author Max Reitz <mreitz@redhat.com> 2021-06-25 16:23:13 +0200
committer Kevin Wolf <kwolf@redhat.com> 2021-07-09 12:26:05 +0200
commit 8fc54f9428b9763f8003bd5f5dd440946210fc80 (patch)
tree 1c68ffd8d5f152e7714e25559a68dd5d694b3d2a /qapi
parent 2c7dd057aa7bd7a875e9b1a53975c220d6380bc4 (diff)
export/fuse: Add allow-other option
Without the allow_other mount option, no user (not even root) but the one who started qemu/the storage daemon can access the export. Allow users to configure the export such that such accesses are possible.

While allow_other is probably what users want, we cannot make it an unconditional default, because passing it is only possible (for non-root users) if the global fuse.conf configuration file allows it. Thus, the default is an 'auto' mode, in which we first try with allow_other, and then fall back to without.

FuseExport.allow_other reports whether allow_other was actually used as a mount option or not. Currently, this information is not used, but a future patch will let this field decide whether e.g. an export's UID and GID can be changed through chmod.

One notable thing about 'auto' mode is that libfuse may print error messages directly to stderr, and so may fusermount (which it executes). Our export code cannot really filter or hide them. Therefore, if 'auto' fails its first attempt and has to fall back, fusermount will print an error message that mounting with allow_other failed.

This behavior necessitates a change to iotest 308, namely we need to filter out this error message (because if the first attempt at mounting with allow_other succeeds, there will be no such message).

Furthermore, common.rc's _make_test_img should use allow-other=off for FUSE exports, because iotests generally do not need to access images from other users, so allow-other=on or allow-other=auto have no advantage. OTOH, allow-other=on will not work on systems where user_allow_other is disabled, and with allow-other=auto, we get said error message that we would need to filter out again. Just disabling allow-other is simplest.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20210625142317.271673-3-mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Diffstat (limited to 'qapi')
-rw-r--r-- qapi/block-export.json 33
1 files changed, 32 insertions, 1 deletions
diff --git a/qapi/block-export.json b/qapi/block-export.json
index e819e70cac..0ed63442a8 100644
--- a/qapi/block-export.json
+++ b/qapi/block-export.json
@@ -121,6 +121,23 @@
'*num-queues': 'uint16'} }
##
+# @FuseExportAllowOther:
+#
+# Possible allow_other modes for FUSE exports.
+#
+# @off: Do not pass allow_other as a mount option.
+#
+# @on: Pass allow_other as a mount option.
+#
+# @auto: Try mounting with allow_other first, and if that fails, retry
+# without allow_other.
+#
+# Since: 6.1
+##
+{ 'enum': 'FuseExportAllowOther',
+ 'data': ['off', 'on', 'auto'] }
+
+##
# @BlockExportOptionsFuse:
#
# Options for exporting a block graph node on some (file) mountpoint
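Review bot: The @auto entry in the FuseExportAllowOther doc comment does not say what the fallback means for access, nor how a caller finds out which mode took effect. After a fallback the export is mounted without allow_other, so it behaves like @off, yet the schema change shown here adds nothing a management layer could query to learn that; per the commit message the only outward sign is an error printed to stderr by fusermount. Suggest extending the @auto text to state that a fallback leaves the export accessible to qemu's user only, and either documenting that the outcome is not reported over QMP or exposing the effective mode in a follow-up.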
@@ -132,11 +149,25 @@
# @growable: Whether writes beyond the EOF should grow the block node
# accordingly. (default: false)
#
+# @allow-other: If this is off, only qemu's user is allowed access to
+# this export. That cannot be changed even with chmod or
+# chown.
+# Enabling this option will allow other users access to
+# the export with the FUSE mount option "allow_other".
+# Note that using allow_other as a non-root user requires
+# user_allow_other to be enabled in the global fuse.conf
+# configuration file.
+# In auto mode (the default), the FUSE export driver will
+# first attempt to mount the export with allow_other, and
+# if that fails, try again without.
+# (since 6.1; default: auto)
+#
# Since: 6.0
##
{ 'struct': 'BlockExportOptionsFuse',
'data': { 'mountpoint': 'str',
- '*growable': 'bool' },
+ '*growable': 'bool',
+ '*allow-other': 'FuseExportAllowOther' },
'if': 'defined(CONFIG_FUSE)' }
##
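Review bot: Defaulting '*allow-other' to auto in BlockExportOptionsFuse widens access for configurations that never set the option, and the @allow-other text does not call that out. The doc says that with off "only qemu's user is allowed access", and the commit message describes that as the behaviour without allow_other, so an export created with the same options as in 6.0 becomes reachable by other users wherever the first mount attempt succeeds (root, or user_allow_other enabled in fuse.conf). Suggest adding a sentence next to "(since 6.1; default: auto)" that this is a change from 6.0, stating what limits other users' access once allow_other is in effect, and recommending allow-other=off for exports that must stay private to qemu's user.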