Received: by 2002:ac0:950c:0:0:0:0:0 with SMTP id f12csp2957842imc;
        Wed, 13 Mar 2019 05:37:04 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzHYhyNs22AKHV4NdfwotKqDyk6j0QeWHTDRVyydhptwBRPwQf8W48cTgLaFsrIRrpoWhMr
X-Received: by 2002:a63:9246:: with SMTP id s6mr39411285pgn.349.1552480623986;
        Wed, 13 Mar 2019 05:37:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1552480623; cv=none;
        d=google.com; s=arc-20160816;
        b=BS6NXr88aAFXTOAVutzoL0nc4FTuud3GL7+VhLaAU83ZS0fOClLn7NfOrw/E7Bxtx8
         ToyXYKqzORCwaReQHKr2kR388Nb4JopKGQeNAwWRqM1lfJw8G5oL/3UaYvX5GxB6y1c6
         TKuL1uO1GAEmlhwEDz4Lf0DXDiYOGiMEsIzJkRMnw6xjOpLtGib+mo5lPwKxtF3uzzg9
         bqpTVdrsafziDSx9v49GP5G7tadKIW1TdQhcEIp557gUrRCZCszo19gZX5cIpWBkZ8QC
         ya5aT/m9AKVqjPr+EUDItKWkN9WPPL2ut2LA2ctOr45IhyNn8HDiLToYqVf/CN3Wq5Fg
         nb4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=8M7jpcAWxt1MRSZjQz5VUxSxh/NDSR9u4xI/RScLgBo=;
        b=rfSW3521anCPh1J2BkkPBi45In4oBxHspez3hYogknHL69w4+7PReTe1LoYFNlW7E1
         VLKWvWTEJtWx6YvukGKYfLKfDxS1t8/CxJa8QeP6KNZ51lrIweRMXdZIo+lcYnOMKSOg
         b9+IguZmp0NUxLpyQ38C8t5pCsQ2r4TLjMfx5g1kjU+WYMBg0bIX7B4H30OqTnZ/DVwc
         HAwcdwk/d08VPKne2F/OpdIbvT1RWPKmURWTEYANXPr0NXwGxKgeZRH7honB3I/w62B6
         ELlNGgWw9k6GarSula+GxOkgsnEiyEP3oQw1zcqKezrjaPmydjVZoirK1Xq+VuUSZnnb
         /ztQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=IwmGp9KX;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m3si10876292plt.310.2019.03.13.05.36.48;
        Wed, 13 Mar 2019 05:37:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=IwmGp9KX;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726549AbfCMMgO (ORCPT <rfc822;michael.k.kehoe@gmail.com>
        + 99 others); Wed, 13 Mar 2019 08:36:14 -0400
Received: from mail-it1-f196.google.com ([209.85.166.196]:35423 "EHLO
        mail-it1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726339AbfCMMgO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Mar 2019 08:36:14 -0400
Received: by mail-it1-f196.google.com with SMTP id 188so2586141itb.0
        for <linux-kernel@vger.kernel.org>; Wed, 13 Mar 2019 05:36:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=szeredi.hu; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=8M7jpcAWxt1MRSZjQz5VUxSxh/NDSR9u4xI/RScLgBo=;
        b=IwmGp9KXuoK4baC8xTq7eUnQK5GFL6kN5Yig6lfmLORi8CzJLIb/yz9EEFkZqY4bw5
         9D/0SS9bTiPtlcf6BBdH0PZutAzdRoC1hTzvuIRqdFizHG0AKGbfpRhu/84fUtHW0fRu
         vmgjbRaNwT95jVfmE1c2IhQoW2w4H6Eu1ryAg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=8M7jpcAWxt1MRSZjQz5VUxSxh/NDSR9u4xI/RScLgBo=;
        b=WHzTDtXp2BllDl6LdZgaB3usIbNeasdNOyHLzK72RAJWrOcz3usT6qU3KmkLhq+8mj
         kJKPCItcyGwu7x++zRA/XsEWrIV3csW7ON7U/gP22PqhQ3qhWwy/oan+Jp0UaXZzVIyA
         yAOiLKUHm3LPu1lJhXwcngm16lrNDMf3ixKGDQGitfQNx1gwF1wW8BCjms8a3quVomeP
         phDn25Fs6+okgkm3Imxvzx5jI/lN/0fqmESraJCo+Pi8ICvhfxrCiw2sYhAwAUpZJzwF
         Yo0ViAXhre7/jwGYED7WqHEOiqbGbKaGprxMPO9xUTY00VXpxd/gkx6+zC3f5YwK4SKm
         dY4A==
X-Gm-Message-State: APjAAAUfhdcpaKmzWc/XAGNIutdOYjkpZXZOwpczPsN9xP/aKKMn3UfB
        0xK0ktQbse7Hj6745EhNwiXrVWOpmunbT3WizHU20g==
X-Received: by 2002:a24:4161:: with SMTP id x94mr1490157ita.69.1552480572920;
 Wed, 13 Mar 2019 05:36:12 -0700 (PDT)
MIME-Version: 1.0
References: <4603533.ZIfxmiEf7K@blindfold>
In-Reply-To: <4603533.ZIfxmiEf7K@blindfold>
From:   Miklos Szeredi <miklos@szeredi.hu>
Date:   Wed, 13 Mar 2019 13:36:02 +0100
Message-ID: <CAJfpegsy31D+=VJ+By2a9TLCvZJwvAUpb+_bJ5JVTsmsbZJTKQ@mail.gmail.com>
Subject: Re: overlayfs vs. fscrypt
To:     Richard Weinberger <richard@nod.at>
Cc:     linux-fsdevel@vger.kernel.org, linux-fscrypt@vger.kernel.org,
        overlayfs <linux-unionfs@vger.kernel.org>,
        linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 13, 2019 at 1:31 PM Richard Weinberger <richard@nod.at> wrote:
>
> Hi!
>
> overlayfs and fscrypt are not friends.
> Currently it is not possible to use a fscrypt encrypted directory as upper
> directory with overlayfs.
> The reason for that is, fscrypt implements ->d_revalidate().
>
> From fscrypt's point of view having ->d_revalidate() makes sense because it
> wants to hide/show encrypted filenames if someone loads or unlinks a key.
>
> On the other hand, overlayfs makes sure that the upper directory cannot
> change beneath it. Therefore it checks whether the upper directory is a remote
> filesystem by checking for ->d_revalidate() and refuses to mount if so.
>
> In my little embedded Linux world it is common to use both UBIFS and
> overlayfs. Now with UBIFS being encrypted using fscrypt, overlayfs is a
> problem.
> My current hack is not using fscrypt_d_ops in UBIFS. This works because on a
> typical embedded target you setup your crypto keys exactly once, right before
> you mount overlayfs in an initramfs.
>
> But I'm sure this problem will hit sooner or later users of ext4 and f2fs too.
> Therefore I'd like to discuss possible solutions.
>
> So far I see two options:
>
> 1. Get rid of ->d_revalidate() in fscrypt.
> Maybe we find a way to return a dentry via ->lookup() which is not cached at
> all and therefore no ->d_revalidate() is needed. If unreadable and encrypted
> filename lookups are slow, so what?
> AFAIU this approach is impossible in the current dcache design since it is not
> allowed to have more than one dentry to the same file.

I don't get it.  Does fscrypt try to check permissions via
->d_revalidate?  Why is it not doing that via ->permission()?

>
> 2. Teach overlayfs to deal with a upper that has ->d_revalidate().
> Given the complexity of overlayfs I'm not sure how feasible this is.
> But I'm no overlayfs expert, maybe I miss something.

I don't think it would be too complex.  But first I'd like to
understand exactly why fscrypt is (ab) using d_revalidate().

Thanks,
Miklos