diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2020-08-28 18:37:49 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2020-08-28 18:37:49 +0100 |
| commit | a4e236b7d4badcd7383ed3cb86655e9bba0583cf (patch) | |
| tree | 4e6f6ff37842641ea1670f010eb1f9462042b7e7 /tools | |
| parent | ea1bb830cb021cca2e361091cf728aaabc8c0654 (diff) | |
| parent | fd9279ec9985d9c8a0b533eff24839f93695b0f4 (diff) | |
| download | qemu-a4e236b7d4badcd7383ed3cb86655e9bba0583cf.zip qemu-a4e236b7d4badcd7383ed3cb86655e9bba0583cf.tar.gz qemu-a4e236b7d4badcd7383ed3cb86655e9bba0583cf.tar.bz2 | |
Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20200828a' into staging
Migration and virtiofsd pull 2020-08-28
Migration:
vsock support for migration
minor fixes
virtiofsd:
Disable remote posix locks by default - because we
never supported blocking variants and this breaks things
Some prep work for un/less priviliged modes
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
# gpg: Signature made Fri 28 Aug 2020 13:43:18 BST
# gpg: using RSA key 45F5C71B4A0CB7FB977A9FA90516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <dgilbert@redhat.com>" [full]
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A 9FA9 0516 331E BC5B FDE7
* remotes/dgilbert/tags/pull-migration-20200828a:
virtiofsd: probe unshare(CLONE_FS) and print an error
virtiofsd: drop CAP_DAC_READ_SEARCH
virtiofsd: Remove "norace" from cmdline help and docs
virtiofsd: Disable remote posix locks by default
migration: tls: fix memory leak in migration_tls_get_creds
migration: improve error reporting of block driver state name
migration: add vsock as data channel support
migration: unify the framework of socket-type channel
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/virtiofsd/fuse_virtio.c | 16 | ||||
| -rw-r--r-- | tools/virtiofsd/helper.c | 2 | ||||
| -rw-r--r-- | tools/virtiofsd/passthrough_ll.c | 3 |
3 files changed, 17 insertions, 4 deletions
diff --git a/tools/virtiofsd/fuse_virtio.c b/tools/virtiofsd/fuse_virtio.c index 3b6d16a..9e55375 100644 --- a/tools/virtiofsd/fuse_virtio.c +++ b/tools/virtiofsd/fuse_virtio.c @@ -949,6 +949,22 @@ int virtio_session_mount(struct fuse_session *se) { int ret; + /* + * Test that unshare(CLONE_FS) works. fv_queue_worker() will need it. It's + * an unprivileged system call but some Docker/Moby versions are known to + * reject it via seccomp when CAP_SYS_ADMIN is not given. + * + * Note that the program is single-threaded here so this syscall has no + * visible effect and is safe to make. + */ + ret = unshare(CLONE_FS); + if (ret == -1 && errno == EPERM) { + fuse_log(FUSE_LOG_ERR, "unshare(CLONE_FS) failed with EPERM. If " + "running in a container please check that the container " + "runtime seccomp policy allows unshare.\n"); + return -1; + } + ret = fv_create_listen_socket(se); if (ret < 0) { return ret; diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c index 3105b6c..7bc5d7d 100644 --- a/tools/virtiofsd/helper.c +++ b/tools/virtiofsd/helper.c @@ -159,8 +159,6 @@ void fuse_cmdline_help(void) " -o max_idle_threads the maximum number of idle worker " "threads\n" " allowed (default: 10)\n" - " -o norace disable racy fallback\n" - " default: false\n" " -o posix_lock|no_posix_lock\n" " enable/disable remote posix lock\n" " default: posix_lock\n" diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c index 63d1d00..784330e0 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -2596,7 +2596,6 @@ static void setup_capabilities(char *modcaps_in) if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, CAP_CHOWN, CAP_DAC_OVERRIDE, - CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_SETGID, @@ -2823,7 +2822,7 @@ int main(int argc, char *argv[]) struct lo_data lo = { .debug = 0, .writeback = 0, - .posix_lock = 1, + .posix_lock = 0, .proc_self_fd = -1, }; struct lo_map_elem *root_elem; |