Received: by 2002:ac0:950c:0:0:0:0:0 with SMTP id f12csp3064958imc; Wed, 13 Mar 2019 08:04:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqxMcG+HLnt8L7Q49bQHM4DRU5q7R07gkX16zjIp5i8k5oG7n8UPHy1sM6IHCP6n4A7Qlog2 X-Received: by 2002:a63:5321:: with SMTP id h33mr12036244pgb.168.1552489444654; Wed, 13 Mar 2019 08:04:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552489444; cv=none; d=google.com; s=arc-20160816; b=R9VhvUcGM+B0x7AmPaeIxoKhY/2OVH7uOPYSpyRJNt7CJyxc46wyK8PuIpl52Y1oSk h/GQ6o26x83kPifIzV2sEjLJIq+LZlT9ZYOAM1izjE2HjFpNYYtlcQNqsXos1o9w5iSt pPAqczrGaAjDb2vKLHGzM3ojVr14BNG255OmqHunbTe+1DORRCkwIVKxOW9zpScDbPFj vupoabZe5e35sl/2Bm7o41fIUkrWmCh/cWhOhaFOnE2BjDeiSwk/FBnTLCRfFN4GJCqO tgKDQESGnaLF+6KFb6uMl38rU3tAXlXwM/BPZ5gHNv4cRPcben43/fGsTfb4kWDGuRoj nv9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=jGbloVcRER3R3j/Qs3Hqr457w+hz7J3ciXKdAXxnGEU=; b=oUnLv8YE9JFPzbgrcBAGrXLbrM8TMBEi/ytCDr/VxE72fAsYFkeqLJjwZMppyBOHUT wa3jt1OQ6465CRsXlfGtiUTjHor3IthS4HdHeQ+ZL7LQWi6jfvI6uCJx1/MJH+kcEC+Q c84VBtMLJUMY2EKTAglDFSMJg1Wln5zgP62D86b01KNVjA/l+u7UuQPPyW2Xdohtl5g4 uHq2opY33nNny8dXA6f4XM7uwRbnzqZlAH+3dSQSaf2c6zbNnOl3Wafu3oASMJqz+Yov NTC9TBVRbu+vHBvfxLQAliUCZMoclmDFDE5q97K7J9whQxGx9ZZiDgd3pRqp1tgBvz+u 3z+Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=2gTHzdSY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l192si10800162pfc.147.2019.03.13.08.03.44; Wed, 13 Mar 2019 08:04:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=2gTHzdSY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726655AbfCMPBb (ORCPT + 99 others); Wed, 13 Mar 2019 11:01:31 -0400 Received: from mail.kernel.org ([198.145.29.99]:42718 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725832AbfCMPBa (ORCPT ); Wed, 13 Mar 2019 11:01:30 -0400 Received: from sol.localdomain (c-107-3-167-184.hsd1.ca.comcast.net [107.3.167.184]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DC1B720854; Wed, 13 Mar 2019 15:01:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1552489289; bh=OTCzs9epR1x+rftJKOXM8+vG3z0qr4yHWD+Tpbwfke0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=2gTHzdSY+2ZBI/Ya3hRs7NzN/Y2uSyeSZvL6E0kEYorVxXElfNSWM/hZ0be1tVSi9 j9THNpoSlxXBRoR2OLp47KsuO121pMRNug/5IYe4luwvMWTjU3qs1BHT71xbnzNza3 c6FIRyd+zNEbaqLmwGMokz5s9QWooqfWunou/xLU= Date: Wed, 13 Mar 2019 08:01:27 -0700 From: Eric Biggers To: Miklos Szeredi Cc: Richard Weinberger , linux-fsdevel@vger.kernel.org, linux-fscrypt@vger.kernel.org, overlayfs , linux-kernel@vger.kernel.org Subject: Re: overlayfs vs. fscrypt Message-ID: <20190313150126.GA703@sol.localdomain> References: <4603533.ZIfxmiEf7K@blindfold> <1852545.qrIQg0rEWx@blindfold> <1854703.ve7plDhYWt@blindfold> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.11.3 (2019-02-01) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Miklos, On Wed, Mar 13, 2019 at 02:24:47PM +0100, Miklos Szeredi wrote: > On Wed, Mar 13, 2019 at 2:00 PM Richard Weinberger wrote: > > > > Am Mittwoch, 13. M?rz 2019, 13:58:11 CET schrieb Miklos Szeredi: > > > On Wed, Mar 13, 2019 at 1:47 PM Richard Weinberger wrote: > > > > > > > > Am Mittwoch, 13. M?rz 2019, 13:36:02 CET schrieb Miklos Szeredi: > > > > > I don't get it. Does fscrypt try to check permissions via > > > > > ->d_revalidate? Why is it not doing that via ->permission()? > > > > > > > > Please let me explain. Suppose we have a fscrypto directory /mnt and > > > > I *don't* have the key. > > > > > > > > When reading the directory contents of /mnt will return an encrypted filename. > > > > e.g. > > > > # ls /mnt > > > > +mcQ46ne5Y8U6JMV9Wdq2C > > > > > > Why does showing the encrypted contents make any sense? It could just > > > return -EPERM on all operations? > > > > The use case is that you can delete these files if the DAC/MAC permissions allow it. > > Just like on NTFS. If a user encrypts files, the admin cannot read them but can > > remove them if the user is gone or loses the key. > > There's the underlying filesystem view where admin can delete files, > etc. And there's the fscrypt layer stacked on top of the underlying > fs, which en/decrypts files *in case the user has the key*. What if > one user has a key, but the other one doesn't? Will d_revalidate > constantly switch the set of dentries between the encrypted filenames > and the decrypted ones? Sounds crazy. And the fact that NTFS does > this doesn't make it any less crazy... > fscrypt (aka ext4/f2fs/ubifs encryption) isn't a stacked filesystem. I think you're confusing it with eCryptfs. There's only one "view" of the filesystem. It's true that different processes can put different keys in their process-subscribed keyrings, e.g. their session keyrings. But that doesn't change the fact that each cached inode either has the key or it doesn't, and all users share those same cached inodes. The mistake here is not making the keys be provided at the filesystem level too, and I've proposed to fix that: https://patchwork.kernel.org/cover/10821413/ Note that the the key (->i_crypt_info) is never removed from a cached inode without evicting it. It used to be done, but it was broken and removed. Now a cached inode can only have the key added. For this reason and others, I think fscrypt_d_revalidate() contains unneeded checks and can be simplified to this: static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags) { struct dentry *dir; bool valid; if (flags & LOOKUP_RCU) return -ECHILD; if (dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY) return 1; dir = dget_parent(dentry); valid = (d_inode(dir)->i_crypt_info == NULL); dput(dir); return valid; } I think we can even support RCU mode too. Then, one possibility is to move fscrypt_d_revalidate() to the VFS. If we replace DCACHE_ENCRYPTED_WITH_KEY with the opposite meaning, say DCACHE_CIPHERTEXT_NAME, then the VFS will have everything it needs to just do the equivalent of fscrypt_d_revalidate() directly in d_revalidate() in fs/namei.c. So fscrypt_d_ops won't be needed at all. Something like this: #ifdef CONFIG_FS_ENCRYPTION static inline int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags) { struct dentry *dir; struct inode *dir_inode; if (!(READ_ONCE(dentry->d_flags) & DCACHE_CIPHERTEXT_NAME)) return 1; dir = READ_ONCE(dentry->d_parent); dir_inode = READ_ONCE(dir->d_inode); return READ_ONCE(dir_inode->i_crypt_info) == NULL; } #else static inline int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags) { return 1; } #endif static inline int d_revalidate(struct dentry *dentry, unsigned int flags) { int status; if (unlikely(dentry->d_flags & DCACHE_OP_REVALIDATE)) status = dentry->d_op->d_revalidate(dentry, flags); else status = 1; if (status > 0) status = fscrypt_d_revalidate(dentry, flags); return status; } What do you think about this? - Eric