xref: /openbmc/linux/fs/overlayfs/params.c (revision 8f91116f)
1 // SPDX-License-Identifier: GPL-2.0-only
2 
3 #include <linux/fs.h>
4 #include <linux/module.h>
5 #include <linux/namei.h>
6 #include <linux/fs_context.h>
7 #include <linux/fs_parser.h>
8 #include <linux/posix_acl_xattr.h>
9 #include <linux/seq_file.h>
10 #include <linux/xattr.h>
11 #include "overlayfs.h"
12 #include "params.h"
13 
14 static bool ovl_redirect_dir_def = IS_ENABLED(CONFIG_OVERLAY_FS_REDIRECT_DIR);
15 module_param_named(redirect_dir, ovl_redirect_dir_def, bool, 0644);
16 MODULE_PARM_DESC(redirect_dir,
17 		 "Default to on or off for the redirect_dir feature");
18 
19 static bool ovl_redirect_always_follow =
20 	IS_ENABLED(CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW);
21 module_param_named(redirect_always_follow, ovl_redirect_always_follow,
22 		   bool, 0644);
23 MODULE_PARM_DESC(redirect_always_follow,
24 		 "Follow redirects even if redirect_dir feature is turned off");
25 
26 static bool ovl_xino_auto_def = IS_ENABLED(CONFIG_OVERLAY_FS_XINO_AUTO);
27 module_param_named(xino_auto, ovl_xino_auto_def, bool, 0644);
28 MODULE_PARM_DESC(xino_auto,
29 		 "Auto enable xino feature");
30 
31 static bool ovl_index_def = IS_ENABLED(CONFIG_OVERLAY_FS_INDEX);
32 module_param_named(index, ovl_index_def, bool, 0644);
33 MODULE_PARM_DESC(index,
34 		 "Default to on or off for the inodes index feature");
35 
36 static bool ovl_nfs_export_def = IS_ENABLED(CONFIG_OVERLAY_FS_NFS_EXPORT);
37 module_param_named(nfs_export, ovl_nfs_export_def, bool, 0644);
38 MODULE_PARM_DESC(nfs_export,
39 		 "Default to on or off for the NFS export feature");
40 
41 static bool ovl_metacopy_def = IS_ENABLED(CONFIG_OVERLAY_FS_METACOPY);
42 module_param_named(metacopy, ovl_metacopy_def, bool, 0644);
43 MODULE_PARM_DESC(metacopy,
44 		 "Default to on or off for the metadata only copy up feature");
45 
46 enum ovl_opt {
47 	Opt_lowerdir,
48 	Opt_lowerdir_add,
49 	Opt_datadir_add,
50 	Opt_upperdir,
51 	Opt_workdir,
52 	Opt_default_permissions,
53 	Opt_redirect_dir,
54 	Opt_index,
55 	Opt_uuid,
56 	Opt_nfs_export,
57 	Opt_userxattr,
58 	Opt_xino,
59 	Opt_metacopy,
60 	Opt_verity,
61 	Opt_volatile,
62 };
63 
64 static const struct constant_table ovl_parameter_bool[] = {
65 	{ "on",		true  },
66 	{ "off",	false },
67 	{}
68 };
69 
70 static const struct constant_table ovl_parameter_uuid[] = {
71 	{ "off",	OVL_UUID_OFF  },
72 	{ "null",	OVL_UUID_NULL },
73 	{ "auto",	OVL_UUID_AUTO },
74 	{ "on",		OVL_UUID_ON   },
75 	{}
76 };
77 
78 static const char *ovl_uuid_mode(struct ovl_config *config)
79 {
80 	return ovl_parameter_uuid[config->uuid].name;
81 }
82 
83 static int ovl_uuid_def(void)
84 {
85 	return OVL_UUID_AUTO;
86 }
87 
88 static const struct constant_table ovl_parameter_xino[] = {
89 	{ "off",	OVL_XINO_OFF  },
90 	{ "auto",	OVL_XINO_AUTO },
91 	{ "on",		OVL_XINO_ON   },
92 	{}
93 };
94 
95 const char *ovl_xino_mode(struct ovl_config *config)
96 {
97 	return ovl_parameter_xino[config->xino].name;
98 }
99 
100 static int ovl_xino_def(void)
101 {
102 	return ovl_xino_auto_def ? OVL_XINO_AUTO : OVL_XINO_OFF;
103 }
104 
105 const struct constant_table ovl_parameter_redirect_dir[] = {
106 	{ "off",	OVL_REDIRECT_OFF      },
107 	{ "follow",	OVL_REDIRECT_FOLLOW   },
108 	{ "nofollow",	OVL_REDIRECT_NOFOLLOW },
109 	{ "on",		OVL_REDIRECT_ON       },
110 	{}
111 };
112 
113 static const char *ovl_redirect_mode(struct ovl_config *config)
114 {
115 	return ovl_parameter_redirect_dir[config->redirect_mode].name;
116 }
117 
118 static int ovl_redirect_mode_def(void)
119 {
120 	return ovl_redirect_dir_def	  ? OVL_REDIRECT_ON :
121 	       ovl_redirect_always_follow ? OVL_REDIRECT_FOLLOW :
122 					    OVL_REDIRECT_NOFOLLOW;
123 }
124 
125 static const struct constant_table ovl_parameter_verity[] = {
126 	{ "off",	OVL_VERITY_OFF     },
127 	{ "on",		OVL_VERITY_ON      },
128 	{ "require",	OVL_VERITY_REQUIRE },
129 	{}
130 };
131 
132 static const char *ovl_verity_mode(struct ovl_config *config)
133 {
134 	return ovl_parameter_verity[config->verity_mode].name;
135 }
136 
137 static int ovl_verity_mode_def(void)
138 {
139 	return OVL_VERITY_OFF;
140 }
141 
142 #define fsparam_string_empty(NAME, OPT) \
143 	__fsparam(fs_param_is_string, NAME, OPT, fs_param_can_be_empty, NULL)
144 
145 
146 const struct fs_parameter_spec ovl_parameter_spec[] = {
147 	fsparam_string_empty("lowerdir",    Opt_lowerdir),
148 	fsparam_string("lowerdir+",         Opt_lowerdir_add),
149 	fsparam_string("datadir+",          Opt_datadir_add),
150 	fsparam_string("upperdir",          Opt_upperdir),
151 	fsparam_string("workdir",           Opt_workdir),
152 	fsparam_flag("default_permissions", Opt_default_permissions),
153 	fsparam_enum("redirect_dir",        Opt_redirect_dir, ovl_parameter_redirect_dir),
154 	fsparam_enum("index",               Opt_index, ovl_parameter_bool),
155 	fsparam_enum("uuid",                Opt_uuid, ovl_parameter_uuid),
156 	fsparam_enum("nfs_export",          Opt_nfs_export, ovl_parameter_bool),
157 	fsparam_flag("userxattr",           Opt_userxattr),
158 	fsparam_enum("xino",                Opt_xino, ovl_parameter_xino),
159 	fsparam_enum("metacopy",            Opt_metacopy, ovl_parameter_bool),
160 	fsparam_enum("verity",              Opt_verity, ovl_parameter_verity),
161 	fsparam_flag("volatile",            Opt_volatile),
162 	{}
163 };
164 
165 static char *ovl_next_opt(char **s)
166 {
167 	char *sbegin = *s;
168 	char *p;
169 
170 	if (sbegin == NULL)
171 		return NULL;
172 
173 	for (p = sbegin; *p; p++) {
174 		if (*p == '\\') {
175 			p++;
176 			if (!*p)
177 				break;
178 		} else if (*p == ',') {
179 			*p = '\0';
180 			*s = p + 1;
181 			return sbegin;
182 		}
183 	}
184 	*s = NULL;
185 	return sbegin;
186 }
187 
188 static int ovl_parse_monolithic(struct fs_context *fc, void *data)
189 {
190 	return vfs_parse_monolithic_sep(fc, data, ovl_next_opt);
191 }
192 
193 static ssize_t ovl_parse_param_split_lowerdirs(char *str)
194 {
195 	ssize_t nr_layers = 1, nr_colons = 0;
196 	char *s, *d;
197 
198 	for (s = d = str;; s++, d++) {
199 		if (*s == '\\') {
200 			/* keep esc chars in split lowerdir */
201 			*d++ = *s++;
202 		} else if (*s == ':') {
203 			bool next_colon = (*(s + 1) == ':');
204 
205 			nr_colons++;
206 			if (nr_colons == 2 && next_colon) {
207 				pr_err("only single ':' or double '::' sequences of unescaped colons in lowerdir mount option allowed.\n");
208 				return -EINVAL;
209 			}
210 			/* count layers, not colons */
211 			if (!next_colon)
212 				nr_layers++;
213 
214 			*d = '\0';
215 			continue;
216 		}
217 
218 		*d = *s;
219 		if (!*s) {
220 			/* trailing colons */
221 			if (nr_colons) {
222 				pr_err("unescaped trailing colons in lowerdir mount option.\n");
223 				return -EINVAL;
224 			}
225 			break;
226 		}
227 		nr_colons = 0;
228 	}
229 
230 	return nr_layers;
231 }
232 
233 static int ovl_mount_dir_noesc(const char *name, struct path *path)
234 {
235 	int err = -EINVAL;
236 
237 	if (!*name) {
238 		pr_err("empty lowerdir\n");
239 		goto out;
240 	}
241 	err = kern_path(name, LOOKUP_FOLLOW, path);
242 	if (err) {
243 		pr_err("failed to resolve '%s': %i\n", name, err);
244 		goto out;
245 	}
246 	return 0;
247 
248 out:
249 	return err;
250 }
251 
252 static void ovl_unescape(char *s)
253 {
254 	char *d = s;
255 
256 	for (;; s++, d++) {
257 		if (*s == '\\')
258 			s++;
259 		*d = *s;
260 		if (!*s)
261 			break;
262 	}
263 }
264 
265 static int ovl_mount_dir(const char *name, struct path *path)
266 {
267 	int err = -ENOMEM;
268 	char *tmp = kstrdup(name, GFP_KERNEL);
269 
270 	if (tmp) {
271 		ovl_unescape(tmp);
272 		err = ovl_mount_dir_noesc(tmp, path);
273 		kfree(tmp);
274 	}
275 	return err;
276 }
277 
278 static int ovl_mount_dir_check(struct fs_context *fc, const struct path *path,
279 			       enum ovl_opt layer, const char *name, bool upper)
280 {
281 	struct ovl_fs_context *ctx = fc->fs_private;
282 
283 	if (!d_is_dir(path->dentry))
284 		return invalfc(fc, "%s is not a directory", name);
285 
286 	/*
287 	 * Root dentries of case-insensitive capable filesystems might
288 	 * not have the dentry operations set, but still be incompatible
289 	 * with overlayfs.  Check explicitly to prevent post-mount
290 	 * failures.
291 	 */
292 	if (sb_has_encoding(path->mnt->mnt_sb))
293 		return invalfc(fc, "case-insensitive capable filesystem on %s not supported", name);
294 
295 	if (ovl_dentry_weird(path->dentry))
296 		return invalfc(fc, "filesystem on %s not supported", name);
297 
298 	/*
299 	 * Check whether upper path is read-only here to report failures
300 	 * early. Don't forget to recheck when the superblock is created
301 	 * as the mount attributes could change.
302 	 */
303 	if (upper) {
304 		if (path->dentry->d_flags & DCACHE_OP_REAL)
305 			return invalfc(fc, "filesystem on %s not supported as upperdir", name);
306 		if (__mnt_is_readonly(path->mnt))
307 			return invalfc(fc, "filesystem on %s is read-only", name);
308 	} else {
309 		if (ctx->lowerdir_all && layer != Opt_lowerdir)
310 			return invalfc(fc, "lowerdir+ and datadir+ cannot follow lowerdir");
311 		if (ctx->nr_data && layer == Opt_lowerdir_add)
312 			return invalfc(fc, "regular lower layers cannot follow data layers");
313 		if (ctx->nr == OVL_MAX_STACK)
314 			return invalfc(fc, "too many lower directories, limit is %d",
315 				       OVL_MAX_STACK);
316 	}
317 	return 0;
318 }
319 
320 static int ovl_ctx_realloc_lower(struct fs_context *fc)
321 {
322 	struct ovl_fs_context *ctx = fc->fs_private;
323 	struct ovl_fs_context_layer *l;
324 	size_t nr;
325 
326 	if (ctx->nr < ctx->capacity)
327 		return 0;
328 
329 	nr = min_t(size_t, max(4096 / sizeof(*l), ctx->capacity * 2),
330 		   OVL_MAX_STACK);
331 	l = krealloc_array(ctx->lower, nr, sizeof(*l), GFP_KERNEL_ACCOUNT);
332 	if (!l)
333 		return -ENOMEM;
334 
335 	ctx->lower = l;
336 	ctx->capacity = nr;
337 	return 0;
338 }
339 
340 static void ovl_add_layer(struct fs_context *fc, enum ovl_opt layer,
341 			 struct path *path, char **pname)
342 {
343 	struct ovl_fs *ofs = fc->s_fs_info;
344 	struct ovl_config *config = &ofs->config;
345 	struct ovl_fs_context *ctx = fc->fs_private;
346 	struct ovl_fs_context_layer *l;
347 
348 	switch (layer) {
349 	case Opt_workdir:
350 		swap(config->workdir, *pname);
351 		swap(ctx->work, *path);
352 		break;
353 	case Opt_upperdir:
354 		swap(config->upperdir, *pname);
355 		swap(ctx->upper, *path);
356 		break;
357 	case Opt_datadir_add:
358 		ctx->nr_data++;
359 		fallthrough;
360 	case Opt_lowerdir:
361 		fallthrough;
362 	case Opt_lowerdir_add:
363 		WARN_ON(ctx->nr >= ctx->capacity);
364 		l = &ctx->lower[ctx->nr++];
365 		memset(l, 0, sizeof(*l));
366 		swap(l->name, *pname);
367 		swap(l->path, *path);
368 		break;
369 	default:
370 		WARN_ON(1);
371 	}
372 }
373 
374 static int ovl_parse_layer(struct fs_context *fc, const char *layer_name, enum ovl_opt layer)
375 {
376 	char *name = kstrdup(layer_name, GFP_KERNEL);
377 	bool upper = (layer == Opt_upperdir || layer == Opt_workdir);
378 	struct path path;
379 	int err;
380 
381 	if (!name)
382 		return -ENOMEM;
383 
384 	if (upper || layer == Opt_lowerdir)
385 		err = ovl_mount_dir(name, &path);
386 	else
387 		err = ovl_mount_dir_noesc(name, &path);
388 	if (err)
389 		goto out_free;
390 
391 	err = ovl_mount_dir_check(fc, &path, layer, name, upper);
392 	if (err)
393 		goto out_put;
394 
395 	if (!upper) {
396 		err = ovl_ctx_realloc_lower(fc);
397 		if (err)
398 			goto out_put;
399 	}
400 
401 	/* Store the user provided path string in ctx to show in mountinfo */
402 	ovl_add_layer(fc, layer, &path, &name);
403 
404 out_put:
405 	path_put(&path);
406 out_free:
407 	kfree(name);
408 	return err;
409 }
410 
411 static void ovl_reset_lowerdirs(struct ovl_fs_context *ctx)
412 {
413 	struct ovl_fs_context_layer *l = ctx->lower;
414 
415 	// Reset old user provided lowerdir string
416 	kfree(ctx->lowerdir_all);
417 	ctx->lowerdir_all = NULL;
418 
419 	for (size_t nr = 0; nr < ctx->nr; nr++, l++) {
420 		path_put(&l->path);
421 		kfree(l->name);
422 		l->name = NULL;
423 	}
424 	ctx->nr = 0;
425 	ctx->nr_data = 0;
426 }
427 
428 /*
429  * Parse lowerdir= mount option:
430  *
431  * e.g.: lowerdir=/lower1:/lower2:/lower3::/data1::/data2
432  *     Set "/lower1", "/lower2", and "/lower3" as lower layers and
433  *     "/data1" and "/data2" as data lower layers. Any existing lower
434  *     layers are replaced.
435  */
436 static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
437 {
438 	int err;
439 	struct ovl_fs_context *ctx = fc->fs_private;
440 	char *dup = NULL, *iter;
441 	ssize_t nr_lower, nr;
442 	bool data_layer = false;
443 
444 	/*
445 	 * Ensure we're backwards compatible with mount(2)
446 	 * by allowing relative paths.
447 	 */
448 
449 	/* drop all existing lower layers */
450 	ovl_reset_lowerdirs(ctx);
451 
452 	if (!*name)
453 		return 0;
454 
455 	if (*name == ':') {
456 		pr_err("cannot append lower layer\n");
457 		return -EINVAL;
458 	}
459 
460 	// Store user provided lowerdir string to show in mount options
461 	ctx->lowerdir_all = kstrdup(name, GFP_KERNEL);
462 	if (!ctx->lowerdir_all)
463 		return -ENOMEM;
464 
465 	dup = kstrdup(name, GFP_KERNEL);
466 	if (!dup)
467 		return -ENOMEM;
468 
469 	err = -EINVAL;
470 	nr_lower = ovl_parse_param_split_lowerdirs(dup);
471 	if (nr_lower < 0)
472 		goto out_err;
473 
474 	if (nr_lower > OVL_MAX_STACK) {
475 		pr_err("too many lower directories, limit is %d\n", OVL_MAX_STACK);
476 		goto out_err;
477 	}
478 
479 	iter = dup;
480 	for (nr = 0; nr < nr_lower; nr++) {
481 		err = ovl_parse_layer(fc, iter, Opt_lowerdir);
482 		if (err)
483 			goto out_err;
484 
485 		if (data_layer)
486 			ctx->nr_data++;
487 
488 		/* Calling strchr() again would overrun. */
489 		if (ctx->nr == nr_lower)
490 			break;
491 
492 		err = -EINVAL;
493 		iter = strchr(iter, '\0') + 1;
494 		if (*iter) {
495 			/*
496 			 * This is a regular layer so we require that
497 			 * there are no data layers.
498 			 */
499 			if (ctx->nr_data > 0) {
500 				pr_err("regular lower layers cannot follow data lower layers\n");
501 				goto out_err;
502 			}
503 
504 			data_layer = false;
505 			continue;
506 		}
507 
508 		/* This is a data lower layer. */
509 		data_layer = true;
510 		iter++;
511 	}
512 	kfree(dup);
513 	return 0;
514 
515 out_err:
516 	kfree(dup);
517 
518 	/* Intentionally don't realloc to a smaller size. */
519 	return err;
520 }
521 
522 static int ovl_parse_param(struct fs_context *fc, struct fs_parameter *param)
523 {
524 	int err = 0;
525 	struct fs_parse_result result;
526 	struct ovl_fs *ofs = fc->s_fs_info;
527 	struct ovl_config *config = &ofs->config;
528 	struct ovl_fs_context *ctx = fc->fs_private;
529 	int opt;
530 
531 	if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE) {
532 		/*
533 		 * On remount overlayfs has always ignored all mount
534 		 * options no matter if malformed or not so for
535 		 * backwards compatibility we do the same here.
536 		 */
537 		if (fc->oldapi)
538 			return 0;
539 
540 		/*
541 		 * Give us the freedom to allow changing mount options
542 		 * with the new mount api in the future. So instead of
543 		 * silently ignoring everything we report a proper
544 		 * error. This is only visible for users of the new
545 		 * mount api.
546 		 */
547 		return invalfc(fc, "No changes allowed in reconfigure");
548 	}
549 
550 	opt = fs_parse(fc, ovl_parameter_spec, param, &result);
551 	if (opt < 0)
552 		return opt;
553 
554 	switch (opt) {
555 	case Opt_lowerdir:
556 		err = ovl_parse_param_lowerdir(param->string, fc);
557 		break;
558 	case Opt_lowerdir_add:
559 	case Opt_datadir_add:
560 	case Opt_upperdir:
561 	case Opt_workdir:
562 		err = ovl_parse_layer(fc, param->string, opt);
563 		break;
564 	case Opt_default_permissions:
565 		config->default_permissions = true;
566 		break;
567 	case Opt_redirect_dir:
568 		config->redirect_mode = result.uint_32;
569 		if (config->redirect_mode == OVL_REDIRECT_OFF) {
570 			config->redirect_mode = ovl_redirect_always_follow ?
571 						OVL_REDIRECT_FOLLOW :
572 						OVL_REDIRECT_NOFOLLOW;
573 		}
574 		ctx->set.redirect = true;
575 		break;
576 	case Opt_index:
577 		config->index = result.uint_32;
578 		ctx->set.index = true;
579 		break;
580 	case Opt_uuid:
581 		config->uuid = result.uint_32;
582 		break;
583 	case Opt_nfs_export:
584 		config->nfs_export = result.uint_32;
585 		ctx->set.nfs_export = true;
586 		break;
587 	case Opt_xino:
588 		config->xino = result.uint_32;
589 		break;
590 	case Opt_metacopy:
591 		config->metacopy = result.uint_32;
592 		ctx->set.metacopy = true;
593 		break;
594 	case Opt_verity:
595 		config->verity_mode = result.uint_32;
596 		break;
597 	case Opt_volatile:
598 		config->ovl_volatile = true;
599 		break;
600 	case Opt_userxattr:
601 		config->userxattr = true;
602 		break;
603 	default:
604 		pr_err("unrecognized mount option \"%s\" or missing value\n",
605 		       param->key);
606 		return -EINVAL;
607 	}
608 
609 	return err;
610 }
611 
612 static int ovl_get_tree(struct fs_context *fc)
613 {
614 	return get_tree_nodev(fc, ovl_fill_super);
615 }
616 
617 static inline void ovl_fs_context_free(struct ovl_fs_context *ctx)
618 {
619 	ovl_reset_lowerdirs(ctx);
620 	path_put(&ctx->upper);
621 	path_put(&ctx->work);
622 	kfree(ctx->lower);
623 	kfree(ctx);
624 }
625 
626 static void ovl_free(struct fs_context *fc)
627 {
628 	struct ovl_fs *ofs = fc->s_fs_info;
629 	struct ovl_fs_context *ctx = fc->fs_private;
630 
631 	/*
632 	 * ofs is stored in the fs_context when it is initialized.
633 	 * ofs is transferred to the superblock on a successful mount,
634 	 * but if an error occurs before the transfer we have to free
635 	 * it here.
636 	 */
637 	if (ofs)
638 		ovl_free_fs(ofs);
639 
640 	if (ctx)
641 		ovl_fs_context_free(ctx);
642 }
643 
644 static int ovl_reconfigure(struct fs_context *fc)
645 {
646 	struct super_block *sb = fc->root->d_sb;
647 	struct ovl_fs *ofs = OVL_FS(sb);
648 	struct super_block *upper_sb;
649 	int ret = 0;
650 
651 	if (!(fc->sb_flags & SB_RDONLY) && ovl_force_readonly(ofs))
652 		return -EROFS;
653 
654 	if (fc->sb_flags & SB_RDONLY && !sb_rdonly(sb)) {
655 		upper_sb = ovl_upper_mnt(ofs)->mnt_sb;
656 		if (ovl_should_sync(ofs)) {
657 			down_read(&upper_sb->s_umount);
658 			ret = sync_filesystem(upper_sb);
659 			up_read(&upper_sb->s_umount);
660 		}
661 	}
662 
663 	return ret;
664 }
665 
666 static const struct fs_context_operations ovl_context_ops = {
667 	.parse_monolithic = ovl_parse_monolithic,
668 	.parse_param = ovl_parse_param,
669 	.get_tree    = ovl_get_tree,
670 	.reconfigure = ovl_reconfigure,
671 	.free        = ovl_free,
672 };
673 
674 /*
675  * This is called during fsopen() and will record the user namespace of
676  * the caller in fc->user_ns since we've raised FS_USERNS_MOUNT. We'll
677  * need it when we actually create the superblock to verify that the
678  * process creating the superblock is in the same user namespace as
679  * process that called fsopen().
680  */
681 int ovl_init_fs_context(struct fs_context *fc)
682 {
683 	struct ovl_fs_context *ctx;
684 	struct ovl_fs *ofs;
685 
686 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL_ACCOUNT);
687 	if (!ctx)
688 		return -ENOMEM;
689 
690 	/*
691 	 * By default we allocate for three lower layers. It's likely
692 	 * that it'll cover most users.
693 	 */
694 	ctx->lower = kmalloc_array(3, sizeof(*ctx->lower), GFP_KERNEL_ACCOUNT);
695 	if (!ctx->lower)
696 		goto out_err;
697 	ctx->capacity = 3;
698 
699 	ofs = kzalloc(sizeof(struct ovl_fs), GFP_KERNEL);
700 	if (!ofs)
701 		goto out_err;
702 
703 	ofs->config.redirect_mode	= ovl_redirect_mode_def();
704 	ofs->config.index		= ovl_index_def;
705 	ofs->config.uuid		= ovl_uuid_def();
706 	ofs->config.nfs_export		= ovl_nfs_export_def;
707 	ofs->config.xino		= ovl_xino_def();
708 	ofs->config.metacopy		= ovl_metacopy_def;
709 
710 	fc->s_fs_info		= ofs;
711 	fc->fs_private		= ctx;
712 	fc->ops			= &ovl_context_ops;
713 	return 0;
714 
715 out_err:
716 	ovl_fs_context_free(ctx);
717 	return -ENOMEM;
718 
719 }
720 
721 void ovl_free_fs(struct ovl_fs *ofs)
722 {
723 	struct vfsmount **mounts;
724 	unsigned i;
725 
726 	iput(ofs->workbasedir_trap);
727 	iput(ofs->indexdir_trap);
728 	iput(ofs->workdir_trap);
729 	dput(ofs->whiteout);
730 	dput(ofs->indexdir);
731 	dput(ofs->workdir);
732 	if (ofs->workdir_locked)
733 		ovl_inuse_unlock(ofs->workbasedir);
734 	dput(ofs->workbasedir);
735 	if (ofs->upperdir_locked)
736 		ovl_inuse_unlock(ovl_upper_mnt(ofs)->mnt_root);
737 
738 	/* Reuse ofs->config.lowerdirs as a vfsmount array before freeing it */
739 	mounts = (struct vfsmount **) ofs->config.lowerdirs;
740 	for (i = 0; i < ofs->numlayer; i++) {
741 		iput(ofs->layers[i].trap);
742 		kfree(ofs->config.lowerdirs[i]);
743 		mounts[i] = ofs->layers[i].mnt;
744 	}
745 	kern_unmount_array(mounts, ofs->numlayer);
746 	kfree(ofs->layers);
747 	for (i = 0; i < ofs->numfs; i++)
748 		free_anon_bdev(ofs->fs[i].pseudo_dev);
749 	kfree(ofs->fs);
750 
751 	kfree(ofs->config.lowerdirs);
752 	kfree(ofs->config.upperdir);
753 	kfree(ofs->config.workdir);
754 	if (ofs->creator_cred)
755 		put_cred(ofs->creator_cred);
756 	kfree(ofs);
757 }
758 
759 int ovl_fs_params_verify(const struct ovl_fs_context *ctx,
760 			 struct ovl_config *config)
761 {
762 	struct ovl_opt_set set = ctx->set;
763 
764 	/* Workdir/index are useless in non-upper mount */
765 	if (!config->upperdir) {
766 		if (config->workdir) {
767 			pr_info("option \"workdir=%s\" is useless in a non-upper mount, ignore\n",
768 				config->workdir);
769 			kfree(config->workdir);
770 			config->workdir = NULL;
771 		}
772 		if (config->index && set.index) {
773 			pr_info("option \"index=on\" is useless in a non-upper mount, ignore\n");
774 			set.index = false;
775 		}
776 		config->index = false;
777 	}
778 
779 	if (!config->upperdir && config->ovl_volatile) {
780 		pr_info("option \"volatile\" is meaningless in a non-upper mount, ignoring it.\n");
781 		config->ovl_volatile = false;
782 	}
783 
784 	if (!config->upperdir && config->uuid == OVL_UUID_ON) {
785 		pr_info("option \"uuid=on\" requires an upper fs, falling back to uuid=null.\n");
786 		config->uuid = OVL_UUID_NULL;
787 	}
788 
789 	/* Resolve verity -> metacopy dependency */
790 	if (config->verity_mode && !config->metacopy) {
791 		/* Don't allow explicit specified conflicting combinations */
792 		if (set.metacopy) {
793 			pr_err("conflicting options: metacopy=off,verity=%s\n",
794 			       ovl_verity_mode(config));
795 			return -EINVAL;
796 		}
797 		/* Otherwise automatically enable metacopy. */
798 		config->metacopy = true;
799 	}
800 
801 	/*
802 	 * This is to make the logic below simpler.  It doesn't make any other
803 	 * difference, since redirect_dir=on is only used for upper.
804 	 */
805 	if (!config->upperdir && config->redirect_mode == OVL_REDIRECT_FOLLOW)
806 		config->redirect_mode = OVL_REDIRECT_ON;
807 
808 	/* Resolve verity -> metacopy -> redirect_dir dependency */
809 	if (config->metacopy && config->redirect_mode != OVL_REDIRECT_ON) {
810 		if (set.metacopy && set.redirect) {
811 			pr_err("conflicting options: metacopy=on,redirect_dir=%s\n",
812 			       ovl_redirect_mode(config));
813 			return -EINVAL;
814 		}
815 		if (config->verity_mode && set.redirect) {
816 			pr_err("conflicting options: verity=%s,redirect_dir=%s\n",
817 			       ovl_verity_mode(config), ovl_redirect_mode(config));
818 			return -EINVAL;
819 		}
820 		if (set.redirect) {
821 			/*
822 			 * There was an explicit redirect_dir=... that resulted
823 			 * in this conflict.
824 			 */
825 			pr_info("disabling metacopy due to redirect_dir=%s\n",
826 				ovl_redirect_mode(config));
827 			config->metacopy = false;
828 		} else {
829 			/* Automatically enable redirect otherwise. */
830 			config->redirect_mode = OVL_REDIRECT_ON;
831 		}
832 	}
833 
834 	/* Resolve nfs_export -> index dependency */
835 	if (config->nfs_export && !config->index) {
836 		if (!config->upperdir &&
837 		    config->redirect_mode != OVL_REDIRECT_NOFOLLOW) {
838 			pr_info("NFS export requires \"redirect_dir=nofollow\" on non-upper mount, falling back to nfs_export=off.\n");
839 			config->nfs_export = false;
840 		} else if (set.nfs_export && set.index) {
841 			pr_err("conflicting options: nfs_export=on,index=off\n");
842 			return -EINVAL;
843 		} else if (set.index) {
844 			/*
845 			 * There was an explicit index=off that resulted
846 			 * in this conflict.
847 			 */
848 			pr_info("disabling nfs_export due to index=off\n");
849 			config->nfs_export = false;
850 		} else {
851 			/* Automatically enable index otherwise. */
852 			config->index = true;
853 		}
854 	}
855 
856 	/* Resolve nfs_export -> !metacopy && !verity dependency */
857 	if (config->nfs_export && config->metacopy) {
858 		if (set.nfs_export && set.metacopy) {
859 			pr_err("conflicting options: nfs_export=on,metacopy=on\n");
860 			return -EINVAL;
861 		}
862 		if (set.metacopy) {
863 			/*
864 			 * There was an explicit metacopy=on that resulted
865 			 * in this conflict.
866 			 */
867 			pr_info("disabling nfs_export due to metacopy=on\n");
868 			config->nfs_export = false;
869 		} else if (config->verity_mode) {
870 			/*
871 			 * There was an explicit verity=.. that resulted
872 			 * in this conflict.
873 			 */
874 			pr_info("disabling nfs_export due to verity=%s\n",
875 				ovl_verity_mode(config));
876 			config->nfs_export = false;
877 		} else {
878 			/*
879 			 * There was an explicit nfs_export=on that resulted
880 			 * in this conflict.
881 			 */
882 			pr_info("disabling metacopy due to nfs_export=on\n");
883 			config->metacopy = false;
884 		}
885 	}
886 
887 
888 	/* Resolve userxattr -> !redirect && !metacopy && !verity dependency */
889 	if (config->userxattr) {
890 		if (set.redirect &&
891 		    config->redirect_mode != OVL_REDIRECT_NOFOLLOW) {
892 			pr_err("conflicting options: userxattr,redirect_dir=%s\n",
893 			       ovl_redirect_mode(config));
894 			return -EINVAL;
895 		}
896 		if (config->metacopy && set.metacopy) {
897 			pr_err("conflicting options: userxattr,metacopy=on\n");
898 			return -EINVAL;
899 		}
900 		if (config->verity_mode) {
901 			pr_err("conflicting options: userxattr,verity=%s\n",
902 			       ovl_verity_mode(config));
903 			return -EINVAL;
904 		}
905 		/*
906 		 * Silently disable default setting of redirect and metacopy.
907 		 * This shall be the default in the future as well: these
908 		 * options must be explicitly enabled if used together with
909 		 * userxattr.
910 		 */
911 		config->redirect_mode = OVL_REDIRECT_NOFOLLOW;
912 		config->metacopy = false;
913 	}
914 
915 	/*
916 	 * Fail if we don't have trusted xattr capability and a feature was
917 	 * explicitly requested that requires them.
918 	 */
919 	if (!config->userxattr && !capable(CAP_SYS_ADMIN)) {
920 		if (set.redirect &&
921 		    config->redirect_mode != OVL_REDIRECT_NOFOLLOW) {
922 			pr_err("redirect_dir requires permission to access trusted xattrs\n");
923 			return -EPERM;
924 		}
925 		if (config->metacopy && set.metacopy) {
926 			pr_err("metacopy requires permission to access trusted xattrs\n");
927 			return -EPERM;
928 		}
929 		if (config->verity_mode) {
930 			pr_err("verity requires permission to access trusted xattrs\n");
931 			return -EPERM;
932 		}
933 		if (ctx->nr_data > 0) {
934 			pr_err("lower data-only dirs require permission to access trusted xattrs\n");
935 			return -EPERM;
936 		}
937 		/*
938 		 * Other xattr-dependent features should be disabled without
939 		 * great disturbance to the user in ovl_make_workdir().
940 		 */
941 	}
942 
943 	if (ctx->nr_data > 0 && !config->metacopy) {
944 		pr_err("lower data-only dirs require metacopy support.\n");
945 		return -EINVAL;
946 	}
947 
948 	return 0;
949 }
950 
951 /**
952  * ovl_show_options
953  * @m: the seq_file handle
954  * @dentry: The dentry to query
955  *
956  * Prints the mount options for a given superblock.
957  * Returns zero; does not fail.
958  */
959 int ovl_show_options(struct seq_file *m, struct dentry *dentry)
960 {
961 	struct super_block *sb = dentry->d_sb;
962 	struct ovl_fs *ofs = OVL_FS(sb);
963 	size_t nr, nr_merged_lower, nr_lower = 0;
964 	char **lowerdirs = ofs->config.lowerdirs;
965 
966 	/*
967 	 * lowerdirs[0] holds the colon separated list that user provided
968 	 * with lowerdir mount option.
969 	 * lowerdirs[1..numlayer] hold the lowerdir paths that were added
970 	 * using the lowerdir+ and datadir+ mount options.
971 	 * For now, we do not allow mixing the legacy lowerdir mount option
972 	 * with the new lowerdir+ and datadir+ mount options.
973 	 */
974 	if (lowerdirs[0]) {
975 		seq_show_option(m, "lowerdir", lowerdirs[0]);
976 	} else {
977 		nr_lower = ofs->numlayer;
978 		nr_merged_lower = nr_lower - ofs->numdatalayer;
979 	}
980 	for (nr = 1; nr < nr_lower; nr++) {
981 		if (nr < nr_merged_lower)
982 			seq_show_option(m, "lowerdir+", lowerdirs[nr]);
983 		else
984 			seq_show_option(m, "datadir+", lowerdirs[nr]);
985 	}
986 	if (ofs->config.upperdir) {
987 		seq_show_option(m, "upperdir", ofs->config.upperdir);
988 		seq_show_option(m, "workdir", ofs->config.workdir);
989 	}
990 	if (ofs->config.default_permissions)
991 		seq_puts(m, ",default_permissions");
992 	if (ofs->config.redirect_mode != ovl_redirect_mode_def())
993 		seq_printf(m, ",redirect_dir=%s",
994 			   ovl_redirect_mode(&ofs->config));
995 	if (ofs->config.index != ovl_index_def)
996 		seq_printf(m, ",index=%s", ofs->config.index ? "on" : "off");
997 	if (ofs->config.uuid != ovl_uuid_def())
998 		seq_printf(m, ",uuid=%s", ovl_uuid_mode(&ofs->config));
999 	if (ofs->config.nfs_export != ovl_nfs_export_def)
1000 		seq_printf(m, ",nfs_export=%s", ofs->config.nfs_export ?
1001 						"on" : "off");
1002 	if (ofs->config.xino != ovl_xino_def() && !ovl_same_fs(ofs))
1003 		seq_printf(m, ",xino=%s", ovl_xino_mode(&ofs->config));
1004 	if (ofs->config.metacopy != ovl_metacopy_def)
1005 		seq_printf(m, ",metacopy=%s",
1006 			   ofs->config.metacopy ? "on" : "off");
1007 	if (ofs->config.ovl_volatile)
1008 		seq_puts(m, ",volatile");
1009 	if (ofs->config.userxattr)
1010 		seq_puts(m, ",userxattr");
1011 	if (ofs->config.verity_mode != ovl_verity_mode_def())
1012 		seq_printf(m, ",verity=%s",
1013 			   ovl_verity_mode(&ofs->config));
1014 	return 0;
1015 }
1016