From: Vivek Goyal <vgoyal@redhat.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: overlayfs <linux-unionfs@vger.kernel.org>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [PATCH v13 10/28] ovl: Modify ovl_lookup() and friends to lookup metacopy dentry
Date: Mon, 2 Apr 2018 11:06:51 -0400 [thread overview]
Message-ID: <20180402150651.GC23306@redhat.com> (raw)
In-Reply-To: <CAOQ4uxiO8fRn6TB54SANB4cp4uURDJ6wQVNT8mF29nH67F7M+A@mail.gmail.com>
On Fri, Mar 30, 2018 at 08:49:26AM +0300, Amir Goldstein wrote:
> On Thu, Mar 29, 2018 at 10:38 PM, Vivek Goyal <vgoyal@redhat.com> wrote:
> > This patch modifies ovl_lookup() and friends to lookup metacopy dentries.
> > It also allows for presence of metacopy dentries in lower layer.
> >
> > During lookup, check for presence of OVL_XATTR_METACOPY and if not present,
> > set OVL_UPPERDATA bit in flags.
> >
> > We don't support metacopy feature with nfs_export. So in nfs_export code,
> > we set OVL_UPPERDATA flag set unconditionally if upper inode exists.
> >
> > Do not follow metacopy origin if we find a metacopy only inode and metacopy
> > feature is not enabled for that mount. Like redirect, this can have security
> > implications where an attacker could hand craft upper and try to gain
> > access to file on lower which it should not have to begin with.
> >
> > Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
> > ---
> > fs/overlayfs/export.c | 3 ++
> > fs/overlayfs/inode.c | 6 +++-
> > fs/overlayfs/namei.c | 90 ++++++++++++++++++++++++++++++++++++++++++------
> > fs/overlayfs/overlayfs.h | 1 +
> > fs/overlayfs/util.c | 22 ++++++++++++
> > 5 files changed, 110 insertions(+), 12 deletions(-)
> >
> > diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c
> > index e668329f7361..1c233096e59c 100644
> > --- a/fs/overlayfs/export.c
> > +++ b/fs/overlayfs/export.c
> > @@ -311,6 +311,9 @@ static struct dentry *ovl_obtain_alias(struct super_block *sb,
> > return ERR_CAST(inode);
> > }
> >
> > + if (upper)
> > + ovl_set_flag(OVL_UPPERDATA, inode);
> > +
> > dentry = d_find_any_alias(inode);
> > if (!dentry) {
> > dentry = d_alloc_anon(inode->i_sb);
> > diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
> > index 3991a890b464..e1dbfed0c449 100644
> > --- a/fs/overlayfs/inode.c
> > +++ b/fs/overlayfs/inode.c
> > @@ -677,7 +677,7 @@ struct inode *ovl_get_inode(struct super_block *sb, struct dentry *upperdentry,
> > struct inode *realinode = upperdentry ? d_inode(upperdentry) : NULL;
> > struct inode *inode;
> > bool bylower = ovl_hash_bylower(sb, upperdentry, lowerdentry, index);
> > - bool is_dir;
> > + bool is_dir, metacopy = false;
> >
> > if (!realinode)
> > realinode = d_inode(lowerdentry);
> > @@ -732,6 +732,10 @@ struct inode *ovl_get_inode(struct super_block *sb, struct dentry *upperdentry,
> > if (index)
> > ovl_set_flag(OVL_INDEX, inode);
> >
> > + metacopy = ovl_check_metacopy_xattr(upperdentry ?: lowerdentry);
>
> No reason to check metacopy on lowerdentry.
Right. Will change it.
>
> > + if (upperdentry && !metacopy)
> > + ovl_set_flag(OVL_UPPERDATA, inode);
> > +
> > OVL_I(inode)->redirect = redirect;
> >
> > /* Check for non-merge dir that may have whiteouts */
> > diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
> > index 0b325e65864c..1dba89e9543f 100644
> > --- a/fs/overlayfs/namei.c
> > +++ b/fs/overlayfs/namei.c
> > @@ -24,6 +24,7 @@ struct ovl_lookup_data {
> > bool stop;
> > bool last;
> > char *redirect;
> > + bool metacopy;
> > };
> >
> > static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d,
> > @@ -252,9 +253,13 @@ static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d,
> > goto put_and_out;
> > }
> > if (!d_can_lookup(this)) {
> > - d->stop = true;
>
> upper was a dir. You look in lower and find a non-dir. you need to stop
> going to next layer. goto put_and_out won't do that.
Ok, will set d->stop = true before "goto put_and_out" to handle this
case.
>
> Similarly, you need to handle the case where dir is found below
> non-dir with metacopy.
Ok, will look into it.
>
> > if (d->is_dir)
> > goto put_and_out;
> > + err = ovl_check_metacopy_xattr(this);
> > + if (err < 0)
> > + goto out_err;
> > + d->stop = !err;
> > + d->metacopy = !!err;
> > goto out;
> > }
> > if (last_element)
> > @@ -815,7 +820,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
> > struct ovl_entry *poe = dentry->d_parent->d_fsdata;
> > struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata;
> > - struct ovl_path *stack = NULL;
> > + struct ovl_path *stack = NULL, *origin_path = NULL;
> > struct dentry *upperdir, *upperdentry = NULL;
> > struct dentry *origin = NULL;
> > struct dentry *index = NULL;
> > @@ -826,6 +831,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > struct dentry *this;
> > unsigned int i;
> > int err;
> > + bool metacopy = false;
> > struct ovl_lookup_data d = {
> > .name = dentry->d_name,
> > .is_dir = false,
> > @@ -833,6 +839,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > .stop = false,
> > .last = ofs->config.redirect_follow ? false : !poe->numlower,
> > .redirect = NULL,
> > + .metacopy = false,
> > };
> >
> > if (dentry->d_name.len > ofs->namelen)
> > @@ -851,7 +858,8 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > goto out;
> > }
> > if (upperdentry && !d.is_dir) {
> > - BUG_ON(!d.stop || d.redirect);
> > + unsigned int origin_ctr = 0;
> > + BUG_ON(d.redirect);
> > /*
> > * Lookup copy up origin by decoding origin file handle.
> > * We may get a disconnected dentry, which is fine,
> > @@ -862,16 +870,20 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > * number - it's the same as if we held a reference
> > * to a dentry in lower layer that was moved under us.
> > */
> > - err = ovl_check_origin(ofs, upperdentry, &stack, &ctr);
> > + err = ovl_check_origin(ofs, upperdentry, &origin_path,
> > + &origin_ctr);
> > if (err)
> > goto out_put_upper;
> > +
> > + if (d.metacopy)
> > + metacopy = true;
> > }
> >
> > if (d.redirect) {
> > err = -ENOMEM;
> > upperredirect = kstrdup(d.redirect, GFP_KERNEL);
> > if (!upperredirect)
> > - goto out_put_upper;
> > + goto out_put_origin;
> > if (d.redirect[0] == '/')
> > poe = roe;
> > }
> > @@ -883,7 +895,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > stack = kcalloc(ofs->numlower, sizeof(struct ovl_path),
> > GFP_KERNEL);
> > if (!stack)
> > - goto out_put_upper;
> > + goto out_put_origin;
> > }
> >
> > for (i = 0; !d.stop && i < poe->numlower; i++) {
> > @@ -905,7 +917,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > * If no origin fh is stored in upper of a merge dir, store fh
> > * of lower dir and set upper parent "impure".
> > */
> > - if (upperdentry && !ctr && !ofs->noxattr) {
> > + if (upperdentry && !ctr && !ofs->noxattr && d.is_dir) {
> > err = ovl_fix_origin(dentry, this, upperdentry);
> > if (err) {
> > dput(this);
> > @@ -917,16 +929,35 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > * When "verify_lower" feature is enabled, do not merge with a
> > * lower dir that does not match a stored origin xattr. In any
> > * case, only verified origin is used for index lookup.
> > + *
> > + * For non-dir dentry, make sure dentry found by lookup
> > + * matches the origin stored in upper. Otherwise its an
> > + * error.
> > */
> > - if (upperdentry && !ctr && ovl_verify_lower(dentry->d_sb)) {
> > + if (upperdentry && !ctr &&
> > + ((d.is_dir && ovl_verify_lower(dentry->d_sb)) ||
> > + (!d.is_dir && origin_path))) {
> > err = ovl_verify_origin(upperdentry, this, false);
> > if (err) {
> > dput(this);
> > - break;
> > + if (d.is_dir)
> > + break;
> > + goto out_put;
> > }
> > -
> > /* Bless lower dir as verified origin */
> > - origin = this;
> > + if (d.is_dir)
> > + origin = this;
>
> It's ok to bless verified non-dir as well.
> It is going to be blesses anyway, just above index lookup if ctr > 0.
Hmm..., make sense to trust origin once we have verified origin both
for dir and non-dir. Will do.
>
> > + }
> > +
> > + if (d.metacopy)
> > + metacopy = true;
> > + /*
> > + * Do not store intermediate metacopy dentries in chain,
> > + * except top most lower metacopy dentry
> > + */
> > + if (d.metacopy && ctr) {
> > + dput(this);
> > + continue;
> > }
> >
> > stack[ctr].dentry = this;
> > @@ -960,6 +991,34 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > }
> > }
> >
> > + if (metacopy) {
> > + BUG_ON(d.is_dir);
>
> Yeh, I think that is really a bug, because you need to detect
> the case of dir in lower layer under metacopy in upper layer
> and do something about it.
>
> > + /*
> > + * Found a metacopy dentry but did not find corresponding
> > + * data dentry
> > + */
> > + if (d.metacopy) {
> > + err = -ESTALE;
> > + goto out_put;
> > + }
> > +
> > + err = -EPERM;
> > + if (!ofs->config.metacopy) {
> > + pr_warn_ratelimited("overlay: refusing to follow"
> > + " metacopy origin for (%pd2)\n",
> > + dentry);
> > + goto out_put;
> > + }
> > + } else if (!d.is_dir && upperdentry && !ctr && origin_path) {
> > + if (WARN_ON(stack != NULL)) {
> > + err = -EIO;
> > + goto out_put;
> > + }
> > + stack = origin_path;
> > + ctr = 1;
> > + origin_path = NULL;
> > + }
> > +
> > /*
> > * Lookup index by lower inode and verify it matches upper inode.
> > * We only trust dir index if we verified that lower dir matches
> > @@ -1006,6 +1065,10 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > }
> >
> > revert_creds(old_cred);
> > + if (origin_path) {
> > + dput(origin_path->dentry);
> > + kfree(origin_path);
> > + }
> > dput(index);
> > kfree(stack);
> > kfree(d.redirect);
> > @@ -1019,6 +1082,11 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
> > for (i = 0; i < ctr; i++)
> > dput(stack[i].dentry);
> > kfree(stack);
> > +out_put_origin:
> > + if (origin_path) {
> > + dput(origin_path->dentry);
> > + kfree(origin_path);
> > + }
>
> There is no need for the new goto label.
> Just add this in existing out_put_upper label.
Ok, I should be able to club this with out_put_upper label.
Vivek
>
> Thanks,
> Amir,
next prev parent reply other threads:[~2018-04-02 15:06 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-29 19:38 [PATCH v13 00/28] overlayfs: Delayed copy up of data Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 01/28] ovl: Set OVL_INDEX flag in ovl_get_inode() Vivek Goyal
2018-03-30 4:59 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 02/28] ovl: Initialize ovl_inode->redirect " Vivek Goyal
2018-03-30 4:57 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 03/28] ovl: Rename local variable locked to new_locked Vivek Goyal
2018-03-30 4:58 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 04/28] ovl: Provide a mount option metacopy=on/off for metadata copyup Vivek Goyal
2018-03-30 4:52 ` Amir Goldstein
2018-04-02 13:56 ` Vivek Goyal
2018-04-05 20:16 ` Amir Goldstein
2018-04-06 13:51 ` Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 05/28] ovl: During copy up, first copy up metadata and then data Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 06/28] ovl: Move the copy up helpers to copy_up.c Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 07/28] ovl: Copy up only metadata during copy up where it makes sense Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 08/28] ovl: Add helper ovl_already_copied_up() Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 09/28] ovl: A new xattr OVL_XATTR_METACOPY for file on upper Vivek Goyal
2018-04-11 15:10 ` Amir Goldstein
2018-04-11 15:53 ` Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 10/28] ovl: Modify ovl_lookup() and friends to lookup metacopy dentry Vivek Goyal
2018-03-30 5:49 ` Amir Goldstein
2018-03-30 9:12 ` Amir Goldstein
2018-04-02 19:45 ` Vivek Goyal
2018-04-02 20:07 ` Amir Goldstein
2018-04-02 15:06 ` Vivek Goyal [this message]
2018-03-29 19:38 ` [PATCH v13 11/28] ovl: Copy up meta inode data from lowest data inode Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 12/28] ovl: Fix ovl_getattr() to get number of blocks from lower Vivek Goyal
2018-03-30 9:24 ` Amir Goldstein
2018-04-02 20:11 ` Vivek Goyal
2018-04-02 20:27 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 13/28] ovl: Add helper ovl_dentry_lowerdata() to get lower data dentry Vivek Goyal
2018-03-30 6:01 ` Amir Goldstein
2018-04-02 15:08 ` Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 14/28] ovl: Do not expose metacopy only dentry from d_real() Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 15/28] ovl: Move some of ovl_nlink_start() functionality in ovl_nlink_prep() Vivek Goyal
2018-03-30 6:23 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 16/28] ovl: Create locked version of ovl_nlink_start() and ovl_nlink_end() Vivek Goyal
2018-03-30 6:28 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 17/28] ovl: During rename lock both source and target ovl_inode Vivek Goyal
2018-03-30 6:50 ` Amir Goldstein
2018-04-02 17:34 ` Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 18/28] ovl: Check redirects for metacopy files Vivek Goyal
2018-03-30 10:02 ` Amir Goldstein
2018-04-02 20:29 ` Vivek Goyal
2018-04-03 5:44 ` Amir Goldstein
2018-04-03 12:31 ` Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 19/28] ovl: Treat metacopy dentries as type OVL_PATH_MERGE Vivek Goyal
2018-03-30 6:52 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 20/28] ovl: Do not set dentry type ORIGIN for broken hardlinks Vivek Goyal
2018-03-30 9:54 ` Amir Goldstein
2018-04-10 14:00 ` Vivek Goyal
2018-04-10 19:20 ` Amir Goldstein
2018-04-10 19:29 ` Amir Goldstein
2018-04-10 20:59 ` Vivek Goyal
2018-04-10 20:51 ` Vivek Goyal
2018-04-11 8:58 ` Amir Goldstein
2018-04-11 13:31 ` Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 21/28] ovl: Set redirect on metacopy files upon rename Vivek Goyal
2018-03-30 7:31 ` Amir Goldstein
2018-04-11 15:12 ` Vivek Goyal
2018-04-11 17:01 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 22/28] ovl: Set redirect on upper inode when it is linked Vivek Goyal
2018-03-30 7:04 ` Amir Goldstein
2018-04-11 15:59 ` Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 23/28] ovl: Remove redirect when data of a metacopy file is copied up Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 24/28] ovl: Do not error if REDIRECT XATTR is missing Vivek Goyal
2018-03-30 7:41 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 25/28] ovl: Use out_err insteada of out_nomem Vivek Goyal
2018-03-30 7:35 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 26/28] ovl: Re-check redirect xattr during inode initialization Vivek Goyal
2018-03-30 8:56 ` Amir Goldstein
2018-04-02 19:35 ` Vivek Goyal
2018-04-02 20:25 ` Amir Goldstein
2018-03-29 19:38 ` [PATCH v13 27/28] ovl: Verify a data dentry has been found for metacopy inode Vivek Goyal
2018-03-30 10:53 ` Amir Goldstein
2018-04-02 12:39 ` Vivek Goyal
2018-04-04 12:29 ` Vivek Goyal
2018-04-04 12:51 ` Amir Goldstein
2018-04-04 13:21 ` Vivek Goyal
2018-04-04 15:51 ` Amir Goldstein
2018-04-05 14:37 ` Vivek Goyal
2018-04-05 18:22 ` Vivek Goyal
2018-04-05 19:58 ` Amir Goldstein
2018-04-05 20:45 ` Vivek Goyal
2018-04-06 9:46 ` Amir Goldstein
2018-04-06 15:37 ` Vivek Goyal
2018-04-06 16:21 ` Amir Goldstein
2018-04-06 17:32 ` Vivek Goyal
2018-04-06 20:10 ` Amir Goldstein
2018-04-09 12:18 ` Vivek Goyal
2018-03-29 19:38 ` [PATCH v13 28/28] ovl: Enable metadata only feature Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180402150651.GC23306@redhat.com \
--to=vgoyal@redhat.com \
--cc=amir73il@gmail.com \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox