Received: by 10.213.65.68 with SMTP id h4csp438837imn; Wed, 28 Mar 2018 06:34:14 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/9Pr2h5dBT4f43JzfGv15mgygekYD4A8b+9myiQ+y6DH+1rF95KdO8+Y3xIs6kXnDpjCxr X-Received: by 2002:a17:902:5409:: with SMTP id d9-v6mr3929687pli.176.1522244054524; Wed, 28 Mar 2018 06:34:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522244054; cv=none; d=google.com; s=arc-20160816; b=Ab0qu2yjQAi1etIMz8qqMs6KmnnNCPhj1KmGbxFjPtGlJ4OwvSnbBHkWMypfZZYBdh d34ZG+St5VeiFa7A2gNS456ODncCgHjxfrG7BoT73+1czLFYMPO1JEB3tkBbGZhTJRys MFRePYlnO/IMRudnxwLwK8Fb/dP32UAiggTi3j/7mucL+Cgn4lwEBtiJ/KX6iG118OJa uxlHqTZH5RFiC4HB5Ti81cSvCMLV41ymxQD8QokeSgnxmtJaxNyYsFwSzMa99/hp6zWo ajHleJKD27yKPTmoCAGQ7DEh0y7u9j9xQjvD7DdlXt45uHn9APn4Q879k6DXJ3eDlw1D DuxA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature :arc-authentication-results; bh=1Lep/sjbNsCnXoOu39qGxxjmc3HsFRPBaDBwiIfusL8=; b=nXfq8PJQcOoOuNYygEMlMTDb9mL8ctrmVTgA4I3roveRuBaqbr7jPH0hYP0t0wgJS/ zv36vjfa7+LiDEb1I+hVsAfpPTVX2UhbSAhWWiWHim6JZCma4N0Yym7POflSKpAwzBJw jEG9lYwPpB2dcCVf3lee8IexRvlKIZGdGRaXeEevcQTHC0XVtrkcDpI1kkwDmbCs0Z2y W6VpyXMcealIhE0/rXljcDNzBupvVcJkKU/fykigOLRpPcPffRQmlyEak0TYxnei9l/M iyLqgD566g68fwt2ZgbMAV9x31o8NZaWXnhtZKCmx3SWp8WUaQLgcwV20HbvC1YsFPDO ZajA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=FUHPuL/q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l185si2448962pgd.108.2018.03.28.06.34.00; Wed, 28 Mar 2018 06:34:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=FUHPuL/q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752796AbeC1NdG (ORCPT + 99 others); Wed, 28 Mar 2018 09:33:06 -0400 Received: from mail-pl0-f66.google.com ([209.85.160.66]:42105 "EHLO mail-pl0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751219AbeC1NdE (ORCPT ); Wed, 28 Mar 2018 09:33:04 -0400 Received: by mail-pl0-f66.google.com with SMTP id g20-v6so1566662plo.9; Wed, 28 Mar 2018 06:33:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=1Lep/sjbNsCnXoOu39qGxxjmc3HsFRPBaDBwiIfusL8=; b=FUHPuL/qXgiycKUUk9dEAOXa3Gg5Mhf5rrwk9jYFA/6jBRwMo9oYz3Y+TJM6jEISsh 2VNg0YLhGHqsruE1TSnl+793e73y8LlGkdBeWMvUc4wiS3gNHTlHfBZFHqsHnG/4cTSR +E3oOklyA3rRw0uHQX8dIO8vDD71oNdTk2ORVdgtCgFoUrFOvwfmK1ojSit+Zm5ZrcaF UGKQ899nDT9hM0xCaGippkwVJiG+Fc7OQSYBMhtrfhU7GFLcq43Y9S45tr3hs9UHMuDF puam2klKKn72bv6c6N/iNcaT7k0lfTffhIfd0tshxgS3JUq8v9CFZKRy9FR9wcd9A2yE NDpw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:to:cc:references:from:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=1Lep/sjbNsCnXoOu39qGxxjmc3HsFRPBaDBwiIfusL8=; b=HHahcWGGEsNHeONlZg+ex8DqiT2KrjsUenPuZNQG6vqMsuHw83061pQDI/estp4lqT nDJlwBk02oBPi0x/ctdPqL6eLdfcsw+XkXtg+o2FWCyhHwdVupgEPgE5xctGv3gz3BBI 8nR6gORZCGVHQTLdiuo8ex4e1xJd+jtsmWatc5/Vx54C9xHqHgymiAq1uCdO0Z/V6lD7 mNGlqHq7xF6xxix9tOkJma1rhi2Wdw3xrnDl7BktewwLj/gRsqTIvAFVzmA87gDM7uNg nykwgwxJDYgra25b6C8oSfsnnKhCLE5Sd1V73OMAoNtS9ohZ+5Lht3lNt6PmJsvjuijd 49hw== X-Gm-Message-State: AElRT7G5eLfDgB9dPADZiiwWbK7Sqeq49JYbh3gzcUE+vPShpqg2MD+m Y/bUrZQkkB37lTXERZkd9WQ= X-Received: by 2002:a17:902:d03:: with SMTP id 3-v6mr3873464plu.245.1522243984258; Wed, 28 Mar 2018 06:33:04 -0700 (PDT) Received: from server.roeck-us.net (108-223-40-66.lightspeed.sntcca.sbcglobal.net. [108.223.40.66]) by smtp.gmail.com with ESMTPSA id e3sm8863612pfb.120.2018.03.28.06.33.02 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Mar 2018 06:33:03 -0700 (PDT) Subject: Re: [PATCH] ecryptfs: Restore support for both encrypted and unencrypted file names To: Tyler Hicks Cc: ecryptfs@vger.kernel.org, linux-kernel@vger.kernel.org, Al Viro References: <1518561368-8324-1-git-send-email-linux@roeck-us.net> <740f5325-331d-d38c-e9d4-5f81b95a6872@canonical.com> From: Guenter Roeck Message-ID: <6f35b462-8c36-5ba3-4712-a0782961e548@roeck-us.net> Date: Wed, 28 Mar 2018 06:33:02 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <740f5325-331d-d38c-e9d4-5f81b95a6872@canonical.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/27/2018 08:58 AM, Tyler Hicks wrote: > Hello Guenter > > On 02/13/2018 04:36 PM, Guenter Roeck wrote: >> Commit 88ae4ab9802e ("ecryptfs_lookup(): try either only encrypted or >> plaintext name") was supposed to fix a situation where two files with >> the same name and same inode could be created in ecryptfs. One of those >> files had an encrypted file name, the other file name was unencrypted. > > That's correct. Al was concerned about possible deadlocks with aliased > dentries and I thought it would be best to only support encrypted and > unencrypted but not both. > >> >> After commit 88ae4ab9802e, having a mix of encrypted and unencrypted file >> names is no longer supposed to be possible. However, that is not the case. >> The only difference is that it is now even easier to create a situation >> where two files with the same name coexist (one encrypted and the other >> not encrypted). In practice, this looks like the following (files >> created with v4.14.12). >> >> ecryptfs mounted with file name encryption enabled: >> >> $ ls -li >> total 48 >> 5252822 -rw-rw-r-- 1 groeck groeck 10 Jan 20 13:02 myfile >> 5252822 -rw-rw-r-- 1 groeck groeck 10 Jan 20 13:02 myfile >> 5252824 -rw-rw-r-- 1 groeck groeck 10 Jan 20 15:36 myfile2 >> 5252824 -rw-rw-r-- 1 groeck groeck 10 Jan 20 15:36 myfile2 >> $ grep . * >> myfile:encrypted >> myfile:encrypted >> myfile2:encrypted >> myfile2:encrypted >> >> $ ls -li >> total 48 >> 5252824 -rw-rw-r-- 1 groeck groeck 10 Jan 20 15:36 >> ECRYPTFS_FNEK_ENCRYPTED.FWbF9U6H6L6ekEZYGWnkfR4wMiyeTVoCeVun.BU8Zu5-njbcIPoApxk7-E-- >> 5252822 -rw-rw-r-- 1 groeck groeck 10 Jan 20 13:02 >> ECRYPTFS_FNEK_ENCRYPTED.FWbF9U6H6L6ekEZYGWnkfR4wMiyeTVoCeVunt0fda7t9YCtJ70cm911yZ--- >> 5252817 -rw-rw-r-- 1 groeck groeck 12 Jan 20 12:52 myfile >> 5252827 -rw-rw-r-- 1 groeck groeck 12 Jan 20 15:37 myfile2 >> >> $ grep . * >> ECRYPTFS_FNEK_ENCRYPTED.FWbF9U6H6L6ekEZYGWnkfR4wMiyeTVoCeVun.BU8Zu5-njbcIPoApxk7-E--:encrypted >> ECRYPTFS_FNEK_ENCRYPTED.FWbF9U6H6L6ekEZYGWnkfR4wMiyeTVoCeVunt0fda7t9YCtJ70cm911yZ---:encrypted >> myfile:unencrypted >> myfile2:unencrypted >> >> Creating a file with file name encryption disabled and remounting with >> file name encryption enabled results in the following. >> >> $ ls -li >> ls: cannot access 'myfile3': No such file or directory >> total 48 >> 5252822 -rw-rw-r-- 1 groeck groeck 10 Jan 20 13:02 myfile >> 5252822 -rw-rw-r-- 1 groeck groeck 10 Jan 20 13:02 myfile >> 5252824 -rw-rw-r-- 1 groeck groeck 10 Jan 20 15:36 myfile2 >> 5252824 -rw-rw-r-- 1 groeck groeck 10 Jan 20 15:36 myfile2 >> ? -????????? ? ? ? ? ? myfile3 >> >> Prior to commit 88ae4ab9802e, the file system had to be mounted with >> encrypted file names first to create a file, then the same had to be >> repeated after mounting with unencrypted file names. Now the duplicate >> files can be created both ways (unencrypted _or_ encrypted first). >> >> The only real difference is that it is no longer possible to have a >> _working_ combination of encrypted and unencrypted file names. In other >> words, commit 88ae4ab9802e results in reduced functionality with no >> benefit whatsoever. >> >> Restore ability to have a mix of unencrypted and encrypted files. >> This effectively reverts commit 88ae4ab9802e, but the code is now >> better readable since it avoids a number of goto statements. > > I'd like for us to correctly fix 88ae4ab9802e rather than try to support > both filename types under a single mount since that's complex and there > are unknown corner cases to consider. I think this can be done by not > copying up the lower filename when an error is encountered in > ecryptfs_decode_and_decrypt_filename(). If filename encryption is > enabled, it should only return decrypted filenames or an error if it > isn't possible to decrypt the lower filename. > NP. I'll leave it alone, then. Since our use case requires both encrypted and unencrypted file names, our "fix" will be to carry this patch along locally as long as needed and stop using ecryptfs otherwise. Guenter > Tyler > >> >> Cc: Al Viro >> Signed-off-by: Guenter Roeck >> --- >> fs/ecryptfs/inode.c | 10 +++++----- >> 1 file changed, 5 insertions(+), 5 deletions(-) >> >> diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c >> index 847904aa63a9..14a5c096ead6 100644 >> --- a/fs/ecryptfs/inode.c >> +++ b/fs/ecryptfs/inode.c >> @@ -392,11 +392,11 @@ static struct dentry *ecryptfs_lookup(struct inode *ecryptfs_dir_inode, >> int rc = 0; >> >> lower_dir_dentry = ecryptfs_dentry_to_lower(ecryptfs_dentry->d_parent); >> - >> + lower_dentry = lookup_one_len_unlocked(name, lower_dir_dentry, len); >> mount_crypt_stat = &ecryptfs_superblock_to_private( >> ecryptfs_dentry->d_sb)->mount_crypt_stat; >> - if (mount_crypt_stat >> - && (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) { >> + if (IS_ERR(lower_dentry) && >> + (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)) { >> rc = ecryptfs_encrypt_and_encode_filename( >> &encrypted_and_encoded_name, &len, >> mount_crypt_stat, name, len); >> @@ -405,10 +405,10 @@ static struct dentry *ecryptfs_lookup(struct inode *ecryptfs_dir_inode, >> "filename; rc = [%d]\n", __func__, rc); >> return ERR_PTR(rc); >> } >> - name = encrypted_and_encoded_name; >> + lower_dentry = lookup_one_len_unlocked( >> + encrypted_and_encoded_name, lower_dir_dentry, len); >> } >> >> - lower_dentry = lookup_one_len_unlocked(name, lower_dir_dentry, len); >> if (IS_ERR(lower_dentry)) { >> ecryptfs_printk(KERN_DEBUG, "%s: lookup_one_len() returned " >> "[%ld] on lower_dentry = [%s]\n", __func__, >> > >