diff options
author | Steve Kondik <steve@cyngn.com> | 2016-08-28 01:12:04 -0700 |
---|---|---|
committer | Steve Kondik <steve@cyngn.com> | 2016-08-28 01:12:04 -0700 |
commit | 3ecfa58e23f723914cb479262dbf393ee4821295 (patch) | |
tree | ea0a7d0e527ab7e4852118d561d12fd4a0998b0e | |
parent | cc5aa1ceaf16fedad2fbcc655b4b6fb844d925c7 (diff) | |
parent | df499bf1ce634f6e67d4d366c4475d32143f00f0 (diff) | |
download | android_external_fuse-lineage-15.0.tar.gz android_external_fuse-lineage-15.0.tar.bz2 android_external_fuse-lineage-15.0.zip |
Merge branch 'fuse_2_9_bugfix' of git://github.com/libfuse/libfuse into cm-14.0staging/lineage-15.1lineage-15.1lineage-15.0cm-14.1cm-14.0
Change-Id: I9e541e90baa225c25f3ca21050e406a42983f114
-rw-r--r-- | AUTHORS | 62 | ||||
-rw-r--r-- | ChangeLog | 64 | ||||
-rw-r--r-- | FAQ | 419 | ||||
-rw-r--r-- | Filesystems | 5 | ||||
-rw-r--r-- | Makefile.am | 5 | ||||
-rw-r--r-- | README | 380 | ||||
-rw-r--r-- | README.md | 108 | ||||
-rw-r--r-- | configure.ac | 4 | ||||
-rw-r--r-- | doc/.gitignore | 2 | ||||
-rw-r--r-- | doc/Makefile.am | 2 | ||||
-rw-r--r-- | include/fuse_lowlevel.h | 5 | ||||
-rw-r--r-- | lib/Makefile.am | 3 | ||||
-rw-r--r-- | lib/fuse_lowlevel.c | 3 | ||||
-rw-r--r-- | lib/helper.c | 14 | ||||
-rw-r--r-- | lib/mount.c | 6 | ||||
-rwxr-xr-x | makeconf.sh | 33 | ||||
-rw-r--r-- | util/ulockmgr_server.c | 2 |
17 files changed, 245 insertions, 872 deletions
@@ -1,9 +1,59 @@ -FUSE ----- +Current Maintainer +------------------ -Miklos Szeredi <miklos@szeredi.hu> +Nikolaus Rath <Nikolaus@rath.org> + + +Past Maintainers +---------------- + +Miklos Szeredi <miklos@szeredi.hu> (until 12/2015) -CUSE ----- -Tejun Heo <teheo@suse.de> +Contributors +------------ + +CUSE has been written by Tejun Heo <teheo@suse.de>. Furthermore, the +following people have contributed patches (autogenerated list): + +Anatol Pomozov <anatol.pomozov@gmail.com> +Antonio SJ Musumeci <trapexit@spawn.link> +Christopher Harrison <ch12@sanger.ac.uk> +Csaba Henk <csaba.henk@creo.hu> +cvs2git <> +Dalvik Khertel <khertel@outlook.com> +Daniel Thau <danthau@bedrocklinux.org> +David McNab <david@rebirthing.co.nz> +David Sheets <sheets@alum.mit.edu> +Emmanuel Dreyfus <manu@netbsd.org> +Enke Chen <enkechen@yahoo.com> +Eric Engestrom <eric@engestrom.ch> +Eric Wong <normalperson@yhbt.net> +Fabrice Bauzac <fbauzac@amadeus.com> +Feng Shuo <steve.shuo.feng@gmail.com> +Hendrik Brueckner <brueckner@linux.vnet.ibm.com> +Ikey Doherty <michael.i.doherty@intel.com> +Jan Blumschein <jan@jan-blumschein.de> +Joachim Schiele <joachim.schiele@daimler.com> +Joachim Schiele <js@lastlog.de> +John Muir <john@jmuir.com> +Laszlo Papp <ext-laszlo.papp@nokia.com> +Madan Valluri <mvalluri@cumulus-systems.com> +Mark Glines <mark@glines.org> +Max Krasnyansky <maxk@kernel.org> +Michael Grigoriev <mag@luminal.org> +Miklos Szeredi <miklos@szeredi.hu> +Miklos Szeredi <mszeredi@suse.cz> +mkmm@gmx-topmail.de <mkmm@gmx-topmail.de> +Natanael Copa <ncopa@alpinelinux.org> +Nikolaus Rath <Nikolaus@rath.org> +Olivier Blin <olivier.blin@softathome.com> +Ratna_Bolla@dell.com <Ratna_Bolla@dell.com> +Reuben Hawkins <reubenhwk@gmail.com> +Richard W.M. Jones <rjones@redhat.com> +Riku Voipio <riku.voipio@linaro.org> +Roland Bauerschmidt <rb@debian.org> +Sam Stuewe <halosghost@archlinux.info> +Sebastian Pipping <sebastian@pipping.org> +therealneworld@gmail.com <therealneworld@gmail.com> +Winfried Koehler <w_scan@gmx-topmail.de> @@ -1,45 +1,57 @@ -2015-05-22 Miklos Szeredi <miklos@szeredi.hu> +FUSE 2.9.7 (2016-06-20) +======================= - * Released 2.9.4 +* Added SELinux support. +* Fixed race-condition when session is terminated right after starting + a FUSE file system. -2015-05-22 Miklos Szeredi <miklos@szeredi.hu> +FUSE 2.9.6 (2016-04-23) +======================= - * libfuse: fix exec environment for mount and umount. Found by - Tavis Ormandy (CVE-2015-3202). +* Tarball now includes documentation. +* Shared-object version has now been bumped correctly. -2015-02-26 Miklos Szeredi <miklos@szeredi.hu> +FUSE 2.9.5 (2016-01-14) +======================= - * libfuse: fix fuse_remove_signal_handlers() to properly restore - the default signal handler. Reported by: Chris Johnson +* New maintainer: Nikolaus Rath <Nikolaus@rath.org>. Many thanks to + Miklos Szeredi <miklos@szeredi.hu> for bringing FUSE to where it is + now! -2014-07-21 Miklos Szeredi <miklos@szeredi.hu> +* fix warning in mount.c:receive_fd(). Reported by Albert Berger - * libfuse: highlevel API: fix directory file handle passed to - ioctl() method. Reported by Eric Biggers +* fix possible memory leak. Reported by Jose R. Guzman -2014-07-15 Miklos Szeredi <miklos@szeredi.hu> +FUSE 2.9.4 (2015-05-22) +======================= - * libfuse: document deadlock avoidance for - fuse_notify_inval_entry() and fuse_notify_delete() +* fix exec environment for mount and umount. Found by Tavis Ormandy + (CVE-2015-3202). - * fusermount, libfuse: send value as unsigned in "user_id=" and - "group_id=" options. Uids/gids larger than 2147483647 would - result in EINVAL when mounting the filesystem. This also needs a - fix in the kernel. +* fix fuse_remove_signal_handlers() to properly restore the default + signal handler. Reported by: Chris Johnson -2014-03-26 Miklos Szeredi <miklos@szeredi.hu> +* highlevel API: fix directory file handle passed to ioctl() method. + Reported by Eric Biggers - * Initilaize stat buffer passed to ->getattr() and ->fgetattr() to - zero in all cases. Reported by Daniel Iwan +* libfuse: document deadlock avoidance for fuse_notify_inval_entry() + and fuse_notify_delete() -2013-08-26 Miklos Szeredi <miklos@szeredi.hu> +* fusermount, libfuse: send value as unsigned in "user_id=" and + "group_id=" options. Uids/gids larger than 2147483647 would result + in EINVAL when mounting the filesystem. This also needs a fix in + the kernel. - * libfuse: Add missing includes. This allows compiling fuse with - musl. Patch by Daniel Thau +* Initilaize stat buffer passed to ->getattr() and ->fgetattr() to + zero in all cases. Reported by Daniel Iwan -2013-07-01 Miklos Szeredi <miklos@szeredi.hu> +* libfuse: Add missing includes. This allows compiling fuse with + musl. Patch by Daniel Thau + + +Older Versions (before 2013-01-01) +================================== - * Released 2.9.3 2013-06-20 Miklos Szeredi <miklos@szeredi.hu> @@ -1,419 +0,0 @@ -This was generated on 2006/10/17 from - - http://sourceforge.net/apps/mediawiki/fuse/index.php?title=FAQ - -For an up to date version please see the above page. You can also add -new entries there. - -General -======= - -How can I umount a filesystem? ------------------------------- - -FUSE filesystems can be unmounted either with: - - umount mountpoint - -or - - fusermount -u mountpoint - -The later does not need root privileges if the filesystem was mounted by the -user doing the unmounting. - -What's the difference between FUSE and LUFS? --------------------------------------------- - -The main difference between them is that in LUFS the filesystem is a -shared object (.so) which is loaded by lufsmount, and in FUSE the -filesystem is a separate executable, which uses the fuse library. The -actual API is very similar, and there's a translator, that can load -LUFS modules and run them using the FUSE kernel module (see the lufis -package on the FUSE page). - -Another difference is that LUFS does some caching of directories and -file attributes. FUSE does not do this, so it provides a 'thinner' -interface. - -By now LUFS development seems to have completely ceased. - -Why is it called FUSE? There's a ZX Spectrum emulator called Fuse too. ----------------------------------------------------------------------- - -At the time of christening it, the author of FUSE (the filesystem) -hadn't heard of Fuse (the Speccy emulator). Which is ironic, since he -knew Philip Kendall, the author of that other Fuse from earlier times. -Btw. the author of FUSE (the filesystem) also created a Speccy -emulator called Spectemu. - -The name wanted to be a clever acronym for "Filesystem in USErspace", -but it turned out to be an unfortunate choice. The author has since -vowed never to name a project after a common term, not even anything -found more than a handful of times on Google. - -Is it possible to mount a fuse filesystem from fstab? ------------------------------------------------------ - -Yes, from version 2.4.0 this is possible. The filesystem must adhere -to some rules about command line options to be able to work this way. -Here's an example of mounting an sshfs filesystem: - -sshfs#user@host:/ /mnt/host fuse defaults 0 0 - -The mounting is performed by the /sbin/mount.fuse helper script. In -this example the FUSE-linked binary must be called sshfs and must -reside somewhere in $PATH. - -Licensing issues -~~~~~~~~~~~~~~~~ - -Under what license is FUSE released? ------------------------------------- - -The kernel part is released under the GNU GPL. - -Libfuse is released under the GNU LGPLv2. - -All other parts (examples, fusermount, etc) are released under the GNU -GPL. - -Under what conditions may I modify or distribute FUSE? ------------------------------------------------------- - -See the files COPYING and COPYING.LIB in the distribution. - -More information can be found at http://www.gnu.org/licenses/ - -Under what conditions may I distribute a filesystem which uses libfuse? ------------------------------------------------------------------------ - -See COPYING.LIB in the distribution. - -In simple terms as long as you are linking dynamically (the default) -there are no limitations on linking with libfuse. For example you may -distribute the filesystem itself in binary form, without source code, -under any proprietary license. - -Under what conditions may I distribute a filesystem that uses the raw ---------------------------------------------------------------------- -kernel interface of FUSE? -------------------------- - -There are no restrictions whatsoever for using the raw kernel interface. - -API -=== - -Which method is called on the close() system call? --------------------------------------------------- - -flush() and possibly release(). For details see the documentation of -these methods in <fuse.h> - -Wouldn't it be simpler if there were a single close() method? -------------------------------------------------------------- - -No, because the relationship between the close() system call and the -release of the file (the opposite of open) is not as simple as people -tend to imagine. UNIX allows open files to acquire multiple -references - - * after fork() two processes refer to the same open file - - * dup() and dup2() make another file descriptor refer to the same - file - - * mmap() makes a memory mapping refer to an open file - -This means, that for a single open() system call, there could be more -than one close() and possibly munmap() calls until the open file is -finally released. - -Can I return an error from release()? -------------------------------------- - -No, it's not possible. - -If you need to return errors on close, you must do that from flush(). - -How do I know which is the last flush() before release()? ---------------------------------------------------------- - -You can't. All flush() calls should be treated equally. Anyway it -wouldn't be worth optimizing away non-final flushes, since it's fairly -rare to have multiple write-flush sequences on an open file. - -Why doesn't FUSE forward ioctl() calls to the filesystem? ---------------------------------------------------------- - -Because it's not possible: data passed to ioctl() doesn't have a well -defined length and structure like read() and write(). Consider using -getxattr() and setxattr() instead. - -Is there a way to know the uid, gid or pid of the process performing --------------------------------------------------------------------- -the operation? --------------- - -Yes: fuse_get_context()->uid, etc. - -How should threads be started? ------------------------------- - -Miscellaneous threads should be started from the init() method. -Threads started before fuse_main() will exit when the process goes -into the background. - -Is it possible to store a pointer to private data in the --------------------------------------------------------- -fuse_file_info structure? -------------------------- - -Yes, the 'fh' filed is for this purpose. This filed may be set in the -open() and create() methods, and is available in all other methods -having a struct fuse_file_info parameter. Note, that changing the -value of 'fh' in any other method as open() or create() will have no -affect. - -Since the type of 'fh' is unsigned long, you need to use casts when -storing and retrieving a pointer. Under Linux (and most other -architectures) an unsigned long will be able to hold a pointer. - -This could have been done with a union of 'void *' and 'unsigned long' -but that would not have been any more type safe as having to use -explicit casts. The recommended type safe solution is to write a -small inline function that retrieves the pointer from the -fuse_file_info structure. - -Problems -======== - -Version problems -~~~~~~~~~~~~~~~~ - -Why do I get Connection Refused after mounting? ------------------------------------------------ - -Library is too old (< 2.3.0) - -You can check which version of the library is being used by foofs by -doing 'ldd path_to_foofs'. It will return something like this - - libfuse.so.2 => /usr/local/lib/libfuse.so.2 (0xb7fc9000) - libpthread.so.0 => /lib/tls/libpthread.so.0 (0xb7fb9000) - libglib-2.0.so.0 => /usr/lib/libglib-2.0.so.0 (0xb7f39000) - libc.so.6 => /lib/tls/libc.so.6 (0xb7e04000) - -Then do 'ls -l path_to_libfuse' - -> ls -l /usr/local/lib/libfuse.so.2 -lrwxrwxrwx 1 root root 16 Sep 26 13:41 /usr/local/lib/libfuse.so.2 -> libfuse.so.2.2.1 - -Why does fusermount fail with an Unknown option error? ------------------------------------------------------- - -Errors like 'fusermount: Unknown option -o' or 'fusermount: Unknown -option --' mean, that an old version of fusermount is being used. You -can check by doing 'which fusermount'. - -If you installed FUSE from source, then this is probably because there -exists a binary package on your system which also contains a -fusermount program, and is found first in the path, e.g. in -/usr/bin/fusermount. - -The solution is to remove the binary package. - -Installation problems -~~~~~~~~~~~~~~~~~~~~~ - -Why is there an error loading shared libraries? ------------------------------------------------ - -If you get the following error when starting a FUSE-based filesystem: - - foofs: error while loading shared libraries: libfuse.so.2: - cannot open shared object file: No such file or directory - -check /etc/ld.so.conf for a line containing '/usr/local/lib'. If it's -missing, add it, and run ldconfig afterwards. - -Why doesn't mounting as user work if installing FUSE from a package? --------------------------------------------------------------------- - -Distributions often package 'fusermount' without the suid bit, or only -executable to the 'fuse' group. - -This results in the following message, when trying to mount a -filesystem as an unprivileged user: - - fusermount: mount failed: Operation not permitted - -The simplest solution is to change the mode of 'fusermount': - - chmod 4755 /usr/bin/fusermount - -Note, you may have to do this after each upgrade. - -Other problems -~~~~~~~~~~~~~~ - -Why are some bytes zeroed when reading a file? ----------------------------------------------- - -This happens if the filesystem returns a short count from the read() -method. If the file wasn't opened in direct I/O mode, the read() -method must return exactly the requested number of bytes, unless it's -the end of the file. - -If the file was opened in direct I/O mode (with direct_io mount -option, or by setting the direct_io field of fuse_file_info at open) -the read can return a smaller value than requested. In this case the -end of file can be signalled by returning zero. - -What do I do if /dev/fuse does not exist? ------------------------------------------ - -Maybe the FUSE module is not loaded. As root, try: - - modprobe fuse - -If nothing changes, as root run: - - mknod /dev/fuse c 10 229 - -What do I do if you don't have access to /dev/fuse? ---------------------------------------------------- - -As root run: - - chmod o+rw /dev/fuse - -Remember that this will allow ordinary users to mount their own user -space filesystems. - -If that's not what you want then use different permissions. - -Why does cp return operation not permitted when copying a file with no ----------------------------------------------------------------------- -write permissions for the owner? --------------------------------- - -"cp" calls open(2) with read-only permissions and O_CREAT, the purpose -being to atomically obtain a read/write file handle and make the file -read-only. Unfortunately, this does not work very well in fuse, since -you first get a mknod, and then an open call. At the time of open, -you can't distinguish easily whether this is the first open issued by -cp, or another process trying to write a read-only file. - -Defining the 'create' method solves this problem, however this -requires a Linux kernel version of at least 2.6.15 and libfuse version -2.5 or greater (on FreeBSD you'll need fuse4bsd-0.3.0-pre1 or newer -for this). - -There can be other workarounds, however the easy one is to use the -"default_permissions" mount option, and to avoid checking permissions -on open. If you store files on a filesystem, this can get tricky -because you will have to change the file mode to allow writing. Using -the stateful API (i.e. returning an handle on open) will simplify -things. In this case, and using "-o default_permissions", when -implementing the open call you have to: - -1. check if the open is in write mode (i.e. mode has O_RDWR or - O_WRONLY) - -2. in that case (in mutual exclusion with other open, getattr - etc. calls on the same file) change the mode from "M" to "M OR - 0o200" - -3. open the file, change back the mode even in case of errors, and - return the obtained handle - -Why doesn't find work on my filesystem? ---------------------------------------- - -The st_nlink member must be set correctly for directories to make find -work. If it's not set correctly the -noleaf option of find can be -used to make it ignore the hard link count (see man find). - -The correct value of st_nlink for directories is NSUB + 2. Where NSUB -is the number of subdirectories. NOTE: regular-file/symlink/etc -entries do not count into NSUB, only directories. - -If calculating NSUB is hard, the filesystem can set st_nlink of -directories to 1, and find will still work. This is not documented -behavior of find, and it's not clear whether this is intended or just -by accident. But for example the NTFS filesysem relies on this, so -it's unlikely that this "feature" will go away. - -What is the reason for IO errors? ---------------------------------- - -The kernel part of FUSE returns the EIO error value, whenever the -userspace filesystem sends a "bad" reply. Sometimes these are -unavoidable, and not necessarily a fault of the filesystem. Possible -causes of this are (non-exhaustive) - - * the filesystem returned a short count on write() - - * the type of the file has changed (e.g. a directory suddenly - became a symlink) - - * a directory entry contained a filename that was too long (no, - ENAMETOOLONG is not the right error here) - - * the same node ID value was used for two different directories - (i.e. hard-linked directories are not allowed) - - * In the GETATTR function, st_mode needs to have a valid filetype - bit set, like S_IFREG or S_IFDIR, see the stat manual for more - - * You are running a 64 bit kernel but using a 32 bit libfuse. In this case - you will need to install a 64 bit version of the FUSE userspace library, - 64 bit versions of all of the FUSE filesystems or language bindings that - link to it, and 64 bit versions of all of their dependencies. Your - distribution may provide 64 bit versions of the basic dependencies like - libc even in its 32 bit environment - -Misc -==== - -Can the filesystem ask a question on the terminal of the user? --------------------------------------------------------------- - -It would not be possible generally speaking, since it might not be an -interactive program but rather a daemon, or a GUI program doing the -operation. However you should be able to get the PID for the caller, -and by looking in /proc you should be able to find the process tty or -something similar. - -But this is not recommended. You should rather think about solving -this another way. - -If a filesystem is mounted over a directory, how can I access the old ---------------------------------------------------------------------- -contents? ---------- - -There are two possibilities: - -The first is to use 'mount --bind DIR TMPDIR' to create a copy of the -namespace under DIR. After mounting the FUSE filesystem over DIR, -files can still be accessed through TMDIR. This needs root privileges. - -The second is to set the working directory to DIR after mounting the FUSE -filesystem. For example before fuse_main() do - - save_dir = open(DIR, O_RDONLY); - -And from the init() method do - - fchdir(save_dir); - close(save_dir); - -Then access the files with relative paths (with newer LIBC versions -the *at() functions may also be used instead of changing the CWD). - -This method doesn't need root privileges, but only works on Linux -(FreeBSD does path resolving in a different way), and it's not even -guaranteed to work on future Linux versions. diff --git a/Filesystems b/Filesystems deleted file mode 100644 index e96942b..0000000 --- a/Filesystems +++ /dev/null @@ -1,5 +0,0 @@ -Please see the following links: - -http://sourceforge.net/apps/mediawiki/fuse/index.php?title=FileSystems -http://sourceforge.net/apps/mediawiki/fuse/index.php?title=LanguageBindings -http://sourceforge.net/apps/mediawiki/fuse/index.php?title=OperatingSystems diff --git a/Makefile.am b/Makefile.am index 8bb0781..691b1bc 100644 --- a/Makefile.am +++ b/Makefile.am @@ -3,12 +3,11 @@ ACLOCAL_AMFLAGS = -I m4 SUBDIRS = @subdirs2@ doc +AUTOMAKE_OPTIONS = subdir-objects EXTRA_DIST = \ fuse.pc.in \ - README* \ - Filesystems \ - FAQ + README* pkgconfigdir = @pkgconfigdir@ pkgconfig_DATA = fuse.pc @@ -1,380 +0,0 @@ -General Information -=================== - -FUSE (Filesystem in Userspace) is a simple interface for userspace -programs to export a virtual filesystem to the Linux kernel. FUSE -also aims to provide a secure method for non privileged users to -create and mount their own filesystem implementations. - -You can download the source code releases from - - http://sourceforge.net/projects/fuse - -or alternatively you can use CVS to get the very latest development -version: - - cvs -d :pserver:anonymous@fuse.cvs.sourceforge.net:/cvsroot/fuse co fuse - - -Dependencies -============ - -Linux kernel version 2.6.X where X >= 9. - -Alternatively a kernel module from FUSE release 2.5.* can be used with -this release, which supports kernels >= 2.4.21. - -Installation -============ - -./configure -make -make install -modprobe fuse - -You may also need to add '/usr/local/lib' to '/etc/ld.so.conf' and/or -run ldconfig. - -You'll also need a fuse kernel module, Linux kernels 2.6.14 or later -contain FUSE support. - -For more details see the file 'INSTALL' - -How To Use -========== - -FUSE is made up of three main parts: - - - A kernel filesystem module - - - A userspace library - - - A mount/unmount program - - -Here's how to create your very own virtual filesystem in five easy -steps (after installing FUSE): - - 1) Edit the file example/fusexmp.c to do whatever you want... - - 2) Build the fusexmp program - - 3) run 'example/fusexmp /mnt/fuse -d' - - 4) ls -al /mnt/fuse - - 5) Be glad - -If it doesn't work out, please ask! Also see the file 'include/fuse.h' for -detailed documentation of the library interface. - -Security -======== - -If you run 'make install', the fusermount program is installed -set-user-id to root. This is done to allow normal users to mount -their own filesystem implementations. - -There must however be some limitations, in order to prevent Bad User from -doing nasty things. Currently those limitations are: - - - The user can only mount on a mountpoint, for which it has write - permission - - - The mountpoint is not a sticky directory which isn't owned by the - user (like /tmp usually is) - - - No other user (including root) can access the contents of the mounted - filesystem. - -Configuration -============= - -Some options regarding mount policy can be set in the file -'/etc/fuse.conf' - -Currently these options are: - -mount_max = NNN - - Set the maximum number of FUSE mounts allowed to non-root users. - The default is 1000. - -user_allow_other - - Allow non-root users to specify the 'allow_other' or 'allow_root' - mount options. - - -Mount options -============= - -Most of the generic mount options described in 'man mount' are -supported (ro, rw, suid, nosuid, dev, nodev, exec, noexec, atime, -noatime, sync async, dirsync). Filesystems are mounted with -'-onodev,nosuid' by default, which can only be overridden by a -privileged user. - -These are FUSE specific mount options that can be specified for all -filesystems: - -default_permissions - - By default FUSE doesn't check file access permissions, the - filesystem is free to implement it's access policy or leave it to - the underlying file access mechanism (e.g. in case of network - filesystems). This option enables permission checking, restricting - access based on file mode. This is option is usually useful - together with the 'allow_other' mount option. - -allow_other - - This option overrides the security measure restricting file access - to the user mounting the filesystem. So all users (including root) - can access the files. This option is by default only allowed to - root, but this restriction can be removed with a configuration - option described in the previous section. - -allow_root - - This option is similar to 'allow_other' but file access is limited - to the user mounting the filesystem and root. This option and - 'allow_other' are mutually exclusive. - -kernel_cache - - This option disables flushing the cache of the file contents on - every open(). This should only be enabled on filesystems, where the - file data is never changed externally (not through the mounted FUSE - filesystem). Thus it is not suitable for network filesystems and - other "intermediate" filesystems. - - NOTE: if this option is not specified (and neither 'direct_io') data - is still cached after the open(), so a read() system call will not - always initiate a read operation. - -auto_cache - - This option enables automatic flushing of the data cache on open(). - The cache will only be flushed if the modification time or the size - of the file has changed. - -large_read - - Issue large read requests. This can improve performance for some - filesystems, but can also degrade performance. This option is only - useful on 2.4.X kernels, as on 2.6 kernels requests size is - automatically determined for optimum performance. - -direct_io - - This option disables the use of page cache (file content cache) in - the kernel for this filesystem. This has several affects: - - - Each read() or write() system call will initiate one or more - read or write operations, data will not be cached in the - kernel. - - - The return value of the read() and write() system calls will - correspond to the return values of the read and write - operations. This is useful for example if the file size is not - known in advance (before reading it). - -max_read=N - - With this option the maximum size of read operations can be set. - The default is infinite. Note that the size of read requests is - limited anyway to 32 pages (which is 128kbyte on i386). - -max_readahead=N - - Set the maximum number of bytes to read-ahead. The default is - determined by the kernel. On linux-2.6.22 or earlier it's 131072 - (128kbytes) - -max_write=N - - Set the maximum number of bytes in a single write operation. The - default is 128kbytes. Note, that due to various limitations, the - size of write requests can be much smaller (4kbytes). This - limitation will be removed in the future. - -async_read - - Perform reads asynchronously. This is the default - -sync_read - - Perform all reads (even read-ahead) synchronously. - -hard_remove - - The default behavior is that if an open file is deleted, the file is - renamed to a hidden file (.fuse_hiddenXXX), and only removed when - the file is finally released. This relieves the filesystem - implementation of having to deal with this problem. This option - disables the hiding behavior, and files are removed immediately in - an unlink operation (or in a rename operation which overwrites an - existing file). - - It is recommended that you not use the hard_remove option. When - hard_remove is set, the following libc functions fail on unlinked - files (returning errno of ENOENT): - - read() - - write() - - fsync() - - close() - - f*xattr() - - ftruncate() - - fstat() - - fchmod() - - fchown() - -debug - - Turns on debug information printing by the library. - -fsname=NAME - - Sets the filesystem source (first field in /etc/mtab). The default - is the program name. - -subtype=TYPE - - Sets the filesystem type (third field in /etc/mtab). The default is - the program name. - - If the kernel suppports it, /etc/mtab and /proc/mounts will show the - filesystem type as "fuse.TYPE" - - If the kernel doesn't support subtypes, the source filed will be - "TYPE#NAME", or if fsname option is not specified, just "TYPE". - -use_ino - - Honor the 'st_ino' field in getattr() and fill_dir(). This value is - used to fill in the 'st_ino' field in the stat()/lstat()/fstat() - functions and the 'd_ino' field in the readdir() function. The - filesystem does not have to guarantee uniqueness, however some - applications rely on this value being unique for the whole - filesystem. - -readdir_ino - - If 'use_ino' option is not given, still try to fill in the 'd_ino' - field in readdir(). If the name was previously looked up, and is - still in the cache, the inode number found there will be used. - Otherwise it will be set to '-1'. If 'use_ino' option is given, - this option is ignored. - -nonempty - - Allows mounts over a non-empty file or directory. By default these - mounts are rejected (from version 2.3.1) to prevent accidental - covering up of data, which could for example prevent automatic - backup. - -umask=M - - Override the permission bits in 'st_mode' set by the filesystem. - The resulting permission bits are the ones missing from the given - umask value. The value is given in octal representation. - -uid=N - - Override the 'st_uid' field set by the filesystem. - -gid=N - - Override the 'st_gid' field set by the filesystem. - -blkdev - - Mount a filesystem backed by a block device. This is a privileged - option. The device must be specified with the 'fsname=NAME' option. - -entry_timeout=T - - The timeout in seconds for which name lookups will be cached. The - default is 1.0 second. For all the timeout options, it is possible - to give fractions of a second as well (e.g. "-oentry_timeout=2.8") - -negative_timeout=T - - The timeout in seconds for which a negative lookup will be cached. - This means, that if file did not exist (lookup retuned ENOENT), the - lookup will only be redone after the timeout, and the file/directory - will be assumed to not exist until then. The default is 0.0 second, - meaning that caching negative lookups are disabled. - -attr_timeout=T - - The timeout in seconds for which file/directory attributes are - cached. The default is 1.0 second. - -ac_attr_timeout=T - - The timeout in seconds for which file attributes are cached for the - purpose of checking if "auto_cache" should flush the file data on - open. The default is the value of 'attr_timeout' - -intr - - Allow requests to be interrupted. Turning on this option may result - in unexpected behavior, if the filesystem does not support request - interruption. - -intr_signal=NUM - - Specify which signal number to send to the filesystem when a request - is interrupted. The default is 10 (USR1). - -modules=M1[:M2...] - - Add modules to the filesystem stack. Modules are pushed in the - order they are specified, with the original filesystem being on the - bottom of the stack. - - -Modules distributed with fuse ------------------------------ - -iconv -````` -Perform file name character set conversion. Options are: - -from_code=CHARSET - - Character set to convert from (see iconv -l for a list of possible - values). Default is UTF-8. - -to_code=CHARSET - - Character set to convert to. Default is determined by the current - locale. - - -subdir -`````` -Prepend a given directory to each path. Options are: - -subdir=DIR - - Directory to prepend to all paths. This option is mandatory. - -rellinks - - Transform absolute symlinks into relative - -norellinks - - Do not transform absolute symlinks into relative. This is the default. - - -Reporting bugs -============== - -Please send bug reports to the <fuse-devel@lists.sourceforge.net> -mailing list. - -The list is open, you need not be subscribed to post. diff --git a/README.md b/README.md new file mode 100644 index 0000000..2243a12 --- /dev/null +++ b/README.md @@ -0,0 +1,108 @@ +libfuse +======= + +Warning: unresolved security issue +---------------------------------- + +Be aware that FUSE has an unresolved security bug +([bug #15](https://github.com/libfuse/libfuse/issues/15)): the +permission check for accessing a cached directory is only done once +when the directory entry is first loaded into the cache. Subsequent +accesses will re-use the results of the first check, even if the +directory permissions have since changed, and even if the subsequent +access is made by a different user. + +This bug needs to be fixed in the Linux kernel and has been known +since 2006 but unfortunately no fix has been applied yet. If you +depend on correct permission handling for FUSE file systems, the only +workaround is to completely disable caching of directory +entries. Alternatively, the severity of the bug can be somewhat +reduced by not using the `allow_other` mount option. + + +About +----- + +FUSE (Filesystem in Userspace) is an interface for userspace programs +to export a filesystem to the Linux kernel. The FUSE project consists +of two components: the *fuse* kernel module (maintained in the regular +kernel repositories) and the *libfuse* userspace library (maintained +in this repository). libfuse provides the reference implementation +for communicating with the FUSE kernel module. + +A FUSE file system is typically implemented as a standalone +application that links with libfuse. libfuse provides functions to +mount the file system, unmount it, read requests from the kernel, and +send responses back. libfuse offers two APIs: a "high-level", +synchronous API, and a "low-level" asynchronous API. In both cases, +incoming requests from the kernel are passed to the main program using +callbacks. When using the high-level API, the callbacks may work with +file names and paths instead of inodes, and processing of a request +finishes when the callback function returns. When using the low-level +API, the callbacks must work with inodes and responses must be sent +explicitly using a separate set of API functions. + + +Installation +------------ + + ./configure + make -j8 + make install + +You may also need to add `/usr/local/lib` to `/etc/ld.so.conf` and/or +run *ldconfig*. If you're building from the git repository (instead of +using a release tarball), you also need to run `./makeconf.sh` to +create the `configure` script. + +You'll also need a fuse kernel module (Linux kernels 2.6.14 or later +contain FUSE support). + +For more details see the file `INSTALL` + +Security implications +--------------------- + +If you run `make install`, the *fusermount* program is installed +set-user-id to root. This is done to allow normal users to mount +their own filesystem implementations. + +There must however be some limitations, in order to prevent Bad User from +doing nasty things. Currently those limitations are: + + - The user can only mount on a mountpoint, for which it has write + permission + + - The mountpoint is not a sticky directory which isn't owned by the + user (like /tmp usually is) + + - No other user (including root) can access the contents of the + mounted filesystem (though this can be relaxed by allowing the use + of the `allow_other` and `allow_root` mount options in `fuse.conf`) + + +Building your own filesystem +------------------------------ + +FUSE comes with several example file systems in the `examples` +directory. For example, the *fusexmp* example mirrors the contents of +the root directory under the mountpoint. Start from there and adapt +the code! + +The documentation of the API functions and necessary callbacks is +mostly contained in the files `include/fuse.h` (for the high-level +API) and `include/fuse_lowlevel.h` (for the low-level API). An +autogenerated html version of the API is available in the `doc/html` +directory and at http://libfuse.github.io/doxygen. + + +Getting Help +------------ + +If you need help, please ask on the <fuse-devel@lists.sourceforge.net> +mailing list (subscribe at +https://lists.sourceforge.net/lists/listinfo/fuse-devel). + +Please report any bugs on the GitHub issue tracker at +https://github.com/libfuse/main/issues. + diff --git a/configure.ac b/configure.ac index eff1dd8..8f1a63a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,9 +1,9 @@ -AC_INIT(fuse, 2.9.4) +AC_INIT(fuse, 2.9.7) AC_PREREQ(2.59d) AC_CONFIG_MACRO_DIR([m4]) AC_CANONICAL_TARGET -AM_INIT_AUTOMAKE +AM_INIT_AUTOMAKE([foreign]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES(yes)]) AC_CONFIG_HEADERS(include/config.h) diff --git a/doc/.gitignore b/doc/.gitignore new file mode 100644 index 0000000..1b0a5aa --- /dev/null +++ b/doc/.gitignore @@ -0,0 +1,2 @@ +doxygen_sqlite3.db +html/ diff --git a/doc/Makefile.am b/doc/Makefile.am index ebc9679..1d38e48 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -2,4 +2,4 @@ dist_man_MANS = fusermount.1 mount.fuse.8 ulockmgr_server.1 -EXTRA_DIST = how-fuse-works kernel.txt Doxyfile +EXTRA_DIST = how-fuse-works kernel.txt Doxyfile html diff --git a/include/fuse_lowlevel.h b/include/fuse_lowlevel.h index 6971f73..26dc429 100644 --- a/include/fuse_lowlevel.h +++ b/include/fuse_lowlevel.h @@ -927,6 +927,11 @@ struct fuse_lowlevel_ops { * kernel supports splicing from the fuse device, then the * data will be made available in pipe for supporting zero * copy data transfer. + * + * buf->count is guaranteed to be one (and thus buf->idx is + * always zero). The write_buf handler must ensure that + * bufv->off is correctly updated (reflecting the number of + * bytes read from bufv->buf[0]). * * Introduced in version 2.9 * diff --git a/lib/Makefile.am b/lib/Makefile.am index 8b43ffe..b0f195e 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -1,5 +1,6 @@ ## Process this file with automake to produce Makefile.in +AUTOMAKE_OPTIONS = subdir-objects AM_CPPFLAGS = -I$(top_srcdir)/include -DFUSERMOUNT_DIR=\"$(bindir)\" \ -D_FILE_OFFSET_BITS=64 -D_REENTRANT -DFUSE_USE_VERSION=26 @@ -36,7 +37,7 @@ libfuse_la_SOURCES = \ $(iconv_source) \ $(mount_source) -libfuse_la_LDFLAGS = -pthread @libfuse_libs@ -version-number 2:9:4 \ +libfuse_la_LDFLAGS = -pthread @libfuse_libs@ -version-number 2:9:7 \ -Wl,--version-script,$(srcdir)/fuse_versionscript if NETBSD diff --git a/lib/fuse_lowlevel.c b/lib/fuse_lowlevel.c index 97dd678..232956c 100644 --- a/lib/fuse_lowlevel.c +++ b/lib/fuse_lowlevel.c @@ -688,11 +688,11 @@ static int fuse_send_data_iov(struct fuse_ll *f, struct fuse_chan *ch, goto clear_pipe; } res = read_back(llp->pipe[0], tmpbuf, headerlen); + free(tmpbuf); if (res != 0) { free(mbuf); goto clear_pipe; } - free(tmpbuf); res = read_back(llp->pipe[0], mbuf, now_len); if (res != 0) { free(mbuf); @@ -2087,6 +2087,7 @@ int fuse_lowlevel_notify_store(struct fuse_chan *ch, fuse_ino_t ino, outarg.nodeid = ino; outarg.offset = offset; outarg.size = size; + outarg.padding = 0; iov[0].iov_base = &out; iov[0].iov_len = sizeof(out); diff --git a/lib/helper.c b/lib/helper.c index c5349bf..1f13c87 100644 --- a/lib/helper.c +++ b/lib/helper.c @@ -181,6 +181,13 @@ int fuse_daemonize(int foreground) { if (!foreground) { int nullfd; + int waiter[2]; + char completed; + + if (pipe(waiter)) { + perror("fuse_daemonize: pipe"); + return -1; + } /* * demonize current process by forking it and killing the @@ -193,6 +200,7 @@ int fuse_daemonize(int foreground) case 0: break; default: + read(waiter[0], &completed, sizeof(completed)); _exit(0); } @@ -211,6 +219,12 @@ int fuse_daemonize(int foreground) if (nullfd > 2) close(nullfd); } + + /* Propagate completion of daemon initializatation */ + completed = 1; + write(waiter[1], &completed, sizeof(completed)); + close(waiter[0]); + close(waiter[1]); } return 0; } diff --git a/lib/mount.c b/lib/mount.c index eb0bb17..7a629f1 100644 --- a/lib/mount.c +++ b/lib/mount.c @@ -102,6 +102,10 @@ static const struct fuse_opt fuse_mount_opts[] = { FUSE_OPT_KEY("large_read", KEY_KERN_OPT), FUSE_OPT_KEY("blksize=", KEY_KERN_OPT), FUSE_OPT_KEY("default_permissions", KEY_KERN_OPT), + FUSE_OPT_KEY("context=", KEY_KERN_OPT), + FUSE_OPT_KEY("fscontext=", KEY_KERN_OPT), + FUSE_OPT_KEY("defcontext=", KEY_KERN_OPT), + FUSE_OPT_KEY("rootcontext=", KEY_KERN_OPT), FUSE_OPT_KEY("max_read=", KEY_KERN_OPT), FUSE_OPT_KEY("max_read=", FUSE_OPT_KEY_KEEP), FUSE_OPT_KEY("user=", KEY_MTAB_OPT), @@ -282,7 +286,7 @@ static int receive_fd(int fd) } cmsg = CMSG_FIRSTHDR(&msg); - if (!cmsg->cmsg_type == SCM_RIGHTS) { + if (cmsg->cmsg_type != SCM_RIGHTS) { fprintf(stderr, "got control message of unknown type %d\n", cmsg->cmsg_type); return -1; diff --git a/makeconf.sh b/makeconf.sh index 6678bdd..3388390 100755 --- a/makeconf.sh +++ b/makeconf.sh @@ -1,8 +1,10 @@ #! /bin/sh -echo Running libtoolize... -libtoolize --automake -c -f +echo "Running libtoolize..." +libtoolize -c +# We use iconv directly rather than via gettext, so +# we need to manually copy config.rpath. CONFIG_RPATH=/usr/share/gettext/config.rpath if ! [ -f $CONFIG_RPATH ]; then CONFIG_RPATH=/usr/local/share/gettext/config.rpath @@ -11,7 +13,7 @@ if ! [ -f $CONFIG_RPATH ]; then if [ -f config.rpath ]; then CONFIG_RPATH= else - echo "config.rpath not found!" >&2 + echo "config.rpath not found! - is gettext installed?" >&2 exit 1 fi fi @@ -19,27 +21,6 @@ if ! [ -z "$CONFIG_RPATH" ]; then cp "$CONFIG_RPATH" . fi -if test ! -z "`which autoreconf`"; then - echo Running autoreconf... - autoreconf -i -f -else - echo Running aclocal... - aclocal - echo Running autoheader... - autoheader - echo Running autoconf... - autoconf - echo Running automake... - automake -a -c - ( - echo Entering directory: kernel - cd kernel - echo Running autoheader... - autoheader - echo Running autoconf... - autoconf - ) -fi +echo "Running autoreconf..." +autoreconf -i -rm -f config.cache config.status -echo "To compile run './configure', and then 'make'." diff --git a/util/ulockmgr_server.c b/util/ulockmgr_server.c index baef45d..273c7d9 100644 --- a/util/ulockmgr_server.c +++ b/util/ulockmgr_server.c @@ -92,7 +92,7 @@ static int receive_message(int sock, void *buf, size_t buflen, int *fdp, cmsg = CMSG_FIRSTHDR(&msg); if (cmsg) { - if (!cmsg->cmsg_type == SCM_RIGHTS) { + if (cmsg->cmsg_type != SCM_RIGHTS) { fprintf(stderr, "ulockmgr_server: unknown control message %d\n", cmsg->cmsg_type); |