cca1555cc7
* mount: implement create for rsync temp files * mount: move access implementation out of unsupported * mount: tighten access checks * mount: log access group lookup failures * mount: reset dirty pages on truncate * mount: tighten create and root access handling * mount: handle existing creates before quota checks * mount: restrict access fallback when group lookup fails When lookupSupplementaryGroupIDs returns an error, the previous code fell through to checking only the "other" permission bits, which could overgrant access. Require both group and other permission classes to satisfy the mask so access is never broader than intended. * mount: guard against nil entry in Create existing-file path maybeLoadEntry can return OK with a nil entry or nil Attributes in edge cases. Check before dereferencing to prevent a panic. * mount: reopen existing file on create race without O_EXCL When createRegularFile returns EEXIST because another process won the race, and O_EXCL is not set, reload the winner's entry and open it instead of propagating the error to the caller. * mount: check parent directory permission in createRegularFile Verify the caller has write+search (W_OK|X_OK) permission on the parent directory before creating a file. This applies to both Create and Mknod. Update test fixture mount mode to 0o777 so the existing tests pass with the new check. * mount: enforce file permission bits in AcquireHandle Map the open flags (O_RDONLY/O_WRONLY/O_RDWR) to an access mask and call hasAccess before handing out a file handle. This makes AcquireHandle the single source of truth for mode-based access control across Open, Create-existing, and Create-new paths. --------- Co-authored-by: Copilot <copilot@github.com>
95 lines
3.4 KiB
Go
95 lines
3.4 KiB
Go
package mount
|
|
|
|
import (
|
|
"github.com/seaweedfs/go-fuse/v2/fuse"
|
|
"github.com/seaweedfs/seaweedfs/weed/glog"
|
|
"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
|
|
"github.com/seaweedfs/seaweedfs/weed/util"
|
|
)
|
|
|
|
func (wfs *WFS) AcquireHandle(inode uint64, flags, uid, gid uint32) (fileHandle *FileHandle, status fuse.Status) {
|
|
// If there is an in-flight async flush for this inode, wait for it to
|
|
// complete before reopening. Otherwise the new handle would be built
|
|
// from pre-close filer metadata and its next flush could overwrite the
|
|
// data that was just written asynchronously.
|
|
wfs.waitForPendingAsyncFlush(inode)
|
|
|
|
var entry *filer_pb.Entry
|
|
var path util.FullPath
|
|
path, _, entry, status = wfs.maybeReadEntry(inode)
|
|
if status == fuse.OK {
|
|
if wormEnforced, _ := wfs.wormEnforcedForEntry(path, entry); wormEnforced && flags&fuse.O_ANYWRITE != 0 {
|
|
return nil, fuse.EPERM
|
|
}
|
|
// Check unix permission bits for the requested access mode.
|
|
if entry != nil && entry.Attributes != nil {
|
|
if mask := openFlagsToAccessMask(flags); mask != 0 && !hasAccess(uid, gid, entry.Attributes.Uid, entry.Attributes.Gid, entry.Attributes.FileMode, mask) {
|
|
return nil, fuse.EACCES
|
|
}
|
|
}
|
|
// need to AcquireFileHandle again to ensure correct handle counter
|
|
fileHandle = wfs.fhMap.AcquireFileHandle(wfs, inode, entry)
|
|
fileHandle.RememberPath(path)
|
|
}
|
|
return
|
|
}
|
|
|
|
// ReleaseHandle is called from FUSE Release. For handles with a pending
|
|
// async flush, the map removal and the pendingAsyncFlush registration are
|
|
// done under a single lock hold so that a concurrent AcquireHandle cannot
|
|
// slip through the gap between the two (P1-1 TOCTOU fix).
|
|
//
|
|
// The handle intentionally stays in fhMap during the drain so that rename
|
|
// and unlink can still find it via FindFileHandle (P1-2 fix). It is
|
|
// removed from fhMap only after the drain completes (RemoveFileHandle).
|
|
func (wfs *WFS) ReleaseHandle(handleId FileHandleId) {
|
|
// Hold pendingAsyncFlushMu across the counter decrement and the
|
|
// pending-flush registration. Lock ordering: pendingAsyncFlushMu → fhMap.
|
|
wfs.pendingAsyncFlushMu.Lock()
|
|
fhToRelease := wfs.fhMap.ReleaseByHandle(handleId)
|
|
if fhToRelease != nil && fhToRelease.asyncFlushPending {
|
|
done := make(chan struct{})
|
|
wfs.pendingAsyncFlush[fhToRelease.inode] = done
|
|
wfs.pendingAsyncFlushMu.Unlock()
|
|
|
|
wfs.asyncFlushWg.Add(1)
|
|
go func() {
|
|
defer wfs.asyncFlushWg.Done()
|
|
defer func() {
|
|
// Remove from fhMap first (so AcquireFileHandle creates a fresh handle).
|
|
wfs.fhMap.RemoveFileHandle(fhToRelease.fh, fhToRelease.inode)
|
|
// Then signal completion (unblocks waitForPendingAsyncFlush).
|
|
close(done)
|
|
wfs.pendingAsyncFlushMu.Lock()
|
|
delete(wfs.pendingAsyncFlush, fhToRelease.inode)
|
|
wfs.pendingAsyncFlushMu.Unlock()
|
|
}()
|
|
wfs.completeAsyncFlush(fhToRelease)
|
|
}()
|
|
return
|
|
}
|
|
wfs.pendingAsyncFlushMu.Unlock()
|
|
|
|
if fhToRelease != nil {
|
|
fhToRelease.ReleaseHandle()
|
|
}
|
|
}
|
|
|
|
// waitForPendingAsyncFlush blocks until any in-flight async flush for
|
|
// the given inode completes. Called from AcquireHandle before building
|
|
// new handle state, so the filer metadata reflects the flushed data.
|
|
func (wfs *WFS) waitForPendingAsyncFlush(inode uint64) {
|
|
wfs.pendingAsyncFlushMu.Lock()
|
|
done, found := wfs.pendingAsyncFlush[inode]
|
|
wfs.pendingAsyncFlushMu.Unlock()
|
|
|
|
if found {
|
|
glog.V(3).Infof("waitForPendingAsyncFlush: waiting for inode %d", inode)
|
|
<-done
|
|
}
|
|
}
|
|
|
|
func (wfs *WFS) GetHandle(handleId FileHandleId) *FileHandle {
|
|
return wfs.fhMap.GetFileHandle(handleId)
|
|
}
|