Commit Graph

14 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
eb11cf6989
qfile-unpacker: do not call fdatasync() at each file (#1257)
POSIX  requires  that  a  read(2)  which  can be proved to occur after a
write() has returned returns the new data.
We want here only that other processes in the same VM will see the
file either fully written, or not see it at all. So ensuring that
linkat(2) is called after write is completed should be enough.

Fixes QubesOS/qubes-issues#1257

(cherry picked from commit c1d42f1602)
2015-10-11 02:51:00 +02:00
Marek Marczykowski-Górecki
d5c0761da5 debian: O_TMPFILE already defined 2015-02-17 13:15:32 +01:00
Marek Marczykowski-Górecki
fcbe0363d0 filecopy: fix handling ENOENT error
Do not fail when file was successfully created.

I will test before commit. I will test before commit. I will...
2015-01-30 00:55:46 +01:00
Marek Marczykowski-Górecki
7607b45eae filecopy: really do not use O_TMPFILE when use_tmpfile==0
When file opened with O_TMPFILE but use_tmpfile==0, the file will not be
linked to the directory (the code at the end of process_one_file_reg).
Additionally it is waste of time trying using O_TMPFILE when it's
already known it shouldn't be.
Also use_tmpfile==0 can mean we don't have access to /proc
(set_procfs_fd wasn't called), so even if linking the file to its
directory would be attempted, it would fail. This is the case for
dom0-updates copy.
2015-01-30 00:55:46 +01:00
Marek Marczykowski-Górecki
b0fe4d5868 filecopy: create new file unaccessible to the user until fully written
Otherwise source domain can modify (append) the file while the user
already is accessing it. While incoming files should be treated as
untrusted, this problem could allow file modification after the user
makes some sanity checks.
2015-01-30 00:55:46 +01:00
Marek Marczykowski-Górecki
12a9049cfe Fix some more -Wextra warnings 2014-02-16 11:10:31 +01:00
Vincent Penquerc'h
9f3a74fd77 unpack: prevent ability to bypass the byte limit
By passing an empty file with a declared negative size,
a hostile VM can decrease the total bytes counter, while
not have do supply a huge amount of data, thus disabing
the byte size check, and potentially filling the target
filesystem.
2014-02-15 14:14:20 +01:00
Vincent Penquerc'h
3a39c65e3e linux-utils: misc const/prototype fixups 2014-01-06 14:40:57 +01:00
Vincent Penquerc'h
af78e8d9e8 unpack: count directory and symlink sizes
Also do not rely on unpack being called just once if we don't
have to and initialize counts.

Since we don't know directory size before populating with files,
we just accumulate the size on the second pass, but do not actually
check for the limit being reached. If there's any file after that,
that'll trip the check.
2014-01-06 14:40:57 +01:00
Marek Marczykowski-Górecki
21612bfadf qrexec-lib: add support for verbose mode (echo just processed file) 2013-11-13 10:35:47 +01:00
Marek Marczykowski-Górecki
761305bc8b qrexec-lib: check files limit before processing the file
Off-by-one error.
2013-11-13 10:35:23 +01:00
Marek Marczykowski-Górecki
a73be3f126 qubes-rpc/filecopy: send last processed filename for diagnostic purposes
This will ease solving transfer problems - sender will known at which
file it failed.
2013-08-14 21:28:50 +02:00
Marek Marczykowski-Górecki
138d7899d9 Remove duplicated filecopy.h header
The same also exists as libqubes-rpc-filecopy.h.
2013-08-14 21:25:30 +02:00
Marek Marczykowski
42e133b753 Qrexec common code, qubes.Filecopy common code, udev scripts 2013-03-20 06:27:32 +01:00