[PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower

public inbox for linux-unionfs@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower
@ 2018-02-02 15:23 Vivek Goyal
  2018-02-04 20:35 ` Amir Goldstein
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Vivek Goyal @ 2018-02-02 15:23 UTC (permalink / raw)
  To: linux-unionfs; +Cc: Miklos Szeredi, Amir Goldstein

redirect_dir=nofollow should not follow a redirect. But in a specific
configuration it can still follow it.  For example try this.

$ mkdir -p lower0 lower1/foo upper work merged
$ touch lower1/foo/lower-file.txt
$ setfattr -n "trusted.overlay.opaque" -v "y" lower1/foo
$ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=on none merged
$ cd merged
$ mv foo foo-renamed
$ umount merged

# mount again. This time with redirect_dir=nofollow
$ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=nofollow none merged
$ ls merged/foo-renamed/
# This lists lower-file.txt, while it should not have.

Basically, we are doing redirect check after we check for d.stop. And
if this is not last lower, and we find an opaque lower, d.stop will be
set.

ovl_lookup_single()
        if (!d->last && ovl_is_opaquedir(this)) {
                d->stop = d->opaque = true;
                goto out;
        }

To fix this, first check redirect is allowed. And after that check if
d.stop has been set or not.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/overlayfs/namei.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
index beb945e1963c..ef3e7ea76296 100644
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -678,9 +678,6 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
 		stack[ctr].layer = lower.layer;
 		ctr++;
 
-		if (d.stop)
-			break;
-
 		/*
 		 * Following redirects can have security consequences: it's like
 		 * a symlink into the lower layer without the permission checks.
@@ -697,6 +694,9 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
 			goto out_put;
 		}
 
+		if (d.stop)
+			break;
+
 		if (d.redirect && d.redirect[0] == '/' && poe != roe) {
 			poe = roe;
 
-- 
2.13.6

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower
  2018-02-02 15:23 [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower Vivek Goyal
@ 2018-02-04 20:35 ` Amir Goldstein
  2018-02-26 15:56 ` Miklos Szeredi
  2018-03-07  7:25 ` Amir Goldstein
  2 siblings, 0 replies; 6+ messages in thread
From: Amir Goldstein @ 2018-02-04 20:35 UTC (permalink / raw)
  To: Vivek Goyal; +Cc: overlayfs, Miklos Szeredi

On Fri, Feb 2, 2018 at 5:23 PM, Vivek Goyal <vgoyal@redhat.com> wrote:
> redirect_dir=nofollow should not follow a redirect. But in a specific
> configuration it can still follow it.  For example try this.
>
> $ mkdir -p lower0 lower1/foo upper work merged
> $ touch lower1/foo/lower-file.txt
> $ setfattr -n "trusted.overlay.opaque" -v "y" lower1/foo
> $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=on none merged
> $ cd merged
> $ mv foo foo-renamed
> $ umount merged
>
> # mount again. This time with redirect_dir=nofollow
> $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=nofollow none merged
> $ ls merged/foo-renamed/
> # This lists lower-file.txt, while it should not have.
>
> Basically, we are doing redirect check after we check for d.stop. And
> if this is not last lower, and we find an opaque lower, d.stop will be
> set.
>
> ovl_lookup_single()
>         if (!d->last && ovl_is_opaquedir(this)) {
>                 d->stop = d->opaque = true;
>                 goto out;
>         }
>
> To fix this, first check redirect is allowed. And after that check if
> d.stop has been set or not.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

Looks good.
Probably should have Fixes and Cc: stable

> ---
>  fs/overlayfs/namei.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
> index beb945e1963c..ef3e7ea76296 100644
> --- a/fs/overlayfs/namei.c
> +++ b/fs/overlayfs/namei.c
> @@ -678,9 +678,6 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
>                 stack[ctr].layer = lower.layer;
>                 ctr++;
>
> -               if (d.stop)
> -                       break;
> -
>                 /*
>                  * Following redirects can have security consequences: it's like
>                  * a symlink into the lower layer without the permission checks.
> @@ -697,6 +694,9 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
>                         goto out_put;
>                 }
>
> +               if (d.stop)
> +                       break;
> +
>                 if (d.redirect && d.redirect[0] == '/' && poe != roe) {
>                         poe = roe;
>
> --
> 2.13.6
>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower
  2018-02-02 15:23 [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower Vivek Goyal
  2018-02-04 20:35 ` Amir Goldstein
@ 2018-02-26 15:56 ` Miklos Szeredi
  2018-03-07  7:25 ` Amir Goldstein
  2 siblings, 0 replies; 6+ messages in thread
From: Miklos Szeredi @ 2018-02-26 15:56 UTC (permalink / raw)
  To: Vivek Goyal; +Cc: overlayfs, Amir Goldstein

On Fri, Feb 2, 2018 at 4:23 PM, Vivek Goyal <vgoyal@redhat.com> wrote:
> redirect_dir=nofollow should not follow a redirect. But in a specific
> configuration it can still follow it.  For example try this.
>
> $ mkdir -p lower0 lower1/foo upper work merged
> $ touch lower1/foo/lower-file.txt
> $ setfattr -n "trusted.overlay.opaque" -v "y" lower1/foo
> $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=on none merged
> $ cd merged
> $ mv foo foo-renamed
> $ umount merged
>
> # mount again. This time with redirect_dir=nofollow
> $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=nofollow none merged
> $ ls merged/foo-renamed/
> # This lists lower-file.txt, while it should not have.
>
> Basically, we are doing redirect check after we check for d.stop. And
> if this is not last lower, and we find an opaque lower, d.stop will be
> set.
>
> ovl_lookup_single()
>         if (!d->last && ovl_is_opaquedir(this)) {
>                 d->stop = d->opaque = true;
>                 goto out;
>         }
>
> To fix this, first check redirect is allowed. And after that check if
> d.stop has been set or not.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

Thanks, applied.

Miklos

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower
  2018-02-02 15:23 [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower Vivek Goyal
  2018-02-04 20:35 ` Amir Goldstein
  2018-02-26 15:56 ` Miklos Szeredi
@ 2018-03-07  7:25 ` Amir Goldstein
  2018-03-07  7:26   ` Amir Goldstein
  2018-03-07 13:32   ` Vivek Goyal
  2 siblings, 2 replies; 6+ messages in thread
From: Amir Goldstein @ 2018-03-07  7:25 UTC (permalink / raw)
  To: Vivek Goyal; +Cc: overlayfs, Miklos Szeredi

On Fri, Feb 2, 2018 at 5:23 PM, Vivek Goyal <vgoyal@redhat.com> wrote:
> redirect_dir=nofollow should not follow a redirect. But in a specific
> configuration it can still follow it.  For example try this.
>
> $ mkdir -p lower0 lower1/foo upper work merged
> $ touch lower1/foo/lower-file.txt
> $ setfattr -n "trusted.overlay.opaque" -v "y" lower1/foo
> $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=on none merged
> $ cd merged
> $ mv foo foo-renamed
> $ umount merged
>
> # mount again. This time with redirect_dir=nofollow
> $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=nofollow none merged
> $ ls merged/foo-renamed/
> # This lists lower-file.txt, while it should not have.
>
> Basically, we are doing redirect check after we check for d.stop. And
> if this is not last lower, and we find an opaque lower, d.stop will be
> set.
>
> ovl_lookup_single()
>         if (!d->last && ovl_is_opaquedir(this)) {
>                 d->stop = d->opaque = true;
>                 goto out;
>         }
>
> To fix this, first check redirect is allowed. And after that check if
> d.stop has been set or not.
>
> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

This is already in overlayfs-next, which is the branch you should be
rebasing on..

Thanks,
Amir.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower
  2018-03-07  7:25 ` Amir Goldstein
@ 2018-03-07  7:26   ` Amir Goldstein
  2018-03-07 13:32   ` Vivek Goyal
  1 sibling, 0 replies; 6+ messages in thread
From: Amir Goldstein @ 2018-03-07  7:26 UTC (permalink / raw)
  To: Vivek Goyal; +Cc: overlayfs, Miklos Szeredi

On Wed, Mar 7, 2018 at 9:25 AM, Amir Goldstein <amir73il@gmail.com> wrote:
> On Fri, Feb 2, 2018 at 5:23 PM, Vivek Goyal <vgoyal@redhat.com> wrote:
>> redirect_dir=nofollow should not follow a redirect. But in a specific
>> configuration it can still follow it.  For example try this.
>>
>> $ mkdir -p lower0 lower1/foo upper work merged
>> $ touch lower1/foo/lower-file.txt
>> $ setfattr -n "trusted.overlay.opaque" -v "y" lower1/foo
>> $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=on none merged
>> $ cd merged
>> $ mv foo foo-renamed
>> $ umount merged
>>
>> # mount again. This time with redirect_dir=nofollow
>> $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=nofollow none merged
>> $ ls merged/foo-renamed/
>> # This lists lower-file.txt, while it should not have.
>>
>> Basically, we are doing redirect check after we check for d.stop. And
>> if this is not last lower, and we find an opaque lower, d.stop will be
>> set.
>>
>> ovl_lookup_single()
>>         if (!d->last && ovl_is_opaquedir(this)) {
>>                 d->stop = d->opaque = true;
>>                 goto out;
>>         }
>>
>> To fix this, first check redirect is allowed. And after that check if
>> d.stop has been set or not.
>>
>> Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
>
> This is already in overlayfs-next, which is the branch you should be
> rebasing on..
>


Sorry, that was supposed to be a reply on first patch of metacopy series

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower
  2018-03-07  7:25 ` Amir Goldstein
  2018-03-07  7:26   ` Amir Goldstein
@ 2018-03-07 13:32   ` Vivek Goyal
  1 sibling, 0 replies; 6+ messages in thread
From: Vivek Goyal @ 2018-03-07 13:32 UTC (permalink / raw)
  To: Amir Goldstein; +Cc: overlayfs, Miklos Szeredi

On Wed, Mar 07, 2018 at 09:25:27AM +0200, Amir Goldstein wrote:
> On Fri, Feb 2, 2018 at 5:23 PM, Vivek Goyal <vgoyal@redhat.com> wrote:
> > redirect_dir=nofollow should not follow a redirect. But in a specific
> > configuration it can still follow it.  For example try this.
> >
> > $ mkdir -p lower0 lower1/foo upper work merged
> > $ touch lower1/foo/lower-file.txt
> > $ setfattr -n "trusted.overlay.opaque" -v "y" lower1/foo
> > $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=on none merged
> > $ cd merged
> > $ mv foo foo-renamed
> > $ umount merged
> >
> > # mount again. This time with redirect_dir=nofollow
> > $ mount -t overlay -o lowerdir=lower1:lower0,workdir=work,upperdir=upper,redirect_dir=nofollow none merged
> > $ ls merged/foo-renamed/
> > # This lists lower-file.txt, while it should not have.
> >
> > Basically, we are doing redirect check after we check for d.stop. And
> > if this is not last lower, and we find an opaque lower, d.stop will be
> > set.
> >
> > ovl_lookup_single()
> >         if (!d->last && ovl_is_opaquedir(this)) {
> >                 d->stop = d->opaque = true;
> >                 goto out;
> >         }
> >
> > To fix this, first check redirect is allowed. And after that check if
> > d.stop has been set or not.
> >
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> 
> This is already in overlayfs-next, which is the branch you should be
> rebasing on..

Hmm.., I generally work with linus's tree. I knew that this patch is
in overlayfs-next. Assumed that it will be dropped while merging.

Next version I can rebase on top of overlayfs-next and post.

Vivek

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2018-03-07 13:32 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-02 15:23 [PATCH] ovl: redirect_dir=nofollow should not follow redirect for opaque lower Vivek Goyal
2018-02-04 20:35 ` Amir Goldstein
2018-02-26 15:56 ` Miklos Szeredi
2018-03-07  7:25 ` Amir Goldstein
2018-03-07  7:26   ` Amir Goldstein
2018-03-07 13:32   ` Vivek Goyal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox