1. 11 Dec, 2018 1 commit
  2. 03 Dec, 2018 2 commits
  3. 15 Oct, 2018 3 commits
    • Dan Schatzberg's avatar
      fuse: enable caching of symlinks · 5571f1e6
      Dan Schatzberg authored
      FUSE file reads are cached in the page cache, but symlink reads are
      not. This patch enables FUSE READLINK operations to be cached which
      can improve performance of some FUSE workloads.
      In particular, I'm working on a FUSE filesystem for access to source
      code and discovered that about a 10% improvement to build times is
      achieved with this patch (there are a lot of symlinks in the source
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Miklos Szeredi's avatar
      fuse: don't need GETATTR after every READ · 802dc049
      Miklos Szeredi authored
      If 'auto_inval_data' mode is active, then fuse_file_read_iter() will call
      fuse_update_attributes(), which will check the attribute validity and send
      a GETATTR request if some of the attributes are no longer valid.  The page
      cache is then invalidated if the size or mtime have changed.
      Then, if a READ request was sent and reply received (which is the case if
      the data wasn't cached yet, or if the file is opened for O_DIRECT), the
      atime attribute is invalidated.
      This will result in the next read() also triggering a GETATTR, ...
      This can be fixed by only sending GETATTR if the mode or size are invalid,
      we don't need to do a refresh if only atime is invalid.
      More generally, none of the callers of fuse_update_attributes() need an
      up-to-date atime value, so for now just remove STATX_ATIME from the request
      mask when attributes are updated for internal use.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Miklos Szeredi's avatar
      fuse: allow fine grained attr cache invaldation · 2f1e8196
      Miklos Szeredi authored
      This patch adds the infrastructure for more fine grained attribute
      invalidation.  Currently only 'atime' is invalidated separately.
      The use of this infrastructure is extended to the statx(2) interface, which
      for now means that if only 'atime' is invalid and STATX_ATIME is not
      specified in the mask argument, then no GETATTR request will be generated.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
  4. 01 Oct, 2018 2 commits
  5. 28 Sep, 2018 1 commit
  6. 02 Aug, 2018 1 commit
    • Al Viro's avatar
      kill d_instantiate_no_diralias() · c971e6a0
      Al Viro authored
      The only user is fuse_create_new_entry(), and there it's used to
      mitigate the same mkdir/open-by-handle race as in nfs_mkdir().
      The same solution applies - unhash the mkdir argument, then
      call d_splice_alias() and if that returns a reference to preexisting
      alias, dput() and report success.  ->mkdir() argument left unhashed
      negative with the preexisting alias moved in the right place is just
      fine from the ->mkdir() callers point of view.
      Cc: Miklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  7. 26 Jul, 2018 1 commit
  8. 12 Jul, 2018 4 commits
  9. 20 Mar, 2018 5 commits
    • Miklos Szeredi's avatar
      fuse: honor AT_STATX_FORCE_SYNC · bf5c1898
      Miklos Szeredi authored
      Force a refresh of attributes from the fuse server in this case.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Miklos Szeredi's avatar
      fuse: honor AT_STATX_DONT_SYNC · ff1b89f3
      Miklos Szeredi authored
      The description of this flag says "Don't sync attributes with the server".
      In other words: always use the attributes cached in the kernel and don't
      send network or local messages to refresh the attributes.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Seth Forshee's avatar
      fuse: Restrict allow_other to the superblock's namespace or a descendant · 73f03c2b
      Seth Forshee authored
      Unprivileged users are normally restricted from mounting with the
      allow_other option by system policy, but this could be bypassed for a mount
      done with user namespace root permissions. In such cases allow_other should
      not allow users outside the userns to access the mount as doing so would
      give the unprivileged user the ability to manipulate processes it would
      otherwise be unable to manipulate. Restrict allow_other to apply to users
      in the same userns used at mount or a descendant of that namespace. Also
      export current_in_userns() for use by fuse when built as a module.
      Reviewed-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      Signed-off-by: default avatarDongsu Park <dongsu@kinvolk.io>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Eric W. Biederman's avatar
      fuse: Support fuse filesystems outside of init_user_ns · 8cb08329
      Eric W. Biederman authored
      In order to support mounts from namespaces other than init_user_ns, fuse
      must translate uids and gids to/from the userns of the process servicing
      requests on /dev/fuse. This patch does that, with a couple of restrictions
      on the namespace:
       - The userns for the fuse connection is fixed to the namespace
         from which /dev/fuse is opened.
       - The namespace must be the same as s_user_ns.
      These restrictions simplify the implementation by avoiding the need to pass
      around userns references and by allowing fuse to rely on the checks in
      setattr_prepare for ownership changes.  Either restriction could be relaxed
      in the future if needed.
      For cuse the userns used is the opener of /dev/cuse.  Semantically the cuse
      support does not appear safe for unprivileged users.  Practically the
      permissions on /dev/cuse only make it accessible to the global root user.
      If something slips through the cracks in a user namespace the only users
      who will be able to use the cuse device are those users mapped into the
      user namespace.
      Translation in the posix acl is updated to use the uuser namespace of the
      filesystem.  Avoiding cases which might bypass this translation is handled
      in a following change.
      This change is stronlgy based on a similar change from Seth Forshee and
      Dongsu Park.
      Cc: Seth Forshee <seth.forshee@canonical.com>
      Cc: Dongsu Park <dongsu@kinvolk.io>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Miklos Szeredi's avatar
      fuse: atomic_o_trunc should truncate pagecache · df0e91d4
      Miklos Szeredi authored
      Fuse has an "atomic_o_trunc" mode, where userspace filesystem uses the
      O_TRUNC flag in the OPEN request to truncate the file atomically with the
      In this mode there's no need to send a SETATTR request to userspace after
      the open, so fuse_do_setattr() checks this mode and returns.  But this
      misses the important step of truncating the pagecache.
      Add the missing parts of truncation to the ATTR_OPEN branch.
      Reported-by: default avatarChad Austin <chadaustin@fb.com>
      Fixes: 6ff958ed
       ("fuse: add atomic open+truncate support")
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Cc: <stable@vger.kernel.org>
  10. 25 Oct, 2017 1 commit
  11. 12 Sep, 2017 1 commit
  12. 03 Mar, 2017 1 commit
    • David Howells's avatar
      statx: Add a system call to make enhanced file info available · a528d35e
      David Howells authored
      Add a system call to make extended file information available, including
      file creation and some attribute flags where available through the
      underlying filesystem.
      The getattr inode operation is altered to take two additional arguments: a
      u32 request_mask and an unsigned int flags that indicate the
      synchronisation mode.  This change is propagated to the vfs_getattr*()
      Functions like vfs_stat() are now inline wrappers around new functions
      vfs_statx() and vfs_statx_fd() to reduce stack usage.
      The idea was initially proposed as a set of xattrs that could be retrieved
      with getxattr(), but the general preference proved to be for a new syscall
      with an extended stat structure.
      A number of requests were gathered for features to be included.  The
      following have been included:
       (1) Make the fields a consistent size on all arches and make them large.
       (2) Spare space, request flags and information flags are provided for
           future expansion.
       (3) Better support for the y2038 problem [Arnd Bergmann] (tv_sec is an
       (4) Creation time: The SMB protocol carries the creation time, which could
           be exported by Samba, which will in turn help CIFS make use of
           FS-Cache as that can be used for coherency data (stx_btime).
           This is also specified in NFSv4 as a recommended attribute and could
           be exported by NFSD [Steve French].
       (5) Lightweight stat: Ask for just those details of interest, and allow a
           netfs (such as NFS) to approximate anything not of interest, possibly
           without going to the server [Trond Myklebust, Ulrich Drepper, Andreas
           Dilger] (AT_STATX_DONT_SYNC).
       (6) Heavyweight stat: Force a netfs to go to the server, even if it thinks
           its cached attributes are up to date [Trond Myklebust]
      And the following have been left out for future extension:
       (7) Data version number: Could be used by userspace NFS servers [Aneesh
           Can also be used to modify fill_post_wcc() in NFSD which retrieves
           i_version directly, but has just called vfs_getattr().  It could get
           it from the kstat struct if it used vfs_xgetattr() instead.
           (There's disagreement on the exact semantics of a single field, since
           not all filesystems do this the same way).
       (8) BSD stat compatibility: Including more fields from the BSD stat such
           as creation time (st_btime) and inode generation number (st_gen)
           [Jeremy Allison, Bernd Schubert].
       (9) Inode generation number: Useful for FUSE and userspace NFS servers
           [Bernd Schubert].
           (This was asked for but later deemed unnecessary with the
           open-by-handle capability available and caused disagreement as to
           whether it's a security hole or not).
      (10) Extra coherency data may be useful in making backups [Andreas Dilger].
           (No particular data were offered, but things like last backup
           timestamp, the data version number and the DOS archive bit would come
           into this category).
      (11) Allow the filesystem to indicate what it can/cannot provide: A
           filesystem can now say it doesn't support a standard stat feature if
           that isn't available, so if, for instance, inode numbers or UIDs don't
           exist or are fabricated locally...
           (This requires a separate system call - I have an fsinfo() call idea
           for this).
      (12) Store a 16-byte volume ID in the superblock that can be returned in
           struct xstat [Steve French].
           (Deferred to fsinfo).
      (13) Include granularity fields in the time data to indicate the
           granularity of each of the times (NFSv4 time_delta) [Steve French].
           (Deferred to fsinfo).
      (14) FS_IOC_GETFLAGS value.  These could be translated to BSD's st_flags.
           Note that the Linux IOC flags are a mess and filesystems such as Ext4
           define flags that aren't in linux/fs.h, so translation in the kernel
           may be a necessity (or, possibly, we provide the filesystem type too).
           (Some attributes are made available in stx_attributes, but the general
           feeling was that the IOC flags were to ext[234]-specific and shouldn't
           be exposed through statx this way).
      (15) Mask of features available on file (eg: ACLs, seclabel) [Brad Boyer,
           Michael Kerrisk].
           (Deferred, probably to fsinfo.  Finding out if there's an ACL or
           seclabal might require extra filesystem operations).
      (16) Femtosecond-resolution timestamps [Dave Chinner].
           (A __reserved field has been left in the statx_timestamp struct for
           this - if there proves to be a need).
      (17) A set multiple attributes syscall to go with this.
      The new system call is:
      	int ret = statx(int dfd,
      			const char *filename,
      			unsigned int flags,
      			unsigned int mask,
      			struct statx *buffer);
      The dfd, filename and flags parameters indicate the file to query, in a
      similar way to fstatat().  There is no equivalent of lstat() as that can be
      emulated with statx() by passing AT_SYMLINK_NOFOLLOW in flags.  There is
      also no equivalent of fstat() as that can be emulated by passing a NULL
      filename to statx() with the fd of interest in dfd.
      Whether or not statx() synchronises the attributes with the backing store
      can be controlled by OR'ing a value into the flags argument (this typically
      only affects network filesystems):
       (1) AT_STATX_SYNC_AS_STAT tells statx() to behave as stat() does in this
       (2) AT_STATX_FORCE_SYNC will require a network filesystem to synchronise
           its attributes with the server - which might require data writeback to
           occur to get the timestamps correct.
       (3) AT_STATX_DONT_SYNC will suppress synchronisation with the server in a
           network filesystem.  The resulting values should be considered
      mask is a bitmask indicating the fields in struct statx that are of
      interest to the caller.  The user should set this to STATX_BASIC_STATS to
      get the basic set returned by stat().  It should be noted that asking for
      more information may entail extra I/O operations.
      buffer points to the destination for the data.  This must be 256 bytes in
      The following structures are defined in which to return the main attribute
      	struct statx_timestamp {
      		__s64	tv_sec;
      		__s32	tv_nsec;
      		__s32	__reserved;
      	struct statx {
      		__u32	stx_mask;
      		__u32	stx_blksize;
      		__u64	stx_attributes;
      		__u32	stx_nlink;
      		__u32	stx_uid;
      		__u32	stx_gid;
      		__u16	stx_mode;
      		__u16	__spare0[1];
      		__u64	stx_ino;
      		__u64	stx_size;
      		__u64	stx_blocks;
      		__u64	__spare1[1];
      		struct statx_timestamp	stx_atime;
      		struct statx_timestamp	stx_btime;
      		struct statx_timestamp	stx_ctime;
      		struct statx_timestamp	stx_mtime;
      		__u32	stx_rdev_major;
      		__u32	stx_rdev_minor;
      		__u32	stx_dev_major;
      		__u32	stx_dev_minor;
      		__u64	__spare2[14];
      The defined bits in request_mask and stx_mask are:
      	STATX_TYPE		Want/got stx_mode & S_IFMT
      	STATX_MODE		Want/got stx_mode & ~S_IFMT
      	STATX_NLINK		Want/got stx_nlink
      	STATX_UID		Want/got stx_uid
      	STATX_GID		Want/got stx_gid
      	STATX_ATIME		Want/got stx_atime{,_ns}
      	STATX_MTIME		Want/got stx_mtime{,_ns}
      	STATX_CTIME		Want/got stx_ctime{,_ns}
      	STATX_INO		Want/got stx_ino
      	STATX_SIZE		Want/got stx_size
      	STATX_BLOCKS		Want/got stx_blocks
      	STATX_BASIC_STATS	[The stuff in the normal stat struct]
      	STATX_BTIME		Want/got stx_btime{,_ns}
      	STATX_ALL		[All currently available stuff]
      stx_btime is the file creation time, stx_mask is a bitmask indicating the
      data provided and __spares*[] are where as-yet undefined fields can be
      Time fields are structures with separate seconds and nanoseconds fields
      plus a reserved field in case we want to add even finer resolution.  Note
      that times will be negative if before 1970; in such a case, the nanosecond
      fields will also be negative if not zero.
      The bits defined in the stx_attributes field convey information about a
      file, how it is accessed, where it is and what it does.  The following
      attributes map to FS_*_FL flags and are the same numerical value:
      	STATX_ATTR_COMPRESSED		File is compressed by the fs
      	STATX_ATTR_IMMUTABLE		File is marked immutable
      	STATX_ATTR_APPEND		File is append-only
      	STATX_ATTR_NODUMP		File is not to be dumped
      	STATX_ATTR_ENCRYPTED		File requires key to decrypt in fs
      Within the kernel, the supported flags are listed by:
      [Are any other IOC flags of sufficient general interest to be exposed
      through this interface?]
      New flags include:
      	STATX_ATTR_AUTOMOUNT		Object is an automount trigger
      These are for the use of GUI tools that might want to mark files specially,
      depending on what they are.
      Fields in struct statx come in a number of classes:
       (0) stx_dev_*, stx_blksize.
           These are local system information and are always available.
       (1) stx_mode, stx_nlinks, stx_uid, stx_gid, stx_[amc]time, stx_ino,
           stx_size, stx_blocks.
           These will be returned whether the caller asks for them or not.  The
           corresponding bits in stx_mask will be set to indicate whether they
           actually have valid values.
           If the caller didn't ask for them, then they may be approximated.  For
           example, NFS won't waste any time updating them from the server,
           unless as a byproduct of updating something requested.
           If the values don't actually exist for the underlying object (such as
           UID or GID on a DOS file), then the bit won't be set in the stx_mask,
           even if the caller asked for the value.  In such a case, the returned
           value will be a fabrication.
           Note that there are instances where the type might not be valid, for
           instance Windows reparse points.
       (2) stx_rdev_*.
           This will be set only if stx_mode indicates we're looking at a
           blockdev or a chardev, otherwise will be 0.
       (3) stx_btime.
           Similar to (1), except this will be set to 0 if it doesn't exist.
      The following test program can be used to test the statx system call:
      Just compile and run, passing it paths to the files you want to examine.
      The file is built automatically if CONFIG_SAMPLES is enabled.
      Here's some example output.  Firstly, an NFS directory that crosses to
      another FSID.  Note that the AUTOMOUNT attribute is set because transiting
      this directory will cause d_automount to be invoked by the VFS.
      	[root@andromeda ~]# /tmp/test-statx -A /warthog/data
      	statx(/warthog/data) = 0
      	  Size: 4096            Blocks: 8          IO Block: 1048576  directory
      	Device: 00:26           Inode: 1703937     Links: 125
      	Access: (3777/drwxrwxrwx)  Uid:     0   Gid:  4041
      	Access: 2016-11-24 09:02:12.219699527+0000
      	Modify: 2016-11-17 10:44:36.225653653+0000
      	Change: 2016-11-17 10:44:36.225653653+0000
      	Attributes: 0000000000001000 (-------- -------- -------- -------- -------- -------- ---m---- --------)
      Secondly, the result of automounting on that directory.
      	[root@andromeda ~]# /tmp/test-statx /warthog/data
      	statx(/warthog/data) = 0
      	  Size: 4096            Blocks: 8          IO Block: 1048576  directory
      	Device: 00:27           Inode: 2           Links: 125
      	Access: (3777/drwxrwxrwx)  Uid:     0   Gid:  4041
      	Access: 2016-11-24 09:02:12.219699527+0000
      	Modify: 2016-11-17 10:44:36.225653653+0000
      	Change: 2016-11-17 10:44:36.225653653+0000
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  13. 22 Feb, 2017 1 commit
  14. 13 Jan, 2017 1 commit
  15. 09 Dec, 2016 1 commit
  16. 06 Dec, 2016 1 commit
    • Miklos Szeredi's avatar
      fuse: fix clearing suid, sgid for chown() · c01638f5
      Miklos Szeredi authored
      Basically, the pjdfstests set the ownership of a file to 06555, and then
      chowns it (as root) to a new uid/gid. Prior to commit a09f99ed
      fix killing s[ug]id in setattr"), fuse would send down a setattr with both
      the uid/gid change and a new mode.  Now, it just sends down the uid/gid
      Technically this is NOTABUG, since POSIX doesn't _require_ that we clear
      these bits for a privileged process, but Linux (wisely) has done that and I
      think we don't want to change that behavior here.
      This is caused by the use of should_remove_suid(), which will always return
      0 when the process has CAP_FSETID.
      In fact we really don't need to be calling should_remove_suid() at all,
      since we've already been indicated that we should remove the suid, we just
      don't want to use a (very) stale mode for that.
      This patch should fix the above as well as simplify the logic.
      Reported-by: Jeff Layton <jlayton@redhat.com> 
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Fixes: a09f99ed
       ("fuse: fix killing s[ug]id in setattr")
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
  17. 18 Oct, 2016 1 commit
  18. 08 Oct, 2016 1 commit
  19. 01 Oct, 2016 9 commits
    • Seth Forshee's avatar
      fuse: Use generic xattr ops · 703c7362
      Seth Forshee authored
      In preparation for posix acl support, rework fuse to use xattr handlers and
      the generic setxattr/getxattr/listxattr callbacks.  Split the xattr code
      out into it's own file, and promote symbols to module-global scope as
      Functionally these changes have no impact, as fuse still uses a single
      handler for all xattrs which uses the old callbacks.
      Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Miklos Szeredi's avatar
      fuse: get rid of fc->flags · 29433a29
      Miklos Szeredi authored
      Only two flags: "default_permissions" and "allow_other".  All other flags
      are handled via bitfields.  So convert these two as well.  They don't
      change during the lifetime of the filesystem, so this is quite safe.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Miklos Szeredi's avatar
      fuse: listxattr: verify xattr list · cb3ae6d2
      Miklos Szeredi authored
      Make sure userspace filesystem is returning a well formed list of xattr
      names (zero or more nonzero length, null terminated strings).
      [Michael Theall: only verify in the nonzero size case]
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Cc: <stable@vger.kernel.org>
    • Miklos Szeredi's avatar
      fuse: use timespec64 · bcb6f6d2
      Miklos Szeredi authored
      And check for valid nsec value before passing into timespec64_to_jiffies().
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Miklos Szeredi's avatar
      fuse: don't use ->d_time · f75fdf22
      Miklos Szeredi authored
      Store in memory pointed to by ->d_fsdata.  Use ->d_init() to allocate the
      storage.  Need to use RCU freeing because the data is used in RCU lookup
      We could cast ->d_fsdata directly on 64bit archs, but I don't think this is
      worth the extra complexity.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Seth Forshee's avatar
      fuse: Add posix ACL support · 60bcc88a
      Seth Forshee authored
      Add a new INIT flag, FUSE_POSIX_ACL, for negotiating ACL support with
      userspace.  When it is set in the INIT response, ACL support will be
      enabled.  ACL support also implies "default_permissions".
      When ACL support is enabled, the kernel will cache and have responsibility
      for enforcing ACLs.  ACL xattrs will be passed to userspace, which is
      responsible for updating the ACLs in the filesystem, keeping the file mode
      in sync, and inheritance of default ACLs when new filesystem nodes are
      Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Miklos Szeredi's avatar
      fuse: handle killpriv in userspace fs · 5e940c1d
      Miklos Szeredi authored
      Only userspace filesystem can do the killing of suid/sgid without races.
      So introduce an INIT flag and negotiate support for this.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    • Miklos Szeredi's avatar
      fuse: fix killing s[ug]id in setattr · a09f99ed
      Miklos Szeredi authored
      Fuse allowed VFS to set mode in setattr in order to clear suid/sgid on
      chown and truncate, and (since writeback_cache) write.  The problem with
      this is that it'll potentially restore a stale mode.
      The poper fix would be to let the filesystems do the suid/sgid clearing on
      the relevant operations.  Possibly some are already doing it but there's no
      way we can detect this.
      So fix this by refreshing and recalculating the mode.  Do this only if
      ATTR_KILL_S[UG]ID is set to not destroy performance for writes.  This is
      still racy but the size of the window is reduced.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Cc: <stable@vger.kernel.org>
    • Miklos Szeredi's avatar
      fuse: invalidate dir dentry after chmod · 5e2b8828
      Miklos Szeredi authored
      Without "default_permissions" the userspace filesystem's lookup operation
      needs to perform the check for search permission on the directory.
      If directory does not allow search for everyone (this is quite rare) then
      userspace filesystem has to set entry timeout to zero to make sure
      permissions are always performed.
      Changing the mode bits of the directory should also invalidate the
      (previously cached) dentry to make sure the next lookup will have a chance
      of updating the timeout, if needed.
      Reported-by: default avatarJean-Pierre André <jean-pierre.andre@wanadoo.fr>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Cc: <stable@vger.kernel.org>
  20. 28 Sep, 2016 1 commit
  21. 27 Sep, 2016 1 commit