From: Christian Brauner <brauner@kernel.org>
To: Miklos Szeredi <miklos@szeredi.hu>, Amir Goldstein <amir73il@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
linux-unionfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Christian Brauner <brauner@kernel.org>
Subject: [PATCH v2 00/42] ovl: convert to cred guard
Date: Thu, 13 Nov 2025 17:37:05 +0100 [thread overview]
Message-ID: <20251113-work-ovl-cred-guard-v2-0-c08940095e90@kernel.org> (raw)
This adds an overlayfs specific extension of the cred guard
infrastructure I introduced. This allows all of overlayfs to be ported
to cred guards. I refactored a few functions to reduce the scope of the
cred guard. I think this is beneficial as it's visually very easy to
grasp the scope in one go. Lightly tested.
Signed-off-by: Christian Brauner <brauner@kernel.org>
---
Changes in v2:
- Fixed ovl_lookup() refactoring.
- Various other fixes.
- Added vfs debug assert to detect double credential overrides.
- Link to v1: https://patch.msgid.link/20251113-work-ovl-cred-guard-v1-0-fa9887f17061@kernel.org
---
Amir Goldstein (1):
ovl: refactor ovl_iterate() and port to cred guard
Christian Brauner (41):
ovl: add override_creds cleanup guard extension for overlayfs
ovl: port ovl_copy_up_flags() to cred guards
ovl: port ovl_create_or_link() to cred guard
ovl: port ovl_set_link_redirect() to cred guard
ovl: port ovl_do_remove() to cred guard
ovl: port ovl_create_tmpfile() to cred guard
ovl: port ovl_open_realfile() to cred guard
ovl: port ovl_llseek() to cred guard
ovl: port ovl_fsync() to cred guard
ovl: port ovl_fallocate() to cred guard
ovl: port ovl_fadvise() to cred guard
ovl: port ovl_flush() to cred guard
ovl: port ovl_setattr() to cred guard
ovl: port ovl_getattr() to cred guard
ovl: port ovl_permission() to cred guard
ovl: port ovl_get_link() to cred guard
ovl: port do_ovl_get_acl() to cred guard
ovl: port ovl_set_or_remove_acl() to cred guard
ovl: port ovl_fiemap() to cred guard
ovl: port ovl_fileattr_set() to cred guard
ovl: port ovl_fileattr_get() to cred guard
ovl: port ovl_maybe_validate_verity() to cred guard
ovl: port ovl_maybe_lookup_lowerdata() to cred guard
ovl: don't override credentials for ovl_check_whiteouts()
ovl: port ovl_dir_llseek() to cred guard
ovl: port ovl_check_empty_dir() to cred guard
ovl: port ovl_nlink_start() to cred guard
ovl: port ovl_nlink_end() to cred guard
ovl: port ovl_xattr_set() to cred guard
ovl: port ovl_xattr_get() to cred guard
ovl: port ovl_listxattr() to cred guard
ovl: refactor ovl_rename()
ovl: port ovl_rename() to cred guard
ovl: port ovl_copyfile() to cred guard
ovl: refactor ovl_lookup()
ovl: port ovl_lookup() to cred guard
ovl: port ovl_lower_positive() to cred guard
ovl: refactor ovl_fill_super()
ovl: port ovl_fill_super() to cred guard
ovl: remove ovl_revert_creds()
ovl: detect double credential overrides
fs/overlayfs/copy_up.c | 6 +-
fs/overlayfs/dir.c | 427 +++++++++++++++++++++++------------------------
fs/overlayfs/file.c | 101 +++++------
fs/overlayfs/inode.c | 120 ++++++-------
fs/overlayfs/namei.c | 402 ++++++++++++++++++++++----------------------
fs/overlayfs/overlayfs.h | 6 +-
fs/overlayfs/readdir.c | 86 ++++------
fs/overlayfs/super.c | 89 +++++-----
fs/overlayfs/util.c | 20 +--
fs/overlayfs/xattrs.c | 35 ++--
10 files changed, 611 insertions(+), 681 deletions(-)
---
base-commit: 2902367e352af16cbed9c67ca9022b52a0b738e7
change-id: 20251112-work-ovl-cred-guard-20daabcbf8fa
next reply other threads:[~2025-11-13 16:37 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-13 16:37 Christian Brauner [this message]
2025-11-13 16:37 ` [PATCH v2 01/42] ovl: add override_creds cleanup guard extension for overlayfs Christian Brauner
2025-11-13 16:37 ` [PATCH v2 02/42] ovl: port ovl_copy_up_flags() to cred guards Christian Brauner
2025-11-13 16:37 ` [PATCH v2 03/42] ovl: port ovl_create_or_link() to cred guard Christian Brauner
2025-11-13 16:37 ` [PATCH v2 04/42] ovl: port ovl_set_link_redirect() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 05/42] ovl: port ovl_do_remove() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 06/42] ovl: port ovl_create_tmpfile() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 07/42] ovl: port ovl_open_realfile() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 08/42] ovl: port ovl_llseek() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 09/42] ovl: port ovl_fsync() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 10/42] ovl: port ovl_fallocate() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 11/42] ovl: port ovl_fadvise() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 12/42] ovl: port ovl_flush() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 13/42] ovl: port ovl_setattr() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 14/42] ovl: port ovl_getattr() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 15/42] ovl: port ovl_permission() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 16/42] ovl: port ovl_get_link() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 17/42] ovl: port do_ovl_get_acl() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 18/42] ovl: port ovl_set_or_remove_acl() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 19/42] ovl: port ovl_fiemap() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 20/42] ovl: port ovl_fileattr_set() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 21/42] ovl: port ovl_fileattr_get() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 22/42] ovl: port ovl_maybe_validate_verity() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 23/42] ovl: port ovl_maybe_lookup_lowerdata() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 24/42] ovl: don't override credentials for ovl_check_whiteouts() Christian Brauner
2025-11-13 16:37 ` [PATCH v2 25/42] ovl: refactor ovl_iterate() and port to cred guard Christian Brauner
2025-11-13 16:37 ` [PATCH v2 26/42] ovl: port ovl_dir_llseek() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 27/42] ovl: port ovl_check_empty_dir() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 28/42] ovl: port ovl_nlink_start() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 29/42] ovl: port ovl_nlink_end() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 30/42] ovl: port ovl_xattr_set() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 31/42] ovl: port ovl_xattr_get() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 32/42] ovl: port ovl_listxattr() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 33/42] ovl: refactor ovl_rename() Christian Brauner
2025-11-13 16:37 ` [PATCH v2 34/42] ovl: port ovl_rename() to cred guard Christian Brauner
2025-11-13 16:37 ` [PATCH v2 35/42] ovl: port ovl_copyfile() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 36/42] ovl: refactor ovl_lookup() Christian Brauner
2025-11-13 16:37 ` [PATCH v2 37/42] ovl: port ovl_lookup() to cred guard Christian Brauner
2025-11-13 16:37 ` [PATCH v2 38/42] ovl: port ovl_lower_positive() " Christian Brauner
2025-11-13 16:37 ` [PATCH v2 39/42] ovl: refactor ovl_fill_super() Christian Brauner
2025-11-13 16:37 ` [PATCH v2 40/42] ovl: port ovl_fill_super() to cred guard Christian Brauner
2025-11-13 16:37 ` [PATCH v2 41/42] ovl: remove ovl_revert_creds() Christian Brauner
2025-11-13 16:37 ` [PATCH v2 42/42] ovl: detect double credential overrides Christian Brauner
2025-11-13 18:42 ` Amir Goldstein
2025-11-13 21:31 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251113-work-ovl-cred-guard-v2-0-c08940095e90@kernel.org \
--to=brauner@kernel.org \
--cc=amir73il@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).