BUG=chromium:1053847
TEST=Listen to the socket from VmLogForwarder, observer messages
forwarded into separate output file.
Change-Id: Ia472e34b78db599e91f63e72a13bf8539d0d6312
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2287077
Tested-by: kokoro <noreply+kokoro@google.com>
Tested-by: Nicholas Verne <nverne@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Nicholas Verne <nverne@chromium.org>
Auto-Submit: Nicholas Verne <nverne@chromium.org>
Posix acls are a truly incredible example of API design. The presence
of a default posix acl in a directory completely changes the meaning of
the `mode` parameter for all system call that create inodes. However,
this new behavior only applies when the inode is first created and not
for any subsequent operations that use the mode, like fchmod.
When a directory has a default posix acl, all inodes created in that
directory get the permissions specified in the default acl. The mode
parameter is treated like a umask where any permissions allowed by the
default acl that are not allowed by the mode parameter are blocked. The
actual umask is ignored in this case.
So to handle this properly we need to set FUSE_DONT_MASK to prevent the
kernel driver from preemptively applying the umask. Then we have to
check if the parent directory has a default posix acl and only apply the
umask to the mode if it does not. This also means that we cannot use
`mkdtemp` because that always creates directories with a mode of 0o700
and since the default posix acl calculation only applies on creation and
not on later operations, we need to apply the proper mode in the very
beginning.
BUG=b:159285544,b:152806644
TEST=vm.Virtiofs. Use a test program to create files/directories in
directories that have a default acl and ones that don't, and verify
that the mode is correctly set after creation
Change-Id: Ieca8ac9db391feebe5719630c5f3b57b04b71533
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2260253
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Needed by arcvm.
BUG=b:159297591
TEST=run a test program that calls the ioctl
Change-Id: I1f8c17fa2b2457f5a9e73045c3dbee3440eb943d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2265932
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
MALI GPU driver calls this for printing debug information. Just
enable it since it could help debug.
BUG=None
TEST=manual - Run ARCVM on kukui with debug build of mali driver
Change-Id: If65121520071a1df9b8ba932272428cbac844984
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2262176
Tested-by: Lepton Wu <lepton@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Lepton Wu <lepton@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Commit-Queue: Lepton Wu <lepton@chromium.org>
Arcvm needs this ioctl for looking up the project id of an inode.
BUG=b:157189438
TEST=Call the ioctl inside a vm and verify that it succeeds
Change-Id: Ib178cf32b09056f9b1e9acedb49de068d5525a66
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2214964
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Matthias Springer <springerm@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
When creating a file or directory the virtio-fs server changes its
effective uid and gid to the uid and gid of the process that made the
call. This ensures that the file or directory has the correct owner and
group when it is created and also serves as an access check to ensure
that the process that made the call has permission to modify the parent
directory.
However, this causes an EACCES error when the following conditions are
met:
* The parent directory has g+rw permissions with gid A
* The process has gid B but has A in its list of supplementary groups
In this case the fuse context only contains gid B, which doesn't have
permission to modify the parent directory.
Unfortunately there's no way for us to detect this on the server side so
instead we just have to rely on the permission checks carried out by the
kernel driver. If the server receives a create call, then assume that
the kernel has verified that the process is allowed to create that
file/directory and just create it without changing the server thread's
uid and gid.
Additionally, in order to ensure that a newly created file appears
atomically in the parent directory with the proper owner and group,
change the create implementation to use `O_TMPFILE` and `linkat` as
described in the open(2) manpage. There is no `O_TMPFILE` equivalent
for directories so create a "hidden" directory with a randomly generated
name, modify the uid/gid and mode, and then rename it into place.
BUG=b:156696212
TEST=tast run $DUT vm.Virtiofs
TEST=Create a test directory with group wayland and permissions g+rw.
Then run `su -s /bin/bash -c 'touch ${dir}/foo' - crosvm` and
`su -s /bin/bash -c 'mkdir ${dir}/bar' - crosvm`.
Change-Id: If5fbcb1b011664c7c1ac29542a2f90d129c34962
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2217534
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Using the `open_inode` method on an fd for a symlink results in the
kernel returning -ELOOP. Since there are no `*at` methods for extended
attributes, manually read the path for the file and then use the
l{get,set,list,remove}xattr method on the returned path.
BUG=b:136128512
TEST=boot arcvm with virtio-fs and selinux enabled
Change-Id: I2fde57db8a075838a3a877309f6cf89059f19258
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2120763
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
The build-time seccomp compiler for aarch64 complains that it doesn't
recognize open, epoll_wait, recv, mmap2, dup2, poll, mkdir, or stat.
I tried to propose a change to upstream minijail to make it aware of
these syscalls, but the calls are in various forms of deprecation
so upstream is doubting the sanity of the policy files.
I applied the following mapping: open->openat, epoll_wait->epoll_pwait,
recv->recvfrom, mmap2->mmap, dup2->dup3, poll->ppoll, mkdir->mkdirat,
and stat->statx. In many cases the new syscall was already present so I
just deleted the old one.
BUG=None
TEST=Ran compile_seccomp_policy.py with an unmodified minijail until
it stopped complaining. I don't have an arm device for runtime testing.
Wrote an app to emulate the execution of the first 400 syscall #s though
the bpf filter and verified that the list that matches the filter is the
same as the policy file.
Change-Id: I599aa549a1712b898eb6b73492872a9676e7215d
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2036218
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Minijail's policy compiler complains when there's multiple
unconditional rules for a syscall. In most cases the rules
are redundant to common_device.policy.
BUG=None
TEST=Ran compile_seccomp_policy.py until it stopped
complaining.
Change-Id: Ic43d1fd13f9c012641d71e526942229eb8b08ed4
Signed-off-by: Matt Delco <delco@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2034024
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
This is used in Rust 1.40.0's libstd in place of stat/fstat; update the
whitelists to allow the new syscall as well.
BUG=chromium:1042461
TEST=`crosvm disk resize` does not trigger seccomp failure
Change-Id: Ia3f0e49ee009547295c7af7412dfb5eb3ac1efcb
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2003685
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
This allows us to use export a directory to a VM with the
'--shared-dir tag:/dir' crosvm command line flag without relying
on seneschal. The fs device's policy already does the same.
BUG=b:123309049
TEST=Start tot ARCVM, run 'mkdir /var/run/arc/arcvm && mount -t 9p
-o "trans=virtio,version=9p2000.L,cache=none,access=any"
host_generated /var/run/arc/arcvm && ls /var/run/arc/arcvm',
verify ls prints files.
Change-Id: I8f8b265fc8a7de159508afbee5114b6a3f084d01
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1995319
Tested-by: Yusuke Sato <yusukes@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Lepton Wu <lepton@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Commit-Queue: Yusuke Sato <yusukes@chromium.org>
Add a control queue for virtio_net, and implement the command to set
available networking offloads.
Set offloads initially when acking features from the guest. We previously set
offloads on unconditionally.
Add TUNSETOFFLOAD to the allowed ioctls for virtio_net.
BUG=chromium:1031413
TEST=boot 5.4 guest, check vmtap offloads enabled with ethtool
TEST=enable ip_forward in guest, check vmtap offloads disabled with ethtool
Change-Id: I4129aa03419798906bd95cf65a6a4ab63069f50b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1968200
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Seccomp policy for ARM hosts was recently moved from aarch64 to arm to
accurately match the ABI used on the host. Move 9s policy to match this.
BUG=none
TEST=vm.Webserver on kevin succeeds
Change-Id: I97daa524edcd411618561ce07525738bc65457cb
Reviewed-on: https://chromium-review.googlesource.com/1180470
Commit-Ready: Stephen Barber <smbarber@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
Implement a new virtio_9p device to be used for sharing directories with
the VM.
BUG=chromium:703939
TEST=mount inside a VM and run `bonnie++ -r 256`
Append the shared directory to the crosvm command line:
--shared-dir /path/to/dir:test_9p
Then mount in the guest:
mkdir /tmp/9p
mount -t 9p -o trans=virtio test_9p /tmp/9p -oversion=9p2000.L
Or for a 9p root:
run --shared-dir /mnt/vm_root:/dev/root -p 'root=/dev/root ro rootflags=ro,trans=virtio,version=9p2000.L,cache=loose rootfstype=9p' vmlinux.bin
CQ-DEPEND=CL:1065170
Change-Id: I41fc21306ab5fa318a271f172d7057b767b29f31
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1065173
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Add the 9s crate, which provides an executable that can serve the 9p
file system protocol. It initially only supports connections over vsock
but can easily be extended to support network and unix domain socket
based connections.
BUG=chromium:703939
TEST=Run the server, have maitred connect to it over vsock, mount the
9p file system in the guest kernel, share it with the penguin
container, and run `bonnie++ -r 256 -s 512`
CQ-DEPEND=CL:1121550, CL:1166446
Change-Id: Ia0c72bcf29188bba4c07b6c0a2dd5a83d02339b5
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1112870
Reviewed-by: Dylan Reid <dgreid@chromium.org>
These policies are not for aarch64 but use the 32-bit system calls.
We call it aarch64 support because that's what we're targetting for
the guest kernel, but it doesn't really make any sense to call the
seccomp policies aarch64 when we're building a 32-bit binary.
We can add real aarch64 seccomp policies when we start building a
aarch64 crosvm binary.
BUG=chromium:866197
TEST=emerge-kevin crosvm, run vm_CrosVmStart
CQ-DEPEND=CL:1145903
Change-Id: I7c5e70fbc127e4209ed392cfcf10ea36a6dd4b2c
Reviewed-on: https://chromium-review.googlesource.com/1145909
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
These syscalls were added to the x86 policy when vfd pipe support was
added, but they were never added to the arm version, for whatever
reason. This is needed to keep crosvm from getting killed by SIGSYS
whenver the user copies to or from guest applications.
BUG=chromium:864218
TEST=on kevin, copy/paste to/from gedit
Change-Id: Ibe385d50e367c362e911badd640bab2c98e07030
Reviewed-on: https://chromium-review.googlesource.com/1145876
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
This provides proper synchronization for guest access to
DMABufs.
Virtio wayland device is given access to the DMA_BUF_SYNC ioctl
in order to implement this. Being able to use this directly in
the virtio wayland device process is important as these calls
can sometimes be relatively expensive and they are frequent
enough that avoiding another context switch is useful for good
performance.
TEST=cache-line artifacts no longer noticeable
BUG=chromium:837209
Change-Id: Ibb8d7c01f70ed5b74afd69288015a65186fec52a
Reviewed-on: https://chromium-review.googlesource.com/1076928
Commit-Ready: David Reveman <reveman@chromium.org>
Tested-by: David Reveman <reveman@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
It looks like on ARM we use the real gettimeofday system call when
we're outputting error messages, so we need to whitelist this to avoid
crashing instead of seeing the error messages.
BUG=chromium:843807
TEST=run vm_CrosVmStart and make sure there are no crashes for crosvm
Change-Id: I9f47da8dabe31f0677bcaa1d431e56545e20c9c9
Reviewed-on: https://chromium-review.googlesource.com/1081390
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Signal to the OS that we want these writes committed all the way to
disk. Replace an existing call to flush as that's not sufficient.
Change-Id: I9df9e55d2182e283e15eebc02a54c1ce08434f42
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1060696
Reviewed-by: Zach Reizner <zachr@chromium.org>
Like block_device, also needs to use ftruncate64 instead of ftruncate.
BUG=chromium:840048
TEST=manual test of graphics on kevin
Change-Id: Ib24b12fd681c96ecc2fec796fe480e94a96a0626
Reviewed-on: https://chromium-review.googlesource.com/1050916
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Aarch64 seems to use ftruncate64 rather than ftruncate.
BUG=chromium:816692
TEST=run VM on kevin using concierge
Change-Id: I944f52d75fb9f5a3aaf5fe9e85708c48f249bb1a
Reviewed-on: https://chromium-review.googlesource.com/1031175
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Add a seccomp policy for virtio wayland devices on aarch64.
BUG=chromium:797868
TEST=./build_test passes on all architectures
TEST=crosvm runs on kevin built with USE="kvm_host" with a
wayland socket passed in
Change-Id: I89e9904b48598d78be0721ba8b3242d1b43f7aa3
Reviewed-on: https://chromium-review.googlesource.com/999169
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Switching to PollContext so that there is one less user of Poller, which
will be removed.
TEST=run any vm with a block device
BUG=chromium:816692
Change-Id: I2e1301ea9d66012262f1fcb69eaeee9f7464f3b3
Reviewed-on: https://chromium-review.googlesource.com/983036
Commit-Ready: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
- removes old ARMv7a (32-bit) bindings as we're only supporting aarch64
guests right now
- switches both ARMv7 and aarch64 builds to use aarch64 kvm bindings
- adds support for ARMv8 Linux guest with dynamic flattened-device-tree
CQ-DEPEND=990894
BUG=chromium:797868
TEST=./build_test passes on all architectures
TEST=crosvm runs on caroline
TEST=crosvm runs on kevin built with USE="kvm_host"
Change-Id: I7fc4fc4017ed87fd23a1bc50e3ebb05377040006
Reviewed-on: https://chromium-review.googlesource.com/969987
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Reviewed-by: Zach Reizner <zachr@chromium.org>
