Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp1279559pxp;
        Thu, 17 Mar 2022 06:33:16 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy0jBs5xwMxKOczOp0ZMzidv/+w0QT90pCSCYmIO1pBb2sVrDOmctVlgTK8pBadl9pZ+5By
X-Received: by 2002:aa7:ca01:0:b0:415:ece6:b0d9 with SMTP id y1-20020aa7ca01000000b00415ece6b0d9mr4475790eds.303.1647523996656;
        Thu, 17 Mar 2022 06:33:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1647523996; cv=none;
        d=google.com; s=arc-20160816;
        b=DtD6luujV+MGFTVeI42RLMsSp9eBtjonXUXHyoPkw3ZfwVo23Qhml5e4CQYS5SoZz9
         uV/Fe2qZggyuO4mA3RYcJe3TlGFwqcXLjZkb4Tpu36UYDwHrscniJhxj8CtHPQdHrHTW
         W5XLzKCURnrOQZTEPMZeGOyHAV4QRmrGxzAX2fvSI7BJqK3IUlXuze7D5n8NcDuTOT5z
         3dniD9CPco7tHotbssid5UrPx+CwOAjvjA+Gll5lmGy5cP/q8OnMtVoA3dXpTlHiXMvr
         uo0nzLM5WYWGIil2hKGCxUzxPJeamltH9nNxhkdi4/r1CnS64iT/4EQCxkpdGCba7Y0r
         UAlg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id:dkim-signature;
        bh=PaP0SgbikahF+QMKJBLqkHaic425GuJjXeiXrDgoYy0=;
        b=Kbl/C9J2hr5ct9NEtr2496Xu8hDCqRHz4dK4hxTGPoD3MnlO/o9Evmee5i2ZLznCP/
         3XgZQZFfwEb3mBB9vKoe2GI8IfugOy4deFkNTjdW86b74dRoWy/MgotjRcDuxWTJJG2a
         pSZNS0hleyQe5Zao2FvXAtVzQs0ImdLaSnJpLWIliDRyDKSMFy5pp7G/YHkmX6dMo5Xd
         ///YavqJ1Xbws2kC6GVnjJ5qknH144ZswTji714xsLOmb88N94/qqFK4FTh35DTk25OW
         tVsPJAB3f9Re3S14uGphoJAgBxa6vslBNQdh5wiEL4lyF6ncIwk72SgavWdsLz2+BgRb
         91zg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=tdxDnyrb;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id v26-20020a50f09a000000b00418c2b5be02si1591568edl.228.2022.03.17.06.32.48;
        Thu, 17 Mar 2022 06:33:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=tdxDnyrb;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233337AbiCQMCn (ORCPT <rfc822;smith.dustin2017@gmail.com>
        + 99 others); Thu, 17 Mar 2022 08:02:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53044 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231549AbiCQMCm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 17 Mar 2022 08:02:42 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4CBC318FADD;
        Thu, 17 Mar 2022 05:01:22 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id F418AB80E8A;
        Thu, 17 Mar 2022 12:01:20 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id ED6FAC340E9;
        Thu, 17 Mar 2022 12:01:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1647518479;
        bh=Qf8CBbHvzkdofb9fpNdW6CQM9HNMKy+UOcace2VJYCw=;
        h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
        b=tdxDnyrbQ3jnvwbKN7ctQjVnoMcyTI0dYBfVhBAXFaZFNcyJ0WjMLi9BGyKlALHvL
         hXtKP+3jnMTbE8SrVCsfrl3pKxqoRzBF9m5txFRmwJRUNnX9NMUnm5cmCl33whIMBJ
         X3vW8nyoNp4NTB04PYRzNffMdIqhXEMDSmm9ET/RaWs8LMOjM610DISEgyi14rRcvu
         cjkdPrXDnNjOlyU4F/CoNwbbobxnXWHY3hCvNnQ9aDfjHH89kXxoI88gtALsWldwEz
         SbiFEjJeZrp2/anICt9K8uprD41kdKphA8UKIes+FtDK3UeHoYpvb+a5s8A7SXCWPn
         3naZaDM9tNqbg==
Message-ID: <c2f494b61674e63985e4e2a0fb3b6c503e17334b.camel@kernel.org>
Subject: Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names
 encryption
From:   Jeff Layton <jlayton@kernel.org>
To:     =?ISO-8859-1?Q?Lu=EDs?= Henriques <lhenriques@suse.de>,
        Xiubo Li <xiubli@redhat.com>
Cc:     Ilya Dryomov <idryomov@gmail.com>,
        Ceph Development <ceph-devel@vger.kernel.org>,
        linux-kernel@vger.kernel.org
Date:   Thu, 17 Mar 2022 08:01:17 -0400
In-Reply-To: <87wngshlzb.fsf@brahms.olymp>
References: <20220315161959.19453-1-lhenriques@suse.de>
         <5b53e812-d49b-45f0-1219-3dbc96febbc1@redhat.com>
         <329abedd9d9938de95bf4f5600acdcd6a846e6be.camel@kernel.org>
         <3c8b78c4-5392-b81c-e76f-64fcce4f3c0f@redhat.com>
         <87wngshlzb.fsf@brahms.olymp>
Content-Type: text/plain; charset="ISO-8859-15"
User-Agent: Evolution 3.42.4 (3.42.4-1.fc35) 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-8.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2022-03-17 at 11:11 +0000, Lu?s Henriques wrote:
> Xiubo Li <xiubli@redhat.com> writes:
> 
> > On 3/17/22 6:01 PM, Jeff Layton wrote:
> > > I'm not sure we want to worry about .snap directories here since they
> > > aren't "real". IIRC, snaps are inherited from parents too, so you could
> > > do something like
> > > 
> > >      mkdir dir1
> > >      mkdir dir1/.snap/snap1
> > >      mkdir dir1/dir2
> > >      fscrypt encrypt dir1/dir2
> > > 
> > > There should be nothing to prevent encrypting dir2, but I'm pretty sure
> > > dir2/.snap will not be empty at that point.
> > 
> > If we don't take care of this. Then we don't know which snapshots should do
> > encrypt/dencrypt and which shouldn't when building the path in lookup and when
> > reading the snapdir ?
> 
> In my patchset (which I plan to send a new revision later today, I think I
> still need to rebase it) this is handled by using the *real* snapshot
> parent inode.  If we're decrypting/encrypting a name for a snapshot that
> starts with a '_' character, we first find the parent inode for that
> snapshot and only do the operation if that parent is encrypted.
> 
> In the other email I suggested that we could prevent enabling encryption
> in a directory when there are snapshots above in the hierarchy.  But now
> that I think more about it, it won't solve any problem because you could
> create those snapshots later and then you would still need to handle these
> (non-encrypted) "_name_xxxx" snapshots anyway.
> 

Yeah, that sounds about right.

What happens if you don't have the snapshot parent's inode in cache?
That can happen if you (e.g.) are running NFS over ceph, or if you get
crafty with name_to_handle_at() and open_by_handle_at().

Do we have to do a LOOKUPINO in that case or does the trace contain that
info? If it doesn't then that could really suck in a big hierarchy if
there are a lot of different snapshot parent inodes to hunt down.

I think this is a case where the client just doesn't have complete
control over the dentry name. It may be better to just not encrypt them
if it's too ugly.

Another idea might be to just use the same parent inode (maybe the
root?) for all snapshot names. It's not as secure, but it's probably
better than nothing.
-- 
Jeff Layton <jlayton@kernel.org>