3 * Copyright (C) 2011 Novell Inc.
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 as published by
7 * the Free Software Foundation.
11 #include <linux/slab.h>
12 #include <linux/cred.h>
13 #include <linux/xattr.h>
14 #include <linux/posix_acl.h>
15 #include <linux/ratelimit.h>
16 #include "overlayfs.h"
17 #include "ovl_entry.h"
19 int ovl_setattr(struct dentry *dentry, struct iattr *attr)
22 struct dentry *upperdentry;
23 const struct cred *old_cred;
26 * Check for permissions before trying to copy-up. This is redundant
27 * since it will be rechecked later by ->setattr() on upper dentry. But
28 * without this, copy-up can be triggered by just about anybody.
30 * We don't initialize inode->size, which just means that
31 * inode_newsize_ok() will always check against MAX_LFS_FILESIZE and not
32 * check for a swapfile (which this won't be anyway).
34 err = setattr_prepare(dentry, attr);
38 err = ovl_want_write(dentry);
42 err = ovl_copy_up(dentry);
44 upperdentry = ovl_dentry_upper(dentry);
46 if (attr->ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID))
47 attr->ia_valid &= ~ATTR_MODE;
49 inode_lock(upperdentry->d_inode);
50 old_cred = ovl_override_creds(dentry->d_sb);
51 err = notify_change(upperdentry, attr, NULL);
52 revert_creds(old_cred);
54 ovl_copyattr(upperdentry->d_inode, dentry->d_inode);
55 inode_unlock(upperdentry->d_inode);
57 ovl_drop_write(dentry);
62 int ovl_getattr(const struct path *path, struct kstat *stat,
63 u32 request_mask, unsigned int flags)
65 struct dentry *dentry = path->dentry;
66 enum ovl_path_type type;
68 const struct cred *old_cred;
69 bool is_dir = S_ISDIR(dentry->d_inode->i_mode);
72 type = ovl_path_real(dentry, &realpath);
73 old_cred = ovl_override_creds(dentry->d_sb);
74 err = vfs_getattr(&realpath, stat, request_mask, flags);
79 * When all layers are on the same fs, all real inode number are
80 * unique, so we use the overlay st_dev, which is friendly to du -x.
82 * We also use st_ino of the copy up origin, if we know it.
83 * This guaranties constant st_dev/st_ino across copy up.
85 * If filesystem supports NFS export ops, this also guaranties
86 * persistent st_ino across mount cycle.
88 if (ovl_same_sb(dentry->d_sb)) {
89 if (OVL_TYPE_ORIGIN(type)) {
90 struct kstat lowerstat;
91 u32 lowermask = STATX_INO | (!is_dir ? STATX_NLINK : 0);
93 ovl_path_lower(dentry, &realpath);
94 err = vfs_getattr(&realpath, &lowerstat,
99 WARN_ON_ONCE(stat->dev != lowerstat.dev);
101 * Lower hardlinks may be broken on copy up to different
102 * upper files, so we cannot use the lower origin st_ino
103 * for those different files, even for the same fs case.
104 * With inodes index enabled, it is safe to use st_ino
105 * of an indexed hardlinked origin. The index validates
106 * that the upper hardlink is not broken.
108 if (is_dir || lowerstat.nlink == 1 ||
109 ovl_test_flag(OVL_INDEX, d_inode(dentry)))
110 stat->ino = lowerstat.ino;
112 stat->dev = dentry->d_sb->s_dev;
115 * If not all layers are on the same fs the pair {real st_ino;
116 * overlay st_dev} is not unique, so use the non persistent
119 * Always use the overlay st_dev for directories, so 'find
120 * -xdev' will scan the entire overlay mount and won't cross the
121 * overlay mount boundaries.
123 stat->dev = dentry->d_sb->s_dev;
124 stat->ino = dentry->d_inode->i_ino;
128 * It's probably not worth it to count subdirs to get the
129 * correct link count. nlink=1 seems to pacify 'find' and
132 if (is_dir && OVL_TYPE_MERGE(type))
136 * Return the overlay inode nlinks for indexed upper inodes.
137 * Overlay inode nlink counts the union of the upper hardlinks
138 * and non-covered lower hardlinks. It does not include the upper
141 if (!is_dir && ovl_test_flag(OVL_INDEX, d_inode(dentry)))
142 stat->nlink = dentry->d_inode->i_nlink;
145 revert_creds(old_cred);
150 int ovl_permission(struct inode *inode, int mask)
152 struct inode *upperinode = ovl_inode_upper(inode);
153 struct inode *realinode = upperinode ?: ovl_inode_lower(inode);
154 const struct cred *old_cred;
157 /* Careful in RCU walk mode */
159 WARN_ON(!(mask & MAY_NOT_BLOCK));
164 * Check overlay inode with the creds of task and underlying inode
165 * with creds of mounter
167 err = generic_permission(inode, mask);
171 old_cred = ovl_override_creds(inode->i_sb);
173 !special_file(realinode->i_mode) && mask & MAY_WRITE) {
174 mask &= ~(MAY_WRITE | MAY_APPEND);
175 /* Make sure mounter can read file for copy up later */
178 err = inode_permission(realinode, mask);
179 revert_creds(old_cred);
184 static const char *ovl_get_link(struct dentry *dentry,
186 struct delayed_call *done)
188 const struct cred *old_cred;
192 return ERR_PTR(-ECHILD);
194 old_cred = ovl_override_creds(dentry->d_sb);
195 p = vfs_get_link(ovl_dentry_real(dentry), done);
196 revert_creds(old_cred);
200 bool ovl_is_private_xattr(const char *name)
202 return strncmp(name, OVL_XATTR_PREFIX,
203 sizeof(OVL_XATTR_PREFIX) - 1) == 0;
206 int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,
207 const void *value, size_t size, int flags)
210 struct dentry *upperdentry = ovl_i_dentry_upper(inode);
211 struct dentry *realdentry = upperdentry ?: ovl_dentry_lower(dentry);
212 const struct cred *old_cred;
214 err = ovl_want_write(dentry);
218 if (!value && !upperdentry) {
219 old_cred = ovl_override_creds(dentry->d_sb);
220 err = vfs_getxattr(realdentry, name, NULL, 0);
221 revert_creds(old_cred);
227 err = ovl_copy_up(dentry);
231 realdentry = ovl_dentry_upper(dentry);
234 old_cred = ovl_override_creds(dentry->d_sb);
236 err = vfs_setxattr(realdentry, name, value, size, flags);
238 WARN_ON(flags != XATTR_REPLACE);
239 err = vfs_removexattr(realdentry, name);
241 revert_creds(old_cred);
244 ovl_drop_write(dentry);
249 int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name,
250 void *value, size_t size)
253 const struct cred *old_cred;
254 struct dentry *realdentry =
255 ovl_i_dentry_upper(inode) ?: ovl_dentry_lower(dentry);
257 old_cred = ovl_override_creds(dentry->d_sb);
258 res = vfs_getxattr(realdentry, name, value, size);
259 revert_creds(old_cred);
263 static bool ovl_can_list(const char *s)
265 /* List all non-trusted xatts */
266 if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0)
269 /* Never list trusted.overlay, list other trusted for superuser only */
270 return !ovl_is_private_xattr(s) &&
271 ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
274 ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
276 struct dentry *realdentry = ovl_dentry_real(dentry);
280 const struct cred *old_cred;
282 old_cred = ovl_override_creds(dentry->d_sb);
283 res = vfs_listxattr(realdentry, list, size);
284 revert_creds(old_cred);
285 if (res <= 0 || size == 0)
288 /* filter out private xattrs */
289 for (s = list, len = res; len;) {
290 size_t slen = strnlen(s, len) + 1;
292 /* underlying fs providing us with an broken xattr list? */
293 if (WARN_ON(slen > len))
297 if (!ovl_can_list(s)) {
299 memmove(s, s + slen, len);
308 struct posix_acl *ovl_get_acl(struct inode *inode, int type)
310 struct inode *realinode = ovl_inode_real(inode);
311 const struct cred *old_cred;
312 struct posix_acl *acl;
314 if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !IS_POSIXACL(realinode))
317 old_cred = ovl_override_creds(inode->i_sb);
318 acl = get_acl(realinode, type);
319 revert_creds(old_cred);
324 static bool ovl_open_need_copy_up(struct dentry *dentry, int flags)
326 if (ovl_dentry_upper(dentry) &&
327 ovl_dentry_has_upper_alias(dentry))
330 if (special_file(d_inode(dentry)->i_mode))
333 if (!(OPEN_FMODE(flags) & FMODE_WRITE) && !(flags & O_TRUNC))
339 int ovl_open_maybe_copy_up(struct dentry *dentry, unsigned int file_flags)
343 if (ovl_open_need_copy_up(dentry, file_flags)) {
344 err = ovl_want_write(dentry);
346 err = ovl_copy_up_flags(dentry, file_flags);
347 ovl_drop_write(dentry);
354 int ovl_update_time(struct inode *inode, struct timespec *ts, int flags)
356 struct dentry *alias;
357 struct path upperpath;
359 if (!(flags & S_ATIME))
362 alias = d_find_any_alias(inode);
366 ovl_path_upper(alias, &upperpath);
367 if (upperpath.dentry) {
368 touch_atime(&upperpath);
369 inode->i_atime = d_inode(upperpath.dentry)->i_atime;
377 static const struct inode_operations ovl_file_inode_operations = {
378 .setattr = ovl_setattr,
379 .permission = ovl_permission,
380 .getattr = ovl_getattr,
381 .listxattr = ovl_listxattr,
382 .get_acl = ovl_get_acl,
383 .update_time = ovl_update_time,
386 static const struct inode_operations ovl_symlink_inode_operations = {
387 .setattr = ovl_setattr,
388 .get_link = ovl_get_link,
389 .getattr = ovl_getattr,
390 .listxattr = ovl_listxattr,
391 .update_time = ovl_update_time,
395 * It is possible to stack overlayfs instance on top of another
396 * overlayfs instance as lower layer. We need to annonate the
397 * stackable i_mutex locks according to stack level of the super
398 * block instance. An overlayfs instance can never be in stack
399 * depth 0 (there is always a real fs below it). An overlayfs
400 * inode lock will use the lockdep annotaion ovl_i_mutex_key[depth].
402 * For example, here is a snip from /proc/lockdep_chains after
403 * dir_iterate of nested overlayfs:
405 * [...] &ovl_i_mutex_dir_key[depth] (stack_depth=2)
406 * [...] &ovl_i_mutex_dir_key[depth]#2 (stack_depth=1)
407 * [...] &type->i_mutex_dir_key (stack_depth=0)
409 #define OVL_MAX_NESTING FILESYSTEM_MAX_STACK_DEPTH
411 static inline void ovl_lockdep_annotate_inode_mutex_key(struct inode *inode)
413 #ifdef CONFIG_LOCKDEP
414 static struct lock_class_key ovl_i_mutex_key[OVL_MAX_NESTING];
415 static struct lock_class_key ovl_i_mutex_dir_key[OVL_MAX_NESTING];
417 int depth = inode->i_sb->s_stack_depth - 1;
419 if (WARN_ON_ONCE(depth < 0 || depth >= OVL_MAX_NESTING))
422 if (S_ISDIR(inode->i_mode))
423 lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_dir_key[depth]);
425 lockdep_set_class(&inode->i_rwsem, &ovl_i_mutex_key[depth]);
429 static void ovl_fill_inode(struct inode *inode, umode_t mode, dev_t rdev)
431 inode->i_ino = get_next_ino();
432 inode->i_mode = mode;
433 inode->i_flags |= S_NOCMTIME;
434 #ifdef CONFIG_FS_POSIX_ACL
435 inode->i_acl = inode->i_default_acl = ACL_DONT_CACHE;
438 ovl_lockdep_annotate_inode_mutex_key(inode);
440 switch (mode & S_IFMT) {
442 inode->i_op = &ovl_file_inode_operations;
446 inode->i_op = &ovl_dir_inode_operations;
447 inode->i_fop = &ovl_dir_operations;
451 inode->i_op = &ovl_symlink_inode_operations;
455 inode->i_op = &ovl_file_inode_operations;
456 init_special_inode(inode, mode, rdev);
462 * With inodes index enabled, an overlay inode nlink counts the union of upper
463 * hardlinks and non-covered lower hardlinks. During the lifetime of a non-pure
464 * upper inode, the following nlink modifying operations can happen:
466 * 1. Lower hardlink copy up
467 * 2. Upper hardlink created, unlinked or renamed over
468 * 3. Lower hardlink whiteout or renamed over
470 * For the first, copy up case, the union nlink does not change, whether the
471 * operation succeeds or fails, but the upper inode nlink may change.
472 * Therefore, before copy up, we store the union nlink value relative to the
473 * lower inode nlink in the index inode xattr trusted.overlay.nlink.
475 * For the second, upper hardlink case, the union nlink should be incremented
476 * or decremented IFF the operation succeeds, aligned with nlink change of the
477 * upper inode. Therefore, before link/unlink/rename, we store the union nlink
478 * value relative to the upper inode nlink in the index inode.
480 * For the last, lower cover up case, we simplify things by preceding the
481 * whiteout or cover up with copy up. This makes sure that there is an index
482 * upper inode where the nlink xattr can be stored before the copied up upper
485 #define OVL_NLINK_ADD_UPPER (1 << 0)
488 * On-disk format for indexed nlink:
490 * nlink relative to the upper inode - "U[+-]NUM"
491 * nlink relative to the lower inode - "L[+-]NUM"
494 static int ovl_set_nlink_common(struct dentry *dentry,
495 struct dentry *realdentry, const char *format)
497 struct inode *inode = d_inode(dentry);
498 struct inode *realinode = d_inode(realdentry);
502 len = snprintf(buf, sizeof(buf), format,
503 (int) (inode->i_nlink - realinode->i_nlink));
505 if (WARN_ON(len >= sizeof(buf)))
508 return ovl_do_setxattr(ovl_dentry_upper(dentry),
509 OVL_XATTR_NLINK, buf, len, 0);
512 int ovl_set_nlink_upper(struct dentry *dentry)
514 return ovl_set_nlink_common(dentry, ovl_dentry_upper(dentry), "U%+i");
517 int ovl_set_nlink_lower(struct dentry *dentry)
519 return ovl_set_nlink_common(dentry, ovl_dentry_lower(dentry), "L%+i");
522 unsigned int ovl_get_nlink(struct dentry *lowerdentry,
523 struct dentry *upperdentry,
524 unsigned int fallback)
531 if (!lowerdentry || !upperdentry || d_inode(lowerdentry)->i_nlink == 1)
534 err = vfs_getxattr(upperdentry, OVL_XATTR_NLINK, &buf, sizeof(buf) - 1);
539 if ((buf[0] != 'L' && buf[0] != 'U') ||
540 (buf[1] != '+' && buf[1] != '-'))
543 err = kstrtoint(buf + 1, 10, &nlink_diff);
547 nlink = d_inode(buf[0] == 'L' ? lowerdentry : upperdentry)->i_nlink;
556 pr_warn_ratelimited("overlayfs: failed to get index nlink (%pd2, err=%i)\n",
561 struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev)
565 inode = new_inode(sb);
567 ovl_fill_inode(inode, mode, rdev);
572 static int ovl_inode_test(struct inode *inode, void *data)
574 return inode->i_private == data;
577 static int ovl_inode_set(struct inode *inode, void *data)
579 inode->i_private = data;
583 static bool ovl_verify_inode(struct inode *inode, struct dentry *lowerdentry,
584 struct dentry *upperdentry)
586 if (S_ISDIR(inode->i_mode)) {
587 /* Real lower dir moved to upper layer under us? */
588 if (!lowerdentry && ovl_inode_lower(inode))
591 /* Lookup of an uncovered redirect origin? */
592 if (!upperdentry && ovl_inode_upper(inode))
597 * Allow non-NULL lower inode in ovl_inode even if lowerdentry is NULL.
598 * This happens when finding a copied up overlay inode for a renamed
599 * or hardlinked overlay dentry and lower dentry cannot be followed
600 * by origin because lower fs does not support file handles.
602 if (lowerdentry && ovl_inode_lower(inode) != d_inode(lowerdentry))
606 * Allow non-NULL __upperdentry in inode even if upperdentry is NULL.
607 * This happens when finding a lower alias for a copied up hard link.
609 if (upperdentry && ovl_inode_upper(inode) != d_inode(upperdentry))
616 * Does overlay inode need to be hashed by lower inode?
618 static bool ovl_hash_bylower(struct super_block *sb, struct dentry *upper,
619 struct dentry *lower, struct dentry *index)
621 struct ovl_fs *ofs = sb->s_fs_info;
623 /* No, if pure upper */
627 /* Yes, if already indexed */
631 /* Yes, if won't be copied up */
635 /* No, if lower hardlink is or will be broken on copy up */
636 if ((upper || !ovl_indexdir(sb)) &&
637 !d_is_dir(lower) && d_inode(lower)->i_nlink > 1)
640 /* No, if non-indexed upper with NFS export */
641 if (sb->s_export_op && upper)
644 /* Otherwise, hash by lower inode for fsnotify */
648 struct inode *ovl_get_inode(struct dentry *dentry, struct dentry *upperdentry,
649 struct dentry *index)
651 struct super_block *sb = dentry->d_sb;
652 struct dentry *lowerdentry = ovl_dentry_lower(dentry);
653 struct inode *realinode = upperdentry ? d_inode(upperdentry) : NULL;
655 bool bylower = ovl_hash_bylower(sb, upperdentry, lowerdentry, index);
659 realinode = d_inode(lowerdentry);
662 * Copy up origin (lower) may exist for non-indexed upper, but we must
663 * not use lower as hash key if this is a broken hardlink.
665 is_dir = S_ISDIR(realinode->i_mode);
666 if (upperdentry || bylower) {
667 struct inode *key = d_inode(bylower ? lowerdentry :
669 unsigned int nlink = is_dir ? 1 : realinode->i_nlink;
671 inode = iget5_locked(sb, (unsigned long) key,
672 ovl_inode_test, ovl_inode_set, key);
675 if (!(inode->i_state & I_NEW)) {
677 * Verify that the underlying files stored in the inode
678 * match those in the dentry.
680 if (!ovl_verify_inode(inode, lowerdentry, upperdentry)) {
682 inode = ERR_PTR(-ESTALE);
690 /* Recalculate nlink for non-dir due to indexing */
692 nlink = ovl_get_nlink(lowerdentry, upperdentry, nlink);
693 set_nlink(inode, nlink);
695 /* Lower hardlink that will be broken on copy up */
696 inode = new_inode(sb);
700 ovl_fill_inode(inode, realinode->i_mode, realinode->i_rdev);
701 ovl_inode_init(inode, upperdentry, lowerdentry);
703 if (upperdentry && ovl_is_impuredir(upperdentry))
704 ovl_set_flag(OVL_IMPURE, inode);
706 if (inode->i_state & I_NEW)
707 unlock_new_inode(inode);
712 inode = ERR_PTR(-ENOMEM);
projects / releases.git / blob