mirror of
https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable.git
synced 2025-10-11 20:27:42 +10:00
2a1867219c
This implements the missing mount_setattr() syscall. While the new mount
api allows to change the properties of a superblock there is currently
no way to change the properties of a mount or a mount tree using file
descriptors which the new mount api is based on. In addition the old
mount api has the restriction that mount options cannot be applied
recursively. This hasn't changed since changing mount options on a
per-mount basis was implemented in [1] and has been a frequent request
not just for convenience but also for security reasons. The legacy
mount syscall is unable to accommodate this behavior without introducing
a whole new set of flags because MS_REC | MS_REMOUNT | MS_BIND |
MS_RDONLY | MS_NOEXEC | [...] only apply the mount option to the topmost
mount. Changing MS_REC to apply to the whole mount tree would mean
introducing a significant uapi change and would likely cause significant
regressions.
The new mount_setattr() syscall allows to recursively clear and set
mount options in one shot. Multiple calls to change mount options
requesting the same changes are idempotent:
int mount_setattr(int dfd, const char *path, unsigned flags,
struct mount_attr *uattr, size_t usize);
Flags to modify path resolution behavior are specified in the @flags
argument. Currently, AT_EMPTY_PATH, AT_RECURSIVE, AT_SYMLINK_NOFOLLOW,
and AT_NO_AUTOMOUNT are supported. If useful, additional lookup flags to
restrict path resolution as introduced with openat2() might be supported
in the future.
The mount_setattr() syscall can be expected to grow over time and is
designed with extensibility in mind. It follows the extensible syscall
pattern we have used with other syscalls such as openat2(), clone3(),
sched_{set,get}attr(), and others.
The set of mount options is passed in the uapi struct mount_attr which
currently has the following layout:
struct mount_attr {
__u64 attr_set;
__u64 attr_clr;
__u64 propagation;
__u64 userns_fd;
};
The @attr_set and @attr_clr members are used to clear and set mount
options. This way a user can e.g. request that a set of flags is to be
raised such as turning mounts readonly by raising MOUNT_ATTR_RDONLY in
@attr_set while at the same time requesting that another set of flags is
to be lowered such as removing noexec from a mount tree by specifying
MOUNT_ATTR_NOEXEC in @attr_clr.
Note, since the MOUNT_ATTR_<atime> values are an enum starting from 0,
not a bitmap, users wanting to transition to a different atime setting
cannot simply specify the atime setting in @attr_set, but must also
specify MOUNT_ATTR__ATIME in the @attr_clr field. So we ensure that
MOUNT_ATTR__ATIME can't be partially set in @attr_clr and that @attr_set
can't have any atime bits set if MOUNT_ATTR__ATIME isn't set in
@attr_clr.
The @propagation field lets callers specify the propagation type of a
mount tree. Propagation is a single property that has four different
settings and as such is not really a flag argument but an enum.
Specifically, it would be unclear what setting and clearing propagation
settings in combination would amount to. The legacy mount() syscall thus
forbids the combination of multiple propagation settings too. The goal
is to keep the semantics of mount propagation somewhat simple as they
are overly complex as it is.
The @userns_fd field lets user specify a user namespace whose idmapping
becomes the idmapping of the mount. This is implemented and explained in
detail in the next patch.
[1]: commit 2e4b7fcd92 ("[PATCH] r/o bind mounts: honor mount writer counts at remount")
Link: https://lore.kernel.org/r/20210121131959.646623-35-christian.brauner@ubuntu.com
Cc: David Howells <dhowells@redhat.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-api@vger.kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
137 lines
4.8 KiB
C
137 lines
4.8 KiB
C
#ifndef _UAPI_LINUX_MOUNT_H
|
|
#define _UAPI_LINUX_MOUNT_H
|
|
|
|
#include <linux/types.h>
|
|
|
|
/*
|
|
* These are the fs-independent mount-flags: up to 32 flags are supported
|
|
*
|
|
* Usage of these is restricted within the kernel to core mount(2) code and
|
|
* callers of sys_mount() only. Filesystems should be using the SB_*
|
|
* equivalent instead.
|
|
*/
|
|
#define MS_RDONLY 1 /* Mount read-only */
|
|
#define MS_NOSUID 2 /* Ignore suid and sgid bits */
|
|
#define MS_NODEV 4 /* Disallow access to device special files */
|
|
#define MS_NOEXEC 8 /* Disallow program execution */
|
|
#define MS_SYNCHRONOUS 16 /* Writes are synced at once */
|
|
#define MS_REMOUNT 32 /* Alter flags of a mounted FS */
|
|
#define MS_MANDLOCK 64 /* Allow mandatory locks on an FS */
|
|
#define MS_DIRSYNC 128 /* Directory modifications are synchronous */
|
|
#define MS_NOSYMFOLLOW 256 /* Do not follow symlinks */
|
|
#define MS_NOATIME 1024 /* Do not update access times. */
|
|
#define MS_NODIRATIME 2048 /* Do not update directory access times */
|
|
#define MS_BIND 4096
|
|
#define MS_MOVE 8192
|
|
#define MS_REC 16384
|
|
#define MS_VERBOSE 32768 /* War is peace. Verbosity is silence.
|
|
MS_VERBOSE is deprecated. */
|
|
#define MS_SILENT 32768
|
|
#define MS_POSIXACL (1<<16) /* VFS does not apply the umask */
|
|
#define MS_UNBINDABLE (1<<17) /* change to unbindable */
|
|
#define MS_PRIVATE (1<<18) /* change to private */
|
|
#define MS_SLAVE (1<<19) /* change to slave */
|
|
#define MS_SHARED (1<<20) /* change to shared */
|
|
#define MS_RELATIME (1<<21) /* Update atime relative to mtime/ctime. */
|
|
#define MS_KERNMOUNT (1<<22) /* this is a kern_mount call */
|
|
#define MS_I_VERSION (1<<23) /* Update inode I_version field */
|
|
#define MS_STRICTATIME (1<<24) /* Always perform atime updates */
|
|
#define MS_LAZYTIME (1<<25) /* Update the on-disk [acm]times lazily */
|
|
|
|
/* These sb flags are internal to the kernel */
|
|
#define MS_SUBMOUNT (1<<26)
|
|
#define MS_NOREMOTELOCK (1<<27)
|
|
#define MS_NOSEC (1<<28)
|
|
#define MS_BORN (1<<29)
|
|
#define MS_ACTIVE (1<<30)
|
|
#define MS_NOUSER (1<<31)
|
|
|
|
/*
|
|
* Superblock flags that can be altered by MS_REMOUNT
|
|
*/
|
|
#define MS_RMT_MASK (MS_RDONLY|MS_SYNCHRONOUS|MS_MANDLOCK|MS_I_VERSION|\
|
|
MS_LAZYTIME)
|
|
|
|
/*
|
|
* Old magic mount flag and mask
|
|
*/
|
|
#define MS_MGC_VAL 0xC0ED0000
|
|
#define MS_MGC_MSK 0xffff0000
|
|
|
|
/*
|
|
* open_tree() flags.
|
|
*/
|
|
#define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */
|
|
#define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */
|
|
|
|
/*
|
|
* move_mount() flags.
|
|
*/
|
|
#define MOVE_MOUNT_F_SYMLINKS 0x00000001 /* Follow symlinks on from path */
|
|
#define MOVE_MOUNT_F_AUTOMOUNTS 0x00000002 /* Follow automounts on from path */
|
|
#define MOVE_MOUNT_F_EMPTY_PATH 0x00000004 /* Empty from path permitted */
|
|
#define MOVE_MOUNT_T_SYMLINKS 0x00000010 /* Follow symlinks on to path */
|
|
#define MOVE_MOUNT_T_AUTOMOUNTS 0x00000020 /* Follow automounts on to path */
|
|
#define MOVE_MOUNT_T_EMPTY_PATH 0x00000040 /* Empty to path permitted */
|
|
#define MOVE_MOUNT__MASK 0x00000077
|
|
|
|
/*
|
|
* fsopen() flags.
|
|
*/
|
|
#define FSOPEN_CLOEXEC 0x00000001
|
|
|
|
/*
|
|
* fspick() flags.
|
|
*/
|
|
#define FSPICK_CLOEXEC 0x00000001
|
|
#define FSPICK_SYMLINK_NOFOLLOW 0x00000002
|
|
#define FSPICK_NO_AUTOMOUNT 0x00000004
|
|
#define FSPICK_EMPTY_PATH 0x00000008
|
|
|
|
/*
|
|
* The type of fsconfig() call made.
|
|
*/
|
|
enum fsconfig_command {
|
|
FSCONFIG_SET_FLAG = 0, /* Set parameter, supplying no value */
|
|
FSCONFIG_SET_STRING = 1, /* Set parameter, supplying a string value */
|
|
FSCONFIG_SET_BINARY = 2, /* Set parameter, supplying a binary blob value */
|
|
FSCONFIG_SET_PATH = 3, /* Set parameter, supplying an object by path */
|
|
FSCONFIG_SET_PATH_EMPTY = 4, /* Set parameter, supplying an object by (empty) path */
|
|
FSCONFIG_SET_FD = 5, /* Set parameter, supplying an object by fd */
|
|
FSCONFIG_CMD_CREATE = 6, /* Invoke superblock creation */
|
|
FSCONFIG_CMD_RECONFIGURE = 7, /* Invoke superblock reconfiguration */
|
|
};
|
|
|
|
/*
|
|
* fsmount() flags.
|
|
*/
|
|
#define FSMOUNT_CLOEXEC 0x00000001
|
|
|
|
/*
|
|
* Mount attributes.
|
|
*/
|
|
#define MOUNT_ATTR_RDONLY 0x00000001 /* Mount read-only */
|
|
#define MOUNT_ATTR_NOSUID 0x00000002 /* Ignore suid and sgid bits */
|
|
#define MOUNT_ATTR_NODEV 0x00000004 /* Disallow access to device special files */
|
|
#define MOUNT_ATTR_NOEXEC 0x00000008 /* Disallow program execution */
|
|
#define MOUNT_ATTR__ATIME 0x00000070 /* Setting on how atime should be updated */
|
|
#define MOUNT_ATTR_RELATIME 0x00000000 /* - Update atime relative to mtime/ctime. */
|
|
#define MOUNT_ATTR_NOATIME 0x00000010 /* - Do not update access times. */
|
|
#define MOUNT_ATTR_STRICTATIME 0x00000020 /* - Always perform atime updates */
|
|
#define MOUNT_ATTR_NODIRATIME 0x00000080 /* Do not update directory access times */
|
|
|
|
/*
|
|
* mount_setattr()
|
|
*/
|
|
struct mount_attr {
|
|
__u64 attr_set;
|
|
__u64 attr_clr;
|
|
__u64 propagation;
|
|
__u64 userns_fd;
|
|
};
|
|
|
|
/* List of all mount_attr versions. */
|
|
#define MOUNT_ATTR_SIZE_VER0 32 /* sizeof first published struct */
|
|
|
|
#endif /* _UAPI_LINUX_MOUNT_H */
|