Re: [PATCH] ovl: consistent behavior for immutable/append-only inodes

[Miklos Szeredi <miklos@szeredi.hu>]

On Tue, 8 Jun 2021 at 16:37, Amir Goldstein <amir73il@gmail.com> wrote:
>
> On Tue, Jun 8, 2021 at 4:52 PM Miklos Szeredi <miklos@szeredi.hu> wrote:
> >
> > On Sun, 6 Jun 2021 at 16:46, Amir Goldstein <amir73il@gmail.com> wrote:
> > >
> > > When a lower file has immutable/append-only attributes, the behavior of
> > > overlayfs post copy up is inconsistent.
> > >
> > > Immediattely after copy up, ovl inode still has the S_IMMUTABLE/S_APPEND
> > > inode flags copied from lower inode, so vfs code still treats the ovl
> > > inode as immutable/append-only.  After ovl inode evict or mount cycle,
> > > the ovl inode does not have these inode flags anymore.
> > >
> > > We cannot copy up the immutable and append-only fileattr flags, because
> > > immutable/append-only inodes cannot be linked and because overlayfs will
> > > not be able to set overlay.* xattr on the upper inodes.
> >
> > Ugh.
> >
> > > Instead, if any of the fileattr flags of interest exist on the lower
> > > inode, we set an xattr overlay.xflags on the upper inode as an indication
> > > to merge the origin inode fileattr flags on lookup.
> > >
> > > This gives consistent behavior post copy up regardless of inode eviction
> > > from cache.
> > >
> > > When user sets new fileattr flags, we break the connection with the
> > > origin fileattr by removing the overlay.xflags xattr.
> > >
> > > Note that having the S_IMMUTABLE/S_APPEND on the ovl inode does not
> > > provide the same level of protection as setting those flags on the real
> > > upper inode, because some filesystem check those flags internally in
> > > addition or instead of the vfs checks (e.g. btrfs_may_delete()), but
> > > that is the way it has always been for overlayfs.
> >
> > That's fine, underlying filesystem is just a backing store.
> >
>
> Immutability of underlying files was not my concern.
> My concern was that vfs does not provide full protection and that some
> protection is provided in fs level, because I saw IS_APPEND/IS_IMMUTABLE
> sprinkled all over the place in fs (e.g. ext4_setattr()), but I guess those are
> just leftovers and I was over concerned.

Would be a nice cleanup to get rid of these.   It would also prove
that the vfs protection is sufficient.

>
> > > As can be seen in the comment above ovl_check_origin_xflags(), the
> > > "xflags merge" feature is designed to solve other non-standard behavior
> > > issues related to immutable directories and hardlinks in the future, but
> > > this commit does not bother to fix those cases because those are corner
> > > cases that are probably not so important to fix.
> > >
> > > A word about the design decision to merge the origin and upper xflags -
> > > Because we do not copy up fileattr and because fileattr_set breaks the
> > > link to origin xflags, the only cases where origin and upper inodes both
> > > have xflags is if upper inode was modified not via overlayfs or if the
> > > system crashed during ovl_fileattr_set() before removing the
> > > overlay.xflags xattr.  In both cases, modifiying the upper inode is not
> > > going to be permitted, so it is better to reflect this in the overlay
> > > inode flags.
> >
> > So why not implement the non-merge (#3) behavior unconditionally?
> > That would solve all issues related to fileattr, right?
> >
>
> I suppose so. Note that #3 fileattr_get is still a merge between upper fileattr
> and the 4 overlay stored flags, but for inode flags it will not be a merge.
>
> I can give this a shot.
>
> While you are here, do you think that will be sufficient for the on-disk format
> of overlay.xflags?
>
> struct ovl_xflags {
>         __le32 xflags;
>         __le32 xflags_mask;
> }

I think I'd prefer a slightly more complex, but user friendlier
"+i,-a,..." format.

Thanks,
Miklos