From: Vivek Goyal <vgoyal@redhat.com>
To: Hanna Reitz <hreitz@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>,
qemu-devel@nongnu.org,
"Dr . David Alan Gilbert" <dgilbert@redhat.com>,
virtio-fs@redhat.com, Ioannis Angelakopoulos <jaggel@bu.edu>,
Max Reitz <mreitz@redhat.com>
Subject: Re: [PATCH v3 09/10] virtiofsd: Optionally fill lo_inode.fhandle
Date: Tue, 17 Aug 2021 20:14:46 -0400 [thread overview]
Message-ID: <YRxQ9rClxWux/UHs@redhat.com> (raw)
In-Reply-To: <YRwRz8aZGq6QLpx/@redhat.com>
On Tue, Aug 17, 2021 at 03:45:19PM -0400, Vivek Goyal wrote:
> On Tue, Aug 17, 2021 at 10:27:16AM +0200, Hanna Reitz wrote:
> > On 16.08.21 21:44, Vivek Goyal wrote:
> > > On Wed, Aug 11, 2021 at 08:41:18AM +0200, Hanna Reitz wrote:
> > >
> > > [..]
> > > > > > But given the inotify complications, there’s really a good reason we should
> > > > > > use mountinfo.
> > > > > >
> > > > > > > > It’s a bit tricky because our sandboxing prevents easy access to mountinfo,
> > > > > > > > but if that’s the only way...
> > > > > > > yes. We already have lo->proc_self_fd. Maybe we need to keep
> > > > > > > /proc/self/mountinfo open in lo->proc_self_mountinfo. I am assuming
> > > > > > > that any mount table changes will still be visible despite the fact
> > > > > > > I have fd open (and don't have to open new fd to notice new mount/unmount
> > > > > > > changes).
> > > > > > Well, yes, that was my idea. Unfortunately, I wasn’t quite successful yet;
> > > > > > when I tried keeping the fd open, reading from it would just return 0
> > > > > > bytes. Perhaps that’s because we bind-mount /proc/self/fd to /proc so that
> > > > > > nothing else in /proc is visible. Perhaps we need to bind-mount
> > > > > > /proc/self/mountinfo into /proc/self/fd before that...
> > > > > Or perhaps open /proc/self/mountinfo and save fd in lo->proc_mountinfo
> > > > > before /proc/self/fd is bind mounted on /proc?
> > > > Yes, I tried that, and then reading would just return 0 bytes.
> > > Hi Hanna,
> > >
> > > I tried this simple patch and I can read /proc/self/mountinfo before
> > > bind mounting /proc/self/fd and after bind mounting /proc/self/fd. Am
> > > I missing something.
> >
> > Yes, but I tried reading it in the main loop (where we’d actually need it).
> > It looks like the umount2(".", MNT_DETACH) in setup_mounts() breaks it.
>
> Good point. I modified my code and notice too that after umoutn2() it
> always reads 0 bytes. I can understand that all the other mount points
> could go away but new rootfs mount point of virtiofsd should still be
> visible, IIUC. I don't understand why.
>
> Anyway, I tried re-opening /proc/self/mountinfo file after umount2(".",
> MNT_DETACH), and that seems to work and it shows root mount point. I
> created a bind mount and it shows that too.
>
> So looks like quick fix can be that we re-open /proc/self/mountinfo. But
> that means we can't bind /proc/self/fd on /proc/. We could bind mount
> /proc/self on /proc. Not sure is it safe enough.
Or may be I can do this.
- Open O_PATH fd for /proc/self
proc_self = open("/proc/self");
- Bind mount /proc/self/fd on /proc
- pivot_root() and umount() stuff
- Openat(proc_self, "mountinfo")
- close(proc_self)
If this works, then we don't have the security issue and we managed
to open mountinfo after pivot_root() and umount(). Will give it a
try and see if it works tomorrow.
Vivek
WARNING: multiple messages have this Message-ID (diff)
From: Vivek Goyal <vgoyal@redhat.com>
To: Hanna Reitz <hreitz@redhat.com>
Cc: qemu-devel@nongnu.org, virtio-fs@redhat.com,
Max Reitz <mreitz@redhat.com>
Subject: Re: [Virtio-fs] [PATCH v3 09/10] virtiofsd: Optionally fill lo_inode.fhandle
Date: Tue, 17 Aug 2021 20:14:46 -0400 [thread overview]
Message-ID: <YRxQ9rClxWux/UHs@redhat.com> (raw)
In-Reply-To: <YRwRz8aZGq6QLpx/@redhat.com>
On Tue, Aug 17, 2021 at 03:45:19PM -0400, Vivek Goyal wrote:
> On Tue, Aug 17, 2021 at 10:27:16AM +0200, Hanna Reitz wrote:
> > On 16.08.21 21:44, Vivek Goyal wrote:
> > > On Wed, Aug 11, 2021 at 08:41:18AM +0200, Hanna Reitz wrote:
> > >
> > > [..]
> > > > > > But given the inotify complications, there’s really a good reason we should
> > > > > > use mountinfo.
> > > > > >
> > > > > > > > It’s a bit tricky because our sandboxing prevents easy access to mountinfo,
> > > > > > > > but if that’s the only way...
> > > > > > > yes. We already have lo->proc_self_fd. Maybe we need to keep
> > > > > > > /proc/self/mountinfo open in lo->proc_self_mountinfo. I am assuming
> > > > > > > that any mount table changes will still be visible despite the fact
> > > > > > > I have fd open (and don't have to open new fd to notice new mount/unmount
> > > > > > > changes).
> > > > > > Well, yes, that was my idea. Unfortunately, I wasn’t quite successful yet;
> > > > > > when I tried keeping the fd open, reading from it would just return 0
> > > > > > bytes. Perhaps that’s because we bind-mount /proc/self/fd to /proc so that
> > > > > > nothing else in /proc is visible. Perhaps we need to bind-mount
> > > > > > /proc/self/mountinfo into /proc/self/fd before that...
> > > > > Or perhaps open /proc/self/mountinfo and save fd in lo->proc_mountinfo
> > > > > before /proc/self/fd is bind mounted on /proc?
> > > > Yes, I tried that, and then reading would just return 0 bytes.
> > > Hi Hanna,
> > >
> > > I tried this simple patch and I can read /proc/self/mountinfo before
> > > bind mounting /proc/self/fd and after bind mounting /proc/self/fd. Am
> > > I missing something.
> >
> > Yes, but I tried reading it in the main loop (where we’d actually need it).
> > It looks like the umount2(".", MNT_DETACH) in setup_mounts() breaks it.
>
> Good point. I modified my code and notice too that after umoutn2() it
> always reads 0 bytes. I can understand that all the other mount points
> could go away but new rootfs mount point of virtiofsd should still be
> visible, IIUC. I don't understand why.
>
> Anyway, I tried re-opening /proc/self/mountinfo file after umount2(".",
> MNT_DETACH), and that seems to work and it shows root mount point. I
> created a bind mount and it shows that too.
>
> So looks like quick fix can be that we re-open /proc/self/mountinfo. But
> that means we can't bind /proc/self/fd on /proc/. We could bind mount
> /proc/self on /proc. Not sure is it safe enough.
Or may be I can do this.
- Open O_PATH fd for /proc/self
proc_self = open("/proc/self");
- Bind mount /proc/self/fd on /proc
- pivot_root() and umount() stuff
- Openat(proc_self, "mountinfo")
- close(proc_self)
If this works, then we don't have the security issue and we managed
to open mountinfo after pivot_root() and umount(). Will give it a
try and see if it works tomorrow.
Vivek
next prev parent reply other threads:[~2021-08-18 0:16 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-30 15:01 [PATCH v3 00/10] virtiofsd: Allow using file handles instead of O_PATH FDs Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-07-30 15:01 ` [PATCH v3 01/10] virtiofsd: Limit setxattr()'s creds-dropped region Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-08-06 14:16 ` Vivek Goyal
2021-08-06 14:16 ` [Virtio-fs] " Vivek Goyal
2021-08-09 10:30 ` Max Reitz
2021-08-09 10:30 ` [Virtio-fs] " Max Reitz
2021-07-30 15:01 ` [PATCH v3 02/10] virtiofsd: Add TempFd structure Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-08-06 14:41 ` Vivek Goyal
2021-08-06 14:41 ` [Virtio-fs] " Vivek Goyal
2021-08-09 10:44 ` Max Reitz
2021-08-09 10:44 ` [Virtio-fs] " Max Reitz
2021-07-30 15:01 ` [PATCH v3 03/10] virtiofsd: Use lo_inode_open() instead of openat() Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-08-06 15:42 ` Vivek Goyal
2021-08-06 15:42 ` [Virtio-fs] " Vivek Goyal
2021-07-30 15:01 ` [PATCH v3 04/10] virtiofsd: Add lo_inode_fd() helper Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-08-06 18:25 ` Vivek Goyal
2021-08-06 18:25 ` [Virtio-fs] " Vivek Goyal
2021-08-09 10:48 ` Max Reitz
2021-08-09 10:48 ` [Virtio-fs] " Max Reitz
2021-07-30 15:01 ` [PATCH v3 05/10] virtiofsd: Let lo_fd() return a TempFd Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-07-30 15:01 ` [PATCH v3 06/10] virtiofsd: Let lo_inode_open() " Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-08-06 19:55 ` Vivek Goyal
2021-08-06 19:55 ` [Virtio-fs] " Vivek Goyal
2021-08-09 13:40 ` Max Reitz
2021-08-09 13:40 ` [Virtio-fs] " Max Reitz
2021-07-30 15:01 ` [PATCH v3 07/10] virtiofsd: Add lo_inode.fhandle Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-08-09 15:21 ` Vivek Goyal
2021-08-09 15:21 ` [Virtio-fs] " Vivek Goyal
2021-08-09 16:41 ` Hanna Reitz
2021-08-09 16:41 ` [Virtio-fs] " Hanna Reitz
2021-07-30 15:01 ` [PATCH v3 08/10] virtiofsd: Add inodes_by_handle hash table Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-08-09 16:10 ` Vivek Goyal
2021-08-09 16:10 ` [Virtio-fs] " Vivek Goyal
2021-08-09 16:47 ` Hanna Reitz
2021-08-09 16:47 ` [Virtio-fs] " Hanna Reitz
2021-08-10 14:07 ` Vivek Goyal
2021-08-10 14:07 ` [Virtio-fs] " Vivek Goyal
2021-08-10 14:13 ` Hanna Reitz
2021-08-10 14:13 ` [Virtio-fs] " Hanna Reitz
2021-08-10 17:51 ` Vivek Goyal
2021-08-10 17:51 ` [Virtio-fs] " Vivek Goyal
2021-07-30 15:01 ` [PATCH v3 09/10] virtiofsd: Optionally fill lo_inode.fhandle Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-08-09 18:41 ` Vivek Goyal
2021-08-09 18:41 ` [Virtio-fs] " Vivek Goyal
2021-08-10 8:32 ` Hanna Reitz
2021-08-10 8:32 ` [Virtio-fs] " Hanna Reitz
2021-08-10 15:23 ` Vivek Goyal
2021-08-10 15:23 ` [Virtio-fs] " Vivek Goyal
2021-08-10 15:26 ` Hanna Reitz
2021-08-10 15:26 ` [Virtio-fs] " Hanna Reitz
2021-08-10 15:57 ` Vivek Goyal
2021-08-10 15:57 ` [Virtio-fs] " Vivek Goyal
2021-08-11 6:41 ` Hanna Reitz
2021-08-11 6:41 ` [Virtio-fs] " Hanna Reitz
2021-08-16 19:44 ` Vivek Goyal
2021-08-16 19:44 ` [Virtio-fs] " Vivek Goyal
2021-08-17 8:27 ` Hanna Reitz
2021-08-17 8:27 ` [Virtio-fs] " Hanna Reitz
2021-08-17 19:45 ` Vivek Goyal
2021-08-17 19:45 ` [Virtio-fs] " Vivek Goyal
2021-08-18 0:14 ` Vivek Goyal [this message]
2021-08-18 0:14 ` Vivek Goyal
2021-08-18 13:32 ` Vivek Goyal
2021-08-18 13:32 ` [Virtio-fs] " Vivek Goyal
2021-08-18 13:48 ` Hanna Reitz
2021-08-18 13:48 ` [Virtio-fs] " Hanna Reitz
2021-08-19 16:38 ` Dr. David Alan Gilbert
2021-08-19 16:38 ` [Virtio-fs] " Dr. David Alan Gilbert
2021-07-30 15:01 ` [PATCH v3 10/10] virtiofsd: Add lazy lo_do_find() Max Reitz
2021-07-30 15:01 ` [Virtio-fs] " Max Reitz
2021-08-09 19:08 ` Vivek Goyal
2021-08-09 19:08 ` [Virtio-fs] " Vivek Goyal
2021-08-10 8:38 ` Hanna Reitz
2021-08-10 8:38 ` [Virtio-fs] " Hanna Reitz
2021-08-10 14:12 ` Vivek Goyal
2021-08-10 14:12 ` [Virtio-fs] " Vivek Goyal
2021-08-10 14:17 ` Hanna Reitz
2021-08-10 14:17 ` [Virtio-fs] " Hanna Reitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YRxQ9rClxWux/UHs@redhat.com \
--to=vgoyal@redhat.com \
--cc=dgilbert@redhat.com \
--cc=hreitz@redhat.com \
--cc=jaggel@bu.edu \
--cc=mreitz@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.