qemu-gpiodev/libfuse.git
6 years ago Travis CI: Use Xenial instead of Trusty.
Nikolaus Rath [Wed, 27 Feb 2019 21:06:38 +0000 (21:06 +0000)]
Travis CI: Use Xenial instead of Trusty.

6 years ago hello_ll: Fix null pointer dereference (#363)
Forty-Bot [Mon, 25 Feb 2019 21:06:42 +0000 (16:06 -0500)]
hello_ll: Fix null pointer dereference (#363)

If hello_ll is invoked without a mountpoint, it will try to call
fuse_session_mount anyway with the NULL mountpoint (which then causes a
segfault). Print out a short help message instead (taken from
passthrough_ll.c).

6 years ago fuse_free_buf(): to check flags of each buffer, rather than only 0th
Albert Chen [Wed, 13 Feb 2019 09:42:15 +0000 (01:42 -0800)]
fuse_free_buf(): to check flags of each buffer, rather than only 0th

Fixes: #360

6 years ago passthrough_ll: lo_create() should honor CACHE_NEVER (#345)
Miklos Szeredi [Tue, 22 Jan 2019 20:03:00 +0000 (21:03 +0100)]
passthrough_ll: lo_create() should honor CACHE_NEVER (#345)

lo_create() did not honour CACHE_NEVER in lo_create(), which has an effect
on how I/O is performed after the open.

The value of CACHE_ALWAYS, which results in setting fi->keep_cache, only
has an effect for the state of the cache at open, and since the file was
just created the cache is always empty.  Hence setting this doesn't have an
effect on lo_create(), but keep it for symmetry with lo_open().

6 years ago Clarify documentation of fuse_lowlevel_inval_inode
Nikolaus Rath [Mon, 21 Jan 2019 20:10:10 +0000 (20:10 +0000)]
Clarify documentation of fuse_lowlevel_inval_inode

Fixes: #341.

6 years ago Add support for building under DragonFly BSD
Tomohiro Kusumi [Mon, 14 Jan 2019 20:28:41 +0000 (05:28 +0900)]
Add support for building under DragonFly BSD

70e25ea74e("Fix build on non-Linux") broke build on DragonFly BSD,
or likely anything other than FreeBSD and NetBSD that is not Linux.

Signed-off-by: Tomohiro Kusumi <kusumi.tomohiro@gmail.com>

6 years ago Added OpenAFS to type whitelist
Nikolaus Rath [Fri, 4 Jan 2019 13:33:01 +0000 (13:33 +0000)]
Added OpenAFS to type whitelist

Fixes: #336.

6 years ago Fixed memory leak.
Nikolaus Rath [Sat, 29 Dec 2018 14:52:42 +0000 (14:52 +0000)]
Fixed memory leak.

Fixes: #338.

6 years ago Added missing date to Changelog.
Nikolaus Rath [Sat, 22 Dec 2018 14:48:37 +0000 (14:48 +0000)]
Added missing date to Changelog.

6 years ago Released 3.4.1
Nikolaus Rath [Sat, 22 Dec 2018 14:45:30 +0000 (14:45 +0000)]
Released 3.4.1

6 years ago fix memory leak in print_module_help method
alex [Thu, 20 Dec 2018 17:32:10 +0000 (18:32 +0100)]
fix memory leak in print_module_help method

6 years ago Fix fd/inode leak
Nikolaus Rath [Tue, 27 Nov 2018 20:58:36 +0000 (20:58 +0000)]
Fix fd/inode leak

If do_readdir() calls do_lookup(), but the latter fails, we still have
to return any entries that we already stored in the readdir buffer to
avoid leaking inodes.

do_lookup() may fail if e.g. we reach the file descriptor limit.

6 years ago Avoid needless telldir() call.
Nikolaus Rath [Sat, 24 Nov 2018 20:27:12 +0000 (20:27 +0000)]
Avoid needless telldir() call.

6 years ago Fixed lookup-count leak in do_readdir().
Nikolaus Rath [Sat, 24 Nov 2018 20:24:10 +0000 (20:24 +0000)]
Fixed lookup-count leak in do_readdir().

6 years ago Added testcase for "big" readdir.
Nikolaus Rath [Sat, 24 Nov 2018 20:24:45 +0000 (20:24 +0000)]
Added testcase for "big" readdir.

6 years ago Don't segfault when called with -h.
Nikolaus Rath [Fri, 23 Nov 2018 17:12:43 +0000 (17:12 +0000)]
Don't segfault when called with -h.

Fixes: #327

6 years ago Added .ackrc
Nikolaus Rath [Sun, 18 Nov 2018 17:11:30 +0000 (17:11 +0000)]
Added .ackrc

6 years ago Kill filesystem process on test cleanup.
Nikolaus Rath [Sun, 18 Nov 2018 17:11:13 +0000 (17:11 +0000)]
Kill filesystem process on test cleanup.

6 years ago tests: add copy_file_range() to the syscall tests
Niels de Vos [Tue, 26 Jun 2018 19:40:43 +0000 (21:40 +0200)]
tests: add copy_file_range() to the syscall tests

6 years ago examples: add copy_file_range() support to passthrough(_fh)
Niels de Vos [Tue, 26 Jun 2018 19:40:21 +0000 (21:40 +0200)]
examples: add copy_file_range() support to passthrough(_fh)

The passthrough example filesystem can be used for validating the API
and the implementation in the FUSE kernel module.

6 years ago libfuse: add copy_file_range() support
Niels de Vos [Mon, 18 Jun 2018 17:31:43 +0000 (19:31 +0200)]
libfuse: add copy_file_range() support

Add support for the relatively new copy_file_range() syscall. Backend
filesystems can now implement an efficient way of cloning/duplicating
data ranges within files. See 'man 2 copy_file_range' for more details.

6 years ago Update kernel API headers
Niels de Vos [Mon, 18 Jun 2018 11:41:07 +0000 (13:41 +0200)]
Update kernel API headers

Taken from Linux kernel commit 3b7008b226f3.

6 years ago Fix mounting on FreeBSD
Roman Bogorodskiy [Sun, 11 Nov 2018 10:46:14 +0000 (14:46 +0400)]
Fix mounting on FreeBSD

Currently, mounting on FreeBSD fails like this:

 mount_fusefs: ZZZZ<snip> on /mountpoint: No such file or directory

This happens because right after doing argv[a++] = fdnam it's
getting freed before calling execvp().

So move this free() call after execvp(). Also, when asprintf()
fails for fdnam, close device fd before calling exit().

6 years ago Fix build on non-Linux
Roman Bogorodskiy [Sun, 11 Nov 2018 14:31:15 +0000 (18:31 +0400)]
Fix build on non-Linux

 * Update meson.build to add mount_util.c to libfuse_sources
   unconditionally, it's non Linux-only
 * FreeBSD, like NetBSD, doesn't have mntent.h, so don't include
   that and define IGNORE_MTAB for both
 * FreeBSD, like NetBSD, has no umount2() sysctl, so similarly define
   it to unmount()

6 years ago Don't crash if mountpoint is not specified.
Nikolaus Rath [Fri, 9 Nov 2018 10:45:27 +0000 (10:45 +0000)]
Don't crash if mountpoint is not specified.

Fixes: #319.

6 years ago Released 3.3.0 (tag: fuse-3.3.0)
Nikolaus Rath [Tue, 6 Nov 2018 18:57:47 +0000 (18:57 +0000)]
Released 3.3.0

6 years ago Update CI build script
Nikolaus Rath [Tue, 6 Nov 2018 18:54:06 +0000 (18:54 +0000)]
Update CI build script

There is no gcc-6 package anymore.

6 years ago Revert "Do not include struct fuse_buf in struct fuse_worker"
Nikolaus Rath [Tue, 6 Nov 2018 18:52:15 +0000 (18:52 +0000)]
Revert "Do not include struct fuse_buf in struct fuse_worker"

This reverts commit 161983e2416bc6e26bbbe89664fff62c48c70858,
because this causes resource leaks when threads are terminated
by pthread_cancel().

Fixes: #313.

6 years ago Avoid double unmount on normal unmount in auto_unmount mode.
Kevin Vigor [Tue, 16 Oct 2018 23:23:07 +0000 (17:23 -0600)]
Avoid double unmount on normal unmount in auto_unmount mode.

If a fuse filesystem was mounted in auto_unmount mode on top of an
already mounted filesystem, we would end up doing a double-unmount
when the fuse filesystem was unmounted properly.

Make the auto_unmount code less eager: unmount only if the mounted
filesystem has proper type and is returning 'Transport endpoint not
connected'.

6 years ago Document when `fuse_lowlevel_notify_*` functions may block.
Nikolaus Rath [Tue, 6 Nov 2018 18:41:58 +0000 (18:41 +0000)]
Document when `fuse_lowlevel_notify_*` functions may block.

7 years ago Add SpectrumScale/GPFS and Lustre to FS whitelist
Valentin Plugaru [Fri, 19 Oct 2018 21:19:28 +0000 (23:19 +0200)]
Add SpectrumScale/GPFS and Lustre to FS whitelist

Fixes: #304
Signed-off-by: Valentin Plugaru <valentin.plugaru@uni.lu>

7 years ago Do not fail "ninja test" when running as subproject
Ahmed Masud [Fri, 19 Oct 2018 21:17:48 +0000 (17:17 -0400)]
Do not fail "ninja test" when running as subproject

7 years ago Bump minimum Meson version
Nikolaus Rath [Tue, 16 Oct 2018 13:06:19 +0000 (06:06 -0700)]
Bump minimum Meson version

According to user reports (https://github.com/libfuse/libfuse/pull/300),
we need at least version 0.42.

7 years ago Clarified licensing terms.
Nikolaus Rath [Thu, 11 Oct 2018 07:52:31 +0000 (08:52 +0100)]
Clarified licensing terms.

Fixes: #213.

7 years ago Enable more tests for passthrough_ll
Nikolaus Rath [Mon, 1 Oct 2018 10:10:36 +0000 (11:10 +0100)]
Enable more tests for passthrough_ll

7 years ago passthrough_ll: initialize unused memory
Miklos Szeredi [Wed, 15 Aug 2018 08:36:31 +0000 (10:36 +0200)]
passthrough_ll: initialize unused memory

For '.' and '..' entries only the file type in e.attr.st_mode and the inode
number in e.attr.st_ino are used.  But it's prudent to at least initialize
the other fields of struct fuse_entry_param as well, instead of using
random values from the stack.

7 years ago passthrough_ll: allow configuring caching
Miklos Szeredi [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: allow configuring caching

Caching can be controlled with the following options:

 "cache=never": disable caching
 "cache=normal": enable caching but also refresh after the timeout
 "cache=always": never refresh cache

The timeout can be controlled with the "timeout=SEC" option, where SEC is
the number of seconds and can be an arbitrary non-negative floating point
number.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: add *xattr() operations
Miklos Szeredi [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: add *xattr() operations

The extended attribute functionality is enabled with the "xattr" option
(default) and disabled with the "no_xatt" option.

New operations added:

 - getxattr
 - listxattr
 - setxattr
 - removexattr

Caveat: none of these operations will work on a symbolic link, because it's
difficult to implement that without races that can result in incorrect
operation.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: add flock()
Miklos Szeredi [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: add flock()

Conditionally enable flock() locking on underlying filesystem, based on the
flock/no_flock options.  Default is "no_flock", meaning locking will be
local to the fuse filesystem and won't be propagated to the filesystem
passed through.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: whitespace cleanup
Miklos Szeredi [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: whitespace cleanup

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: add forget_multi()
Vivek Goyal [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: add forget_multi()

Add method forget_multi() to forget multiple inodes in a single message.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: add source option
Vivek Goyal [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: add source option

Right now, passthrough_ll will use "/" as source directory for passthrough.
We need more flexibility where user can specify path of directory to be
passed through.  Hence add an option "source=<source-dir>".

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: add some of the missing operations
Miklos Szeredi [Tue, 19 Jun 2018 18:33:21 +0000 (14:33 -0400)]
passthrough_ll: add some of the missing operations

New operations added:

 - mkdir
 - mknod
 - symlink
 - link
 - unlink
 - rmdir
 - rename
 - setattr
 - fsyncdir
 - flush
 - fsync
 - statfs
 - fallocate

Caveats:

 - The utimes(2) family of syscalls will fail on symlinks on 4.18 and
   earlier kernels.  Hoping to add support to later kernels.

 - The link(2) and linkat(2) system calls will fail on symlinks unless running
   with privileges (CAP_DAC_READ_SEARCH).

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: add is_symlink to lo_inode
Miklos Szeredi [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: add is_symlink to lo_inode

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: set umask at startup
Miklos Szeredi [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: set umask at startup

Like all the other passthrough examples.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: fix refcount for "." and ".." entries
Miklos Szeredi [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: fix refcount for "." and ".." entries

Kernel is not expecting an elevated lookup count for the "." and ".."
entries when doing READDIRPLUS.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago passthrough_ll: add locking to inode cache
Miklos Szeredi [Tue, 14 Aug 2018 19:37:02 +0000 (21:37 +0200)]
passthrough_ll: add locking to inode cache

Otherwise it may crash when running multithreaded.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

7 years ago Add unprivileged option in `mount.fuse3`
Mattias Nissler [Fri, 31 Aug 2018 07:44:04 +0000 (09:44 +0200)]
Add unprivileged option in `mount.fuse3`

The unprivileged option allows to run the FUSE file system process
without privileges by dropping capabilities and preventing them from
being re-acquired via setuid / fscaps etc. To accomplish this,
mount.fuse sets up the `/dev/fuse` file descriptor and mount itself
and passes the file descriptor via the `/dev/fd/%u` mountpoint syntax
to the FUSE file system.

7 years ago Allow passing `/dev/fuse` file descriptor from parent process
Mattias Nissler [Mon, 27 Aug 2018 13:17:57 +0000 (15:17 +0200)]
Allow passing `/dev/fuse` file descriptor from parent process

This adds support for a mode of operation in which a privileged parent
process opens `/dev/fuse` and takes care of mounting. The FUSE file
system daemon can then run as an unprivileged child that merely
processes requests on the FUSE file descriptor, which get passed using
the special `/dev/fd/%u` syntax for the mountpoint parameter.

The main benefit is that no privileged operations need to be performed
by the FUSE file system daemon itself directly or indirectly, so the
FUSE process can run fully unprivileged and mechanisms like
securebits and no_new_privs can be used to prevent subprocesses from
re-acquiring privilege via setuid, fscaps, etc. This reduces risk in
case the FUSE file system gets exploited by malicious file system
data.

Below is an example that illustrates this. Note that I'm using shell
for presentation purposes, the expectation is that the parent process
will implement the equivalent of the `mount -i` and `capsh` commands.

```
# example/hello can mount successfully with privilege
$ sudo sh -c "LD_LIBRARY_PATH=build/lib ./example/hello /mnt/tmp"
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp

# example/hello fails to mount without privilege
$ sudo capsh --drop=all --secbits=0x2f -- -c 'LD_LIBRARY_PATH=build/lib ./example/hello -f /mnt/tmp'
fusermount3: mount failed: Operation not permitted

# Passing FUSE file descriptor via /dev/fd/%u allows example/hello to work without privilege
$ sudo sh -c '
      exec 17<>/dev/fuse
      mount -i -o nodev,nosuid,noexec,fd=17,rootmode=40000,user_id=0,group_id=0 -t fuse hello /mnt/tmp
      capsh --drop=all --secbits=0x2f -- -c "LD_LIBRARY_PATH=build/lib example/hello /dev/fd/17"
    '
$ sudo cat /mnt/tmp/hello
Hello World!
$ sudo umount /mnt/tmp
```

7 years ago Add build options for utils and examples
Martin Blanchard [Thu, 6 Sep 2018 23:07:19 +0000 (00:07 +0100)]
Add build options for utils and examples

Allow skipping utils build & installation (-Dutils=false) and examples
build (-Dexamples=false). By default behaviour is unchanged (both are
true: utils and examples get built).

7 years ago Fix unlink errno check
Scott Worley [Tue, 25 Sep 2018 23:05:16 +0000 (16:05 -0700)]
Fix unlink errno check

7 years ago Clarify what qualifies as a "related operation" for notify_inval_entry.
Nikolaus Rath [Thu, 20 Sep 2018 07:56:16 +0000 (08:56 +0100)]
Clarify what qualifies as a "related operation" for notify_inval_entry.

7 years ago Don't enable adaptive readdirplus unless fs has readdir() handler.
Nikolaus Rath [Mon, 17 Sep 2018 13:53:30 +0000 (14:53 +0100)]
Don't enable adaptive readdirplus unless fs has readdir() handler.

7 years ago Do not include struct fuse_buf in struct fuse_worker
Nikolaus Rath [Mon, 17 Sep 2018 09:45:16 +0000 (10:45 +0100)]
Do not include struct fuse_buf in struct fuse_worker

This is only used in fuse_do_work(), so we can put it on
the stack.

7 years ago Don't special-case build of mount_util.c.
Nikolaus Rath [Mon, 17 Sep 2018 09:35:50 +0000 (10:35 +0100)]
Don't special-case build of mount_util.c.

We already support out of source builds without this.

7 years ago Released 3.2.6 (tag: fuse-3.2.6)
Nikolaus Rath [Fri, 31 Aug 2018 11:48:04 +0000 (13:48 +0200)]
Released 3.2.6

7 years ago Do not hardcode /etc/fuse.conf path.
Nikolaus Rath [Fri, 31 Aug 2018 11:38:26 +0000 (13:38 +0200)]
Do not hardcode /etc/fuse.conf path.

7 years ago Updated ChangeLog with recent changes.
Nikolaus Rath [Thu, 30 Aug 2018 19:03:21 +0000 (21:03 +0200)]
Updated ChangeLog with recent changes.

7 years ago return different non-zero error codes (#290)
Oded Arbel [Wed, 29 Aug 2018 16:20:56 +0000 (19:20 +0300)]
return different non-zero error codes (#290)

Return different error codes from fuse_main()

7 years ago Fix memory leak of FUSE modules
Rostislav [Sat, 25 Aug 2018 20:50:40 +0000 (20:50 +0000)]
Fix memory leak of FUSE modules

7 years ago Fix invalid free of memory pointer in 'struct fuse_buf'
Rostislav [Sat, 25 Aug 2018 18:52:53 +0000 (18:52 +0000)]
Fix invalid free of memory pointer in 'struct fuse_buf'

7 years ago Make meson build scripts subprojects friendly
Martin Blanchard [Mon, 20 Aug 2018 19:32:10 +0000 (20:32 +0100)]
Make meson build scripts subprojects friendly

Multiple meson build scripts improvements including:
 * Bump meson requirement to 0.40.1 (0.40 already required)
 * Declare a dependency object for main library
 * Stop using add_global_arguments()
 * Various minor style fixes

7 years ago Add bcachefs to mountpoint file system whitelist
Daniel Fullmer [Thu, 9 Aug 2018 01:24:44 +0000 (21:24 -0400)]
Add bcachefs to mountpoint file system whitelist

7 years ago Add FAT to mountpoint file system whitelist
Benjamin Barenblat [Fri, 3 Aug 2018 15:22:37 +0000 (11:22 -0400)]
Add FAT to mountpoint file system whitelist

7 years ago Realphabetize and re-document mountpoint file system whitelist
Benjamin Barenblat [Fri, 3 Aug 2018 15:22:32 +0000 (11:22 -0400)]
Realphabetize and re-document mountpoint file system whitelist

7 years ago Add autofs to mountpoint file system whitelist
Robo Shimmer [Tue, 31 Jul 2018 14:20:56 +0000 (16:20 +0200)]
Add autofs to mountpoint file system whitelist

7 years ago Remove unused member of 'struct fuse_dh'
Rostislav Skudnov [Tue, 24 Jul 2018 19:56:34 +0000 (19:56 +0000)]
Remove unused member of 'struct fuse_dh'

7 years ago Released 3.2.5 (tag: fuse-3.2.5)
Nikolaus Rath [Tue, 24 Jul 2018 06:45:33 +0000 (07:45 +0100)]
Released 3.2.5

7 years ago Added ChangeLog entry for hardening patches.
Nikolaus Rath [Wed, 18 Jul 2018 19:35:46 +0000 (20:35 +0100)]
Added ChangeLog entry for hardening patches.

7 years ago test_write_cache: Use fuse_session_exit() to stop filesystem thread
Rostislav Skudnov [Mon, 23 Jul 2018 07:31:00 +0000 (07:31 +0000)]
test_write_cache: Use fuse_session_exit() to stop filesystem thread

Using fuse_session_exit() followed by fuse_session_unmount() ensures
that a proper cleanup and shutdown is performed.

7 years ago example/{hello,null}: Fix memory leaks
Rostislav Skudnov [Sat, 21 Jul 2018 21:14:19 +0000 (21:14 +0000)]
example/{hello,null}: Fix memory leaks

7 years ago test_write_cache: Fix memory leaks
Rostislav Skudnov [Sat, 21 Jul 2018 21:14:13 +0000 (21:14 +0000)]
test_write_cache: Fix memory leaks

7 years ago fusermount: Fix memory leaks
Rostislav Skudnov [Sat, 21 Jul 2018 21:14:06 +0000 (21:14 +0000)]
fusermount: Fix memory leaks

7 years ago Fix readdir() bug when a non-zero offset is specified in filler (#269)
Rostislav [Sat, 21 Jul 2018 09:57:09 +0000 (12:57 +0300)]
Fix readdir() bug when a non-zero offset is specified in filler (#269)

The bug occurs when a filesystem client reads a directory until the end,
seeks using seekdir() to some valid non-zero position and calls
readdir(). A valid 'struct dirent *' is expected, but NULL is returned
instead. Pseudocode demonstrating the bug:

    DIR *dp = opendir("some_dir");
    struct dirent *de = readdir(dp);

    /* Get offset of the second entry */
    long offset = telldir(dp);

    /* Read directory until the end */
    while (de)
        de = readdir(dp);

    seekdir(dp, offset);
    de = readdir(dp);
    /* de must contain the second entry, but NULL is returned instead */

The reason of the bug is that when the end of directory is reached, the
kernel calls FUSE_READDIR op with an offset at the end of directory, so
the filesystem's .readdir callback never calls the filler function, and
we end up with dh->filled set to 1. After seekdir(), FUSE_READDIR is
called again with a new offset, but this time the filesystem's .readdir
callback is never called, and an empty reply is returned.

Fix by setting dh->filled to 1 only when zero offsets are given to
filler function.

7 years ago fusermount: whitelist known-good filesystems for mountpoints
Jann Horn [Sat, 14 Jul 2018 11:37:41 +0000 (13:37 +0200)]
fusermount: whitelist known-good filesystems for mountpoints

Before:

$ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "fd=3,rootmode=40000,user_id=379777,group_id=5001") = 0
sending file descriptor: Socket operation on non-socket
+++ exited with 1 +++

After:

$ _FUSE_COMMFD=1 priv_strace -s8000 -e trace=mount util/fusermount3 /proc/self/fd
util/fusermount3: mounting over filesystem type 0x009fa0 is forbidden
+++ exited with 1 +++

This patch could potentially have security
impact on some systems that are configured with allow_other;
see https://launchpad.net/bugs/1530566 for an example of how a similar
issue in the ecryptfs mount helper was exploitable. However, the FUSE
mount helper performs slightly different security checks, so that exact
attack doesn't work with fusermount; I don't know of any specific attack
you could perform using this, apart from faking the SELinux context of your
process when someone's looking at a process listing. Potential targets for
overwrite are (looking on a system with a 4.9 kernel):

writable only for the current process:
/proc/self/{fd,map_files}
(Yes, "ls -l" claims that you don't have write access, but that's not true;
"find -writable" will show you what access you really have.)

writable also for other owned processes:
/proc/$pid/{sched,autogroup,comm,mem,clear_refs,attr/*,oom_adj,
oom_score_adj,loginuid,coredump_filter,uid_map,gid_map,projid_map,
setgroups,timerslack_ns}

7 years ago fusermount: refuse unknown options
Jann Horn [Sat, 14 Jul 2018 10:47:50 +0000 (03:47 -0700)]
fusermount: refuse unknown options

Blacklists are notoriously fragile; especially if the kernel wishes to add
some security-critical mount option at a later date, all existing systems
with older versions of fusermount installed will suddenly have a security
problem.
Additionally, if the kernel's option parsing became a tiny bit laxer, the
blacklist could probably be bypassed.

Whitelist known-harmless flags instead, even if it's slightly more
inconvenient.

7 years ago fusermount: bail out on transient config read failure
Jann Horn [Fri, 13 Jul 2018 22:50:50 +0000 (15:50 -0700)]
fusermount: bail out on transient config read failure

If an attacker wishes to use the default configuration instead of the
system's actual configuration, they can attempt to trigger a failure in
read_conf(). This only permits increasing mount_max if it is lower than the
default, so it's not particularly interesting. Still, this should probably
be prevented robustly; bail out if funny stuff happens when we're trying to
read the config.

Note that the classic attack trick of opening so many files that the
system-wide limit is reached won't work here - because fusermount only
drops the fsuid, not the euid, the process is running with euid=0 and
CAP_SYS_ADMIN, so it bypasses the number-of-globally-open-files check in
get_empty_filp() (unless you're inside a user namespace).

7 years ago fusermount: don't feed "escaped commas" into mount options
Jann Horn [Fri, 13 Jul 2018 22:15:36 +0000 (15:15 -0700)]
fusermount: don't feed "escaped commas" into mount options

The old code permits the following behavior:

$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)

However, backslashes do not have any special meaning for the kernel here.

As it happens, you can't abuse this because there is no FUSE mount option
that takes a string value that can contain backslashes; but this is very
brittle. Don't interpret "escape characters" in places where they don't
work.

7 years ago fusermount: prevent silent truncation of mount options
Jann Horn [Fri, 13 Jul 2018 21:51:17 +0000 (14:51 -0700)]
fusermount: prevent silent truncation of mount options

Currently, in the kernel, copy_mount_options() copies in one page of
userspace memory (or less if some of that memory area is not mapped).
do_mount() then writes a null byte to the last byte of the copied page.
This means that mount option strings longer than PAGE_SIZE-1 bytes get
truncated silently.

Therefore, this can happen:

user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4000')" mount
sending file descriptor: Bad file descriptor
user@d9-ut:~$ grep /mount /proc/mounts
/dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
user@d9-ut:~$ fusermount -u mount
user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4050')" mount
sending file descriptor: Bad file descriptor
user@d9-ut:~$ grep /mount /proc/mounts
/dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0
user@d9-ut:~$ fusermount -u mount
user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4051')" mount
sending file descriptor: Bad file descriptor
user@d9-ut:~$ grep /mount /proc/mounts
/dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=10 0 0
user@d9-ut:~$ fusermount -u mount
user@d9-ut:~$ _FUSE_COMMFD=10000 fusermount -o "$(perl -e 'print ","x4052')" mount
sending file descriptor: Bad file descriptor
user@d9-ut:~$ grep /mount /proc/mounts
/dev/fuse /home/user/mount fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1 0 0
user@d9-ut:~$ fusermount -u mount

I'm not aware of any context in which this is actually exploitable - you'd
still need the UIDs to fit, and you can't do it if the three GIDs of the
process don't match (in the case of a typical setgid binary), but it does
look like something that should be fixed.

I also plan to try to get this fixed on the kernel side.
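
The three fusermount option-handling commits above (refuse unknown options, no "escaped commas", no silent truncation) describe checks that fit into one validation routine. The following C code is an added example, not fusermount's own code: `check_mount_opts`, the two allowlists and the 4096-byte page size are assumptions, and the helper suffix is the one visible in the strace output quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Assumed 4 KiB page; a real helper would ask sysconf(_SC_PAGESIZE). */
#define OPT_PAGE_SIZE 4096u

/* Suffix the helper appends itself, copied from the strace line on the page. */
#define HELPER_SUFFIX "fd=3,rootmode=40000,user_id=1000,group_id=1000"

/* Illustrative allowlists (assumption), not fusermount's actual tables. */
static const char *const allowed_flags[] = {
	"ro", "rw", "nosuid", "nodev", "noexec", "noatime", NULL
};
static const char *const allowed_keys[] = {
	"fsname", "subtype", "max_read", "blksize", NULL
};

enum opt_verdict { OPT_OK = 0, OPT_TOO_LONG, OPT_UNKNOWN };

/* Exact, length-bounded match of s[0..len) against a NULL-terminated list. */
static int in_list(const char *const *list, const char *s, size_t len)
{
	for (; *list; list++)
		if (strlen(*list) == len && memcmp(*list, s, len) == 0)
			return 1;
	return 0;
}

/*
 * Check a user-supplied option string before it is handed to mount(2).
 * `reserved` is the number of bytes the helper will add on its own.
 * On OPT_UNKNOWN, *bad / *bad_len describe the rejected token.
 */
enum opt_verdict check_mount_opts(const char *opts, size_t reserved,
				  const char **bad, size_t *bad_len)
{
	const char *p = opts;

	*bad = NULL;
	*bad_len = 0;

	/* The kernel keeps PAGE_SIZE-1 bytes at most: refuse, never truncate. */
	if (strlen(opts) + reserved > OPT_PAGE_SIZE - 1)
		return OPT_TOO_LONG;

	while (*p) {
		/* Split on every comma; a backslash in front of it means nothing. */
		size_t len = strcspn(p, ",");

		if (len > 0) {
			const char *eq = memchr(p, '=', len);
			int ok = eq ? in_list(allowed_keys, p, (size_t)(eq - p))
				    : in_list(allowed_flags, p, len);
			if (!ok) {
				*bad = p;
				*bad_len = len;
				return OPT_UNKNOWN;
			}
		}
		p += len;
		if (*p == ',')
			p++;
	}
	return OPT_OK;
}

int main(void)
{
	/* Constructed inputs, modelled on the command lines quoted above. */
	const char *samples[] = {
		"ro,nosuid,fsname=demo",
		"foobar=\\,allow_other",
		"fsname=x\\,allow_other",
	};
	const char *bad;
	size_t bad_len;

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		enum opt_verdict v = check_mount_opts(samples[i],
						      strlen(HELPER_SUFFIX),
						      &bad, &bad_len);
		printf("%-24s -> %d %.*s\n", samples[i], (int)v,
		       (int)bad_len, bad ? bad : "");
	}
	return 0;
}
```

With the 46-byte suffix, 4049 commas pass the length check and 4050 are refused, which is the point where the /proc/mounts output above starts losing the last digit of group_id.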

7 years ago Released 3.2.4 (tag: fuse-3.2.4)
Nikolaus Rath [Wed, 11 Jul 2018 09:34:38 +0000 (10:34 +0100)]
Released 3.2.4

7 years ago Don't assume sub-second resolution for st_atime/st_mtime.
Nikolaus Rath [Wed, 11 Jul 2018 09:33:16 +0000 (10:33 +0100)]
Don't assume sub-second resolution for st_atime/st_mtime.

Fixes: #224

7 years ago Use triple quotes for multiline string.
Nikolaus Rath [Wed, 4 Jul 2018 18:43:23 +0000 (19:43 +0100)]
Use triple quotes for multiline string.

Single quotes will become an error in a future meson release.

7 years ago Document that access() is also called on chdir().
Nikolaus Rath [Wed, 4 Jul 2018 18:40:20 +0000 (19:40 +0100)]
Document that access() is also called on chdir().

Source: Miklos Szeredi on fuse-devel, Wednesday, 4 July 2018 15:29.

7 years ago Source LSB init functions
Laszlo Boszormenyi (GCS) [Wed, 27 Jun 2018 15:02:07 +0000 (15:02 +0000)]
Source LSB init functions

7 years ago Fix manpage filename for mount.fuse3
Laszlo Boszormenyi (GCS) [Wed, 27 Jun 2018 14:59:19 +0000 (14:59 +0000)]
Fix manpage filename for mount.fuse3

7 years ago fuse.h: fix typo (currenlty -> currently)
William Woodruff [Mon, 2 Jul 2018 02:11:58 +0000 (22:11 -0400)]
fuse.h: fix typo (currenlty -> currently)

7 years ago fix documentation for opendir in fuse_operations
Carl Edquist [Tue, 22 May 2018 22:04:07 +0000 (17:04 -0500)]
fix documentation for opendir in fuse_operations

the filehandle from opendir is passed to releasedir - there is no
closedir function in fuse_operations

7 years ago rename: perform user mode dir loop check when not done in kernel
Bill Zissimooulos [Wed, 16 May 2018 19:36:19 +0000 (12:36 -0700)]
rename: perform user mode dir loop check when not done in kernel

    Fix conditionals as per maintainer's request.

7 years ago changelog: add info on rename deadlock fix
Bill Zissimopoulos [Wed, 16 May 2018 19:05:28 +0000 (12:05 -0700)]
changelog: add info on rename deadlock fix

7 years ago rename: perform user mode dir loop check when not done in kernel
Bill Zissimooulos [Sun, 13 May 2018 01:51:44 +0000 (18:51 -0700)]
rename: perform user mode dir loop check when not done in kernel

    Linux performs the dir loop check (rename(a, a/b/c)
    or rename(a/b/c, a), etc.) in kernel. Unfortunately
    other systems do not perform this check (e.g. FreeBSD).
    This results in a deadlock in get_path2, because libfuse
    did not expect to handle such cases.

    We add a check_dir_loop function that performs the dir
    loop check in user mode and enable it on systems that
    need it.

7 years ago Released 3.2.3 (tag: fuse-3.2.3)
Nikolaus Rath [Fri, 11 May 2018 14:01:09 +0000 (15:01 +0100)]
Released 3.2.3

7 years ago add_arg(): check for overflow
Nikolaus Rath [Fri, 11 May 2018 13:56:45 +0000 (14:56 +0100)]
add_arg(): check for overflow

Fixes: #222.

7 years ago Fix compile-time warnings on IGNORE_MTAB
Tomohiro Kusumi [Tue, 8 May 2018 05:57:00 +0000 (22:57 -0700)]
Fix compile-time warnings on IGNORE_MTAB

Silence below warnings which appear if IGNORE_MTAB is defined.

[59/64] Compiling C object 'util/fusermount3@exe/fusermount.c.o'.
../util/fusermount.c:493:12: warning: function declaration isn't a prototype [-Wstrict-prototypes]
 static int count_fuse_fs()
            ^~~~~~~~~~~~~
../util/fusermount.c: In function 'unmount_fuse':
../util/fusermount.c:508:46: warning: unused parameter 'quiet' [-Wunused-parameter]
 static int unmount_fuse(const char *mnt, int quiet, int lazy)
                                              ^~~~~

7 years ago Fix path to pytest cache directory.
Nikolaus Rath [Fri, 13 Apr 2018 17:28:27 +0000 (10:28 -0700)]
Fix path to pytest cache directory.

7 years ago Invert calloc(3) argument order (`nmemb` comes first)
Tomohiro Kusumi [Wed, 11 Apr 2018 16:40:13 +0000 (01:40 +0900)]
Invert calloc(3) argument order (`nmemb` comes first)

No functional difference expected, but should still follow the standard.
http://pubs.opengroup.org/onlinepubs/009695399/functions/calloc.html

7 years ago Drop unneeded void cast for actually used local variable
Tomohiro Kusumi [Wed, 11 Apr 2018 16:39:46 +0000 (01:39 +0900)]
Drop unneeded void cast for actually used local variable

`int sig` is actually used, so `(void) sig;` is unneeded.

7 years ago Drop redundant ; from FUSE_REGISTER_MODULE()
Tomohiro Kusumi [Wed, 11 Apr 2018 16:39:27 +0000 (01:39 +0900)]
Drop redundant ; from FUSE_REGISTER_MODULE()

Callers do (and should) use ;.

7 years ago Travis: remove root-owned cache files.
Nikolaus Rath [Sat, 31 Mar 2018 12:33:05 +0000 (13:33 +0100)]
Travis: remove root-owned cache files.

7 years ago Fix Travis build environment
Nikolaus Rath [Sat, 31 Mar 2018 12:21:08 +0000 (13:21 +0100)]
Fix Travis build environment

Newest Meson requires Python 3.5 which isn't available in Trusty.
Pip version pin no longer necessary.

7 years ago Fixed up duplicate ChangeLog entry.
Nikolaus Rath [Sat, 31 Mar 2018 12:16:48 +0000 (13:16 +0100)]
Fixed up duplicate ChangeLog entry.