2 * Copyright (C) 2011 Novell Inc.
3 * Copyright (C) 2016 Red Hat, Inc.
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 as published by
7 * the Free Software Foundation.
11 #include <linux/cred.h>
12 #include <linux/ctype.h>
13 #include <linux/namei.h>
14 #include <linux/xattr.h>
15 #include <linux/ratelimit.h>
16 #include <linux/mount.h>
17 #include <linux/exportfs.h>
18 #include "overlayfs.h"
20 struct ovl_lookup_data {
29 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d,
30 size_t prelen, const char *post)
33 char *s, *next, *buf = NULL;
35 res = vfs_getxattr(dentry, OVL_XATTR_REDIRECT, NULL, 0);
37 if (res == -ENODATA || res == -EOPNOTSUPP)
41 buf = kzalloc(prelen + res + strlen(post) + 1, GFP_KERNEL);
48 res = vfs_getxattr(dentry, OVL_XATTR_REDIRECT, buf, res);
54 for (s = buf; *s++ == '/'; s = next) {
55 next = strchrnul(s, '/');
60 if (strchr(buf, '/') != NULL)
63 memmove(buf + prelen, buf, res);
64 memcpy(buf, d->name.name, prelen);
70 d->name.name = d->redirect;
71 d->name.len = strlen(d->redirect);
79 pr_warn_ratelimited("overlayfs: failed to get redirect (%i)\n", res);
82 pr_warn_ratelimited("overlayfs: invalid redirect (%s)\n", buf);
86 static int ovl_acceptable(void *ctx, struct dentry *dentry)
89 * A non-dir origin may be disconnected, which is fine, because
90 * we only need it for its unique inode number.
92 if (!d_is_dir(dentry))
95 /* Don't decode a deleted empty directory */
96 if (d_unhashed(dentry))
99 /* Check if directory belongs to the layer we are decoding from */
100 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root);
104 * Check validity of an overlay file handle buffer.
106 * Return 0 for a valid file handle.
107 * Return -ENODATA for "origin unknown".
108 * Return <0 for an invalid file handle.
110 int ovl_check_fh_len(struct ovl_fh *fh, int fh_len)
112 if (fh_len < sizeof(struct ovl_fh) || fh_len < fh->len)
115 if (fh->magic != OVL_FH_MAGIC)
118 /* Treat larger version and unknown flags as "origin unknown" */
119 if (fh->version > OVL_FH_VERSION || fh->flags & ~OVL_FH_FLAG_ALL)
122 /* Treat endianness mismatch as "origin unknown" */
123 if (!(fh->flags & OVL_FH_FLAG_ANY_ENDIAN) &&
124 (fh->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN)
130 static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name)
133 struct ovl_fh *fh = NULL;
135 res = vfs_getxattr(dentry, name, NULL, 0);
137 if (res == -ENODATA || res == -EOPNOTSUPP)
141 /* Zero size value means "copied up but origin unknown" */
145 fh = kzalloc(res, GFP_KERNEL);
147 return ERR_PTR(-ENOMEM);
149 res = vfs_getxattr(dentry, name, fh, res);
153 err = ovl_check_fh_len(fh, res);
167 pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res);
170 pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh);
174 struct dentry *ovl_decode_fh(struct ovl_fh *fh, struct vfsmount *mnt)
180 * Make sure that the stored uuid matches the uuid of the lower
181 * layer where file handle will be decoded.
183 if (!uuid_equal(&fh->uuid, &mnt->mnt_sb->s_uuid))
186 bytes = (fh->len - offsetof(struct ovl_fh, fid));
187 real = exportfs_decode_fh(mnt, (struct fid *)fh->fid,
188 bytes >> 2, (int)fh->type,
189 ovl_acceptable, mnt);
192 * Treat stale file handle to lower file as "origin unknown".
193 * upper file handle could become stale when upper file is
194 * unlinked and this information is needed to handle stale
195 * index entries correctly.
197 if (real == ERR_PTR(-ESTALE) &&
198 !(fh->flags & OVL_FH_FLAG_PATH_UPPER))
203 if (ovl_dentry_weird(real)) {
211 static bool ovl_is_opaquedir(struct dentry *dentry)
213 return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE);
216 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d,
217 const char *name, unsigned int namelen,
218 size_t prelen, const char *post,
224 this = lookup_one_len_unlocked(name, base, namelen);
228 if (err == -ENOENT || err == -ENAMETOOLONG)
235 if (ovl_dentry_weird(this)) {
236 /* Don't support traversing automounts and other weirdness */
240 if (ovl_is_whiteout(this)) {
241 d->stop = d->opaque = true;
244 if (!d_can_lookup(this)) {
251 if (!d->last && ovl_is_opaquedir(this)) {
252 d->stop = d->opaque = true;
255 err = ovl_check_redirect(this, d, prelen, post);
272 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d,
275 /* Counting down from the end, since the prefix can change */
276 size_t rem = d->name.len - 1;
277 struct dentry *dentry = NULL;
280 if (d->name.name[0] != '/')
281 return ovl_lookup_single(base, d, d->name.name, d->name.len,
284 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) {
285 const char *s = d->name.name + d->name.len - rem;
286 const char *next = strchrnul(s, '/');
287 size_t thislen = next - s;
290 /* Verify we did not go off the rails */
291 if (WARN_ON(s[-1] != '/'))
294 err = ovl_lookup_single(base, d, s, thislen,
295 d->name.len - rem, next, &base);
305 if (WARN_ON(rem >= d->name.len))
313 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh,
314 struct dentry *upperdentry, struct ovl_path **stackp)
316 struct dentry *origin = NULL;
319 for (i = 0; i < ofs->numlower; i++) {
320 origin = ovl_decode_fh(fh, ofs->lower_layers[i].mnt);
327 else if (IS_ERR(origin))
328 return PTR_ERR(origin);
330 if (upperdentry && !ovl_is_whiteout(upperdentry) &&
331 ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT))
335 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL);
340 **stackp = (struct ovl_path){
342 .layer = &ofs->lower_layers[i]
348 pr_warn_ratelimited("overlayfs: invalid origin (%pd2, ftype=%x, origin ftype=%x).\n",
349 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT,
350 d_inode(origin)->i_mode & S_IFMT);
355 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry,
356 struct ovl_path **stackp, unsigned int *ctrp)
358 struct ovl_fh *fh = ovl_get_fh(upperdentry, OVL_XATTR_ORIGIN);
361 if (IS_ERR_OR_NULL(fh))
364 err = ovl_check_origin_fh(ofs, fh, upperdentry, stackp);
381 * Verify that @fh matches the file handle stored in xattr @name.
382 * Return 0 on match, -ESTALE on mismatch, < 0 on error.
384 static int ovl_verify_fh(struct dentry *dentry, const char *name,
385 const struct ovl_fh *fh)
387 struct ovl_fh *ofh = ovl_get_fh(dentry, name);
396 if (fh->len != ofh->len || memcmp(fh, ofh, fh->len))
404 * Verify that @real dentry matches the file handle stored in xattr @name.
406 * If @set is true and there is no stored file handle, encode @real and store
407 * file handle in xattr @name.
409 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error.
411 int ovl_verify_set_fh(struct dentry *dentry, const char *name,
412 struct dentry *real, bool is_upper, bool set)
418 fh = ovl_encode_fh(real, is_upper);
423 err = ovl_verify_fh(dentry, name, fh);
424 if (set && err == -ENODATA)
425 err = ovl_do_setxattr(dentry, name, fh, fh->len, 0);
434 inode = d_inode(real);
435 pr_warn_ratelimited("overlayfs: failed to verify %s (%pd2, ino=%lu, err=%i)\n",
436 is_upper ? "upper" : "origin", real,
437 inode ? inode->i_ino : 0, err);
441 /* Get upper dentry from index */
442 struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index)
445 struct dentry *upper;
447 if (!d_is_dir(index))
450 fh = ovl_get_fh(index, OVL_XATTR_UPPER);
451 if (IS_ERR_OR_NULL(fh))
454 upper = ovl_decode_fh(fh, ofs->upper_mnt);
457 if (IS_ERR_OR_NULL(upper))
458 return upper ?: ERR_PTR(-ESTALE);
460 if (!d_is_dir(upper)) {
461 pr_warn_ratelimited("overlayfs: invalid index upper (%pd2, upper=%pd2).\n",
464 return ERR_PTR(-EIO);
470 /* Is this a leftover from create/whiteout of directory index entry? */
471 static bool ovl_is_temp_index(struct dentry *index)
473 return index->d_name.name[0] == '#';
477 * Verify that an index entry name matches the origin file handle stored in
478 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path.
479 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error.
481 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index)
483 struct ovl_fh *fh = NULL;
485 struct ovl_path origin = { };
486 struct ovl_path *stack = &origin;
487 struct dentry *upper = NULL;
493 /* Cleanup leftover from index create/cleanup attempt */
495 if (ovl_is_temp_index(index))
499 if (index->d_name.len < sizeof(struct ovl_fh)*2)
503 len = index->d_name.len / 2;
504 fh = kzalloc(len, GFP_KERNEL);
509 if (hex2bin((u8 *)fh, index->d_name.name, len))
512 err = ovl_check_fh_len(fh, len);
517 * Whiteout index entries are used as an indication that an exported
518 * overlay file handle should be treated as stale (i.e. after unlink
519 * of the overlay inode). These entries contain no origin xattr.
521 if (ovl_is_whiteout(index))
525 * Verifying directory index entries are not stale is expensive, so
526 * only verify stale dir index if NFS export is enabled.
528 if (d_is_dir(index) && !ofs->config.nfs_export)
532 * Directory index entries should have 'upper' xattr pointing to the
533 * real upper dir. Non-dir index entries are hardlinks to the upper
534 * real inode. For non-dir index, we can read the copy up origin xattr
535 * directly from the index dentry, but for dir index we first need to
536 * decode the upper directory.
538 upper = ovl_index_upper(ofs, index);
539 if (IS_ERR_OR_NULL(upper)) {
540 err = PTR_ERR(upper);
542 * Directory index entries with no 'upper' xattr need to be
543 * removed. When dir index entry has a stale 'upper' xattr,
544 * we assume that upper dir was removed and we treat the dir
545 * index as orphan entry that needs to be whited out.
554 err = ovl_verify_fh(upper, OVL_XATTR_ORIGIN, fh);
559 /* Check if non-dir index is orphan and don't warn before cleaning it */
560 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) {
561 err = ovl_check_origin_fh(ofs, fh, index, &stack);
565 if (ovl_get_nlink(origin.dentry, index, 0) == 0)
575 pr_warn_ratelimited("overlayfs: failed to verify index (%pd2, ftype=%x, err=%i)\n",
576 index, d_inode(index)->i_mode & S_IFMT, err);
580 pr_warn_ratelimited("overlayfs: orphan index entry (%pd2, ftype=%x, nlink=%u)\n",
581 index, d_inode(index)->i_mode & S_IFMT,
582 d_inode(index)->i_nlink);
587 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name)
591 n = kzalloc(fh->len * 2, GFP_KERNEL);
595 s = bin2hex(n, fh, fh->len);
596 *name = (struct qstr) QSTR_INIT(n, s - n);
603 * Lookup in indexdir for the index entry of a lower real inode or a copy up
604 * origin inode. The index entry name is the hex representation of the lower
607 * If the index dentry in negative, then either no lower aliases have been
608 * copied up yet, or aliases have been copied up in older kernels and are
611 * If the index dentry for a copy up origin inode is positive, but points
612 * to an inode different than the upper inode, then either the upper inode
613 * has been copied up and not indexed or it was indexed, but since then
614 * index dir was cleared. Either way, that index cannot be used to indentify
617 int ovl_get_index_name(struct dentry *origin, struct qstr *name)
622 fh = ovl_encode_fh(origin, false);
626 err = ovl_get_index_name_fh(fh, name);
632 /* Lookup index by file handle for NFS export */
633 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh)
635 struct dentry *index;
639 err = ovl_get_index_name_fh(fh, &name);
643 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
646 if (PTR_ERR(index) == -ENOENT)
651 if (d_is_negative(index))
653 else if (ovl_is_whiteout(index))
655 else if (ovl_dentry_weird(index))
664 struct dentry *ovl_lookup_index(struct ovl_fs *ofs, struct dentry *upper,
665 struct dentry *origin, bool verify)
667 struct dentry *index;
670 bool is_dir = d_is_dir(origin);
673 err = ovl_get_index_name(origin, &name);
677 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
679 err = PTR_ERR(index);
680 if (err == -ENOENT) {
684 pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n"
685 "overlayfs: mount with '-o index=off' to disable inodes index.\n",
686 d_inode(origin)->i_ino, name.len, name.name,
691 inode = d_inode(index);
692 if (d_is_negative(index)) {
694 } else if (ovl_is_whiteout(index) && !verify) {
696 * When index lookup is called with !verify for decoding an
697 * overlay file handle, a whiteout index implies that decode
698 * should treat file handle as stale and no need to print a
702 index = ERR_PTR(-ESTALE);
704 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) ||
705 ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) {
707 * Index should always be of the same file type as origin
708 * except for the case of a whiteout index. A whiteout
709 * index should only exist if all lower aliases have been
710 * unlinked, which means that finding a lower origin on lookup
711 * whose index is a whiteout should be treated as an error.
713 pr_warn_ratelimited("overlayfs: bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n",
714 index, d_inode(index)->i_mode & S_IFMT,
715 d_inode(origin)->i_mode & S_IFMT);
717 } else if (is_dir && verify) {
719 pr_warn_ratelimited("overlayfs: suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n",
724 /* Verify that dir index 'upper' xattr points to upper dir */
725 err = ovl_verify_upper(index, upper, false);
727 if (err == -ESTALE) {
728 pr_warn_ratelimited("overlayfs: suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n",
729 upper, origin, index);
733 } else if (upper && d_inode(upper) != inode) {
747 index = ERR_PTR(-EIO);
752 * Returns next layer in stack starting from top.
753 * Returns -1 if this is the last layer.
755 int ovl_path_next(int idx, struct dentry *dentry, struct path *path)
757 struct ovl_entry *oe = dentry->d_fsdata;
761 ovl_path_upper(dentry, path);
763 return oe->numlower ? 1 : -1;
766 BUG_ON(idx > oe->numlower);
767 path->dentry = oe->lowerstack[idx - 1].dentry;
768 path->mnt = oe->lowerstack[idx - 1].layer->mnt;
770 return (idx < oe->numlower) ? idx + 1 : -1;
773 /* Fix missing 'origin' xattr */
774 static int ovl_fix_origin(struct dentry *dentry, struct dentry *lower,
775 struct dentry *upper)
779 if (ovl_check_origin_xattr(upper))
782 err = ovl_want_write(dentry);
786 err = ovl_set_origin(dentry, lower, upper);
788 err = ovl_set_impure(dentry->d_parent, upper->d_parent);
790 ovl_drop_write(dentry);
794 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
797 struct ovl_entry *oe;
798 const struct cred *old_cred;
799 struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
800 struct ovl_entry *poe = dentry->d_parent->d_fsdata;
801 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata;
802 struct ovl_path *stack = NULL;
803 struct dentry *upperdir, *upperdentry = NULL;
804 struct dentry *origin = NULL;
805 struct dentry *index = NULL;
806 unsigned int ctr = 0;
807 struct inode *inode = NULL;
808 bool upperopaque = false;
809 char *upperredirect = NULL;
813 struct ovl_lookup_data d = {
814 .name = dentry->d_name,
818 .last = !poe->numlower,
822 if (dentry->d_name.len > ofs->namelen)
823 return ERR_PTR(-ENAMETOOLONG);
825 old_cred = ovl_override_creds(dentry->d_sb);
826 upperdir = ovl_dentry_upper(dentry->d_parent);
828 err = ovl_lookup_layer(upperdir, &d, &upperdentry);
832 if (upperdentry && unlikely(ovl_dentry_remote(upperdentry))) {
837 if (upperdentry && !d.is_dir) {
838 BUG_ON(!d.stop || d.redirect);
840 * Lookup copy up origin by decoding origin file handle.
841 * We may get a disconnected dentry, which is fine,
842 * because we only need to hold the origin inode in
843 * cache and use its inode number. We may even get a
844 * connected dentry, that is not under any of the lower
845 * layers root. That is also fine for using it's inode
846 * number - it's the same as if we held a reference
847 * to a dentry in lower layer that was moved under us.
849 err = ovl_check_origin(ofs, upperdentry, &stack, &ctr);
856 upperredirect = kstrdup(d.redirect, GFP_KERNEL);
859 if (d.redirect[0] == '/')
862 upperopaque = d.opaque;
865 if (!d.stop && poe->numlower) {
867 stack = kcalloc(ofs->numlower, sizeof(struct ovl_path),
873 for (i = 0; !d.stop && i < poe->numlower; i++) {
874 struct ovl_path lower = poe->lowerstack[i];
876 d.last = i == poe->numlower - 1;
877 err = ovl_lookup_layer(lower.dentry, &d, &this);
885 * If no origin fh is stored in upper of a merge dir, store fh
886 * of lower dir and set upper parent "impure".
888 if (upperdentry && !ctr && !ofs->noxattr) {
889 err = ovl_fix_origin(dentry, this, upperdentry);
897 * When "verify_lower" feature is enabled, do not merge with a
898 * lower dir that does not match a stored origin xattr. In any
899 * case, only verified origin is used for index lookup.
901 if (upperdentry && !ctr && ovl_verify_lower(dentry->d_sb)) {
902 err = ovl_verify_origin(upperdentry, this, false);
908 /* Bless lower dir as verified origin */
912 stack[ctr].dentry = this;
913 stack[ctr].layer = lower.layer;
917 * Following redirects can have security consequences: it's like
918 * a symlink into the lower layer without the permission checks.
919 * This is only a problem if the upper layer is untrusted (e.g
920 * comes from an USB drive). This can allow a non-readable file
921 * or directory to become readable.
923 * Only following redirects when redirects are enabled disables
924 * this attack vector when not necessary.
927 if (d.redirect && !ofs->config.redirect_follow) {
928 pr_warn_ratelimited("overlayfs: refusing to follow redirect for (%pd2)\n",
936 if (d.redirect && d.redirect[0] == '/' && poe != roe) {
938 /* Find the current layer on the root dentry */
939 i = lower.layer->idx - 1;
944 * Lookup index by lower inode and verify it matches upper inode.
945 * We only trust dir index if we verified that lower dir matches
946 * origin, otherwise dir index entries may be inconsistent and we
947 * ignore them. Always lookup index of non-dir and non-upper.
949 if (ctr && (!upperdentry || !d.is_dir))
950 origin = stack[0].dentry;
952 if (origin && ovl_indexdir(dentry->d_sb) &&
953 (!d.is_dir || ovl_index_all(dentry->d_sb))) {
954 index = ovl_lookup_index(ofs, upperdentry, origin, true);
956 err = PTR_ERR(index);
962 oe = ovl_alloc_entry(ctr);
967 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr);
968 dentry->d_fsdata = oe;
971 ovl_dentry_set_opaque(dentry);
974 ovl_dentry_set_upper_alias(dentry);
976 upperdentry = dget(index);
978 if (upperdentry || ctr) {
980 origin = stack[0].dentry;
981 inode = ovl_get_inode(dentry->d_sb, upperdentry, origin, index,
983 err = PTR_ERR(inode);
987 OVL_I(inode)->redirect = upperredirect;
989 ovl_set_flag(OVL_INDEX, inode);
992 revert_creds(old_cred);
996 return d_splice_alias(inode, dentry);
999 dentry->d_fsdata = NULL;
1003 for (i = 0; i < ctr; i++)
1004 dput(stack[i].dentry);
1008 kfree(upperredirect);
1011 revert_creds(old_cred);
1012 return ERR_PTR(err);
1015 bool ovl_lower_positive(struct dentry *dentry)
1017 struct ovl_entry *poe = dentry->d_parent->d_fsdata;
1018 const struct qstr *name = &dentry->d_name;
1019 const struct cred *old_cred;
1021 bool positive = false;
1025 * If dentry is negative, then lower is positive iff this is a
1028 if (!dentry->d_inode)
1029 return ovl_dentry_is_opaque(dentry);
1031 /* Negative upper -> positive lower */
1032 if (!ovl_dentry_upper(dentry))
1035 old_cred = ovl_override_creds(dentry->d_sb);
1036 /* Positive upper -> have to look up lower to see whether it exists */
1037 for (i = 0; !done && !positive && i < poe->numlower; i++) {
1038 struct dentry *this;
1039 struct dentry *lowerdir = poe->lowerstack[i].dentry;
1041 this = lookup_one_len_unlocked(name->name, lowerdir,
1044 switch (PTR_ERR(this)) {
1051 * Assume something is there, we just couldn't
1058 if (this->d_inode) {
1059 positive = !ovl_is_whiteout(this);
1065 revert_creds(old_cred);
projects / linux-2.6-block.git / blob