Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp303895pxk; Thu, 24 Sep 2020 06:15:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxetQ4Ybogl1HndL+MFA7V7prmxMHSjvTIF4eFSNcVEYAg9wnZdVS4Oy/6a/d7exb7nRHAv X-Received: by 2002:a17:906:868c:: with SMTP id g12mr935493ejx.230.1600953325921; Thu, 24 Sep 2020 06:15:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600953325; cv=none; d=google.com; s=arc-20160816; b=LbTVaQTpfaShjyDRapFmT5JcgXDXcF1C7P2NDJslw1OAVY5/gX8CQvvxWCU+PyQyhc aby1IvYfB3euemgSybg4RqM0IgRedA5XtLyVsXl0vQcLP2zzj8nwyukRzWmglrkQamgl K69KQ6kWlQMwK2e5qA12Bcg5+qdbkezt5E4eQQr/zujWedMmQ48rBT/+bc/+ZfRJwY9T vPMFUIcq/l2eprtPI45czoJ3OJVaWisI4wan5qAE4AosS7kRh48fD+NqJVftAA6E5QZh k5Pk4V1mS56iiUYSsXmcTqSs77SLA/b1bDmCWQ3jchU/SIbVtDwb0ADUgEHUSbdWGBN6 la6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=sZZlks3iSx8s9lDyxs+csuRoO2CrDNiUR/cHMJe+SwI=; b=dQXnBI/SdkGR6WlSbVSwU2NdUSEtcxkeNf12etqGbwiQkzfayvotK4n0SfqLRGBR5m 9n1z47LyhulRjoGLWJxxuAeuaRVIqHjPFcWshADDlSLo+2vUaIIp42qxAlMRSwXVO8iT gL0cGIq8Cl3H74jxDZN1MNXdphlsRsBfRIm7laHwMYpLih/oFfb8A+gGTl8dbb4smju0 HHng100xAaXrT8y/ifZOwEm1n13rOhCj8U/wu60EzEQxW4Tm3wb980KCqonL7fe6D8mk NQyZRNBG5a6Y/Bb8CgwF6HUxckKgG0noGQcEuH1jYq+jabJou+zWvoLZLHuFb0lBJRd6 Wy1Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@android.com header.s=20161025 header.b=E8qt9biX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d3si1917617ejm.474.2020.09.24.06.15.01; Thu, 24 Sep 2020 06:15:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@android.com header.s=20161025 header.b=E8qt9biX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=android.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728001AbgIXNNk (ORCPT + 99 others); Thu, 24 Sep 2020 09:13:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46158 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727976AbgIXNN1 (ORCPT ); Thu, 24 Sep 2020 09:13:27 -0400 Received: from mail-wr1-x443.google.com (mail-wr1-x443.google.com [IPv6:2a00:1450:4864:20::443]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC525C0613D3 for ; Thu, 24 Sep 2020 06:13:26 -0700 (PDT) Received: by mail-wr1-x443.google.com with SMTP id k15so3740669wrn.10 for ; Thu, 24 Sep 2020 06:13:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=android.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=sZZlks3iSx8s9lDyxs+csuRoO2CrDNiUR/cHMJe+SwI=; b=E8qt9biXDu4ZdSAEs5GUe2aO7q54VUVhM0P1BmTOJAm3tD9KdSwYME2DhFbsXBPnB+ skXPmvnOOCmdEJi46WORrGtsiNXzdPCs2zeg+hQ9RoOxA8a203tRl6r8fVgx2Mfu4bvS w7YYX3EFnRHoahvfhZGayGTwavSsCLPTis1qf+gexSfHtwM59xkvveX5a6ztWw5XAEd6 UVY1nA4fmcjim2G9dX25m6yyTwTumbkDtbJ5mO7v0FC9DnQJuKajp2TTlq2p8WJHHiTI Ww/A4DvFG6900AA7f+FGDYBn9XaFcTZjIe91GJTfNbYPe5kHDoxXlPewJ31aJgQDIH+L xvVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=sZZlks3iSx8s9lDyxs+csuRoO2CrDNiUR/cHMJe+SwI=; b=ln9AScbE/IwJbo9rcED5lkJCj4WrwTp5j7vG1xLshDhmVKcG2dmmeTyUc2hTE12yhX J20TekJbaXueY9xVv+L2KT4pk6RZoN668+sDws1nZo/UjrUiApdD9oFjsXOlt1fuKGTW LTAk80BXrfJaUjK1jdlcLl906yY6LIMbKsTpi3ye+TzAqyZB8xHu1GZY/0K2sQH+28S/ kDFVcXNC5tvuxu1W9ZOrXGyog06qwLey5y/NaSW5+8Jr7s3h+LvqMxs/45VQla7iiRM4 N3lysF7vsZEdjn4b4xCKH2TvmY/9stOvcIEQQFr5bNTlINAi3AayBLWI4yzVOUmaEb+q XA8w== X-Gm-Message-State: AOAM533TLYk836A9g5/WP4Cz8J+xT5TOWfu/CzekBffw6JotXZsEQN8m 2g0hf/A97peY2dd10PzOULq7ag== X-Received: by 2002:adf:fc0a:: with SMTP id i10mr5034984wrr.111.1600953205562; Thu, 24 Sep 2020 06:13:25 -0700 (PDT) Received: from balsini.lon.corp.google.com ([2a00:79e0:d:210:7220:84ff:fe09:7d5c]) by smtp.gmail.com with ESMTPSA id k22sm3805044wrd.29.2020.09.24.06.13.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Sep 2020 06:13:25 -0700 (PDT) From: Alessio Balsini To: Miklos Szeredi Cc: Akilesh Kailash , Amir Goldstein , Antonio SJ Musumeci , David Anderson , Giuseppe Scrivano , Jann Horn , Jens Axboe , Martijn Coenen , Palmer Dabbelt , Paul Lawrence , Stefano Duo , Zimuzo Ezeozue , fuse-devel@lists.sourceforge.net, kernel-team@android.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH V9 3/4] fuse: Introduce synchronous read and write for passthrough Date: Thu, 24 Sep 2020 14:13:17 +0100 Message-Id: <20200924131318.2654747-4-balsini@android.com> X-Mailer: git-send-email 2.28.0.681.g6f77f65b4e-goog In-Reply-To: <20200924131318.2654747-1-balsini@android.com> References: <20200924131318.2654747-1-balsini@android.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org All the read and write operations performed on fuse_files which have the passthrough feature enabled are forwarded to the associated lower file system file via VFS. Sending the request directly to the lower file system avoids the userspace round-trip that, because of possible context switches and additional operations might reduce the overall performance, especially in those cases where caching doesn't help, for example in reads at random offsets. Verifying if a fuse_file has a lower file system file associated for passthrough can be done by checking the validity of its passthrough_filp pointer. This pointer is not NULL only if passthrough has been successfully enabled via the appropriate ioctl(). When a read/write operation is requested for a FUSE file with passthrough enabled, a new equivalent VFS request is generated, which instead targets the lower file system file. The VFS layer performs additional checks that allows for safer operations, but may cause the operation to fail if the process accessing the FUSE file system does not have access to the lower file system. This often happens in passthrough file systems, where the FUSE daemon is responsible for the enforcement of the lower file system access policies. In order to preserve this behavior, the current process accessing the FUSE file with passthrough enabled receives the privileges of the FUSE daemon while performing the read/write operation, emulating a behavior used in overlayfs. These privileges will be reverted as soon as the IO operation completes. This feature does not provide any higher security privileges to those processes accessing the FUSE file system with passthrough enabled. This because it is still the FUSE daemon responsible for enabling or not the passthrough feature at file open time, and should enable the feature only after appropriate access policy checks. This change only implements synchronous requests in passthrough, returning an error in the case of ansynchronous operations, yet covering the majority of the use cases. Signed-off-by: Alessio Balsini --- fs/fuse/file.c | 8 +++- fs/fuse/fuse_i.h | 2 + fs/fuse/passthrough.c | 93 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 101 insertions(+), 2 deletions(-) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 6c0ec742ce74..c3289ff0cd33 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1552,7 +1552,9 @@ static ssize_t fuse_file_read_iter(struct kiocb *iocb, struct iov_iter *to) if (is_bad_inode(file_inode(file))) return -EIO; - if (!(ff->open_flags & FOPEN_DIRECT_IO)) + if (ff->passthrough_filp) + return fuse_passthrough_read_iter(iocb, to); + else if (!(ff->open_flags & FOPEN_DIRECT_IO)) return fuse_cache_read_iter(iocb, to); else return fuse_direct_read_iter(iocb, to); @@ -1566,7 +1568,9 @@ static ssize_t fuse_file_write_iter(struct kiocb *iocb, struct iov_iter *from) if (is_bad_inode(file_inode(file))) return -EIO; - if (!(ff->open_flags & FOPEN_DIRECT_IO)) + if (ff->passthrough_filp) + return fuse_passthrough_write_iter(iocb, from); + else if (!(ff->open_flags & FOPEN_DIRECT_IO)) return fuse_cache_write_iter(iocb, from); else return fuse_direct_write_iter(iocb, from); diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h index 67bf5919f8d6..b0764ca4c4fd 100644 --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -1109,5 +1109,7 @@ void fuse_free_conn(struct fuse_conn *fc); int fuse_passthrough_setup(struct fuse_req *req, unsigned int fd); void fuse_passthrough_release(struct fuse_file *ff); +ssize_t fuse_passthrough_read_iter(struct kiocb *iocb, struct iov_iter *to); +ssize_t fuse_passthrough_write_iter(struct kiocb *iocb, struct iov_iter *from); #endif /* _FS_FUSE_I_H */ diff --git a/fs/fuse/passthrough.c b/fs/fuse/passthrough.c index 86ab4eafa7bf..f70c0ef6945b 100644 --- a/fs/fuse/passthrough.c +++ b/fs/fuse/passthrough.c @@ -2,6 +2,99 @@ #include "fuse_i.h" +#include + +static void fuse_copyattr(struct file *dst_file, struct file *src_file) +{ + struct inode *dst = file_inode(dst_file); + struct inode *src = file_inode(src_file); + + i_size_write(dst, i_size_read(src)); +} + +static rwf_t iocbflags_to_rwf(int ifl) +{ + rwf_t flags = 0; + + if (ifl & IOCB_APPEND) + flags |= RWF_APPEND; + if (ifl & IOCB_DSYNC) + flags |= RWF_DSYNC; + if (ifl & IOCB_HIPRI) + flags |= RWF_HIPRI; + if (ifl & IOCB_NOWAIT) + flags |= RWF_NOWAIT; + if (ifl & IOCB_SYNC) + flags |= RWF_SYNC; + + return flags; +} + +static const struct cred * +fuse_passthrough_override_creds(const struct file *fuse_filp) +{ + struct inode *fuse_inode = file_inode(fuse_filp); + struct fuse_conn *fc = fuse_inode->i_sb->s_fs_info; + + return override_creds(fc->creator_cred); +} + +ssize_t fuse_passthrough_read_iter(struct kiocb *iocb_fuse, + struct iov_iter *iter) +{ + ssize_t ret; + const struct cred *old_cred; + struct file *fuse_filp = iocb_fuse->ki_filp; + struct fuse_file *ff = fuse_filp->private_data; + struct file *passthrough_filp = ff->passthrough_filp; + + if (!iov_iter_count(iter)) + return 0; + + old_cred = fuse_passthrough_override_creds(fuse_filp); + if (is_sync_kiocb(iocb_fuse)) { + ret = vfs_iter_read(passthrough_filp, iter, &iocb_fuse->ki_pos, + iocbflags_to_rwf(iocb_fuse->ki_flags)); + } else { + ret = -EIO; + } + revert_creds(old_cred); + + return ret; +} + +ssize_t fuse_passthrough_write_iter(struct kiocb *iocb_fuse, + struct iov_iter *iter) +{ + ssize_t ret; + const struct cred *old_cred; + struct file *fuse_filp = iocb_fuse->ki_filp; + struct fuse_file *ff = fuse_filp->private_data; + struct inode *fuse_inode = file_inode(fuse_filp); + struct file *passthrough_filp = ff->passthrough_filp; + + if (!iov_iter_count(iter)) + return 0; + + inode_lock(fuse_inode); + + old_cred = fuse_passthrough_override_creds(fuse_filp); + if (is_sync_kiocb(iocb_fuse)) { + file_start_write(passthrough_filp); + ret = vfs_iter_write(passthrough_filp, iter, &iocb_fuse->ki_pos, + iocbflags_to_rwf(iocb_fuse->ki_flags)); + file_end_write(passthrough_filp); + if (ret > 0) + fuse_copyattr(fuse_filp, passthrough_filp); + } else { + ret = -EIO; + } + revert_creds(old_cred); + inode_unlock(fuse_inode); + + return ret; +} + int fuse_passthrough_setup(struct fuse_req *req, unsigned int fd) { int ret; -- 2.28.0.681.g6f77f65b4e-goog