diff options
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/filesystems/fuse.txt | 341 |
1 files changed, 341 insertions, 0 deletions
diff --git a/Documentation/filesystems/fuse.txt b/Documentation/filesystems/fuse.txt new file mode 100644 index 000000000000..83f96cf56960 --- /dev/null +++ b/Documentation/filesystems/fuse.txt | |||
@@ -0,0 +1,341 @@ | |||
1 | Definitions | ||
2 | ~~~~~~~~~~~ | ||
3 | |||
4 | Userspace filesystem: | ||
5 | |||
6 | A filesystem in which data and metadata are provided by an ordinary | ||
7 | userspace process. The filesystem can be accessed normally through | ||
8 | the kernel interface. | ||
9 | |||
10 | Filesystem daemon: | ||
11 | |||
12 | The process(es) providing the data and metadata of the filesystem. | ||
13 | |||
14 | Non-privileged mount (or user mount): | ||
15 | |||
16 | A userspace filesystem mounted by a non-privileged (non-root) user. | ||
17 | The filesystem daemon is running with the privileges of the mounting | ||
18 | user. NOTE: this is not the same as mounts allowed with the "user" | ||
19 | option in /etc/fstab, which is not discussed here. | ||
20 | |||
21 | Mount owner: | ||
22 | |||
23 | The user who does the mounting. | ||
24 | |||
25 | User: | ||
26 | |||
27 | The user who is performing filesystem operations. | ||
28 | |||
29 | What is FUSE? | ||
30 | ~~~~~~~~~~~~~ | ||
31 | |||
32 | FUSE is a userspace filesystem framework. It consists of a kernel | ||
33 | module (fuse.ko), a userspace library (libfuse.*) and a mount utility | ||
34 | (fusermount). | ||
35 | |||
36 | One of the most important features of FUSE is allowing secure, | ||
37 | non-privileged mounts. This opens up new possibilities for the use of | ||
38 | filesystems. A good example is sshfs: a secure network filesystem | ||
39 | using the sftp protocol. | ||
40 | |||
41 | The userspace library and utilities are available from the FUSE | ||
42 | homepage: | ||
43 | |||
44 | http://fuse.sourceforge.net/ | ||
45 | |||
46 | Mount options | ||
47 | ~~~~~~~~~~~~~ | ||
48 | |||
49 | 'fd=N' | ||
50 | |||
51 | The file descriptor to use for communication between the userspace | ||
52 | filesystem and the kernel. The file descriptor must have been | ||
53 | obtained by opening the FUSE device ('/dev/fuse'). | ||
54 | |||
55 | 'rootmode=M' | ||
56 | |||
57 | The file mode of the filesystem's root in octal representation. | ||
58 | |||
59 | 'user_id=N' | ||
60 | |||
61 | The numeric user id of the mount owner. | ||
62 | |||
63 | 'group_id=N' | ||
64 | |||
65 | The numeric group id of the mount owner. | ||
66 | |||
67 | 'default_permissions' | ||
68 | |||
69 | By default FUSE doesn't check file access permissions, the | ||
70 | filesystem is free to implement it's access policy or leave it to | ||
71 | the underlying file access mechanism (e.g. in case of network | ||
72 | filesystems). This option enables permission checking, restricting | ||
73 | access based on file mode. This is option is usually useful | ||
74 | together with the 'allow_other' mount option. | ||
75 | |||
76 | 'allow_other' | ||
77 | |||
78 | This option overrides the security measure restricting file access | ||
79 | to the user mounting the filesystem. This option is by default only | ||
80 | allowed to root, but this restriction can be removed with a | ||
81 | (userspace) configuration option. | ||
82 | |||
83 | 'kernel_cache' | ||
84 | |||
85 | This option disables flushing the cache of the file contents on | ||
86 | every open(). This should only be enabled on filesystems, where the | ||
87 | file data is never changed externally (not through the mounted FUSE | ||
88 | filesystem). Thus it is not suitable for network filesystems and | ||
89 | other "intermediate" filesystems. | ||
90 | |||
91 | NOTE: if this option is not specified (and neither 'direct_io') data | ||
92 | is still cached after the open(), so a read() system call will not | ||
93 | always initiate a read operation. | ||
94 | |||
95 | 'direct_io' | ||
96 | |||
97 | This option disables the use of page cache (file content cache) in | ||
98 | the kernel for this filesystem. This has several affects: | ||
99 | |||
100 | - Each read() or write() system call will initiate one or more | ||
101 | read or write operations, data will not be cached in the | ||
102 | kernel. | ||
103 | |||
104 | - The return value of the read() and write() system calls will | ||
105 | correspond to the return values of the read and write | ||
106 | operations. This is useful for example if the file size is not | ||
107 | known in advance (before reading it). | ||
108 | |||
109 | 'max_read=N' | ||
110 | |||
111 | With this option the maximum size of read operations can be set. | ||
112 | The default is infinite. Note that the size of read requests is | ||
113 | limited anyway to 32 pages (which is 128kbyte on i386). | ||
114 | |||
115 | How do non-privileged mounts work? | ||
116 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
117 | |||
118 | Since the mount() system call is a privileged operation, a helper | ||
119 | program (fusermount) is needed, which is installed setuid root. | ||
120 | |||
121 | The implication of providing non-privileged mounts is that the mount | ||
122 | owner must not be able to use this capability to compromise the | ||
123 | system. Obvious requirements arising from this are: | ||
124 | |||
125 | A) mount owner should not be able to get elevated privileges with the | ||
126 | help of the mounted filesystem | ||
127 | |||
128 | B) mount owner should not get illegitimate access to information from | ||
129 | other users' and the super user's processes | ||
130 | |||
131 | C) mount owner should not be able to induce undesired behavior in | ||
132 | other users' or the super user's processes | ||
133 | |||
134 | How are requirements fulfilled? | ||
135 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
136 | |||
137 | A) The mount owner could gain elevated privileges by either: | ||
138 | |||
139 | 1) creating a filesystem containing a device file, then opening | ||
140 | this device | ||
141 | |||
142 | 2) creating a filesystem containing a suid or sgid application, | ||
143 | then executing this application | ||
144 | |||
145 | The solution is not to allow opening device files and ignore | ||
146 | setuid and setgid bits when executing programs. To ensure this | ||
147 | fusermount always adds "nosuid" and "nodev" to the mount options | ||
148 | for non-privileged mounts. | ||
149 | |||
150 | B) If another user is accessing files or directories in the | ||
151 | filesystem, the filesystem daemon serving requests can record the | ||
152 | exact sequence and timing of operations performed. This | ||
153 | information is otherwise inaccessible to the mount owner, so this | ||
154 | counts as an information leak. | ||
155 | |||
156 | The solution to this problem will be presented in point 2) of C). | ||
157 | |||
158 | C) There are several ways in which the mount owner can induce | ||
159 | undesired behavior in other users' processes, such as: | ||
160 | |||
161 | 1) mounting a filesystem over a file or directory which the mount | ||
162 | owner could otherwise not be able to modify (or could only | ||
163 | make limited modifications). | ||
164 | |||
165 | This is solved in fusermount, by checking the access | ||
166 | permissions on the mountpoint and only allowing the mount if | ||
167 | the mount owner can do unlimited modification (has write | ||
168 | access to the mountpoint, and mountpoint is not a "sticky" | ||
169 | directory) | ||
170 | |||
171 | 2) Even if 1) is solved the mount owner can change the behavior | ||
172 | of other users' processes. | ||
173 | |||
174 | i) It can slow down or indefinitely delay the execution of a | ||
175 | filesystem operation creating a DoS against the user or the | ||
176 | whole system. For example a suid application locking a | ||
177 | system file, and then accessing a file on the mount owner's | ||
178 | filesystem could be stopped, and thus causing the system | ||
179 | file to be locked forever. | ||
180 | |||
181 | ii) It can present files or directories of unlimited length, or | ||
182 | directory structures of unlimited depth, possibly causing a | ||
183 | system process to eat up diskspace, memory or other | ||
184 | resources, again causing DoS. | ||
185 | |||
186 | The solution to this as well as B) is not to allow processes | ||
187 | to access the filesystem, which could otherwise not be | ||
188 | monitored or manipulated by the mount owner. Since if the | ||
189 | mount owner can ptrace a process, it can do all of the above | ||
190 | without using a FUSE mount, the same criteria as used in | ||
191 | ptrace can be used to check if a process is allowed to access | ||
192 | the filesystem or not. | ||
193 | |||
194 | Note that the ptrace check is not strictly necessary to | ||
195 | prevent B/2/i, it is enough to check if mount owner has enough | ||
196 | privilege to send signal to the process accessing the | ||
197 | filesystem, since SIGSTOP can be used to get a similar effect. | ||
198 | |||
199 | I think these limitations are unacceptable? | ||
200 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
201 | |||
202 | If a sysadmin trusts the users enough, or can ensure through other | ||
203 | measures, that system processes will never enter non-privileged | ||
204 | mounts, it can relax the last limitation with a "user_allow_other" | ||
205 | config option. If this config option is set, the mounting user can | ||
206 | add the "allow_other" mount option which disables the check for other | ||
207 | users' processes. | ||
208 | |||
209 | Kernel - userspace interface | ||
210 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
211 | |||
212 | The following diagram shows how a filesystem operation (in this | ||
213 | example unlink) is performed in FUSE. | ||
214 | |||
215 | NOTE: everything in this description is greatly simplified | ||
216 | |||
217 | | "rm /mnt/fuse/file" | FUSE filesystem daemon | ||
218 | | | | ||
219 | | | >sys_read() | ||
220 | | | >fuse_dev_read() | ||
221 | | | >request_wait() | ||
222 | | | [sleep on fc->waitq] | ||
223 | | | | ||
224 | | >sys_unlink() | | ||
225 | | >fuse_unlink() | | ||
226 | | [get request from | | ||
227 | | fc->unused_list] | | ||
228 | | >request_send() | | ||
229 | | [queue req on fc->pending] | | ||
230 | | [wake up fc->waitq] | [woken up] | ||
231 | | >request_wait_answer() | | ||
232 | | [sleep on req->waitq] | | ||
233 | | | <request_wait() | ||
234 | | | [remove req from fc->pending] | ||
235 | | | [copy req to read buffer] | ||
236 | | | [add req to fc->processing] | ||
237 | | | <fuse_dev_read() | ||
238 | | | <sys_read() | ||
239 | | | | ||
240 | | | [perform unlink] | ||
241 | | | | ||
242 | | | >sys_write() | ||
243 | | | >fuse_dev_write() | ||
244 | | | [look up req in fc->processing] | ||
245 | | | [remove from fc->processing] | ||
246 | | | [copy write buffer to req] | ||
247 | | [woken up] | [wake up req->waitq] | ||
248 | | | <fuse_dev_write() | ||
249 | | | <sys_write() | ||
250 | | <request_wait_answer() | | ||
251 | | <request_send() | | ||
252 | | [add request to | | ||
253 | | fc->unused_list] | | ||
254 | | <fuse_unlink() | | ||
255 | | <sys_unlink() | | ||
256 | |||
257 | There are a couple of ways in which to deadlock a FUSE filesystem. | ||
258 | Since we are talking about unprivileged userspace programs, | ||
259 | something must be done about these. | ||
260 | |||
261 | Scenario 1 - Simple deadlock | ||
262 | ----------------------------- | ||
263 | |||
264 | | "rm /mnt/fuse/file" | FUSE filesystem daemon | ||
265 | | | | ||
266 | | >sys_unlink("/mnt/fuse/file") | | ||
267 | | [acquire inode semaphore | | ||
268 | | for "file"] | | ||
269 | | >fuse_unlink() | | ||
270 | | [sleep on req->waitq] | | ||
271 | | | <sys_read() | ||
272 | | | >sys_unlink("/mnt/fuse/file") | ||
273 | | | [acquire inode semaphore | ||
274 | | | for "file"] | ||
275 | | | *DEADLOCK* | ||
276 | |||
277 | The solution for this is to allow requests to be interrupted while | ||
278 | they are in userspace: | ||
279 | |||
280 | | [interrupted by signal] | | ||
281 | | <fuse_unlink() | | ||
282 | | [release semaphore] | [semaphore acquired] | ||
283 | | <sys_unlink() | | ||
284 | | | >fuse_unlink() | ||
285 | | | [queue req on fc->pending] | ||
286 | | | [wake up fc->waitq] | ||
287 | | | [sleep on req->waitq] | ||
288 | |||
289 | If the filesystem daemon was single threaded, this will stop here, | ||
290 | since there's no other thread to dequeue and execute the request. | ||
291 | In this case the solution is to kill the FUSE daemon as well. If | ||
292 | there are multiple serving threads, you just have to kill them as | ||
293 | long as any remain. | ||
294 | |||
295 | Moral: a filesystem which deadlocks, can soon find itself dead. | ||
296 | |||
297 | Scenario 2 - Tricky deadlock | ||
298 | ---------------------------- | ||
299 | |||
300 | This one needs a carefully crafted filesystem. It's a variation on | ||
301 | the above, only the call back to the filesystem is not explicit, | ||
302 | but is caused by a pagefault. | ||
303 | |||
304 | | Kamikaze filesystem thread 1 | Kamikaze filesystem thread 2 | ||
305 | | | | ||
306 | | [fd = open("/mnt/fuse/file")] | [request served normally] | ||
307 | | [mmap fd to 'addr'] | | ||
308 | | [close fd] | [FLUSH triggers 'magic' flag] | ||
309 | | [read a byte from addr] | | ||
310 | | >do_page_fault() | | ||
311 | | [find or create page] | | ||
312 | | [lock page] | | ||
313 | | >fuse_readpage() | | ||
314 | | [queue READ request] | | ||
315 | | [sleep on req->waitq] | | ||
316 | | | [read request to buffer] | ||
317 | | | [create reply header before addr] | ||
318 | | | >sys_write(addr - headerlength) | ||
319 | | | >fuse_dev_write() | ||
320 | | | [look up req in fc->processing] | ||
321 | | | [remove from fc->processing] | ||
322 | | | [copy write buffer to req] | ||
323 | | | >do_page_fault() | ||
324 | | | [find or create page] | ||
325 | | | [lock page] | ||
326 | | | * DEADLOCK * | ||
327 | |||
328 | Solution is again to let the the request be interrupted (not | ||
329 | elaborated further). | ||
330 | |||
331 | An additional problem is that while the write buffer is being | ||
332 | copied to the request, the request must not be interrupted. This | ||
333 | is because the destination address of the copy may not be valid | ||
334 | after the request is interrupted. | ||
335 | |||
336 | This is solved with doing the copy atomically, and allowing | ||
337 | interruption while the page(s) belonging to the write buffer are | ||
338 | faulted with get_user_pages(). The 'req->locked' flag indicates | ||
339 | when the copy is taking place, and interruption is delayed until | ||
340 | this flag is unset. | ||
341 | |||