fusefs: Allow update mounts

Allow "mount -u" to change some mount options for fusefs.

Sponsored by:	The FreeBSD Foundation

sys/fs/fuse/fuse_ipc.h

@@ -206,6 +206,7 @@ struct fuse_data {
 
 	int				daemon_timeout;
 	uint64_t			notimpl;
+	uint64_t			mnt_flag;
 };
 
 #define FSESS_DEAD                0x0001 /* session is to be closed */
@@ -221,6 +222,11 @@ struct fuse_data {
 #define FSESS_NO_NAMECACHE        0x0400 /* disable name cache */
 #define FSESS_NO_MMAP             0x0800 /* disable mmap */
 #define FSESS_POSIX_LOCKS         0x2000 /* daemon supports POSIX locks */
+#define FSESS_MNTOPTS_MASK	( \
+	FSESS_DAEMON_CAN_SPY | FSESS_PUSH_SYMLINKS_IN | \
+	FSESS_DEFAULT_PERMISSIONS | FSESS_NO_ATTRCACHE | \
+	FSESS_NO_READAHEAD | FSESS_NO_DATACACHE | \
+	FSESS_NO_NAMECACHE | FSESS_NO_MMAP)
 
 enum fuse_data_cache_mode {
 	FUSE_CACHE_UC,

sys/fs/fuse/fuse_vfsops.c

@@ -205,6 +205,57 @@ SDT_PROBE_DEFINE1(fusefs, , vfsops, mntopts, "uint64_t");
 SDT_PROBE_DEFINE4(fusefs, , vfsops, mount_err, "char*", "struct fuse_data*",
 	"struct mount*", "int");
 
+static int
+fuse_vfs_remount(struct mount *mp, struct thread *td, uint64_t mntopts,
+	uint32_t max_read, int daemon_timeout)
+{
+	int err = 0;
+	struct fuse_data *data = fuse_get_mpdata(mp);
+	/* Don't allow these options to be changed */
+	const static unsigned long long cant_update_opts = 
+		MNT_USER;	/* Mount owner must be the user running the daemon */
+
+	FUSE_LOCK();
+
+	if ((mp->mnt_flag ^ data->mnt_flag) & cant_update_opts) {
+		err = EOPNOTSUPP;
+		SDT_PROBE4(fusefs, , vfsops, mount_err,
+			"Can't change these mount options during remount",
+			data, mp, err);
+		goto out;
+	}
+	if (((data->dataflags ^ mntopts) & FSESS_MNTOPTS_MASK) ||
+	     (data->max_read != max_read) ||
+	     (data->daemon_timeout != daemon_timeout)) {
+		// TODO: allow changing options where it makes sense
+		err = EOPNOTSUPP;
+		SDT_PROBE4(fusefs, , vfsops, mount_err,
+			"Can't change fuse mount options during remount",
+			data, mp, err);
+		goto out;
+	}
+
+	if (fdata_get_dead(data)) {
+		err = ENOTCONN;
+		SDT_PROBE4(fusefs, , vfsops, mount_err,
+			"device is dead during mount", data, mp, err);
+		goto out;
+	}
+
+	/* Sanity + permission checks */
+	if (!data->daemoncred)
+		panic("fuse daemon found, but identity unknown");
+	if (mntopts & FSESS_DAEMON_CAN_SPY)
+		err = priv_check(td, PRIV_VFS_FUSE_ALLOWOTHER);
+	if (err == 0 && td->td_ucred->cr_uid != data->daemoncred->cr_uid)
+		/* are we allowed to do the first mount? */
+		err = priv_check(td, PRIV_VFS_FUSE_MOUNT_NONUSER);
+
+out:
+	FUSE_UNLOCK();
+	return err;
+}
+
 static int
 fuse_vfsop_mount(struct mount *mp)
 {
@@ -231,12 +282,8 @@ fuse_vfsop_mount(struct mount *mp)
 	__mntopts = 0;
 	td = curthread;
 
-	if (mp->mnt_flag & MNT_UPDATE)
-		return EOPNOTSUPP;
-
 	MNT_ILOCK(mp);
 	mp->mnt_flag |= MNT_SYNCHRONOUS;
-	mp->mnt_data = NULL;
 	MNT_IUNLOCK(mp);
 	/* Get the new options passed to mount */
 	opts = mp->mnt_optnew;
@@ -248,19 +295,6 @@ fuse_vfsop_mount(struct mount *mp)
 	if (!vfs_getopts(opts, "fspath", &err))
 		return err;
 
-	/* `from' contains the device name (eg. /dev/fuse0); REQUIRED */
-	fspec = vfs_getopts(opts, "from", &err);
-	if (!fspec)
-		return err;
-
-	/* `fd' contains the filedescriptor for this session; REQUIRED */
-	if (vfs_scanopt(opts, "fd", "%d", &fd) != 1)
-		return EINVAL;
-
-	err = fuse_getdevice(fspec, td, &fdev);
-	if (err != 0)
-		return err;
-
 	/*
 	 * With the help of underscored options the mount program
 	 * can inform us from the flags it sets by default
@@ -287,6 +321,25 @@ fuse_vfsop_mount(struct mount *mp)
 
 	SDT_PROBE1(fusefs, , vfsops, mntopts, mntopts);
 
+	if (mp->mnt_flag & MNT_UPDATE) {
+		/*dev_rel(fdev);*/
+		return fuse_vfs_remount(mp, td, mntopts, max_read,
+			daemon_timeout);
+	}
+
+	/* `from' contains the device name (eg. /dev/fuse0); REQUIRED */
+	fspec = vfs_getopts(opts, "from", &err);
+	if (!fspec)
+		return err;
+
+	/* `fd' contains the filedescriptor for this session; REQUIRED */
+	if (vfs_scanopt(opts, "fd", "%d", &fd) != 1)
+		return EINVAL;
+
+	err = fuse_getdevice(fspec, td, &fdev);
+	if (err != 0)
+		return err;
+
 	err = fget(td, fd, &cap_read_rights, &fp);
 	if (err != 0) {
 		SDT_PROBE2(fusefs, , vfsops, trace, 1,
@@ -330,6 +383,7 @@ fuse_vfsop_mount(struct mount *mp)
 	data->dataflags |= mntopts;
 	data->max_read = max_read;
 	data->daemon_timeout = daemon_timeout;
+	data->mnt_flag = mp->mnt_flag & MNT_UPDATEMASK;
 	FUSE_UNLOCK();
 
 	vfs_getnewfsid(mp);
@@ -365,6 +419,7 @@ out:
 			SDT_PROBE4(fusefs, , vfsops, mount_err,
 				"mount failed, destroy device", data, mp, err);
 			data->mp = NULL;
+			mp->mnt_data = NULL;
 			fdata_trydestroy(data);
 		}
 		FUSE_UNLOCK();

tests/sys/fs/fusefs/Makefile

@@ -25,6 +25,7 @@ GTESTS+=	locks
 GTESTS+=	lookup
 GTESTS+=	mkdir
 GTESTS+=	mknod
+GTESTS+=	mount
 GTESTS+=	open
 GTESTS+=	opendir
 GTESTS+=	read

tests/sys/fs/fusefs/mount.cc

@@ -0,0 +1,152 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
+ * Copyright (c) 2019 The FreeBSD Foundation
+ *
+ * This software was developed by BFF Storage Systems, LLC under sponsorship
+ * from the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+extern "C" {
+#include <sys/param.h>
+#include <sys/mount.h>
+#include <sys/uio.h>
+
+#include "mntopts.h"	// for build_iovec
+}
+
+#include "mockfs.hh"
+#include "utils.hh"
+
+using namespace testing;
+
+class UpdateOk: public FuseTest, public WithParamInterface<const char*> {};
+class UpdateErr: public FuseTest, public WithParamInterface<const char*> {};
+
+int mntflag_from_string(const char *s)
+{
+	if (0 == strcmp("MNT_RDONLY", s))
+		return MNT_RDONLY;
+	else if (0 == strcmp("MNT_NOEXEC", s))
+		return MNT_NOEXEC;
+	else if (0 == strcmp("MNT_NOSUID", s))
+		return MNT_NOSUID;
+	else if (0 == strcmp("MNT_NOATIME", s))
+		return MNT_NOATIME;
+	else if (0 == strcmp("MNT_SUIDDIR", s))
+		return MNT_SUIDDIR;
+	else if (0 == strcmp("MNT_USER", s))
+		return MNT_USER;
+	else
+		return 0;
+}
+
+/* Some mount options can be changed by mount -u */
+TEST_P(UpdateOk, update)
+{
+	struct statfs statbuf;
+	struct iovec *iov = NULL;
+	int iovlen = 0;
+	int flag;
+	int newflags = MNT_UPDATE | MNT_SYNCHRONOUS;
+
+	flag = mntflag_from_string(GetParam());
+	if (flag == MNT_NOSUID && 0 != geteuid())
+		GTEST_SKIP() << "Only root may clear MNT_NOSUID";
+	if (flag == MNT_SUIDDIR && 0 != geteuid())
+		GTEST_SKIP() << "Only root may set MNT_SUIDDIR";
+
+	EXPECT_CALL(*m_mock, process(
+		ResultOf([](auto in) {
+			return (in->header.opcode == FUSE_STATFS);
+		}, Eq(true)),
+		_)
+	).WillRepeatedly(Invoke(ReturnImmediate([=](auto in __unused, auto out) {
+		/* 
+		 * All of the fields except f_flags are don't care, and f_flags is set by
+		 * the VFS
+		 */
+		SET_OUT_HEADER_LEN(out, statfs);
+	})));
+
+	ASSERT_EQ(0, statfs("mountpoint", &statbuf)) << strerror(errno);
+	newflags = (statbuf.f_flags | MNT_UPDATE) ^ flag;
+
+	build_iovec(&iov, &iovlen, "fstype", (void*)statbuf.f_fstypename, -1);
+	build_iovec(&iov, &iovlen, "fspath", (void*)statbuf.f_mntonname, -1);
+	build_iovec(&iov, &iovlen, "from", __DECONST(void *, "/dev/fuse"), -1);
+	ASSERT_EQ(0, nmount(iov, iovlen, newflags)) << strerror(errno);
+
+	ASSERT_EQ(0, statfs("mountpoint", &statbuf)) << strerror(errno);
+	EXPECT_FALSE((newflags ^ statbuf.f_flags) & flag);
+}
+
+/* Some mount options cannnot be changed by mount -u */
+TEST_P(UpdateErr, update)
+{
+	struct statfs statbuf;
+	struct iovec *iov = NULL;
+	int iovlen = 0;
+	int flag;
+	int newflags = MNT_UPDATE | MNT_SYNCHRONOUS;
+
+	flag = mntflag_from_string(GetParam());
+	EXPECT_CALL(*m_mock, process(
+		ResultOf([](auto in) {
+			return (in->header.opcode == FUSE_STATFS);
+		}, Eq(true)),
+		_)
+	).WillRepeatedly(Invoke(ReturnImmediate([=](auto in __unused, auto out) {
+		/* 
+		 * All of the fields except f_flags are don't care, and f_flags is set by
+		 * the VFS
+		 */
+		SET_OUT_HEADER_LEN(out, statfs);
+	})));
+
+	ASSERT_EQ(0, statfs("mountpoint", &statbuf)) << strerror(errno);
+	newflags = (statbuf.f_flags | MNT_UPDATE) ^ flag;
+
+	build_iovec(&iov, &iovlen, "fstype", (void*)statbuf.f_fstypename, -1);
+	build_iovec(&iov, &iovlen, "fspath", (void*)statbuf.f_mntonname, -1);
+	build_iovec(&iov, &iovlen, "from", __DECONST(void *, "/dev/fuse"), -1);
+	/* 
+	 * Don't check nmount's return value, because vfs_domount may "fix" the
+	 * options for us.  The important thing is to check the final value of
+	 * statbuf.f_flags below.
+	 */
+	(void)nmount(iov, iovlen, newflags);
+
+	ASSERT_EQ(0, statfs("mountpoint", &statbuf)) << strerror(errno);
+	EXPECT_TRUE((newflags ^ statbuf.f_flags) & flag);
+}
+
+INSTANTIATE_TEST_CASE_P(Mount, UpdateOk,
+		::testing::Values("MNT_RDONLY", "MNT_NOEXEC", "MNT_NOSUID", "MNT_NOATIME",
+		"MNT_SUIDDIR")
+);
+
+INSTANTIATE_TEST_CASE_P(Mount, UpdateErr,
+		::testing::Values( "MNT_USER");
+);