1. 05 Jul, 2017 2 commits
  2. 28 Jun, 2017 2 commits
  3. 05 Jun, 2017 2 commits
  4. 29 May, 2017 2 commits
    • ovl: filter trusted xattr for non-admin · a082c6f6
      Committed by Miklos Szeredi
      Filesystems filter out extended attributes in the "trusted." domain for
      unprivileged callers.
      
      Overlay calls underlying filesystem's method with elevated privs, so need
      to do the filtering in overlayfs too.
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    • ovl: mark upper merge dir with type origin entries "impure" · f3a15685
      Committed by Amir Goldstein
      An upper dir is marked "impure" to let ovl_iterate() know that this
      directory may contain non pure upper entries whose d_ino may need to be
      read from the origin inode.
      
      We already mark a non-merge dir "impure" when moving a non-pure child
      entry inside it, to let ovl_iterate() know not to iterate the non-merge
      dir directly.
      
      Mark also a merge dir "impure" when moving a non-pure child entry inside
      it and when copying up a child entry inside it.
      
      This can be used to optimize ovl_iterate() to perform a "pure merge" of
      upper and lower directories, merging the content of the directories,
      without having to read d_ino from origin inodes.
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
  5. 19 May, 2017 3 commits
  6. 18 May, 2017 3 commits
  7. 15 May, 2017 1 commit
    • ovl: select EXPORTFS · 72d42504
      Committed by Arnd Bergmann
      We get a link error when EXPORTFS is not enabled:
      
      ERROR: "exportfs_encode_fh" [fs/overlayfs/overlay.ko] undefined!
      ERROR: "exportfs_decode_fh" [fs/overlayfs/overlay.ko] undefined!
      
      This adds a Kconfig 'select' statement for overlayfs, the same way that
      it is done for the other users of exportfs.
      
      Fixes: 3a1e819b ("ovl: store file handle of lower inode on copy up")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
  8. 05 May, 2017 9 commits
    • ovl: persistent inode numbers for upper hardlinks · 5b6c9053
      Committed by Amir Goldstein
      An upper type non directory dentry that is a copy up target
      should have a reference to its lower copy up origin.
      
      There are three ways for an upper type dentry to be instantiated:
      1. A lower type dentry that is being copied up
      2. An entry that is found in upper dir by ovl_lookup()
      3. A negative dentry is hardlinked to an upper type dentry
      
      In the first case, the lower reference is set before copy up.
      In the second case, the lower reference is found by ovl_lookup().
      In the last case of hardlinked upper dentry, it is not easy to
      update the lower reference of the negative dentry.  Instead,
      drop the newly hardlinked negative dentry from dcache and let
      the next access call ovl_lookup() to find its lower reference.
      
      This makes sure that the inode number reported by stat(2) after
      the hardlink is created is the same inode number that will be
      reported by stat(2) after mount cycle, which is the inode number
      of the lower copy up origin of the hardlink source.
      
      NOTE that this does not fix breaking of lower hardlinks on copy
      up, but only fixes the case of lower nlink == 1, whose upper copy
      up inode is hardlinked in upper dir.
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    • ovl: merge getattr for dir and nondir · 5b712091
      Committed by Miklos Szeredi
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    • ovl: constant st_ino/st_dev across copy up · 72b608f0
      Committed by Amir Goldstein
      When all layers are on the same underlying filesystem, let stat(2) return
      st_dev/st_ino values of the copy up origin inode if it is known.
      
      This results in constant st_ino/st_dev representation of files in an
      overlay mount before and after copy up.
      
      When the underlying filesystem supports NFS exportfs, the result is also
      persistent st_ino/st_dev representation before and after mount cycle.
      
      Lower hardlinks are broken on copy up to different upper files, so we
      cannot use the lower origin st_ino for those different files, even for the
      same fs case.
      
      When all overlay layers are on the same fs, use overlay st_dev for non-dirs
      to get the correct result from du -x.
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    • ovl: persistent inode number for directories · b7a807dc
      Committed by Amir Goldstein
      stat(2) on overlay directories reports the overlay temp inode
      number, which is constant across copy up, but is not persistent.
      
      When all layers are on the same fs, report the copy up origin inode
      number for directories.
      
      This inode number is persistent, unique across the overlay mount and
      constant across copy up.
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    • ovl: set the ORIGIN type flag · 59548503
      Committed by Amir Goldstein
      For directory entries, non zero oe->numlower implies OVL_TYPE_MERGE.
      Define a new type flag OVL_TYPE_ORIGIN to indicate that an entry holds a
      reference to its lower copy up origin.
      
      For directory entries ORIGIN := MERGE && UPPER. For non-dir entries ORIGIN
      means that a lower type dentry has been recently copied up or that we were
      able to find the copy up origin from overlay.origin xattr.
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    • ovl: lookup non-dir copy-up-origin by file handle · a9d01957
      Committed by Amir Goldstein
      If overlay.origin xattr is found on a non-dir upper inode try to get lower
      dentry by calling exportfs_decode_fh().
      
      On failure to lookup by file handle to lower layer, do not lookup the copy
      up origin by name, because the lower found by name could be another file in
      case the upper file was renamed.
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    • c22205d0
    • ovl: store file handle of lower inode on copy up · 3a1e819b
      Committed by Amir Goldstein
      Sometimes it is interesting to know if an upper file is pure upper or a
      copy up target, and if it is a copy up target, it may be interesting to
      find the copy up origin.
      
      This will be used to preserve lower inode numbers across copy up.
      
      Store the lower inode file handle in upper inode extended attribute
      overlay.origin on copy up to use it later for these cases.  Store the lower
      filesystem uuid along side the file handle, so we can validate that we are
      looking for the origin file in the original fs.
      
      If lower fs does not support NFS export ops store a zero sized xattr so we
      can always use the overlay.origin xattr to distinguish between a copy up
      and a pure upper inode.
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    • ovl: check if all layers are on the same fs · 7bcd74b9
      Committed by Amir Goldstein
      Some features can only work when all layers are on the same fs.  Test this
      condition during mount time, so features can check them later.
      
      Add helper ovl_same_sb() to return the common super block in case all
      layers are on the same fs.
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
  9. 26 Apr, 2017 1 commit
  10. 20 Apr, 2017 2 commits
    • ovl: check IS_APPEND() on real upper inode · b0990fbb
      Committed by Amir Goldstein
      For overlay file open, check IS_APPEND() on the real upper inode
      inside d_real(), because the overlay inode does not have the
      S_APPEND flag and IS_APPEND() can only be checked at open time.
      
      Note that because overlayfs does not copy up the chattr inode flags
      (i.e. S_APPEND, S_IMMUTABLE), the IS_APPEND() check is only relevant
      for upper inodes that were set with chattr +a and not to lower
      inodes that had chattr +a before copy up.
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    • ovl: Use designated initializers · 33006cdf
      Committed by Kees Cook
      Prepare to mark sensitive kernel structures for randomization by making
      sure they're using designated initializers. These were identified during
      allyesconfig builds of x86, arm, and arm64, with most initializer fixes
      extracted from grsecurity.
      
      For these cases, use { }, which will be zero-filled, instead of
      undesignated NULLs.
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
  11. 09 Mar, 2017 1 commit
  12. 08 Mar, 2017 1 commit
    • ovl: lockdep annotate of nested stacked overlayfs inode lock · b1eaa950
      Committed by Amir Goldstein
      An overlayfs instance can be the lower layer of another overlayfs
      instance. This setup triggers a lockdep splat of possible recursive
      locking of sb->s_type->i_mutex_key in iterate_dir(). Trimmed snip:
      
       [ INFO: possible recursive locking detected ]
       bash/2468 is trying to acquire lock:
        &sb->s_type->i_mutex_key#14, at: iterate_dir+0x7d/0x15c
       but task is already holding lock:
        &sb->s_type->i_mutex_key#14, at: iterate_dir+0x7d/0x15c
      
      One problem observed with this splat is that ovl_new_inode()
      does not call lockdep_annotate_inode_mutex_key() to annotate
      the dir inode lock as &sb->s_type->i_mutex_dir_key like other
      fs do.
      
      The other problem is that the 2 nested levels of overlayfs inode
      lock are annotated using the same key, which is the cause of the
      false positive lockdep warning.
      
      Fix this by annotating overlayfs inode lock in ovl_fill_inode()
      according to stack level of the super block instance and use
      different key for dir vs. non-dir like other fs do.
      
      Here is an edited snip from /proc/lockdep_chains after
      iterate_dir() of nested overlayfs:
      
       [...] &ovl_i_mutex_dir_key[depth]   (stack_depth=2)
       [...] &ovl_i_mutex_dir_key[depth]#2 (stack_depth=1)
       [...] &type->i_mutex_dir_key        (stack_depth=0)
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
  13. 03 Mar, 2017 1 commit
    • statx: Add a system call to make enhanced file info available · a528d35e
      Committed by David Howells
      Add a system call to make extended file information available, including
      file creation and some attribute flags where available through the
      underlying filesystem.
      
      The getattr inode operation is altered to take two additional arguments: a
      u32 request_mask and an unsigned int flags that indicate the
      synchronisation mode.  This change is propagated to the vfs_getattr*()
      function.
      
      Functions like vfs_stat() are now inline wrappers around new functions
      vfs_statx() and vfs_statx_fd() to reduce stack usage.
      
      ========
      OVERVIEW
      ========
      
      The idea was initially proposed as a set of xattrs that could be retrieved
      with getxattr(), but the general preference proved to be for a new syscall
      with an extended stat structure.
      
      A number of requests were gathered for features to be included.  The
      following have been included:
      
       (1) Make the fields a consistent size on all arches and make them large.
      
       (2) Spare space, request flags and information flags are provided for
           future expansion.
      
       (3) Better support for the y2038 problem [Arnd Bergmann] (tv_sec is an
           __s64).
      
       (4) Creation time: The SMB protocol carries the creation time, which could
           be exported by Samba, which will in turn help CIFS make use of
           FS-Cache as that can be used for coherency data (stx_btime).
      
           This is also specified in NFSv4 as a recommended attribute and could
           be exported by NFSD [Steve French].
      
       (5) Lightweight stat: Ask for just those details of interest, and allow a
           netfs (such as NFS) to approximate anything not of interest, possibly
           without going to the server [Trond Myklebust, Ulrich Drepper, Andreas
           Dilger] (AT_STATX_DONT_SYNC).
      
       (6) Heavyweight stat: Force a netfs to go to the server, even if it thinks
           its cached attributes are up to date [Trond Myklebust]
           (AT_STATX_FORCE_SYNC).
      
      And the following have been left out for future extension:
      
       (7) Data version number: Could be used by userspace NFS servers [Aneesh
           Kumar].
      
           Can also be used to modify fill_post_wcc() in NFSD which retrieves
           i_version directly, but has just called vfs_getattr().  It could get
           it from the kstat struct if it used vfs_xgetattr() instead.
      
           (There's disagreement on the exact semantics of a single field, since
           not all filesystems do this the same way).
      
       (8) BSD stat compatibility: Including more fields from the BSD stat such
           as creation time (st_btime) and inode generation number (st_gen)
           [Jeremy Allison, Bernd Schubert].
      
       (9) Inode generation number: Useful for FUSE and userspace NFS servers
           [Bernd Schubert].
      
           (This was asked for but later deemed unnecessary with the
           open-by-handle capability available and caused disagreement as to
           whether it's a security hole or not).
      
      (10) Extra coherency data may be useful in making backups [Andreas Dilger].
      
           (No particular data were offered, but things like last backup
           timestamp, the data version number and the DOS archive bit would come
           into this category).
      
      (11) Allow the filesystem to indicate what it can/cannot provide: A
           filesystem can now say it doesn't support a standard stat feature if
           that isn't available, so if, for instance, inode numbers or UIDs don't
           exist or are fabricated locally...
      
           (This requires a separate system call - I have an fsinfo() call idea
           for this).
      
      (12) Store a 16-byte volume ID in the superblock that can be returned in
           struct xstat [Steve French].
      
           (Deferred to fsinfo).
      
      (13) Include granularity fields in the time data to indicate the
           granularity of each of the times (NFSv4 time_delta) [Steve French].
      
           (Deferred to fsinfo).
      
      (14) FS_IOC_GETFLAGS value.  These could be translated to BSD's st_flags.
           Note that the Linux IOC flags are a mess and filesystems such as Ext4
           define flags that aren't in linux/fs.h, so translation in the kernel
           may be a necessity (or, possibly, we provide the filesystem type too).
      
           (Some attributes are made available in stx_attributes, but the general
           feeling was that the IOC flags were too ext[234]-specific and shouldn't
           be exposed through statx this way).
      
      (15) Mask of features available on file (eg: ACLs, seclabel) [Brad Boyer,
           Michael Kerrisk].
      
           (Deferred, probably to fsinfo.  Finding out if there's an ACL or
           seclabel might require extra filesystem operations).
      
      (16) Femtosecond-resolution timestamps [Dave Chinner].
      
           (A __reserved field has been left in the statx_timestamp struct for
           this - if there proves to be a need).
      
      (17) A set multiple attributes syscall to go with this.
      
      ===============
      NEW SYSTEM CALL
      ===============
      
      The new system call is:
      
      	int ret = statx(int dfd,
      			const char *filename,
      			unsigned int flags,
      			unsigned int mask,
      			struct statx *buffer);
      
      The dfd, filename and flags parameters indicate the file to query, in a
      similar way to fstatat().  There is no equivalent of lstat() as that can be
      emulated with statx() by passing AT_SYMLINK_NOFOLLOW in flags.  There is
      also no equivalent of fstat() as that can be emulated by passing a NULL
      filename to statx() with the fd of interest in dfd.
      
      Whether or not statx() synchronises the attributes with the backing store
      can be controlled by OR'ing a value into the flags argument (this typically
      only affects network filesystems):
      
       (1) AT_STATX_SYNC_AS_STAT tells statx() to behave as stat() does in this
           respect.
      
       (2) AT_STATX_FORCE_SYNC will require a network filesystem to synchronise
           its attributes with the server - which might require data writeback to
           occur to get the timestamps correct.
      
       (3) AT_STATX_DONT_SYNC will suppress synchronisation with the server in a
           network filesystem.  The resulting values should be considered
           approximate.
      
      mask is a bitmask indicating the fields in struct statx that are of
      interest to the caller.  The user should set this to STATX_BASIC_STATS to
      get the basic set returned by stat().  It should be noted that asking for
      more information may entail extra I/O operations.
      
      buffer points to the destination for the data.  This must be 256 bytes in
      size.
      
      ======================
      MAIN ATTRIBUTES RECORD
      ======================
      
      The following structures are defined in which to return the main attribute
      set:
      
      	struct statx_timestamp {
      		__s64	tv_sec;
      		__s32	tv_nsec;
      		__s32	__reserved;
      	};
      
      	struct statx {
      		__u32	stx_mask;
      		__u32	stx_blksize;
      		__u64	stx_attributes;
      		__u32	stx_nlink;
      		__u32	stx_uid;
      		__u32	stx_gid;
      		__u16	stx_mode;
      		__u16	__spare0[1];
      		__u64	stx_ino;
      		__u64	stx_size;
      		__u64	stx_blocks;
      		__u64	__spare1[1];
      		struct statx_timestamp	stx_atime;
      		struct statx_timestamp	stx_btime;
      		struct statx_timestamp	stx_ctime;
      		struct statx_timestamp	stx_mtime;
      		__u32	stx_rdev_major;
      		__u32	stx_rdev_minor;
      		__u32	stx_dev_major;
      		__u32	stx_dev_minor;
      		__u64	__spare2[14];
      	};
      
      The defined bits in request_mask and stx_mask are:
      
      	STATX_TYPE		Want/got stx_mode & S_IFMT
      	STATX_MODE		Want/got stx_mode & ~S_IFMT
      	STATX_NLINK		Want/got stx_nlink
      	STATX_UID		Want/got stx_uid
      	STATX_GID		Want/got stx_gid
      	STATX_ATIME		Want/got stx_atime{,_ns}
      	STATX_MTIME		Want/got stx_mtime{,_ns}
      	STATX_CTIME		Want/got stx_ctime{,_ns}
      	STATX_INO		Want/got stx_ino
      	STATX_SIZE		Want/got stx_size
      	STATX_BLOCKS		Want/got stx_blocks
      	STATX_BASIC_STATS	[The stuff in the normal stat struct]
      	STATX_BTIME		Want/got stx_btime{,_ns}
      	STATX_ALL		[All currently available stuff]
      
      stx_btime is the file creation time, stx_mask is a bitmask indicating the
      data provided and __spares*[] are where as-yet undefined fields can be
      placed.
      
      Time fields are structures with separate seconds and nanoseconds fields
      plus a reserved field in case we want to add even finer resolution.  Note
      that times will be negative if before 1970; in such a case, the nanosecond
      fields will also be negative if not zero.
      
      The bits defined in the stx_attributes field convey information about a
      file, how it is accessed, where it is and what it does.  The following
      attributes map to FS_*_FL flags and are the same numerical value:
      
      	STATX_ATTR_COMPRESSED		File is compressed by the fs
      	STATX_ATTR_IMMUTABLE		File is marked immutable
      	STATX_ATTR_APPEND		File is append-only
      	STATX_ATTR_NODUMP		File is not to be dumped
      	STATX_ATTR_ENCRYPTED		File requires key to decrypt in fs
      
      Within the kernel, the supported flags are listed by:
      
      	KSTAT_ATTR_FS_IOC_FLAGS
      
      [Are any other IOC flags of sufficient general interest to be exposed
      through this interface?]
      
      New flags include:
      
      	STATX_ATTR_AUTOMOUNT		Object is an automount trigger
      
      These are for the use of GUI tools that might want to mark files specially,
      depending on what they are.
      
      Fields in struct statx come in a number of classes:
      
       (0) stx_dev_*, stx_blksize.
      
           These are local system information and are always available.
      
       (1) stx_mode, stx_nlinks, stx_uid, stx_gid, stx_[amc]time, stx_ino,
           stx_size, stx_blocks.
      
           These will be returned whether the caller asks for them or not.  The
           corresponding bits in stx_mask will be set to indicate whether they
           actually have valid values.
      
           If the caller didn't ask for them, then they may be approximated.  For
           example, NFS won't waste any time updating them from the server,
           unless as a byproduct of updating something requested.
      
           If the values don't actually exist for the underlying object (such as
           UID or GID on a DOS file), then the bit won't be set in the stx_mask,
           even if the caller asked for the value.  In such a case, the returned
           value will be a fabrication.
      
           Note that there are instances where the type might not be valid, for
           instance Windows reparse points.
      
       (2) stx_rdev_*.
      
           This will be set only if stx_mode indicates we're looking at a
           blockdev or a chardev, otherwise will be 0.
      
       (3) stx_btime.
      
           Similar to (1), except this will be set to 0 if it doesn't exist.
      
      =======
      TESTING
      =======
      
      The following test program can be used to test the statx system call:
      
      	samples/statx/test-statx.c
      
      Just compile and run, passing it paths to the files you want to examine.
      The file is built automatically if CONFIG_SAMPLES is enabled.
      
      Here's some example output.  Firstly, an NFS directory that crosses to
      another FSID.  Note that the AUTOMOUNT attribute is set because transiting
      this directory will cause d_automount to be invoked by the VFS.
      
      	[root@andromeda ~]# /tmp/test-statx -A /warthog/data
      	statx(/warthog/data) = 0
      	results=7ff
      	  Size: 4096            Blocks: 8          IO Block: 1048576  directory
      	Device: 00:26           Inode: 1703937     Links: 125
      	Access: (3777/drwxrwxrwx)  Uid:     0   Gid:  4041
      	Access: 2016-11-24 09:02:12.219699527+0000
      	Modify: 2016-11-17 10:44:36.225653653+0000
      	Change: 2016-11-17 10:44:36.225653653+0000
      	Attributes: 0000000000001000 (-------- -------- -------- -------- -------- -------- ---m---- --------)
      
      Secondly, the result of automounting on that directory.
      
      	[root@andromeda ~]# /tmp/test-statx /warthog/data
      	statx(/warthog/data) = 0
      	results=7ff
      	  Size: 4096            Blocks: 8          IO Block: 1048576  directory
      	Device: 00:27           Inode: 2           Links: 125
      	Access: (3777/drwxrwxrwx)  Uid:     0   Gid:  4041
      	Access: 2016-11-24 09:02:12.219699527+0000
      	Modify: 2016-11-17 10:44:36.225653653+0000
      	Change: 2016-11-17 10:44:36.225653653+0000
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  14. 02 Mar, 2017 2 commits
  15. 07 Feb, 2017 7 commits
  16. 18 Jan, 2017 1 commit
    • ovl: fix possible use after free on redirect dir lookup · 4c7d0c9c
      Committed by Amir Goldstein
      ovl_lookup_layer() iterates on path elements of d->name.name
      but also frees and allocates a new pointer for d->name.name.
      
      For the case of lookup in upper layer, the initial d->name.name
      pointer is stable (dentry->d_name), but for lower layers, the
      initial d->name.name can be d->redirect, which can be freed during
      iteration.
      
      [SzM]
      Keep the count of remaining characters in the redirect path and calculate
      the current position from that.  This works because only the prefix is
      modified, the ending always stays the same.
      
      Fixes: 02b69b28 ("ovl: lookup redirects")
      Signed-off-by: Amir Goldstein <amir73il@gmail.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>