1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Provide a way to create a superblock configuration context within the kernel 3 * that allows a superblock to be set up prior to mounting. 4 * 5 * Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. 6 * Written by David Howells (dhowells@redhat.com) 7 */ 8 9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 10 #include <linux/module.h> 11 #include <linux/fs_context.h> 12 #include <linux/fs_parser.h> 13 #include <linux/fs.h> 14 #include <linux/mount.h> 15 #include <linux/nsproxy.h> 16 #include <linux/slab.h> 17 #include <linux/magic.h> 18 #include <linux/security.h> 19 #include <linux/mnt_namespace.h> 20 #include <linux/pid_namespace.h> 21 #include <linux/user_namespace.h> 22 #include <net/net_namespace.h> 23 #include <asm/sections.h> 24 #include "mount.h" 25 #include "internal.h" 26 27 static const struct constant_table common_set_sb_flag[] = { 28 { "dirsync", SB_DIRSYNC }, 29 { "lazytime", SB_LAZYTIME }, 30 { "mand", SB_MANDLOCK }, 31 { "ro", SB_RDONLY }, 32 { "sync", SB_SYNCHRONOUS }, 33 { }, 34 }; 35 36 static const struct constant_table common_clear_sb_flag[] = { 37 { "async", SB_SYNCHRONOUS }, 38 { "nolazytime", SB_LAZYTIME }, 39 { "nomand", SB_MANDLOCK }, 40 { "rw", SB_RDONLY }, 41 { }, 42 }; 43 44 /* 45 * Check for a common mount option that manipulates s_flags. 46 */ 47 static int vfs_parse_sb_flag(struct fs_context *fc, const char *key) 48 { 49 unsigned int token; 50 51 token = lookup_constant(common_set_sb_flag, key, 0); 52 if (token) { 53 fc->sb_flags |= token; 54 fc->sb_flags_mask |= token; 55 return 0; 56 } 57 58 token = lookup_constant(common_clear_sb_flag, key, 0); 59 if (token) { 60 fc->sb_flags &= ~token; 61 fc->sb_flags_mask |= token; 62 return 0; 63 } 64 65 return -ENOPARAM; 66 } 67 68 /** 69 * vfs_parse_fs_param_source - Handle setting "source" via parameter 70 * @fc: The filesystem context to modify 71 * @param: The parameter 72 * 73 * This is a simple helper for filesystems to verify that the "source" they 74 * accept is sane. 75 * 76 * Returns 0 on success, -ENOPARAM if this is not "source" parameter, and 77 * -EINVAL otherwise. In the event of failure, supplementary error information 78 * is logged. 79 */ 80 int vfs_parse_fs_param_source(struct fs_context *fc, struct fs_parameter *param) 81 { 82 if (strcmp(param->key, "source") != 0) 83 return -ENOPARAM; 84 85 if (param->type != fs_value_is_string) 86 return invalf(fc, "Non-string source"); 87 88 if (fc->source) 89 return invalf(fc, "Multiple sources"); 90 91 fc->source = param->string; 92 param->string = NULL; 93 return 0; 94 } 95 EXPORT_SYMBOL(vfs_parse_fs_param_source); 96 97 /** 98 * vfs_parse_fs_param - Add a single parameter to a superblock config 99 * @fc: The filesystem context to modify 100 * @param: The parameter 101 * 102 * A single mount option in string form is applied to the filesystem context 103 * being set up. Certain standard options (for example "ro") are translated 104 * into flag bits without going to the filesystem. The active security module 105 * is allowed to observe and poach options. Any other options are passed over 106 * to the filesystem to parse. 107 * 108 * This may be called multiple times for a context. 109 * 110 * Returns 0 on success and a negative error code on failure. In the event of 111 * failure, supplementary error information may have been set. 112 */ 113 int vfs_parse_fs_param(struct fs_context *fc, struct fs_parameter *param) 114 { 115 int ret; 116 117 if (!param->key) 118 return invalf(fc, "Unnamed parameter\n"); 119 120 ret = vfs_parse_sb_flag(fc, param->key); 121 if (ret != -ENOPARAM) 122 return ret; 123 124 ret = security_fs_context_parse_param(fc, param); 125 if (ret != -ENOPARAM) 126 /* Param belongs to the LSM or is disallowed by the LSM; so 127 * don't pass to the FS. 128 */ 129 return ret; 130 131 if (fc->ops->parse_param) { 132 ret = fc->ops->parse_param(fc, param); 133 if (ret != -ENOPARAM) 134 return ret; 135 } 136 137 /* If the filesystem doesn't take any arguments, give it the 138 * default handling of source. 139 */ 140 ret = vfs_parse_fs_param_source(fc, param); 141 if (ret != -ENOPARAM) 142 return ret; 143 144 return invalf(fc, "%s: Unknown parameter '%s'", 145 fc->fs_type->name, param->key); 146 } 147 EXPORT_SYMBOL(vfs_parse_fs_param); 148 149 /** 150 * vfs_parse_fs_qstr - Convenience function to just parse a string. 151 * @fc: Filesystem context. 152 * @key: Parameter name. 153 * @value: Default value. 154 */ 155 int vfs_parse_fs_qstr(struct fs_context *fc, const char *key, 156 const struct qstr *value) 157 { 158 int ret; 159 160 struct fs_parameter param = { 161 .key = key, 162 .type = fs_value_is_flag, 163 .size = value ? value->len : 0, 164 }; 165 166 if (value) { 167 param.string = kmemdup_nul(value->name, value->len, GFP_KERNEL); 168 if (!param.string) 169 return -ENOMEM; 170 param.type = fs_value_is_string; 171 } 172 173 ret = vfs_parse_fs_param(fc, ¶m); 174 kfree(param.string); 175 return ret; 176 } 177 EXPORT_SYMBOL(vfs_parse_fs_qstr); 178 179 /** 180 * vfs_parse_monolithic_sep - Parse key[=val][,key[=val]]* mount data 181 * @fc: The superblock configuration to fill in. 182 * @data: The data to parse 183 * @sep: callback for separating next option 184 * 185 * Parse a blob of data that's in key[=val][,key[=val]]* form with a custom 186 * option separator callback. 187 * 188 * Returns 0 on success or the error returned by the ->parse_option() fs_context 189 * operation on failure. 190 */ 191 int vfs_parse_monolithic_sep(struct fs_context *fc, void *data, 192 char *(*sep)(char **)) 193 { 194 char *options = data, *key; 195 int ret = 0; 196 197 if (!options) 198 return 0; 199 200 ret = security_sb_eat_lsm_opts(options, &fc->security); 201 if (ret) 202 return ret; 203 204 while ((key = sep(&options)) != NULL) { 205 if (*key) { 206 char *value = strchr(key, '='); 207 208 if (value) { 209 if (unlikely(value == key)) 210 continue; 211 *value++ = 0; 212 } 213 ret = vfs_parse_fs_string(fc, key, value); 214 if (ret < 0) 215 break; 216 } 217 } 218 219 return ret; 220 } 221 EXPORT_SYMBOL(vfs_parse_monolithic_sep); 222 223 static char *vfs_parse_comma_sep(char **s) 224 { 225 return strsep(s, ","); 226 } 227 228 /** 229 * generic_parse_monolithic - Parse key[=val][,key[=val]]* mount data 230 * @fc: The superblock configuration to fill in. 231 * @data: The data to parse 232 * 233 * Parse a blob of data that's in key[=val][,key[=val]]* form. This can be 234 * called from the ->monolithic_mount_data() fs_context operation. 235 * 236 * Returns 0 on success or the error returned by the ->parse_option() fs_context 237 * operation on failure. 238 */ 239 int generic_parse_monolithic(struct fs_context *fc, void *data) 240 { 241 return vfs_parse_monolithic_sep(fc, data, vfs_parse_comma_sep); 242 } 243 EXPORT_SYMBOL(generic_parse_monolithic); 244 245 /** 246 * alloc_fs_context - Create a filesystem context. 247 * @fs_type: The filesystem type. 248 * @reference: The dentry from which this one derives (or NULL) 249 * @sb_flags: Filesystem/superblock flags (SB_*) 250 * @sb_flags_mask: Applicable members of @sb_flags 251 * @purpose: The purpose that this configuration shall be used for. 252 * 253 * Open a filesystem and create a mount context. The mount context is 254 * initialised with the supplied flags and, if a submount/automount from 255 * another superblock (referred to by @reference) is supplied, may have 256 * parameters such as namespaces copied across from that superblock. 257 */ 258 static struct fs_context *alloc_fs_context(struct file_system_type *fs_type, 259 struct dentry *reference, 260 unsigned int sb_flags, 261 unsigned int sb_flags_mask, 262 enum fs_context_purpose purpose) 263 { 264 struct fs_context *fc; 265 int ret = -ENOMEM; 266 267 fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL_ACCOUNT); 268 if (!fc) 269 return ERR_PTR(-ENOMEM); 270 271 fc->purpose = purpose; 272 fc->sb_flags = sb_flags; 273 fc->sb_flags_mask = sb_flags_mask; 274 fc->fs_type = get_filesystem(fs_type); 275 fc->cred = get_current_cred(); 276 fc->net_ns = get_net(current->nsproxy->net_ns); 277 fc->log.prefix = fs_type->name; 278 279 mutex_init(&fc->uapi_mutex); 280 281 switch (purpose) { 282 case FS_CONTEXT_FOR_MOUNT: 283 fc->user_ns = get_user_ns(fc->cred->user_ns); 284 break; 285 case FS_CONTEXT_FOR_SUBMOUNT: 286 fc->user_ns = get_user_ns(reference->d_sb->s_user_ns); 287 break; 288 case FS_CONTEXT_FOR_RECONFIGURE: 289 atomic_inc(&reference->d_sb->s_active); 290 fc->user_ns = get_user_ns(reference->d_sb->s_user_ns); 291 fc->root = dget(reference); 292 break; 293 } 294 295 ret = fc->fs_type->init_fs_context(fc); 296 if (ret < 0) 297 goto err_fc; 298 fc->need_free = true; 299 return fc; 300 301 err_fc: 302 put_fs_context(fc); 303 return ERR_PTR(ret); 304 } 305 306 struct fs_context *fs_context_for_mount(struct file_system_type *fs_type, 307 unsigned int sb_flags) 308 { 309 return alloc_fs_context(fs_type, NULL, sb_flags, 0, 310 FS_CONTEXT_FOR_MOUNT); 311 } 312 EXPORT_SYMBOL(fs_context_for_mount); 313 314 struct fs_context *fs_context_for_reconfigure(struct dentry *dentry, 315 unsigned int sb_flags, 316 unsigned int sb_flags_mask) 317 { 318 return alloc_fs_context(dentry->d_sb->s_type, dentry, sb_flags, 319 sb_flags_mask, FS_CONTEXT_FOR_RECONFIGURE); 320 } 321 EXPORT_SYMBOL(fs_context_for_reconfigure); 322 323 /** 324 * fs_context_for_submount: allocate a new fs_context for a submount 325 * @type: file_system_type of the new context 326 * @reference: reference dentry from which to copy relevant info 327 * 328 * Allocate a new fs_context suitable for a submount. This also ensures that 329 * the fc->security object is inherited from @reference (if needed). 330 */ 331 struct fs_context *fs_context_for_submount(struct file_system_type *type, 332 struct dentry *reference) 333 { 334 struct fs_context *fc; 335 int ret; 336 337 fc = alloc_fs_context(type, reference, 0, 0, FS_CONTEXT_FOR_SUBMOUNT); 338 if (IS_ERR(fc)) 339 return fc; 340 341 ret = security_fs_context_submount(fc, reference->d_sb); 342 if (ret) { 343 put_fs_context(fc); 344 return ERR_PTR(ret); 345 } 346 347 return fc; 348 } 349 EXPORT_SYMBOL(fs_context_for_submount); 350 351 void fc_drop_locked(struct fs_context *fc) 352 { 353 struct super_block *sb = fc->root->d_sb; 354 dput(fc->root); 355 fc->root = NULL; 356 deactivate_locked_super(sb); 357 } 358 359 /** 360 * vfs_dup_fs_context - Duplicate a filesystem context. 361 * @src_fc: The context to copy. 362 */ 363 struct fs_context *vfs_dup_fs_context(struct fs_context *src_fc) 364 { 365 struct fs_context *fc; 366 int ret; 367 368 if (!src_fc->ops->dup) 369 return ERR_PTR(-EOPNOTSUPP); 370 371 fc = kmemdup(src_fc, sizeof(struct fs_context), GFP_KERNEL); 372 if (!fc) 373 return ERR_PTR(-ENOMEM); 374 375 mutex_init(&fc->uapi_mutex); 376 377 fc->fs_private = NULL; 378 fc->s_fs_info = NULL; 379 fc->source = NULL; 380 fc->security = NULL; 381 get_filesystem(fc->fs_type); 382 get_net(fc->net_ns); 383 get_user_ns(fc->user_ns); 384 get_cred(fc->cred); 385 if (fc->log.log) 386 refcount_inc(&fc->log.log->usage); 387 388 /* Can't call put until we've called ->dup */ 389 ret = fc->ops->dup(fc, src_fc); 390 if (ret < 0) 391 goto err_fc; 392 393 ret = security_fs_context_dup(fc, src_fc); 394 if (ret < 0) 395 goto err_fc; 396 return fc; 397 398 err_fc: 399 put_fs_context(fc); 400 return ERR_PTR(ret); 401 } 402 EXPORT_SYMBOL(vfs_dup_fs_context); 403 404 /** 405 * logfc - Log a message to a filesystem context 406 * @log: The filesystem context to log to, or NULL to use printk. 407 * @prefix: A string to prefix the output with, or NULL. 408 * @level: 'w' for a warning, 'e' for an error. Anything else is a notice. 409 * @fmt: The format of the buffer. 410 */ 411 void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt, ...) 412 { 413 va_list va; 414 struct va_format vaf = {.fmt = fmt, .va = &va}; 415 416 va_start(va, fmt); 417 if (!log) { 418 switch (level) { 419 case 'w': 420 printk(KERN_WARNING "%s%s%pV\n", prefix ? prefix : "", 421 prefix ? ": " : "", &vaf); 422 break; 423 case 'e': 424 printk(KERN_ERR "%s%s%pV\n", prefix ? prefix : "", 425 prefix ? ": " : "", &vaf); 426 break; 427 case 'i': 428 printk(KERN_INFO "%s%s%pV\n", prefix ? prefix : "", 429 prefix ? ": " : "", &vaf); 430 break; 431 default: 432 printk(KERN_NOTICE "%s%s%pV\n", prefix ? prefix : "", 433 prefix ? ": " : "", &vaf); 434 break; 435 } 436 } else { 437 unsigned int logsize = ARRAY_SIZE(log->buffer); 438 u8 index; 439 char *q = kasprintf(GFP_KERNEL, "%c %s%s%pV\n", level, 440 prefix ? prefix : "", 441 prefix ? ": " : "", &vaf); 442 443 index = log->head & (logsize - 1); 444 BUILD_BUG_ON(sizeof(log->head) != sizeof(u8) || 445 sizeof(log->tail) != sizeof(u8)); 446 if ((u8)(log->head - log->tail) == logsize) { 447 /* The buffer is full, discard the oldest message */ 448 if (log->need_free & (1 << index)) 449 kfree(log->buffer[index]); 450 log->tail++; 451 } 452 453 log->buffer[index] = q ? q : "OOM: Can't store error string"; 454 if (q) 455 log->need_free |= 1 << index; 456 else 457 log->need_free &= ~(1 << index); 458 log->head++; 459 } 460 va_end(va); 461 } 462 EXPORT_SYMBOL(logfc); 463 464 /* 465 * Free a logging structure. 466 */ 467 static void put_fc_log(struct fs_context *fc) 468 { 469 struct fc_log *log = fc->log.log; 470 int i; 471 472 if (log) { 473 if (refcount_dec_and_test(&log->usage)) { 474 fc->log.log = NULL; 475 for (i = 0; i < ARRAY_SIZE(log->buffer) ; i++) 476 if (log->need_free & (1 << i)) 477 kfree(log->buffer[i]); 478 kfree(log); 479 } 480 } 481 } 482 483 /** 484 * put_fs_context - Dispose of a superblock configuration context. 485 * @fc: The context to dispose of. 486 */ 487 void put_fs_context(struct fs_context *fc) 488 { 489 struct super_block *sb; 490 491 if (fc->root) { 492 sb = fc->root->d_sb; 493 dput(fc->root); 494 fc->root = NULL; 495 deactivate_super(sb); 496 } 497 498 if (fc->need_free && fc->ops && fc->ops->free) 499 fc->ops->free(fc); 500 501 security_free_mnt_opts(&fc->security); 502 put_net(fc->net_ns); 503 put_user_ns(fc->user_ns); 504 put_cred(fc->cred); 505 put_fc_log(fc); 506 put_filesystem(fc->fs_type); 507 kfree(fc->source); 508 kfree(fc); 509 } 510 EXPORT_SYMBOL(put_fs_context); 511 512 int parse_monolithic_mount_data(struct fs_context *fc, void *data) 513 { 514 int (*monolithic_mount_data)(struct fs_context *, void *); 515 516 monolithic_mount_data = fc->ops->parse_monolithic; 517 if (!monolithic_mount_data) 518 monolithic_mount_data = generic_parse_monolithic; 519 520 return monolithic_mount_data(fc, data); 521 } 522 523 /* 524 * Clean up a context after performing an action on it and put it into a state 525 * from where it can be used to reconfigure a superblock. 526 * 527 * Note that here we do only the parts that can't fail; the rest is in 528 * finish_clean_context() below and in between those fs_context is marked 529 * FS_CONTEXT_AWAITING_RECONF. The reason for splitup is that after 530 * successful mount or remount we need to report success to userland. 531 * Trying to do full reinit (for the sake of possible subsequent remount) 532 * and failing to allocate memory would've put us into a nasty situation. 533 * So here we only discard the old state and reinitialization is left 534 * until we actually try to reconfigure. 535 */ 536 void vfs_clean_context(struct fs_context *fc) 537 { 538 if (fc->need_free && fc->ops && fc->ops->free) 539 fc->ops->free(fc); 540 fc->need_free = false; 541 fc->fs_private = NULL; 542 fc->s_fs_info = NULL; 543 fc->sb_flags = 0; 544 security_free_mnt_opts(&fc->security); 545 kfree(fc->source); 546 fc->source = NULL; 547 fc->exclusive = false; 548 549 fc->purpose = FS_CONTEXT_FOR_RECONFIGURE; 550 fc->phase = FS_CONTEXT_AWAITING_RECONF; 551 } 552 553 int finish_clean_context(struct fs_context *fc) 554 { 555 int error; 556 557 if (fc->phase != FS_CONTEXT_AWAITING_RECONF) 558 return 0; 559 560 error = fc->fs_type->init_fs_context(fc); 561 562 if (unlikely(error)) { 563 fc->phase = FS_CONTEXT_FAILED; 564 return error; 565 } 566 fc->need_free = true; 567 fc->phase = FS_CONTEXT_RECONF_PARAMS; 568 return 0; 569 } 570