]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 3111472) | patch
fscrypt: handle test_dummy_encryption in more logical way
authorEric Biggers <ebiggers@google.com>
Thu, 17 Sep 2020 04:11:35 +0000 (21:11 -0700)
committerEric Biggers <ebiggers@google.com>
Tue, 22 Sep 2020 13:48:49 +0000 (06:48 -0700)
commitac4acb1f4b2b6b7e8d913537cccec8789903e164
treee6999a5cae6cb884d844450d19b59da6049186e5tree
parent31114726b69364f3bf8dd945c600ceed4c430f4fcommit | diff
fscrypt: handle test_dummy_encryption in more logical way

The behavior of the test_dummy_encryption mount option is that when a
new file (or directory or symlink) is created in an unencrypted
directory, it's automatically encrypted using a dummy encryption policy.
That's it; in particular, the encryption (or lack thereof) of existing
files (or directories or symlinks) doesn't change.

Unfortunately the implementation of test_dummy_encryption is a bit weird
and confusing.  When test_dummy_encryption is enabled and a file is
being created in an unencrypted directory, we set up an encryption key
(->i_crypt_info) for the directory.  This isn't actually used to do any
encryption, however, since the directory is still unencrypted!  Instead,
->i_crypt_info is only used for inheriting the encryption policy.

One consequence of this is that the filesystem ends up providing a
"dummy context" (policy + nonce) instead of a "dummy policy".  In
commit ed318a6cc0b6 ("fscrypt: support test_dummy_encryption=v2"), I
mistakenly thought this was required.  However, actually the nonce only
ends up being used to derive a key that is never used.

Another consequence of this implementation is that it allows for
'inode->i_crypt_info != NULL && !IS_ENCRYPTED(inode)', which is an edge
case that can be forgotten about.  For example, currently
FS_IOC_GET_ENCRYPTION_POLICY on an unencrypted directory may return the
dummy encryption policy when the filesystem is mounted with
test_dummy_encryption.  That seems like the wrong thing to do, since
again, the directory itself is not actually encrypted.

Therefore, switch to a more logical and maintainable implementation
where the dummy encryption policy inheritance is done without setting up
keys for unencrypted directories.  This involves:

- Adding a function fscrypt_policy_to_inherit() which returns the
  encryption policy to inherit from a directory.  This can be a real
  policy, a dummy policy, or no policy.

- Replacing struct fscrypt_dummy_context, ->get_dummy_context(), etc.
  with struct fscrypt_dummy_policy, ->get_dummy_policy(), etc.

- Making fscrypt_fname_encrypted_size() take an fscrypt_policy instead
  of an inode.

Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Acked-by: Jeff Layton <jlayton@kernel.org>
Link: https://lore.kernel.org/r/20200917041136.178600-13-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
fs/crypto/fname.c diff | blob | blame | history
fs/crypto/fscrypt_private.h diff | blob | blame | history
fs/crypto/hooks.c diff | blob | blame | history
fs/crypto/keysetup.c diff | blob | blame | history
fs/crypto/policy.c diff | blob | blame | history
fs/ext4/ext4.h diff | blob | blame | history
fs/ext4/super.c diff | blob | blame | history
fs/f2fs/f2fs.h diff | blob | blame | history
fs/f2fs/super.c diff | blob | blame | history
include/linux/fscrypt.h diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror