From: Alexander Larsson <alexl@redhat.com>
To: Miklos Szeredi <mszeredi@redhat.com>, linux-unionfs@vger.kernel.org
Cc: Amir Goldstein <amir73il@gmail.com>,
linux-fsdevel@vger.kernel.org,
Giuseppe Scrivano <gscrivan@redhat.com>
Subject: Re: [PATCH v2 3/5] ovl: make redirect/metacopy rejection consistent
Date: Tue, 25 Mar 2025 14:44:23 +0100 [thread overview]
Message-ID: <d3eee00ba034dd04df964d28025504436bec6055.camel@redhat.com> (raw)
In-Reply-To: <20250325104634.162496-4-mszeredi@redhat.com>
On Tue, 2025-03-25 at 11:46 +0100, Miklos Szeredi wrote:
> When overlayfs finds a file with metacopy and/or redirect attributes
> and
> the metacopy and/or redirect features are not enabled, then it
> refuses to
> act on those attributes while also issuing a warning.
>
> There was a slight inconsistency of only warning on an upper metacopy
> if it
> found the next file on the lower layer, while always warning for
> metacopy
> found on a lower layer.
>
> Fix this inconsistency and make the logic more straightforward,
> paving the
> way for following patches to change when dataredirects are allowed.
>
> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Alexander Larsson <alexl@redhat.com>
> ---
> fs/overlayfs/namei.c | 67 +++++++++++++++++++++++++++++-------------
> --
> 1 file changed, 44 insertions(+), 23 deletions(-)
>
> diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
> index be5c65d6f848..da322e9768d1 100644
> --- a/fs/overlayfs/namei.c
> +++ b/fs/overlayfs/namei.c
> @@ -1040,6 +1040,8 @@ struct dentry *ovl_lookup(struct inode *dir,
> struct dentry *dentry,
> struct inode *inode = NULL;
> bool upperopaque = false;
> char *upperredirect = NULL;
> + bool nextredirect = false;
> + bool nextmetacopy = false;
> struct dentry *this;
> unsigned int i;
> int err;
> @@ -1087,8 +1089,10 @@ struct dentry *ovl_lookup(struct inode *dir,
> struct dentry *dentry,
> if (err)
> goto out_put_upper;
>
> - if (d.metacopy)
> + if (d.metacopy) {
> uppermetacopy = true;
> + nextmetacopy = true;
> + }
> metacopy_size = d.metacopy;
> }
>
> @@ -1099,6 +1103,7 @@ struct dentry *ovl_lookup(struct inode *dir,
> struct dentry *dentry,
> goto out_put_upper;
> if (d.redirect[0] == '/')
> poe = roe;
> + nextredirect = true;
> }
> upperopaque = d.opaque;
> }
> @@ -1113,6 +1118,29 @@ struct dentry *ovl_lookup(struct inode *dir,
> struct dentry *dentry,
> for (i = 0; !d.stop && i < ovl_numlower(poe); i++) {
> struct ovl_path lower = ovl_lowerstack(poe)[i];
>
> + /*
> + * Following redirects/metacopy can have security
> consequences:
> + * it's like a symlink into the lower layer without
> the
> + * permission checks.
> + *
> + * This is only a problem if the upper layer is
> untrusted (e.g
> + * comes from an USB drive). This can allow a non-
> readable file
> + * or directory to become readable.
> + *
> + * Only following redirects when redirects are
> enabled disables
> + * this attack vector when not necessary.
> + */
> + if (nextmetacopy && !ofs->config.metacopy) {
> + pr_warn_ratelimited("refusing to follow
> metacopy origin for (%pd2)\n", dentry);
> + err = -EPERM;
> + goto out_put;
> + }
> + if (nextredirect && !ovl_redirect_follow(ofs)) {
> + pr_warn_ratelimited("refusing to follow
> redirect for (%pd2)\n", dentry);
> + err = -EPERM;
> + goto out_put;
> + }
> +
> if (!ovl_redirect_follow(ofs))
> d.last = i == ovl_numlower(poe) - 1;
> else if (d.is_dir || !ofs->numdatalayer)
> @@ -1126,12 +1154,8 @@ struct dentry *ovl_lookup(struct inode *dir,
> struct dentry *dentry,
> if (!this)
> continue;
>
> - if ((uppermetacopy || d.metacopy) && !ofs-
> >config.metacopy) {
> - dput(this);
> - err = -EPERM;
> - pr_warn_ratelimited("refusing to follow
> metacopy origin for (%pd2)\n", dentry);
> - goto out_put;
> - }
> + if (d.metacopy)
> + nextmetacopy = true;
>
> /*
> * If no origin fh is stored in upper of a merge
> dir, store fh
> @@ -1185,22 +1209,8 @@ struct dentry *ovl_lookup(struct inode *dir,
> struct dentry *dentry,
> ctr++;
> }
>
> - /*
> - * Following redirects can have security
> consequences: it's like
> - * a symlink into the lower layer without the
> permission checks.
> - * This is only a problem if the upper layer is
> untrusted (e.g
> - * comes from an USB drive). This can allow a non-
> readable file
> - * or directory to become readable.
> - *
> - * Only following redirects when redirects are
> enabled disables
> - * this attack vector when not necessary.
> - */
> - err = -EPERM;
> - if (d.redirect && !ovl_redirect_follow(ofs)) {
> - pr_warn_ratelimited("refusing to follow
> redirect for (%pd2)\n",
> - dentry);
> - goto out_put;
> - }
> + if (d.redirect)
> + nextredirect = true;
>
> if (d.stop)
> break;
> @@ -1218,6 +1228,17 @@ struct dentry *ovl_lookup(struct inode *dir,
> struct dentry *dentry,
> ctr++;
> }
>
> + if (nextmetacopy && !ofs->config.metacopy) {
> + pr_warn_ratelimited("refusing to follow metacopy
> origin for (%pd2)\n", dentry);
> + err = -EPERM;
> + goto out_put;
> + }
> + if (nextredirect && !ovl_redirect_follow(ofs)) {
> + pr_warn_ratelimited("refusing to follow redirect for
> (%pd2)\n", dentry);
> + err = -EPERM;
> + goto out_put;
> + }
> +
> /*
> * For regular non-metacopy upper dentries, there is no
> lower
> * path based lookup, hence ctr will be zero. If a dentry is
> found
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=
Alexander Larsson Red Hat,
Inc
alexl@redhat.com alexander.larsson@gmail.com
He's a witless guerilla astronaut with a mysterious suitcase handcuffed
to his arm. She's a mistrustful communist journalist with an incredible
destiny. They fight crime!
next prev parent reply other threads:[~2025-03-25 13:44 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-25 10:46 [PATCH v2 0/5] ovl: metacopy/verity fixes and improvements Miklos Szeredi
2025-03-25 10:46 ` [PATCH v2 1/5] ovl: don't allow datadir only Miklos Szeredi
2025-03-25 11:57 ` Alexander Larsson
2025-03-25 14:36 ` Christian Brauner
2025-03-25 10:46 ` [PATCH v2 2/5] ovl: remove unused forward declaration Miklos Szeredi
2025-03-25 13:43 ` Alexander Larsson
2025-03-25 14:38 ` Christian Brauner
2025-03-25 10:46 ` [PATCH v2 3/5] ovl: make redirect/metacopy rejection consistent Miklos Szeredi
2025-03-25 11:13 ` Amir Goldstein
2025-03-25 13:44 ` Alexander Larsson [this message]
2025-03-25 10:46 ` [PATCH v2 4/5] ovl: relax redirect/metacopy requirements for lower -> data redirect Miklos Szeredi
2025-03-25 11:22 ` Amir Goldstein
2025-03-25 13:46 ` Alexander Larsson
2025-03-25 10:46 ` [PATCH v2 5/5] ovl: don't require "metacopy=on" for "verity" Miklos Szeredi
2025-03-25 11:33 ` Amir Goldstein
2025-03-25 11:47 ` Amir Goldstein
2025-03-25 13:42 ` Alexander Larsson
2025-03-26 10:24 ` Miklos Szeredi
2025-03-28 10:08 ` Alexander Larsson
2025-03-25 13:48 ` Alexander Larsson
2025-03-25 12:04 ` [PATCH v2 0/5] ovl: metacopy/verity fixes and improvements Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d3eee00ba034dd04df964d28025504436bec6055.camel@redhat.com \
--to=alexl@redhat.com \
--cc=amir73il@gmail.com \
--cc=gscrivan@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=mszeredi@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).