1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Provide a way to create a superblock configuration context within the kernel
3 * that allows a superblock to be set up prior to mounting.
4 *
5 * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
6 * Written by David Howells (dhowells@redhat.com)
7 */
8
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 #include <linux/module.h>
11 #include <linux/fs_context.h>
12 #include <linux/fs_parser.h>
13 #include <linux/fs.h>
14 #include <linux/mount.h>
15 #include <linux/nsproxy.h>
16 #include <linux/slab.h>
17 #include <linux/magic.h>
18 #include <linux/security.h>
19 #include <linux/mnt_namespace.h>
20 #include <linux/pid_namespace.h>
21 #include <linux/user_namespace.h>
22 #include <net/net_namespace.h>
23 #include <asm/sections.h>
24 #include "mount.h"
25 #include "internal.h"
26
27 static const struct constant_table common_set_sb_flag[] = {
28 { "dirsync", SB_DIRSYNC },
29 { "lazytime", SB_LAZYTIME },
30 { "mand", SB_MANDLOCK },
31 { "ro", SB_RDONLY },
32 { "sync", SB_SYNCHRONOUS },
33 { },
34 };
35
36 static const struct constant_table common_clear_sb_flag[] = {
37 { "async", SB_SYNCHRONOUS },
38 { "nolazytime", SB_LAZYTIME },
39 { "nomand", SB_MANDLOCK },
40 { "rw", SB_RDONLY },
41 { },
42 };
43
44 /*
45 * Check for a common mount option that manipulates s_flags.
46 */
vfs_parse_sb_flag(struct fs_context * fc,const char * key)47 static int vfs_parse_sb_flag(struct fs_context *fc, const char *key)
48 {
49 unsigned int token;
50
51 token = lookup_constant(common_set_sb_flag, key, 0);
52 if (token) {
53 fc->sb_flags |= token;
54 fc->sb_flags_mask |= token;
55 return 0;
56 }
57
58 token = lookup_constant(common_clear_sb_flag, key, 0);
59 if (token) {
60 fc->sb_flags &= ~token;
61 fc->sb_flags_mask |= token;
62 return 0;
63 }
64
65 return -ENOPARAM;
66 }
67
68 /**
69 * vfs_parse_fs_param_source - Handle setting "source" via parameter
70 * @fc: The filesystem context to modify
71 * @param: The parameter
72 *
73 * This is a simple helper for filesystems to verify that the "source" they
74 * accept is sane.
75 *
76 * Returns 0 on success, -ENOPARAM if this is not "source" parameter, and
77 * -EINVAL otherwise. In the event of failure, supplementary error information
78 * is logged.
79 */
vfs_parse_fs_param_source(struct fs_context * fc,struct fs_parameter * param)80 int vfs_parse_fs_param_source(struct fs_context *fc, struct fs_parameter *param)
81 {
82 if (strcmp(param->key, "source") != 0)
83 return -ENOPARAM;
84
85 if (param->type != fs_value_is_string)
86 return invalf(fc, "Non-string source");
87
88 if (fc->source)
89 return invalf(fc, "Multiple sources");
90
91 fc->source = param->string;
92 param->string = NULL;
93 return 0;
94 }
95 EXPORT_SYMBOL(vfs_parse_fs_param_source);
96
97 /**
98 * vfs_parse_fs_param - Add a single parameter to a superblock config
99 * @fc: The filesystem context to modify
100 * @param: The parameter
101 *
102 * A single mount option in string form is applied to the filesystem context
103 * being set up. Certain standard options (for example "ro") are translated
104 * into flag bits without going to the filesystem. The active security module
105 * is allowed to observe and poach options. Any other options are passed over
106 * to the filesystem to parse.
107 *
108 * This may be called multiple times for a context.
109 *
110 * Returns 0 on success and a negative error code on failure. In the event of
111 * failure, supplementary error information may have been set.
112 */
vfs_parse_fs_param(struct fs_context * fc,struct fs_parameter * param)113 int vfs_parse_fs_param(struct fs_context *fc, struct fs_parameter *param)
114 {
115 int ret;
116
117 if (!param->key)
118 return invalf(fc, "Unnamed parameter\n");
119
120 ret = vfs_parse_sb_flag(fc, param->key);
121 if (ret != -ENOPARAM)
122 return ret;
123
124 ret = security_fs_context_parse_param(fc, param);
125 if (ret != -ENOPARAM)
126 /* Param belongs to the LSM or is disallowed by the LSM; so
127 * don't pass to the FS.
128 */
129 return ret;
130
131 if (fc->ops->parse_param) {
132 ret = fc->ops->parse_param(fc, param);
133 if (ret != -ENOPARAM)
134 return ret;
135 }
136
137 /* If the filesystem doesn't take any arguments, give it the
138 * default handling of source.
139 */
140 ret = vfs_parse_fs_param_source(fc, param);
141 if (ret != -ENOPARAM)
142 return ret;
143
144 return invalf(fc, "%s: Unknown parameter '%s'",
145 fc->fs_type->name, param->key);
146 }
147 EXPORT_SYMBOL(vfs_parse_fs_param);
148
149 /**
150 * vfs_parse_fs_qstr - Convenience function to just parse a string.
151 * @fc: Filesystem context.
152 * @key: Parameter name.
153 * @value: Default value.
154 */
vfs_parse_fs_qstr(struct fs_context * fc,const char * key,const struct qstr * value)155 int vfs_parse_fs_qstr(struct fs_context *fc, const char *key,
156 const struct qstr *value)
157 {
158 int ret;
159
160 struct fs_parameter param = {
161 .key = key,
162 .type = fs_value_is_flag,
163 .size = value ? value->len : 0,
164 };
165
166 if (value) {
167 param.string = kmemdup_nul(value->name, value->len, GFP_KERNEL);
168 if (!param.string)
169 return -ENOMEM;
170 param.type = fs_value_is_string;
171 }
172
173 ret = vfs_parse_fs_param(fc, ¶m);
174 kfree(param.string);
175 return ret;
176 }
177 EXPORT_SYMBOL(vfs_parse_fs_qstr);
178
179 /**
180 * vfs_parse_monolithic_sep - Parse key[=val][,key[=val]]* mount data
181 * @fc: The superblock configuration to fill in.
182 * @data: The data to parse
183 * @sep: callback for separating next option
184 *
185 * Parse a blob of data that's in key[=val][,key[=val]]* form with a custom
186 * option separator callback.
187 *
188 * Returns 0 on success or the error returned by the ->parse_option() fs_context
189 * operation on failure.
190 */
vfs_parse_monolithic_sep(struct fs_context * fc,void * data,char * (* sep)(char **))191 int vfs_parse_monolithic_sep(struct fs_context *fc, void *data,
192 char *(*sep)(char **))
193 {
194 char *options = data, *key;
195 int ret = 0;
196
197 if (!options)
198 return 0;
199
200 ret = security_sb_eat_lsm_opts(options, &fc->security);
201 if (ret)
202 return ret;
203
204 while ((key = sep(&options)) != NULL) {
205 if (*key) {
206 char *value = strchr(key, '=');
207
208 if (value) {
209 if (unlikely(value == key))
210 continue;
211 *value++ = 0;
212 }
213 ret = vfs_parse_fs_string(fc, key, value);
214 if (ret < 0)
215 break;
216 }
217 }
218
219 return ret;
220 }
221 EXPORT_SYMBOL(vfs_parse_monolithic_sep);
222
vfs_parse_comma_sep(char ** s)223 static char *vfs_parse_comma_sep(char **s)
224 {
225 return strsep(s, ",");
226 }
227
228 /**
229 * generic_parse_monolithic - Parse key[=val][,key[=val]]* mount data
230 * @fc: The superblock configuration to fill in.
231 * @data: The data to parse
232 *
233 * Parse a blob of data that's in key[=val][,key[=val]]* form. This can be
234 * called from the ->monolithic_mount_data() fs_context operation.
235 *
236 * Returns 0 on success or the error returned by the ->parse_option() fs_context
237 * operation on failure.
238 */
generic_parse_monolithic(struct fs_context * fc,void * data)239 int generic_parse_monolithic(struct fs_context *fc, void *data)
240 {
241 return vfs_parse_monolithic_sep(fc, data, vfs_parse_comma_sep);
242 }
243 EXPORT_SYMBOL(generic_parse_monolithic);
244
245 /**
246 * alloc_fs_context - Create a filesystem context.
247 * @fs_type: The filesystem type.
248 * @reference: The dentry from which this one derives (or NULL)
249 * @sb_flags: Filesystem/superblock flags (SB_*)
250 * @sb_flags_mask: Applicable members of @sb_flags
251 * @purpose: The purpose that this configuration shall be used for.
252 *
253 * Open a filesystem and create a mount context. The mount context is
254 * initialised with the supplied flags and, if a submount/automount from
255 * another superblock (referred to by @reference) is supplied, may have
256 * parameters such as namespaces copied across from that superblock.
257 */
alloc_fs_context(struct file_system_type * fs_type,struct dentry * reference,unsigned int sb_flags,unsigned int sb_flags_mask,enum fs_context_purpose purpose)258 static struct fs_context *alloc_fs_context(struct file_system_type *fs_type,
259 struct dentry *reference,
260 unsigned int sb_flags,
261 unsigned int sb_flags_mask,
262 enum fs_context_purpose purpose)
263 {
264 struct fs_context *fc;
265 int ret = -ENOMEM;
266
267 fc = kzalloc_obj(struct fs_context, GFP_KERNEL_ACCOUNT);
268 if (!fc)
269 return ERR_PTR(-ENOMEM);
270
271 fc->purpose = purpose;
272 fc->sb_flags = sb_flags;
273 fc->sb_flags_mask = sb_flags_mask;
274 fc->fs_type = get_filesystem(fs_type);
275 fc->cred = get_current_cred();
276 fc->net_ns = get_net(current->nsproxy->net_ns);
277 fc->log.prefix = fs_type->name;
278
279 mutex_init(&fc->uapi_mutex);
280
281 switch (purpose) {
282 case FS_CONTEXT_FOR_MOUNT:
283 fc->user_ns = get_user_ns(fc->cred->user_ns);
284 break;
285 case FS_CONTEXT_FOR_SUBMOUNT:
286 fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
287 break;
288 case FS_CONTEXT_FOR_RECONFIGURE:
289 atomic_inc(&reference->d_sb->s_active);
290 fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
291 fc->root = dget(reference);
292 break;
293 }
294
295 ret = fc->fs_type->init_fs_context(fc);
296 if (ret < 0)
297 goto err_fc;
298 fc->need_free = true;
299 return fc;
300
301 err_fc:
302 put_fs_context(fc);
303 return ERR_PTR(ret);
304 }
305
fs_context_for_mount(struct file_system_type * fs_type,unsigned int sb_flags)306 struct fs_context *fs_context_for_mount(struct file_system_type *fs_type,
307 unsigned int sb_flags)
308 {
309 return alloc_fs_context(fs_type, NULL, sb_flags, 0,
310 FS_CONTEXT_FOR_MOUNT);
311 }
312 EXPORT_SYMBOL(fs_context_for_mount);
313
fs_context_for_reconfigure(struct dentry * dentry,unsigned int sb_flags,unsigned int sb_flags_mask)314 struct fs_context *fs_context_for_reconfigure(struct dentry *dentry,
315 unsigned int sb_flags,
316 unsigned int sb_flags_mask)
317 {
318 return alloc_fs_context(dentry->d_sb->s_type, dentry, sb_flags,
319 sb_flags_mask, FS_CONTEXT_FOR_RECONFIGURE);
320 }
321
322 /**
323 * fs_context_for_submount: allocate a new fs_context for a submount
324 * @type: file_system_type of the new context
325 * @reference: reference dentry from which to copy relevant info
326 *
327 * Allocate a new fs_context suitable for a submount. This also ensures that
328 * the fc->security object is inherited from @reference (if needed).
329 */
fs_context_for_submount(struct file_system_type * type,struct dentry * reference)330 struct fs_context *fs_context_for_submount(struct file_system_type *type,
331 struct dentry *reference)
332 {
333 struct fs_context *fc;
334 int ret;
335
336 fc = alloc_fs_context(type, reference, 0, 0, FS_CONTEXT_FOR_SUBMOUNT);
337 if (IS_ERR(fc))
338 return fc;
339
340 ret = security_fs_context_submount(fc, reference->d_sb);
341 if (ret) {
342 put_fs_context(fc);
343 return ERR_PTR(ret);
344 }
345
346 return fc;
347 }
348 EXPORT_SYMBOL(fs_context_for_submount);
349
fc_drop_locked(struct fs_context * fc)350 void fc_drop_locked(struct fs_context *fc)
351 {
352 struct super_block *sb = fc->root->d_sb;
353 dput(fc->root);
354 fc->root = NULL;
355 deactivate_locked_super(sb);
356 }
357
358 /**
359 * vfs_dup_fs_context - Duplicate a filesystem context.
360 * @src_fc: The context to copy.
361 */
vfs_dup_fs_context(struct fs_context * src_fc)362 struct fs_context *vfs_dup_fs_context(struct fs_context *src_fc)
363 {
364 struct fs_context *fc;
365 int ret;
366
367 if (!src_fc->ops->dup)
368 return ERR_PTR(-EOPNOTSUPP);
369
370 fc = kmemdup(src_fc, sizeof(struct fs_context), GFP_KERNEL);
371 if (!fc)
372 return ERR_PTR(-ENOMEM);
373
374 mutex_init(&fc->uapi_mutex);
375
376 fc->fs_private = NULL;
377 fc->s_fs_info = NULL;
378 fc->source = NULL;
379 fc->security = NULL;
380 get_filesystem(fc->fs_type);
381 get_net(fc->net_ns);
382 get_user_ns(fc->user_ns);
383 get_cred(fc->cred);
384 if (fc->log.log)
385 refcount_inc(&fc->log.log->usage);
386
387 /* Can't call put until we've called ->dup */
388 ret = fc->ops->dup(fc, src_fc);
389 if (ret < 0)
390 goto err_fc;
391
392 ret = security_fs_context_dup(fc, src_fc);
393 if (ret < 0)
394 goto err_fc;
395 return fc;
396
397 err_fc:
398 put_fs_context(fc);
399 return ERR_PTR(ret);
400 }
401 EXPORT_SYMBOL(vfs_dup_fs_context);
402
403 /**
404 * logfc - Log a message to a filesystem context
405 * @log: The filesystem context to log to, or NULL to use printk.
406 * @prefix: A string to prefix the output with, or NULL.
407 * @level: 'w' for a warning, 'e' for an error. Anything else is a notice.
408 * @fmt: The format of the buffer.
409 */
logfc(struct fc_log * log,const char * prefix,char level,const char * fmt,...)410 void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt, ...)
411 {
412 va_list va;
413 struct va_format vaf = {.fmt = fmt, .va = &va};
414
415 va_start(va, fmt);
416 if (!log) {
417 switch (level) {
418 case 'w':
419 printk(KERN_WARNING "%s%s%pV\n", prefix ? prefix : "",
420 prefix ? ": " : "", &vaf);
421 break;
422 case 'e':
423 printk(KERN_ERR "%s%s%pV\n", prefix ? prefix : "",
424 prefix ? ": " : "", &vaf);
425 break;
426 case 'i':
427 printk(KERN_INFO "%s%s%pV\n", prefix ? prefix : "",
428 prefix ? ": " : "", &vaf);
429 break;
430 default:
431 printk(KERN_NOTICE "%s%s%pV\n", prefix ? prefix : "",
432 prefix ? ": " : "", &vaf);
433 break;
434 }
435 } else {
436 unsigned int logsize = ARRAY_SIZE(log->buffer);
437 u8 index;
438 char *q = kasprintf(GFP_KERNEL, "%c %s%s%pV\n", level,
439 prefix ? prefix : "",
440 prefix ? ": " : "", &vaf);
441
442 index = log->head & (logsize - 1);
443 BUILD_BUG_ON(sizeof(log->head) != sizeof(u8) ||
444 sizeof(log->tail) != sizeof(u8));
445 if ((u8)(log->head - log->tail) == logsize) {
446 /* The buffer is full, discard the oldest message */
447 if (log->need_free & (1 << index))
448 kfree(log->buffer[index]);
449 log->tail++;
450 }
451
452 log->buffer[index] = q ? q : "OOM: Can't store error string";
453 if (q)
454 log->need_free |= 1 << index;
455 else
456 log->need_free &= ~(1 << index);
457 log->head++;
458 }
459 va_end(va);
460 }
461 EXPORT_SYMBOL(logfc);
462
463 /*
464 * Free a logging structure.
465 */
put_fc_log(struct fs_context * fc)466 static void put_fc_log(struct fs_context *fc)
467 {
468 struct fc_log *log = fc->log.log;
469 int i;
470
471 if (log) {
472 if (refcount_dec_and_test(&log->usage)) {
473 fc->log.log = NULL;
474 for (i = 0; i < ARRAY_SIZE(log->buffer) ; i++)
475 if (log->need_free & (1 << i))
476 kfree(log->buffer[i]);
477 kfree(log);
478 }
479 }
480 }
481
482 /**
483 * put_fs_context - Dispose of a superblock configuration context.
484 * @fc: The context to dispose of.
485 */
put_fs_context(struct fs_context * fc)486 void put_fs_context(struct fs_context *fc)
487 {
488 struct super_block *sb;
489
490 if (fc->root) {
491 sb = fc->root->d_sb;
492 dput(fc->root);
493 fc->root = NULL;
494 deactivate_super(sb);
495 }
496
497 if (fc->need_free && fc->ops && fc->ops->free)
498 fc->ops->free(fc);
499
500 security_free_mnt_opts(&fc->security);
501 put_net(fc->net_ns);
502 put_user_ns(fc->user_ns);
503 put_cred(fc->cred);
504 put_fc_log(fc);
505 put_filesystem(fc->fs_type);
506 kfree(fc->source);
507 kfree(fc);
508 }
509 EXPORT_SYMBOL(put_fs_context);
510
parse_monolithic_mount_data(struct fs_context * fc,void * data)511 int parse_monolithic_mount_data(struct fs_context *fc, void *data)
512 {
513 int (*monolithic_mount_data)(struct fs_context *, void *);
514
515 monolithic_mount_data = fc->ops->parse_monolithic;
516 if (!monolithic_mount_data)
517 monolithic_mount_data = generic_parse_monolithic;
518
519 return monolithic_mount_data(fc, data);
520 }
521
522 /*
523 * Clean up a context after performing an action on it and put it into a state
524 * from where it can be used to reconfigure a superblock.
525 *
526 * Note that here we do only the parts that can't fail; the rest is in
527 * finish_clean_context() below and in between those fs_context is marked
528 * FS_CONTEXT_AWAITING_RECONF. The reason for splitup is that after
529 * successful mount or remount we need to report success to userland.
530 * Trying to do full reinit (for the sake of possible subsequent remount)
531 * and failing to allocate memory would've put us into a nasty situation.
532 * So here we only discard the old state and reinitialization is left
533 * until we actually try to reconfigure.
534 */
vfs_clean_context(struct fs_context * fc)535 void vfs_clean_context(struct fs_context *fc)
536 {
537 if (fc->need_free && fc->ops && fc->ops->free)
538 fc->ops->free(fc);
539 fc->need_free = false;
540 fc->fs_private = NULL;
541 fc->s_fs_info = NULL;
542 fc->sb_flags = 0;
543 security_free_mnt_opts(&fc->security);
544 kfree(fc->source);
545 fc->source = NULL;
546 fc->exclusive = false;
547
548 fc->purpose = FS_CONTEXT_FOR_RECONFIGURE;
549 fc->phase = FS_CONTEXT_AWAITING_RECONF;
550 }
551
finish_clean_context(struct fs_context * fc)552 int finish_clean_context(struct fs_context *fc)
553 {
554 int error;
555
556 if (fc->phase != FS_CONTEXT_AWAITING_RECONF)
557 return 0;
558
559 error = fc->fs_type->init_fs_context(fc);
560
561 if (unlikely(error)) {
562 fc->phase = FS_CONTEXT_FAILED;
563 return error;
564 }
565 fc->need_free = true;
566 fc->phase = FS_CONTEXT_RECONF_PARAMS;
567 return 0;
568 }
569