cleared on chown, while for truncate/write it is cleared
  only if caller does not have CAP_FSETID.
- sgid is always cleared on chown, while for truncate/write it is cleared
  only if caller does not have CAP_FSETID as well as file has group execute
  permission.

As previous flag did not provide above semantics. Implement a V2 of the
protocol with above said constraints.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/fuse_i.h          | 6 ++++++
 fs/fuse/inode.c           | 5 ++++-
 include/uapi/linux/fuse.h | 7 +++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 740a8a7d7ae6..71bede0a57c9 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -610,6 +610,12 @@ struct fuse_conn {
 	/** cache READLINK responses in page cache */
 	unsigned cache_symlinks:1;
 
+	/** fs kills suid/sgid/cap on write/chown/trunc. suid is
+	    killed on write/trunc only if caller did not have CAP_FSETID.
+	    sgid is killed on write/truncate only if caller did not have
+	    CAP_FSETID as well as file has group execute permission. */
+	unsigned handle_killpriv_v2:1;
+
 	/*
 	 * The following bitfields are only for optimization purposes
 	 * and hence races in setting them will not cause malfunction
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index bba747520e9b..113ba149e08d 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -965,6 +965,8 @@ static void process_init_reply(struct fuse_conn *fc, struct fuse_args *args,
 					min_t(unsigned int, FUSE_MAX_MAX_PAGES,
 					max_t(unsigned int, arg->max_pages, 1));
 			}
+			if (arg->flags & FUSE_HANDLE_KILLPRIV_V2)
+				fc->handle_killpriv_v2 = 1;
 		} else {
 			ra_pages = fc->max_read / PAGE_SIZE;
 			fc->no_lock = 1;
@@ -1002,7 +1004,8 @@ void fuse_send_init(struct fuse_conn *fc)
 		FUSE_WRITEBACK_CACHE | FUSE_NO_OPEN_SUPPORT |
 		FUSE_PARALLEL_DIROPS | FUSE_HANDLE_KILLPRIV | FUSE_POSIX_ACL |
 		FUSE_ABORT_ERROR | FUSE_MAX_PAGES | FUSE_CACHE_SYMLINKS |
-		FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA;
+		FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA |
+		FUSE_HANDLE_KILLPRIV_V2;
 	ia->args.opcode = FUSE_INIT;
 	ia->args.in_numargs = 1;
 	ia->args.in_args[0].size = sizeof(ia->in);
diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h
index 373cada89815..960ba8af5cf4 100644
--- a/include/uapi/linux/fuse.h
+++ b/include/uapi/linux/fuse.h
@@ -172,6 +172,7 @@
  *  - add FUSE_WRITE_KILL_PRIV flag
  *  - add FUSE_SETUPMAPPING and FUSE_REMOVEMAPPING
  *  - add map_alignment to fuse_init_out, add FUSE_MAP_ALIGNMENT flag
+ *  - add FUSE_HANDLE_KILLPRIV_V2
  */
 
 #ifndef _LINUX_FUSE_H
@@ -314,6 +315,11 @@ struct fuse_file_lock {
  * FUSE_NO_OPENDIR_SUPPORT: kernel supports zero-message opendir
  * FUSE_EXPLICIT_INVAL_DATA: only invalidate cached pages on explicit request
  * FUSE_MAP_ALIGNMENT: map_alignment field is valid
+ * FUSE_HANDLE_KILLPRIV_V2: fs kills suid/sgid/cap on write/chown/trunc.
+ * 			Upon write/truncate suid/sgid is only killed if caller
+ * 			does not have CAP_FSETID. Additionally upon
+ * 			write/truncate sgid is killed only if file has group
+ * 			execute permission. (Same as Linux VFS behavior).
  */
 #define FUSE_ASYNC_READ		(1 << 0)
 #define FUSE_POSIX_LOCKS	(1 << 1)
@@ -342,6 +348,7 @@ struct fuse_file_lock {
 #define FUSE_NO_OPENDIR_SUPPORT (1 << 24)
 #define FUSE_EXPLICIT_INVAL_DATA (1 << 25)
 #define FUSE_MAP_ALIGNMENT	(1 << 26)
+#define FUSE_HANDLE_KILLPRIV_V2	(1 << 27)
 
 /**
  * CUSE INIT request/reply flags
-- 
2.25.4

[Virtio-fs] [PATCH 1/5] fuse: Introduce the notion of FUSE_HANDLE_KILLPRIV_V2

[Vivek Goyal]

FUSE_HANDLE_KILLPRIV flag says that file server will remove suid/sgid/caps
on truncate/chown/write.

But to be consistent with VFS behavior what we want is.

- caps are always cleared on chown/write/truncate
- suid is always cleared on chown, while for truncate/write it is cleared
  only if caller does not have CAP_FSETID.
- sgid is always cleared on chown, while for truncate/write it is cleared
  only if caller does not have CAP_FSETID as well as file has group execute
  permission.

As previous flag did not provide above semantics. Implement a V2 of the
protocol with above said constraints.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/fuse_i.h          | 6 ++++++
 fs/fuse/inode.c           | 5 ++++-
 include/uapi/linux/fuse.h | 7 +++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 740a8a7d7ae6..71bede0a57c9 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -610,6 +610,12 @@ struct fuse_conn {
 	/** cache READLINK responses in page cache */
 	unsigned cache_symlinks:1;
 
+	/** fs kills suid/sgid/cap on write/chown/trunc. suid is
+	    killed on write/trunc only if caller did not have CAP_FSETID.
+	    sgid is killed on write/truncate only if caller did not have
+	    CAP_FSETID as well as file has group execute permission. */
+	unsigned handle_killpriv_v2:1;
+
 	/*
 	 * The following bitfields are only for optimization purposes
 	 * and hence races in setting them will not cause malfunction
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index bba747520e9b..113ba149e08d 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -965,6 +965,8 @@ static void process_init_reply(struct fuse_conn *fc, struct fuse_args *args,
 					min_t(unsigned int, FUSE_MAX_MAX_PAGES,
 					max_t(unsigned int, arg->max_pages, 1));
 			}
+			if (arg->flags & FUSE_HANDLE_KILLPRIV_V2)
+				fc->handle_killpriv_v2 = 1;
 		} else {
 			ra_pages = fc->max_read / PAGE_SIZE;
 			fc->no_lock = 1;
@@ -1002,7 +1004,8 @@ void fuse_send_init(struct fuse_conn *fc)
 		FUSE_WRITEBACK_CACHE | FUSE_NO_OPEN_SUPPORT |
 		FUSE_PARALLEL_DIROPS | FUSE_HANDLE_KILLPRIV | FUSE_POSIX_ACL |
 		FUSE_ABORT_ERROR | FUSE_MAX_PAGES | FUSE_CACHE_SYMLINKS |
-		FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA;
+		FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA |
+		FUSE_HANDLE_KILLPRIV_V2;
 	ia->args.opcode = FUSE_INIT;
 	ia->args.in_numargs = 1;
 	ia->args.in_args[0].size = sizeof(ia->in);
diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h
index 373cada89815..960ba8af5cf4 100644
--- a/include/uapi/linux/fuse.h
+++ b/include/uapi/linux/fuse.h
@@ -172,6 +172,7 @@
  *  - add FUSE_WRITE_KILL_PRIV flag
  *  - add FUSE_SETUPMAPPING and FUSE_REMOVEMAPPING
  *  - add map_alignment to fuse_init_out, add FUSE_MAP_ALIGNMENT flag
+ *  - add FUSE_HANDLE_KILLPRIV_V2
  */
 
 #ifndef _LINUX_FUSE_H
@@ -314,6 +315,11 @@ struct fuse_file_lock {
  * FUSE_NO_OPENDIR_SUPPORT: kernel supports zero-message opendir
  * FUSE_EXPLICIT_INVAL_DATA: only invalidate cached pages on explicit request
  * FUSE_MAP_ALIGNMENT: map_alignment field is valid
+ * FUSE_HANDLE_KILLPRIV_V2: fs kills suid/sgid/cap on write/chown/trunc.
+ * 			Upon write/truncate suid/sgid is only killed if caller
+ * 			does not have CAP_FSETID. Additionally upon
+ * 			write/truncate sgid is killed only if file has group
+ * 			execute permission. (Same as Linux VFS behavior).
  */
 #define FUSE_ASYNC_READ		(1 << 0)
 #define FUSE_POSIX_LOCKS	(1 << 1)
@@ -342,6 +348,7 @@ struct fuse_file_lock {
 #define FUSE_NO_OPENDIR_SUPPORT (1 << 24)
 #define FUSE_EXPLICIT_INVAL_DATA (1 << 25)
 #define FUSE_MAP_ALIGNMENT	(1 << 26)
+#define FUSE_HANDLE_KILLPRIV_V2	(1 << 27)
 
 /**
  * CUSE INIT request/reply flags
-- 
2.25.4

[PATCH 2/5] fuse: Set FUSE_WRITE_KILL_PRIV in cached write path

[Vivek Goyal]

If caller does not have CAP_FSETID, we set FUSE_WRITE_KILL_PRIV in direct
I/O path but not in cached write path. Set it there as well so that server
can clear suid/sgid/caps as needed.

Set it only if fc->handle_killpriv_v2 is set. Otherwise client is responsible
for kill suid/sgid. We do it direct I/O path anyway because we do't call
file_remove_privs() there (with cache=none option).

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/file.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 83d917f7e542..57899afc7cba 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1083,6 +1083,8 @@ static ssize_t fuse_send_write_pages(struct fuse_io_args *ia,
 
 	fuse_write_args_fill(ia, ff, pos, count);
 	ia->write.in.flags = fuse_write_flags(iocb);
+	if (fc->handle_killpriv_v2 && !capable(CAP_FSETID))
+		ia->write.in.write_flags |= FUSE_WRITE_KILL_PRIV;
 
 	err = fuse_simple_request(fc, &ap->args);
 	if (!err && ia->write.out.size > count)
-- 
2.25.4

[Virtio-fs] [PATCH 2/5] fuse: Set FUSE_WRITE_KILL_PRIV in cached write path

[Vivek Goyal]

If caller does not have CAP_FSETID, we set FUSE_WRITE_KILL_PRIV in direct
I/O path but not in cached write path. Set it there as well so that server
can clear suid/sgid/caps as needed.

Set it only if fc->handle_killpriv_v2 is set. Otherwise client is responsible
for kill suid/sgid. We do it direct I/O path anyway because we do't call
file_remove_privs() there (with cache=none option).

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/file.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 83d917f7e542..57899afc7cba 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1083,6 +1083,8 @@ static ssize_t fuse_send_write_pages(struct fuse_io_args *ia,
 
 	fuse_write_args_fill(ia, ff, pos, count);
 	ia->write.in.flags = fuse_write_flags(iocb);
+	if (fc->handle_killpriv_v2 && !capable(CAP_FSETID))
+		ia->write.in.write_flags |= FUSE_WRITE_KILL_PRIV;
 
 	err = fuse_simple_request(fc, &ap->args);
 	if (!err && ia->write.out.size > count)
-- 
2.25.4

[PATCH 3/5] fuse: Add a flag FUSE_SETATTR_KILL_PRIV

[Vivek Goyal]

With handle_killpriv_v2, server needs to kill suid/sgid on truncate (setattr)
but it does not know if caller has CAP_FSETID or not. So like write, send
killpriv information in fuse_setattr_in and add a flag FUSE_SETATTR_KILL_PRIV.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/dir.c             | 11 ++++++++---
 include/uapi/linux/fuse.h | 11 ++++++++++-
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 26f028bc760b..82747ca4c5c8 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1437,13 +1437,15 @@ void fuse_release_nowrite(struct inode *inode)
 static void fuse_setattr_fill(struct fuse_conn *fc, struct fuse_args *args,
 			      struct inode *inode,
 			      struct fuse_setattr_in *inarg_p,
-			      struct fuse_attr_out *outarg_p)
+			      struct fuse_attr_out *outarg_p,
+			      uint32_t setattr_flags)
 {
 	args->opcode = FUSE_SETATTR;
 	args->nodeid = get_node_id(inode);
 	args->in_numargs = 1;
 	args->in_args[0].size = sizeof(*inarg_p);
 	args->in_args[0].value = inarg_p;
+	inarg_p->setattr_flags = setattr_flags;
 	args->out_numargs = 1;
 	args->out_args[0].size = sizeof(*outarg_p);
 	args->out_args[0].value = outarg_p;
@@ -1474,7 +1476,7 @@ int fuse_flush_times(struct inode *inode, struct fuse_file *ff)
 		inarg.valid |= FATTR_FH;
 		inarg.fh = ff->fh;
 	}
-	fuse_setattr_fill(fc, &args, inode, &inarg, &outarg);
+	fuse_setattr_fill(fc, &args, inode, &inarg, &outarg, 0);
 
 	return fuse_simple_request(fc, &args);
 }
@@ -1501,6 +1503,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 	loff_t oldsize;
 	int err;
 	bool trust_local_cmtime = is_wb && S_ISREG(inode->i_mode);
+	uint32_t setattr_flags = 0;
 
 	if (!fc->default_permissions)
 		attr->ia_valid |= ATTR_FORCE;
@@ -1529,6 +1532,8 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 	if (attr->ia_valid & ATTR_SIZE) {
 		if (WARN_ON(!S_ISREG(inode->i_mode)))
 			return -EIO;
+		if (fc->handle_killpriv_v2 && !capable(CAP_FSETID))
+			setattr_flags |= FUSE_SETATTR_KILL_PRIV;
 		is_truncate = true;
 	}
 
@@ -1565,7 +1570,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 		inarg.valid |= FATTR_LOCKOWNER;
 		inarg.lock_owner = fuse_lock_owner_id(fc, current->files);
 	}
-	fuse_setattr_fill(fc, &args, inode, &inarg, &outarg);
+	fuse_setattr_fill(fc, &args, inode, &inarg, &outarg, setattr_flags);
 	err = fuse_simple_request(fc, &args);
 	if (err) {
 		if (err == -EINTR)
diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h
index 960ba8af5cf4..4b275653ac2e 100644
--- a/include/uapi/linux/fuse.h
+++ b/include/uapi/linux/fuse.h
@@ -173,6 +173,7 @@
  *  - add FUSE_SETUPMAPPING and FUSE_REMOVEMAPPING
  *  - add map_alignment to fuse_init_out, add FUSE_MAP_ALIGNMENT flag
  *  - add FUSE_HANDLE_KILLPRIV_V2
+ *  - add FUSE_SETATTR_KILL_PRIV
  */
 
 #ifndef _LINUX_FUSE_H
@@ -368,6 +369,14 @@ struct fuse_file_lock {
  */
 #define FUSE_GETATTR_FH		(1 << 0)
 
+/**
+ * Setattr flags
+ * FUSE_SETATTR_KILL_PRIV: kill suid and sgid bits. sgid should be killed
+ * only if group execute bit (S_IXGRP) is set. Meant to be used together
+ * with FUSE_HANDLE_KILLPRIV_V2.
+ */
+#define FUSE_SETATTR_KILL_PRIV	(1 << 0)
+
 /**
  * Lock flags
  */
@@ -566,7 +575,7 @@ struct fuse_link_in {
 
 struct fuse_setattr_in {
 	uint32_t	valid;
-	uint32_t	padding;
+	uint32_t	setattr_flags;
 	uint64_t	fh;
 	uint64_t	size;
 	uint64_t	lock_owner;
-- 
2.25.4

[Virtio-fs] [PATCH 3/5] fuse: Add a flag FUSE_SETATTR_KILL_PRIV

[Vivek Goyal]

With handle_killpriv_v2, server needs to kill suid/sgid on truncate (setattr)
but it does not know if caller has CAP_FSETID or not. So like write, send
killpriv information in fuse_setattr_in and add a flag FUSE_SETATTR_KILL_PRIV.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/dir.c             | 11 ++++++++---
 include/uapi/linux/fuse.h | 11 ++++++++++-
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 26f028bc760b..82747ca4c5c8 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1437,13 +1437,15 @@ void fuse_release_nowrite(struct inode *inode)
 static void fuse_setattr_fill(struct fuse_conn *fc, struct fuse_args *args,
 			      struct inode *inode,
 			      struct fuse_setattr_in *inarg_p,
-			      struct fuse_attr_out *outarg_p)
+			      struct fuse_attr_out *outarg_p,
+			      uint32_t setattr_flags)
 {
 	args->opcode = FUSE_SETATTR;
 	args->nodeid = get_node_id(inode);
 	args->in_numargs = 1;
 	args->in_args[0].size = sizeof(*inarg_p);
 	args->in_args[0].value = inarg_p;
+	inarg_p->setattr_flags = setattr_flags;
 	args->out_numargs = 1;
 	args->out_args[0].size = sizeof(*outarg_p);
 	args->out_args[0].value = outarg_p;
@@ -1474,7 +1476,7 @@ int fuse_flush_times(struct inode *inode, struct fuse_file *ff)
 		inarg.valid |= FATTR_FH;
 		inarg.fh = ff->fh;
 	}
-	fuse_setattr_fill(fc, &args, inode, &inarg, &outarg);
+	fuse_setattr_fill(fc, &args, inode, &inarg, &outarg, 0);
 
 	return fuse_simple_request(fc, &args);
 }
@@ -1501,6 +1503,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 	loff_t oldsize;
 	int err;
 	bool trust_local_cmtime = is_wb && S_ISREG(inode->i_mode);
+	uint32_t setattr_flags = 0;
 
 	if (!fc->default_permissions)
 		attr->ia_valid |= ATTR_FORCE;
@@ -1529,6 +1532,8 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 	if (attr->ia_valid & ATTR_SIZE) {
 		if (WARN_ON(!S_ISREG(inode->i_mode)))
 			return -EIO;
+		if (fc->handle_killpriv_v2 && !capable(CAP_FSETID))
+			setattr_flags |= FUSE_SETATTR_KILL_PRIV;
 		is_truncate = true;
 	}
 
@@ -1565,7 +1570,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 		inarg.valid |= FATTR_LOCKOWNER;
 		inarg.lock_owner = fuse_lock_owner_id(fc, current->files);
 	}
-	fuse_setattr_fill(fc, &args, inode, &inarg, &outarg);
+	fuse_setattr_fill(fc, &args, inode, &inarg, &outarg, setattr_flags);
 	err = fuse_simple_request(fc, &args);
 	if (err) {
 		if (err == -EINTR)
diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h
index 960ba8af5cf4..4b275653ac2e 100644
--- a/include/uapi/linux/fuse.h
+++ b/include/uapi/linux/fuse.h
@@ -173,6 +173,7 @@
  *  - add FUSE_SETUPMAPPING and FUSE_REMOVEMAPPING
  *  - add map_alignment to fuse_init_out, add FUSE_MAP_ALIGNMENT flag
  *  - add FUSE_HANDLE_KILLPRIV_V2
+ *  - add FUSE_SETATTR_KILL_PRIV
  */
 
 #ifndef _LINUX_FUSE_H
@@ -368,6 +369,14 @@ struct fuse_file_lock {
  */
 #define FUSE_GETATTR_FH		(1 << 0)
 
+/**
+ * Setattr flags
+ * FUSE_SETATTR_KILL_PRIV: kill suid and sgid bits. sgid should be killed
+ * only if group execute bit (S_IXGRP) is set. Meant to be used together
+ * with FUSE_HANDLE_KILLPRIV_V2.
+ */
+#define FUSE_SETATTR_KILL_PRIV	(1 << 0)
+
 /**
  * Lock flags
  */
@@ -566,7 +575,7 @@ struct fuse_link_in {
 
 struct fuse_setattr_in {
 	uint32_t	valid;
-	uint32_t	padding;
+	uint32_t	setattr_flags;
 	uint64_t	fh;
 	uint64_t	size;
 	uint64_t	lock_owner;
-- 
2.25.4

[PATCH 4/5] fuse: For sending setattr in case of open(O_TRUNC)

[Vivek Goyal]

open(O_TRUNC) will not kill suid/sgid on server and fuse_open_in does not
have information if caller has CAP_FSETID or not.

So force sending setattr() which is called after open(O_TRUNC) so that
server clears setuid/setgid.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/dir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 82747ca4c5c8..0572779abbbe 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1516,7 +1516,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 		/* This is coming from open(..., ... | O_TRUNC); */
 		WARN_ON(!(attr->ia_valid & ATTR_SIZE));
 		WARN_ON(attr->ia_size != 0);
-		if (fc->atomic_o_trunc) {
+		if (fc->atomic_o_trunc && !fc->handle_killpriv_v2) {
 			/*
 			 * No need to send request to userspace, since actual
 			 * truncation has already been done by OPEN.  But still
-- 
2.25.4

[Virtio-fs] [PATCH 4/5] fuse: For sending setattr in case of open(O_TRUNC)

[Vivek Goyal]

open(O_TRUNC) will not kill suid/sgid on server and fuse_open_in does not
have information if caller has CAP_FSETID or not.

So force sending setattr() which is called after open(O_TRUNC) so that
server clears setuid/setgid.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/dir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index 82747ca4c5c8..0572779abbbe 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1516,7 +1516,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
 		/* This is coming from open(..., ... | O_TRUNC); */
 		WARN_ON(!(attr->ia_valid & ATTR_SIZE));
 		WARN_ON(attr->ia_size != 0);
-		if (fc->atomic_o_trunc) {
+		if (fc->atomic_o_trunc && !fc->handle_killpriv_v2) {
 			/*
 			 * No need to send request to userspace, since actual
 			 * truncation has already been done by OPEN.  But still
-- 
2.25.4

[PATCH 5/5] virtiofs: Support SB_NOSEC flag to improve direct write performance

[Vivek Goyal]

Ganesh Mahalingam reported that virtiofs is slow with small direct random
writes when virtiofsd is run with cache=always.

https://github.com/kata-containers/runtime/issues/2815

Little debugging showed that that file_remove_privs() is called in cached
write path on every write. And everytime it calls
security_inode_need_killpriv() which results in call to
__vfs_getxattr(XATTR_NAME_CAPS). And this goes to file server to fetch
xattr. This extra round trip for every write slows down writes a lot.

Normally to avoid paying this penalty on every write, vfs has the
notion of caching this information in inode (S_NOSEC). So vfs
sets S_NOSEC, if filesystem opted for it using super block flag
SB_NOSEC. And S_NOSEC is cleared when setuid/setgid bit is set or
when security xattr is set on inode so that next time a write
happens, we check inode again for clearing setuid/setgid bits as well
clear any security.capability xattr.

This seems to work well for local file systems but for remote file
systems it is possible that VFS does not have full picture and a
different client sets setuid/setgid bit or security.capability xattr
on file and that means VFS information about S_NOSEC on another client
will be stale. So for remote filesystems SB_NOSEC was disabled by
default.

commit 9e1f1de02c2275d7172e18dc4e7c2065777611bf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Jun 3 18:24:58 2011 -0400

    more conservative S_NOSEC handling

That commit mentioned that these filesystems can still make use of
SB_NOSEC as long as they clear S_NOSEC when they are refreshing inode
attriutes from server.

So this patch tries to enable SB_NOSEC on fuse (regular fuse as well
as virtiofs). And clear SB_NOSEC when we are refreshing inode attributes.

We need to clear SB_NOSEC either when inode has setuid/setgid bit set
or security.capability xattr has been set. We have the first piece of
information available in FUSE_GETATTR response. But we don't know if
security.capability has been set on file or not. Question is, do we
really need to know about security.capability. file_remove_privs()
always removes security.capability if a file is being written to. That
means when server writes to file, security.capability should be removed
without guest having to tell anything to it.

That means we don't have to worry about knowing if security.capability
was set or not as long as writes by client don't get cached and go to
server always. And server write should clear security.capability. Hence,
I clear SB_NOSEC when writeback cache is enabled.

This change improves random write performance very significantly. I
am running virtiofsd with cache=auto and following fio command.

fio --ioengine=libaio --direct=1  --name=test --filename=/mnt/virtiofs/random_read_write.fio --bs=4k --iodepth=64 --size=4G --readwrite=randwrite

Before this patch I get around 40MB/s and after the patch I get around
300MB/s bandwidth. So improvement is very significant.

Reported-by: "Mahalingam, Ganesh" <ganesh.mahalingam@intel.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/inode.c     | 12 ++++++++++++
 fs/fuse/virtio_fs.c |  3 +++
 2 files changed, 15 insertions(+)

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 113ba149e08d..412ab08607ca 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -187,6 +187,16 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
 		inode->i_mode &= ~S_ISVTX;
 
 	fi->orig_ino = attr->ino;
+
+	/*
+	 * We are refreshing inode data and it is possible that another
+	 * client set suid/sgid or security.capability xattr. So clear
+	 * S_NOSEC. Ideally, we could have cleared it only if suid/sgid
+	 * was set or if security.capability xattr was set. But we don't
+	 * know if security.capability has been set or not. So clear it
+	 * anyway. Its less efficient but should is safe.
+	 */
+	inode->i_flags &= ~S_NOSEC;
 }
 
 void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
@@ -1281,6 +1291,8 @@ static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc)
 	 */
 	fput(file);
 	fuse_send_init(get_fuse_conn_super(sb));
+	if (fc->handle_killpriv_v2)
+		sb->s_flags |= SB_NOSEC;
 	return 0;
 
  err_put_conn:
diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
index 4c4ef5d69298..be05e4995e60 100644
--- a/fs/fuse/virtio_fs.c
+++ b/fs/fuse/virtio_fs.c
@@ -1126,6 +1126,9 @@ static int virtio_fs_fill_super(struct super_block *sb)
 	/* Previous unmount will stop all queues. Start these again */
 	virtio_fs_start_all_queues(fs);
 	fuse_send_init(fc);
+
+	if (fc->handle_killpriv_v2)
+		sb->s_flags |= SB_NOSEC;
 	mutex_unlock(&virtio_fs_mutex);
 	return 0;
 
-- 
2.25.4

[Virtio-fs] [PATCH 5/5] virtiofs: Support SB_NOSEC flag to improve direct write performance

[Vivek Goyal]

Ganesh Mahalingam reported that virtiofs is slow with small direct random
writes when virtiofsd is run with cache=always.

https://github.com/kata-containers/runtime/issues/2815

Little debugging showed that that file_remove_privs() is called in cached
write path on every write. And everytime it calls
security_inode_need_killpriv() which results in call to
__vfs_getxattr(XATTR_NAME_CAPS). And this goes to file server to fetch
xattr. This extra round trip for every write slows down writes a lot.

Normally to avoid paying this penalty on every write, vfs has the
notion of caching this information in inode (S_NOSEC). So vfs
sets S_NOSEC, if filesystem opted for it using super block flag
SB_NOSEC. And S_NOSEC is cleared when setuid/setgid bit is set or
when security xattr is set on inode so that next time a write
happens, we check inode again for clearing setuid/setgid bits as well
clear any security.capability xattr.

This seems to work well for local file systems but for remote file
systems it is possible that VFS does not have full picture and a
different client sets setuid/setgid bit or security.capability xattr
on file and that means VFS information about S_NOSEC on another client
will be stale. So for remote filesystems SB_NOSEC was disabled by
default.

commit 9e1f1de02c2275d7172e18dc4e7c2065777611bf
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Jun 3 18:24:58 2011 -0400

    more conservative S_NOSEC handling

That commit mentioned that these filesystems can still make use of
SB_NOSEC as long as they clear S_NOSEC when they are refreshing inode
attriutes from server.

So this patch tries to enable SB_NOSEC on fuse (regular fuse as well
as virtiofs). And clear SB_NOSEC when we are refreshing inode attributes.

We need to clear SB_NOSEC either when inode has setuid/setgid bit set
or security.capability xattr has been set. We have the first piece of
information available in FUSE_GETATTR response. But we don't know if
security.capability has been set on file or not. Question is, do we
really need to know about security.capability. file_remove_privs()
always removes security.capability if a file is being written to. That
means when server writes to file, security.capability should be removed
without guest having to tell anything to it.

That means we don't have to worry about knowing if security.capability
was set or not as long as writes by client don't get cached and go to
server always. And server write should clear security.capability. Hence,
I clear SB_NOSEC when writeback cache is enabled.

This change improves random write performance very significantly. I
am running virtiofsd with cache=auto and following fio command.

fio --ioengine=libaio --direct=1  --name=test --filename=/mnt/virtiofs/random_read_write.fio --bs=4k --iodepth=64 --size=4G --readwrite=randwrite

Before this patch I get around 40MB/s and after the patch I get around
300MB/s bandwidth. So improvement is very significant.

Reported-by: "Mahalingam, Ganesh" <ganesh.mahalingam@intel.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/inode.c     | 12 ++++++++++++
 fs/fuse/virtio_fs.c |  3 +++
 2 files changed, 15 insertions(+)

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 113ba149e08d..412ab08607ca 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -187,6 +187,16 @@ void fuse_change_attributes_common(struct inode *inode, struct fuse_attr *attr,
 		inode->i_mode &= ~S_ISVTX;
 
 	fi->orig_ino = attr->ino;
+
+	/*
+	 * We are refreshing inode data and it is possible that another
+	 * client set suid/sgid or security.capability xattr. So clear
+	 * S_NOSEC. Ideally, we could have cleared it only if suid/sgid
+	 * was set or if security.capability xattr was set. But we don't
+	 * know if security.capability has been set or not. So clear it
+	 * anyway. Its less efficient but should is safe.
+	 */
+	inode->i_flags &= ~S_NOSEC;
 }
 
 void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
@@ -1281,6 +1291,8 @@ static int fuse_fill_super(struct super_block *sb, struct fs_context *fsc)
 	 */
 	fput(file);
 	fuse_send_init(get_fuse_conn_super(sb));
+	if (fc->handle_killpriv_v2)
+		sb->s_flags |= SB_NOSEC;
 	return 0;
 
  err_put_conn:
diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
index 4c4ef5d69298..be05e4995e60 100644
--- a/fs/fuse/virtio_fs.c
+++ b/fs/fuse/virtio_fs.c
@@ -1126,6 +1126,9 @@ static int virtio_fs_fill_super(struct super_block *sb)
 	/* Previous unmount will stop all queues. Start these again */
 	virtio_fs_start_all_queues(fs);
 	fuse_send_init(fc);
+
+	if (fc->handle_killpriv_v2)
+		sb->s_flags |= SB_NOSEC;
 	mutex_unlock(&virtio_fs_mutex);
 	return 0;
 
-- 
2.25.4

Re: [RFC PATCH 0/5] fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC

[Miklos Szeredi]

On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:

> If you are concerned about regression w.r.t clear of caps, then we
> can think of enabling SB_NOSEC conditionally. Say user chooses it
> as mount option. But given caps is just an outlier and currently
> we clear suid/sgid based on cache (and not based on state on server),
> I feel it might not be a huge issue.
>
> What do you think?

I think enabling xattr caching should be a separate feature, and yes,
SB_NOSEC would effectively enable xattr caching.

We could add the FUSE_CACHE_XATTR feature flag without actually adding
real caching, just SB_NOSEC...

Does that sound sane?

Thanks,
Miklos

Re: [Virtio-fs] [RFC PATCH 0/5] fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC

[Miklos Szeredi]

On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:

> If you are concerned about regression w.r.t clear of caps, then we
> can think of enabling SB_NOSEC conditionally. Say user chooses it
> as mount option. But given caps is just an outlier and currently
> we clear suid/sgid based on cache (and not based on state on server),
> I feel it might not be a huge issue.
>
> What do you think?

I think enabling xattr caching should be a separate feature, and yes,
SB_NOSEC would effectively enable xattr caching.

We could add the FUSE_CACHE_XATTR feature flag without actually adding
real caching, just SB_NOSEC...

Does that sound sane?

Thanks,
Miklos

Re: [PATCH 3/5] fuse: Add a flag FUSE_SETATTR_KILL_PRIV

[Miklos Szeredi]

On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
>
> With handle_killpriv_v2, server needs to kill suid/sgid on truncate (setattr)
> but it does not know if caller has CAP_FSETID or not. So like write, send
> killpriv information in fuse_setattr_in and add a flag FUSE_SETATTR_KILL_PRIV.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

[...]

> +/**
> + * Setattr flags
> + * FUSE_SETATTR_KILL_PRIV: kill suid and sgid bits. sgid should be killed
> + * only if group execute bit (S_IXGRP) is set. Meant to be used together
> + * with FUSE_HANDLE_KILLPRIV_V2.
> + */
> +#define FUSE_SETATTR_KILL_PRIV (1 << 0)

Why not a FATTR_KILL_PRIV set in fuse_setattr_in.valid?

Thanks,
Miklos

Re: [Virtio-fs] [PATCH 3/5] fuse: Add a flag FUSE_SETATTR_KILL_PRIV

[Miklos Szeredi]

On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
>
> With handle_killpriv_v2, server needs to kill suid/sgid on truncate (setattr)
> but it does not know if caller has CAP_FSETID or not. So like write, send
> killpriv information in fuse_setattr_in and add a flag FUSE_SETATTR_KILL_PRIV.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

[...]

> +/**
> + * Setattr flags
> + * FUSE_SETATTR_KILL_PRIV: kill suid and sgid bits. sgid should be killed
> + * only if group execute bit (S_IXGRP) is set. Meant to be used together
> + * with FUSE_HANDLE_KILLPRIV_V2.
> + */
> +#define FUSE_SETATTR_KILL_PRIV (1 << 0)

Why not a FATTR_KILL_PRIV set in fuse_setattr_in.valid?

Thanks,
Miklos

Re: [PATCH 4/5] fuse: For sending setattr in case of open(O_TRUNC)

[Miklos Szeredi]

On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
>
> open(O_TRUNC) will not kill suid/sgid on server and fuse_open_in does not
> have information if caller has CAP_FSETID or not.
>
> So force sending setattr() which is called after open(O_TRUNC) so that
> server clears setuid/setgid.

I don't really like the fact that we lose atomicity if
handle_killpriv_v2 is enabled.

Let's just add a new flag to open as well.  If a filesystem doesn't
want to add the complexity of handling that it can still just disable
atomic_o_trunc.

Thanks,
Miklos

Re: [Virtio-fs] [PATCH 4/5] fuse: For sending setattr in case of open(O_TRUNC)

[Miklos Szeredi]

On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
>
> open(O_TRUNC) will not kill suid/sgid on server and fuse_open_in does not
> have information if caller has CAP_FSETID or not.
>
> So force sending setattr() which is called after open(O_TRUNC) so that
> server clears setuid/setgid.

I don't really like the fact that we lose atomicity if
handle_killpriv_v2 is enabled.

Let's just add a new flag to open as well.  If a filesystem doesn't
want to add the complexity of handling that it can still just disable
atomic_o_trunc.

Thanks,
Miklos

Re: [RFC PATCH 0/5] fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC

[Vivek Goyal]

On Fri, Aug 21, 2020 at 04:46:44PM +0200, Miklos Szeredi wrote:
> On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> 
> > If you are concerned about regression w.r.t clear of caps, then we
> > can think of enabling SB_NOSEC conditionally. Say user chooses it
> > as mount option. But given caps is just an outlier and currently
> > we clear suid/sgid based on cache (and not based on state on server),
> > I feel it might not be a huge issue.
> >
> > What do you think?
> 
> I think enabling xattr caching should be a separate feature, and yes,
> SB_NOSEC would effectively enable xattr caching.
> 
> We could add the FUSE_CACHE_XATTR feature flag without actually adding
> real caching, just SB_NOSEC...
> 
> Does that sound sane?

Hi Miklos,

I found one the old threads on this topic here.

https://patchwork.kernel.org/patch/9306393/

In the end you have suggested few solutions to the problem and frankly
speaking I think I like following the best one.

"Perhaps add a "local fs" mode where we can assume proper consistency
 between cache and backing."

Distributed filesystems are complicated and we need a proper protocol
so that file server can tell fuse its a distributed filesystem and
also come up with a way to invalidate various cached attributes
(depending on cache coherency model). For example, shouldn't file
server notify fuse that certain attr got invalidated. (If it detects
that another client modified it). Even that will be racy because
some other operation might already be making use of stale attribute
while we are invalidating it. That's where a better method like
delegation or something else will be needed, probably

But in case of local fs (ex. non-shared mode of virtiofs), all the
cached data should be valid as all changes should go through single
fuse instance. If fuse knows that, then probably lot of code can be
simplified for this important use case. Including setting SB_NOSEC.

To me caching xattr will bring another set of complex considrations
about how and when xattrs are invalidated and a lot will depend on
what guarantees said distributed filesystem is providing. So I am
little vary of going in that direction and make SB_NOSEC
conditional on FUSE_CACHE_XATTR. I am afraid that I will just
define this flag today without defining rest of the behavior
of xattr caching and that will probably break things later. This
probably should be done when we are actually implementing xattr
caching and keeping distributed filesystems in mind.

So how about, we instead implement a flag which tells fuse that
file server is implementing a local filesystem and it does not
expect anything to changed outside fuse. This will make sure
distributed filesystems like gluster don't regress because
of this change and a class of local filesystems can gain from
this. Once we support sharing mode in virtiofs, then we will
need to revisit it again and do it right for distributed
filesystems (depending on their invalidation mechanism).

Thanks
Vivek

Re: [Virtio-fs] [RFC PATCH 0/5] fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC

[Vivek Goyal]

On Fri, Aug 21, 2020 at 04:46:44PM +0200, Miklos Szeredi wrote:
> On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> 
> > If you are concerned about regression w.r.t clear of caps, then we
> > can think of enabling SB_NOSEC conditionally. Say user chooses it
> > as mount option. But given caps is just an outlier and currently
> > we clear suid/sgid based on cache (and not based on state on server),
> > I feel it might not be a huge issue.
> >
> > What do you think?
> 
> I think enabling xattr caching should be a separate feature, and yes,
> SB_NOSEC would effectively enable xattr caching.
> 
> We could add the FUSE_CACHE_XATTR feature flag without actually adding
> real caching, just SB_NOSEC...
> 
> Does that sound sane?

Hi Miklos,

I found one the old threads on this topic here.

https://patchwork.kernel.org/patch/9306393/

In the end you have suggested few solutions to the problem and frankly
speaking I think I like following the best one.

"Perhaps add a "local fs" mode where we can assume proper consistency
 between cache and backing."

Distributed filesystems are complicated and we need a proper protocol
so that file server can tell fuse its a distributed filesystem and
also come up with a way to invalidate various cached attributes
(depending on cache coherency model). For example, shouldn't file
server notify fuse that certain attr got invalidated. (If it detects
that another client modified it). Even that will be racy because
some other operation might already be making use of stale attribute
while we are invalidating it. That's where a better method like
delegation or something else will be needed, probably

But in case of local fs (ex. non-shared mode of virtiofs), all the
cached data should be valid as all changes should go through single
fuse instance. If fuse knows that, then probably lot of code can be
simplified for this important use case. Including setting SB_NOSEC.

To me caching xattr will bring another set of complex considrations
about how and when xattrs are invalidated and a lot will depend on
what guarantees said distributed filesystem is providing. So I am
little vary of going in that direction and make SB_NOSEC
conditional on FUSE_CACHE_XATTR. I am afraid that I will just
define this flag today without defining rest of the behavior
of xattr caching and that will probably break things later. This
probably should be done when we are actually implementing xattr
caching and keeping distributed filesystems in mind.

So how about, we instead implement a flag which tells fuse that
file server is implementing a local filesystem and it does not
expect anything to changed outside fuse. This will make sure
distributed filesystems like gluster don't regress because
of this change and a class of local filesystems can gain from
this. Once we support sharing mode in virtiofs, then we will
need to revisit it again and do it right for distributed
filesystems (depending on their invalidation mechanism).

Thanks
Vivek

Re: [PATCH 3/5] fuse: Add a flag FUSE_SETATTR_KILL_PRIV

[Vivek Goyal]

On Fri, Aug 21, 2020 at 04:53:59PM +0200, Miklos Szeredi wrote:
> On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> >
> > With handle_killpriv_v2, server needs to kill suid/sgid on truncate (setattr)
> > but it does not know if caller has CAP_FSETID or not. So like write, send
> > killpriv information in fuse_setattr_in and add a flag FUSE_SETATTR_KILL_PRIV.
> >
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> 
> [...]
> 
> > +/**
> > + * Setattr flags
> > + * FUSE_SETATTR_KILL_PRIV: kill suid and sgid bits. sgid should be killed
> > + * only if group execute bit (S_IXGRP) is set. Meant to be used together
> > + * with FUSE_HANDLE_KILLPRIV_V2.
> > + */
> > +#define FUSE_SETATTR_KILL_PRIV (1 << 0)
> 
> Why not a FATTR_KILL_PRIV set in fuse_setattr_in.valid?

Yes, I should be able to do that. ATTR_KILL_PRIV is already there
which can map to FATTR_KILL_PRIV. Not sure why didn't I think of it.

Vivek

Re: [Virtio-fs] [PATCH 3/5] fuse: Add a flag FUSE_SETATTR_KILL_PRIV

[Vivek Goyal]

On Fri, Aug 21, 2020 at 04:53:59PM +0200, Miklos Szeredi wrote:
> On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> >
> > With handle_killpriv_v2, server needs to kill suid/sgid on truncate (setattr)
> > but it does not know if caller has CAP_FSETID or not. So like write, send
> > killpriv information in fuse_setattr_in and add a flag FUSE_SETATTR_KILL_PRIV.
> >
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> 
> [...]
> 
> > +/**
> > + * Setattr flags
> > + * FUSE_SETATTR_KILL_PRIV: kill suid and sgid bits. sgid should be killed
> > + * only if group execute bit (S_IXGRP) is set. Meant to be used together
> > + * with FUSE_HANDLE_KILLPRIV_V2.
> > + */
> > +#define FUSE_SETATTR_KILL_PRIV (1 << 0)
> 
> Why not a FATTR_KILL_PRIV set in fuse_setattr_in.valid?

Yes, I should be able to do that. ATTR_KILL_PRIV is already there
which can map to FATTR_KILL_PRIV. Not sure why didn't I think of it.

Vivek

Re: [PATCH 4/5] fuse: For sending setattr in case of open(O_TRUNC)

[Vivek Goyal]

On Fri, Aug 21, 2020 at 05:05:16PM +0200, Miklos Szeredi wrote:
> On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> >
> > open(O_TRUNC) will not kill suid/sgid on server and fuse_open_in does not
> > have information if caller has CAP_FSETID or not.
> >
> > So force sending setattr() which is called after open(O_TRUNC) so that
> > server clears setuid/setgid.
> 
> I don't really like the fact that we lose atomicity if
> handle_killpriv_v2 is enabled.
> 
> Let's just add a new flag to open as well.  If a filesystem doesn't
> want to add the complexity of handling that it can still just disable
> atomic_o_trunc.

Ok, will look into adding flag to open.

Vivek

Re: [Virtio-fs] [PATCH 4/5] fuse: For sending setattr in case of open(O_TRUNC)

[Vivek Goyal]

On Fri, Aug 21, 2020 at 05:05:16PM +0200, Miklos Szeredi wrote:
> On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> >
> > open(O_TRUNC) will not kill suid/sgid on server and fuse_open_in does not
> > have information if caller has CAP_FSETID or not.
> >
> > So force sending setattr() which is called after open(O_TRUNC) so that
> > server clears setuid/setgid.
> 
> I don't really like the fact that we lose atomicity if
> handle_killpriv_v2 is enabled.
> 
> Let's just add a new flag to open as well.  If a filesystem doesn't
> want to add the complexity of handling that it can still just disable
> atomic_o_trunc.

Ok, will look into adding flag to open.

Vivek

Re: [RFC PATCH 0/5] fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC

[Miklos Szeredi]

On Fri, Aug 21, 2020 at 10:02 PM Vivek Goyal <vgoyal@redhat.com> wrote:

> So how about, we instead implement a flag which tells fuse that
> file server is implementing a local filesystem and it does not
> expect anything to changed outside fuse. This will make sure
> distributed filesystems like gluster don't regress because
> of this change and a class of local filesystems can gain from
> this. Once we support sharing mode in virtiofs, then we will
> need to revisit it again and do it right for distributed
> filesystems (depending on their invalidation mechanism).

Okay, sounds good.

This flag can be set on "cache=always" in virtiofsd.

Thanks,
Miklos

Re: [Virtio-fs] [RFC PATCH 0/5] fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC

[Miklos Szeredi]

On Fri, Aug 21, 2020 at 10:02 PM Vivek Goyal <vgoyal@redhat.com> wrote:

> So how about, we instead implement a flag which tells fuse that
> file server is implementing a local filesystem and it does not
> expect anything to changed outside fuse. This will make sure
> distributed filesystems like gluster don't regress because
> of this change and a class of local filesystems can gain from
> this. Once we support sharing mode in virtiofs, then we will
> need to revisit it again and do it right for distributed
> filesystems (depending on their invalidation mechanism).

Okay, sounds good.

This flag can be set on "cache=always" in virtiofsd.

Thanks,
Miklos