We are going to remove the bluetooth backend, so the USB bluetooth
dongle can not work anymore. It's a completely optional device, no
board depends on it, so let's simply remove it now.
Message-Id: <20191120091014.16883-3-th...@redhat.com>
Reviewed-by: Ján Tomko
Acked-by: Paolo Bonzini
Signed-of
On Thu, 12 Dec 2019 12:09:48 +0800
Jason Wang wrote:
> On 2019/12/7 1:42 AM, Alex Williamson wrote:
> > On Fri, 6 Dec 2019 17:40:02 +0800
> > Jason Wang wrote:
> >
> >> On 2019/12/6 4:22 PM, Yan Zhao wrote:
> >>> On Thu, Dec 05, 2019 at 09:05:54PM +0800, Jason Wang wrote:
> On 2019/12/5
Patchew URL:
https://patchew.org/QEMU/20191212163904.159893-1-dgilb...@redhat.com/
Hi,
This series failed the docker-mingw@fedora build test. Please find the testing
commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.
=== TEST SCRIPT BEGIN ==
Implement the check whether the emulator backend is suspended.
Signed-off-by: Stefan Berger
diff --git a/hw/tpm/tpm_emulator.c b/hw/tpm/tpm_emulator.c
index 22f9113432..7be7d3a91b 100644
--- a/hw/tpm/tpm_emulator.c
+++ b/hw/tpm/tpm_emulator.c
@@ -80,6 +80,8 @@ typedef struct TPMEmulator {
u
On Wed, Dec 11, 2019 at 8:01 PM Richard Henderson
wrote:
>
> The functions generated by these macros are unused.
>
> Cc: Max Filippov
> Signed-off-by: Richard Henderson
> ---
> target/xtensa/cpu.h | 4
> 1 file changed, 4 deletions(-)
Acked-by: Max Filippov
--
Thanks.
-- Max
On Wed, Dec 11, 2019 at 8:00 PM Richard Henderson
wrote:
>
> We don't actually need the result of the read, only to probe that the
> memory mapping exists. This is exactly what probe_access does.
>
> This is also the only user of any cpu_ld*_code_ra function.
> Removing this allows the interface
Implement support for TPM on ppc64 by implementing the vTPM CRQ interface
as a frontend. It can use the tpm_emulator driver backend with the external
swtpm.
The Linux vTPM driver for ppc64 works with this emulation.
This TPM emulator also handles the TPM 2 case.
Signed-off-by: Stefan Berger
Rev
Some frontends need to know whether the backend is suspended.
Implement tpm_backend_is_suspended().
Signed-off-by: Stefan Berger
diff --git a/backends/tpm.c b/backends/tpm.c
index 375587e743..424c9fd485 100644
--- a/backends/tpm.c
+++ b/backends/tpm.c
@@ -163,6 +163,13 @@ size_t tpm_backend_get_
Signed-off-by: Stefan Berger
diff --git a/hw/ppc/Kconfig b/hw/ppc/Kconfig
index f927ec9c74..b5b3519158 100644
--- a/hw/ppc/Kconfig
+++ b/hw/ppc/Kconfig
@@ -10,6 +10,7 @@ config PSERIES
select XICS_SPAPR
select XIVE_SPAPR
select MSI_NONBROKEN
+select TPM_SPAPR
config SPAPR_RN
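Review bot: `select TPM_SPAPR` under `config PSERIES` makes the vTPM device a hard requirement of every pSeries build, because `select` forces the symbol on regardless of its own dependencies. If the device is meant to stay optional, `imply TPM_SPAPR` here, with the dependency on TPM support declared in the device's own Kconfig entry, keeps it on by default without forcing it. The commit message carries only a Signed-off-by; one line saying why pSeries pulls the device in would help.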
Extend the tpm_spapr frontend with VM suspend and resume support.
Signed-off-by: Stefan Berger
diff --git a/hw/tpm/tpm_spapr.c b/hw/tpm/tpm_spapr.c
index c4a67e2403..52e0405ab4 100644
--- a/hw/tpm/tpm_spapr.c
+++ b/hw/tpm/tpm_spapr.c
@@ -87,6 +87,8 @@ typedef struct {
TPMVersion be_tpm_vers
On 12/12/19 1:07 PM, Stefan Berger wrote:
Implement the check whether the emulator backend is suspended.
Signed-off-by: Stefan Berger
diff --git a/hw/tpm/tpm_emulator.c b/hw/tpm/tpm_emulator.c
index 22f9113432..7be7d3a91b 100644
--- a/hw/tpm/tpm_emulator.c
+++ b/hw/tpm/tpm_emulator.c
@@ -80,6
Implement the callback for whether the passthrough backend is
suspended. We always respond with false.
Signed-off-by: Stefan Berger
diff --git a/hw/tpm/tpm_passthrough.c b/hw/tpm/tpm_passthrough.c
index f67244b5d4..b759c7d30c 100644
--- a/hw/tpm/tpm_passthrough.c
+++ b/hw/tpm/tpm_passthrough.c
@
The following series of patches adds vTPM emulator support for the
ppc64 platform (pSeries).
It can be tested as follows with swtpm/libtpms:
mkdir /tmp/mytpm1
swtpm socket --tpmstate dir=/tmp/mytpm1 \
--ctrl type=unixio,path=/tmp/mytpm1/swtpm-sock \
--log level=20
If TPM 2 is desired, add -
On 12.12.19 18:33, Andrew Jones wrote:
> Add 5.0 machine types for arm/i440fx/q35/s390x/spapr.
>
> Signed-off-by: Andrew Jones
>
[...]
> /*
> * pseries-4.1
> diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> index d3edeef0ad92..a40f79e20733 100644
> --- a/hw/s390x/s390-
Add an example to the TPM docs for how to add a TPM SPAPR
device model to a QEMU VM emulating a pSeries machine.
Signed-off-by: Stefan Berger
diff --git a/docs/specs/tpm.txt b/docs/specs/tpm.txt
index 9c8cca042d..9c3e67d8a7 100644
--- a/docs/specs/tpm.txt
+++ b/docs/specs/tpm.txt
@@ -34,6 +34,12
When a VM is stopped (guest is paused) guest virtual time
should stop counting. Otherwise, when the VM is resumed it
will experience time jumps and its kernel may report soft
lockups. Not counting virtual time while the VM is stopped
has the side effect of making the guest's time appear to lag
when
v2:
- Reworked it enough that I brought back the RFC tag and retitled the
series. Also had to drop r-b's from a couple of patches, and even
drop patches.
- Changed approach from writing the QEMU virtual time to the guest
vtime counter to saving and restoring the guest vtime counter.
- C
Add 5.0 machine types for arm/i440fx/q35/s390x/spapr.
Signed-off-by: Andrew Jones
---
Hi Eduardo,
If we need to do something special for i440fx and q35, as
9aec2e52ce9d ("hw: add compat machines for 4.2") implies, then
I'll need guidance as to what.
---
hw/arm/virt.c | 9 +++
kvm-no-adjvtime is a KVM specific CPU property and a first of its kind.
To accommodate it we also add kvm_arm_add_vcpu_properties() and a
KVM specific CPU properties description to the CPU features document.
Signed-off-by: Andrew Jones
---
docs/arm-cpu-features.rst | 31 +
These are needed by microvm too, so move them outside of PC-specific files.
With this patch, microvm.c need not include pc.h anymore.
Signed-off-by: Paolo Bonzini
---
hw/i386/acpi-build.c | 1 +
hw/i386/fw_cfg.c | 1 -
hw/i386/fw_cfg.h | 2 +
hw/i386/kvm/ioapic.c | 2 +-
hw/i
Remove the need to include i386/pc.h to get to the i8259 functions.
This is enough to remove the inclusion of hw/i386/pc.h from all non-x86
files.
Signed-off-by: Paolo Bonzini
---
hw/alpha/alpha_sys.h| 3 ++-
hw/alpha/dp264.c| 1 +
hw/hppa/hppa_sys.h |
Add the missing GENERIC_TIMER feature to kvm64 cpus.
We don't currently use these registers when KVM is enabled, but it's
probably best we add the feature flag for consistency and potential
future use. There's also precedent, as we add the PMU feature flag to
KVM enabled guests, even though we don
Return true in case we had to wait for an outstanding response
to come back, false otherwise.
Signed-off-by: Stefan Berger
diff --git a/backends/tpm.c b/backends/tpm.c
index 424c9fd485..ae4d8c526b 100644
--- a/backends/tpm.c
+++ b/backends/tpm.c
@@ -49,11 +49,15 @@ static int tpm_backend_worker_
On x86, KVM needs some function from the PCI subsystem in order to set
up interrupt routes. Provide some stubs to support x86 machines that
lack PCI.
Reviewed-by: Sergio Lopez
Signed-off-by: Paolo Bonzini
---
hw/pci/pci-stub.c | 27 +++
1 file changed, 27 insertions(+)
This is a small cleanup that lets libqemuutil build without
include/hw/i386/pc.h.
Signed-off-by: Paolo Bonzini
---
hw/acpi/Makefile.objs| 1 +
stubs/pc_madt_cpu_entry.c => hw/acpi/acpi-x86-stub.c | 0
stubs/Makefile.objs | 1 -
3 f
In fact I went one step further and ensured that microvm could build
without pc.h even. :)
Paolo
v1->v2: more thorough cleansing of pc.h (new patches 3/7/8) [Sergio]
move SMM property to X86MachineState (patch 5) [Sergio]
Paolo Bonzini (8):
i386: conditionally compile more files
fw_c
From: Stefan Hajnoczi
Introduce a thread pool so that fv_queue_thread() just pops
VuVirtqElements and hands them to the thread pool. For the time being
only one worker thread is allowed since passthrough_ll.c is not
thread-safe yet. Future patches will lift this restriction so that
multiple FUS
If we know what the default value should be then we can test for
that as well as the feature existence.
Signed-off-by: Andrew Jones
Reviewed-by: Richard Henderson
---
tests/arm-cpu-features.c | 44
1 file changed, 35 insertions(+), 9 deletions(-)
diff -
On 12/12/19 8:22 AM, Stefan Berger wrote:
On 12/12/19 6:00 AM, Marc-André Lureau wrote:
Hi
On Wed, Dec 11, 2019 at 8:27 PM Stefan Berger
wrote:
Extend the tpm_spapr frontend with VM suspend and resume support.
Signed-off-by: Stefan Berger
---
hw/tpm/tpm_spapr.c | 42 ++
From: piaojun
Define fuse_buf_writev() which uses pwritev and writev to improve io
bandwidth. Especially, the src bufs with 0 size should be skipped as
their mems are not *block_size* aligned which will cause writev to fail
in direct io mode.
Signed-off-by: Jun Piao
Suggested-by: Stefan Hajnoczi
Allow building microvm without x86-iommu.c and in turn hw/i386/pc.h.
Signed-off-by: Paolo Bonzini
---
hw/i386/Kconfig | 6 ++
hw/i386/Makefile.objs| 3 ++-
hw/i386/x86-iommu-stub.c | 34 ++
3 files changed, 42 insertions(+), 1 deletions(-)
crea
Add it to microvm as well, it is a generic property of the x86
architecture.
Suggested-by: Sergio Lopez
Signed-off-by: Paolo Bonzini
---
hw/i386/pc.c | 49 -
hw/i386/pc_piix.c | 6 +++---
hw/i386/pc_q35.c | 2 +-
hw/i386/x86.c
From: Stefan Hajnoczi
If thread A is using an inode it must not be deleted by thread B when
processing a FUSE_FORGET request.
The FUSE protocol itself already has a counter called nlookup that is
used in FUSE_FORGET messages. We cannot trust this counter since the
untrusted client can manipulat
From: Misono Tomohiro
When writeback mode is enabled (-o writeback), O_APPEND handling is
done in the kernel. Therefore virtiofsd clears the O_APPEND flag on open.
Otherwise the O_APPEND flag takes precedence over pwrite() and written
data may be corrupted.
Currently clearing O_APPEND flag is done in lo_open(),
From: Eryu Guan
Signed-off-by: Eryu Guan
---
tools/virtiofsd/fuse_signals.c | 6 +-
tools/virtiofsd/helper.c | 9 ++---
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/tools/virtiofsd/fuse_signals.c b/tools/virtiofsd/fuse_signals.c
index 10a6f88088..edabf24e0d 1006
The microvm machine type uses fw_cfg but lacks SMBIOS and ACPI. Do not
include the files if the symbol is not present in QEMU and remove
dependencies on machine-specific files.
Reviewed-by: Sergio Lopez
Signed-off-by: Paolo Bonzini
---
hw/i386/fw_cfg.c | 7 +++
hw/i386/pc.c | 2 --
2 f
From: "Dr. David Alan Gilbert"
If a new setmemtable command comes in once the vhost threads are
running, it will remap the guests address space and the threads
will now be looking in the wrong place.
Fortunately we're running this command under lock, so we can
update the queue mappings so that t
From: Peng Tao
Right now we always enable it regardless of given commandlines.
Fix it by setting the flag relying on the lo->flock bit.
Signed-off-by: Peng Tao
---
tools/virtiofsd/passthrough_ll.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/tools/virtiofsd/p
Reviewed-by: Sergio Lopez
Signed-off-by: Paolo Bonzini
---
hw/i386/Makefile.objs | 6 +++---
hw/i386/kvm/Makefile.objs | 6 +-
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/hw/i386/Makefile.objs b/hw/i386/Makefile.objs
index 0d195b5..01ae202 100644
--- a/hw/i386/Makefile
From: Stefan Hajnoczi
This reference counter plays a specific role in the FUSE protocol. It's
not a generic object reference counter and the FUSE kernel code calls it
"nlookup".
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/passthrough_ll.c | 37 +---
1 file c
From: "Dr. David Alan Gilbert"
lo_destroy was relying on some implicit knowledge of the locking;
we can avoid this if we create an unref_inode that doesn't take
the lock and then grab it for the whole of the lo_destroy.
Suggested-by: Vivek Goyal
Signed-off-by: Dr. David Alan Gilbert
---
tools
From: Stefan Hajnoczi
Introduce lo_dirp_put() so that FUSE_RELEASEDIR does not cause
use-after-free races with other threads that are accessing lo_dirp.
Also make lo_releasedir() atomic to prevent FUSE_RELEASEDIR racing with
itself. This prevents double-frees.
Signed-off-by: Stefan Hajnoczi
-
From: Stefan Hajnoczi
Hold the lock across both lo_map_get() and lo_map_remove() to prevent
races between two FUSE_RELEASE requests. In this case I don't see a
serious bug but it's safer to do things atomically.
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/passthrough_ll.c | 12
From: Stefan Hajnoczi
Now that lo_destroy() is serialized we can call unref_inode() so that
all inode resources are freed.
Signed-off-by: Stefan Hajnoczi
Signed-off-by: Dr. David Alan Gilbert
---
tools/virtiofsd/passthrough_ll.c | 41
1 file changed, 20 insert
From: Stefan Hajnoczi
We call into libvhost-user from the virtqueue handler thread and the
vhost-user message processing thread without a lock. There is nothing
protecting the virtqueue handler thread if the vhost-user message
processing thread changes the virtqueue or memory table while it is
r
From: Liu Bo
lookup is a RO operation, PARALLEL_DIROPS can be enabled.
Signed-off-by: Liu Bo
---
tools/virtiofsd/fuse_lowlevel.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
index b1ff684de9..4b5fe1d7a1 100644
--- a/t
From: Vivek Goyal
Doing posix locks within the guest kernel is not sufficient if a file/dir
is being shared by multiple guests. So we need the notion of the daemon doing
the locks which are visible to the rest of the guests.
Given posix locks are per process, one can not call posix lock API on host,
other
From: Stefan Hajnoczi
Signed-off-by: Stefan Hajnoczi
---
Makefile | 7 +++
tools/virtiofsd/virtiofsd.texi | 85 ++
2 files changed, 92 insertions(+)
create mode 100644 tools/virtiofsd/virtiofsd.texi
diff --git a/Makefile b/Makefile
index
From: "Dr. David Alan Gilbert"
Clear out our inodes and fd's on a 'destroy' - so we get rid
of them if we reboot the guest.
Signed-off-by: Dr. David Alan Gilbert
---
tools/virtiofsd/passthrough_ll.c | 26 ++
1 file changed, 26 insertions(+)
diff --git a/tools/virtiofsd
From: Eric Ren
Signed-off-by: Eric Ren
---
tools/virtiofsd/passthrough_ll.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 097033aa00..fbcc222860 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/pas
From: Stefan Hajnoczi
vu_socket_path is NULL when --fd=FDNUM was used. Use
fuse_lowlevel_is_virtio() instead.
Signed-off-by: Stefan Hajnoczi
pull request 10
---
tools/virtiofsd/fuse_lowlevel.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/tools/virtiofsd/fuse_lo
From: Miklos Szeredi
- Rename "cache=never" to "cache=none" to match 9p's similar option.
- Rename CACHE_NORMAL constant to CACHE_AUTO to match the "cache=auto"
option.
Signed-off-by: Miklos Szeredi
Signed-off-by: Dr. David Alan Gilbert
---
tools/virtiofsd/passthrough_ll.c | 20
From: Liu Bo
This cleans up unfreed resources in se on quitting, including
se->virtio_dev, se->vu_socket_path, se->vu_socketfd.
Signed-off-by: Liu Bo
---
tools/virtiofsd/fuse_lowlevel.c | 7 +++
tools/virtiofsd/fuse_virtio.c | 7 +++
tools/virtiofsd/fuse_virtio.h | 2 +-
3 files cha
From: Liu Bo
This offers a helper function for lo_data's cleanup.
Signed-off-by: Liu Bo
---
tools/virtiofsd/passthrough_ll.c | 37 ++--
1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll
From: Stefan Hajnoczi
When running with multiple threads it can be tricky to handle
FUSE_INIT/FUSE_DESTROY in parallel with other request types or in
parallel with themselves. Serialize FUSE_INIT and FUSE_DESTROY so that
malicious clients cannot trigger race conditions.
Signed-off-by: Stefan Ha
From: Miklos Szeredi
Initialize the root inode in a single place.
Signed-off-by: Miklos Szeredi
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/passthrough_ll.c | 26 --
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/tools/virtiofsd/passthrough_ll.
From: Jiufei Xue
Define HAVE_STRUCT_STAT_ST_ATIM to 1 if `st_atim' is member of `struct
stat' which means support nanosecond resolution for the file timestamp
fields.
Signed-off-by: Jiufei Xue
---
configure | 16
tools/virtiofsd/fuse_misc.h | 1 +
2 files ch
From: Liu Bo
Neither fuse_parse_cmdline() nor fuse_opt_parse() goes to the right place
to do cleanup.
Signed-off-by: Liu Bo
---
tools/virtiofsd/passthrough_ll.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrou
From: Stefan Hajnoczi
Add an option to control the size of the thread pool. Requests are now
processed in parallel by default.
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/fuse_i.h| 1 +
tools/virtiofsd/fuse_lowlevel.c | 7 ++-
tools/virtiofsd/fuse_virtio.c | 5 +++--
3 fi
From: Miklos Szeredi
Signed-off-by: Miklos Szeredi
---
tools/virtiofsd/passthrough_ll.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 0d70a367bd..c3e8bde5cf 100644
--- a/tools/virtiofsd/passthr
Dear David Gibson,
I know you are under no obligation to respond, but if it's possible for you
to find the time to respond to my question, I would be extremely grateful.
My team at Boeing has been stuck trying to get KVM working for our project
for the last few months. A good explanation of why t
From: Miklos Szeredi
Improve performance of inode lookup by using a hash table.
Signed-off-by: Miklos Szeredi
Signed-off-by: Dr. David Alan Gilbert
Signed-off-by: Liu Bo
---
tools/virtiofsd/passthrough_ll.c | 81 ++--
1 file changed, 45 insertions(+), 36 deletions
From: piaojun
fuse_buf_writev() only handles the normal write in which src is buffer
and dest is fd. Specially if src buffer represents guest physical
address that can't be mapped by the daemon process, IO must be bounced
back to the VMM to do it by fuse_buf_copy().
Signed-off-by: Jun Piao
Sugg
From: Miklos Szeredi
No glibc support yet, so use syscall().
Signed-off-by: Miklos Szeredi
---
tools/virtiofsd/passthrough_ll.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 91d3120033..bed2270141 10064
From: Miklos Szeredi
The Linux file handle APIs (struct export_operations) can access inodes
that are not attached to parents because path name traversal is not
performed. Refuse if there is no parent in lo_do_lookup().
Also clean up lo_do_lookup() while we're here.
Signed-off-by: Miklos Szere
From: "Dr. David Alan Gilbert"
Allow init->destroy->init for mount->umount->mount
Signed-off-by: Dr. David Alan Gilbert
---
tools/virtiofsd/fuse_lowlevel.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c
index 0abb369b3d.
From: Vivek Goyal
If an application wants to do direct IO and opens a file with O_DIRECT
in guest, that does not necessarily mean that we need to bypass page
cache on host as well. So reset this flag on host.
If somebody needs to bypass page cache on host as well (and it is safe to
do so), we ca
From: Masayoshi Mizuma
virtiofsd has some threads, so we see a lot of logs with debug option.
It would be useful for debugging if we can identify the specific thread
from the log.
Add ID, which is got by gettid(), to the log with FUSE_LOG_DEBUG level
so that we can grep the specific thread.
The
From: Miklos Szeredi
...because the attributes sent in the READDIRPLUS reply would be discarded
anyway.
Signed-off-by: Miklos Szeredi
---
tools/virtiofsd/passthrough_ll.c | 4
1 file changed, 4 insertions(+)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
From: Masayoshi Mizuma
virtiofsd has some threads, so we see a lot of logs with debug option.
It would be useful for debugging if we can see the timestamp.
Add nanosecond timestamp, which is obtained by get_clock(), to the log with
FUSE_LOG_DEBUG level if the syslog option isn't set.
The log is like a
From: Masayoshi Mizuma
virtiofsd can run multiple times even if the vhost_user_socket is the same path.
]# ./virtiofsd -o vhost_user_socket=/tmp/vhostqemu -o source=/tmp/share &
[1] 244965
virtio_session_mount: Waiting for vhost-user socket connection...
]# ./virtiofsd -o vhost_user_socket=/tmp/vh
From: Vivek Goyal
If client requested killing setuid/setgid bits on file being written, drop
CAP_FSETID capability so that setuid/setgid bits are cleared upon write
automatically.
pjdfstest chown/12.t needs this.
Signed-off-by: Vivek Goyal
dgilbert: reworked for libcap-ng
---
tools/virtiofs
From: "Dr. David Alan Gilbert"
In future patches we'll be performing commands on the slave-fd driven
by commands on queues, since those queues will be driven by individual
threads we need to make sure they don't attempt to use the slave-fd
for multiple commands in parallel.
Signed-off-by: Dr. Da
From: Liu Bo
For fuse's queueinfo, both queueinfo array and queueinfos are allocated in
fv_queue_set_started() but not cleaned up when the daemon process quits.
This fixes the leak in proper places.
Signed-off-by: Liu Bo
Signed-off-by: Eric Ren
---
tools/virtiofsd/fuse_virtio.c | 9 +
From: Stefan Hajnoczi
Many people want to know: what's up with virtiofsd and security? This
document provides the answers!
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/security.rst | 118 +++
1 file changed, 118 insertions(+)
create mode 100644 tools/vir
From: "Dr. David Alan Gilbert"
libcap-ng reads /proc during capng_get_caps_process, and virtiofsd's
sandboxing doesn't have /proc mounted; thus we have to do the
caps read before we sandbox it and save/restore the state.
Signed-off-by: Dr. David Alan Gilbert
---
Makefile
From: "Dr. David Alan Gilbert"
Kill the threads we've started when the queues get stopped.
Signed-off-by: Dr. David Alan Gilbert
---
tools/virtiofsd/fuse_virtio.c | 37 +++
1 file changed, 33 insertions(+), 4 deletions(-)
diff --git a/tools/virtiofsd/fuse_virti
From: Liu Bo
valgrind reported that lo.source is leaked on quitting, but it was defined
as (const char*) as it may point to a const string "/".
Signed-off-by: Liu Bo
---
tools/virtiofsd/passthrough_ll.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/virtiofsd/pas
From: Stefan Hajnoczi
virtiofsd needs access to /proc/self/fd. Let's move to a new pid
namespace so that a compromised process cannot see other
processes running on the system.
One wrinkle in this approach: unshare(CLONE_NEWPID) affects *child*
processes and not the current process. Th
From: Stefan Hajnoczi
Only allow system calls that are needed by virtiofsd. All other system
calls cause SIGSYS to be directed at the thread and the process will
coredump.
Restricting system calls reduces the kernel attack surface and limits
what the process can do when compromised.
Signed-off
From: "Dr. David Alan Gilbert"
Handle a
mount
hard reboot (without unmount)
mount
we get another 'init' which FUSE doesn't normally expect.
Signed-off-by: Dr. David Alan Gilbert
---
tools/virtiofsd/fuse_lowlevel.c | 16 +++-
1 file changed, 15 insertions(+), 1 deletion(-)
d
From: Stefan Hajnoczi
Construct a fake dirent for the root directory's ".." entry. This hides
the parent directory from the FUSE client.
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/passthrough_ll.c | 36 +++-
1 file changed, 22 insertions(+), 14 deletions(-)
From: Miklos Szeredi
Signed-off-by: Miklos Szeredi
---
tools/virtiofsd/passthrough_ll.c | 50 +++-
1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 0f33c3c5e9..1b84d4f313 100644
--
From: Vivek Goyal
Caller can set FUSE_WRITE_KILL_PRIV in write_flags. Parse it and pass it
to the filesystem.
Signed-off-by: Vivek Goyal
---
tools/virtiofsd/fuse_common.h | 6 +-
tools/virtiofsd/fuse_lowlevel.c | 4 +++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/tool
From: Miklos Szeredi
Signed-off-by: Miklos Szeredi
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/passthrough_ll.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index c3e8bde5cf..1618d
From: Eryu Guan
Introduce "-o log_level=" command line option to specify current log
level (priority), valid values are "debug info warn err", e.g.
./virtiofsd -o log_level=debug ...
So only log priority higher than "debug" will be printed to
stderr/syslog. And the default level is info.
T
From: "Dr. David Alan Gilbert"
Pass the write iov pointing to guest RAM all the way through rather
than copying the data.
Signed-off-by: Dr. David Alan Gilbert
---
tools/virtiofsd/fuse_virtio.c | 79 ---
1 file changed, 73 insertions(+), 6 deletions(-)
diff --g
From: Stefan Hajnoczi
Some FUSE message replies contain padding fields that are not
initialized by libfuse. This is fine in traditional FUSE applications
because the kernel is trusted. virtiofsd does not trust the guest and
must not expose uninitialized memory.
Use C struct initializers to aut
From: Stefan Hajnoczi
If the process is compromised there should be no network access. Use an
empty network namespace to sandbox networking.
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/passthrough_ll.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/tools/virtiofsd/
From: "Dr. David Alan Gilbert"
When we receive an unexpected message type on the slave fd, print
the type.
Signed-off-by: Dr. David Alan Gilbert
---
hw/virtio/vhost-user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index
From: Stefan Hajnoczi
Several FUSE requests contain single path components. A correct FUSE
client sends well-formed path components but there is currently no input
validation in case something went wrong or the client is malicious.
Refuse ".", "..", and paths containing '/' when we expect a pat
From: Stefan Hajnoczi
There is a small change in behavior: if fuse_write_in->size doesn't
match the input buffer size then the request is failed. Previously
write requests with 1 fuse_buf element would truncate to
fuse_write_in->size.
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/fuse_lo
From: Stefan Hajnoczi
Use a mount namespace with the shared directory tree mounted at "/" and
no other mounts.
This prevents symlink escape attacks because symlink targets are
resolved only against the shared directory and cannot go outside it.
Signed-off-by: Stefan Hajnoczi
Signed-off-by: Pen
From: Stefan Hajnoczi
Sometimes collecting output from stderr is inconvenient or does not fit
within the overall logging architecture. Add syslog(3) support for
cases where stderr cannot be used.
Signed-off-by: Stefan Hajnoczi
dgilbert: Reworked as a logging function
Signed-off-by: Dr. David A
From: Stefan Hajnoczi
Install a vhost-user.json file describing virtiofsd. This allows
libvirt and other management tools to enumerate vhost-user backend
programs.
Signed-off-by: Stefan Hajnoczi
---
.gitignore| 1 +
Makefile | 1
From: Stefan Hajnoczi
virtiofsd can exceed the default open file descriptor limit easily on
most systems. Take advantage of the fact that it runs as root to raise
the limit.
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/passthrough_ll.c | 32
1 file chang
From: Stefan Hajnoczi
Sandboxing will remove /proc from the mount namespace so we can no
longer build string paths into "/proc/self/fd/...".
Keep an O_PATH file descriptor so we can still re-open fds via
/proc/self/fd.
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/passthrough_ll.c | 129
From: Stefan Hajnoczi
Do not expose lo_dirp pointers to clients.
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/passthrough_ll.c | 103 +++
1 file changed, 76 insertions(+), 27 deletions(-)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthr
From: "Dr. David Alan Gilbert"
Route fuse out messages back through the same queue elements
that had the command that triggered the request.
Signed-off-by: Dr. David Alan Gilbert
---
tools/virtiofsd/fuse_lowlevel.c | 4 ++
tools/virtiofsd/fuse_virtio.c | 107 ++-
From: Stefan Hajnoczi
Introduce an API for consuming bytes from a buffer with size checks.
All FUSE operations will be converted to use this safe API instead of
void *inarg.
Signed-off-by: Stefan Hajnoczi
---
tools/virtiofsd/buffer.c | 28
tools/virtiofsd/fuse_common.