From: Luís Henriques
To: Jeff Layton, Xiubo Li, Ilya Dryomov
Cc: ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org, Luís Henriques
Subject: [RFC PATCH v3 0/4] ceph: add support for snapshot names encryption
Date: Thu, 17 Mar 2022 15:45:17 +0000
Message-Id: <20220317154521.6615-1-lhenriques@suse.de>

Hi!

Here's another iteration on my encrypted snapshot names series.  And
here's the changes since v1:

 - Use ceph_find_inode() instead of ceph_get_inode() for finding a
   snapshot parent in function parse_longname().  I've also added a
   fallback to ceph_get_inode() in case we fail to find the inode.  This
   may happen if, for example, the mount root doesn't include that inode.
   The iput() was also complemented by a discard_new_inode() if the inode
   is in the I_NEW state.  (patch 0002)

 - Move the check for '_' snapshots further up in the
   ceph_fname_to_usr() and ceph_encode_encrypted_dname().  This fixes the
   case pointed out by Xiubo in v2.  (patch 0002)

 - Use NAME_MAX for tmp arrays (patch 0002)

 - Added an extra patch for replacing the base64url encoding by a
   different encoding standard, the one used for IMAP mailboxes (which
   uses '+' and ',' instead of '-' and '_').  This should fix the issue
   with snapshot names starting with '_'.  (patch 0003)

Regarding this last patch, there are other alternatives:

 1. Simply replace any initial '_' in snapshot names by another
    character (I was using the '=').  This was a bit more hacky because
    this name could never be sent as-is to the base64 functions, so the
    '=' would need to be replaced back by an '_'.

 2. Append an extra (known) char to every snapshot name.  This would
    also be hacky because it would need to be removed again for base64
    operations.  And the snapshot name size limitations would need to be
    adjusted too.

 3. Modify the fscrypt base64 encoding/decoding functions to receive an
    alternative table to use in these operations.  This would need to be
    accepted by the fscrypt maintainers, of course.

As before, in order to test this code the following PRs are required:

  mds: add protection from clients without fscrypt support #45073
  mds: use the whole string as the snapshot long name #45192
  mds: support alternate names for snapshots #45224
  mds: limit the snapshot names to 240 characters #45312

Changes since v1:

 - Dropped the dentry->d_flags change in ceph_mkdir().  Thanks to
   Xiubo's suggestion, patch 0001 now skips calling
   ceph_fscrypt_prepare_context() if we're handling a snapshot.

 - Added error handling to ceph_get_snapdir() in patch 0001 (Jeff had
   already pointed that out but I forgot to include that change in the
   previous revision).

 - Rebased patch 0002 to the latest wip-fscrypt branch.

 - Added some documentation regarding snapshots naming restrictions.

Luís Henriques (4):
  ceph: add support for encrypted snapshot names
  ceph: handle encrypted snapshot names in subdirectories
  ceph: update documentation regarding snapshot naming limitations
  ceph: replace base64url by the encoding used for mailbox names

 Documentation/filesystems/ceph.rst |  10 ++
 fs/ceph/crypto.c                   | 238 +++++++++++++++++++++++++----
 fs/ceph/crypto.h                   |  14 +-
 fs/ceph/dir.c                      |   2 +-
 fs/ceph/inode.c                    |  33 +++-
 5 files changed, 259 insertions(+), 38 deletions(-)
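
An added example, not part of the original posting and not code from the kernel patches: a table-driven, unpadded base64 encoder in the spirit of alternative 3, showing why a base64url-encoded ciphertext can begin with '_' while the '+' / ',' alphabet mentioned for patch 0003 cannot. The function names, the unpadded output and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Two 64-character tables; they differ only in the last two symbols. */
static const char B64URL[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
static const char B64IMAP[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+,";

/*
 * Hypothetical helper: unpadded base64 encode of src[0..len) using the
 * given 64-entry table. dst must hold at least (len * 4 + 2) / 3 + 1
 * bytes. Returns the number of characters written, excluding the NUL.
 */
static size_t b64_encode_table(const char *table, const unsigned char *src,
                               size_t len, char *dst)
{
    unsigned int acc = 0;   /* only the low 'bits' bits are meaningful */
    int bits = 0;
    char *p = dst;
    size_t i;

    for (i = 0; i < len; i++) {
        acc = (acc << 8) | src[i];
        bits += 8;
        while (bits >= 6) {
            bits -= 6;
            *p++ = table[(acc >> bits) & 0x3f];
        }
    }
    if (bits > 0)           /* left-align the trailing 2 or 4 bits */
        *p++ = table[(acc << (6 - bits)) & 0x3f];
    *p = '\0';
    return (size_t)(p - dst);
}

/* Constructed sample: any ciphertext whose first byte is >= 0xfc maps its
 * first 6-bit group to index 63, the last symbol of the table. */
static const unsigned char SAMPLE_CT[] = { 0xfd, 0x12, 0xa7, 0x3c };

/* Does the encoded form of SAMPLE_CT begin with '_' under this table? */
static int encoded_starts_with_underscore(const char *table)
{
    char out[8];

    b64_encode_table(table, SAMPLE_CT, sizeof(SAMPLE_CT), out);
    return out[0] == '_';
}
```

With base64url, roughly one ciphertext in 64 encodes to a name with a leading '_'; with the second table index 63 is ',', so no encoded name can start with '_'.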