With mapped security models like mapped-xattr and mapped-file, we save the
symlink target as file contents. Now if we ever expose a normal directory
with mapped security model and find real symlinks in export path, never
follow them and return proper error.
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

Signed-off-by: NDong Xu Wang <wdongxu@linux.vnet.ibm.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

Many of these should be cleaned up with proper qdev-/QOM-ification.
Right now there are many catch-all headers in include/hw/ARCH depending
on cpu.h, and this makes it necessary to compile these files per-target.
However, fixing this does not belong in these patches.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Note: the allocation in virtio_9p_init() is still leaked.  To be fixed
in a followup commit.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

In passthrough security model in local fs driver, after a file creation
chown and chmod are done to set the file credentials and mode as requested
by 9p client. But if there was a request to create a file with S_ISGID
bit, doing chown on that file resets the S_ISGID bit. So first call
chown and then invoking chmod with proper mode bit retains the S_ISGID
(if present/requested)

This resulted in LTP mknod02, mknod03, mknod05, open10 test case
failures. This patch fixes this issue.

man 2 chown
When the owner or group of an executable file are changed by an unprivileged
user the S_ISUID  and  S_ISGID mode  bits are cleared.  POSIX does not specify
whether this also should happen when root does the chown(); the Linux behavior
depends on the kernel version.
Signed-off-by: NM. Mohan Kumar <mohan@in.ibm.com>
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This enable us to do passthrough equivalent security model on NFS directory.
NFS server mostly do root squashing and don't support xattr. Hence we cannot
use 'passthrough' or 'mapped' security model

Also added "mapped-xattr" security to indicate earlier "mapped" security model
Older name is still supported.

POSIX rules regarding ctime update on chmod are not followed by this security model.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This remove all conditional code from common code path and
make opt validation a FSDriver callback.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

Fsdriver callback that operate on file descriptor need to
differentiate between directory fd and file fd.

Based on the original patch from Sassan Panahinejad <sassan@sassan.me.uk>
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

I guess we can also make sure we don't  call local_ioc_getversion at
all.
Reported-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Small requirements on "new" features have percolated to virtio-9p-local.c.
In particular, the utimensat wrapper actually only supports dirfd = AT_FDCWD
and flags = AT_SYMLINK_NOFOLLOW in the fallback code.  Remove the arguments
so that virtio-9p-local.c will not use AT_* constants.

At the same time, fail local_ioc_getversion if the ioctl is not supported
by the host.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Modern distributions place xattr.h in /usr/include/sys, and fold
libattr.so into libc.  They also don't have an ENOATTR.

Make configure detect this, and add a qemu-xattr.h file that
directs the #include to the right place.
Signed-off-by: NAvi Kivity <avi@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

To implement synthetic file system in Qemu we may not really
require file descriptor and Dir *. Make generic code use
V9fsFidOpenState instead.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

Update local_chown to remove unnecessary if loop
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This helps to remove some of the structure members
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This allows us to remove another member from the struct
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This patch use file system specific ioctl for getting i_generation
value. Not all file system support the ioctl. So we add an export
specific extended operation and assign right callback for the
file system that support i_generation ioctl

["M. Mohan Kumar" <mohan@in.ibm.com> we can do ioctl only for
regular files and directories on the server]
Signed-off-by: NHarsh Prateek Bora <harsh@linux.vnet.ibm.com>
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

writeout=immediate implies the after pwritev we do a sync_file_range.
Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

Add a new context flag PATHNAME_FSCONTEXT and indicate whether
the fs driver track fid using path names. Also add a private
pointer that help us to track fs driver specific values in there
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This call back can be used to do fs driver specific initialization.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This enables us to add handles to track fids later. The
V9fsPath added is similar to V9fsString except that the
size include the NULL byte also.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

Signed-off-by: NHarsh Prateek Bora <harsh@linux.vnet.ibm.com>
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

Current rpath inline function is heavily used in all system calls.
This function has a static buffer making it a non-thread safe function.
This patch introduces new thread-safe routine and makes use of it.

Signed-off-by: Venkateswararao Jujjuri "<jvrao@linux.vnet.ibm.com>

Commit 353ac78d moved the files
without fixing the include paths. It used a modified CFLAGS
to add hw to the include search path, but this breaks builds
where the user wants to set special CFLAGS. Long include paths
also increase compilation time.

Therefore this patch removes the special CFLAGS for virtio
and fixes the include statements by using relative include paths.

v2: Remove special CFLAGS.
v3: Update needed for latest QEMU.
Signed-off-by: NStefan Weil <weil@mail.berlios.de>
Signed-off-by: NVenkateswararao Jujjuri (JV) <jvrao@linux.vnet.ibm.com>

This patch removes the addition of null char in symlink file
which is being appended to file in case of mapped security model.
Without this patch, the extra null char causes LTP testcase lstat03
to fail and hence this fix is required.
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

Now that we start adding more files related to 9pfs
it make sense to move them to a separate directory
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

This patch introduce a fallback mechanism for old systems that do not
support utimensat().  This fix build failure with following warnings:

hw/virtio-9p-local.c: In function 'local_utimensat':
hw/virtio-9p-local.c:479: warning: implicit declaration of function 'utimensat'
hw/virtio-9p-local.c:479: warning: nested extern declaration of 'utimensat'

and:

hw/virtio-9p.c: In function 'v9fs_setattr_post_chmod':
hw/virtio-9p.c:1410: error: 'UTIME_NOW' undeclared (first use in this function)
hw/virtio-9p.c:1410: error: (Each undeclared identifier is reported only once
hw/virtio-9p.c:1410: error: for each function it appears in.)
hw/virtio-9p.c:1413: error: 'UTIME_OMIT' undeclared (first use in this function)
hw/virtio-9p.c: In function 'v9fs_wstat_post_chmod':
hw/virtio-9p.c:2905: error: 'UTIME_OMIT' undeclared (first use in this function)

[NOTE: At this time virtio-9p is only user of utimensat(), and is available
       only when host is linux and CONFIG_VIRTFS is defined.  So there are
       no similar warning for win32.  Please provide a wrapper for win32 in
       oslib-win32.c if new user really requires it.]

v5:
  - Allow fallback on runtime
  - Move qemu_utimensat() to oslib-posix.c
  - Rebased on latest qemu.git
v4:
  - Use tv_now.tv_usec
v3:
  - Use better alternative handling for UTIME_NOW/OMIT
  - Move qemu_utimensat() to cutils.c
V2:
  - Introduce qemu_utimensat()
Acked-by: NChris Wright <chrisw@sous-sol.org>
Acked-by: NM. Mohan Kumar <mohan@in.ibm.com>
Acked-by: NJes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: NHidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

SYNOPSIS
    size[4] Tfsync tag[2] fid[4] datasync[4]

    size[4] Rfsync tag[2]

DESCRIPTION

    The Tfsync transaction transfers ("flushes") all modified in-core data of
    file identified by fid to the disk device (or other  permanent  storage
    device)  where that  file  resides.

    If datasync flag is specified data will be fleshed but does not flush
    modified metadata unless  that  metadata  is  needed  in order to allow a
    subsequent data retrieval to be correctly handled.
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

readv & writev, read & write respectively from the current offset
of the file & hence their use has to be preceeded by a call to lseek.
preadv/writev can be used instead, as they take the offset as an argument.
This saves one system call( lseek ).
In case preadv is not supported, it is implemented by an lseek
followed by a readv. Depending upon the configuration of QEMU, the
appropriate read & write methods are selected. This patch also fixes the
zero byte read/write bug & obviates the need to apply a fix for that bug separately.
Signed-off-by: NM. Mohan Kumar <mohan@in.ibm.com>
Signed-off-by: NSanchit Garg <sancgarg@linux.vnet.ibm.com>
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

We would need this to make sure we handle the mapped
security model correctly for different xattr names.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

We should always use functions which don't follow
symlink on the server
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This is equivalent to SM_PASSTHROUGH security model.
The only exception is, failure of privilige operation like chown
are ignored. This makes a passthrough like security model usable
for people who runs kvm as non root
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

With mapped security mode we use "user.virtfs" namespace is used
to store the virtFs related attributes. So hide it from user.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

TXATTRCREATE:  Prepare a fid for setting xattr value on a file system object.

 size[4] TXATTRCREATE tag[2] fid[4] name[s] attr_size[8] flags[4]
 size[4] RXATTRWALK tag[2]

txattrcreate gets a fid pointing to xattr. This fid can later be
used to get set the xattr value.

flag value is derived from set Linux setxattr. The manpage says
"The flags parameter can be used to refine the semantics of the operation.
XATTR_CREATE specifies a pure create, which fails if the named attribute
exists already. XATTR_REPLACE specifies a pure replace operation, which
fails if the named attribute does not already exist. By default (no flags),
the extended attribute will be created if need be, or will simply replace
the value if the attribute exists."

The actual setxattr operation happens when the fid is clunked. At that point
the written byte count and the attr_size specified in TXATTRCREATE should be
same otherwise an error will be returned.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

TXATTRWALK: Descend a ATTR namespace

 size[4] TXATTRWALK tag[2] fid[4] newfid[4] name[s]
 size[4] RXATTRWALK tag[2] size[8]

txattrwalk gets a fid pointing to xattr. This fid can later be
used to get read the xattr value. If name is NULL the fid returned
can be used to get the list of extended attribute associated to
the file system object.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

SYNOPSIS

      size[4] Tsetattr tag[2] attr[n]

      size[4] Rsetattr tag[2]

   DESCRIPTION

      The setattr command changes some of the file status information.
      attr resembles the iattr structure used in Linux kernel. It
      specifies which status parameter is to be changed and to what
      value. It is laid out as follows:

         valid[4]
            specifies which status information is to be changed. Possible
            values are:
            ATTR_MODE       (1 << 0)
            ATTR_UID        (1 << 1)
            ATTR_GID        (1 << 2)
            ATTR_SIZE       (1 << 3)
            ATTR_ATIME      (1 << 4)
            ATTR_MTIME      (1 << 5)
            ATTR_CTIME      (1 << 5)
            ATTR_ATIME_SET  (1 << 7)
            ATTR_MTIME_SET  (1 << 8)

            The last two bits represent whether the time information
            is being sent by the client's user space. In the absense
            of these bits the server always uses server's time.

         mode[4]
            File permission bits

         uid[4]
            Owner id of file

         gid[4]
            Group id of the file

         size[8]
            File size

         atime_sec[8]
            Time of last file access, seconds

         atime_nsec[8]
            Time of last file access, nanoseconds

         mtime_sec[8]
            Time of last file modification, seconds

         mtime_nsec[8]
            Time of last file modification, nanoseconds

Explanation of the patches:
--------------------------

*) The kernel just copies relevent contents of iattr structure to p9_iattr_dotl
   structure and passes it down to the client. The only check it has is calling
   inode_change_ok()
*) The p9_iattr_dotl structure does not have ctime and ia_file parameters because
   I don't think these are needed in our case. The client user space can request
   updating just ctime by calling chown(fd, -1, -1). This is handled on server
   side without a need for putting ctime on the wire.
*) The server currently supports changing mode, time, ownership and size of the
   file.
*) 9P RFC says "Either all the changes in wstat request happen, or none of them
   does: if the request succeeds, all changes were made; if it fails, none were."
   I have not done anything to implement this specifically because I don't see
   a reason.

[jvrao@linux.vnet.ibm.com: Parts of code for handling chown(-1,-1)
Signed-off-by: NSripathi Kodi <sripathik@in.ibm.com>
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

    Current code resets file's atime to 0 when there is a change in mtime.
    This results in resetting the atime to "1970-01-01 05:30:00". For
    example, truncate -s 0 filename results in changing the mtime to the
    truncate time, but resets the atime to "1970-01-01 05:30:00". utime
    system call does not have any provision to set only mtime or atime. So
    change v9fs_wstat_post_chmod function to use utimensat function to change
    the atime and mtime fields. If tv_nsec field is set to the special value
    "UTIME_OMIT", corresponding file time stamp is not updated.
Signed-off-by: NM. Mohan Kumar <mohan@in.ibm.com>
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

Implement statfs support in qemu server based on Sripathi's
initial statfs patch.
Signed-off-by: NM. Mohan Kumar <mohan@in.ibm.com>
Signed-off-by: NSripathi Kodi <sripathik@in.ibm.com>
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

Found with this Coccinelle semantic patch:
@@
expression E;
identifier ptr;
identifier fn ~= "qemu_strn?dup";
@@

-ptr = fn(E);
-if (ptr == NULL) { ... }
-
+ptr = fn(E);
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>