[Bug 236844] [FUSEFS] fusefs should send FUSE_OPEN for every open(2)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Mar 28 01:59:36 UTC 2019 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236844

            Bug ID: 236844
           Summary: [FUSEFS] fusefs should send FUSE_OPEN for every
                    open(2)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: asomers at FreeBSD.org

The design of the fuse protocol requires the client to send FUSE_OPEN every
time that a file is opened.  That's necessary for two reasons:
1) Permission checks are handled by the server
2) The server may need to know what open(2) flags were used with each open and
with subsequent operations associated with that file descriptor.  It uses the
fh parameter to track that.

However, FreeBSD's fuse module takes a shortcut: it tries to reuse the same fh
for multiple files, as long as their open flags were the same.  But this
approach has multiple problems:

1) It only checks the first 2 bits of the open flags.  To do otherwise would
take a prohibitive amount of RAM (bug 236340).

2) It will reuse file handles between multiple different processes as long as
their open flags are the same, defeating the ability of the daemon to validate
permissions.

3) It isn't even ok to reuse filehandles within the same process for opens that
have the exact same flags.  The daemon might be doing something weird like
treating each file descriptor as a socket or something.  It's allowed to do
that.

This bug may be very hard to solve.  The problem is that our vnode ops are all
file-agnostic.  VOP_WRITE, for example, doesn't know what file descriptor was
used to initiate a write.  We could solve the problem by implementing a custom
fileops structure for fuse.  However, that may require re-implementing most of
kern/vfs_vnops.c just for fuse.  Or, we could add a struct file* argument to
most VOPs, but that would probably meet with some justified resistance.  Or, we
could always operate as if the default_permissions mount option were used and
do all privilege checking in the kernel.  Then we could get away with only
sending FUSE_OPEN the first time that a file is opened.  Of course, we would
need to actually make default_permissions work first, but that's another bug...

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list