2 * Copyright (C) 2011 Novell Inc.
3 * Copyright (C) 2016 Red Hat, Inc.
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 as published by
7 * the Free Software Foundation.
11 #include <linux/cred.h>
12 #include <linux/ctype.h>
13 #include <linux/namei.h>
14 #include <linux/xattr.h>
15 #include <linux/ratelimit.h>
16 #include <linux/mount.h>
17 #include <linux/exportfs.h>
18 #include "overlayfs.h"
20 struct ovl_lookup_data {
29 static int ovl_check_redirect(struct dentry *dentry, struct ovl_lookup_data *d,
30 size_t prelen, const char *post)
33 char *s, *next, *buf = NULL;
35 res = vfs_getxattr(dentry, OVL_XATTR_REDIRECT, NULL, 0);
37 if (res == -ENODATA || res == -EOPNOTSUPP)
41 buf = kzalloc(prelen + res + strlen(post) + 1, GFP_KERNEL);
48 res = vfs_getxattr(dentry, OVL_XATTR_REDIRECT, buf, res);
54 for (s = buf; *s++ == '/'; s = next) {
55 next = strchrnul(s, '/');
60 if (strchr(buf, '/') != NULL)
63 memmove(buf + prelen, buf, res);
64 memcpy(buf, d->name.name, prelen);
70 d->name.name = d->redirect;
71 d->name.len = strlen(d->redirect);
79 pr_warn_ratelimited("overlayfs: failed to get redirect (%i)\n", res);
82 pr_warn_ratelimited("overlayfs: invalid redirect (%s)\n", buf);
86 static int ovl_acceptable(void *ctx, struct dentry *dentry)
89 * A non-dir origin may be disconnected, which is fine, because
90 * we only need it for its unique inode number.
92 if (!d_is_dir(dentry))
95 /* Don't decode a deleted empty directory */
96 if (d_unhashed(dentry))
99 /* Check if directory belongs to the layer we are decoding from */
100 return is_subdir(dentry, ((struct vfsmount *)ctx)->mnt_root);
104 * Check validity of an overlay file handle buffer.
106 * Return 0 for a valid file handle.
107 * Return -ENODATA for "origin unknown".
108 * Return <0 for an invalid file handle.
110 int ovl_check_fh_len(struct ovl_fh *fh, int fh_len)
112 if (fh_len < sizeof(struct ovl_fh) || fh_len < fh->len)
115 if (fh->magic != OVL_FH_MAGIC)
118 /* Treat larger version and unknown flags as "origin unknown" */
119 if (fh->version > OVL_FH_VERSION || fh->flags & ~OVL_FH_FLAG_ALL)
122 /* Treat endianness mismatch as "origin unknown" */
123 if (!(fh->flags & OVL_FH_FLAG_ANY_ENDIAN) &&
124 (fh->flags & OVL_FH_FLAG_BIG_ENDIAN) != OVL_FH_FLAG_CPU_ENDIAN)
130 static struct ovl_fh *ovl_get_fh(struct dentry *dentry, const char *name)
133 struct ovl_fh *fh = NULL;
135 res = vfs_getxattr(dentry, name, NULL, 0);
137 if (res == -ENODATA || res == -EOPNOTSUPP)
141 /* Zero size value means "copied up but origin unknown" */
145 fh = kzalloc(res, GFP_KERNEL);
147 return ERR_PTR(-ENOMEM);
149 res = vfs_getxattr(dentry, name, fh, res);
153 err = ovl_check_fh_len(fh, res);
167 pr_warn_ratelimited("overlayfs: failed to get origin (%i)\n", res);
170 pr_warn_ratelimited("overlayfs: invalid origin (%*phN)\n", res, fh);
174 struct dentry *ovl_decode_fh(struct ovl_fh *fh, struct vfsmount *mnt)
180 * Make sure that the stored uuid matches the uuid of the lower
181 * layer where file handle will be decoded.
183 if (!uuid_equal(&fh->uuid, &mnt->mnt_sb->s_uuid))
186 bytes = (fh->len - offsetof(struct ovl_fh, fid));
187 real = exportfs_decode_fh(mnt, (struct fid *)fh->fid,
188 bytes >> 2, (int)fh->type,
189 ovl_acceptable, mnt);
192 * Treat stale file handle to lower file as "origin unknown".
193 * upper file handle could become stale when upper file is
194 * unlinked and this information is needed to handle stale
195 * index entries correctly.
197 if (real == ERR_PTR(-ESTALE) &&
198 !(fh->flags & OVL_FH_FLAG_PATH_UPPER))
203 if (ovl_dentry_weird(real)) {
211 static bool ovl_is_opaquedir(struct dentry *dentry)
213 return ovl_check_dir_xattr(dentry, OVL_XATTR_OPAQUE);
216 static int ovl_lookup_single(struct dentry *base, struct ovl_lookup_data *d,
217 const char *name, unsigned int namelen,
218 size_t prelen, const char *post,
224 this = lookup_one_len_unlocked(name, base, namelen);
228 if (err == -ENOENT || err == -ENAMETOOLONG)
235 if (ovl_dentry_weird(this)) {
236 /* Don't support traversing automounts and other weirdness */
240 if (ovl_is_whiteout(this)) {
241 d->stop = d->opaque = true;
244 if (!d_can_lookup(this)) {
251 if (!d->last && ovl_is_opaquedir(this)) {
252 d->stop = d->opaque = true;
255 err = ovl_check_redirect(this, d, prelen, post);
272 static int ovl_lookup_layer(struct dentry *base, struct ovl_lookup_data *d,
275 /* Counting down from the end, since the prefix can change */
276 size_t rem = d->name.len - 1;
277 struct dentry *dentry = NULL;
280 if (d->name.name[0] != '/')
281 return ovl_lookup_single(base, d, d->name.name, d->name.len,
284 while (!IS_ERR_OR_NULL(base) && d_can_lookup(base)) {
285 const char *s = d->name.name + d->name.len - rem;
286 const char *next = strchrnul(s, '/');
287 size_t thislen = next - s;
290 /* Verify we did not go off the rails */
291 if (WARN_ON(s[-1] != '/'))
294 err = ovl_lookup_single(base, d, s, thislen,
295 d->name.len - rem, next, &base);
305 if (WARN_ON(rem >= d->name.len))
313 int ovl_check_origin_fh(struct ovl_fs *ofs, struct ovl_fh *fh,
314 struct dentry *upperdentry, struct ovl_path **stackp)
316 struct dentry *origin = NULL;
319 for (i = 0; i < ofs->numlower; i++) {
320 origin = ovl_decode_fh(fh, ofs->lower_layers[i].mnt);
327 else if (IS_ERR(origin))
328 return PTR_ERR(origin);
330 if (upperdentry && !ovl_is_whiteout(upperdentry) &&
331 ((d_inode(origin)->i_mode ^ d_inode(upperdentry)->i_mode) & S_IFMT))
335 *stackp = kmalloc(sizeof(struct ovl_path), GFP_KERNEL);
340 **stackp = (struct ovl_path){
342 .layer = &ofs->lower_layers[i]
348 pr_warn_ratelimited("overlayfs: invalid origin (%pd2, ftype=%x, origin ftype=%x).\n",
349 upperdentry, d_inode(upperdentry)->i_mode & S_IFMT,
350 d_inode(origin)->i_mode & S_IFMT);
355 static int ovl_check_origin(struct ovl_fs *ofs, struct dentry *upperdentry,
356 struct ovl_path **stackp, unsigned int *ctrp)
358 struct ovl_fh *fh = ovl_get_fh(upperdentry, OVL_XATTR_ORIGIN);
361 if (IS_ERR_OR_NULL(fh))
364 err = ovl_check_origin_fh(ofs, fh, upperdentry, stackp);
381 * Verify that @fh matches the file handle stored in xattr @name.
382 * Return 0 on match, -ESTALE on mismatch, < 0 on error.
384 static int ovl_verify_fh(struct dentry *dentry, const char *name,
385 const struct ovl_fh *fh)
387 struct ovl_fh *ofh = ovl_get_fh(dentry, name);
396 if (fh->len != ofh->len || memcmp(fh, ofh, fh->len))
404 * Verify that @real dentry matches the file handle stored in xattr @name.
406 * If @set is true and there is no stored file handle, encode @real and store
407 * file handle in xattr @name.
409 * Return 0 on match, -ESTALE on mismatch, -ENODATA on no xattr, < 0 on error.
411 int ovl_verify_set_fh(struct dentry *dentry, const char *name,
412 struct dentry *real, bool is_upper, bool set)
418 fh = ovl_encode_fh(real, is_upper);
423 err = ovl_verify_fh(dentry, name, fh);
424 if (set && err == -ENODATA)
425 err = ovl_do_setxattr(dentry, name, fh, fh->len, 0);
434 inode = d_inode(real);
435 pr_warn_ratelimited("overlayfs: failed to verify %s (%pd2, ino=%lu, err=%i)\n",
436 is_upper ? "upper" : "origin", real,
437 inode ? inode->i_ino : 0, err);
441 /* Get upper dentry from index */
442 static struct dentry *ovl_index_upper(struct ovl_fs *ofs, struct dentry *index)
445 struct dentry *upper;
447 if (!d_is_dir(index))
450 fh = ovl_get_fh(index, OVL_XATTR_UPPER);
451 if (IS_ERR_OR_NULL(fh))
454 upper = ovl_decode_fh(fh, ofs->upper_mnt);
457 if (IS_ERR_OR_NULL(upper))
458 return upper ?: ERR_PTR(-ESTALE);
460 if (!d_is_dir(upper)) {
461 pr_warn_ratelimited("overlayfs: invalid index upper (%pd2, upper=%pd2).\n",
464 return ERR_PTR(-EIO);
470 /* Is this a leftover from create/whiteout of directory index entry? */
471 static bool ovl_is_temp_index(struct dentry *index)
473 return index->d_name.name[0] == '#';
477 * Verify that an index entry name matches the origin file handle stored in
478 * OVL_XATTR_ORIGIN and that origin file handle can be decoded to lower path.
479 * Return 0 on match, -ESTALE on mismatch or stale origin, < 0 on error.
481 int ovl_verify_index(struct ovl_fs *ofs, struct dentry *index)
483 struct ovl_fh *fh = NULL;
485 struct ovl_path origin = { };
486 struct ovl_path *stack = &origin;
487 struct dentry *upper = NULL;
493 /* Cleanup leftover from index create/cleanup attempt */
495 if (ovl_is_temp_index(index))
499 if (index->d_name.len < sizeof(struct ovl_fh)*2)
503 len = index->d_name.len / 2;
504 fh = kzalloc(len, GFP_KERNEL);
509 if (hex2bin((u8 *)fh, index->d_name.name, len))
512 err = ovl_check_fh_len(fh, len);
517 * Whiteout index entries are used as an indication that an exported
518 * overlay file handle should be treated as stale (i.e. after unlink
519 * of the overlay inode). These entries contain no origin xattr.
521 if (ovl_is_whiteout(index))
525 * Verifying directory index entries are not stale is expensive, so
526 * only verify stale dir index if NFS export is enabled.
528 if (d_is_dir(index) && !ofs->config.nfs_export)
532 * Directory index entries should have 'upper' xattr pointing to the
533 * real upper dir. Non-dir index entries are hardlinks to the upper
534 * real inode. For non-dir index, we can read the copy up origin xattr
535 * directly from the index dentry, but for dir index we first need to
536 * decode the upper directory.
538 upper = ovl_index_upper(ofs, index);
539 if (IS_ERR_OR_NULL(upper)) {
540 err = PTR_ERR(upper);
542 * Directory index entries with no 'upper' xattr need to be
543 * removed. When dir index entry has a stale 'upper' xattr,
544 * we assume that upper dir was removed and we treat the dir
545 * index as orphan entry that needs to be whited out.
554 err = ovl_verify_fh(upper, OVL_XATTR_ORIGIN, fh);
559 /* Check if non-dir index is orphan and don't warn before cleaning it */
560 if (!d_is_dir(index) && d_inode(index)->i_nlink == 1) {
561 err = ovl_check_origin_fh(ofs, fh, index, &stack);
565 if (ovl_get_nlink(origin.dentry, index, 0) == 0)
575 pr_warn_ratelimited("overlayfs: failed to verify index (%pd2, ftype=%x, err=%i)\n",
576 index, d_inode(index)->i_mode & S_IFMT, err);
580 pr_warn_ratelimited("overlayfs: orphan index entry (%pd2, ftype=%x, nlink=%u)\n",
581 index, d_inode(index)->i_mode & S_IFMT,
582 d_inode(index)->i_nlink);
587 static int ovl_get_index_name_fh(struct ovl_fh *fh, struct qstr *name)
591 n = kzalloc(fh->len * 2, GFP_KERNEL);
595 s = bin2hex(n, fh, fh->len);
596 *name = (struct qstr) QSTR_INIT(n, s - n);
603 * Lookup in indexdir for the index entry of a lower real inode or a copy up
604 * origin inode. The index entry name is the hex representation of the lower
607 * If the index dentry in negative, then either no lower aliases have been
608 * copied up yet, or aliases have been copied up in older kernels and are
611 * If the index dentry for a copy up origin inode is positive, but points
612 * to an inode different than the upper inode, then either the upper inode
613 * has been copied up and not indexed or it was indexed, but since then
614 * index dir was cleared. Either way, that index cannot be used to indentify
617 int ovl_get_index_name(struct dentry *origin, struct qstr *name)
622 fh = ovl_encode_fh(origin, false);
626 err = ovl_get_index_name_fh(fh, name);
632 /* Lookup index by file handle for NFS export */
633 struct dentry *ovl_get_index_fh(struct ovl_fs *ofs, struct ovl_fh *fh)
635 struct dentry *index;
639 err = ovl_get_index_name_fh(fh, &name);
643 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
646 if (PTR_ERR(index) == -ENOENT)
651 if (d_is_negative(index))
653 else if (ovl_is_whiteout(index))
655 else if (ovl_dentry_weird(index))
664 static struct dentry *ovl_lookup_index(struct dentry *dentry,
665 struct dentry *upper,
666 struct dentry *origin)
668 struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
669 struct dentry *index;
672 bool is_dir = d_is_dir(origin);
675 err = ovl_get_index_name(origin, &name);
679 index = lookup_one_len_unlocked(name.name, ofs->indexdir, name.len);
681 err = PTR_ERR(index);
682 if (err == -ENOENT) {
686 pr_warn_ratelimited("overlayfs: failed inode index lookup (ino=%lu, key=%*s, err=%i);\n"
687 "overlayfs: mount with '-o index=off' to disable inodes index.\n",
688 d_inode(origin)->i_ino, name.len, name.name,
693 inode = d_inode(index);
694 if (d_is_negative(index)) {
696 } else if (ovl_dentry_weird(index) || ovl_is_whiteout(index) ||
697 ((inode->i_mode ^ d_inode(origin)->i_mode) & S_IFMT)) {
699 * Index should always be of the same file type as origin
700 * except for the case of a whiteout index. A whiteout
701 * index should only exist if all lower aliases have been
702 * unlinked, which means that finding a lower origin on lookup
703 * whose index is a whiteout should be treated as an error.
705 pr_warn_ratelimited("overlayfs: bad index found (index=%pd2, ftype=%x, origin ftype=%x).\n",
706 index, d_inode(index)->i_mode & S_IFMT,
707 d_inode(origin)->i_mode & S_IFMT);
711 pr_warn_ratelimited("overlayfs: suspected uncovered redirected dir found (origin=%pd2, index=%pd2).\n",
716 /* Verify that dir index 'upper' xattr points to upper dir */
717 err = ovl_verify_upper(index, upper, false);
719 if (err == -ESTALE) {
720 pr_warn_ratelimited("overlayfs: suspected multiply redirected dir found (upper=%pd2, origin=%pd2, index=%pd2).\n",
721 upper, origin, index);
725 } else if (upper && d_inode(upper) != inode) {
739 index = ERR_PTR(-EIO);
744 * Returns next layer in stack starting from top.
745 * Returns -1 if this is the last layer.
747 int ovl_path_next(int idx, struct dentry *dentry, struct path *path)
749 struct ovl_entry *oe = dentry->d_fsdata;
753 ovl_path_upper(dentry, path);
755 return oe->numlower ? 1 : -1;
758 BUG_ON(idx > oe->numlower);
759 path->dentry = oe->lowerstack[idx - 1].dentry;
760 path->mnt = oe->lowerstack[idx - 1].layer->mnt;
762 return (idx < oe->numlower) ? idx + 1 : -1;
765 /* Fix missing 'origin' xattr */
766 static int ovl_fix_origin(struct dentry *dentry, struct dentry *lower,
767 struct dentry *upper)
771 if (ovl_check_origin_xattr(upper))
774 err = ovl_want_write(dentry);
778 err = ovl_set_origin(dentry, lower, upper);
780 err = ovl_set_impure(dentry->d_parent, upper->d_parent);
782 ovl_drop_write(dentry);
786 struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
789 struct ovl_entry *oe;
790 const struct cred *old_cred;
791 struct ovl_fs *ofs = dentry->d_sb->s_fs_info;
792 struct ovl_entry *poe = dentry->d_parent->d_fsdata;
793 struct ovl_entry *roe = dentry->d_sb->s_root->d_fsdata;
794 struct ovl_path *stack = NULL;
795 struct dentry *upperdir, *upperdentry = NULL;
796 struct dentry *origin = NULL;
797 struct dentry *index = NULL;
798 unsigned int ctr = 0;
799 struct inode *inode = NULL;
800 bool upperopaque = false;
801 char *upperredirect = NULL;
805 struct ovl_lookup_data d = {
806 .name = dentry->d_name,
810 .last = !poe->numlower,
814 if (dentry->d_name.len > ofs->namelen)
815 return ERR_PTR(-ENAMETOOLONG);
817 old_cred = ovl_override_creds(dentry->d_sb);
818 upperdir = ovl_dentry_upper(dentry->d_parent);
820 err = ovl_lookup_layer(upperdir, &d, &upperdentry);
824 if (upperdentry && unlikely(ovl_dentry_remote(upperdentry))) {
829 if (upperdentry && !d.is_dir) {
830 BUG_ON(!d.stop || d.redirect);
832 * Lookup copy up origin by decoding origin file handle.
833 * We may get a disconnected dentry, which is fine,
834 * because we only need to hold the origin inode in
835 * cache and use its inode number. We may even get a
836 * connected dentry, that is not under any of the lower
837 * layers root. That is also fine for using it's inode
838 * number - it's the same as if we held a reference
839 * to a dentry in lower layer that was moved under us.
841 err = ovl_check_origin(ofs, upperdentry, &stack, &ctr);
848 upperredirect = kstrdup(d.redirect, GFP_KERNEL);
851 if (d.redirect[0] == '/')
854 upperopaque = d.opaque;
857 if (!d.stop && poe->numlower) {
859 stack = kcalloc(ofs->numlower, sizeof(struct ovl_path),
865 for (i = 0; !d.stop && i < poe->numlower; i++) {
866 struct ovl_path lower = poe->lowerstack[i];
868 d.last = i == poe->numlower - 1;
869 err = ovl_lookup_layer(lower.dentry, &d, &this);
877 * If no origin fh is stored in upper of a merge dir, store fh
878 * of lower dir and set upper parent "impure".
880 if (upperdentry && !ctr && !ofs->noxattr) {
881 err = ovl_fix_origin(dentry, this, upperdentry);
889 * When "verify_lower" feature is enabled, do not merge with a
890 * lower dir that does not match a stored origin xattr. In any
891 * case, only verified origin is used for index lookup.
893 if (upperdentry && !ctr && ovl_verify_lower(dentry->d_sb)) {
894 err = ovl_verify_origin(upperdentry, this, false);
900 /* Bless lower dir as verified origin */
904 stack[ctr].dentry = this;
905 stack[ctr].layer = lower.layer;
912 * Following redirects can have security consequences: it's like
913 * a symlink into the lower layer without the permission checks.
914 * This is only a problem if the upper layer is untrusted (e.g
915 * comes from an USB drive). This can allow a non-readable file
916 * or directory to become readable.
918 * Only following redirects when redirects are enabled disables
919 * this attack vector when not necessary.
922 if (d.redirect && !ofs->config.redirect_follow) {
923 pr_warn_ratelimited("overlayfs: refusing to follow redirect for (%pd2)\n",
928 if (d.redirect && d.redirect[0] == '/' && poe != roe) {
930 /* Find the current layer on the root dentry */
931 i = lower.layer->idx - 1;
936 * Lookup index by lower inode and verify it matches upper inode.
937 * We only trust dir index if we verified that lower dir matches
938 * origin, otherwise dir index entries may be inconsistent and we
939 * ignore them. Always lookup index of non-dir and non-upper.
941 if (ctr && (!upperdentry || !d.is_dir))
942 origin = stack[0].dentry;
944 if (origin && ovl_indexdir(dentry->d_sb) &&
945 (!d.is_dir || ovl_index_all(dentry->d_sb))) {
946 index = ovl_lookup_index(dentry, upperdentry, origin);
948 err = PTR_ERR(index);
954 oe = ovl_alloc_entry(ctr);
959 memcpy(oe->lowerstack, stack, sizeof(struct ovl_path) * ctr);
960 dentry->d_fsdata = oe;
963 ovl_dentry_set_opaque(dentry);
966 ovl_dentry_set_upper_alias(dentry);
968 upperdentry = dget(index);
970 if (upperdentry || ctr) {
971 inode = ovl_get_inode(dentry->d_sb, upperdentry, origin, index,
973 err = PTR_ERR(inode);
977 OVL_I(inode)->redirect = upperredirect;
979 ovl_set_flag(OVL_INDEX, inode);
982 revert_creds(old_cred);
986 return d_splice_alias(inode, dentry);
989 dentry->d_fsdata = NULL;
993 for (i = 0; i < ctr; i++)
994 dput(stack[i].dentry);
998 kfree(upperredirect);
1001 revert_creds(old_cred);
1002 return ERR_PTR(err);
1005 bool ovl_lower_positive(struct dentry *dentry)
1007 struct ovl_entry *poe = dentry->d_parent->d_fsdata;
1008 const struct qstr *name = &dentry->d_name;
1009 const struct cred *old_cred;
1011 bool positive = false;
1015 * If dentry is negative, then lower is positive iff this is a
1018 if (!dentry->d_inode)
1019 return ovl_dentry_is_opaque(dentry);
1021 /* Negative upper -> positive lower */
1022 if (!ovl_dentry_upper(dentry))
1025 old_cred = ovl_override_creds(dentry->d_sb);
1026 /* Positive upper -> have to look up lower to see whether it exists */
1027 for (i = 0; !done && !positive && i < poe->numlower; i++) {
1028 struct dentry *this;
1029 struct dentry *lowerdir = poe->lowerstack[i].dentry;
1031 this = lookup_one_len_unlocked(name->name, lowerdir,
1034 switch (PTR_ERR(this)) {
1041 * Assume something is there, we just couldn't
1048 if (this->d_inode) {
1049 positive = !ovl_is_whiteout(this);
1055 revert_creds(old_cred);