Whitelist SMB2 (rhbz#1694552)

Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Peter Lemenkov 2019-04-04 13:07:39 +03:00
parent d6de3febc3
commit 8e3bddea21
14 changed files with 213 additions and 139 deletions


@ -1,33 +0,0 @@
From c52cafc81ced83fbd5cc7edf4ef5f7cb57b82729 Mon Sep 17 00:00:00 2001
From: Dalvik Khertel <khertel@outlook.com>
Date: Thu, 9 Aug 2012 12:48:20 +0000
Subject: [PATCH] libfuse: pass security context options to kernel
Mount can be used with an "-o context=" option in order to specify a
mountpoint-wide SELinux security context different from the default context
provided by the active SELinux policy.
This is useful in order to enable users to mount multiple sshfs targets under
distinct contexts, which is my main motivation for getting this patch mainlined.
---
lib/mount.c | 4 ++++
1 files changed, 4 insertions(+)
diff --git a/lib/mount.c b/lib/mount.c
index 6182a17..01f64da 100644
--- a/lib/mount.c
+++ b/lib/mount.c
@@ -97,6 +97,10 @@ static const struct fuse_opt fuse_mount_opts[] = {
FUSE_OPT_KEY("large_read", KEY_KERN_OPT),
FUSE_OPT_KEY("blksize=", KEY_KERN_OPT),
FUSE_OPT_KEY("default_permissions", KEY_KERN_OPT),
+ FUSE_OPT_KEY("context=", KEY_KERN_OPT),
+ FUSE_OPT_KEY("fscontext=", KEY_KERN_OPT),
+ FUSE_OPT_KEY("defcontext=", KEY_KERN_OPT),
+ FUSE_OPT_KEY("rootcontext=", KEY_KERN_OPT),
FUSE_OPT_KEY("max_read=", KEY_KERN_OPT),
FUSE_OPT_KEY("max_read=", FUSE_OPT_KEY_KEEP),
FUSE_OPT_KEY("user=", KEY_MTAB_OPT),
--
2.5.0


@ -1,21 +0,0 @@
diff -up fuse-2.9.2/include/fuse_kernel.h.conflictfix fuse-2.9.2/include/fuse_kernel.h
--- fuse-2.9.2/include/fuse_kernel.h.conflictfix 2013-06-26 09:31:57.862198038 -0400
+++ fuse-2.9.2/include/fuse_kernel.h 2013-06-26 09:32:19.679198365 -0400
@@ -88,12 +88,16 @@
#ifndef _LINUX_FUSE_H
#define _LINUX_FUSE_H
-#include <sys/types.h>
+#ifdef __linux__
+#include <linux/types.h>
+#else
+#include <stdint.h>
#define __u64 uint64_t
#define __s64 int64_t
#define __u32 uint32_t
#define __s32 int32_t
#define __u16 uint16_t
+#endif
/*
* Version negotiation:


@ -1,24 +0,0 @@
diff -up libfuse-fuse-2.9.7/lib/fuse_kern_chan.c.buffer_size libfuse-fuse-2.9.7/lib/fuse_kern_chan.c
--- libfuse-fuse-2.9.7/lib/fuse_kern_chan.c.buffer_size 2016-06-20 21:55:12.000000000 +0200
+++ libfuse-fuse-2.9.7/lib/fuse_kern_chan.c 2018-11-09 11:58:18.942124327 +0100
@@ -83,7 +83,10 @@ static void fuse_kern_chan_destroy(struc
close(fd);
}
-#define MIN_BUFSIZE 0x21000
+#define KERNEL_BUF_PAGES 32
+
+/* room needed in buffer to accommodate header */
+#define HEADER_SIZE 0x1000
struct fuse_chan *fuse_kern_chan_new(int fd)
{
@@ -92,7 +95,6 @@ struct fuse_chan *fuse_kern_chan_new(int
.send = fuse_kern_chan_send,
.destroy = fuse_kern_chan_destroy,
};
- size_t bufsize = getpagesize() + 0x1000;
- bufsize = bufsize < MIN_BUFSIZE ? MIN_BUFSIZE : bufsize;
+ size_t bufsize = KERNEL_BUF_PAGES * getpagesize() + HEADER_SIZE;
return fuse_chan_new(&op, fd, bufsize, NULL);
}


@ -1,13 +0,0 @@
diff -up libfuse-fuse-3.0.0/lib/fuse.c.parens libfuse-fuse-3.0.0/lib/fuse.c
--- libfuse-fuse-3.0.0/lib/fuse.c.parens 2017-03-21 09:31:31.979537796 -0400
+++ libfuse-fuse-3.0.0/lib/fuse.c 2017-03-21 09:31:42.676250718 -0400
@@ -1653,7 +1653,7 @@ int fuse_fs_open(struct fuse_fs *fs, con
fprintf(stderr, "open flags: 0x%x %s\n", fi->flags,
path);
- err = fs->op.open(path, fi);
+ err = (fs->op.open)(path, fi);
if (fs->debug && !err)
fprintf(stderr, " open[%llu] flags: 0x%x %s\n",
diff -up libfuse-fuse-3.0.0/lib/fuse_lowlevel.c.parens libfuse-fuse-3.0.0/lib/fuse_lowlevel.c


@ -1,19 +0,0 @@
diff -up libfuse-fuse-3.2.1/util/install_helper.sh.nodev libfuse-fuse-3.2.1/util/install_helper.sh
--- libfuse-fuse-3.2.1/util/install_helper.sh.nodev 2017-11-14 15:48:15.000000000 -0500
+++ libfuse-fuse-3.2.1/util/install_helper.sh 2017-11-16 15:23:20.552413938 -0500
@@ -11,14 +11,9 @@ bindir="$2"
udevrulesdir="$3"
prefix="${MESON_INSTALL_DESTDIR_PREFIX}"
-chown root:root "${prefix}/${bindir}/fusermount3"
+# chown root:root "${prefix}/${bindir}/fusermount3"
chmod u+s "${prefix}/${bindir}/fusermount3"
-if test ! -e "${DESTDIR}/dev/fuse"; then
- mkdir -p "${DESTDIR}/dev"
- mknod "${DESTDIR}/dev/fuse" -m 0666 c 10 229
-fi
-
install -D -m 644 "${MESON_SOURCE_ROOT}/util/udev.rules" \
"${DESTDIR}/${udevrulesdir}/99-fuse3.rules"


@ -4,7 +4,7 @@
Name: fuse Name: fuse
Version: %{fuse2ver} Version: %{fuse2ver}
Release: 1%{?dist} Release: 2%{?dist}
Summary: File System in Userspace (FUSE) v2 utilities Summary: File System in Userspace (FUSE) v2 utilities
License: GPL+ License: GPL+
URL: http://fuse.sf.net URL: http://fuse.sf.net
@ -14,14 +14,23 @@ Source0: https://github.com/libfuse/libfuse/archive/%{name}-%{fuse2ver}.tar.gz
Source1: https://github.com/libfuse/libfuse/archive/%{name}-%{fuse3ver}.tar.gz Source1: https://github.com/libfuse/libfuse/archive/%{name}-%{fuse3ver}.tar.gz
Source2: %{name}.conf Source2: %{name}.conf
Patch1: fuse-3.0.0-More-parentheses.patch Patch1: fuse3-0001-More-parentheses.patch
Patch2: fuse-0001-More-parentheses.patch Patch2: fuse3-0002-disable-device-creation-during-build-install.patch
# https://bugzilla.redhat.com/1694552#c7
# https://github.com/libfuse/libfuse/pull/392
# backported for fuse-3.4.2
Patch3: fuse3-0003-Whitelist-smb2-392.patch
Patch101: fuse2-0001-More-parentheses.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=970768 # https://bugzilla.redhat.com/show_bug.cgi?id=970768
Patch3: fuse-2.9.2-namespace-conflict-fix.patch Patch102: fuse2-0002-add-fix-for-namespace-conflict-in-fuse_kernel.h.patch
Patch4: fuse-3.4.2-no-dev.patch
# https://github.com/libfuse/libfuse/commit/4f8f034a8969a48f210bf00be78a67cfb6964c72 # https://github.com/libfuse/libfuse/commit/4f8f034a8969a48f210bf00be78a67cfb6964c72
# backported for fuse2 # backported for fuse2
Patch5: fuse-2.9.7-buffer-size.patch Patch103: fuse2-0003-make-buffer-size-match-kernel-max-transfer-size.patch
# https://bugzilla.redhat.com/1694552#c7
# https://github.com/libfuse/libfuse/pull/392
# backported for fuse2
Patch104: fuse2-0004-Whitelist-SMB2-found-on-some-NAS-devices.patch
Requires: which Requires: which
Conflicts: filesystem < 3 Conflicts: filesystem < 3
@ -105,7 +114,8 @@ Common files for FUSE v2 and FUSE v3.
# fuse 3 # fuse 3
pushd lib%{name}-%{name}-%{fuse3ver} pushd lib%{name}-%{name}-%{fuse3ver}
%patch1 -p1 -b .add_parentheses %patch1 -p1 -b .add_parentheses
%patch4 -p1 -b .nodev %patch2 -p1 -b .nodev
%patch3 -p1 -b .smb2_whitelist
popd popd
# fuse 2 # fuse 2
@ -113,9 +123,10 @@ pushd %{name}-%{fuse2ver}
# ./makeconf.sh # ./makeconf.sh
#disable device creation during build/install #disable device creation during build/install
sed -i 's|mknod|echo Disabled: mknod |g' util/Makefile.in sed -i 's|mknod|echo Disabled: mknod |g' util/Makefile.in
%patch2 -p1 -b .add_parentheses %patch101 -p1 -b .add_parentheses
%patch3 -p1 -b .conflictfix %patch102 -p1 -b .conflictfix
%patch5 -p1 -b .buffer_size %patch103 -p1 -b .buffer_size
%patch104 -p1 -b .smb2_whitelist
popd popd
%build %build
@ -230,6 +241,9 @@ rm -f %{buildroot}/usr/lib/udev/rules.d/99-fuse3.rules
%{_includedir}/fuse3/ %{_includedir}/fuse3/
%changelog %changelog
* Thu Apr 04 2019 Peter Lemenkov <lemenkov@gmail.com> - 2.9.9-2
- Whitelist SMB2 (rhbz#1694552)
* Mon Mar 25 2019 Tom Callaway <spot@fedoraproject.org> - 2.9.9-1 * Mon Mar 25 2019 Tom Callaway <spot@fedoraproject.org> - 2.9.9-1
- update fuse to 2.9.9 - update fuse to 2.9.9
- update fuse3 to 3.4.2 - update fuse3 to 3.4.2


@ -1,19 +1,14 @@
From 22ba14e45e84e0bd12a9ab1c9d0460b9ae27c10c Mon Sep 17 00:00:00 2001
From: Peter Lemenkov <lemenkov@gmail.com> From: Peter Lemenkov <lemenkov@gmail.com>
Date: Mon, 9 Aug 2010 12:10:40 +0400 Date: Mon, 9 Aug 2010 12:10:40 +0400
Subject: [PATCH 1/1] More parentheses Subject: [PATCH] More parentheses
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com> Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
---
lib/fuse.c | 8 +++-----
lib/fuse_lowlevel.c | 2 +-
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/lib/fuse.c b/lib/fuse.c diff --git a/lib/fuse.c b/lib/fuse.c
index d511964..328ebba 100644 index d1d873a..ca1709c 100644
--- a/lib/fuse.c --- a/lib/fuse.c
+++ b/lib/fuse.c +++ b/lib/fuse.c
@@ -991,17 +991,15 @@ static int fuse_compat_open(struct fuse_fs *fs, const char *path, @@ -1529,17 +1529,15 @@ static int fuse_compat_open(struct fuse_fs *fs, const char *path,
{ {
int err; int err;
if (!fs->compat || fs->compat >= 25) if (!fs->compat || fs->compat >= 25)
@ -35,10 +30,10 @@ index d511964..328ebba 100644
} }
diff --git a/lib/fuse_lowlevel.c b/lib/fuse_lowlevel.c diff --git a/lib/fuse_lowlevel.c b/lib/fuse_lowlevel.c
index c86a910..4f19d61 100644 index ff03c63..255f733 100644
--- a/lib/fuse_lowlevel.c --- a/lib/fuse_lowlevel.c
+++ b/lib/fuse_lowlevel.c +++ b/lib/fuse_lowlevel.c
@@ -716,7 +716,7 @@ static void do_open(fuse_req_t req, fuse_ino_t nodeid, const void *inarg) @@ -1211,7 +1211,7 @@ static void do_open(fuse_req_t req, fuse_ino_t nodeid, const void *inarg)
fi.flags = arg->flags; fi.flags = arg->flags;
if (req->f->op.open) if (req->f->op.open)
@ -47,6 +42,3 @@ index c86a910..4f19d61 100644
else else
fuse_reply_open(req, &fi); fuse_reply_open(req, &fi);
} }
--
1.7.9.3


@ -0,0 +1,28 @@
From: Tom Callaway <spot@fedoraproject.org>
Date: Wed, 26 Jun 2013 09:34:52 -0400
Subject: [PATCH] add fix for namespace conflict in fuse_kernel.h
https://bugzilla.redhat.com/show_bug.cgi?id=970768
diff --git a/include/fuse_kernel.h b/include/fuse_kernel.h
index c632b58..9e02fe3 100644
--- a/include/fuse_kernel.h
+++ b/include/fuse_kernel.h
@@ -88,12 +88,16 @@
#ifndef _LINUX_FUSE_H
#define _LINUX_FUSE_H
-#include <sys/types.h>
+#ifdef __linux__
+#include <linux/types.h>
+#else
+#include <stdint.h>
#define __u64 uint64_t
#define __s64 int64_t
#define __u32 uint32_t
#define __s32 int32_t
#define __u16 uint16_t
+#endif
/*
* Version negotiation:


@ -0,0 +1,42 @@
From: Carlos Maiolino <cmaiolino-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Date: Thu, 20 Apr 2017 14:53:01 +0200
Subject: [PATCH] make buffer size match kernel max transfer size
Currently libfuse has a hardcoded buffer limit to 128kib, while fuse
kernel module has a limit up to 32 pages.
This patch changes buffer limit to match the current page size, instead
of assuming 4096 bytes pages, enabling architectures with bigger pages
to use larger buffers, improving performance.
Also, add a new macro (HEADER_SIZE) to specify the space needed to
accommodate the header, making it easier to understand why those extra
4096 bytes are needed
Signed-off-by: Carlos Maiolino <cmaiolino-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
diff --git a/lib/fuse_kern_chan.c b/lib/fuse_kern_chan.c
index 4a9beb8..640b91a 100644
--- a/lib/fuse_kern_chan.c
+++ b/lib/fuse_kern_chan.c
@@ -83,7 +83,10 @@ static void fuse_kern_chan_destroy(struct fuse_chan *ch)
close(fd);
}
-#define MIN_BUFSIZE 0x21000
+#define KERNEL_BUF_PAGES 32
+
+/* room needed in buffer to accommodate header */
+#define HEADER_SIZE 0x1000
struct fuse_chan *fuse_kern_chan_new(int fd)
{
@@ -92,7 +95,6 @@ struct fuse_chan *fuse_kern_chan_new(int fd)
.send = fuse_kern_chan_send,
.destroy = fuse_kern_chan_destroy,
};
- size_t bufsize = getpagesize() + 0x1000;
- bufsize = bufsize < MIN_BUFSIZE ? MIN_BUFSIZE : bufsize;
+ size_t bufsize = KERNEL_BUF_PAGES * getpagesize() + HEADER_SIZE;
return fuse_chan_new(&op, fd, bufsize, NULL);
}


@ -0,0 +1,20 @@
From: Peter Lemenkov <lemenkov@gmail.com>
Date: Wed, 3 Apr 2019 12:23:56 +0300
Subject: [PATCH] Whitelist SMB2 found on some NAS devices
* https://bugzilla.redhat.com/1694552#c7
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
diff --git a/util/fusermount.c b/util/fusermount.c
index 4b799d9..ef9d1ed 100644
--- a/util/fusermount.c
+++ b/util/fusermount.c
@@ -1046,6 +1046,7 @@ static int check_perm(const char **mntp, struct stat *stbuf, int *mountpoint_fd)
0x5346544E /* NTFS_SB_MAGIC */,
0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
0x52654973 /* REISERFS_SUPER_MAGIC */,
+ 0xFE534D42 /* SMB2_SUPER_MAGIC */,
0x73717368 /* SQUASHFS_MAGIC */,
0x01021994 /* TMPFS_MAGIC */,
0x24051905 /* UBIFS_SUPER_MAGIC */,
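Review bot: The added `0xFE534D42 /* SMB2_SUPER_MAGIC */` entry in check_perm's filesystem-type list carries no explanation of why this type is acceptable as a mountpoint; the patch header only links a bug comment. This list decides which mountpoint filesystems fusermount accepts when a regular user asks for a mount, so each addition should record its justification beside the value, for example `/* f_type reported for SMB2+ mounts, rhbz#1694552 */`. The fuse3 backport later on this page adds the same entry and needs the same comment. check_perm starts and ends outside the hunk, so how a match is used afterwards cannot be checked from here.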

View File

@ -0,0 +1,19 @@
From: Peter Lemenkov <lemenkov@gmail.com>
Date: Mon, 9 Aug 2010 12:10:40 +0400
Subject: [PATCH] More parentheses
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
diff --git a/lib/fuse.c b/lib/fuse.c
index a40e995..479736c 100755
--- a/lib/fuse.c
+++ b/lib/fuse.c
@@ -1759,7 +1759,7 @@ int fuse_fs_open(struct fuse_fs *fs, const char *path,
fprintf(stderr, "open flags: 0x%x %s\n", fi->flags,
path);
- err = fs->op.open(path, fi);
+ err = (fs->op.open)(path, fi);
if (fs->debug && !err)
fprintf(stderr, " open[%llu] flags: 0x%x %s\n",


@ -1,6 +1,12 @@
diff -up libfuse-fuse-3.4.2/util/install_helper.sh.nodev libfuse-fuse-3.4.2/util/install_helper.sh From: Tom Callaway <spot@fedoraproject.org>
--- libfuse-fuse-3.4.2/util/install_helper.sh.nodev 2019-03-25 15:02:57.164858463 -0400 Date: Mon, 25 Mar 2019 15:17:36 -0400
+++ libfuse-fuse-3.4.2/util/install_helper.sh 2019-03-25 15:04:09.505292563 -0400 Subject: [PATCH] disable device creation during build/install
diff --git a/util/install_helper.sh b/util/install_helper.sh
index 688b245..8f40a9f 100755
--- a/util/install_helper.sh
+++ b/util/install_helper.sh
@@ -22,18 +22,12 @@ else @@ -22,18 +22,12 @@ else
DESTDIR="${DESTDIR%/}" DESTDIR="${DESTDIR%/}"
fi fi


@ -0,0 +1,63 @@
From: Peter Lemenkov <lemenkov@gmail.com>
Date: Wed, 3 Apr 2019 22:43:48 +0200
Subject: [PATCH] Whitelist smb2 (#392)
See also https://bugzilla.redhat.com/1694552#c7
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
diff --git a/ChangeLog.rst b/ChangeLog.rst
index 74bd0be..f711b2f 100644
--- a/ChangeLog.rst
+++ b/ChangeLog.rst
@@ -1,3 +1,6 @@
+* Added SMB2 to whitelist (so users can now mount FUSE filesystems
+ on mountpoints within SMB 2.0 filesystems).
+
libfuse 3.4.2 (2019-03-09)
==========================
diff --git a/util/fusermount.c b/util/fusermount.c
index 7f9b7cd..5e0b104 100644
--- a/util/fusermount.c
+++ b/util/fusermount.c
@@ -1012,35 +1012,36 @@ static int check_perm(const char **mntp, struct stat *stbuf, int *mountpoint_fd)
* but got expanded as we found more filesystems that needed to be
* overlayed. */
typeof(fs_buf.f_type) f_type_whitelist[] = {
- 0x5346414f /* OPENAFS_SUPER_MAGIC */,
0x61756673 /* AUFS_SUPER_MAGIC */,
0x00000187 /* AUTOFS_SUPER_MAGIC */,
0xCA451A4E /* BCACHEFS_STATFS_MAGIC */,
0x9123683E /* BTRFS_SUPER_MAGIC */,
0x00C36400 /* CEPH_SUPER_MAGIC */,
0xFF534D42 /* CIFS_MAGIC_NUMBER */,
- 0X00004D44 /* MSDOS_SUPER_MAGIC */,
0x0000F15F /* ECRYPTFS_SUPER_MAGIC */,
0x0000EF53 /* EXT[234]_SUPER_MAGIC */,
0xF2F52010 /* F2FS_SUPER_MAGIC */,
0x65735546 /* FUSE_SUPER_MAGIC */,
0x01161970 /* GFS2_MAGIC */,
0x47504653 /* GPFS_SUPER_MAGIC */,
- 0x3153464A /* JFS_SUPER_MAGIC */,
+ 0x0000482b /* HFSPLUS_SUPER_MAGIC */,
0x000072B6 /* JFFS2_SUPER_MAGIC */,
+ 0x3153464A /* JFS_SUPER_MAGIC */,
0x0BD00BD0 /* LL_SUPER_MAGIC */,
+ 0X00004D44 /* MSDOS_SUPER_MAGIC */,
0x0000564C /* NCP_SUPER_MAGIC */,
0x00006969 /* NFS_SUPER_MAGIC */,
0x00003434 /* NILFS_SUPER_MAGIC */,
0x5346544E /* NTFS_SB_MAGIC */,
+ 0x5346414f /* OPENAFS_SUPER_MAGIC */,
0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
0x52654973 /* REISERFS_SUPER_MAGIC */,
+ 0xFE534D42 /* SMB2_SUPER_MAGIC */,
0x73717368 /* SQUASHFS_MAGIC */,
0x01021994 /* TMPFS_MAGIC */,
0x24051905 /* UBIFS_SUPER_MAGIC */,
0x58465342 /* XFS_SB_MAGIC */,
0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
- 0x0000482b /* HFSPLUS_SUPER_MAGIC */,
};
for (i = 0; i < sizeof(f_type_whitelist)/sizeof(f_type_whitelist[0]); i++) {
if (f_type_whitelist[i] == fs_buf.f_type)
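Review bot: The fusermount.c hunk re-sorts `f_type_whitelist` in the same change that adds `0xFE534D42 /* SMB2_SUPER_MAGIC */`, so the single line that widens what check_perm accepts is mixed with four entries that only move. For a downstream backport I would carry just the added line, as the fuse2 patch on this page does, or state in the patch header that the sort comes from the upstream pull request; either way later audits of the list stay easy to read. While the MSDOS entry is being moved, its `0X00004D44` prefix could be normalised to `0x00004D44` to match the other entries. The loop that walks the list and the rest of check_perm continue past the end of the hunk.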


@ -1,2 +1,2 @@
SHA512 (fuse-3.4.2.tar.gz) = ba59f261a51803517cf5d131a74455cf3143e80382c9a9612037cbce9941af867d379955417c384fe0b28e31b5a16f9d0ff35337c7e565830767879458c942be
SHA512 (fuse-2.9.9.tar.gz) = 3d82fafd04f2924299bb09d2bb144935fa004a43fb9a6568e2e1cc5a60fded2efa1711029a0d7f12b3e6e4501f7217f2ee3545646d89da8dece083cb390f23e2 SHA512 (fuse-2.9.9.tar.gz) = 3d82fafd04f2924299bb09d2bb144935fa004a43fb9a6568e2e1cc5a60fded2efa1711029a0d7f12b3e6e4501f7217f2ee3545646d89da8dece083cb390f23e2
SHA512 (fuse-3.4.2.tar.gz) = ba59f261a51803517cf5d131a74455cf3143e80382c9a9612037cbce9941af867d379955417c384fe0b28e31b5a16f9d0ff35337c7e565830767879458c942be