ovl: Support escaped overlay.* xattrs

There are cases where you want to use an overlayfs mount as a lowerdir
for another overlayfs mount. For example, if the system rootfs is on
overlayfs due to composefs, or to make it volatile (via tmps), then
you cannot currently store a lowerdir on the rootfs. This means you
can't e.g. store on the rootfs a prepared container image for use
using overlayfs.

To work around this, we introduce an escapment mechanism for overlayfs
xattrs. Whenever the lower/upper dir has a xattr named
"overlay.overlay.XYZ", we list it as "overlay.XYZ" in listxattrs, and
when the user calls getxattr or setxattr on "overlay.XYZ", we apply to
"overlay.overlay.XYZ" in the backing directories.

This allows storing any kind of overlay xattrs in a overlayfs mount
that can be used as a lowerdir in another mount. It is possible to
stack this mechanism multiple times, such that
"overlay.overlay.overlay.XYZ" will survive two levels of overlay mounts,
however this is not all that useful in practice because of stack depth
limitations of overlayfs mounts.

Note: These escaped xattrs are copied to upper during copy-up.

Signed-off-by: Alexander Larsson <alexl@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>

diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index 1c0ad84646e86db2325b0a0cd97ef9d4786a5647..393c6ba9bffa1ca38eb650116c545845a75d0547 100644 (file)
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -32,6 +32,13 @@ enum ovl_path_type {
 #define OVL_XATTR_USER_PREFIX XATTR_USER_PREFIX OVL_XATTR_NAMESPACE
 #define OVL_XATTR_USER_PREFIX_LEN (sizeof(OVL_XATTR_USER_PREFIX) - 1)
 
+#define OVL_XATTR_ESCAPE_PREFIX OVL_XATTR_NAMESPACE
+#define OVL_XATTR_ESCAPE_PREFIX_LEN (sizeof(OVL_XATTR_ESCAPE_PREFIX) - 1)
+#define OVL_XATTR_ESCAPE_TRUSTED_PREFIX OVL_XATTR_TRUSTED_PREFIX OVL_XATTR_ESCAPE_PREFIX
+#define OVL_XATTR_ESCAPE_TRUSTED_PREFIX_LEN (sizeof(OVL_XATTR_ESCAPE_TRUSTED_PREFIX) - 1)
+#define OVL_XATTR_ESCAPE_USER_PREFIX OVL_XATTR_USER_PREFIX OVL_XATTR_ESCAPE_PREFIX
+#define OVL_XATTR_ESCAPE_USER_PREFIX_LEN (sizeof(OVL_XATTR_ESCAPE_USER_PREFIX) - 1)
+
 enum ovl_xattr {
        OVL_XATTR_OPAQUE,
        OVL_XATTR_REDIRECT,

diff --git a/fs/overlayfs/xattrs.c b/fs/overlayfs/xattrs.c
index d20032f8a53734b377ae982eff0ddf9177ff39ea..383978e4663c2aec42a694e609ff32177ba24ed4 100644 (file)
--- a/fs/overlayfs/xattrs.c
+++ b/fs/overlayfs/xattrs.c
@@ -4,7 +4,19 @@
 #include <linux/xattr.h>
 #include "overlayfs.h"
 
-bool ovl_is_private_xattr(struct super_block *sb, const char *name)
+static bool ovl_is_escaped_xattr(struct super_block *sb, const char *name)
+{
+       struct ovl_fs *ofs = sb->s_fs_info;
+
+       if (ofs->config.userxattr)
+               return strncmp(name, OVL_XATTR_ESCAPE_USER_PREFIX,
+                              OVL_XATTR_ESCAPE_USER_PREFIX_LEN) == 0;
+       else
+               return strncmp(name, OVL_XATTR_ESCAPE_TRUSTED_PREFIX,
+                              OVL_XATTR_ESCAPE_TRUSTED_PREFIX_LEN - 1) == 0;
+}
+
+static bool ovl_is_own_xattr(struct super_block *sb, const char *name)
 {
        struct ovl_fs *ofs = OVL_FS(sb);
 
@@ -16,6 +28,11 @@ bool ovl_is_private_xattr(struct super_block *sb, const char *name)
                               OVL_XATTR_TRUSTED_PREFIX_LEN) == 0;
 }
 
+bool ovl_is_private_xattr(struct super_block *sb, const char *name)
+{
+       return ovl_is_own_xattr(sb, name) && !ovl_is_escaped_xattr(sb, name);
+}
+
 static int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name,
                         const void *value, size_t size, int flags)
 {
@@ -95,10 +112,12 @@ static bool ovl_can_list(struct super_block *sb, const char *s)
 ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
 {
        struct dentry *realdentry = ovl_dentry_real(dentry);
+       struct ovl_fs *ofs = OVL_FS(dentry->d_sb);
        ssize_t res;
        size_t len;
        char *s;
        const struct cred *old_cred;
+       size_t prefix_len, name_len;
 
        old_cred = ovl_override_creds(dentry->d_sb);
        res = vfs_listxattr(realdentry, list, size);
@@ -106,6 +125,9 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
        if (res <= 0 || size == 0)
                return res;
 
+       prefix_len = ofs->config.userxattr ?
+               OVL_XATTR_USER_PREFIX_LEN : OVL_XATTR_TRUSTED_PREFIX_LEN;
+
        /* filter out private xattrs */
        for (s = list, len = res; len;) {
                size_t slen = strnlen(s, len) + 1;
@@ -118,6 +140,12 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
                if (!ovl_can_list(dentry->d_sb, s)) {
                        res -= slen;
                        memmove(s, s + slen, len);
+               } else if (ovl_is_escaped_xattr(dentry->d_sb, s)) {
+                       res -= OVL_XATTR_ESCAPE_PREFIX_LEN;
+                       name_len = slen - prefix_len - OVL_XATTR_ESCAPE_PREFIX_LEN;
+                       s += prefix_len;
+                       memmove(s, s + OVL_XATTR_ESCAPE_PREFIX_LEN, name_len + len);
+                       s += name_len;
                } else {
                        s += slen;
                }
@@ -126,11 +154,47 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size)
        return res;
 }
 
+static char *ovl_xattr_escape_name(const char *prefix, const char *name)
+{
+       size_t prefix_len = strlen(prefix);
+       size_t name_len = strlen(name);
+       size_t escaped_len;
+       char *escaped, *s;
+
+       escaped_len = prefix_len + OVL_XATTR_ESCAPE_PREFIX_LEN + name_len;
+       if (escaped_len > XATTR_NAME_MAX)
+               return ERR_PTR(-EOPNOTSUPP);
+
+       escaped = kmalloc(escaped_len + 1, GFP_KERNEL);
+       if (escaped == NULL)
+               return ERR_PTR(-ENOMEM);
+
+       s = escaped;
+       memcpy(s, prefix, prefix_len);
+       s += prefix_len;
+       memcpy(s, OVL_XATTR_ESCAPE_PREFIX, OVL_XATTR_ESCAPE_PREFIX_LEN);
+       s += OVL_XATTR_ESCAPE_PREFIX_LEN;
+       memcpy(s, name, name_len + 1);
+
+       return escaped;
+}
+
 static int ovl_own_xattr_get(const struct xattr_handler *handler,
                             struct dentry *dentry, struct inode *inode,
                             const char *name, void *buffer, size_t size)
 {
-       return -EOPNOTSUPP;
+       char *escaped;
+       int r;
+
+       escaped = ovl_xattr_escape_name(handler->prefix, name);
+       if (IS_ERR(escaped))
+               return PTR_ERR(escaped);
+
+       r = ovl_xattr_get(dentry, inode, escaped, buffer, size);
+
+       kfree(escaped);
+
+       return r;
 }
 
 static int ovl_own_xattr_set(const struct xattr_handler *handler,
@@ -139,7 +203,18 @@ static int ovl_own_xattr_set(const struct xattr_handler *handler,
                             const char *name, const void *value,
                             size_t size, int flags)
 {
-       return -EOPNOTSUPP;
+       char *escaped;
+       int r;
+
+       escaped = ovl_xattr_escape_name(handler->prefix, name);
+       if (IS_ERR(escaped))
+               return PTR_ERR(escaped);
+
+       r = ovl_xattr_set(dentry, inode, escaped, value, size, flags);
+
+       kfree(escaped);
+
+       return r;
 }
 
 static int ovl_other_xattr_get(const struct xattr_handler *handler,