ovl: Provide a mount option metacopy=on/off for metadata copyup

By default metadata only copy up is disabled. Provide a mount option so that users can choose one way or other. Also provide a kernel config and module option to enable/disable metacopy feature. metacopy feature requires redirect_dir=on when upper is present. Otherwise, it requires redirect_dir=follow atleast. As of now, metacopy does not work with nfs_export=on. So if both metacopy=on and nfs_export=on then nfs_export is disabled. Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
author: Vivek Goyal <vgoyal@redhat.com> 2018-05-11 11:49:27 -0400
committer: Miklos Szeredi <mszeredi@redhat.com> 2018-07-20 03:56:06 -0400
commit: d5791044d2e5749ef4de84161cec5532e2111540 (patch)
tree: 3abb05f2e56381c9d591b8f74bc838836ef4f6fd /Documentation/filesystems
parent: d6eac039133b31f9db1c63d2e51b88df61d075cc (diff)
1 files changed, 29 insertions, 1 deletions
diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt
index c2c71be75e3d..51c136c821bf 100644
--- a/Documentation/filesystems/overlayfs.txt
+++ b/Documentation/filesystems/overlayfs.txt
@@ -262,6 +262,30 @@ rightmost one and going left.  In the above example lower1 will be the
 top, lower2 the middle and lower3 the bottom layer.
+Metadata only copy up
+--------------------
+When metadata only copy up feature is enabled, overlayfs will only copy
+up metadata (as opposed to whole file), when a metadata specific operation
+like chown/chmod is performed. Full file will be copied up later when
+file is opened for WRITE operation.
+In other words, this is delayed data copy up operation and data is copied
+up when there is a need to actually modify data.
+There are multiple ways to enable/disable this feature. A config option
+CONFIG_OVERLAY_FS_METACOPY can be set/unset to enable/disable this feature
+by default. Or one can enable/disable it at module load time with module
+parameter metacopy=on/off. Lastly, there is also a per mount option
+metacopy=on/off to enable/disable this feature per mount.
+Do not use metacopy=on with untrusted upper/lower directories. Otherwise
+it is possible that an attacker can create a handcrafted file with
+appropriate REDIRECT and METACOPY xattrs, and gain access to file on lower
+pointed by REDIRECT. This should not be possible on local system as setting
+"trusted." xattrs will require CAP_SYS_ADMIN. But it should be possible
+for untrusted layers like from a pen drive.
 Sharing and copying layers
 --------------------------
@@ -280,7 +304,7 @@ though it will not result in a crash or deadlock.
 Mounting an overlay using an upper layer path, where the upper layer path
 was previously used by another mounted overlay in combination with a
 different lower layer path, is allowed, unless the "inodes index" feature
-is enabled.
+or "metadata only copy up" feature is enabled.
 With the "inodes index" feature, on the first time mount, an NFS file
 handle of the lower layer root directory, along with the UUID of the lower
@@ -293,6 +317,10 @@ lower root origin, mount will fail with ESTALE.  An overlayfs mount with
 does not support NFS export, lower filesystem does not have a valid UUID or
 if the upper filesystem does not support extended attributes.
+For "metadata only copy up" feature there is no verification mechanism at
+mount time. So if same upper is mounted with different set of lower, mount
+probably will succeed but expect the unexpected later on. So don't do it.
 It is quite a common practice to copy overlay layers to a different
 directory tree on the same or different underlying filesystem, and even
 to a different machine.  With the "inodes index" feature, trying to mount
author	Vivek Goyal <vgoyal@redhat.com>	2018-05-11 11:49:27 -0400
committer	Miklos Szeredi <mszeredi@redhat.com>	2018-07-20 03:56:06 -0400
commit	d5791044d2e5749ef4de84161cec5532e2111540 (patch)
tree	3abb05f2e56381c9d591b8f74bc838836ef4f6fd /Documentation/filesystems
parent	d6eac039133b31f9db1c63d2e51b88df61d075cc (diff)

diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt index c2c71be75e3d..51c136c821bf 100644 --- a/Documentation/filesystems/overlayfs.txt +++ b/Documentation/filesystems/overlayfs.txt
@@ -262,6 +262,30 @@ rightmost one and going left. In the above example lower1 will be the
262	top, lower2 the middle and lower3 the bottom layer.	262	top, lower2 the middle and lower3 the bottom layer.
263		263
264		264
		265	Metadata only copy up
		266	--------------------
		267
		268	When metadata only copy up feature is enabled, overlayfs will only copy
		269	up metadata (as opposed to whole file), when a metadata specific operation
		270	like chown/chmod is performed. Full file will be copied up later when
		271	file is opened for WRITE operation.
		272
		273	In other words, this is delayed data copy up operation and data is copied
		274	up when there is a need to actually modify data.
		275
		276	There are multiple ways to enable/disable this feature. A config option
		277	CONFIG_OVERLAY_FS_METACOPY can be set/unset to enable/disable this feature
		278	by default. Or one can enable/disable it at module load time with module
		279	parameter metacopy=on/off. Lastly, there is also a per mount option
		280	metacopy=on/off to enable/disable this feature per mount.
		281
		282	Do not use metacopy=on with untrusted upper/lower directories. Otherwise
		283	it is possible that an attacker can create a handcrafted file with
		284	appropriate REDIRECT and METACOPY xattrs, and gain access to file on lower
		285	pointed by REDIRECT. This should not be possible on local system as setting
		286	"trusted." xattrs will require CAP_SYS_ADMIN. But it should be possible
		287	for untrusted layers like from a pen drive.
		288
265	Sharing and copying layers	289	Sharing and copying layers
266	--------------------------	290	--------------------------
267		291
@@ -280,7 +304,7 @@ though it will not result in a crash or deadlock.
280	Mounting an overlay using an upper layer path, where the upper layer path	304	Mounting an overlay using an upper layer path, where the upper layer path
281	was previously used by another mounted overlay in combination with a	305	was previously used by another mounted overlay in combination with a
282	different lower layer path, is allowed, unless the "inodes index" feature	306	different lower layer path, is allowed, unless the "inodes index" feature
283	is enabled.	307	or "metadata only copy up" feature is enabled.
284		308
285	With the "inodes index" feature, on the first time mount, an NFS file	309	With the "inodes index" feature, on the first time mount, an NFS file
286	handle of the lower layer root directory, along with the UUID of the lower	310	handle of the lower layer root directory, along with the UUID of the lower
@@ -293,6 +317,10 @@ lower root origin, mount will fail with ESTALE. An overlayfs mount with
293	does not support NFS export, lower filesystem does not have a valid UUID or	317	does not support NFS export, lower filesystem does not have a valid UUID or
294	if the upper filesystem does not support extended attributes.	318	if the upper filesystem does not support extended attributes.
295		319
		320	For "metadata only copy up" feature there is no verification mechanism at
		321	mount time. So if same upper is mounted with different set of lower, mount
		322	probably will succeed but expect the unexpected later on. So don't do it.
		323
296	It is quite a common practice to copy overlay layers to a different	324	It is quite a common practice to copy overlay layers to a different
297	directory tree on the same or different underlying filesystem, and even	325	directory tree on the same or different underlying filesystem, and even
298	to a different machine. With the "inodes index" feature, trying to mount	326	to a different machine. With the "inodes index" feature, trying to mount