Received: by 2002:ac0:950c:0:0:0:0:0 with SMTP id f12csp3347168imc;
        Wed, 13 Mar 2019 15:43:03 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwAdN/MhJ/XlodPnRC35oEjzur9KFKsKCpKIr7CsukeEUbhJtfbOwKjP2K+fW9NwgWsUJV+
X-Received: by 2002:a17:902:22f:: with SMTP id 44mr41941526plc.138.1552516983173;
        Wed, 13 Mar 2019 15:43:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1552516983; cv=none;
        d=google.com; s=arc-20160816;
        b=MUEivrwiG/5Tf762N3S+GvmTrIuNErUP/ICoYGgt5FOd9FxbPAtPlkqXKB7qd83PaL
         SuUbLdJE0tfa926QCquo8Tqc9/9QprxrsHNO2y8O+lkkgCQK0hAHBI5Lb3842fmphicX
         3lnWAgS3972+64f4zi87ffHiL/hOshF9gVsGrnB69cdi7IpZh9Xc0m0A2KSXy1aGzW4l
         hGzsUF8dna0jSJQ+xaTJE4r04K9X9h5OsPCeD7/6YMuRDmGtW2LvuYFVTZe/2HHSeoTu
         G31hz4cXZPMO7t9HP/QFHxp4k4XG9iE6I/+ccAPRWnNrQOSV/sCz/QXHDrwlFwsMH7dR
         oF3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=iu5ZbwNUztL6jQAYy1bdMjHtXZBUT5WMKq/l/Y6vSts=;
        b=EsqRW6YI7VvXWvQ9cuFnYwIhFSTQ13+IvPPAPanMoqyzvIf6eYzzsIg3m+W2vNpVDn
         dVymMNf381AH0dZUQp1I3BmZxOpJ8JF14ZOxTE7Axxs3kVGYw8cCEZPYzek7qNcb62gf
         zDKXrQbXfk32aOyyzlAgsZam5HCUyRzvrGXjztIbDZQcp6GdjXMRSvqrsDc1LBjVleTA
         9fWBiQRFh2p2AqumAm2wZvdHu2PoxaslFgQkMzbxuWNPaMYlOvHZTFKZRvbqA8rV/GUC
         3YVm9C5g9SzROaqWQ+QGCgTVku0vlLj3nrzD7d2oh7oxMkRAJSanqGU1FMffE3bjhNyw
         7wEg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d2si10879439pgb.137.2019.03.13.15.42.45;
        Wed, 13 Mar 2019 15:43:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726853AbfCMWmY convert rfc822-to-8bit (ORCPT
        <rfc822;atom.tux.beastie@gmail.com> + 99 others);
        Wed, 13 Mar 2019 18:42:24 -0400
Received: from lithops.sigma-star.at ([195.201.40.130]:51436 "EHLO
        lithops.sigma-star.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725883AbfCMWmY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Mar 2019 18:42:24 -0400
Received: from localhost (localhost [127.0.0.1])
        by lithops.sigma-star.at (Postfix) with ESMTP id 71E246089E22;
        Wed, 13 Mar 2019 23:42:20 +0100 (CET)
Received: from lithops.sigma-star.at ([127.0.0.1])
        by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10032)
        with ESMTP id sC0lP2ewmzQk; Wed, 13 Mar 2019 23:42:20 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
        by lithops.sigma-star.at (Postfix) with ESMTP id EE29660D4827;
        Wed, 13 Mar 2019 23:42:19 +0100 (CET)
Received: from lithops.sigma-star.at ([127.0.0.1])
        by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10026)
        with ESMTP id HwA4ubAvkyor; Wed, 13 Mar 2019 23:42:19 +0100 (CET)
Received: from blindfold.localnet (213-47-184-186.cable.dynamic.surfer.at [213.47.184.186])
        by lithops.sigma-star.at (Postfix) with ESMTPSA id 7B6516089E22;
        Wed, 13 Mar 2019 23:42:19 +0100 (CET)
From:   Richard Weinberger <richard@nod.at>
To:     Eric Biggers <ebiggers@kernel.org>
Cc:     Amir Goldstein <amir73il@gmail.com>,
        Miklos Szeredi <miklos@szeredi.hu>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        linux-fscrypt@vger.kernel.org,
        overlayfs <linux-unionfs@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Paul Lawrence <paullawrence@google.com>
Subject: Re: overlayfs vs. fscrypt
Date:   Wed, 13 Mar 2019 23:42:18 +0100
Message-ID: <4098793.CtYQtWW4dM@blindfold>
In-Reply-To: <20190313222610.GF10169@gmail.com>
References: <4603533.ZIfxmiEf7K@blindfold> <15244624.W7e5yEypHC@blindfold> <20190313222610.GF10169@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8BIT
Content-Type: text/plain; charset="iso-8859-1"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Am Mittwoch, 13. M?rz 2019, 23:26:11 CET schrieb Eric Biggers:
> On Wed, Mar 13, 2019 at 09:33:10PM +0100, Richard Weinberger wrote:
> > Am Mittwoch, 13. M?rz 2019, 15:26:54 CET schrieb Amir Goldstein:
> > > IMO, the best thing for UBIFS to do would be to modify fscrypt to support
> > > opting out of the revalidate behavior, IWO, sanitize your hack to an API.
> > 
> > Given the WTF/s rate this thread has, this might me a good option.
> > Actually people already asked me how to disable this feature because
> > they saw no use of it.
> > Being able to delete encrypted files looks good on the feature list but in
> > reality it has very few users but causes confusion, IMHO.
> > 
> > I propose a new fscrypt_operations flag, FS_CFLG_NO_CRYPT_FNAMES.
> > If this flag is set, a) fscrypt_setup_filename() will return -EPERM if
> > no key is found.
> > And b) __fscrypt_prepare_lookup() will not attach fscrypt_d_ops to the dentry.
> > 
> > Eric, what do you think?
> > 
> > Thanks,
> > //richard
> > 
> 
> What specifically is wrong with supporting the ciphertext "view" of encrypted
> directories, and why do you want to opt UBIFS out of it specifically but not
> ext4 and f2fs?  (The fscrypt_operations are per-filesystem type, not
> per-filesystem instance, so I assume that's what you had in mind.)  Note that we
> can't unconditionally remove it because people need it to delete files without
> the key.  We could add a mount option to disable it, but why exactly?

You are right, fscrypt_operations is the wrong structure.
My plan was having it per filesystem instance. So a mount-option seems like
a good option. Of course for all filesystems that support fscrypt, not just UBIFS.

Over the last year I've converted many emebdded systems to fscrypt and it happened
more than once that users, and more importantly, applications got confused that
you can mount and walk the filesystem even if you don't have the key loaded yet.
For them it felt more natural that you cannot even readdir if you don't have the key.

In my opinion having such a mount option is useful to match these expectations.
And it is also useful because you can enable only the features you actually need.
On embedded systems that I have in mind you never delete files without having the key
and since fscrypt is used for the whole filesystem you can just recreate it if you
really lost the key.

Thanks,
//richard