1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 mod file;
18 mod mount;
19
20 use anyhow::{anyhow, bail, Result};
21 use fuse::filesystem::{
22 Context, DirEntry, DirectoryIterator, Entry, FileSystem, FsOptions, GetxattrReply,
23 SetattrValid, ZeroCopyReader, ZeroCopyWriter,
24 };
25 use fuse::sys::OpenOptions as FuseOpenOptions;
26 use log::{error, trace, warn};
27 use std::collections::{btree_map, BTreeMap};
28 use std::convert::{TryFrom, TryInto};
29 use std::ffi::{CStr, CString, OsStr};
30 use std::io;
31 use std::mem::{zeroed, MaybeUninit};
32 use std::option::Option;
33 use std::os::unix::ffi::OsStrExt;
34 use std::path::{Component, Path, PathBuf};
35 use std::sync::atomic::{AtomicU64, Ordering};
36 use std::sync::{Arc, RwLock};
37 use std::time::Duration;
38
39 use crate::common::{divide_roundup, ChunkedSizeIter, CHUNK_SIZE};
40 use crate::file::{
41 validate_basename, Attr, InMemoryDir, RandomWrite, ReadByChunk, RemoteDirEditor,
42 RemoteFileEditor, RemoteFileReader,
43 };
44 use crate::fsstat::RemoteFsStatsReader;
45 use crate::fsverity::VerifiedFileEditor;
46
47 pub use self::file::LazyVerifiedReadonlyFile;
48 pub use self::mount::mount_and_enter_message_loop;
49 use self::mount::MAX_WRITE_BYTES;
50
51 pub type Inode = u64;
52 type Handle = u64;
53
54 /// Maximum time for a file's metadata to be cached by the kernel. Since any file and directory
55 /// changes (if not read-only) has to go through AuthFS to be trusted, the timeout can be maximum.
56 const DEFAULT_METADATA_TIMEOUT: Duration = Duration::MAX;
57
58 const ROOT_INODE: Inode = 1;
59
60 /// `AuthFsEntry` defines the filesystem entry type supported by AuthFS.
61 pub enum AuthFsEntry {
62 /// A read-only directory (writable during initialization). Root directory is an example.
63 ReadonlyDirectory { dir: InMemoryDir },
64 /// A file type that is verified against fs-verity signature (thus read-only). The file is
65 /// served from a remote server.
66 VerifiedReadonly { reader: LazyVerifiedReadonlyFile },
67 /// A file type that is a read-only passthrough from a file on a remote server.
68 UnverifiedReadonly { reader: RemoteFileReader, file_size: u64 },
69 /// A file type that is initially empty, and the content is stored on a remote server. File
70 /// integrity is guaranteed with private Merkle tree.
71 VerifiedNew { editor: VerifiedFileEditor<RemoteFileEditor>, attr: Attr },
72 /// A directory type that is initially empty. One can create new file (`VerifiedNew`) and new
73 /// directory (`VerifiedNewDirectory` itself) with integrity guaranteed within the VM.
74 VerifiedNewDirectory { dir: RemoteDirEditor, attr: Attr },
75 }
76
77 impl AuthFsEntry {
expect_empty_deletable_directory(&self) -> io::Result<()>78 fn expect_empty_deletable_directory(&self) -> io::Result<()> {
79 match self {
80 AuthFsEntry::VerifiedNewDirectory { dir, .. } => {
81 if dir.number_of_entries() == 0 {
82 Ok(())
83 } else {
84 Err(io::Error::from_raw_os_error(libc::ENOTEMPTY))
85 }
86 }
87 AuthFsEntry::ReadonlyDirectory { .. } => {
88 Err(io::Error::from_raw_os_error(libc::EACCES))
89 }
90 _ => Err(io::Error::from_raw_os_error(libc::ENOTDIR)),
91 }
92 }
93 }
94
95 struct InodeState {
96 /// Actual inode entry.
97 entry: AuthFsEntry,
98
99 /// Number of `Handle`s (i.e. file descriptors) that are currently referring to the this inode.
100 ///
101 /// Technically, this does not matter to readonly entries, since they live forever. The
102 /// reference count is only needed for manageing lifetime of writable entries like
103 /// `VerifiedNew` and `VerifiedNewDirectory`. That is, when an entry is deleted, the actual
104 /// entry needs to stay alive until the reference count reaches zero.
105 ///
106 /// Note: This is not to be confused with hardlinks, which AuthFS doesn't currently implement.
107 handle_ref_count: AtomicU64,
108
109 /// Whether the inode is already unlinked, i.e. should be removed, once `handle_ref_count` is
110 /// down to zero.
111 unlinked: bool,
112 }
113
114 impl InodeState {
new(entry: AuthFsEntry) -> Self115 fn new(entry: AuthFsEntry) -> Self {
116 InodeState { entry, handle_ref_count: AtomicU64::new(0), unlinked: false }
117 }
118
new_with_ref_count(entry: AuthFsEntry, handle_ref_count: u64) -> Self119 fn new_with_ref_count(entry: AuthFsEntry, handle_ref_count: u64) -> Self {
120 InodeState { entry, handle_ref_count: AtomicU64::new(handle_ref_count), unlinked: false }
121 }
122 }
123
124 /// Data type that a directory implementation should be able to present its entry to `AuthFs`.
125 #[derive(Clone)]
126 pub struct AuthFsDirEntry {
127 pub inode: Inode,
128 pub name: CString,
129 pub is_dir: bool,
130 }
131
132 /// A snapshot of a directory entries for supporting `readdir` operation.
133 ///
134 /// The `readdir` implementation is required by FUSE to not return any entries that have been
135 /// returned previously (while it's fine to not return new entries). Snapshot is the easiest way to
136 /// be compliant. See `fuse::filesystem::readdir` for more details.
137 ///
138 /// A `DirEntriesSnapshot` is created on `opendir`, and is associated with the returned
139 /// `Handle`/FD. The snapshot is deleted when the handle is released in `releasedir`.
140 type DirEntriesSnapshot = Vec<AuthFsDirEntry>;
141
142 /// An iterator for reading from `DirEntriesSnapshot`.
143 pub struct DirEntriesSnapshotIterator {
144 /// A reference to the `DirEntriesSnapshot` in `AuthFs`.
145 snapshot: Arc<DirEntriesSnapshot>,
146
147 /// A value determined by `Self` to identify the last entry. 0 is a reserved value by FUSE to
148 /// mean reading from the beginning.
149 prev_offset: usize,
150 }
151
152 impl DirectoryIterator for DirEntriesSnapshotIterator {
next(&mut self) -> Option<DirEntry>153 fn next(&mut self) -> Option<DirEntry> {
154 // This iterator should not be the only reference to the snapshot. The snapshot should
155 // still be hold in `dir_handle_table`, i.e. when the FD is not yet closed.
156 //
157 // This code is unreachable when `readdir` is called with a closed FD. Only when the FD is
158 // not yet closed, `DirEntriesSnapshotIterator` can be created (but still short-lived
159 // during `readdir`).
160 debug_assert!(Arc::strong_count(&self.snapshot) >= 2);
161
162 // Since 0 is reserved, let's use 1-based index for the offset. This allows us to
163 // resume from the previous read in the snapshot easily.
164 let current_offset = if self.prev_offset == 0 {
165 1 // first element in the vector
166 } else {
167 self.prev_offset + 1 // next element in the vector
168 };
169 if current_offset > self.snapshot.len() {
170 None
171 } else {
172 let AuthFsDirEntry { inode, name, is_dir } = &self.snapshot[current_offset - 1];
173 let entry = DirEntry {
174 offset: current_offset as u64,
175 ino: *inode,
176 name,
177 type_: if *is_dir { libc::DT_DIR.into() } else { libc::DT_REG.into() },
178 };
179 self.prev_offset = current_offset;
180 Some(entry)
181 }
182 }
183 }
184
185 type DirHandleTable = BTreeMap<Handle, Arc<DirEntriesSnapshot>>;
186
187 // AuthFS needs to be `Sync` to be used with the `fuse` crate.
188 pub struct AuthFs {
189 /// Table for `Inode` to `InodeState` lookup.
190 inode_table: RwLock<BTreeMap<Inode, InodeState>>,
191
192 /// The next available inode number.
193 next_inode: AtomicU64,
194
195 /// Table for `Handle` to `Arc<DirEntriesSnapshot>` lookup. On `opendir`, a new directory
196 /// handle is created and the snapshot of the current directory is created. This is not
197 /// super efficient, but is the simplest way to be compliant to the FUSE contract (see
198 /// `fuse::filesystem::readdir`).
199 ///
200 /// Currently, no code locks `dir_handle_table` and `inode_table` at the same time to avoid
201 /// deadlock.
202 dir_handle_table: RwLock<DirHandleTable>,
203
204 /// The next available handle number.
205 next_handle: AtomicU64,
206
207 /// A reader to access the remote filesystem stats, which is supposed to be of "the" output
208 /// directory. We assume all output are stored in the same partition.
209 remote_fs_stats_reader: RemoteFsStatsReader,
210 }
211
212 // Implementation for preparing an `AuthFs` instance, before starting to serve.
213 // TODO(victorhsieh): Consider implement a builder to separate the mutable initialization from the
214 // immutable / interiorly mutable serving phase.
215 impl AuthFs {
new(remote_fs_stats_reader: RemoteFsStatsReader) -> AuthFs216 pub fn new(remote_fs_stats_reader: RemoteFsStatsReader) -> AuthFs {
217 let mut inode_table = BTreeMap::new();
218 inode_table.insert(
219 ROOT_INODE,
220 InodeState::new(AuthFsEntry::ReadonlyDirectory { dir: InMemoryDir::new() }),
221 );
222
223 AuthFs {
224 inode_table: RwLock::new(inode_table),
225 next_inode: AtomicU64::new(ROOT_INODE + 1),
226 dir_handle_table: RwLock::new(BTreeMap::new()),
227 next_handle: AtomicU64::new(1),
228 remote_fs_stats_reader,
229 }
230 }
231
232 /// Add an `AuthFsEntry` as `basename` to the filesystem root.
add_entry_at_root_dir( &mut self, basename: PathBuf, entry: AuthFsEntry, ) -> Result<Inode>233 pub fn add_entry_at_root_dir(
234 &mut self,
235 basename: PathBuf,
236 entry: AuthFsEntry,
237 ) -> Result<Inode> {
238 validate_basename(&basename)?;
239 self.add_entry_at_ro_dir_by_path(ROOT_INODE, &basename, entry)
240 }
241
242 /// Add an `AuthFsEntry` by path from the `ReadonlyDirectory` represented by `dir_inode`. The
243 /// path must be a related path. If some ancestor directories do not exist, they will be
244 /// created (also as `ReadonlyDirectory`) automatically.
add_entry_at_ro_dir_by_path( &mut self, dir_inode: Inode, path: &Path, entry: AuthFsEntry, ) -> Result<Inode>245 pub fn add_entry_at_ro_dir_by_path(
246 &mut self,
247 dir_inode: Inode,
248 path: &Path,
249 entry: AuthFsEntry,
250 ) -> Result<Inode> {
251 // 1. Make sure the parent directories all exist. Derive the entry's parent inode.
252 let parent_path =
253 path.parent().ok_or_else(|| anyhow!("No parent directory: {:?}", path))?;
254 let parent_inode =
255 parent_path.components().try_fold(dir_inode, |current_dir_inode, path_component| {
256 match path_component {
257 Component::RootDir => bail!("Absolute path is not supported"),
258 Component::Normal(name) => {
259 let inode_table = self.inode_table.get_mut().unwrap();
260 // Locate the internal directory structure.
261 let current_dir_entry = &mut inode_table
262 .get_mut(¤t_dir_inode)
263 .ok_or_else(|| {
264 anyhow!("Unknown directory inode {}", current_dir_inode)
265 })?
266 .entry;
267 let dir = match current_dir_entry {
268 AuthFsEntry::ReadonlyDirectory { dir } => dir,
269 _ => unreachable!("Not a ReadonlyDirectory"),
270 };
271 // Return directory inode. Create first if not exists.
272 if let Some(existing_inode) = dir.lookup_inode(name.as_ref()) {
273 Ok(existing_inode)
274 } else {
275 let new_inode = self.next_inode.fetch_add(1, Ordering::Relaxed);
276 let new_dir_entry =
277 AuthFsEntry::ReadonlyDirectory { dir: InMemoryDir::new() };
278
279 // Actually update the tables.
280 dir.add_dir(name.as_ref(), new_inode)?;
281 if inode_table
282 .insert(new_inode, InodeState::new(new_dir_entry))
283 .is_some()
284 {
285 bail!("Unexpected to find a duplicated inode");
286 }
287 Ok(new_inode)
288 }
289 }
290 _ => Err(anyhow!("Path is not canonical: {:?}", path)),
291 }
292 })?;
293
294 // 2. Insert the entry to the parent directory, as well as the inode table.
295 let inode_table = self.inode_table.get_mut().unwrap();
296 let inode_state = inode_table.get_mut(&parent_inode).expect("previously returned inode");
297 match &mut inode_state.entry {
298 AuthFsEntry::ReadonlyDirectory { dir } => {
299 let basename =
300 path.file_name().ok_or_else(|| anyhow!("Bad file name: {:?}", path))?;
301 let new_inode = self.next_inode.fetch_add(1, Ordering::Relaxed);
302
303 // Actually update the tables.
304 dir.add_file(basename.as_ref(), new_inode)?;
305 if inode_table.insert(new_inode, InodeState::new(entry)).is_some() {
306 bail!("Unexpected to find a duplicated inode");
307 }
308 Ok(new_inode)
309 }
310 _ => unreachable!("Not a ReadonlyDirectory"),
311 }
312 }
313 }
314
315 // Implementation for serving requests.
316 impl AuthFs {
317 /// Handles the file associated with `inode` if found. This function returns whatever
318 /// `handle_fn` returns.
handle_inode<F, R>(&self, inode: &Inode, handle_fn: F) -> io::Result<R> where F: FnOnce(&AuthFsEntry) -> io::Result<R>,319 fn handle_inode<F, R>(&self, inode: &Inode, handle_fn: F) -> io::Result<R>
320 where
321 F: FnOnce(&AuthFsEntry) -> io::Result<R>,
322 {
323 let inode_table = self.inode_table.read().unwrap();
324 handle_inode_locked(&inode_table, inode, |inode_state| handle_fn(&inode_state.entry))
325 }
326
327 /// Adds a new entry `name` created by `create_fn` at `parent_inode`, with an initial ref count
328 /// of one.
329 ///
330 /// The operation involves two updates: adding the name with a new allocated inode to the
331 /// parent directory, and insert the new inode and the actual `AuthFsEntry` to the global inode
332 /// table.
333 ///
334 /// `create_fn` receives the parent directory, through which it can create the new entry at and
335 /// register the new inode to. Its returned entry is then added to the inode table.
create_new_entry_with_ref_count<F>( &self, parent_inode: Inode, name: &CStr, create_fn: F, ) -> io::Result<Inode> where F: FnOnce(&mut AuthFsEntry, &Path, Inode) -> io::Result<AuthFsEntry>,336 fn create_new_entry_with_ref_count<F>(
337 &self,
338 parent_inode: Inode,
339 name: &CStr,
340 create_fn: F,
341 ) -> io::Result<Inode>
342 where
343 F: FnOnce(&mut AuthFsEntry, &Path, Inode) -> io::Result<AuthFsEntry>,
344 {
345 let mut inode_table = self.inode_table.write().unwrap();
346 let (new_inode, new_file_entry) = handle_inode_mut_locked(
347 &mut inode_table,
348 &parent_inode,
349 |InodeState { entry, .. }| {
350 let new_inode = self.next_inode.fetch_add(1, Ordering::Relaxed);
351 let basename: &Path = cstr_to_path(name);
352 let new_file_entry = create_fn(entry, basename, new_inode)?;
353 Ok((new_inode, new_file_entry))
354 },
355 )?;
356
357 if let btree_map::Entry::Vacant(entry) = inode_table.entry(new_inode) {
358 entry.insert(InodeState::new_with_ref_count(new_file_entry, 1));
359 Ok(new_inode)
360 } else {
361 unreachable!("Unexpected duplication of inode {}", new_inode);
362 }
363 }
364
open_dir_store_snapshot( &self, dir_entries: Vec<AuthFsDirEntry>, ) -> io::Result<(Option<Handle>, FuseOpenOptions)>365 fn open_dir_store_snapshot(
366 &self,
367 dir_entries: Vec<AuthFsDirEntry>,
368 ) -> io::Result<(Option<Handle>, FuseOpenOptions)> {
369 let handle = self.next_handle.fetch_add(1, Ordering::Relaxed);
370 let mut dir_handle_table = self.dir_handle_table.write().unwrap();
371 if let btree_map::Entry::Vacant(value) = dir_handle_table.entry(handle) {
372 value.insert(Arc::new(dir_entries));
373 Ok((Some(handle), FuseOpenOptions::empty()))
374 } else {
375 unreachable!("Unexpected to see new handle {} to existing in the table", handle);
376 }
377 }
378 }
379
check_access_mode(flags: u32, mode: libc::c_int) -> io::Result<()>380 fn check_access_mode(flags: u32, mode: libc::c_int) -> io::Result<()> {
381 if (flags & libc::O_ACCMODE as u32) == mode as u32 {
382 Ok(())
383 } else {
384 Err(io::Error::from_raw_os_error(libc::EACCES))
385 }
386 }
387
388 #[allow(clippy::enum_variant_names)]
389 enum AccessMode {
390 ReadOnly,
391 Variable(u32),
392 }
393
create_stat( ino: libc::ino_t, file_size: u64, access_mode: AccessMode, ) -> io::Result<libc::stat64>394 fn create_stat(
395 ino: libc::ino_t,
396 file_size: u64,
397 access_mode: AccessMode,
398 ) -> io::Result<libc::stat64> {
399 // SAFETY: stat64 is a plan C struct without pointer.
400 let mut st = unsafe { MaybeUninit::<libc::stat64>::zeroed().assume_init() };
401
402 st.st_ino = ino;
403 st.st_mode = match access_mode {
404 AccessMode::ReadOnly => {
405 // Until needed, let's just grant the owner access.
406 libc::S_IFREG | libc::S_IRUSR
407 }
408 AccessMode::Variable(mode) => libc::S_IFREG | mode,
409 };
410 st.st_nlink = 1;
411 st.st_uid = 0;
412 st.st_gid = 0;
413 st.st_size = libc::off64_t::try_from(file_size)
414 .map_err(|_| io::Error::from_raw_os_error(libc::EFBIG))?;
415 st.st_blksize = CHUNK_SIZE.try_into().unwrap();
416 // Per man stat(2), st_blocks is "Number of 512B blocks allocated".
417 st.st_blocks = libc::c_longlong::try_from(divide_roundup(file_size, 512))
418 .map_err(|_| io::Error::from_raw_os_error(libc::EFBIG))?;
419 Ok(st)
420 }
421
create_dir_stat( ino: libc::ino_t, file_number: u16, access_mode: AccessMode, ) -> io::Result<libc::stat64>422 fn create_dir_stat(
423 ino: libc::ino_t,
424 file_number: u16,
425 access_mode: AccessMode,
426 ) -> io::Result<libc::stat64> {
427 // SAFETY: stat64 is a plan C struct without pointer.
428 let mut st = unsafe { MaybeUninit::<libc::stat64>::zeroed().assume_init() };
429
430 st.st_ino = ino;
431 st.st_mode = match access_mode {
432 AccessMode::ReadOnly => {
433 // Until needed, let's just grant the owner access and search to group and others.
434 libc::S_IFDIR | libc::S_IXUSR | libc::S_IRUSR | libc::S_IXGRP | libc::S_IXOTH
435 }
436 AccessMode::Variable(mode) => libc::S_IFDIR | mode,
437 };
438
439 // 2 extra for . and ..
440 st.st_nlink = file_number
441 .checked_add(2)
442 .ok_or_else(|| io::Error::from_raw_os_error(libc::EOVERFLOW))?
443 .into();
444
445 st.st_uid = 0;
446 st.st_gid = 0;
447 Ok(st)
448 }
449
offset_to_chunk_index(offset: u64) -> u64450 fn offset_to_chunk_index(offset: u64) -> u64 {
451 offset / CHUNK_SIZE
452 }
453
read_chunks<W: io::Write, T: ReadByChunk>( mut w: W, file: &T, file_size: u64, offset: u64, size: u32, ) -> io::Result<usize>454 fn read_chunks<W: io::Write, T: ReadByChunk>(
455 mut w: W,
456 file: &T,
457 file_size: u64,
458 offset: u64,
459 size: u32,
460 ) -> io::Result<usize> {
461 let remaining = file_size.saturating_sub(offset);
462 let size_to_read = std::cmp::min(size as usize, remaining as usize);
463 let total = ChunkedSizeIter::new(size_to_read, offset, CHUNK_SIZE as usize).try_fold(
464 0,
465 |total, (current_offset, planned_data_size)| {
466 // TODO(victorhsieh): There might be a non-trivial way to avoid this copy. For example,
467 // instead of accepting a buffer, the writer could expose the final destination buffer
468 // for the reader to write to. It might not be generally applicable though, e.g. with
469 // virtio transport, the buffer may not be continuous.
470 let mut buf = [0u8; CHUNK_SIZE as usize];
471 let read_size = file.read_chunk(offset_to_chunk_index(current_offset), &mut buf)?;
472 if read_size < planned_data_size {
473 return Err(io::Error::from_raw_os_error(libc::ENODATA));
474 }
475
476 let begin = (current_offset % CHUNK_SIZE) as usize;
477 let end = begin + planned_data_size;
478 let s = w.write(&buf[begin..end])?;
479 if s != planned_data_size {
480 return Err(io::Error::from_raw_os_error(libc::EIO));
481 }
482 Ok(total + s)
483 },
484 )?;
485
486 Ok(total)
487 }
488
489 impl FileSystem for AuthFs {
490 type Inode = Inode;
491 type Handle = Handle;
492 type DirIter = DirEntriesSnapshotIterator;
493
max_buffer_size(&self) -> u32494 fn max_buffer_size(&self) -> u32 {
495 MAX_WRITE_BYTES
496 }
497
init(&self, _capable: FsOptions) -> io::Result<FsOptions>498 fn init(&self, _capable: FsOptions) -> io::Result<FsOptions> {
499 // Enable writeback cache for better performance especially since our bandwidth to the
500 // backend service is limited.
501 Ok(FsOptions::WRITEBACK_CACHE)
502 }
503
lookup(&self, _ctx: Context, parent: Inode, name: &CStr) -> io::Result<Entry>504 fn lookup(&self, _ctx: Context, parent: Inode, name: &CStr) -> io::Result<Entry> {
505 let inode_table = self.inode_table.read().unwrap();
506
507 // Look up the entry's inode number in parent directory.
508 let inode =
509 handle_inode_locked(&inode_table, &parent, |inode_state| match &inode_state.entry {
510 AuthFsEntry::ReadonlyDirectory { dir } => {
511 let path = cstr_to_path(name);
512 dir.lookup_inode(path).ok_or_else(|| io::Error::from_raw_os_error(libc::ENOENT))
513 }
514 AuthFsEntry::VerifiedNewDirectory { dir, .. } => {
515 let path = cstr_to_path(name);
516 dir.find_inode(path)
517 }
518 _ => Err(io::Error::from_raw_os_error(libc::ENOTDIR)),
519 })?;
520
521 // Create the entry's stat if found.
522 let st = handle_inode_locked(
523 &inode_table,
524 &inode,
525 |InodeState { entry, handle_ref_count, .. }| {
526 let st = match entry {
527 AuthFsEntry::ReadonlyDirectory { dir } => {
528 create_dir_stat(inode, dir.number_of_entries(), AccessMode::ReadOnly)
529 }
530 AuthFsEntry::UnverifiedReadonly { file_size, .. } => {
531 create_stat(inode, *file_size, AccessMode::ReadOnly)
532 }
533 AuthFsEntry::VerifiedReadonly { reader } => {
534 create_stat(inode, reader.file_size()?, AccessMode::ReadOnly)
535 }
536 AuthFsEntry::VerifiedNew { editor, attr, .. } => {
537 create_stat(inode, editor.size(), AccessMode::Variable(attr.mode()))
538 }
539 AuthFsEntry::VerifiedNewDirectory { dir, attr } => create_dir_stat(
540 inode,
541 dir.number_of_entries(),
542 AccessMode::Variable(attr.mode()),
543 ),
544 }?;
545 if handle_ref_count.fetch_add(1, Ordering::Relaxed) == u64::MAX {
546 panic!("Handle reference count overflow");
547 }
548 Ok(st)
549 },
550 )?;
551
552 Ok(Entry {
553 inode,
554 generation: 0,
555 attr: st,
556 entry_timeout: DEFAULT_METADATA_TIMEOUT,
557 attr_timeout: DEFAULT_METADATA_TIMEOUT,
558 })
559 }
560
forget(&self, _ctx: Context, inode: Self::Inode, count: u64)561 fn forget(&self, _ctx: Context, inode: Self::Inode, count: u64) {
562 let mut inode_table = self.inode_table.write().unwrap();
563 let delete_now = handle_inode_mut_locked(
564 &mut inode_table,
565 &inode,
566 |InodeState { handle_ref_count, unlinked, .. }| {
567 let current = handle_ref_count.get_mut();
568 if count > *current {
569 error!(
570 "Trying to decrease refcount of inode {} by {} (> current {})",
571 inode, count, *current
572 );
573 panic!(); // log to logcat with error!
574 }
575 *current -= count;
576 Ok(*unlinked && *current == 0)
577 },
578 );
579
580 match delete_now {
581 Ok(true) => {
582 let _ignored = inode_table.remove(&inode).expect("Removed an existing entry");
583 }
584 Ok(false) => { /* Let the inode stay */ }
585 Err(e) => {
586 warn!(
587 "Unexpected failure when tries to forget an inode {} by refcount {}: {:?}",
588 inode, count, e
589 );
590 }
591 }
592 }
593
getattr( &self, _ctx: Context, inode: Inode, _handle: Option<Handle>, ) -> io::Result<(libc::stat64, Duration)>594 fn getattr(
595 &self,
596 _ctx: Context,
597 inode: Inode,
598 _handle: Option<Handle>,
599 ) -> io::Result<(libc::stat64, Duration)> {
600 self.handle_inode(&inode, |config| {
601 Ok((
602 match config {
603 AuthFsEntry::ReadonlyDirectory { dir } => {
604 create_dir_stat(inode, dir.number_of_entries(), AccessMode::ReadOnly)
605 }
606 AuthFsEntry::UnverifiedReadonly { file_size, .. } => {
607 create_stat(inode, *file_size, AccessMode::ReadOnly)
608 }
609 AuthFsEntry::VerifiedReadonly { reader } => {
610 create_stat(inode, reader.file_size()?, AccessMode::ReadOnly)
611 }
612 AuthFsEntry::VerifiedNew { editor, attr, .. } => {
613 create_stat(inode, editor.size(), AccessMode::Variable(attr.mode()))
614 }
615 AuthFsEntry::VerifiedNewDirectory { dir, attr } => create_dir_stat(
616 inode,
617 dir.number_of_entries(),
618 AccessMode::Variable(attr.mode()),
619 ),
620 }?,
621 DEFAULT_METADATA_TIMEOUT,
622 ))
623 })
624 }
625
open( &self, _ctx: Context, inode: Self::Inode, flags: u32, ) -> io::Result<(Option<Self::Handle>, FuseOpenOptions)>626 fn open(
627 &self,
628 _ctx: Context,
629 inode: Self::Inode,
630 flags: u32,
631 ) -> io::Result<(Option<Self::Handle>, FuseOpenOptions)> {
632 // Since file handle is not really used in later operations (which use Inode directly),
633 // return None as the handle.
634 self.handle_inode(&inode, |config| {
635 match config {
636 AuthFsEntry::VerifiedReadonly { .. } | AuthFsEntry::UnverifiedReadonly { .. } => {
637 check_access_mode(flags, libc::O_RDONLY)?;
638 }
639 AuthFsEntry::VerifiedNew { .. } => {
640 // TODO(victorhsieh): Imeplement ACL check using the attr and ctx. Always allow
641 // for now.
642 }
643 AuthFsEntry::ReadonlyDirectory { .. }
644 | AuthFsEntry::VerifiedNewDirectory { .. } => {
645 // TODO(victorhsieh): implement when needed.
646 return Err(io::Error::from_raw_os_error(libc::ENOSYS));
647 }
648 }
649 // Always cache the file content. There is currently no need to support direct I/O or
650 // avoid the cache buffer. Memory mapping is only possible with cache enabled.
651 Ok((None, FuseOpenOptions::KEEP_CACHE))
652 })
653 }
654
create( &self, _ctx: Context, parent: Self::Inode, name: &CStr, mode: u32, _flags: u32, umask: u32, _security_ctx: Option<&CStr>, ) -> io::Result<(Entry, Option<Self::Handle>, FuseOpenOptions)>655 fn create(
656 &self,
657 _ctx: Context,
658 parent: Self::Inode,
659 name: &CStr,
660 mode: u32,
661 _flags: u32,
662 umask: u32,
663 _security_ctx: Option<&CStr>,
664 ) -> io::Result<(Entry, Option<Self::Handle>, FuseOpenOptions)> {
665 let new_inode = self.create_new_entry_with_ref_count(
666 parent,
667 name,
668 |parent_entry, basename, new_inode| match parent_entry {
669 AuthFsEntry::VerifiedNewDirectory { dir, .. } => {
670 if dir.has_entry(basename) {
671 return Err(io::Error::from_raw_os_error(libc::EEXIST));
672 }
673 let mode = mode & !umask;
674 let (new_file, new_attr) = dir.create_file(basename, new_inode, mode)?;
675 Ok(AuthFsEntry::VerifiedNew { editor: new_file, attr: new_attr })
676 }
677 _ => Err(io::Error::from_raw_os_error(libc::EBADF)),
678 },
679 )?;
680
681 Ok((
682 Entry {
683 inode: new_inode,
684 generation: 0,
685 attr: create_stat(new_inode, /* file_size */ 0, AccessMode::Variable(mode))?,
686 entry_timeout: DEFAULT_METADATA_TIMEOUT,
687 attr_timeout: DEFAULT_METADATA_TIMEOUT,
688 },
689 // See also `open`.
690 /* handle */ None,
691 FuseOpenOptions::KEEP_CACHE,
692 ))
693 }
694
read<W: io::Write + ZeroCopyWriter>( &self, _ctx: Context, inode: Inode, _handle: Handle, w: W, size: u32, offset: u64, _lock_owner: Option<u64>, _flags: u32, ) -> io::Result<usize>695 fn read<W: io::Write + ZeroCopyWriter>(
696 &self,
697 _ctx: Context,
698 inode: Inode,
699 _handle: Handle,
700 w: W,
701 size: u32,
702 offset: u64,
703 _lock_owner: Option<u64>,
704 _flags: u32,
705 ) -> io::Result<usize> {
706 self.handle_inode(&inode, |config| {
707 match config {
708 AuthFsEntry::VerifiedReadonly { reader } => {
709 read_chunks(w, reader, reader.file_size()?, offset, size)
710 }
711 AuthFsEntry::UnverifiedReadonly { reader, file_size } => {
712 read_chunks(w, reader, *file_size, offset, size)
713 }
714 AuthFsEntry::VerifiedNew { editor, .. } => {
715 // Note that with FsOptions::WRITEBACK_CACHE, it's possible for the kernel to
716 // request a read even if the file is open with O_WRONLY.
717 read_chunks(w, editor, editor.size(), offset, size)
718 }
719 AuthFsEntry::ReadonlyDirectory { .. }
720 | AuthFsEntry::VerifiedNewDirectory { .. } => {
721 Err(io::Error::from_raw_os_error(libc::EISDIR))
722 }
723 }
724 })
725 }
726
write<R: io::Read + ZeroCopyReader>( &self, _ctx: Context, inode: Self::Inode, _handle: Self::Handle, mut r: R, size: u32, offset: u64, _lock_owner: Option<u64>, _delayed_write: bool, _flags: u32, ) -> io::Result<usize>727 fn write<R: io::Read + ZeroCopyReader>(
728 &self,
729 _ctx: Context,
730 inode: Self::Inode,
731 _handle: Self::Handle,
732 mut r: R,
733 size: u32,
734 offset: u64,
735 _lock_owner: Option<u64>,
736 _delayed_write: bool,
737 _flags: u32,
738 ) -> io::Result<usize> {
739 self.handle_inode(&inode, |config| match config {
740 AuthFsEntry::VerifiedNew { editor, .. } => {
741 let mut buf = vec![0; size as usize];
742 r.read_exact(&mut buf)?;
743 editor.write_at(&buf, offset)
744 }
745 AuthFsEntry::VerifiedReadonly { .. } | AuthFsEntry::UnverifiedReadonly { .. } => {
746 Err(io::Error::from_raw_os_error(libc::EPERM))
747 }
748 AuthFsEntry::ReadonlyDirectory { .. } | AuthFsEntry::VerifiedNewDirectory { .. } => {
749 Err(io::Error::from_raw_os_error(libc::EISDIR))
750 }
751 })
752 }
753
setattr( &self, _ctx: Context, inode: Inode, in_attr: libc::stat64, _handle: Option<Handle>, valid: SetattrValid, ) -> io::Result<(libc::stat64, Duration)>754 fn setattr(
755 &self,
756 _ctx: Context,
757 inode: Inode,
758 in_attr: libc::stat64,
759 _handle: Option<Handle>,
760 valid: SetattrValid,
761 ) -> io::Result<(libc::stat64, Duration)> {
762 let mut inode_table = self.inode_table.write().unwrap();
763 handle_inode_mut_locked(&mut inode_table, &inode, |InodeState { entry, .. }| match entry {
764 AuthFsEntry::VerifiedNew { editor, attr } => {
765 check_unsupported_setattr_request(valid)?;
766
767 // Initialize the default stat.
768 let mut new_attr =
769 create_stat(inode, editor.size(), AccessMode::Variable(attr.mode()))?;
770 // `valid` indicates what fields in `attr` are valid. Update to return correctly.
771 if valid.contains(SetattrValid::SIZE) {
772 // st_size is i64, but the cast should be safe since kernel should not give a
773 // negative size.
774 debug_assert!(in_attr.st_size >= 0);
775 new_attr.st_size = in_attr.st_size;
776 editor.resize(in_attr.st_size as u64)?;
777 }
778 if valid.contains(SetattrValid::MODE) {
779 attr.set_mode(in_attr.st_mode)?;
780 new_attr.st_mode = in_attr.st_mode;
781 }
782 Ok((new_attr, DEFAULT_METADATA_TIMEOUT))
783 }
784 AuthFsEntry::VerifiedNewDirectory { dir, attr } => {
785 check_unsupported_setattr_request(valid)?;
786 if valid.contains(SetattrValid::SIZE) {
787 return Err(io::Error::from_raw_os_error(libc::EISDIR));
788 }
789
790 // Initialize the default stat.
791 let mut new_attr = create_dir_stat(
792 inode,
793 dir.number_of_entries(),
794 AccessMode::Variable(attr.mode()),
795 )?;
796 if valid.contains(SetattrValid::MODE) {
797 attr.set_mode(in_attr.st_mode)?;
798 new_attr.st_mode = in_attr.st_mode;
799 }
800 Ok((new_attr, DEFAULT_METADATA_TIMEOUT))
801 }
802 _ => Err(io::Error::from_raw_os_error(libc::EPERM)),
803 })
804 }
805
getxattr( &self, _ctx: Context, inode: Self::Inode, name: &CStr, size: u32, ) -> io::Result<GetxattrReply>806 fn getxattr(
807 &self,
808 _ctx: Context,
809 inode: Self::Inode,
810 name: &CStr,
811 size: u32,
812 ) -> io::Result<GetxattrReply> {
813 self.handle_inode(&inode, |config| {
814 match config {
815 AuthFsEntry::VerifiedNew { editor, .. } => {
816 // FUSE ioctl is limited, thus we can't implement fs-verity ioctls without a
817 // kernel change (see b/196635431). Until it's possible, use
818 // xattr to expose what we need as an authfs specific API.
819 if name != CStr::from_bytes_with_nul(b"authfs.fsverity.digest\0").unwrap() {
820 return Err(io::Error::from_raw_os_error(libc::ENODATA));
821 }
822
823 if size == 0 {
824 // Per protocol, when size is 0, return the value size.
825 Ok(GetxattrReply::Count(editor.get_fsverity_digest_size() as u32))
826 } else {
827 let digest = editor.calculate_fsverity_digest()?;
828 if digest.len() > size as usize {
829 Err(io::Error::from_raw_os_error(libc::ERANGE))
830 } else {
831 Ok(GetxattrReply::Value(digest.to_vec()))
832 }
833 }
834 }
835 _ => Err(io::Error::from_raw_os_error(libc::ENODATA)),
836 }
837 })
838 }
839
mkdir( &self, _ctx: Context, parent: Self::Inode, name: &CStr, mode: u32, umask: u32, _security_ctx: Option<&CStr>, ) -> io::Result<Entry>840 fn mkdir(
841 &self,
842 _ctx: Context,
843 parent: Self::Inode,
844 name: &CStr,
845 mode: u32,
846 umask: u32,
847 _security_ctx: Option<&CStr>,
848 ) -> io::Result<Entry> {
849 let new_inode = self.create_new_entry_with_ref_count(
850 parent,
851 name,
852 |parent_entry, basename, new_inode| match parent_entry {
853 AuthFsEntry::VerifiedNewDirectory { dir, .. } => {
854 if dir.has_entry(basename) {
855 return Err(io::Error::from_raw_os_error(libc::EEXIST));
856 }
857 let mode = mode & !umask;
858 let (new_dir, new_attr) = dir.mkdir(basename, new_inode, mode)?;
859 Ok(AuthFsEntry::VerifiedNewDirectory { dir: new_dir, attr: new_attr })
860 }
861 AuthFsEntry::ReadonlyDirectory { .. } => {
862 Err(io::Error::from_raw_os_error(libc::EACCES))
863 }
864 _ => Err(io::Error::from_raw_os_error(libc::EBADF)),
865 },
866 )?;
867
868 Ok(Entry {
869 inode: new_inode,
870 generation: 0,
871 attr: create_dir_stat(new_inode, /* file_number */ 0, AccessMode::Variable(mode))?,
872 entry_timeout: DEFAULT_METADATA_TIMEOUT,
873 attr_timeout: DEFAULT_METADATA_TIMEOUT,
874 })
875 }
876
unlink(&self, _ctx: Context, parent: Self::Inode, name: &CStr) -> io::Result<()>877 fn unlink(&self, _ctx: Context, parent: Self::Inode, name: &CStr) -> io::Result<()> {
878 let mut inode_table = self.inode_table.write().unwrap();
879 handle_inode_mut_locked(
880 &mut inode_table,
881 &parent,
882 |InodeState { entry, unlinked, .. }| match entry {
883 AuthFsEntry::VerifiedNewDirectory { dir, .. } => {
884 let basename: &Path = cstr_to_path(name);
885 // Delete the file from in both the local and remote directories.
886 let _inode = dir.delete_file(basename)?;
887 *unlinked = true;
888 Ok(())
889 }
890 AuthFsEntry::ReadonlyDirectory { .. } => {
891 Err(io::Error::from_raw_os_error(libc::EACCES))
892 }
893 AuthFsEntry::VerifiedNew { .. } => {
894 // Deleting a entry in filesystem root is not currently supported.
895 Err(io::Error::from_raw_os_error(libc::ENOSYS))
896 }
897 AuthFsEntry::UnverifiedReadonly { .. } | AuthFsEntry::VerifiedReadonly { .. } => {
898 Err(io::Error::from_raw_os_error(libc::ENOTDIR))
899 }
900 },
901 )
902 }
903
rmdir(&self, _ctx: Context, parent: Self::Inode, name: &CStr) -> io::Result<()>904 fn rmdir(&self, _ctx: Context, parent: Self::Inode, name: &CStr) -> io::Result<()> {
905 let mut inode_table = self.inode_table.write().unwrap();
906
907 // Check before actual removal, with readonly borrow.
908 handle_inode_locked(&inode_table, &parent, |inode_state| match &inode_state.entry {
909 AuthFsEntry::VerifiedNewDirectory { dir, .. } => {
910 let basename: &Path = cstr_to_path(name);
911 let existing_inode = dir.find_inode(basename)?;
912 handle_inode_locked(&inode_table, &existing_inode, |inode_state| {
913 inode_state.entry.expect_empty_deletable_directory()
914 })
915 }
916 AuthFsEntry::ReadonlyDirectory { .. } => {
917 Err(io::Error::from_raw_os_error(libc::EACCES))
918 }
919 _ => Err(io::Error::from_raw_os_error(libc::ENOTDIR)),
920 })?;
921
922 // Look up again, this time with mutable borrow. This needs to be done separately because
923 // the previous lookup needs to borrow multiple entry references in the table.
924 handle_inode_mut_locked(
925 &mut inode_table,
926 &parent,
927 |InodeState { entry, unlinked, .. }| match entry {
928 AuthFsEntry::VerifiedNewDirectory { dir, .. } => {
929 let basename: &Path = cstr_to_path(name);
930 let _inode = dir.force_delete_directory(basename)?;
931 *unlinked = true;
932 Ok(())
933 }
934 _ => unreachable!("Mismatched entry type that is just checked"),
935 },
936 )
937 }
938
opendir( &self, _ctx: Context, inode: Self::Inode, _flags: u32, ) -> io::Result<(Option<Self::Handle>, FuseOpenOptions)>939 fn opendir(
940 &self,
941 _ctx: Context,
942 inode: Self::Inode,
943 _flags: u32,
944 ) -> io::Result<(Option<Self::Handle>, FuseOpenOptions)> {
945 let entries = self.handle_inode(&inode, |config| match config {
946 AuthFsEntry::VerifiedNewDirectory { dir, .. } => dir.retrieve_entries(),
947 AuthFsEntry::ReadonlyDirectory { dir } => dir.retrieve_entries(),
948 _ => Err(io::Error::from_raw_os_error(libc::ENOTDIR)),
949 })?;
950 self.open_dir_store_snapshot(entries)
951 }
952
readdir( &self, _ctx: Context, _inode: Self::Inode, handle: Self::Handle, _size: u32, offset: u64, ) -> io::Result<Self::DirIter>953 fn readdir(
954 &self,
955 _ctx: Context,
956 _inode: Self::Inode,
957 handle: Self::Handle,
958 _size: u32,
959 offset: u64,
960 ) -> io::Result<Self::DirIter> {
961 let dir_handle_table = self.dir_handle_table.read().unwrap();
962 if let Some(entry) = dir_handle_table.get(&handle) {
963 Ok(DirEntriesSnapshotIterator {
964 snapshot: entry.clone(),
965 prev_offset: offset.try_into().unwrap(),
966 })
967 } else {
968 Err(io::Error::from_raw_os_error(libc::EBADF))
969 }
970 }
971
releasedir( &self, _ctx: Context, inode: Self::Inode, _flags: u32, handle: Self::Handle, ) -> io::Result<()>972 fn releasedir(
973 &self,
974 _ctx: Context,
975 inode: Self::Inode,
976 _flags: u32,
977 handle: Self::Handle,
978 ) -> io::Result<()> {
979 let mut dir_handle_table = self.dir_handle_table.write().unwrap();
980 if dir_handle_table.remove(&handle).is_none() {
981 unreachable!("Unknown directory handle {}, inode {}", handle, inode);
982 }
983 Ok(())
984 }
985
statfs(&self, _ctx: Context, _inode: Self::Inode) -> io::Result<libc::statvfs64>986 fn statfs(&self, _ctx: Context, _inode: Self::Inode) -> io::Result<libc::statvfs64> {
987 let remote_stat = self.remote_fs_stats_reader.statfs()?;
988
989 // SAFETY: We are zero-initializing a struct with only POD fields. Not all fields matter to
990 // FUSE. See also:
991 // https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/fuse/inode.c?h=v5.15#n460
992 let mut st: libc::statvfs64 = unsafe { zeroed() };
993
994 // Use the remote stat as a template, since it'd matter the most to consider the writable
995 // files/directories that are written to the remote.
996 st.f_bsize = remote_stat.block_size;
997 st.f_frsize = remote_stat.fragment_size;
998 st.f_blocks = remote_stat.block_numbers;
999 st.f_bavail = remote_stat.block_available;
1000 st.f_favail = remote_stat.inodes_available;
1001 st.f_namemax = remote_stat.max_filename;
1002 // Assuming we are not privileged to use all free spaces on the remote server, set the free
1003 // blocks/fragment to the same available amount.
1004 st.f_bfree = st.f_bavail;
1005 st.f_ffree = st.f_favail;
1006 // Number of inodes on the filesystem
1007 st.f_files = self.inode_table.read().unwrap().len() as u64;
1008
1009 Ok(st)
1010 }
1011 }
1012
handle_inode_locked<F, R>( inode_table: &BTreeMap<Inode, InodeState>, inode: &Inode, handle_fn: F, ) -> io::Result<R> where F: FnOnce(&InodeState) -> io::Result<R>,1013 fn handle_inode_locked<F, R>(
1014 inode_table: &BTreeMap<Inode, InodeState>,
1015 inode: &Inode,
1016 handle_fn: F,
1017 ) -> io::Result<R>
1018 where
1019 F: FnOnce(&InodeState) -> io::Result<R>,
1020 {
1021 if let Some(inode_state) = inode_table.get(inode) {
1022 handle_fn(inode_state)
1023 } else {
1024 Err(io::Error::from_raw_os_error(libc::ENOENT))
1025 }
1026 }
1027
handle_inode_mut_locked<F, R>( inode_table: &mut BTreeMap<Inode, InodeState>, inode: &Inode, handle_fn: F, ) -> io::Result<R> where F: FnOnce(&mut InodeState) -> io::Result<R>,1028 fn handle_inode_mut_locked<F, R>(
1029 inode_table: &mut BTreeMap<Inode, InodeState>,
1030 inode: &Inode,
1031 handle_fn: F,
1032 ) -> io::Result<R>
1033 where
1034 F: FnOnce(&mut InodeState) -> io::Result<R>,
1035 {
1036 if let Some(inode_state) = inode_table.get_mut(inode) {
1037 handle_fn(inode_state)
1038 } else {
1039 Err(io::Error::from_raw_os_error(libc::ENOENT))
1040 }
1041 }
1042
check_unsupported_setattr_request(valid: SetattrValid) -> io::Result<()>1043 fn check_unsupported_setattr_request(valid: SetattrValid) -> io::Result<()> {
1044 if valid.contains(SetattrValid::UID) {
1045 warn!("Changing st_uid is not currently supported");
1046 return Err(io::Error::from_raw_os_error(libc::ENOSYS));
1047 }
1048 if valid.contains(SetattrValid::GID) {
1049 warn!("Changing st_gid is not currently supported");
1050 return Err(io::Error::from_raw_os_error(libc::ENOSYS));
1051 }
1052 if valid.intersects(
1053 SetattrValid::CTIME
1054 | SetattrValid::ATIME
1055 | SetattrValid::ATIME_NOW
1056 | SetattrValid::MTIME
1057 | SetattrValid::MTIME_NOW,
1058 ) {
1059 trace!("Ignoring ctime/atime/mtime change as authfs does not maintain timestamp currently");
1060 }
1061 Ok(())
1062 }
1063
cstr_to_path(cstr: &CStr) -> &Path1064 fn cstr_to_path(cstr: &CStr) -> &Path {
1065 OsStr::from_bytes(cstr.to_bytes()).as_ref()
1066 }
1067