1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Provide a way to create a superblock configuration context within the kernel
3 * that allows a superblock to be set up prior to mounting.
4 *
5 * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
6 * Written by David Howells (dhowells@redhat.com)
7 */
8
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 #include <linux/module.h>
11 #include <linux/fs_context.h>
12 #include <linux/fs_parser.h>
13 #include <linux/fs.h>
14 #include <linux/mount.h>
15 #include <linux/nsproxy.h>
16 #include <linux/slab.h>
17 #include <linux/magic.h>
18 #include <linux/security.h>
19 #include <linux/mnt_namespace.h>
20 #include <linux/pid_namespace.h>
21 #include <linux/user_namespace.h>
22 #include <net/net_namespace.h>
23 #include <asm/sections.h>
24 #include "mount.h"
25 #include "internal.h"
26
/*
 * Generic option names that switch a superblock flag on.  vfs_parse_sb_flag()
 * consults this table first; a hit ORs the SB_* bit into fc->sb_flags and
 * records the bit in fc->sb_flags_mask.  The trailing empty entry is kept as
 * the table's end marker.
 */
static const struct constant_table common_set_sb_flag[] = {
	{ .name = "dirsync",	.value = SB_DIRSYNC },
	{ .name = "lazytime",	.value = SB_LAZYTIME },
	{ .name = "mand",	.value = SB_MANDLOCK },
	{ .name = "ro",		.value = SB_RDONLY },
	{ .name = "sync",	.value = SB_SYNCHRONOUS },
	{ },
};
35
/*
 * Generic option names that switch a superblock flag off.  Each name maps to
 * the SB_* bit it clears (for example "rw" clears SB_RDONLY); the bit is still
 * recorded in fc->sb_flags_mask by vfs_parse_sb_flag() so that the explicit
 * request to clear it is not lost.  Note there is no negated form of
 * "dirsync" in this table.
 */
static const struct constant_table common_clear_sb_flag[] = {
	{ .name = "async",	.value = SB_SYNCHRONOUS },
	{ .name = "nolazytime",	.value = SB_LAZYTIME },
	{ .name = "nomand",	.value = SB_MANDLOCK },
	{ .name = "rw",		.value = SB_RDONLY },
	{ },
};
43
/*
 * Check whether @key is one of the common mount options that only manipulate
 * s_flags, and if so apply it to the context.
 *
 * A "set" name turns the bit on in fc->sb_flags, a "clear" name turns it off.
 * In both cases the bit is added to fc->sb_flags_mask, which records that the
 * flag was given explicitly.
 *
 * Returns 0 if @key was consumed here and -ENOPARAM if it is not a common
 * flag name, in which case the caller is expected to try other handlers.
 */
static int vfs_parse_sb_flag(struct fs_context *fc, const char *key)
{
	unsigned int to_set = lookup_constant(common_set_sb_flag, key, 0);
	unsigned int to_clear;

	if (to_set) {
		fc->sb_flags_mask |= to_set;
		fc->sb_flags |= to_set;
		return 0;
	}

	to_clear = lookup_constant(common_clear_sb_flag, key, 0);
	if (!to_clear)
		return -ENOPARAM;

	fc->sb_flags_mask |= to_clear;
	fc->sb_flags &= ~to_clear;
	return 0;
}
67
/**
 * vfs_parse_fs_param_source - Handle setting "source" via parameter
 * @fc: The filesystem context to modify
 * @param: The parameter
 *
 * Helper for filesystems that accept a plain "source" parameter.  It checks
 * only that the parameter is a string and that no source has been set on @fc
 * already; the contents of the string are not examined here, so any further
 * validation remains the filesystem's job.
 *
 * On success ownership of the string moves from @param to @fc.
 *
 * Returns 0 on success, -ENOPARAM if this is not the "source" parameter, and
 * -EINVAL otherwise.  In the event of failure, supplementary error information
 * is logged.
 */
int vfs_parse_fs_param_source(struct fs_context *fc, struct fs_parameter *param)
{
	char *source;

	if (strcmp(param->key, "source"))
		return -ENOPARAM;

	if (param->type != fs_value_is_string)
		return invalf(fc, "Non-string source");

	if (fc->source)
		return invalf(fc, "Multiple sources");

	/*
	 * Take the string over rather than copying it.  Clearing
	 * param->string means a caller that frees it afterwards (as
	 * vfs_parse_fs_qstr() does) cannot free the buffer fc->source now
	 * points at.
	 */
	source = param->string;
	param->string = NULL;
	fc->source = source;
	return 0;
}
EXPORT_SYMBOL(vfs_parse_fs_param_source);
96
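/**
 * vfs_parse_fs_param - Add a single parameter to a superblock config
 * @fc: The filesystem context to modify
 * @param: The parameter
 *
 * A single mount option is applied to the filesystem context being set up.
 * Handlers are tried in a fixed order, each one signalling "not mine" with
 * -ENOPARAM:
 *
 *  1. the common superblock flags (for example "ro"), which are translated
 *     into flag bits and never reach the LSM or the filesystem;
 *  2. the active security module, which may consume or reject the option;
 *  3. the filesystem's ->parse_param() operation, if it has one;
 *  4. the default handling of "source".
 *
 * Anything still unclaimed is rejected as unknown.  The rejected key is
 * echoed into the error text, so that text contains caller-supplied data.
 *
 * This may be called multiple times for a context.
 *
 * Returns 0 on success and a negative error code on failure.  In the event of
 * failure, supplementary error information may have been set.
 */
int vfs_parse_fs_param(struct fs_context *fc, struct fs_parameter *param)
{
	int ret;

	/* No trailing newline: logfc() appends one to every message. */
	if (!param->key)
		return invalf(fc, "Unnamed parameter");

	ret = vfs_parse_sb_flag(fc, param->key);
	if (ret != -ENOPARAM)
		return ret;

	/*
	 * The LSM is asked before the filesystem.  Any answer other than
	 * -ENOPARAM means the parameter belongs to the LSM or is disallowed
	 * by it, so it must not be passed on to the filesystem.
	 */
	ret = security_fs_context_parse_param(fc, param);
	if (ret != -ENOPARAM)
		return ret;

	if (fc->ops->parse_param) {
		ret = fc->ops->parse_param(fc, param);
		if (ret != -ENOPARAM)
			return ret;
	}

	/*
	 * Reached when the filesystem has no ->parse_param() or did not
	 * recognise the key: fall back to the default handling of source.
	 */
	ret = vfs_parse_fs_param_source(fc, param);
	if (ret != -ENOPARAM)
		return ret;

	return invalf(fc, "%s: Unknown parameter '%s'",
		      fc->fs_type->name, param->key);
}
EXPORT_SYMBOL(vfs_parse_fs_param);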
148
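/**
 * vfs_parse_fs_qstr - Convenience function to just parse a string.
 * @fc: Filesystem context.
 * @key: Parameter name.
 * @value: Parameter value, or NULL to pass @key as a valueless flag.
 *
 * Wraps @key and @value in a temporary fs_parameter and hands it to
 * vfs_parse_fs_param().  The value is copied with kmemdup_nul(), so the
 * caller's buffer is neither modified nor retained and need not be
 * NUL-terminated; only @value->len bytes are read from it.
 *
 * Returns -ENOMEM if the copy cannot be allocated, otherwise the result of
 * vfs_parse_fs_param().
 */
int vfs_parse_fs_qstr(struct fs_context *fc, const char *key,
		      const struct qstr *value)
{
	int ret;

	struct fs_parameter param = {
		.key	= key,
		.type	= fs_value_is_flag,
		.size	= value ? value->len : 0,
	};

	if (value) {
		param.string = kmemdup_nul(value->name, value->len, GFP_KERNEL);
		if (!param.string)
			return -ENOMEM;
		param.type = fs_value_is_string;
	}

	ret = vfs_parse_fs_param(fc, &param);
	/*
	 * A handler that keeps the string clears param.string (see
	 * vfs_parse_fs_param_source()), in which case this frees nothing;
	 * otherwise the temporary copy is released here.
	 */
	kfree(param.string);
	return ret;
}
EXPORT_SYMBOL(vfs_parse_fs_qstr);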
178
/**
 * vfs_parse_monolithic_sep - Parse key[=val][,key[=val]]* mount data
 * @fc: The superblock configuration to fill in.
 * @data: The data to parse
 * @sep: callback for separating next option
 *
 * Parse a blob of data that's in key[=val][,key[=val]]* form with a custom
 * option separator callback.
 *
 * @data is treated as a NUL-terminated string and is modified in place: the
 * '=' between a key and its value is overwritten with a NUL here, and @sep
 * may overwrite separators too.  Callers must therefore pass a writable
 * buffer they are prepared to have clobbered.
 *
 * The LSM is given the whole option string first through
 * security_sb_eat_lsm_opts().  Empty options and options that begin with '='
 * (no key) are skipped silently.  Options applied before a failing one stay
 * applied to @fc.
 *
 * Returns 0 if @data is NULL, the error from security_sb_eat_lsm_opts() if
 * that fails, and otherwise the result of the last vfs_parse_fs_string()
 * call, parsing having stopped at the first negative one.
 */
int vfs_parse_monolithic_sep(struct fs_context *fc, void *data,
			     char *(*sep)(char **))
{
	char *options = data, *key;
	int ret = 0;

	if (!options)
		return 0;

	ret = security_sb_eat_lsm_opts(options, &fc->security);
	if (ret)
		return ret;

	while ((key = sep(&options)) != NULL) {
		char *value;

		/* Empty option, e.g. from two adjacent separators. */
		if (!*key)
			continue;

		value = strchr(key, '=');
		if (value) {
			/* "=val" has no key to dispatch on; ignore it. */
			if (unlikely(value == key))
				continue;
			/* Split "key=val" into two strings in place. */
			*value++ = '\0';
		}

		ret = vfs_parse_fs_string(fc, key, value);
		if (ret < 0)
			break;
	}

	return ret;
}
EXPORT_SYMBOL(vfs_parse_monolithic_sep);
222
/*
 * Default option separator: hand back the next comma-delimited token of *s.
 * This is a thin wrapper around strsep(), so the comma is overwritten in
 * place and *s is advanced (or set to NULL once the string is exhausted).
 */
static char *vfs_parse_comma_sep(char **s)
{
	char *token = strsep(s, ",");

	return token;
}
227
/**
 * generic_parse_monolithic - Parse key[=val][,key[=val]]* mount data
 * @fc: The superblock configuration to fill in.
 * @data: The data to parse
 *
 * Parse a blob of data that's in key[=val][,key[=val]]* form, using a comma
 * as the option separator.  parse_monolithic_mount_data() falls back to this
 * when the filesystem supplies no ->parse_monolithic() operation.
 *
 * @data is modified in place, as described for vfs_parse_monolithic_sep().
 *
 * Returns whatever vfs_parse_monolithic_sep() returns.
 */
int generic_parse_monolithic(struct fs_context *fc, void *data)
{
	char *(*const next_option)(char **) = vfs_parse_comma_sep;

	return vfs_parse_monolithic_sep(fc, data, next_option);
}
EXPORT_SYMBOL(generic_parse_monolithic);
244
/**
 * alloc_fs_context - Create a filesystem context.
 * @fs_type: The filesystem type.
 * @reference: The dentry from which this one derives (or NULL)
 * @sb_flags: Filesystem/superblock flags (SB_*)
 * @sb_flags_mask: Applicable members of @sb_flags
 * @purpose: The purpose that this configuration shall be used for.
 *
 * Allocate a context, seed it with the supplied flags and let the filesystem
 * initialise it through ->init_fs_context().
 *
 * The context pins the calling task's credentials and network namespace at
 * allocation time.  The user namespace comes from those credentials for a
 * new mount and from @reference's superblock for a submount or a
 * reconfigure.  @reference is dereferenced without a NULL check in the
 * latter two cases, so it may only be NULL for FS_CONTEXT_FOR_MOUNT.
 *
 * Returns the new context or an ERR_PTR() on failure.
 */
static struct fs_context *alloc_fs_context(struct file_system_type *fs_type,
				      struct dentry *reference,
				      unsigned int sb_flags,
				      unsigned int sb_flags_mask,
				      enum fs_context_purpose purpose)
{
	struct fs_context *fc;
	int ret;

	fc = kzalloc_obj(struct fs_context, GFP_KERNEL_ACCOUNT);
	if (!fc)
		return ERR_PTR(-ENOMEM);

	fc->purpose	= purpose;
	fc->sb_flags	= sb_flags;
	fc->sb_flags_mask = sb_flags_mask;
	fc->fs_type	= get_filesystem(fs_type);
	fc->cred	= get_current_cred();
	fc->net_ns	= get_net(current->nsproxy->net_ns);
	fc->log.prefix	= fs_type->name;

	mutex_init(&fc->uapi_mutex);

	/* There is no default case: other values leave fc->user_ns unset. */
	switch (purpose) {
	case FS_CONTEXT_FOR_MOUNT:
		fc->user_ns = get_user_ns(fc->cred->user_ns);
		break;
	case FS_CONTEXT_FOR_SUBMOUNT:
		fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
		break;
	case FS_CONTEXT_FOR_RECONFIGURE:
		/* Keep the existing superblock active and pin its root. */
		atomic_inc(&reference->d_sb->s_active);
		fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);
		fc->root = dget(reference);
		break;
	}

	ret = fc->fs_type->init_fs_context(fc);
	if (ret < 0) {
		/*
		 * need_free has not been set yet, so put_fs_context() drops
		 * the references taken above without calling ->free().
		 */
		put_fs_context(fc);
		return ERR_PTR(ret);
	}

	fc->need_free = true;
	return fc;
}
305
/*
 * Allocate a context for creating a new mount of @fs_type.  @sb_flags seeds
 * fc->sb_flags; the flag mask starts out empty and there is no reference
 * dentry.  Returns the context or an ERR_PTR() from alloc_fs_context().
 */
struct fs_context *fs_context_for_mount(struct file_system_type *fs_type,
					unsigned int sb_flags)
{
	const unsigned int no_mask = 0;

	return alloc_fs_context(fs_type, NULL, sb_flags, no_mask,
				FS_CONTEXT_FOR_MOUNT);
}
EXPORT_SYMBOL(fs_context_for_mount);
313
/*
 * Allocate a context for reconfiguring the superblock that @dentry lives on.
 * The filesystem type is taken from that superblock, so @dentry must be
 * non-NULL.  @sb_flags and @sb_flags_mask are passed through unchanged.
 * Returns the context or an ERR_PTR() from alloc_fs_context().
 */
struct fs_context *fs_context_for_reconfigure(struct dentry *dentry,
					unsigned int sb_flags,
					unsigned int sb_flags_mask)
{
	struct file_system_type *fs_type = dentry->d_sb->s_type;

	return alloc_fs_context(fs_type, dentry, sb_flags, sb_flags_mask,
				FS_CONTEXT_FOR_RECONFIGURE);
}
EXPORT_SYMBOL(fs_context_for_reconfigure);
322
/**
 * fs_context_for_submount - allocate a new fs_context for a submount
 * @type: file_system_type of the new context
 * @reference: reference dentry from which to copy relevant info
 *
 * Allocate a new fs_context suitable for a submount.  This also ensures that
 * the fc->security object is inherited from @reference (if needed), by
 * calling security_fs_context_submount() with the reference superblock.  If
 * the LSM refuses, the new context is released again.
 *
 * Returns the context or an ERR_PTR() on failure.
 */
struct fs_context *fs_context_for_submount(struct file_system_type *type,
					   struct dentry *reference)
{
	struct fs_context *fc;
	int ret;

	fc = alloc_fs_context(type, reference, 0, 0, FS_CONTEXT_FOR_SUBMOUNT);
	if (IS_ERR(fc))
		return fc;

	ret = security_fs_context_submount(fc, reference->d_sb);
	if (!ret)
		return fc;

	/* LSM setup failed: do not hand out a half-initialised context. */
	put_fs_context(fc);
	return ERR_PTR(ret);
}
EXPORT_SYMBOL(fs_context_for_submount);
350
/*
 * Drop the context's root dentry and the active reference on its superblock.
 *
 * Unlike put_fs_context() there is no NULL check, so the caller must only
 * use this while fc->root is set.  The superblock is released with
 * deactivate_locked_super(); presumably the caller holds sb->s_umount at
 * this point - confirm against the call sites.
 */
void fc_drop_locked(struct fs_context *fc)
{
	struct dentry *root = fc->root;
	/* Read the superblock before the dentry reference is given up. */
	struct super_block *sb = root->d_sb;

	dput(root);
	fc->root = NULL;
	deactivate_locked_super(sb);
}
358
/**
 * vfs_dup_fs_context - Duplicate a filesystem context.
 * @src_fc: The context to copy.
 *
 * The new context starts as a byte copy of @src_fc.  Pointers to objects the
 * source owns outright (filesystem private data, s_fs_info, the source string
 * and the LSM options) are cleared in the copy, and an extra reference is
 * taken on every shared, refcounted object.  The filesystem and the LSM then
 * get to duplicate their own state through ->dup() and
 * security_fs_context_dup().
 *
 * Returns the new context, -EOPNOTSUPP if the filesystem has no ->dup()
 * operation, -ENOMEM on allocation failure, or the error from either dup
 * step.
 */
struct fs_context *vfs_dup_fs_context(struct fs_context *src_fc)
{
	struct fs_context *fc;
	int ret;

	if (!src_fc->ops->dup)
		return ERR_PTR(-EOPNOTSUPP);

	fc = kmemdup(src_fc, sizeof(*fc), GFP_KERNEL);
	if (!fc)
		return ERR_PTR(-ENOMEM);

	/* A copied mutex is not usable; give the duplicate its own. */
	mutex_init(&fc->uapi_mutex);

	/*
	 * Owned pointers must not be shared with the source, or both
	 * contexts would free the same objects on teardown.
	 *
	 * NOTE(review): fc->root is copied as is, without dget() or an
	 * s_active bump, while put_fs_context() drops both when root is
	 * set.  Presumably this is only used on contexts with no root -
	 * confirm against the callers.
	 */
	fc->fs_private	= NULL;
	fc->s_fs_info	= NULL;
	fc->source	= NULL;
	fc->security	= NULL;

	get_filesystem(fc->fs_type);
	get_net(fc->net_ns);
	get_user_ns(fc->user_ns);
	get_cred(fc->cred);
	if (fc->log.log)
		refcount_inc(&fc->log.log->usage);

	/* Can't call put until we've called ->dup */
	ret = fc->ops->dup(fc, src_fc);
	if (ret >= 0)
		ret = security_fs_context_dup(fc, src_fc);
	if (ret < 0) {
		put_fs_context(fc);
		return ERR_PTR(ret);
	}

	return fc;
}
EXPORT_SYMBOL(vfs_dup_fs_context);
403
/**
 * logfc - Log a message to a filesystem context
 * @log: The log buffer to append to, or NULL to use printk.
 * @prefix: A string to prefix the output with, or NULL.
 * @level: 'w' for a warning, 'e' for an error, 'i' for info.  Anything else
 *	   is a notice.
 * @fmt: The format of the buffer.
 *
 * @fmt is interpreted as a format string (it is expanded through %pV), so
 * callers must pass a fixed format and supply variable or caller-provided
 * text only as arguments.
 *
 * With a log buffer, the formatted message is stored in a ring of string
 * pointers; when the ring is full the oldest entry is discarded.  If the
 * message cannot be allocated a static placeholder string is stored instead.
 *
 * No locking is taken here; presumably callers serialise access to @log -
 * confirm against the call sites.
 */
void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt, ...)
{
	const char *tag = prefix ? prefix : "";
	const char *sep = prefix ? ": " : "";
	va_list va;
	struct va_format vaf = {.fmt = fmt, .va = &va};

	va_start(va, fmt);
	if (log) {
		unsigned int logsize = ARRAY_SIZE(log->buffer);
		char *msg = kasprintf(GFP_KERNEL, "%c %s%s%pV\n", level,
				      tag, sep, &vaf);
		/* Masking only works if the ring size is a power of two. */
		u8 slot = log->head & (logsize - 1);

		/* head/tail arithmetic below relies on u8 wrap-around. */
		BUILD_BUG_ON(sizeof(log->head) != sizeof(u8) ||
			     sizeof(log->tail) != sizeof(u8));
		if ((u8)(log->head - log->tail) == logsize) {
			/* The buffer is full, discard the oldest message */
			if (log->need_free & (1 << slot))
				kfree(log->buffer[slot]);
			log->tail++;
		}

		/*
		 * need_free tracks which slots hold allocated strings, so
		 * the static placeholder is never passed to kfree().
		 */
		if (msg) {
			log->buffer[slot] = msg;
			log->need_free |= 1 << slot;
		} else {
			log->buffer[slot] = "OOM: Can't store error string";
			log->need_free &= ~(1 << slot);
		}
		log->head++;
	} else {
		switch (level) {
		case 'w':
			printk(KERN_WARNING "%s%s%pV\n", tag, sep, &vaf);
			break;
		case 'e':
			printk(KERN_ERR "%s%s%pV\n", tag, sep, &vaf);
			break;
		case 'i':
			printk(KERN_INFO "%s%s%pV\n", tag, sep, &vaf);
			break;
		default:
			printk(KERN_NOTICE "%s%s%pV\n", tag, sep, &vaf);
			break;
		}
	}
	va_end(va);
}
EXPORT_SYMBOL(logfc);
463
/*
 * Drop the context's reference on its logging structure and free the
 * structure, together with every stored message that was allocated, once
 * the last reference is gone.  If other references remain, nothing is
 * freed and fc->log.log is left as it was.
 */
static void put_fc_log(struct fs_context *fc)
{
	struct fc_log *log = fc->log.log;
	int i;

	if (!log || !refcount_dec_and_test(&log->usage))
		return;

	fc->log.log = NULL;
	for (i = 0; i < ARRAY_SIZE(log->buffer); i++) {
		/* Slots without the bit hold a static string or nothing. */
		if (log->need_free & (1 << i))
			kfree(log->buffer[i]);
	}
	kfree(log);
}
482
/**
 * put_fs_context - Dispose of a superblock configuration context.
 * @fc: The context to dispose of.
 *
 * Releases everything the context holds and then frees it: the root dentry
 * and the active superblock reference (if a root is attached), the
 * filesystem's private state via ->free() (only once need_free is set), the
 * LSM mount options, the namespace, credential, log and filesystem-type
 * references, and the source string.  @fc must not be used afterwards.
 */
void put_fs_context(struct fs_context *fc)
{
	struct dentry *root = fc->root;

	if (root) {
		/* Fetch the superblock while the dentry is still pinned. */
		struct super_block *sb = root->d_sb;

		dput(root);
		fc->root = NULL;
		deactivate_super(sb);
	}

	/* fc->ops may be unset if initialisation never got that far. */
	if (fc->need_free && fc->ops && fc->ops->free)
		fc->ops->free(fc);

	security_free_mnt_opts(&fc->security);
	put_net(fc->net_ns);
	put_user_ns(fc->user_ns);
	put_cred(fc->cred);
	put_fc_log(fc);
	put_filesystem(fc->fs_type);
	kfree(fc->source);
	kfree(fc);
}
EXPORT_SYMBOL(put_fs_context);
511
/*
 * Parse a monolithic mount-data blob for @fc.  The filesystem's own
 * ->parse_monolithic() operation is used when it provides one; otherwise
 * the blob is handled by generic_parse_monolithic().  Returns whatever the
 * chosen parser returns.
 */
int parse_monolithic_mount_data(struct fs_context *fc, void *data)
{
	if (fc->ops->parse_monolithic)
		return fc->ops->parse_monolithic(fc, data);

	return generic_parse_monolithic(fc, data);
}
522
/*
 * Clean up a context after performing an action on it and put it into a state
 * from where it can be used to reconfigure a superblock.
 *
 * Only the steps that cannot fail are done here.  The rest lives in
 * finish_clean_context(), and in between the two the context is marked
 * FS_CONTEXT_AWAITING_RECONF.  The split exists because success has to be
 * reported to userland after a successful mount or remount: attempting the
 * full reinitialisation (for the sake of a possible later remount) and
 * running out of memory at that point would leave us in a nasty situation.
 * So the old state is merely discarded here and reinitialisation is deferred
 * until a reconfigure is actually attempted.
 *
 * sb_flags is zeroed; sb_flags_mask, the credentials and the namespace
 * references are left in place.
 */
void vfs_clean_context(struct fs_context *fc)
{
	/* The filesystem releases its private state before it is forgotten. */
	if (fc->need_free && fc->ops && fc->ops->free)
		fc->ops->free(fc);
	fc->need_free = false;
	fc->fs_private = NULL;
	fc->s_fs_info = NULL;

	/* Drop the parameters collected for the operation just performed. */
	security_free_mnt_opts(&fc->security);
	kfree(fc->source);
	fc->source = NULL;
	fc->sb_flags = 0;
	fc->exclusive = false;

	fc->purpose = FS_CONTEXT_FOR_RECONFIGURE;
	fc->phase = FS_CONTEXT_AWAITING_RECONF;
}
552
/*
 * Second half of vfs_clean_context(): reinitialise a context that is waiting
 * in FS_CONTEXT_AWAITING_RECONF so that it can take reconfiguration
 * parameters.  A context in any other phase is left alone.
 *
 * Returns 0 on success or if there was nothing to do.  If the filesystem's
 * ->init_fs_context() fails, the context is marked FS_CONTEXT_FAILED and the
 * error is returned.
 */
int finish_clean_context(struct fs_context *fc)
{
	int ret;

	if (fc->phase != FS_CONTEXT_AWAITING_RECONF)
		return 0;

	ret = fc->fs_type->init_fs_context(fc);
	if (likely(!ret)) {
		/* From here on ->free() must run when the context goes away. */
		fc->need_free = true;
		fc->phase = FS_CONTEXT_RECONF_PARAMS;
		return 0;
	}

	fc->phase = FS_CONTEXT_FAILED;
	return ret;
}
570