[PATCH] FUSE - core

This patch adds FUSE core.

This contains the following files:

 o inode.c
    - superblock operations (alloc_inode, destroy_inode, read_inode,
      clear_inode, put_super, show_options)
    - registers FUSE filesystem

 o fuse_i.h
    - private header file

Requirements
============

 The most important difference between ordinary filesystems and FUSE is
 the fact, that the filesystem data/metadata is provided by a userspace
 process run with the privileges of the mount "owner" instead of the
 kernel, or some remote entity usually running with elevated
 privileges.

 The security implication of this is that a non-privileged user must
 not be able to use this capability to compromise the system.  Obvious
 requirements arising from this are:

  - mount owner should not be able to get elevated privileges with the
    help of the mounted filesystem

  - mount owner should not be able to induce undesired behavior in
    other users' or the super user's processes

  - mount owner should not get illegitimate access to information from
    other users' and the super user's processes

 These are currently ensured with the following constraints:

  1) mount is only allowed to directory or file which the mount owner
     can modify without limitation (write access + no sticky bit for
     directories)

  2) nosuid,nodev mount options are forced

  3) any process running with fsuid different from the owner is denied
     all access to the filesystem

 1) and 2) are ensured by the "fusermount" mount utility which is a
    setuid root application doing the actual mount operation.

 3) is ensured by a check in the permission() method in kernel

 I started thinking about doing 3) in a different way because Christoph
 H. made a big deal out of it, saying that FUSE is unacceptable into
 mainline in this form.

 The suggested use of private namespaces would be OK, but in their
 current form have many limitations that make their use impractical (as
 discussed in this thread).

 Suggested improvements that would address these limitations:

   - implement shared subtrees

   - allow a process to join an existing namespace (make namespaces
     first-class objects)

   - implement the namespace creation/joining in a PAM module

 With all that in place the check of owner against current->fsuid may
 be removed from the FUSE kernel module, without compromising the
 security requirements.

 Suid programs still raise interesting questions, since they get access
 even to the private namespace causing some information leak (exact
 order/timing of filesystem operations performed), giving some
 ptrace-like capabilities to unprivileged users.  BTW this problem is
 not strictly limited to the namespace approach, since suid programs
 setting fsuid and accessing users' files will succeed with the current
 approach too.

Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-09-09 14:10:26 -06:00
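
The access rules from the commit message above, as an added example that is not part of the original patch or of fusermount: a user-space C model of constraint 1) (mount point check) and constraint 3) (fsuid check), combined with the FUSE_ALLOW_OTHER and FUSE_DEFAULT_PERMISSIONS flags defined in fuse_i.h. struct model_conn, the function names, the MODEL_* masks and the sample values are assumptions made for the illustration; the mode check ignores supplementary groups and has no root override.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Fallbacks so the model also builds in strict ISO C mode. */
#ifndef S_ISVTX
#define S_ISVTX 01000
#endif
#ifndef S_IFDIR
#define S_IFDIR 0040000
#endif
#ifndef S_IFREG
#define S_IFREG 0100000
#endif
#ifndef S_IFCHR
#define S_IFCHR 0020000
#endif

/* Flag values copied from fuse_i.h as shown on this page. */
#define FUSE_DEFAULT_PERMISSIONS (1 << 0)
#define FUSE_ALLOW_OTHER         (1 << 1)

/* Hypothetical access masks for the model (same layout as rwx bits). */
#define MODEL_READ  4u
#define MODEL_WRITE 2u

/* Hypothetical stand-in for the fuse_conn fields the checks read. */
struct model_conn {
	uid_t    user_id;	/* mount owner */
	unsigned flags;		/* FUSE_* mount flags */
};

/* rwx bits of st_mode that apply to (uid, gid). Simplified: no
   supplementary groups and no special case for uid 0. */
static unsigned class_bits(const struct stat *st, uid_t uid, gid_t gid)
{
	if (st->st_uid == uid)
		return (st->st_mode >> 6) & 7;
	if (st->st_gid == gid)
		return (st->st_mode >> 3) & 7;
	return st->st_mode & 7;
}

/* Constraint 1: only a directory or file the mount owner can modify
   without limitation: write access, and no sticky bit on a directory. */
bool mountpoint_allowed(const struct stat *st, uid_t uid, gid_t gid)
{
	if (!S_ISDIR(st->st_mode) && !S_ISREG(st->st_mode))
		return false;
	if (!(class_bits(st, uid, gid) & MODEL_WRITE))
		return false;
	if (S_ISDIR(st->st_mode) && (st->st_mode & S_ISVTX))
		return false;
	return true;
}

/* Constraint 3: a task whose fsuid differs from the mount owner gets no
   access at all (this includes fsuid 0), unless FUSE_ALLOW_OTHER is set. */
bool task_allowed(const struct model_conn *fc, uid_t fsuid)
{
	return (fc->flags & FUSE_ALLOW_OTHER) != 0 || fsuid == fc->user_id;
}

/* Model of the permission decision: the owner check comes first; the
   mode bits are consulted only with FUSE_DEFAULT_PERMISSIONS, otherwise
   the decision is left to the userspace filesystem. */
int model_permission(const struct model_conn *fc, uid_t fsuid, gid_t fsgid,
		     const struct stat *st, unsigned mask)
{
	if (!task_allowed(fc, fsuid))
		return -EACCES;
	if ((fc->flags & FUSE_DEFAULT_PERMISSIONS) &&
	    (class_bits(st, fsuid, fsgid) & mask) != mask)
		return -EACCES;
	return 0;
}

/* Builds a constructed sample stat record (not read from disk). */
static struct stat make_stat(mode_t mode, uid_t uid, gid_t gid)
{
	struct stat st = {0};
	st.st_mode = mode;
	st.st_uid = uid;
	st.st_gid = gid;
	return st;
}

int main(void)
{
	struct stat home = make_stat(S_IFDIR | 0755, 1000, 1000);
	struct stat tmp = make_stat(S_IFDIR | 01777, 0, 0);
	struct model_conn fc = { 1000, 0 };

	printf("mount on own dir:    %d\n", mountpoint_allowed(&home, 1000, 1000));
	printf("mount on sticky dir: %d\n", mountpoint_allowed(&tmp, 1000, 1000));
	printf("owner access:        %d\n", task_allowed(&fc, 1000));
	printf("root access:         %d\n", task_allowed(&fc, 0));
	return 0;
}
```
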

/*
  FUSE: Filesystem in Userspace
  Copyright (C) 2001-2005 Miklos Szeredi <miklos@szeredi.hu>

  This program can be distributed under the terms of the GNU GPL.
  See the file COPYING.
*/

#include <linux/fuse.h>
#include <linux/fs.h>
#include <linux/wait.h>
#include <linux/list.h>
#include <linux/spinlock.h>
#include <linux/mm.h>
#include <linux/backing-dev.h>
#include <asm/semaphore.h>

/** Max number of pages that can be used in a single read request */
#define FUSE_MAX_PAGES_PER_REQ 32

/** If more requests are outstanding, then the operation will block */
#define FUSE_MAX_OUTSTANDING 10

/** If the FUSE_DEFAULT_PERMISSIONS flag is given, the filesystem
    module will check permissions based on the file mode. Otherwise no
    permission checking is done in the kernel */
#define FUSE_DEFAULT_PERMISSIONS (1 << 0)

/** If the FUSE_ALLOW_OTHER flag is given, then not only the user
    doing the mount will be allowed to access the filesystem */
#define FUSE_ALLOW_OTHER (1 << 1)

/** If the FUSE_KERNEL_CACHE flag is given, then cached data will not
    be flushed on open */
#define FUSE_KERNEL_CACHE (1 << 2)

/** Bypass the page cache for read and write operations */
#define FUSE_DIRECT_IO (1 << 3)

/** FUSE inode */
struct fuse_inode {
	/** Inode data */
	struct inode inode;

	/** Unique ID, which identifies the inode between userspace
	 * and kernel */
	u64 nodeid;

	/** Number of lookups on this inode */
	u64 nlookup;

	/** The request used for sending the FORGET message */
	struct fuse_req *forget_req;

	/** Time in jiffies until the file attributes are valid */
	unsigned long i_time;
};

/** FUSE specific file data */
struct fuse_file {
	/** Request reserved for flush and release */
	struct fuse_req *release_req;

	/** File handle used by userspace */
	u64 fh;
};

/** One input argument of a request */
struct fuse_in_arg {
	unsigned size;
	const void *value;
};

/** The request input */
struct fuse_in {
	/** The request header */
	struct fuse_in_header h;

	/** True if the data for the last argument is in req->pages */
	unsigned argpages:1;

	/** Number of arguments */
	unsigned numargs;

	/** Array of arguments */
	struct fuse_in_arg args[3];
};

/** One output argument of a request */
struct fuse_arg {
	unsigned size;
	void *value;
};

/** The request output */
struct fuse_out {
	/** Header returned from userspace */
	struct fuse_out_header h;

	/** Last argument is variable length (can be shorter than
	    arg->size) */
	unsigned argvar:1;

	/** Last argument is a list of pages to copy data to */
	unsigned argpages:1;

	/** Zero partially or not copied pages */
	unsigned page_zeroing:1;

	/** Number of arguments */
	unsigned numargs;

	/** Array of arguments */
	struct fuse_arg args[3];
};

struct fuse_req;
struct fuse_conn;

/**
 * A request to the client
 */
struct fuse_req {
	/** This can be on either unused_list, pending or processing
	    lists in fuse_conn */
	struct list_head list;

	/** Entry on the background list */
	struct list_head bg_entry;

	/** refcount */
	atomic_t count;

	/** True if the request has reply */
	unsigned isreply:1;

	/** The request is preallocated */
	unsigned preallocated:1;

	/** The request was interrupted */
	unsigned interrupted:1;

	/** Request is sent in the background */
	unsigned background:1;

	/** Data is being copied to/from the request */
	unsigned locked:1;

	/** Request has been sent to userspace */
	unsigned sent:1;

	/** The request is finished */
	unsigned finished:1;

	/** The request input */
	struct fuse_in in;

	/** The request output */
	struct fuse_out out;

	/** Used to wake up the task waiting for completion of request */
	wait_queue_head_t waitq;

	/** Data for asynchronous requests */
	union {
		struct fuse_forget_in forget_in;
		struct fuse_release_in release_in;
		struct fuse_init_in_out init_in_out;
	} misc;

	/** page vector */
	struct page *pages[FUSE_MAX_PAGES_PER_REQ];

	/** number of pages in vector */
	unsigned num_pages;

	/** offset of data on first page */
	unsigned page_offset;

	/** Inode used in the request */
	struct inode *inode;

	/** Second inode used in the request (or NULL) */
	struct inode *inode2;

	/** File used in the request (or NULL) */
	struct file *file;
};

/**
 * A Fuse connection.
 *
 * This structure is created, when the filesystem is mounted, and is
 * destroyed, when the client device is closed and the filesystem is
 * unmounted.
 */
struct fuse_conn {
	/** Reference count */
	int count;

	/** The user id for this mount */
	uid_t user_id;

	/** The group id for this mount */
	gid_t group_id;

	/** The fuse mount flags for this mount */
	unsigned flags;

	/** Maximum read size */
	unsigned max_read;

	/** Maximum write size */
	unsigned max_write;

	/** Readers of the connection are waiting on this */
	wait_queue_head_t waitq;

	/** The list of pending requests */
	struct list_head pending;

	/** The list of requests being processed */
	struct list_head processing;

	/** Requests put in the background (RELEASE or any other
	    interrupted request) */
	struct list_head background;

	/** Controls the maximum number of outstanding requests */
	struct semaphore outstanding_sem;

	/** This counts the number of outstanding requests if
	    outstanding_sem would go negative */
	unsigned outstanding_debt;

	/** RW semaphore for exclusion with fuse_put_super() */
	struct rw_semaphore sbput_sem;

	/** The list of unused requests */
	struct list_head unused_list;

	/** The next unique request id */
	u64 reqctr;

	/** Mount is active */
	unsigned mounted : 1;

	/** Connection established */
	unsigned connected : 1;

	/** Connection failed (version mismatch) */
	unsigned conn_error : 1;

	/** Is fsync not implemented by fs? */
	unsigned no_fsync : 1;

	/** Is flush not implemented by fs? */
	unsigned no_flush : 1;

	/** Is setxattr not implemented by fs? */
	unsigned no_setxattr : 1;

	/** Is getxattr not implemented by fs? */
	unsigned no_getxattr : 1;

	/** Is listxattr not implemented by fs? */
	unsigned no_listxattr : 1;

	/** Is removexattr not implemented by fs? */
	unsigned no_removexattr : 1;

	/** Backing dev info */
	struct backing_dev_info bdi;
};

struct fuse_getdir_out_i {
	int fd;
	void *file; /* Used by kernel only */
};

static inline struct fuse_conn **get_fuse_conn_super_p(struct super_block *sb)
{
	return (struct fuse_conn **) &sb->s_fs_info;
}

static inline struct fuse_conn *get_fuse_conn_super(struct super_block *sb)
{
	return *get_fuse_conn_super_p(sb);
}

static inline struct fuse_conn *get_fuse_conn(struct inode *inode)
{
	return get_fuse_conn_super(inode->i_sb);
}

static inline struct fuse_inode *get_fuse_inode(struct inode *inode)
{
	return container_of(inode, struct fuse_inode, inode);
}

static inline u64 get_node_id(struct inode *inode)
{
	return get_fuse_inode(inode)->nodeid;
}

/** Device operations */
extern struct file_operations fuse_dev_operations;

/**
 * This is the single global spinlock which protects FUSE's structures
 *
 * The following data is protected by this lock:
 *
 * - the private_data field of the device file
 * - the s_fs_info field of the super block
 * - unused_list, pending, processing lists in fuse_conn
 * - background list in fuse_conn
 * - the unique request ID counter reqctr in fuse_conn
 * - the sb (super_block) field in fuse_conn
 * - the file (device file) field in fuse_conn
 */
extern spinlock_t fuse_lock;

/**
 * Get a filled in inode
 */
struct inode *fuse_iget(struct super_block *sb, unsigned long nodeid,
                        int generation, struct fuse_attr *attr);

/**
 * Send FORGET command
 */
void fuse_send_forget(struct fuse_conn *fc, struct fuse_req *req,
                      unsigned long nodeid, u64 nlookup);

/**
 * Initialise file operations on a regular file
 */
void fuse_init_file_inode(struct inode *inode);

/**
 * Initialise inode operations on regular files and special files
 */
void fuse_init_common(struct inode *inode);

/**
 * Initialise inode and file operations on a directory
 */
void fuse_init_dir(struct inode *inode);

/**
 * Initialise inode operations on a symlink
 */
void fuse_init_symlink(struct inode *inode);

/**
 * Change attributes of an inode
 */
void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr);

/**
 * Check if the connection can be released, and if yes, then free the
 * connection structure
 */
void fuse_release_conn(struct fuse_conn *fc);

/**
 * Initialize the client device
 */
int fuse_dev_init(void);

/**
 * Cleanup the client device
 */
void fuse_dev_cleanup(void);

/**
 * Allocate a request
 */
struct fuse_req *fuse_request_alloc(void);

/**
 * Free a request
 */
void fuse_request_free(struct fuse_req *req);

/**
 * Reinitialize a request, the preallocated flag is left unmodified
 */
void fuse_reset_request(struct fuse_req *req);

/**
 * Reserve a preallocated request
 */
struct fuse_req *fuse_get_request(struct fuse_conn *fc);

/**
 * Reserve a preallocated request, only interruptible by SIGKILL
 */
struct fuse_req *fuse_get_request_nonint(struct fuse_conn *fc);

/**
 * Decrement reference count of a request.  If count goes to zero put
 * on unused list (preallocated) or free request (not preallocated).
 */
void fuse_put_request(struct fuse_conn *fc, struct fuse_req *req);

/**
 * Send a request (synchronous, interruptible)
 */
void request_send(struct fuse_conn *fc, struct fuse_req *req);

/**
 * Send a request (synchronous, non-interruptible except by SIGKILL)
 */
void request_send_nonint(struct fuse_conn *fc, struct fuse_req *req);

/**
 * Send a request with no reply
 */
void request_send_noreply(struct fuse_conn *fc, struct fuse_req *req);

/**
 * Send a request in the background
 */
void request_send_background(struct fuse_conn *fc, struct fuse_req *req);

/**
 * Release inodes and file associated with background request
 */
void fuse_release_background(struct fuse_req *req);

/**
 * Get the attributes of a file
 */
int fuse_do_getattr(struct inode *inode);

/**
 * Invalidate inode attributes
 */
void fuse_invalidate_attr(struct inode *inode);

/**
 * Send the INIT message
 */
void fuse_send_init(struct fuse_conn *fc);