Commit Graph

50 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
ddcbe6fbc4
qrexec: add clarification commends in qrexec.h
QubesOS/qubes-issues#1392

(cherry picked from commit cd277485bb)
2015-12-11 21:08:16 +01:00
Rusty Bird
f3ffcfe9ba
qfile-unpacker: syncfs() to avoid qvm-move-to-vm data loss
Commit https://github.com/QubesOS/qubes-linux-utils/commit/c1d42f1 --
"qfile-unpacker: do not call fdatasync() at each file" fixing
QubesOS/qubes-issues#1257 -- increased the chance of data loss with
qvm-move-to-vm: Say it nominally succeeds, and *deletes* the files from
the source VM. Soon after, the destination VM or the system could crash,
or an external drive hosting ~/QubesIncoming/srcVM could get unplugged
by accident, all before the data had really been persisted to disk.

But reverting the commit (ignoring the performance issue) wouldn't
completely solve this:

  "Calling fsync() does not necessarily ensure that the entry in the
   directory containing the file has also reached disk. For that an
   explicit fsync() on a file descriptor for the directory is also
   needed."  - fsync(2)

It gets even worse for "slow symlinks" (whose target is too long to be
stored directly in the inode metadata), apparently they can't be synced
at all individually.

So instead, just call syncfs() once after everything has been unpacked:

  + Should prevent all data loss (if fs and disk are well behaved)
  + Allows caching and reordering -> no slowdown with many small files
  - Blocks until any unrelated writes on the filesystem finish :\

(cherry picked from commit 4f59b3df6f)
2015-12-11 21:08:02 +01:00
Rusty Bird
c78b2c3a7a
Check if QubesIncoming filesystem supports O_TMPFILE
The filesystem hosting ~/QubesIncoming/srcVM/ needs to support O_TMPFILE
too, in addition to the kernel. If it doesn't, take the use_tmpfile = 0
fallback.

(cherry picked from commit 74a1b4cc50)
2015-11-13 06:06:50 +01:00
Marek Marczykowski-Górecki
d77658b115
libqrexec-utils: bump SO version because of ABI change
New functions were introduced.

(cherry picked from commit 1a3be481b5)
2015-10-30 15:33:16 +01:00
Marek Marczykowski-Górecki
61c3357ce1
libqrexec-utils: bring back buffered write helpers
It is required to prevent deadlocks in single-threaded select-based IO
programs (namely: qrexec). POSIX API doesn't support checking how much
can be written to pipe/socket without blocking, so to prevent blocking
application must use O_NONBLOCK mode, and somehow deal with non-written
data (buffer it).

QubesOS/qubes-issues#1347

(cherry picked from commit 6a44eaeb09)
2015-10-30 15:33:12 +01:00
Marek Marczykowski-Górecki
aa6e51f369
libqrexec-utils: fix linker options
Fix linking with libvchan. Previously it worked because all the users
were also linked with libvchan.

(cherry picked from commit 632522b35e)
2015-10-30 15:33:07 +01:00
Marek Marczykowski-Górecki
eb11cf6989
qfile-unpacker: do not call fdatasync() at each file (#1257)
POSIX  requires  that  a  read(2)  which  can be proved to occur after a
write() has returned returns the new data.
We want here only that other processes in the same VM will see the
file either fully written, or not see it at all. So ensuring that
linkat(2) is called after write is completed should be enough.

Fixes QubesOS/qubes-issues#1257

(cherry picked from commit c1d42f1602)
2015-10-11 02:51:00 +02:00
Marek Marczykowski-Górecki
015015d940 qrexec-lib: enable compiler optimization 2015-03-20 12:17:32 +01:00
Marek Marczykowski-Górecki
14f7f284d4 Revert "Removed -Werror from qrexec Makefile to allow unpack to compile for both Fedora 20 and 21"
This reverts commit 96a3d98f60.
This problem is already fixed.
2015-02-17 14:21:39 +01:00
Marek Marczykowski-Górecki
b92b87388e Tag for commit 96301f3cc1
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJU3OKsAAoJEBu5sftaTG2teD4P/2AgLmFI2x8RHqHz17T+lDZW
 gD4QoQlTFm1jysvexwLSCKYh4yYOKmMOaCs8UVc44k1KTxr1l/XYPhTFpzDg1gmb
 6zAKV36yxRZuB/3oRQ1tpUFN8obgV3GQh9Uz7zyOV8a34xSLkulUqp86ceW8gEyR
 XHlUF2XSNpOLca56IOTHzSlvje+kTxTON9OAfNv18cPv+Um27xt+IAz2nl7jytlc
 2SgZnJgcdf+blFvdxoEJQ9Dky3jLxcE/W4HMNmMPBEknSJYhoVNaSWtfgvJO66E9
 M0CIUk2v068vDSdmC7OUIDgQ/URE6SW85OyTvQlKOft3k33mZkSWog6y7FEbuXAS
 lWpXMR4xwnOqJtFTpKsGNyylqhNZhS1UQ4TpMgQijjxqs6oCWH42KwzSpPjd+zyq
 Vn151qsBg2UGMT5OqePDBq0fLFbN1Jfk1Oja78XFZ4PAKsvTmKdMd2oEaU10Wzkr
 jOpiEXtOK6QBWQYRySJH5GdFqEc2K4HFtHJPZPg6oIX7nMq9p8k3khfRDTgQ94nW
 qMwOoGa/rfuh/8PmSoMsvsceGHDzVV1zZtIVPHnzoQcDjp4wkKodD0dSRV/FC/4B
 lFsBS+UJMgOIvywzoRaU4lJowY0TPokg/MYPPYou3efWzDZCvB555n75gtRxYdg1
 TQz5tLSVBp9E2JNqt7is
 =ZgPE
 -----END PGP SIGNATURE-----

Merge tag 'jm_96301f3c'

Tag for commit 96301f3cc1

# gpg: Signature made Thu Feb 12 18:28:12 2015 CET using RSA key ID 5A4C6DAD
# gpg: Good signature from "Jason Mehring (Qubes OS Signing Key) <nrgaway@gmail.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E0E3 2283 FDCA C1A5 1007  8F27 1BB9 B1FB 5A4C 6DAD
2015-02-17 14:21:24 +01:00
Marek Marczykowski-Górecki
d5c0761da5 debian: O_TMPFILE already defined 2015-02-17 13:15:32 +01:00
Marek Marczykowski-Górecki
1b5533ae10 qrexec: create stdin/out/err as sockets instead of pipes
Instead of pipes, stdin/out/err are created as sockets. This allows
qrexec-agent/daemon to decide to use some of them bidirectional. This is
up to qrexec-agent/daemon, such socket can still be used as
unidirectional channel.

The main reason for this feature is to use USBIP over qrexec, which
require single socket.
2015-02-16 23:11:37 +01:00
Jason Mehring
96a3d98f60
Removed -Werror from qrexec Makefile to allow unpack to compile for both Fedora 20 and 21
linux-utils/qrexec-lib/unpack.c:

Different compile errors will abort.  Both different for fc20/21 but
based on same error below:
*
 * FC21 ERROR:  (but FC20 needs the code)
 * unpack.c:31:0: error: "O_TMPFILE" redefined [-Werror]
 *  #define O_TMPFILE (__O_TMPFILE | O_DIRECTORY)
 *   ^
 *   In file included from /usr/include/bits/fcntl.h:61:0,
 *                    from /usr/include/fcntl.h:35,
 *                                     from unpack.c:4:
 * /usr/include/bits/fcntl-linux.h:151:0: note: this is the location of the previous definition
 * # define O_TMPFILE __O_TMPFILE / * Atomically create nameless file.  * /
 * ^
 * cc1: all warnings being treated as errors
 * <builtin>: recipe for target 'unpack.o' failed
 */
/* #define O_TMPFILE (__O_TMPFILE | O_DIRECTORY) */
2015-02-10 11:07:20 -05:00
Marek Marczykowski-Górecki
fcbe0363d0 filecopy: fix handling ENOENT error
Do not fail when file was successfully created.

I will test before commit. I will test before commit. I will...
2015-01-30 00:55:46 +01:00
Marek Marczykowski-Górecki
7607b45eae filecopy: really do not use O_TMPFILE when use_tmpfile==0
When file opened with O_TMPFILE but use_tmpfile==0, the file will not be
linked to the directory (the code at the end of process_one_file_reg).
Additionally it is waste of time trying using O_TMPFILE when it's
already known it shouldn't be.
Also use_tmpfile==0 can mean we don't have access to /proc
(set_procfs_fd wasn't called), so even if linking the file to its
directory would be attempted, it would fail. This is the case for
dom0-updates copy.
2015-01-30 00:55:46 +01:00
Marek Marczykowski-Górecki
b0fe4d5868 filecopy: create new file unaccessible to the user until fully written
Otherwise source domain can modify (append) the file while the user
already is accessing it. While incoming files should be treated as
untrusted, this problem could allow file modification after the user
makes some sanity checks.
2015-01-30 00:55:46 +01:00
Marek Marczykowski-Górecki
680c36934e Fix compile warnings 2014-11-19 15:10:59 +01:00
Marek Marczykowski-Górecki
020f341f98 qrexec-utils: add read_vchan_all and write_vchan_all
Similar to read_all and write_all.
2014-11-19 15:10:59 +01:00
Marek Marczykowski-Górecki
591fb10a32 qrexec: update protocol
- add new messages
- uniform packet header
- organize #defines
2014-11-19 15:10:59 +01:00
Marek Marczykowski-Górecki
0ca9e06877 code style: change tabs to spaces 2014-11-19 15:10:59 +01:00
Marek Marczykowski-Górecki
aa31c67e24 qrexec-utils: disable write-stdin (buffered writes) compilation
Not compatible with new qrexec protocol yet. To be done.
2014-11-19 15:10:58 +01:00
Marek Marczykowski-Górecki
3e0c5a74d2 New qrexec protocol
Use separate vchan to pass I/O for each process, which greatly simplify
protocol implementation (eg. no flow control needed).
2014-11-19 15:10:58 +01:00
Marek Marczykowski
08f6f18af7 qrexec-lib: prevent deadlock on vchan
It can happen that we already cleared libvchan_fd pending state via
libvchan_wait, but data arrived later. This is especially true just
after connection, when client send unsolicited notification to server,
which can confuse it with some requested notification.
2014-11-19 15:10:58 +01:00
Marek Marczykowski
a91a8c8312 Update for new vchan API, remove code not needed anymore
Remove some vchan wrappers, which are not necessary now.
2014-11-19 15:10:58 +01:00
Davíð Steinn Geirsson
bc75b6559b Use xenstore.h when xen >= 4.2 2014-07-23 04:32:46 +02:00
Marek Marczykowski-Górecki
821a1c2fe9 qrexec-lib: use _exit in child process to not fire atexit hooks
Otherwise it would remove qrexec socket.
2014-05-19 16:52:27 +02:00
Marek Marczykowski-Górecki
b8b4e105c0 qrexec-lib: return unsigned where only non-negative value is returned 2014-02-19 20:52:24 +01:00
Marek Marczykowski-Górecki
b12f1539a4 Add -Wextra -Werror to all C code
Not only the security-critical one.
2014-02-16 11:10:38 +01:00
Marek Marczykowski-Górecki
12a9049cfe Fix some more -Wextra warnings 2014-02-16 11:10:31 +01:00
Vincent Penquerc'h
03c9cb1388 Add a few consts where appropriate 2014-02-16 11:08:22 +01:00
Vincent Penquerc'h
9f3a74fd77 unpack: prevent ability to bypass the byte limit
By passing an empty file with a declared negative size,
a hostile VM can decrease the total bytes counter, while
not have do supply a huge amount of data, thus disabing
the byte size check, and potentially filling the target
filesystem.
2014-02-15 14:14:20 +01:00
Marek Marczykowski-Górecki
516815a266 qrexec-lib: make it shared library 2014-02-07 05:29:59 +01:00
Marek Marczykowski-Górecki
113826aa1a qrexec-lib: use registered callbacks
...instead of exported symbols of certain name. This is first step to
use change it to shared libraries.
2014-02-07 05:27:29 +01:00
Marek Marczykowski-Górecki
1c6f44d7fa qrexec-lib: fix compile warnings 2014-02-07 05:26:52 +01:00
Vincent Penquerc'h
f7e943f7ec txrx-vchan: guard against invalid buffer sizes from libvchan
These APIs can now return -1 when invalid indices are detected.
2014-01-21 20:57:20 +01:00
Marek Marczykowski-Górecki
e36f03db2d unix-server: do not check for unlink() error when creating socket
The socket most likely do not exists yet.
2014-01-07 00:27:57 +01:00
Vincent Penquerc'h
a2e4f9a8aa ioall: do not reset file flags when they're already as requested
This was changed on a copy of that file elsewhere, might as well
keep this in sync too.
2014-01-06 14:40:57 +01:00
Vincent Penquerc'h
3a39c65e3e linux-utils: misc const/prototype fixups 2014-01-06 14:40:57 +01:00
Vincent Penquerc'h
af78e8d9e8 unpack: count directory and symlink sizes
Also do not rely on unpack being called just once if we don't
have to and initialize counts.

Since we don't know directory size before populating with files,
we just accumulate the size on the second pass, but do not actually
check for the limit being reached. If there's any file after that,
that'll trip the check.
2014-01-06 14:40:57 +01:00
Vincent Penquerc'h
77d34c3096 unix-server: guard against buffer overflow
sun_path is fairly small, and while the input is a smaller constant,
you never know how that might change.
2014-01-06 14:40:56 +01:00
Vincent Penquerc'h
21154a3e6b unix-server: some error checking 2014-01-06 14:40:56 +01:00
Vincent Penquerc'h
9192aa041d buffer.c: guard against bad input
The byte limit would be hit if adding one byte to a buffer
that's half the limit, due to the temporary double copy.
Not sure if that's something that's worth changing.
2014-01-06 14:40:56 +01:00
Marek Marczykowski-Górecki
21612bfadf qrexec-lib: add support for verbose mode (echo just processed file) 2013-11-13 10:35:47 +01:00
Marek Marczykowski-Górecki
761305bc8b qrexec-lib: check files limit before processing the file
Off-by-one error.
2013-11-13 10:35:23 +01:00
Marek Marczykowski-Górecki
2ee40f16c2 qrexec-lib: fail peer_client_init call when domain dies
Don't wait indefinitely.
2013-10-27 16:06:26 +01:00
Marek Marczykowski-Górecki
2739340559 qrexec-lib: fix memory leak
If xs_read returns pointer to empty string (len==0), then it was leaked.
2013-10-27 16:05:32 +01:00
Marek Marczykowski-Górecki
a73be3f126 qubes-rpc/filecopy: send last processed filename for diagnostic purposes
This will ease solving transfer problems - sender will known at which
file it failed.
2013-08-14 21:28:50 +02:00
Marek Marczykowski-Górecki
5131810265 qubes-rpc/filecopy: use explicit struct alignment
This is much more readable, than guessing exact struct packing done by
gcc on x86_64.
2013-08-14 21:26:37 +02:00
Marek Marczykowski-Górecki
138d7899d9 Remove duplicated filecopy.h header
The same also exists as libqubes-rpc-filecopy.h.
2013-08-14 21:25:30 +02:00
Marek Marczykowski
42e133b753 Qrexec common code, qubes.Filecopy common code, udev scripts 2013-03-20 06:27:32 +01:00