From: Christian Brauner <brauner@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Christian Brauner <brauner@kernel.org>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [GIT PULL 14/17 for v6.19] overlayfs cred guards
Date: Fri, 28 Nov 2025 17:48:25 +0100 [thread overview]
Message-ID: <20251128-vfs-ovl-cred-guards-v619-15a5d2f80226@brauner> (raw)
In-Reply-To: <20251128-vfs-v619-77cd88166806@brauner>
Hey Linus,
/* Summary */
This converts all of overlayfs to use credential guards, eliminating
manual credential management throughout the filesystem. It depends on
the directory locking changes, the kbuild -fms-extensions support, and
the credential guard infrastructure.
Complete Credential Guard Conversion
- Convert all of overlayfs to use credential guards, replacing the manual
ovl_override_creds()/ovl_revert_creds() pattern with scoped guards. This
makes credential handling visually explicit and eliminates a class of
potential bugs from mismatched override/revert calls.
(1) Basic credential guard (with_ovl_creds)
(2) Creator credential guard (ovl_override_creator_creds):
Introduced a specialized guard for file creation operations that handles
the two-phase credential override (mounter credentials, then fs{g,u}id
override). The new pattern is much clearer:
with_ovl_creds(dentry->d_sb) {
scoped_class(prepare_creds_ovl, cred, dentry, inode, mode) {
if (IS_ERR(cred))
return PTR_ERR(cred);
/* creation operations */
}
}
(3) Copy-up credential guard (ovl_cu_creds):
Introduced a specialized guard for copy-up operations, simplifying the
previous struct ovl_cu_creds helper and associated functions.
Ported ovl_copy_up_workdir() and ovl_copy_up_tmpfile() to this pattern.
Cleanups
- Remove ovl_revert_creds() after all callers converted to guards
- Remove struct ovl_cu_creds and associated functions
- Drop ovl_setup_cred_for_create() after conversion
- Refactor ovl_fill_super(), ovl_lookup(), ovl_iterate(), ovl_rename()
for cleaner credential guard scope
- Introduce struct ovl_renamedata to simplify rename handling
- Don't override credentials for ovl_check_whiteouts() (unnecessary)
- Remove unneeded semicolon
Dependencies
- Directory locking changes
- Kbuild -fms-extensions support
- Kernel credential guard infrastructure
/* Testing */
gcc (Debian 14.2.0-19) 14.2.0
Debian clang version 19.1.7 (3+b1)
No build failures or warnings were observed.
/* Conflicts */
Merge conflicts with mainline
=============================
No known conflicts.
Merge conflicts with other trees
================================
The following changes since commit dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa:
Linux 6.18-rc3 (2025-10-26 15:59:49 -0700)
are available in the Git repository at:
git@gitolite.kernel.org:pub/scm/linux/kernel/git/vfs/vfs tags/vfs-6.19-rc1.ovl
for you to fetch changes up to 2579e21be532457742d4100bbda1c2a5b81cbdef:
ovl: remove unneeded semicolon (2025-11-28 11:05:52 +0100)
Please consider pulling these changes from the signed vfs-6.19-rc1.ovl tag.
Thanks!
Christian
----------------------------------------------------------------
vfs-6.19-rc1.ovl
----------------------------------------------------------------
Chen Ni (1):
ovl: remove unneeded semicolon
Christian Brauner (99):
cleanup: fix scoped_class()
cred: add kernel_cred() helper
cred: make init_cred static
cred: add scoped_with_kernel_creds()
firmware: don't copy kernel creds
nbd: don't copy kernel creds
target: don't copy kernel creds
unix: don't copy creds
Merge patch series "creds: add {scoped_}with_kernel_creds()"
cred: add scoped_with_creds() guards
aio: use credential guards
backing-file: use credential guards for reads
backing-file: use credential guards for writes
backing-file: use credential guards for splice read
backing-file: use credential guards for splice write
backing-file: use credential guards for mmap
binfmt_misc: use credential guards
erofs: use credential guards
nfs: use credential guards in nfs_local_call_read()
nfs: use credential guards in nfs_local_call_write()
nfs: use credential guards in nfs_idmap_get_key()
smb: use credential guards in cifs_get_spnego_key()
act: use credential guards in acct_write_process()
cgroup: use credential guards in cgroup_attach_permissions()
net/dns_resolver: use credential guards in dns_query()
Merge patch series "credentials guards: the easy cases"
cred: add prepare credential guard
sev-dev: use guard for path
sev-dev: use prepare credential guard
sev-dev: use override credential guards
coredump: move revert_cred() before coredump_cleanup()
coredump: pass struct linux_binfmt as const
coredump: mark struct mm_struct as const
coredump: split out do_coredump() from vfs_coredump()
coredump: use prepare credential guard
coredump: use override credential guard
trace: use prepare credential guard
trace: use override credential guard
Merge patch series "credential guards: credential preparation"
Merge patch "kbuild: Add '-fms-extensions' to areas with dedicated CFLAGS"
Merge patch series "Create and use APIs to centralise locking for directory ops."
Merge branch 'kbuild-6.19.fms.extension'
Merge branch 'vfs-6.19.directory.locking' into base.vfs-6.19.ovl
ovl: add override_creds cleanup guard extension for overlayfs
ovl: port ovl_copy_up_flags() to cred guards
ovl: port ovl_create_or_link() to cred guard
ovl: port ovl_set_link_redirect() to cred guard
ovl: port ovl_do_remove() to cred guard
ovl: port ovl_create_tmpfile() to cred guard
ovl: port ovl_open_realfile() to cred guard
ovl: port ovl_llseek() to cred guard
ovl: port ovl_fsync() to cred guard
ovl: port ovl_fallocate() to cred guard
ovl: port ovl_fadvise() to cred guard
ovl: port ovl_flush() to cred guard
ovl: port ovl_setattr() to cred guard
ovl: port ovl_getattr() to cred guard
ovl: port ovl_permission() to cred guard
ovl: port ovl_get_link() to cred guard
ovl: port do_ovl_get_acl() to cred guard
ovl: port ovl_set_or_remove_acl() to cred guard
ovl: port ovl_fiemap() to cred guard
ovl: port ovl_fileattr_set() to cred guard
ovl: port ovl_fileattr_get() to cred guard
ovl: port ovl_maybe_validate_verity() to cred guard
ovl: port ovl_maybe_lookup_lowerdata() to cred guard
ovl: don't override credentials for ovl_check_whiteouts()
ovl: refactor ovl_iterate() and port to cred guard
ovl: port ovl_dir_llseek() to cred guard
ovl: port ovl_check_empty_dir() to cred guard
ovl: port ovl_nlink_start() to cred guard
ovl: port ovl_nlink_end() to cred guard
ovl: port ovl_xattr_set() to cred guard
ovl: port ovl_xattr_get() to cred guard
ovl: port ovl_listxattr() to cred guard
ovl: introduce struct ovl_renamedata
ovl: refactor ovl_rename()
ovl: port ovl_rename() to cred guard
ovl: port ovl_copyfile() to cred guard
ovl: refactor ovl_lookup()
ovl: port ovl_lookup() to cred guard
ovl: port ovl_lower_positive() to cred guard
ovl: refactor ovl_fill_super()
ovl: port ovl_fill_super() to cred guard
ovl: remove ovl_revert_creds()
Merge patch series "ovl: convert to cred guard"
ovl: add ovl_override_creator_creds cred guard
ovl: port ovl_create_tmpfile() to new ovl_override_creator_creds cleanup guard
ovl: reflow ovl_create_or_link()
ovl: mark ovl_setup_cred_for_create() as unused temporarily
ovl: port ovl_create_or_link() to new ovl_override_creator_creds cleanup guard
ovl: drop ovl_setup_cred_for_create()
ovl: add copy up credential guard
ovl: port ovl_copy_up_workdir() to cred guard
ovl: mark *_cu_creds() as unused temporarily
ovl: port ovl_copy_up_tmpfile() to cred guard
ovl: remove struct ovl_cu_creds and associated functions
Merge patch series "ovl: convert creation credential override to cred guard"
Merge patch series "ovl: convert copyup credential override to cred guard"
Nathan Chancellor (2):
jfs: Rename _inline to avoid conflict with clang's '-fms-extensions'
kbuild: Add '-fms-extensions' to areas with dedicated CFLAGS
NeilBrown (15):
debugfs: rename end_creating() to debugfs_end_creating()
VFS: introduce start_dirop() and end_dirop()
VFS: tidy up do_unlinkat()
VFS/nfsd/cachefiles/ovl: add start_creating() and end_creating()
VFS/nfsd/cachefiles/ovl: introduce start_removing() and end_removing()
VFS: introduce start_creating_noperm() and start_removing_noperm()
smb/server: use end_removing_noperm for for target of smb2_create_link()
VFS: introduce start_removing_dentry()
VFS: add start_creating_killable() and start_removing_killable()
VFS/nfsd/ovl: introduce start_renaming() and end_renaming()
VFS/ovl/smb: introduce start_renaming_dentry()
Add start_renaming_two_dentries()
ecryptfs: use new start_creating/start_removing APIs
VFS: change vfs_mkdir() to unlock on failure.
VFS: introduce end_creating_keep()
Rasmus Villemoes (1):
Kbuild: enable -fms-extensions
Documentation/filesystems/porting.rst | 13 +
Makefile | 3 +
arch/arm64/kernel/vdso32/Makefile | 3 +-
arch/loongarch/vdso/Makefile | 2 +-
arch/parisc/boot/compressed/Makefile | 2 +-
arch/powerpc/boot/Makefile | 3 +-
arch/s390/Makefile | 3 +-
arch/s390/purgatory/Makefile | 3 +-
arch/x86/Makefile | 4 +-
arch/x86/boot/compressed/Makefile | 7 +-
drivers/base/firmware_loader/main.c | 59 ++-
drivers/block/nbd.c | 54 +--
drivers/crypto/ccp/sev-dev.c | 17 +-
drivers/firmware/efi/libstub/Makefile | 4 +-
drivers/target/target_core_configfs.c | 14 +-
fs/aio.c | 6 +-
fs/backing-file.c | 147 +++----
fs/binfmt_misc.c | 7 +-
fs/btrfs/ioctl.c | 41 +-
fs/cachefiles/interface.c | 11 +-
fs/cachefiles/namei.c | 96 +++--
fs/cachefiles/volume.c | 9 +-
fs/coredump.c | 142 +++----
fs/debugfs/inode.c | 74 ++--
fs/ecryptfs/inode.c | 153 ++++---
fs/erofs/fileio.c | 6 +-
fs/fuse/dir.c | 19 +-
fs/internal.h | 3 +
fs/jfs/jfs_incore.h | 6 +-
fs/libfs.c | 36 +-
fs/namei.c | 747 +++++++++++++++++++++++++++++-----
fs/nfs/localio.c | 59 +--
fs/nfs/nfs4idmap.c | 7 +-
fs/nfsd/nfs3proc.c | 14 +-
fs/nfsd/nfs4proc.c | 14 +-
fs/nfsd/nfs4recover.c | 34 +-
fs/nfsd/nfsproc.c | 11 +-
fs/nfsd/vfs.c | 151 +++----
fs/overlayfs/copy_up.c | 143 +++----
fs/overlayfs/dir.c | 585 +++++++++++++-------------
fs/overlayfs/file.c | 97 ++---
fs/overlayfs/inode.c | 118 +++---
fs/overlayfs/namei.c | 402 +++++++++---------
fs/overlayfs/overlayfs.h | 53 ++-
fs/overlayfs/readdir.c | 110 ++---
fs/overlayfs/super.c | 138 +++----
fs/overlayfs/util.c | 29 +-
fs/overlayfs/xattrs.c | 35 +-
fs/smb/client/cifs_spnego.c | 6 +-
fs/smb/server/smb2pdu.c | 6 +-
fs/smb/server/vfs.c | 114 ++----
fs/smb/server/vfs.h | 8 +-
fs/xfs/scrub/orphanage.c | 11 +-
include/linux/cleanup.h | 15 +-
include/linux/cred.h | 22 +
include/linux/fs.h | 2 +
include/linux/init_task.h | 1 -
include/linux/namei.h | 82 ++++
include/linux/sched/coredump.h | 2 +-
init/init_task.c | 27 ++
ipc/mqueue.c | 32 +-
kernel/acct.c | 29 +-
kernel/cgroup/cgroup.c | 10 +-
kernel/cred.c | 27 --
kernel/trace/trace_events_user.c | 22 +-
net/dns_resolver/dns_query.c | 6 +-
net/unix/af_unix.c | 17 +-
scripts/Makefile.extrawarn | 4 +-
security/apparmor/apparmorfs.c | 8 +-
security/keys/process_keys.c | 2 +-
security/selinux/selinuxfs.c | 15 +-
71 files changed, 2276 insertions(+), 1886 deletions(-)
next prev parent reply other threads:[~2025-11-28 16:51 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-28 16:48 [GIT PULL 00/17 for v6.19] v6.19 Christian Brauner
2025-11-28 16:48 ` [GIT PULL 01/17 for v6.19] vfs iomap Christian Brauner
2025-12-01 22:08 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 02/17 for v6.19] vfs misc Christian Brauner
2025-12-01 22:08 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 03/17 for v6.19] vfs inode Christian Brauner
2025-12-01 22:08 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 04/17 for v6.19] vfs writeback Christian Brauner
2025-12-01 22:08 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 05/17 for v6.19] namespaces Christian Brauner
2025-12-01 19:06 ` Eric W. Biederman
2025-12-02 17:00 ` Linus Torvalds
2025-12-03 10:07 ` Christian Brauner
2025-12-01 22:08 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 06/17 for v6.19] vfs coredump Christian Brauner
2025-12-01 22:08 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 07/17 for v6.19] vfs folio Christian Brauner
2025-12-01 22:08 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 08/17 for v6.19] cred guards Christian Brauner
2025-12-01 21:53 ` Linus Torvalds
2025-12-02 1:26 ` Sasha Levin
2025-12-02 1:36 ` [PATCH] nfs/localio: make do_nfs_local_call_write() return void Sasha Levin
2025-12-01 22:08 ` [GIT PULL 08/17 for v6.19] cred guards pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 09/17 for v6.19] vfs headers Christian Brauner
2025-12-01 23:22 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 10/17 for v6.19] vfs super guards Christian Brauner
2025-12-01 23:22 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 11/17 for v6.19] minix Christian Brauner
2025-12-01 23:22 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 12/17 for v6.19] vfs directory delegations Christian Brauner
2025-12-02 3:19 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 13/17 for v6.19] vfs directory locking Christian Brauner
2025-12-02 3:19 ` pr-tracker-bot
2025-11-28 16:48 ` Christian Brauner [this message]
2025-12-02 3:19 ` [GIT PULL 14/17 for v6.19] overlayfs cred guards pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 15/17 for v6.19] autofs Christian Brauner
2025-12-02 3:19 ` pr-tracker-bot
2025-11-28 16:48 ` [GIT PULL 16/17 for v6.19] vfs fd prepare Christian Brauner
2025-12-01 14:15 ` Al Viro
2025-12-01 18:41 ` Sean Christopherson
2025-11-28 16:48 ` [GIT PULL 17/17 for v6.19] vfs fd prepare minimal Christian Brauner
2025-12-02 1:35 ` Linus Torvalds
2025-12-02 9:42 ` Christian Brauner
2025-12-02 3:19 ` pr-tracker-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251128-vfs-ovl-cred-guards-v619-15a5d2f80226@brauner \
--to=brauner@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).