#
39a25b2b |
| 01-Jul-2016 |
Vivek Goyal <vgoyal@redhat.com> |
ovl: define ->get_acl() for overlay inodes
Now we are planning to do DAC permission checks on overlay inode itself. And to make it work, we will need to make sure we can get acls from underlying ino
ovl: define ->get_acl() for overlay inodes
Now we are planning to do DAC permission checks on overlay inode itself. And to make it work, we will need to make sure we can get acls from underlying inode. So define ->get_acl() for overlay inodes and this in turn calls into underlying filesystem to get acls, if any.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
show more ...
|
#
58ed4e70 |
| 25-May-2016 |
Andreas Gruenbacher <agruenba@redhat.com> |
ovl: store ovl_entry in inode->i_private for all inodes
Previously this was only done for directory inodes. Doing so for all inodes makes for a nice cleanup in ovl_permission at zero cost.
Inodes
ovl: store ovl_entry in inode->i_private for all inodes
Previously this was only done for directory inodes. Doing so for all inodes makes for a nice cleanup in ovl_permission at zero cost.
Inodes are not shared for hard links on the overlay, so this works fine.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
show more ...
|
#
07a2daab |
| 01-Jul-2016 |
Vivek Goyal <vgoyal@redhat.com> |
ovl: Copy up underlying inode's ->i_mode to overlay inode
Right now when a new overlay inode is created, we initialize overlay inode's ->i_mode from underlying inode ->i_mode but we retain only file
ovl: Copy up underlying inode's ->i_mode to overlay inode
Right now when a new overlay inode is created, we initialize overlay inode's ->i_mode from underlying inode ->i_mode but we retain only file type bits (S_IFMT) and discard permission bits.
This patch changes it and retains permission bits too. This should allow overlay to do permission checks on overlay inode itself in task context.
[SzM] It also fixes clearing suid/sgid bits on write.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Reported-by: Eryu Guan <eguan@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay") Cc: <stable@vger.kernel.org>
show more ...
|
#
b99c2d91 |
| 04-Jul-2016 |
Miklos Szeredi <mszeredi@redhat.com> |
ovl: handle ATTR_KILL*
Before 4bacc9c9234c ("overlayfs: Make f_path...") file->f_path pointed to the underlying file, hence suid/sgid removal on write worked fine.
After that patch file->f_path poi
ovl: handle ATTR_KILL*
Before 4bacc9c9234c ("overlayfs: Make f_path...") file->f_path pointed to the underlying file, hence suid/sgid removal on write worked fine.
After that patch file->f_path pointed to the overlay file, and the file mode bits weren't copied to overlay_inode->i_mode. So the suid/sgid removal simply stopped working.
The fix is to copy the mode bits, but then ovl_setattr() needs to clear ATTR_MODE to avoid the BUG() in notify_change(). So do this first, then in the next patch copy the mode.
Reported-by: Eryu Guan <eguan@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay") Cc: <stable@vger.kernel.org>
show more ...
|
#
2d902671 |
| 30-Jun-2016 |
Miklos Szeredi <mszeredi@redhat.com> |
vfs: merge .d_select_inode() into .d_real()
The two methods essentially do the same: find the real dentry/inode belonging to an overlay dentry. The difference is in the usage:
vfs_open() uses ->d_
vfs: merge .d_select_inode() into .d_real()
The two methods essentially do the same: find the real dentry/inode belonging to an overlay dentry. The difference is in the usage:
vfs_open() uses ->d_select_inode() and expects the function to perform copy-up if necessary based on the open flags argument.
file_dentry() uses ->d_real() passing in the overlay dentry as well as the underlying inode.
vfs_rename() uses ->d_select_inode() but passes zero flags. ->d_real() with a zero inode would have worked just as well here.
This patch merges the functionality of ->d_select_inode() into ->d_real() by adding an 'open_flags' argument to the latter.
[Al Viro] Make the signature of d_real() match that of ->d_real() again. And constify the inode argument, while we are at it.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
show more ...
|
#
03bea604 |
| 29-Jun-2016 |
Miklos Szeredi <mszeredi@redhat.com> |
ovl: get_write_access() in truncate
When truncating a file we should check write access on the underlying inode. And we should do so on the lower file as well (before copy-up) for consistency.
Ori
ovl: get_write_access() in truncate
When truncating a file we should check write access on the underlying inode. And we should do so on the lower file as well (before copy-up) for consistency.
Original patch and test case by Aihua Zhang.
- - >o >o - - test.c - - >o >o - - #include <stdio.h> #include <errno.h> #include <unistd.h>
int main(int argc, char *argv[]) { int ret;
ret = truncate(argv[0], 4096); if (ret != -1) { fprintf(stderr, "truncate(argv[0]) should have failed\n"); return 1; } if (errno != ETXTBSY) { perror("truncate(argv[0])"); return 1; }
return 0; } - - >o >o - - >o >o - - >o >o - -
Reported-by: Aihua Zhang <zhangaihua1@huawei.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Cc: <stable@vger.kernel.org>
show more ...
|
#
a4859d75 |
| 29-Jun-2016 |
Miklos Szeredi <mszeredi@redhat.com> |
ovl: fix dentry leak for default_permissions
When using the 'default_permissions' mount option, ovl_permission() on non-directories was missing a dput(alias), resulting in "BUG Dentry still in use".
ovl: fix dentry leak for default_permissions
When using the 'default_permissions' mount option, ovl_permission() on non-directories was missing a dput(alias), resulting in "BUG Dentry still in use".
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Fixes: 8d3095f4ad47 ("ovl: default permissions") Cc: <stable@vger.kernel.org> # v4.5+
show more ...
|
#
b581755b |
| 06-Jun-2016 |
Miklos Szeredi <mszeredi@redhat.com> |
ovl: xattr filter fix
a) ovl_need_xattr_filter() is wrong, we can have multiple lower layers overlaid, all of which (except the lowest one) honouring the "trusted.overlay.opaque" xattr. So need to
ovl: xattr filter fix
a) ovl_need_xattr_filter() is wrong, we can have multiple lower layers overlaid, all of which (except the lowest one) honouring the "trusted.overlay.opaque" xattr. So need to filter everything except the bottom and the pure-upper layer.
b) we no longer can assume that inode is attached to dentry in get/setxattr.
This patch unconditionally filters private xattrs to fix both of the above. Performance impact for get/removexattrs is likely in the noise.
For listxattrs it might be measurable in pathological cases, but I very much hope nobody cares. If they do, we'll fix it then.
Reported-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Fixes: b96809173e94 ("security_d_instantiate(): move to the point prior to attaching dentry to inode")
show more ...
|
#
3767e255 |
| 27-May-2016 |
Al Viro <viro@zeniv.linux.org.uk> |
switch ->setxattr() to passing dentry and inode separately
smack ->d_instantiate() uses ->setxattr(), so to be able to call it before we'd hashed the new dentry and attached it to inode, we need ->s
switch ->setxattr() to passing dentry and inode separately
smack ->d_instantiate() uses ->setxattr(), so to be able to call it before we'd hashed the new dentry and attached it to inode, we need ->setxattr() instances getting the inode as an explicit argument rather than obtaining it from dentry.
Similar change for ->getxattr() had been done in commit ce23e64. Unlike ->getxattr() (which is used by both selinux and smack instances of ->d_instantiate()) ->setxattr() is used only by smack one and unfortunately it got missed back then.
Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com> Tested-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
Revision tags: openbmc-20160521-1, v4.4.11, openbmc-20160518-1, v4.6, v4.4.10, openbmc-20160511-1, openbmc-20160505-1, v4.4.9, v4.4.8, v4.4.7 |
|
#
ce23e640 |
| 10-Apr-2016 |
Al Viro <viro@zeniv.linux.org.uk> |
->getxattr(): pass dentry and inode as separate arguments
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
Revision tags: openbmc-20160329-2, openbmc-20160329-1, openbmc-20160321-1, v4.4.6, v4.5, v4.4.5, v4.4.4, v4.4.3, openbmc-20160222-1, v4.4.2, openbmc-20160212-1, openbmc-20160210-1, openbmc-20160202-2, openbmc-20160202-1, v4.4.1 |
|
#
b81de061 |
| 31-Jan-2016 |
Konstantin Khlebnikov <koct9i@gmail.com> |
ovl: copy new uid/gid into overlayfs runtime inode
Overlayfs must update uid/gid after chown, otherwise functions like inode_owner_or_capable() will check user against stale uid. Catched by xfstests
ovl: copy new uid/gid into overlayfs runtime inode
Overlayfs must update uid/gid after chown, otherwise functions like inode_owner_or_capable() will check user against stale uid. Catched by xfstests generic/087, it chowns file and calls utimes.
Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com> Signed-off-by: Miklos Szeredi <miklos@szeredi.hu> Cc: <stable@vger.kernel.org>
show more ...
|
Revision tags: openbmc-20160127-1 |
|
#
5955102c |
| 22-Jan-2016 |
Al Viro <viro@zeniv.linux.org.uk> |
wrappers for ->i_mutex access
parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested}, inode_foo(inode) being mutex_foo(&inode->i_mutex).
Please, use those for access to ->i_mutex; over the c
wrappers for ->i_mutex access
parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested}, inode_foo(inode) being mutex_foo(&inode->i_mutex).
Please, use those for access to ->i_mutex; over the coming cycle ->i_mutex will become rwsem, with ->lookup() done with it held only shared.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
Revision tags: openbmc-20160120-1, v4.4 |
|
#
fceef393 |
| 29-Dec-2015 |
Al Viro <viro@zeniv.linux.org.uk> |
switch ->get_link() to delayed_call, kill ->put_link()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
Revision tags: openbmc-20151217-1 |
|
#
cf9a6784 |
| 11-Dec-2015 |
Miklos Szeredi <miklos@szeredi.hu> |
ovl: setattr: check permissions before copy-up
Without this copy-up of a file can be forced, even without actually being allowed to do anything on the file.
[Arnd Bergmann] include <linux/pagemap.h
ovl: setattr: check permissions before copy-up
Without this copy-up of a file can be forced, even without actually being allowed to do anything on the file.
[Arnd Bergmann] include <linux/pagemap.h> for PAGE_CACHE_SIZE (used by MAX_LFS_FILESIZE definition).
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu> Cc: <stable@vger.kernel.org>
show more ...
|
Revision tags: openbmc-20151210-1, openbmc-20151202-1, openbmc-20151123-1, openbmc-20151118-1 |
|
#
6b255391 |
| 17-Nov-2015 |
Al Viro <viro@zeniv.linux.org.uk> |
replace ->follow_link() with new method that could stay in RCU mode
new method: ->get_link(); replacement of ->follow_link(). The differences are: * inode and dentry are passed separately * might
replace ->follow_link() with new method that could stay in RCU mode
new method: ->get_link(); replacement of ->follow_link(). The differences are: * inode and dentry are passed separately * might be called both in RCU and non-RCU mode; the former is indicated by passing it a NULL dentry. * when called that way it isn't allowed to block and should return ERR_PTR(-ECHILD) if it needs to be called in non-RCU mode.
It's a flagday change - the old method is gone, all in-tree instances converted. Conversion isn't hard; said that, so far very few instances do not immediately bail out when called in RCU mode. That'll change in the next commits.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
#
0f7ff2da |
| 06-Dec-2015 |
Al Viro <viro@zeniv.linux.org.uk> |
ovl: get rid of the dead code left from broken (and disabled) optimizations
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
acff81ec |
| 04-Dec-2015 |
Miklos Szeredi <miklos@szeredi.hu> |
ovl: fix permission checking for setattr
[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr() away - instead of "copy verbatim with metadata" + "chmod/chown/utimes" (with the
ovl: fix permission checking for setattr
[Al Viro] The bug is in being too enthusiastic about optimizing ->setattr() away - instead of "copy verbatim with metadata" + "chmod/chown/utimes" (with the former being always safe and the latter failing in case of insufficient permissions) it tries to combine these two. Note that copyup itself will have to do ->setattr() anyway; _that_ is where the elevated capabilities are right. Having these two ->setattr() (one to set verbatim copy of metadata, another to do what overlayfs ->setattr() had been asked to do in the first place) combined is where it breaks.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu> Cc: <stable@vger.kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
Revision tags: openbmc-20151104-1, v4.3, openbmc-20151102-1, openbmc-20151028-1 |
|
#
8d3095f4 |
| 12-Oct-2015 |
Miklos Szeredi <miklos@szeredi.hu> |
ovl: default permissions
Add mount option "default_permissions" to alter the way permissions are calculated.
Without this option and prior to this patch permissions were calculated by underlying lo
ovl: default permissions
Add mount option "default_permissions" to alter the way permissions are calculated.
Without this option and prior to this patch permissions were calculated by underlying lower or upper filesystem.
With this option the permissions are calculated by overlayfs based on the file owner, group and mode bits.
This has significance for example when a read-only exported NFS filesystem is used as a lower layer. In this case the underlying NFS filesystem will reply with EROFS, in which case all we know is that the filesystem is read-only. But that's not what we are interested in, we are interested in whether the access would be allowed if the filesystem wasn't read-only; the server doesn't tell us that, and would need updating at various levels, which doesn't seem practicable.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
show more ...
|
#
1c8a47df |
| 12-Oct-2015 |
Miklos Szeredi <miklos@szeredi.hu> |
ovl: fix open in stacked overlay
If two overlayfs filesystems are stacked on top of each other, then we need recursion in ovl_d_select_inode().
I guess d_backing_inode() is supposed to do that. Bu
ovl: fix open in stacked overlay
If two overlayfs filesystems are stacked on top of each other, then we need recursion in ovl_d_select_inode().
I guess d_backing_inode() is supposed to do that. But currently it doesn't and that functionality is open coded in vfs_open(). This is now copied into ovl_d_select_inode() to fix this regression.
Reported-by: Alban Crequy <alban.crequy@gmail.com> Signed-off-by: Miklos Szeredi <miklos@szeredi.hu> Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay...") Cc: David Howells <dhowells@redhat.com> Cc: <stable@vger.kernel.org> # v4.2+
show more ...
|
Revision tags: v4.3-rc1, v4.2, v4.2-rc8, v4.2-rc7, v4.2-rc6, v4.2-rc5, v4.2-rc4, v4.2-rc3, v4.2-rc2 |
|
#
9391dd00 |
| 12-Jul-2015 |
Al Viro <viro@zeniv.linux.org.uk> |
fix a braino in ovl_d_select_inode()
when opening a directory we want the overlayfs inode, not one from the topmost layer.
Reported-By: Andrey Jr. Melnikov <temnota.am@gmail.com> Tested-By: Andrey
fix a braino in ovl_d_select_inode()
when opening a directory we want the overlayfs inode, not one from the topmost layer.
Reported-By: Andrey Jr. Melnikov <temnota.am@gmail.com> Tested-By: Andrey Jr. Melnikov <temnota.am@gmail.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
Revision tags: v4.2-rc1, v4.1 |
|
#
4bacc9c9 |
| 18-Jun-2015 |
David Howells <dhowells@redhat.com> |
overlayfs: Make f_path always point to the overlay and f_inode to the underlay
Make file->f_path always point to the overlay dentry so that the path in /proc/pid/fd is correct and to ensure that lab
overlayfs: Make f_path always point to the overlay and f_inode to the underlay
Make file->f_path always point to the overlay dentry so that the path in /proc/pid/fd is correct and to ensure that label-based LSMs have access to the overlay as well as the underlay (path-based LSMs probably don't need it).
Using my union testsuite to set things up, before the patch I see:
[root@andromeda union-testsuite]# bash 5</mnt/a/foo107 [root@andromeda union-testsuite]# ls -l /proc/$$/fd/ ... lr-x------. 1 root root 64 Jun 5 14:38 5 -> /a/foo107 [root@andromeda union-testsuite]# stat /mnt/a/foo107 ... Device: 23h/35d Inode: 13381 Links: 1 ... [root@andromeda union-testsuite]# stat -L /proc/$$/fd/5 ... Device: 23h/35d Inode: 13381 Links: 1 ...
After the patch:
[root@andromeda union-testsuite]# bash 5</mnt/a/foo107 [root@andromeda union-testsuite]# ls -l /proc/$$/fd/ ... lr-x------. 1 root root 64 Jun 5 14:22 5 -> /mnt/a/foo107 [root@andromeda union-testsuite]# stat /mnt/a/foo107 ... Device: 23h/35d Inode: 40346 Links: 1 ... [root@andromeda union-testsuite]# stat -L /proc/$$/fd/5 ... Device: 23h/35d Inode: 40346 Links: 1 ...
Note the change in where /proc/$$/fd/5 points to in the ls command. It was pointing to /a/foo107 (which doesn't exist) and now points to /mnt/a/foo107 (which is correct).
The inode accessed, however, is the lower layer. The union layer is on device 25h/37d and the upper layer on 24h/36d.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
#
f25801ee |
| 18-Jun-2015 |
David Howells <dhowells@redhat.com> |
overlay: Call ovl_drop_write() earlier in ovl_dentry_open()
Call ovl_drop_write() earlier in ovl_dentry_open() before we call vfs_open() as we've done the copy up for which we needed the freeze-writ
overlay: Call ovl_drop_write() earlier in ovl_dentry_open()
Call ovl_drop_write() earlier in ovl_dentry_open() before we call vfs_open() as we've done the copy up for which we needed the freeze-write lock by that point.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
Revision tags: v4.1-rc8, v4.1-rc7, v4.1-rc6, v4.1-rc5, v4.1-rc4, v4.1-rc3 |
|
#
5f2c4179 |
| 07-May-2015 |
Al Viro <viro@zeniv.linux.org.uk> |
switch ->put_link() from dentry to inode
only one instance looks at that argument at all; that sole exception wants inode rather than dentry.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
Revision tags: v4.1-rc2 |
|
#
6e77137b |
| 02-May-2015 |
Al Viro <viro@zeniv.linux.org.uk> |
don't pass nameidata to ->follow_link()
its only use is getting passed to nd_jump_link(), which can obtain it from current->nameidata
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
680baacb |
| 02-May-2015 |
Al Viro <viro@zeniv.linux.org.uk> |
new ->follow_link() and ->put_link() calling conventions
a) instead of storing the symlink body (via nd_set_link()) and returning an opaque pointer later passed to ->put_link(), ->follow_link() _sto
new ->follow_link() and ->put_link() calling conventions
a) instead of storing the symlink body (via nd_set_link()) and returning an opaque pointer later passed to ->put_link(), ->follow_link() _stores_ that opaque pointer (into void * passed by address by caller) and returns the symlink body. Returning ERR_PTR() on error, NULL on jump (procfs magic symlinks) and pointer to symlink body for normal symlinks. Stored pointer is ignored in all cases except the last one.
Storing NULL for opaque pointer (or not storing it at all) means no call of ->put_link().
b) the body used to be passed to ->put_link() implicitly (via nameidata). Now only the opaque pointer is. In the cases when we used the symlink body to free stuff, ->follow_link() now should store it as opaque pointer in addition to returning it.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|