On 1/20/2011 1:45 PM, Stefan Hajnoczi wrote:
> On Thu, Jan 20, 2011 at 9:15 PM, Venkateswararao Jujjuri (JV)
> <jv...@linux.vnet.ibm.com> wrote:
>> On 1/20/2011 12:59 AM, Stefan Hajnoczi wrote:
>>> On Tue, Jan 18, 2011 at 01:54:16PM +0530, M. Mohan Kumar wrote:
>>>> After creating a file object, its permission and ownership details are
>>>> updated
>>>> as per client's request for both passthrough and none security model. But
>>>> with
>>>> chrooted environment its not required for passthrough security model. Move
>>>> all
>>>> post file creation changes to none security model
>>>>
>>>> Signed-off-by: M. Mohan Kumar <mo...@in.ibm.com>
>>>> ---
>>>> hw/9pfs/virtio-9p-local.c | 19 ++++++-------------
>>>> 1 files changed, 6 insertions(+), 13 deletions(-)
>>>>
>>>> diff --git a/hw/9pfs/virtio-9p-local.c b/hw/9pfs/virtio-9p-local.c
>>>> index 08fd67f..d2e32e2 100644
>>>> --- a/hw/9pfs/virtio-9p-local.c
>>>> +++ b/hw/9pfs/virtio-9p-local.c
>>>> @@ -208,21 +208,14 @@ static int local_set_xattr(const char *path, FsCred
>>>> *credp)
>>>> return 0;
>>>> }
>>>>
>>>> -static int local_post_create_passthrough(FsContext *fs_ctx, const char
>>>> *path,
>>>> +static int local_post_create_none(FsContext *fs_ctx, const char *path,
>>>> FsCred *credp)
>>>> {
>>>> + int retval;
>>>> if (chmod(rpath(fs_ctx, path), credp->fc_mode & 07777) < 0) {
>>>> return -1;
>>>> }
>>>> - if (lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid) < 0) {
>>>> - /*
>>>> - * If we fail to change ownership and if we are
>>>> - * using security model none. Ignore the error
>>>> - */
>>>> - if (fs_ctx->fs_sm != SM_NONE) {
>>>> - return -1;
>>>> - }
>>>> - }
>>>> + retval = lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid);
>>>> return 0;
>>>> }
>>>
>>> retval is unused.
>>>
>>> Can multiple virtio-9p requests execute at a time? chmod() and lchown()
>>> after creation is a race condition if other requests can execute
>>> concurrently.
>>
>> If some level of serialization is needed it will be done at the client/guest
>> inode level.
>> Are you worried about filesystem semantics? or do you see some corruption if
>> they
>> get executed in parallel?
>
> My main concern is unreliable results due to the race conditions
> between creation and the fixups that are performed afterwards.
>
> Is virtio-9p only useful for single guest exclusive access? I thought
> both guest and host could access files at the same time? What about
> multiple VMs sharing a directory? These scenarios can only work if
> operations are made atomic.
For now, there is only one exploiter for the filesystem. The Guest/client.
In the future it could be different and we 'may' support multiple
exploiters/users.
Note that we have two security models
1. Passthrough 2. Mapped. (3. None - can be ignored as it is intended for
developer)
Mapped model is advised when you have only one exploiter;
Passthrough model is for more practical application/uses and it can be
used for multiple exploiters (say guests).
In passthrough model we don't do chmod() lchmod() after creating files.
Thanks,
JV
>
> Stefan
