2016-12-16 03:02:56 -07:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2011 Novell Inc.
|
|
|
|
* Copyright (C) 2016 Red Hat, Inc.
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License version 2 as published by
|
|
|
|
* the Free Software Foundation.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/mount.h>
|
|
|
|
#include <linux/slab.h>
|
2017-02-02 09:54:15 -07:00
|
|
|
#include <linux/cred.h>
|
2016-12-16 03:02:56 -07:00
|
|
|
#include <linux/xattr.h>
|
2017-06-21 06:28:36 -06:00
|
|
|
#include <linux/exportfs.h>
|
|
|
|
#include <linux/uuid.h>
|
2017-06-21 04:46:12 -06:00
|
|
|
#include <linux/namei.h>
|
|
|
|
#include <linux/ratelimit.h>
|
2016-12-16 03:02:56 -07:00
|
|
|
#include "overlayfs.h"
|
|
|
|
|
|
|
|
int ovl_want_write(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
|
|
|
|
return mnt_want_write(ofs->upper_mnt);
|
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_drop_write(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
|
|
|
|
mnt_drop_write(ofs->upper_mnt);
|
|
|
|
}
|
|
|
|
|
|
|
|
struct dentry *ovl_workdir(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
|
|
|
|
return ofs->workdir;
|
|
|
|
}
|
|
|
|
|
|
|
|
const struct cred *ovl_override_creds(struct super_block *sb)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = sb->s_fs_info;
|
|
|
|
|
ANDROID: overlayfs: override_creds=off option bypass creator_cred
By default, all access to the upper, lower and work directories is the
recorded mounter's MAC and DAC credentials. The incoming accesses are
checked against the caller's credentials.
If the principles of least privilege are applied, the mounter's
credentials might not overlap the credentials of the caller's when
accessing the overlayfs filesystem. For example, a file that a lower
DAC privileged caller can execute, is MAC denied to the generally
higher DAC privileged mounter, to prevent an attack vector.
We add the option to turn off override_creds in the mount options; all
subsequent operations after mount on the filesystem will be only the
caller's credentials. The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/override_creds.
It was not always this way. Circa 4.6 there was no recorded mounter's
credentials, instead privileged access to upper or work directories
were temporarily increased to perform the operations. The MAC
(selinux) policies were caller's in all cases. override_creds=off
partially returns us to this older access model minus the insecure
temporary credential increases. This is to permit use in a system
with non-overlapping security models for each executable including
the agent that mounts the overlayfs filesystem. In Android
this is the case since init, which performs the mount operations,
has a minimal MAC set of privileges to reduce any attack surface,
and services that use the content have a different set of MAC
privileges (eg: read, for vendor labelled configuration, execute for
vendor libraries and modules). The caveats are not a problem in
the Android usage model, however they should be fixed for
completeness and for general use in time.
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-unionfs@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
---
v9:
- Add to the caveats
v8:
- drop pr_warn message after straw poll to remove it.
- added a use case in the commit message
v7:
- change name of internal parameter to ovl_override_creds_def
- report override_creds only if different than default
v6:
- Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS.
- Do better with the documentation.
- pr_warn message adjusted to report consequences.
v5:
- beefed up the caveats in the Documentation
- Is dependent on
"overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh"
"overlayfs: check CAP_MKNOD before issuing vfs_whiteout"
- Added prwarn when override_creds=off
v4:
- spelling and grammar errors in text
v3:
- Change name from caller_credentials / creator_credentials to the
boolean override_creds.
- Changed from creator to mounter credentials.
- Updated and fortified the documentation.
- Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS
v2:
- Forward port changed attr to stat, resulting in a build error.
- altered commit message.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
(cherry picked from https://lore.kernel.org/patchwork/patch/1009299)
Bug: 109821005
Bug: 112955896
Bug: 127298877
Change-Id: Ie43b0c7dfd64f4cfc27dfe5e1622ea01f3b000cf
2019-02-22 13:09:42 -07:00
|
|
|
if (!ofs->config.override_creds)
|
|
|
|
return NULL;
|
2016-12-16 03:02:56 -07:00
|
|
|
return override_creds(ofs->creator_cred);
|
|
|
|
}
|
|
|
|
|
ANDROID: overlayfs: override_creds=off option bypass creator_cred
By default, all access to the upper, lower and work directories is the
recorded mounter's MAC and DAC credentials. The incoming accesses are
checked against the caller's credentials.
If the principles of least privilege are applied, the mounter's
credentials might not overlap the credentials of the caller's when
accessing the overlayfs filesystem. For example, a file that a lower
DAC privileged caller can execute, is MAC denied to the generally
higher DAC privileged mounter, to prevent an attack vector.
We add the option to turn off override_creds in the mount options; all
subsequent operations after mount on the filesystem will be only the
caller's credentials. The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/override_creds.
It was not always this way. Circa 4.6 there was no recorded mounter's
credentials, instead privileged access to upper or work directories
were temporarily increased to perform the operations. The MAC
(selinux) policies were caller's in all cases. override_creds=off
partially returns us to this older access model minus the insecure
temporary credential increases. This is to permit use in a system
with non-overlapping security models for each executable including
the agent that mounts the overlayfs filesystem. In Android
this is the case since init, which performs the mount operations,
has a minimal MAC set of privileges to reduce any attack surface,
and services that use the content have a different set of MAC
privileges (eg: read, for vendor labelled configuration, execute for
vendor libraries and modules). The caveats are not a problem in
the Android usage model, however they should be fixed for
completeness and for general use in time.
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-unionfs@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
---
v9:
- Add to the caveats
v8:
- drop pr_warn message after straw poll to remove it.
- added a use case in the commit message
v7:
- change name of internal parameter to ovl_override_creds_def
- report override_creds only if different than default
v6:
- Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS.
- Do better with the documentation.
- pr_warn message adjusted to report consequences.
v5:
- beefed up the caveats in the Documentation
- Is dependent on
"overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh"
"overlayfs: check CAP_MKNOD before issuing vfs_whiteout"
- Added prwarn when override_creds=off
v4:
- spelling and grammar errors in text
v3:
- Change name from caller_credentials / creator_credentials to the
boolean override_creds.
- Changed from creator to mounter credentials.
- Updated and fortified the documentation.
- Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS
v2:
- Forward port changed attr to stat, resulting in a build error.
- altered commit message.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
(cherry picked from https://lore.kernel.org/patchwork/patch/1009299)
Bug: 109821005
Bug: 112955896
Bug: 127298877
Change-Id: Ie43b0c7dfd64f4cfc27dfe5e1622ea01f3b000cf
2019-02-22 13:09:42 -07:00
|
|
|
void ovl_revert_creds(const struct cred *old_cred)
|
|
|
|
{
|
|
|
|
if (old_cred)
|
|
|
|
revert_creds(old_cred);
|
|
|
|
}
|
|
|
|
|
2019-07-23 14:53:48 -06:00
|
|
|
ssize_t ovl_vfs_getxattr(struct dentry *dentry, const char *name, void *buf,
|
|
|
|
size_t size)
|
|
|
|
{
|
|
|
|
return __vfs_getxattr(dentry, d_inode(dentry), name, buf, size);
|
|
|
|
}
|
|
|
|
|
2017-03-22 06:42:21 -06:00
|
|
|
struct super_block *ovl_same_sb(struct super_block *sb)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = sb->s_fs_info;
|
|
|
|
|
2018-03-28 11:22:41 -06:00
|
|
|
if (!ofs->numlowerfs)
|
|
|
|
return ofs->upper_mnt->mnt_sb;
|
|
|
|
else if (ofs->numlowerfs == 1 && !ofs->upper_mnt)
|
|
|
|
return ofs->lower_fs[0].sb;
|
|
|
|
else
|
|
|
|
return NULL;
|
2017-03-22 06:42:21 -06:00
|
|
|
}
|
|
|
|
|
2017-11-07 04:55:04 -07:00
|
|
|
/*
|
|
|
|
* Check if underlying fs supports file handles and try to determine encoding
|
|
|
|
* type, in order to deduce maximum inode number used by fs.
|
|
|
|
*
|
|
|
|
* Return 0 if file handles are not supported.
|
|
|
|
* Return 1 (FILEID_INO32_GEN) if fs uses the default 32bit inode encoding.
|
|
|
|
* Return -1 if fs uses a non default encoding with unknown inode size.
|
|
|
|
*/
|
|
|
|
int ovl_can_decode_fh(struct super_block *sb)
|
2017-06-21 06:28:36 -06:00
|
|
|
{
|
2017-11-07 04:55:04 -07:00
|
|
|
if (!sb->s_export_op || !sb->s_export_op->fh_to_dentry ||
|
|
|
|
uuid_is_null(&sb->s_uuid))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
return sb->s_export_op->encode_fh ? -1 : FILEID_INO32_GEN;
|
2017-06-21 06:28:36 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
struct dentry *ovl_indexdir(struct super_block *sb)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = sb->s_fs_info;
|
|
|
|
|
|
|
|
return ofs->indexdir;
|
|
|
|
}
|
|
|
|
|
2018-01-19 02:26:53 -07:00
|
|
|
/* Index all files on copy up. For now only enabled for NFS export */
|
|
|
|
bool ovl_index_all(struct super_block *sb)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = sb->s_fs_info;
|
|
|
|
|
|
|
|
return ofs->config.nfs_export && ofs->config.index;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Verify lower origin on lookup. For now only enabled for NFS export */
|
|
|
|
bool ovl_verify_lower(struct super_block *sb)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = sb->s_fs_info;
|
|
|
|
|
|
|
|
return ofs->config.nfs_export && ofs->config.index;
|
|
|
|
}
|
|
|
|
|
2016-12-16 03:02:56 -07:00
|
|
|
struct ovl_entry *ovl_alloc_entry(unsigned int numlower)
|
|
|
|
{
|
|
|
|
size_t size = offsetof(struct ovl_entry, lowerstack[numlower]);
|
|
|
|
struct ovl_entry *oe = kzalloc(size, GFP_KERNEL);
|
|
|
|
|
|
|
|
if (oe)
|
|
|
|
oe->numlower = numlower;
|
|
|
|
|
|
|
|
return oe;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool ovl_dentry_remote(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return dentry->d_flags &
|
|
|
|
(DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE |
|
|
|
|
DCACHE_OP_REAL);
|
|
|
|
}
|
|
|
|
|
|
|
|
bool ovl_dentry_weird(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return dentry->d_flags & (DCACHE_NEED_AUTOMOUNT |
|
|
|
|
DCACHE_MANAGE_TRANSIT |
|
|
|
|
DCACHE_OP_HASH |
|
|
|
|
DCACHE_OP_COMPARE);
|
|
|
|
}
|
|
|
|
|
|
|
|
enum ovl_path_type ovl_path_type(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct ovl_entry *oe = dentry->d_fsdata;
|
|
|
|
enum ovl_path_type type = 0;
|
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
if (ovl_dentry_upper(dentry)) {
|
2016-12-16 03:02:56 -07:00
|
|
|
type = __OVL_PATH_UPPER;
|
|
|
|
|
|
|
|
/*
|
2017-04-23 14:12:34 -06:00
|
|
|
* Non-dir dentry can hold lower dentry of its copy up origin.
|
2016-12-16 03:02:56 -07:00
|
|
|
*/
|
2017-04-23 14:12:34 -06:00
|
|
|
if (oe->numlower) {
|
2018-05-11 09:49:32 -06:00
|
|
|
if (ovl_test_flag(OVL_CONST_INO, d_inode(dentry)))
|
|
|
|
type |= __OVL_PATH_ORIGIN;
|
2018-05-11 09:49:32 -06:00
|
|
|
if (d_is_dir(dentry) ||
|
|
|
|
!ovl_has_upperdata(d_inode(dentry)))
|
2017-04-23 14:12:34 -06:00
|
|
|
type |= __OVL_PATH_MERGE;
|
|
|
|
}
|
2016-12-16 03:02:56 -07:00
|
|
|
} else {
|
|
|
|
if (oe->numlower > 1)
|
|
|
|
type |= __OVL_PATH_MERGE;
|
|
|
|
}
|
|
|
|
return type;
|
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_path_upper(struct dentry *dentry, struct path *path)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
|
|
|
|
|
|
|
|
path->mnt = ofs->upper_mnt;
|
2017-07-04 14:03:16 -06:00
|
|
|
path->dentry = ovl_dentry_upper(dentry);
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_path_lower(struct dentry *dentry, struct path *path)
|
|
|
|
{
|
|
|
|
struct ovl_entry *oe = dentry->d_fsdata;
|
|
|
|
|
2017-07-24 00:57:54 -06:00
|
|
|
if (oe->numlower) {
|
|
|
|
path->mnt = oe->lowerstack[0].layer->mnt;
|
|
|
|
path->dentry = oe->lowerstack[0].dentry;
|
|
|
|
} else {
|
|
|
|
*path = (struct path) { };
|
|
|
|
}
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2018-05-11 09:49:30 -06:00
|
|
|
void ovl_path_lowerdata(struct dentry *dentry, struct path *path)
|
|
|
|
{
|
|
|
|
struct ovl_entry *oe = dentry->d_fsdata;
|
|
|
|
|
|
|
|
if (oe->numlower) {
|
|
|
|
path->mnt = oe->lowerstack[oe->numlower - 1].layer->mnt;
|
|
|
|
path->dentry = oe->lowerstack[oe->numlower - 1].dentry;
|
|
|
|
} else {
|
|
|
|
*path = (struct path) { };
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-12-16 03:02:56 -07:00
|
|
|
enum ovl_path_type ovl_path_real(struct dentry *dentry, struct path *path)
|
|
|
|
{
|
|
|
|
enum ovl_path_type type = ovl_path_type(dentry);
|
|
|
|
|
|
|
|
if (!OVL_TYPE_UPPER(type))
|
|
|
|
ovl_path_lower(dentry, path);
|
|
|
|
else
|
|
|
|
ovl_path_upper(dentry, path);
|
|
|
|
|
|
|
|
return type;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct dentry *ovl_dentry_upper(struct dentry *dentry)
|
|
|
|
{
|
2017-07-04 14:03:16 -06:00
|
|
|
return ovl_upperdentry_dereference(OVL_I(d_inode(dentry)));
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
struct dentry *ovl_dentry_lower(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct ovl_entry *oe = dentry->d_fsdata;
|
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
return oe->numlower ? oe->lowerstack[0].dentry : NULL;
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2017-11-08 10:39:51 -07:00
|
|
|
struct ovl_layer *ovl_layer_lower(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct ovl_entry *oe = dentry->d_fsdata;
|
|
|
|
|
|
|
|
return oe->numlower ? oe->lowerstack[0].layer : NULL;
|
|
|
|
}
|
|
|
|
|
2018-05-11 09:49:30 -06:00
|
|
|
/*
|
|
|
|
* ovl_dentry_lower() could return either a data dentry or metacopy dentry
|
|
|
|
* dependig on what is stored in lowerstack[0]. At times we need to find
|
|
|
|
* lower dentry which has data (and not metacopy dentry). This helper
|
|
|
|
* returns the lower data dentry.
|
|
|
|
*/
|
|
|
|
struct dentry *ovl_dentry_lowerdata(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct ovl_entry *oe = dentry->d_fsdata;
|
|
|
|
|
|
|
|
return oe->numlower ? oe->lowerstack[oe->numlower - 1].dentry : NULL;
|
|
|
|
}
|
|
|
|
|
2016-12-16 03:02:56 -07:00
|
|
|
struct dentry *ovl_dentry_real(struct dentry *dentry)
|
|
|
|
{
|
2017-07-04 14:03:16 -06:00
|
|
|
return ovl_dentry_upper(dentry) ?: ovl_dentry_lower(dentry);
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2017-07-20 03:08:21 -06:00
|
|
|
struct dentry *ovl_i_dentry_upper(struct inode *inode)
|
|
|
|
{
|
|
|
|
return ovl_upperdentry_dereference(OVL_I(inode));
|
|
|
|
}
|
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
struct inode *ovl_inode_upper(struct inode *inode)
|
2017-07-04 14:03:16 -06:00
|
|
|
{
|
2017-07-20 03:08:21 -06:00
|
|
|
struct dentry *upperdentry = ovl_i_dentry_upper(inode);
|
2017-07-04 14:03:16 -06:00
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
return upperdentry ? d_inode(upperdentry) : NULL;
|
|
|
|
}
|
2017-07-04 14:03:16 -06:00
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
struct inode *ovl_inode_lower(struct inode *inode)
|
|
|
|
{
|
|
|
|
return OVL_I(inode)->lower;
|
|
|
|
}
|
2017-07-04 14:03:16 -06:00
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
struct inode *ovl_inode_real(struct inode *inode)
|
|
|
|
{
|
|
|
|
return ovl_inode_upper(inode) ?: ovl_inode_lower(inode);
|
2017-07-04 14:03:16 -06:00
|
|
|
}
|
|
|
|
|
2018-05-11 09:49:30 -06:00
|
|
|
/* Return inode which contains lower data. Do not return metacopy */
|
|
|
|
struct inode *ovl_inode_lowerdata(struct inode *inode)
|
|
|
|
{
|
|
|
|
if (WARN_ON(!S_ISREG(inode->i_mode)))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return OVL_I(inode)->lowerdata ?: ovl_inode_lower(inode);
|
|
|
|
}
|
2017-07-04 14:03:16 -06:00
|
|
|
|
2018-05-11 09:49:31 -06:00
|
|
|
/* Return real inode which contains data. Does not return metacopy inode */
|
|
|
|
struct inode *ovl_inode_realdata(struct inode *inode)
|
|
|
|
{
|
|
|
|
struct inode *upperinode;
|
|
|
|
|
|
|
|
upperinode = ovl_inode_upper(inode);
|
|
|
|
if (upperinode && ovl_has_upperdata(inode))
|
|
|
|
return upperinode;
|
|
|
|
|
|
|
|
return ovl_inode_lowerdata(inode);
|
|
|
|
}
|
|
|
|
|
2017-07-27 13:54:06 -06:00
|
|
|
struct ovl_dir_cache *ovl_dir_cache(struct inode *inode)
|
2016-12-16 03:02:56 -07:00
|
|
|
{
|
2017-07-27 13:54:06 -06:00
|
|
|
return OVL_I(inode)->cache;
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2017-07-27 13:54:06 -06:00
|
|
|
void ovl_set_dir_cache(struct inode *inode, struct ovl_dir_cache *cache)
|
2016-12-16 03:02:56 -07:00
|
|
|
{
|
2017-07-27 13:54:06 -06:00
|
|
|
OVL_I(inode)->cache = cache;
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2018-01-14 10:25:31 -07:00
|
|
|
void ovl_dentry_set_flag(unsigned long flag, struct dentry *dentry)
|
|
|
|
{
|
|
|
|
set_bit(flag, &OVL_E(dentry)->flags);
|
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_dentry_clear_flag(unsigned long flag, struct dentry *dentry)
|
|
|
|
{
|
|
|
|
clear_bit(flag, &OVL_E(dentry)->flags);
|
|
|
|
}
|
|
|
|
|
|
|
|
bool ovl_dentry_test_flag(unsigned long flag, struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return test_bit(flag, &OVL_E(dentry)->flags);
|
|
|
|
}
|
|
|
|
|
2016-12-16 03:02:56 -07:00
|
|
|
bool ovl_dentry_is_opaque(struct dentry *dentry)
|
|
|
|
{
|
2018-01-14 10:25:31 -07:00
|
|
|
return ovl_dentry_test_flag(OVL_E_OPAQUE, dentry);
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
bool ovl_dentry_is_whiteout(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
return !dentry->d_inode && ovl_dentry_is_opaque(dentry);
|
|
|
|
}
|
|
|
|
|
2016-12-16 03:02:57 -07:00
|
|
|
void ovl_dentry_set_opaque(struct dentry *dentry)
|
2016-12-16 03:02:56 -07:00
|
|
|
{
|
2018-01-14 10:25:31 -07:00
|
|
|
ovl_dentry_set_flag(OVL_E_OPAQUE, dentry);
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2017-07-04 14:03:18 -06:00
|
|
|
/*
|
2017-10-15 09:00:20 -06:00
|
|
|
* For hard links and decoded file handles, it's possible for ovl_dentry_upper()
|
|
|
|
* to return positive, while there's no actual upper alias for the inode.
|
|
|
|
* Copy up code needs to know about the existence of the upper alias, so it
|
|
|
|
* can't use ovl_dentry_upper().
|
2017-07-04 14:03:18 -06:00
|
|
|
*/
|
|
|
|
bool ovl_dentry_has_upper_alias(struct dentry *dentry)
|
|
|
|
{
|
2018-01-14 10:25:31 -07:00
|
|
|
return ovl_dentry_test_flag(OVL_E_UPPER_ALIAS, dentry);
|
2017-07-04 14:03:18 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_dentry_set_upper_alias(struct dentry *dentry)
|
|
|
|
{
|
2018-01-14 10:25:31 -07:00
|
|
|
ovl_dentry_set_flag(OVL_E_UPPER_ALIAS, dentry);
|
2017-07-04 14:03:18 -06:00
|
|
|
}
|
|
|
|
|
2018-05-11 09:49:28 -06:00
|
|
|
static bool ovl_should_check_upperdata(struct inode *inode)
|
|
|
|
{
|
|
|
|
if (!S_ISREG(inode->i_mode))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (!ovl_inode_lower(inode))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool ovl_has_upperdata(struct inode *inode)
|
|
|
|
{
|
|
|
|
if (!ovl_should_check_upperdata(inode))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
if (!ovl_test_flag(OVL_UPPERDATA, inode))
|
|
|
|
return false;
|
|
|
|
/*
|
|
|
|
* Pairs with smp_wmb() in ovl_set_upperdata(). Main user of
|
|
|
|
* ovl_has_upperdata() is ovl_copy_up_meta_inode_data(). Make sure
|
|
|
|
* if setting of OVL_UPPERDATA is visible, then effects of writes
|
|
|
|
* before that are visible too.
|
|
|
|
*/
|
|
|
|
smp_rmb();
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_set_upperdata(struct inode *inode)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Pairs with smp_rmb() in ovl_has_upperdata(). Make sure
|
|
|
|
* if OVL_UPPERDATA flag is visible, then effects of write operations
|
|
|
|
* before it are visible as well.
|
|
|
|
*/
|
|
|
|
smp_wmb();
|
|
|
|
ovl_set_flag(OVL_UPPERDATA, inode);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Caller should hold ovl_inode->lock */
|
|
|
|
bool ovl_dentry_needs_data_copy_up_locked(struct dentry *dentry, int flags)
|
|
|
|
{
|
|
|
|
if (!ovl_open_flags_need_copy_up(flags))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return !ovl_test_flag(OVL_UPPERDATA, d_inode(dentry));
|
|
|
|
}
|
|
|
|
|
|
|
|
bool ovl_dentry_needs_data_copy_up(struct dentry *dentry, int flags)
|
|
|
|
{
|
|
|
|
if (!ovl_open_flags_need_copy_up(flags))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return !ovl_has_upperdata(d_inode(dentry));
|
|
|
|
}
|
|
|
|
|
2016-12-16 03:02:56 -07:00
|
|
|
bool ovl_redirect_dir(struct super_block *sb)
|
|
|
|
{
|
|
|
|
struct ovl_fs *ofs = sb->s_fs_info;
|
|
|
|
|
2017-05-16 15:12:41 -06:00
|
|
|
return ofs->config.redirect_dir && !ofs->noxattr;
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
const char *ovl_dentry_get_redirect(struct dentry *dentry)
|
|
|
|
{
|
2017-07-04 14:03:16 -06:00
|
|
|
return OVL_I(d_inode(dentry))->redirect;
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_dentry_set_redirect(struct dentry *dentry, const char *redirect)
|
|
|
|
{
|
2017-07-04 14:03:16 -06:00
|
|
|
struct ovl_inode *oi = OVL_I(d_inode(dentry));
|
2016-12-16 03:02:56 -07:00
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
kfree(oi->redirect);
|
|
|
|
oi->redirect = redirect;
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
void ovl_inode_init(struct inode *inode, struct dentry *upperdentry,
|
2018-05-11 09:49:30 -06:00
|
|
|
struct dentry *lowerdentry, struct dentry *lowerdata)
|
2016-12-16 03:02:56 -07:00
|
|
|
{
|
2018-03-15 15:39:01 -06:00
|
|
|
struct inode *realinode = d_inode(upperdentry ?: lowerdentry);
|
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
if (upperdentry)
|
|
|
|
OVL_I(inode)->__upperdentry = upperdentry;
|
|
|
|
if (lowerdentry)
|
2018-01-14 09:35:40 -07:00
|
|
|
OVL_I(inode)->lower = igrab(d_inode(lowerdentry));
|
2018-05-11 09:49:30 -06:00
|
|
|
if (lowerdata)
|
|
|
|
OVL_I(inode)->lowerdata = igrab(d_inode(lowerdata));
|
2016-12-16 03:02:56 -07:00
|
|
|
|
2018-03-15 15:39:01 -06:00
|
|
|
ovl_copyattr(realinode, inode);
|
2018-07-18 07:44:41 -06:00
|
|
|
ovl_copyflags(realinode, inode);
|
2018-03-15 15:39:01 -06:00
|
|
|
if (!inode->i_ino)
|
|
|
|
inode->i_ino = realinode->i_ino;
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
void ovl_inode_update(struct inode *inode, struct dentry *upperdentry)
|
2016-12-16 03:02:56 -07:00
|
|
|
{
|
2017-07-04 14:03:16 -06:00
|
|
|
struct inode *upperinode = d_inode(upperdentry);
|
2017-07-04 14:03:16 -06:00
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
WARN_ON(OVL_I(inode)->__upperdentry);
|
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
/*
|
2017-07-04 14:03:16 -06:00
|
|
|
* Make sure upperdentry is consistent before making it visible
|
2017-07-04 14:03:16 -06:00
|
|
|
*/
|
|
|
|
smp_wmb();
|
2017-07-04 14:03:16 -06:00
|
|
|
OVL_I(inode)->__upperdentry = upperdentry;
|
2018-01-14 09:35:40 -07:00
|
|
|
if (inode_unhashed(inode)) {
|
2018-03-15 15:39:01 -06:00
|
|
|
if (!inode->i_ino)
|
|
|
|
inode->i_ino = upperinode->i_ino;
|
2017-07-04 14:03:16 -06:00
|
|
|
inode->i_private = upperinode;
|
2016-12-16 03:02:56 -07:00
|
|
|
__insert_inode_hash(inode, (unsigned long) upperinode);
|
2017-07-04 14:03:16 -06:00
|
|
|
}
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2018-07-18 07:44:40 -06:00
|
|
|
static void ovl_dentry_version_inc(struct dentry *dentry, bool impurity)
|
2016-12-16 03:02:56 -07:00
|
|
|
{
|
2017-07-04 14:03:16 -06:00
|
|
|
struct inode *inode = d_inode(dentry);
|
2016-12-16 03:02:56 -07:00
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
WARN_ON(!inode_is_locked(inode));
|
2017-07-27 13:54:06 -06:00
|
|
|
/*
|
|
|
|
* Version is used by readdir code to keep cache consistent. For merge
|
|
|
|
* dirs all changes need to be noted. For non-merge dirs, cache only
|
|
|
|
* contains impure (ones which have been copied up and have origins)
|
|
|
|
* entries, so only need to note changes to impure entries.
|
|
|
|
*/
|
|
|
|
if (OVL_TYPE_MERGE(ovl_path_type(dentry)) || impurity)
|
|
|
|
OVL_I(inode)->version++;
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
2018-07-18 07:44:40 -06:00
|
|
|
void ovl_dir_modified(struct dentry *dentry, bool impurity)
|
|
|
|
{
|
|
|
|
/* Copy mtime/ctime */
|
|
|
|
ovl_copyattr(d_inode(ovl_dentry_upper(dentry)), d_inode(dentry));
|
|
|
|
|
|
|
|
ovl_dentry_version_inc(dentry, impurity);
|
|
|
|
}
|
|
|
|
|
2016-12-16 03:02:56 -07:00
|
|
|
u64 ovl_dentry_version_get(struct dentry *dentry)
|
|
|
|
{
|
2017-07-04 14:03:16 -06:00
|
|
|
struct inode *inode = d_inode(dentry);
|
2016-12-16 03:02:56 -07:00
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
WARN_ON(!inode_is_locked(inode));
|
|
|
|
return OVL_I(inode)->version;
|
2016-12-16 03:02:56 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
bool ovl_is_whiteout(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct inode *inode = dentry->d_inode;
|
|
|
|
|
|
|
|
return inode && IS_WHITEOUT(inode);
|
|
|
|
}
|
|
|
|
|
|
|
|
struct file *ovl_path_open(struct path *path, int flags)
|
|
|
|
{
|
|
|
|
return dentry_open(path, flags | O_NOATIME, current_cred());
|
|
|
|
}
|
2017-01-16 21:34:56 -07:00
|
|
|
|
2018-05-11 09:49:28 -06:00
|
|
|
/* Caller should hold ovl_inode->lock */
|
|
|
|
static bool ovl_already_copied_up_locked(struct dentry *dentry, int flags)
|
|
|
|
{
|
|
|
|
bool disconnected = dentry->d_flags & DCACHE_DISCONNECTED;
|
|
|
|
|
|
|
|
if (ovl_dentry_upper(dentry) &&
|
|
|
|
(ovl_dentry_has_upper_alias(dentry) || disconnected) &&
|
|
|
|
!ovl_dentry_needs_data_copy_up_locked(dentry, flags))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool ovl_already_copied_up(struct dentry *dentry, int flags)
|
2018-05-11 09:49:28 -06:00
|
|
|
{
|
|
|
|
bool disconnected = dentry->d_flags & DCACHE_DISCONNECTED;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check if copy-up has happened as well as for upper alias (in
|
|
|
|
* case of hard links) is there.
|
|
|
|
*
|
|
|
|
* Both checks are lockless:
|
|
|
|
* - false negatives: will recheck under oi->lock
|
|
|
|
* - false positives:
|
|
|
|
* + ovl_dentry_upper() uses memory barriers to ensure the
|
|
|
|
* upper dentry is up-to-date
|
|
|
|
* + ovl_dentry_has_upper_alias() relies on locking of
|
|
|
|
* upper parent i_rwsem to prevent reordering copy-up
|
|
|
|
* with rename.
|
|
|
|
*/
|
|
|
|
if (ovl_dentry_upper(dentry) &&
|
2018-05-11 09:49:28 -06:00
|
|
|
(ovl_dentry_has_upper_alias(dentry) || disconnected) &&
|
|
|
|
!ovl_dentry_needs_data_copy_up(dentry, flags))
|
2018-05-11 09:49:28 -06:00
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2018-05-11 09:49:28 -06:00
|
|
|
int ovl_copy_up_start(struct dentry *dentry, int flags)
|
2017-01-16 21:34:56 -07:00
|
|
|
{
|
2017-06-21 06:28:51 -06:00
|
|
|
struct ovl_inode *oi = OVL_I(d_inode(dentry));
|
2017-01-16 21:34:56 -07:00
|
|
|
int err;
|
|
|
|
|
2017-06-21 06:28:51 -06:00
|
|
|
err = mutex_lock_interruptible(&oi->lock);
|
2018-05-11 09:49:28 -06:00
|
|
|
if (!err && ovl_already_copied_up_locked(dentry, flags)) {
|
2017-06-21 06:28:51 -06:00
|
|
|
err = 1; /* Already copied up */
|
|
|
|
mutex_unlock(&oi->lock);
|
2017-01-16 21:34:56 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_copy_up_end(struct dentry *dentry)
|
|
|
|
{
|
2017-06-21 06:28:51 -06:00
|
|
|
mutex_unlock(&OVL_I(d_inode(dentry))->lock);
|
2017-01-16 21:34:56 -07:00
|
|
|
}
|
2017-05-16 15:12:40 -06:00
|
|
|
|
2017-06-25 07:37:17 -06:00
|
|
|
bool ovl_check_origin_xattr(struct dentry *dentry)
|
|
|
|
{
|
2019-07-23 14:53:48 -06:00
|
|
|
ssize_t res;
|
2017-06-25 07:37:17 -06:00
|
|
|
|
2019-07-23 14:53:48 -06:00
|
|
|
res = ovl_vfs_getxattr(dentry, OVL_XATTR_ORIGIN, NULL, 0);
|
2017-06-25 07:37:17 -06:00
|
|
|
|
|
|
|
/* Zero size value means "copied up but origin unknown" */
|
|
|
|
if (res >= 0)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2017-05-24 06:29:33 -06:00
|
|
|
bool ovl_check_dir_xattr(struct dentry *dentry, const char *name)
|
|
|
|
{
|
2019-07-23 14:53:48 -06:00
|
|
|
ssize_t res;
|
2017-05-24 06:29:33 -06:00
|
|
|
char val;
|
|
|
|
|
|
|
|
if (!d_is_dir(dentry))
|
|
|
|
return false;
|
|
|
|
|
2019-07-23 14:53:48 -06:00
|
|
|
res = ovl_vfs_getxattr(dentry, name, &val, 1);
|
2017-05-24 06:29:33 -06:00
|
|
|
if (res == 1 && val == 'y')
|
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2017-05-16 15:12:40 -06:00
|
|
|
int ovl_check_setxattr(struct dentry *dentry, struct dentry *upperdentry,
|
|
|
|
const char *name, const void *value, size_t size,
|
|
|
|
int xerr)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
|
|
|
|
|
|
|
|
if (ofs->noxattr)
|
|
|
|
return xerr;
|
|
|
|
|
|
|
|
err = ovl_do_setxattr(upperdentry, name, value, size, 0);
|
|
|
|
|
|
|
|
if (err == -EOPNOTSUPP) {
|
|
|
|
pr_warn("overlayfs: cannot set %s xattr on upper\n", name);
|
|
|
|
ofs->noxattr = true;
|
|
|
|
return xerr;
|
|
|
|
}
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
2017-05-24 06:29:33 -06:00
|
|
|
|
|
|
|
int ovl_set_impure(struct dentry *dentry, struct dentry *upperdentry)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
if (ovl_test_flag(OVL_IMPURE, d_inode(dentry)))
|
2017-05-24 06:29:33 -06:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Do not fail when upper doesn't support xattrs.
|
|
|
|
* Upper inodes won't have origin nor redirect xattr anyway.
|
|
|
|
*/
|
|
|
|
err = ovl_check_setxattr(dentry, upperdentry, OVL_XATTR_IMPURE,
|
|
|
|
"y", 1, 0);
|
|
|
|
if (!err)
|
2017-07-04 14:03:16 -06:00
|
|
|
ovl_set_flag(OVL_IMPURE, d_inode(dentry));
|
2017-05-24 06:29:33 -06:00
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
2017-07-04 14:03:16 -06:00
|
|
|
|
|
|
|
void ovl_set_flag(unsigned long flag, struct inode *inode)
|
|
|
|
{
|
|
|
|
set_bit(flag, &OVL_I(inode)->flags);
|
|
|
|
}
|
|
|
|
|
2017-07-27 13:54:06 -06:00
|
|
|
void ovl_clear_flag(unsigned long flag, struct inode *inode)
|
|
|
|
{
|
|
|
|
clear_bit(flag, &OVL_I(inode)->flags);
|
|
|
|
}
|
|
|
|
|
2017-07-04 14:03:16 -06:00
|
|
|
bool ovl_test_flag(unsigned long flag, struct inode *inode)
|
|
|
|
{
|
|
|
|
return test_bit(flag, &OVL_I(inode)->flags);
|
|
|
|
}
|
2017-06-21 06:28:32 -06:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Caller must hold a reference to inode to prevent it from being freed while
|
|
|
|
* it is marked inuse.
|
|
|
|
*/
|
|
|
|
bool ovl_inuse_trylock(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct inode *inode = d_inode(dentry);
|
|
|
|
bool locked = false;
|
|
|
|
|
|
|
|
spin_lock(&inode->i_lock);
|
|
|
|
if (!(inode->i_state & I_OVL_INUSE)) {
|
|
|
|
inode->i_state |= I_OVL_INUSE;
|
|
|
|
locked = true;
|
|
|
|
}
|
|
|
|
spin_unlock(&inode->i_lock);
|
|
|
|
|
|
|
|
return locked;
|
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_inuse_unlock(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
if (dentry) {
|
|
|
|
struct inode *inode = d_inode(dentry);
|
|
|
|
|
|
|
|
spin_lock(&inode->i_lock);
|
|
|
|
WARN_ON(!(inode->i_state & I_OVL_INUSE));
|
|
|
|
inode->i_state &= ~I_OVL_INUSE;
|
|
|
|
spin_unlock(&inode->i_lock);
|
|
|
|
}
|
|
|
|
}
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
|
ovl: detect overlapping layers
[ Upstream commit 146d62e5a5867fbf84490d82455718bfb10fe824 ]
Overlapping overlay layers are not supported and can cause unexpected
behavior, but overlayfs does not currently check or warn about these
configurations.
User is not supposed to specify the same directory for upper and
lower dirs or for different lower layers and user is not supposed to
specify directories that are descendants of each other for overlay
layers, but that is exactly what this zysbot repro did:
https://syzkaller.appspot.com/x/repro.syz?x=12c7a94f400000
Moving layer root directories into other layers while overlayfs
is mounted could also result in unexpected behavior.
This commit places "traps" in the overlay inode hash table.
Those traps are dummy overlay inodes that are hashed by the layers
root inodes.
On mount, the hash table trap entries are used to verify that overlay
layers are not overlapping. While at it, we also verify that overlay
layers are not overlapping with directories "in-use" by other overlay
instances as upperdir/workdir.
On lookup, the trap entries are used to verify that overlay layers
root inodes have not been moved into other layers after mount.
Some examples:
$ ./run --ov --samefs -s
...
( mkdir -p base/upper/0/u base/upper/0/w base/lower lower upper mnt
mount -o bind base/lower lower
mount -o bind base/upper upper
mount -t overlay none mnt ...
-o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w)
$ umount mnt
$ mount -t overlay none mnt ...
-o lowerdir=base,upperdir=upper/0/u,workdir=upper/0/w
[ 94.434900] overlayfs: overlapping upperdir path
mount: mount overlay on mnt failed: Too many levels of symbolic links
$ mount -t overlay none mnt ...
-o lowerdir=upper/0/u,upperdir=upper/0/u,workdir=upper/0/w
[ 151.350132] overlayfs: conflicting lowerdir path
mount: none is already mounted or mnt busy
$ mount -t overlay none mnt ...
-o lowerdir=lower:lower/a,upperdir=upper/0/u,workdir=upper/0/w
[ 201.205045] overlayfs: overlapping lowerdir path
mount: mount overlay on mnt failed: Too many levels of symbolic links
$ mount -t overlay none mnt ...
-o lowerdir=lower,upperdir=upper/0/u,workdir=upper/0/w
$ mv base/upper/0/ base/lower/
$ find mnt/0
mnt/0
mnt/0/w
find: 'mnt/0/w/work': Too many levels of symbolic links
find: 'mnt/0/u': Too many levels of symbolic links
Reported-by: syzbot+9c69c282adc4edd2b540@syzkaller.appspotmail.com
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-04-18 08:42:08 -06:00
|
|
|
bool ovl_is_inuse(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct inode *inode = d_inode(dentry);
|
|
|
|
bool inuse;
|
|
|
|
|
|
|
|
spin_lock(&inode->i_lock);
|
|
|
|
inuse = (inode->i_state & I_OVL_INUSE);
|
|
|
|
spin_unlock(&inode->i_lock);
|
|
|
|
|
|
|
|
return inuse;
|
|
|
|
}
|
|
|
|
|
2017-09-25 22:55:26 -06:00
|
|
|
/*
|
|
|
|
* Does this overlay dentry need to be indexed on copy up?
|
|
|
|
*/
|
|
|
|
bool ovl_need_index(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct dentry *lower = ovl_dentry_lower(dentry);
|
|
|
|
|
|
|
|
if (!lower || !ovl_indexdir(dentry->d_sb))
|
|
|
|
return false;
|
|
|
|
|
2017-11-21 15:08:21 -07:00
|
|
|
/* Index all files for NFS export and consistency verification */
|
2018-01-11 05:01:08 -07:00
|
|
|
if (ovl_index_all(dentry->d_sb))
|
2017-11-21 15:08:21 -07:00
|
|
|
return true;
|
|
|
|
|
2017-09-25 22:55:26 -06:00
|
|
|
/* Index only lower hardlinks on copy up */
|
|
|
|
if (!d_is_dir(lower) && d_inode(lower)->i_nlink > 1)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2017-09-24 08:36:26 -06:00
|
|
|
/* Caller must hold OVL_I(inode)->lock */
|
2017-06-21 04:46:12 -06:00
|
|
|
static void ovl_cleanup_index(struct dentry *dentry)
|
|
|
|
{
|
2017-10-24 08:38:33 -06:00
|
|
|
struct dentry *indexdir = ovl_indexdir(dentry->d_sb);
|
|
|
|
struct inode *dir = indexdir->d_inode;
|
2017-06-21 04:46:12 -06:00
|
|
|
struct dentry *lowerdentry = ovl_dentry_lower(dentry);
|
|
|
|
struct dentry *upperdentry = ovl_dentry_upper(dentry);
|
|
|
|
struct dentry *index = NULL;
|
|
|
|
struct inode *inode;
|
2018-09-18 07:34:31 -06:00
|
|
|
struct qstr name = { };
|
2017-06-21 04:46:12 -06:00
|
|
|
int err;
|
|
|
|
|
|
|
|
err = ovl_get_index_name(lowerdentry, &name);
|
|
|
|
if (err)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
inode = d_inode(upperdentry);
|
2017-09-25 22:40:37 -06:00
|
|
|
if (!S_ISDIR(inode->i_mode) && inode->i_nlink != 1) {
|
2017-06-21 04:46:12 -06:00
|
|
|
pr_warn_ratelimited("overlayfs: cleanup linked index (%pd2, ino=%lu, nlink=%u)\n",
|
|
|
|
upperdentry, inode->i_ino, inode->i_nlink);
|
|
|
|
/*
|
|
|
|
* We either have a bug with persistent union nlink or a lower
|
|
|
|
* hardlink was added while overlay is mounted. Adding a lower
|
|
|
|
* hardlink and then unlinking all overlay hardlinks would drop
|
|
|
|
* overlay nlink to zero before all upper inodes are unlinked.
|
|
|
|
* As a safety measure, when that situation is detected, set
|
|
|
|
* the overlay nlink to the index inode nlink minus one for the
|
|
|
|
* index entry itself.
|
|
|
|
*/
|
|
|
|
set_nlink(d_inode(dentry), inode->i_nlink - 1);
|
|
|
|
ovl_set_nlink_upper(dentry);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
inode_lock_nested(dir, I_MUTEX_PARENT);
|
2017-10-24 08:38:33 -06:00
|
|
|
index = lookup_one_len(name.name, indexdir, name.len);
|
2017-06-21 04:46:12 -06:00
|
|
|
err = PTR_ERR(index);
|
2017-10-24 08:38:33 -06:00
|
|
|
if (IS_ERR(index)) {
|
2017-09-24 08:36:26 -06:00
|
|
|
index = NULL;
|
2017-10-24 08:38:33 -06:00
|
|
|
} else if (ovl_index_all(dentry->d_sb)) {
|
|
|
|
/* Whiteout orphan index to block future open by handle */
|
|
|
|
err = ovl_cleanup_and_whiteout(indexdir, dir, index);
|
|
|
|
} else {
|
|
|
|
/* Cleanup orphan index entries */
|
|
|
|
err = ovl_cleanup(dir, index);
|
|
|
|
}
|
2017-09-24 08:36:26 -06:00
|
|
|
|
2017-06-21 04:46:12 -06:00
|
|
|
inode_unlock(dir);
|
|
|
|
if (err)
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
out:
|
2018-09-18 07:34:31 -06:00
|
|
|
kfree(name.name);
|
2017-06-21 04:46:12 -06:00
|
|
|
dput(index);
|
|
|
|
return;
|
|
|
|
|
|
|
|
fail:
|
|
|
|
pr_err("overlayfs: cleanup index of '%pd2' failed (%i)\n", dentry, err);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
/*
|
|
|
|
* Operations that change overlay inode and upper inode nlink need to be
|
|
|
|
* synchronized with copy up for persistent nlink accounting.
|
|
|
|
*/
|
|
|
|
int ovl_nlink_start(struct dentry *dentry, bool *locked)
|
|
|
|
{
|
|
|
|
struct ovl_inode *oi = OVL_I(d_inode(dentry));
|
|
|
|
const struct cred *old_cred;
|
|
|
|
int err;
|
|
|
|
|
2017-09-25 22:40:37 -06:00
|
|
|
if (!d_inode(dentry))
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* With inodes index is enabled, we store the union overlay nlink
|
2017-09-25 22:55:26 -06:00
|
|
|
* in an xattr on the index inode. When whiting out an indexed lower,
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
* we need to decrement the overlay persistent nlink, but before the
|
|
|
|
* first copy up, we have no upper index inode to store the xattr.
|
|
|
|
*
|
2017-09-25 22:55:26 -06:00
|
|
|
* As a workaround, before whiteout/rename over an indexed lower,
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
* copy up to create the upper index. Creating the upper index will
|
|
|
|
* initialize the overlay nlink, so it could be dropped if unlink
|
|
|
|
* or rename succeeds.
|
|
|
|
*
|
|
|
|
* TODO: implement metadata only index copy up when called with
|
|
|
|
* ovl_copy_up_flags(dentry, O_PATH).
|
|
|
|
*/
|
2017-09-25 22:55:26 -06:00
|
|
|
if (ovl_need_index(dentry) && !ovl_dentry_has_upper_alias(dentry)) {
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
err = ovl_copy_up(dentry);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
err = mutex_lock_interruptible(&oi->lock);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
2017-09-25 22:40:37 -06:00
|
|
|
if (d_is_dir(dentry) || !ovl_test_flag(OVL_INDEX, d_inode(dentry)))
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
goto out;
|
|
|
|
|
|
|
|
old_cred = ovl_override_creds(dentry->d_sb);
|
|
|
|
/*
|
|
|
|
* The overlay inode nlink should be incremented/decremented IFF the
|
|
|
|
* upper operation succeeds, along with nlink change of upper inode.
|
|
|
|
* Therefore, before link/unlink/rename, we store the union nlink
|
|
|
|
* value relative to the upper inode nlink in an upper inode xattr.
|
|
|
|
*/
|
|
|
|
err = ovl_set_nlink_upper(dentry);
|
ANDROID: overlayfs: override_creds=off option bypass creator_cred
By default, all access to the upper, lower and work directories is the
recorded mounter's MAC and DAC credentials. The incoming accesses are
checked against the caller's credentials.
If the principles of least privilege are applied, the mounter's
credentials might not overlap the credentials of the caller's when
accessing the overlayfs filesystem. For example, a file that a lower
DAC privileged caller can execute, is MAC denied to the generally
higher DAC privileged mounter, to prevent an attack vector.
We add the option to turn off override_creds in the mount options; all
subsequent operations after mount on the filesystem will be only the
caller's credentials. The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/override_creds.
It was not always this way. Circa 4.6 there was no recorded mounter's
credentials, instead privileged access to upper or work directories
were temporarily increased to perform the operations. The MAC
(selinux) policies were caller's in all cases. override_creds=off
partially returns us to this older access model minus the insecure
temporary credential increases. This is to permit use in a system
with non-overlapping security models for each executable including
the agent that mounts the overlayfs filesystem. In Android
this is the case since init, which performs the mount operations,
has a minimal MAC set of privileges to reduce any attack surface,
and services that use the content have a different set of MAC
privileges (eg: read, for vendor labelled configuration, execute for
vendor libraries and modules). The caveats are not a problem in
the Android usage model, however they should be fixed for
completeness and for general use in time.
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-unionfs@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
---
v9:
- Add to the caveats
v8:
- drop pr_warn message after straw poll to remove it.
- added a use case in the commit message
v7:
- change name of internal parameter to ovl_override_creds_def
- report override_creds only if different than default
v6:
- Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS.
- Do better with the documentation.
- pr_warn message adjusted to report consequences.
v5:
- beefed up the caveats in the Documentation
- Is dependent on
"overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh"
"overlayfs: check CAP_MKNOD before issuing vfs_whiteout"
- Added prwarn when override_creds=off
v4:
- spelling and grammar errors in text
v3:
- Change name from caller_credentials / creator_credentials to the
boolean override_creds.
- Changed from creator to mounter credentials.
- Updated and fortified the documentation.
- Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS
v2:
- Forward port changed attr to stat, resulting in a build error.
- altered commit message.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
(cherry picked from https://lore.kernel.org/patchwork/patch/1009299)
Bug: 109821005
Bug: 112955896
Bug: 127298877
Change-Id: Ie43b0c7dfd64f4cfc27dfe5e1622ea01f3b000cf
2019-02-22 13:09:42 -07:00
|
|
|
ovl_revert_creds(old_cred);
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
|
|
|
|
out:
|
|
|
|
if (err)
|
|
|
|
mutex_unlock(&oi->lock);
|
|
|
|
else
|
|
|
|
*locked = true;
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
void ovl_nlink_end(struct dentry *dentry, bool locked)
|
|
|
|
{
|
2017-06-21 04:46:12 -06:00
|
|
|
if (locked) {
|
|
|
|
if (ovl_test_flag(OVL_INDEX, d_inode(dentry)) &&
|
|
|
|
d_inode(dentry)->i_nlink == 0) {
|
|
|
|
const struct cred *old_cred;
|
|
|
|
|
|
|
|
old_cred = ovl_override_creds(dentry->d_sb);
|
|
|
|
ovl_cleanup_index(dentry);
|
ANDROID: overlayfs: override_creds=off option bypass creator_cred
By default, all access to the upper, lower and work directories is the
recorded mounter's MAC and DAC credentials. The incoming accesses are
checked against the caller's credentials.
If the principles of least privilege are applied, the mounter's
credentials might not overlap the credentials of the caller's when
accessing the overlayfs filesystem. For example, a file that a lower
DAC privileged caller can execute, is MAC denied to the generally
higher DAC privileged mounter, to prevent an attack vector.
We add the option to turn off override_creds in the mount options; all
subsequent operations after mount on the filesystem will be only the
caller's credentials. The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/override_creds.
It was not always this way. Circa 4.6 there was no recorded mounter's
credentials, instead privileged access to upper or work directories
were temporarily increased to perform the operations. The MAC
(selinux) policies were caller's in all cases. override_creds=off
partially returns us to this older access model minus the insecure
temporary credential increases. This is to permit use in a system
with non-overlapping security models for each executable including
the agent that mounts the overlayfs filesystem. In Android
this is the case since init, which performs the mount operations,
has a minimal MAC set of privileges to reduce any attack surface,
and services that use the content have a different set of MAC
privileges (eg: read, for vendor labelled configuration, execute for
vendor libraries and modules). The caveats are not a problem in
the Android usage model, however they should be fixed for
completeness and for general use in time.
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Amir Goldstein <amir73il@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-unionfs@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
---
v9:
- Add to the caveats
v8:
- drop pr_warn message after straw poll to remove it.
- added a use case in the commit message
v7:
- change name of internal parameter to ovl_override_creds_def
- report override_creds only if different than default
v6:
- Drop CONFIG_OVERLAY_FS_OVERRIDE_CREDS.
- Do better with the documentation.
- pr_warn message adjusted to report consequences.
v5:
- beefed up the caveats in the Documentation
- Is dependent on
"overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh"
"overlayfs: check CAP_MKNOD before issuing vfs_whiteout"
- Added prwarn when override_creds=off
v4:
- spelling and grammar errors in text
v3:
- Change name from caller_credentials / creator_credentials to the
boolean override_creds.
- Changed from creator to mounter credentials.
- Updated and fortified the documentation.
- Added CONFIG_OVERLAY_FS_OVERRIDE_CREDS
v2:
- Forward port changed attr to stat, resulting in a build error.
- altered commit message.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
(cherry picked from https://lore.kernel.org/patchwork/patch/1009299)
Bug: 109821005
Bug: 112955896
Bug: 127298877
Change-Id: Ie43b0c7dfd64f4cfc27dfe5e1622ea01f3b000cf
2019-02-22 13:09:42 -07:00
|
|
|
ovl_revert_creds(old_cred);
|
2017-06-21 04:46:12 -06:00
|
|
|
}
|
|
|
|
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
mutex_unlock(&OVL_I(d_inode(dentry))->lock);
|
2017-06-21 04:46:12 -06:00
|
|
|
}
|
ovl: persistent overlay inode nlink for indexed inodes
With inodes index enabled, an overlay inode nlink counts the union of upper
and non-covered lower hardlinks. During the lifetime of a non-pure upper
inode, the following nlink modifying operations can happen:
1. Lower hardlink copy up
2. Upper hardlink created, unlinked or renamed over
3. Lower hardlink whiteout or renamed over
For the first, copy up case, the union nlink does not change, whether the
operation succeeds or fails, but the upper inode nlink may change.
Therefore, before copy up, we store the union nlink value relative to the
lower inode nlink in the index inode xattr trusted.overlay.nlink.
For the second, upper hardlink case, the union nlink should be incremented
or decremented IFF the operation succeeds, aligned with nlink change of the
upper inode. Therefore, before link/unlink/rename, we store the union nlink
value relative to the upper inode nlink in the index inode.
For the last, lower cover up case, we simplify things by preceding the
whiteout or cover up with copy up. This makes sure that there is an index
upper inode where the nlink xattr can be stored before the copied up upper
entry is unlink.
Return the overlay inode nlinks for indexed upper inodes on stat(2).
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2017-06-20 06:35:14 -06:00
|
|
|
}
|
2017-09-25 07:39:55 -06:00
|
|
|
|
|
|
|
int ovl_lock_rename_workdir(struct dentry *workdir, struct dentry *upperdir)
|
|
|
|
{
|
|
|
|
/* Workdir should not be the same as upperdir */
|
|
|
|
if (workdir == upperdir)
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
/* Workdir should not be subdir of upperdir and vice versa */
|
|
|
|
if (lock_rename(workdir, upperdir) != NULL)
|
|
|
|
goto err_unlock;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
err_unlock:
|
|
|
|
unlock_rename(workdir, upperdir);
|
|
|
|
err:
|
|
|
|
pr_err("overlayfs: failed to lock workdir+upperdir\n");
|
|
|
|
return -EIO;
|
|
|
|
}
|
2018-05-11 09:49:28 -06:00
|
|
|
|
|
|
|
/* err < 0, 0 if no metacopy xattr, 1 if metacopy xattr found */
|
|
|
|
int ovl_check_metacopy_xattr(struct dentry *dentry)
|
|
|
|
{
|
2019-07-23 14:53:48 -06:00
|
|
|
ssize_t res;
|
2018-05-11 09:49:28 -06:00
|
|
|
|
|
|
|
/* Only regular files can have metacopy xattr */
|
|
|
|
if (!S_ISREG(d_inode(dentry)->i_mode))
|
|
|
|
return 0;
|
|
|
|
|
2019-07-23 14:53:48 -06:00
|
|
|
res = ovl_vfs_getxattr(dentry, OVL_XATTR_METACOPY, NULL, 0);
|
2018-05-11 09:49:28 -06:00
|
|
|
if (res < 0) {
|
|
|
|
if (res == -ENODATA || res == -EOPNOTSUPP)
|
|
|
|
return 0;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
out:
|
2019-07-23 14:53:48 -06:00
|
|
|
pr_warn_ratelimited("overlayfs: failed to get metacopy (%zi)\n", res);
|
2018-05-11 09:49:28 -06:00
|
|
|
return res;
|
|
|
|
}
|
2018-05-11 09:49:30 -06:00
|
|
|
|
|
|
|
bool ovl_is_metacopy_dentry(struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct ovl_entry *oe = dentry->d_fsdata;
|
|
|
|
|
|
|
|
if (!d_is_reg(dentry))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (ovl_dentry_upper(dentry)) {
|
|
|
|
if (!ovl_has_upperdata(d_inode(dentry)))
|
|
|
|
return true;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return (oe->numlower > 1);
|
|
|
|
}
|
2018-05-11 09:49:32 -06:00
|
|
|
|
2019-01-30 12:01:57 -07:00
|
|
|
ssize_t ovl_getxattr(struct dentry *dentry, char *name, char **value,
|
|
|
|
size_t padding)
|
2018-05-11 09:49:32 -06:00
|
|
|
{
|
2019-01-30 12:01:57 -07:00
|
|
|
ssize_t res;
|
|
|
|
char *buf = NULL;
|
2018-05-11 09:49:32 -06:00
|
|
|
|
2019-07-23 14:53:48 -06:00
|
|
|
res = ovl_vfs_getxattr(dentry, name, NULL, 0);
|
2018-05-11 09:49:32 -06:00
|
|
|
if (res < 0) {
|
|
|
|
if (res == -ENODATA || res == -EOPNOTSUPP)
|
2019-01-30 12:01:57 -07:00
|
|
|
return -ENODATA;
|
2018-05-11 09:49:32 -06:00
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
2019-01-30 12:01:57 -07:00
|
|
|
if (res != 0) {
|
|
|
|
buf = kzalloc(res + padding, GFP_KERNEL);
|
|
|
|
if (!buf)
|
|
|
|
return -ENOMEM;
|
2018-05-11 09:49:32 -06:00
|
|
|
|
2019-07-23 14:53:48 -06:00
|
|
|
res = ovl_vfs_getxattr(dentry, name, buf, res);
|
2019-01-30 12:01:57 -07:00
|
|
|
if (res < 0)
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
*value = buf;
|
|
|
|
|
|
|
|
return res;
|
|
|
|
|
|
|
|
fail:
|
|
|
|
pr_warn_ratelimited("overlayfs: failed to get xattr %s: err=%zi)\n",
|
|
|
|
name, res);
|
|
|
|
kfree(buf);
|
|
|
|
return res;
|
|
|
|
}
|
2018-05-11 09:49:32 -06:00
|
|
|
|
2019-01-30 12:01:57 -07:00
|
|
|
char *ovl_get_redirect_xattr(struct dentry *dentry, int padding)
|
|
|
|
{
|
|
|
|
int res;
|
|
|
|
char *s, *next, *buf = NULL;
|
|
|
|
|
|
|
|
res = ovl_getxattr(dentry, OVL_XATTR_REDIRECT, &buf, padding + 1);
|
|
|
|
if (res == -ENODATA)
|
|
|
|
return NULL;
|
2018-05-11 09:49:32 -06:00
|
|
|
if (res < 0)
|
2019-01-30 12:01:57 -07:00
|
|
|
return ERR_PTR(res);
|
2018-05-11 09:49:32 -06:00
|
|
|
if (res == 0)
|
|
|
|
goto invalid;
|
|
|
|
|
|
|
|
if (buf[0] == '/') {
|
|
|
|
for (s = buf; *s++ == '/'; s = next) {
|
|
|
|
next = strchrnul(s, '/');
|
|
|
|
if (s == next)
|
|
|
|
goto invalid;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (strchr(buf, '/') != NULL)
|
|
|
|
goto invalid;
|
|
|
|
}
|
|
|
|
|
|
|
|
return buf;
|
|
|
|
invalid:
|
|
|
|
pr_warn_ratelimited("overlayfs: invalid redirect (%s)\n", buf);
|
|
|
|
res = -EINVAL;
|
2019-01-30 12:01:57 -07:00
|
|
|
kfree(buf);
|
|
|
|
return ERR_PTR(res);
|
2018-05-11 09:49:32 -06:00
|
|
|
}
|