1. 09 Mar, 2019 26 commits
    • J. R. Okajima's avatar
      aufs: mount option, warning about the permissions · 59444fad
      J. R. Okajima authored
      
      
      While most people (especially who use tmpfs as top writable branch)
      doesn't care, I care and think it can be a security problem.
      For example, when the lower readonly branch may contain
      /etc/{passwd,shadow} and the permission bits of the upper empty
      branch is world-writable, then a malicious user can make these files
      manually with by-passing aufs.
      Aufs can do nothing but produce a warning.
      
      For details, see aufs manual in aufs-util.git.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      59444fad
    • J. R. Okajima's avatar
      aufs: dirren 6/6, mount options · 852c25f7
      J. R. Okajima authored
      
      
      Introduce the new mount options, dirren and nodirren, which activates
      and deactivates DIRREN feature.
      In remount and unmount, the inum-list per branch should be flushed to
      the file.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      852c25f7
    • J. R. Okajima's avatar
      aufs: dirren 1/6, inum-list of the renamed dir in a branch · 53c63b41
      J. R. Okajima authored
      
      
      This commits brings a list of the inode numbers which indicates the
      logically renamed dir into a branch. The list will be referred in
      lookup, and its lifetime is equivalent to the branch's, ie. the list is
      loaded/created in adding a branch, and stored/deleted in deleting a
      branch. The simple storing happens in remounting and unmounting aufs
      too.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      53c63b41
    • J. R. Okajima's avatar
      aufs: statfs sum options · 4541724e
      J. R. Okajima authored
      
      
      Since aufs can have multiple writable branches, these options are
      useful.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      4541724e
    • J. R. Okajima's avatar
      aufs: dirwh option · 0b7972a4
      J. R. Okajima authored
      
      
      This is a feature to optimize for rmdir and rename dir.
      When the number of whiteouts under the target dir is very many, it may
      take a long time to remove them all. To prevent this, 'dirwh=%d' option
      specifies the watermark to decide when to remove them.
      
      For details, see aufs manual in aufs-util.git.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      0b7972a4
    • J. R. Okajima's avatar
      aufs: dirperm1 option · b3b9c456
      J. R. Okajima authored
      
      
      Sometimes the aufs policy to respect the branch fs's permission bits
      makes users confused. IE. the direcotry permission bits on the top branch
      allows users to read, but the lower branch prohibts. This option may be
      useful for such case.
      See also the document in this commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      b3b9c456
    • J. R. Okajima's avatar
      aufs: branch management, modify the permission and attribute · 6462d8eb
      J. R. Okajima authored
      
      
      The permissions and attributes of a branch can be modified dynamically.
      See also the document in this commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      6462d8eb
    • J. R. Okajima's avatar
      aufs: branch management, delete 3/3, mount option · dea1d77c
      J. R. Okajima authored
      
      
      Implement the user interface.
      Since users often wonder "Why I cannot delete this branch?", 'verbose'
      option was introduced.
      
      You may think aufs should not hold several strings for the variation of
      the option, and the mount helper (/sbin/mount.aufs) can convert all
      variations to a single fixed string, and in kernel space aufs should
      contain this only one string.
      I agree, but in our real world, many users don't install
      /sbin/mount.aufs. To be convenient, aufs contains these variations.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      dea1d77c
    • J. R. Okajima's avatar
      aufs: branch management, delete 2/3, body · b79632ef
      J. R. Okajima authored
      
      
      Delete a branch which is not busy.
      Aufs judges the branch is deletable by testing the opened files, the
      cached dentries and inodes. Even if a directory is in use, as long as
      the same named entry exist on another branch, then the branch is
      deletable.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      b79632ef
    • J. R. Okajima's avatar
      aufs: udba=none has no ->getattr() 2/2, refresh inode_operations · e4dbdb8c
      J. R. Okajima authored
      
      
      An enhancement for udba=none if possible.
      The condition is same to the 'no ->d_revalidate()' patch series.
      Refresh i_op in all cached inodes at the remount-time.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      e4dbdb8c
    • J. R. Okajima's avatar
      aufs: dentry op, opt-out ->d_revalidate() · ab70d2ad
      J. R. Okajima authored
      
      
      Optimize out ->d_revalidate() if possible.
      If the refreshing failed, then ->d_revalidate() remains. In this case,
      aufs has two types of dentries. One has ->d_revalidate, the other
      doesn't. I am afraid it will confuse me someday.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      ab70d2ad
    • J. R. Okajima's avatar
      aufs: remount 4/5, refresh the internal branch array · fb70a624
      J. R. Okajima authored
      
      
      Maintain the internal array including corresponding XINO file and sysfs
      entries.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      fb70a624
    • J. R. Okajima's avatar
      aufs: virtual or vertical directory 1/2, intro · 47118316
      J. R. Okajima authored
      
      
      This commit is just to prepare for the succeeding commit, and split to
      suppress the size of a single commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      47118316
    • J. R. Okajima's avatar
      aufs: hnotify 3/3, callers · f8ec4890
      J. R. Okajima authored
      
      
      In order to prevent firing the notify event from aufs itself, hnotify
      feature is suspend/resume-able. They are combined with mutex lock/unlock
      for the parent dir.
      
      See also previous commits.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      f8ec4890
    • J. R. Okajima's avatar
      aufs: hnotify 1/3, headers · 9dc58c2b
      J. R. Okajima authored
      
      
      This is the hardest test to support UDBA (users' direct branch access).
      It uses 'fsnotify' internally.  Detecting UDBA, decrements the
      generation of the cached aufs objects.  In the next access to the file,
      aufs detects the generation is obsoleted and tries refreshing it.
      Eventually aufs cache will be updated to latest status.
      
      The fsnotify is set on the cached dirs on the non-RR branches.
      The RR (real readonly) branches will never be modified and it is
      unnecessary to set fsnotify for them.
      
      This commit is for the declarations mainly, and the body parts will be
      in succeeding commits.
      
      This feature is compiled only when CONFIG_AUFS_HNOTIFY is enabled.
      See also the document in this commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      9dc58c2b
    • J. R. Okajima's avatar
      aufs: DIO and dynamically customize address_space_operations · 5b336293
      J. R. Okajima authored
      
      
      As a result of branch management, the virtual inode may point a
      different real inode from it used to. And aufs has to maintain its
      address_space_operations, since its definition may affect the
      behaviour.
      I know some people (including grsec-patch) doesn't like a non-const
      address_space_operations, but in order to keep the consistency of the
      behaviour, the correct address_space_operations is important.
      
      See also the document in this commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      5b336293
    • J. R. Okajima's avatar
      aufs: users' direct branch access · 27c33497
      J. R. Okajima authored
      
      
      Aufs allows users' direct branch access (UDBA), ie. by-passing aufs.
      Of course it will make aufs inode/dentry-caches obsolete. In order to
      detect such change by the several tests, "udba=" option is introduced.
      
      For details, see lookup.txt in later commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      27c33497
    • J. R. Okajima's avatar
      aufs: writable branch select policy 2/2, variations · 2ef06b5a
      J. R. Okajima authored
      
      
      Several policies to select one among multiple writable branches.
      See also the document in previous commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      2ef06b5a
    • J. R. Okajima's avatar
      aufs: writable branch select policy 1/2, core · 60b24eed
      J. R. Okajima authored
      
      
      Aufs can have multiple writable branches, and there are several
      policies to select one among them.
      This commit implements default "top-down-parent" for both of
      creating-policy and copyup-policy.
      
      See also the document in this commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      60b24eed
    • J. R. Okajima's avatar
      aufs: writable branch 2/3, body · 59ad1975
      J. R. Okajima authored
      
      
      Actually prepare the whiteout bases on the adding writable branch.
      For details, refer to previous commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      59ad1975
    • J. R. Okajima's avatar
      aufs: pseudo-link and procfs support · c7ae8357
      J. R. Okajima authored
      
      
      Aufs pseudo-link (plink) represents a virtual hardlink across the
      branches. To implement the plink maintenance mode, aufs uses procfs.
      See also the document in this commit.
      
      There is an external user-space utility called 'auplink' in
      aufs-util.git, which has these features.
      - 'list' shows the pseudo-linked inode numbers and filenames.
      - 'cpup' copies-up all pseudo-link to the writable branch.
      - 'flush' calls 'cpup', and then 'mount -o remount,clean_plink=inum'
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      c7ae8357
    • J. R. Okajima's avatar
      aufs: xino truncation · 2a150b32
      J. R. Okajima authored
      
      
      As mentioned earlier, sometimes the size of XINO file is a problem.
      Aufs has a feature to truncate it asynchronously using workqueue. But it
      may not be so effective in some cases, and you may want to stop
      discontiguous distribution of the inode numbers on branch fs.
      See also the log in another commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      2a150b32
    • J. R. Okajima's avatar
      aufs: xino 2/2, callers · 8fe49c5d
      J. R. Okajima authored
      
      
      XINO and XIB files are read and written frequently after unlinked, and
      it means that the remote filesystems are not suitable for them.
      Additionally aufs shows their metadata via debugfs (in later commit).
      To make it easier to do this, aufs expects branch filesystems to
      maintain their i_size and i_blocks. And it means some filesystem are not
      suitable for XINO.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      8fe49c5d
    • J. R. Okajima's avatar
      aufs: xino 1/2, core · 6fe05098
      J. R. Okajima authored
      
      
      XINO and XIB files are to maintain the inode numbers in aufs
      (cf. struct.txt and aufs manual in aufs-util.git).
      
      XINO file contains just a sequence of the inode numbers, and their
      offset in the file is real_inum x sizeof(inum).  So the size is limited
      by s_maxbytes of the filesystem where XINO file is located.  In order to
      support the larger inum, aufs stores XINO files as an internal array.
      
      Sometimes the size of XINO file can be a problem, ie. too big,
      particularly when XINO files are located on tmpfs. In this case, another
      separate patch tmpfs-ino.patch in aufs4-standalone.git is recommended
      (as well as vfs-ino.patch). The patch makes tmpfs to maintain inode
      number within itself and suppress its discontiguous distribution.
      
      See also the document in next commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      6fe05098
    • J. R. Okajima's avatar
      aufs: readonly branch 2/2, callers · 66bc346d
      J. R. Okajima authored
      
      
      For details, see previous commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      66bc346d
    • J. R. Okajima's avatar
      aufs: readonly branch 1/2, definition · b7051459
      J. R. Okajima authored
      
      
      The branch object is managed by the sbinfo object as an element of its
      internal array. The iinfo and dinfo objects contain the branch id, and
      it will be used to implement the correct order in branch management
      (add/del).
      
      See also the documents in this commit.
      Signed-off-by: default avatarJ. R. Okajima <hooanon05g@gmail.com>
      b7051459