[Linux] Make krun_start_enter error when root directory does not exist

Previously krun_start_enter would succeed and the guest kernel would
just panic. The root filesystem directory was opened lazily when
the guest kernel used fuse init opcode.
This commit changes it so the root directory is opened when
creating the fs device.

This only fixes it on Linux, but not in the macOS implementation.

Signed-off-by: Matej Hrica <[email protected]>

Author: mtjhrc

src/devices/src/virtio/fs/device.rs

@@ -95,7 +95,7 @@ impl Fs {
             device_state: DeviceState::Inactive,
             config,
             shm_region: None,
-            server: Server::new(PassthroughFs::new(fs_cfg).unwrap()),
+            server: Server::new(PassthroughFs::new(fs_cfg).map_err(FsError::FailedToMount)?),
             intc: None,
             irq_line: None,
         })

src/devices/src/virtio/fs/linux/passthrough.rs

@@ -266,6 +266,47 @@ impl Default for Config {
     }
 }
 
+fn insert_root_dir(
+    root_dir: &str,
+    inodes: &mut MultikeyBTreeMap<Inode, InodeAltKey, Arc<InodeData>>,
+) -> io::Result<()> {
+    let root = CString::new(root_dir).expect("CString::new failed");
+
+    // Safe because this doesn't modify any memory and we check the return value.
+    // We use `O_PATH` because we just want this for traversing the directory tree
+    // and not for actually reading the contents.
+    let fd = unsafe {
+        libc::openat(
+            libc::AT_FDCWD,
+            root.as_ptr(),
+            libc::O_PATH | libc::O_NOFOLLOW | libc::O_CLOEXEC,
+        )
+    };
+    if fd < 0 {
+        return Err(io::Error::last_os_error());
+    }
+
+    // Safe because we just opened this fd above.
+    let f = unsafe { File::from_raw_fd(fd) };
+
+    let st = stat(&f)?;
+
+    // Not sure why the root inode gets a refcount of 2 but that's what libfuse does.
+    inodes.insert(
+        fuse::ROOT_ID,
+        InodeAltKey {
+            ino: st.st_ino,
+            dev: st.st_dev,
+        },
+        Arc::new(InodeData {
+            inode: fuse::ROOT_ID,
+            file: f,
+            refcount: AtomicU64::new(2),
+        }),
+    );
+    Ok(())
+}
+
 /// A file system that simply "passes through" all requests it receives to the underlying file
 /// system. To keep the implementation simple it servers the contents of its root directory. Users
 /// that wish to serve only a specific directory should set up the environment so that that
@@ -324,9 +365,11 @@ impl PassthroughFs {
 
         // Safe because we just opened this fd or it was provided by our caller.
         let proc_self_fd = unsafe { File::from_raw_fd(fd) };
+        let mut inodes = MultikeyBTreeMap::new();
+        insert_root_dir(&cfg.root_dir, &mut inodes)?;
 
         Ok(PassthroughFs {
-            inodes: RwLock::new(MultikeyBTreeMap::new()),
+            inodes: RwLock::new(inodes),
             next_inode: AtomicU64::new(fuse::ROOT_ID + 2),
             init_inode: fuse::ROOT_ID + 1,
 
@@ -683,48 +726,11 @@ impl FileSystem for PassthroughFs {
     type Handle = Handle;
 
     fn init(&self, capable: FsOptions) -> io::Result<FsOptions> {
-        let root = CString::new(self.cfg.root_dir.as_str()).expect("CString::new failed");
-
-        // Safe because this doesn't modify any memory and we check the return value.
-        // We use `O_PATH` because we just want this for traversing the directory tree
-        // and not for actually reading the contents.
-        let fd = unsafe {
-            libc::openat(
-                libc::AT_FDCWD,
-                root.as_ptr(),
-                libc::O_PATH | libc::O_NOFOLLOW | libc::O_CLOEXEC,
-            )
-        };
-        if fd < 0 {
-            return Err(io::Error::last_os_error());
-        }
-
-        // Safe because we just opened this fd above.
-        let f = unsafe { File::from_raw_fd(fd) };
-
-        let st = stat(&f)?;
-
         // Safe because this doesn't modify any memory and there is no need to check the return
         // value because this system call always succeeds. We need to clear the umask here because
         // we want the client to be able to set all the bits in the mode.
         unsafe { libc::umask(0o000) };
 
-        let mut inodes = self.inodes.write().unwrap();
-
-        // Not sure why the root inode gets a refcount of 2 but that's what libfuse does.
-        inodes.insert(
-            fuse::ROOT_ID,
-            InodeAltKey {
-                ino: st.st_ino,
-                dev: st.st_dev,
-            },
-            Arc::new(InodeData {
-                inode: fuse::ROOT_ID,
-                file: f,
-                refcount: AtomicU64::new(2),
-            }),
-        );
-
         let mut opts = FsOptions::DO_READDIRPLUS | FsOptions::READDIRPLUS_AUTO;
         if self.cfg.writeback && capable.contains(FsOptions::WRITEBACK_CACHE) {
             opts |= FsOptions::WRITEBACK_CACHE;

src/devices/src/virtio/fs/mod.rs

@@ -59,6 +59,8 @@ pub enum FsError {
     InvalidXattrSize((u32, usize)),
     QueueReader(DescriptorError),
     QueueWriter(DescriptorError),
+    /// Could not open the root directory or mapped volumes (they do not exist, permission error...)
+    FailedToMount(io::Error),
 }
 
 type Result<T> = std::result::Result<T, FsError>;

src/libkrun/src/lib.rs

@@ -770,8 +770,8 @@ pub extern "C" fn krun_start_enter(ctx_id: u32) -> i32 {
 
     #[cfg(not(feature = "tee"))]
     if let Some(fs_cfg) = ctx_cfg.get_fs_cfg() {
-        if ctx_cfg.vmr.set_fs_device(fs_cfg).is_err() {
-            error!("Error configuring virtio-fs");
+        if let Err(e) = ctx_cfg.vmr.set_fs_device(fs_cfg) {
+            error!("Error configuring virtio-fs {e:?}");
             return -libc::EINVAL;
         }
     }