From: Eric Biggers <ebiggers@kernel.org>
To: linux-ext4@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org
Subject: Re: [PATCH v3] e2fsck: check for consistent encryption policies
Date: Wed, 4 Sep 2019 08:55:25 -0700
Message-ID: <20190904155524.GA41757@gmail.com>
In-Reply-To: <20190823162339.186643-1-ebiggers@kernel.org>

On Fri, Aug 23, 2019 at 09:23:39AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> By design, the kernel enforces that all files in an encrypted directory
> use the same encryption policy as the directory. It's not possible to
> violate this constraint using syscalls. Lookups of files that violate
> this constraint also fail, in case the disk was manipulated.
>
> But this constraint can also be violated by accidental filesystem
> corruption. E.g., a power cut when using ext4 without a journal might
> leave new files without the encryption bit and/or xattr. Thus, it's
> important that e2fsck correct this condition.
>
> Therefore, this patch makes the following changes to e2fsck:
>
> - During pass 1 (inode table scan), create a map from inode number to
>   encryption policy for all encrypted inodes. But it's optimized so
>   that the full xattrs aren't saved but rather only 32-bit "policy IDs",
>   since usually many inodes share the same encryption policy. Also, if
>   an encryption xattr is missing, offer to clear the encrypt flag. If
>   an encryption xattr is clearly corrupt, offer to clear the inode.
>
> - During pass 2 (directory structure check), use the map to verify that
>   all regular files, directories, and symlinks in encrypted directories
>   use the directory's encryption policy. Offer to clear any directory
>   entries for which this isn't the case.
>
> Add a new test "f_bad_encryption" to test the new behavior.
>
> Due to the new checks, it was also necessary to update the existing test
> "f_short_encrypted_dirent" to add an encryption xattr to the test file,
> since it was missing one before, which is now considered invalid.
>

Any comments on this patch?

- Eric
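
The two-pass scheme described in the quoted commit message, as an added sketch that is not code from the patch or from e2fsprogs: pass 1 interns each distinct policy into a small 32-bit ID and records it per inode, and pass 2 compares a directory's ID with each entry's ID. All names, the fixed-size tables and the simplified `struct policy` are assumptions made for illustration; the sample inodes are constructed.

```c
#include <stdint.h>
#include <string.h>

#define NO_ENCRYPTION 0u   /* policy ID of an unencrypted inode (assumed value) */
/* Simplified stand-in for the policy stored in an inode's encryption xattr. */
struct policy { uint8_t modes[2]; uint8_t key_desc[8]; };

static struct policy policies[16];   /* policy with ID n lives at policies[n - 1] */
static uint32_t num_policies;
static uint32_t inode_policy[64];    /* inode number -> policy ID */

/* Return the ID of an identical policy already seen, or assign the next one. */
static uint32_t intern_policy(const struct policy *p)
{
    for (uint32_t i = 0; i < num_policies; i++)
        if (memcmp(&policies[i], p, sizeof(*p)) == 0)
            return i + 1;
    policies[num_policies] = *p;     /* sketch: no growth or bounds handling */
    return ++num_policies;
}

/* Pass 1: record one inode; p is NULL when the inode is not encrypted. */
static void record_inode(uint32_t ino, const struct policy *p)
{
    inode_policy[ino] = p ? intern_policy(p) : NO_ENCRYPTION;
}

/* Pass 2: may this entry (regular file, directory or symlink) stay in dir_ino? */
static int dirent_consistent(uint32_t dir_ino, uint32_t child_ino)
{
    uint32_t dir_id = inode_policy[dir_ino];
    return dir_id == NO_ENCRYPTION || inode_policy[child_ino] == dir_id;
}

/* Constructed sample: count the inconsistent entries of encrypted directory 12. */
static int count_bad_entries(void)
{
    const struct policy a = { {1, 4}, {0xAA} }, b = { {1, 4}, {0xBB} };
    const uint32_t children[] = { 13, 14, 15 };
    int bad = 0;
    record_inode(12, &a);    /* encrypted directory */
    record_inode(13, &a);    /* file sharing the directory's policy */
    record_inode(14, NULL);  /* file left without encrypt flag and xattr */
    record_inode(15, &b);    /* file carrying a different policy */
    for (int i = 0; i < 3; i++)
        bad += !dirent_consistent(12, children[i]);
    return bad;
}

int main(void) { return count_bad_entries() == 2 ? 0 : 1; }
```

Storing only the interned ID keeps the per-inode cost at four bytes, and the pass 2 comparison becomes a single integer equality test instead of an xattr comparison.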