From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org,
Richard Weinberger <richard@nod.at>,
Miklos Szeredi <miklos@szeredi.hu>
Cc: linux-unionfs@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org,
Sarthak Kukreti <sarthakkukreti@chromium.org>,
linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org
Subject: Re: [PATCH v2 0/5] fscrypt: d_revalidate fixes and cleanups
Date: Mon, 1 Apr 2019 10:11:21 -0700 [thread overview]
Message-ID: <20190401171119.GC131675@gmail.com> (raw)
In-Reply-To: <20190320183913.12686-1-ebiggers@kernel.org>
On Wed, Mar 20, 2019 at 11:39:08AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> This patch series improves dentry revalidation in fscrypt.
>
> To recap, fscrypt (aka ext4/f2fs/ubifs encryption) encrypts both file
> contents and file names in individual directory trees. A single
> filesystem can contain many encrypted directory trees using many
> different encryption keys. Major users of fscrypt require the ability
> to delete encrypted files when their encryption key is unavailable, e.g.
> when the system needs to delete a removed user's home directory or free
> up space from a logged-out user's cache directory.
>
> Therefore fscrypt allows listing, looking up, and deleting files in
> encrypted directories via encoded ciphertext names, but only before the
> key is added. After the key is added, the ciphertext names are
> invalidated via ->d_revalidate() and plaintext names are shown instead.
>
> fscrypt isn't a stacked filesystem, and it's explicitly for storage
> encryption, not OS-level access control. Thus, whether each directory
> inode has its key or not is a global state, not per-process. Also, the
> inode keeps its key until it's evicted from the inode cache. So,
> plaintext names shouldn't ever get invalidated by ->d_revalidate().
>
> This patch series makes the following improvements:
>
> - Only assign ->d_revalidate() to ciphertext filenames, thus allowing
> overlayfs to use an fscrypt-encrypted upperdir in some cases.
> (Previous discussion: https://lkml.org/lkml/2019/3/13/255)
>
> - Fix cases where plaintext filenames would wrongly be invalidated,
> including a real-world bug recently reported on Chromium OS.
>
> - Fix cases where ciphertext filenames would wrongly not be invalidated.
>
> - Allow rcu-walk lookups in encrypted directories with the key, which
> improves performance.
> (Previous attempt: https://patchwork.kernel.org/patch/10594133/)
>
> - Fix cases where rename() and link() could succeed on ciphertext names.
>
> Changed since v1:
>
> - Fixed comment in fscrypt_d_revalidate() to explain that dget_parent()
> is actually still required.
>
> - Moved clearing DCACHE_ENCRYPTED_NAME into fscrypt.h, to avoid an extra
> #ifdef and cluttering up dcache.c.
>
> Eric Biggers (5):
> fscrypt: clean up and improve dentry revalidation
> fscrypt: fix race allowing rename() and link() of ciphertext dentries
> fs, fscrypt: clear DCACHE_ENCRYPTED_NAME when unaliasing directory
> fscrypt: only set dentry_operations on ciphertext dentries
> fscrypt: fix race where ->lookup() marks plaintext dentry as
> ciphertext
>
> fs/crypto/crypto.c | 58 ++++++++++++++++---------------
> fs/crypto/fname.c | 1 +
> fs/crypto/hooks.c | 28 ++++++++++-----
> fs/dcache.c | 2 ++
> fs/ext4/ext4.h | 62 +++++++++++++++++++++++++--------
> fs/ext4/namei.c | 76 ++++++++++++++++++++++++++++-------------
> fs/f2fs/namei.c | 17 +++++----
> fs/ubifs/dir.c | 8 ++---
> include/linux/dcache.h | 2 +-
> include/linux/fscrypt.h | 61 +++++++++++++++++++++++----------
> 10 files changed, 208 insertions(+), 107 deletions(-)
>
> --
> 2.21.0.225.g810b269d1ac-goog
>
Any more comments on these patches? I'd like to apply them to the fscrypt tree
for 5.2. Richard, can you check whether these solve your overlayfs use case?
Also, patch 5 could use Acks from ext4, f2fs, and ubifs people.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org,
Richard Weinberger <richard@nod.at>,
Miklos Szeredi <miklos@szeredi.hu>
Cc: linux-unionfs@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org,
Sarthak Kukreti <sarthakkukreti@chromium.org>,
linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org
Subject: Re: [f2fs-dev] [PATCH v2 0/5] fscrypt: d_revalidate fixes and cleanups
Date: Mon, 1 Apr 2019 10:11:21 -0700 [thread overview]
Message-ID: <20190401171119.GC131675@gmail.com> (raw)
In-Reply-To: <20190320183913.12686-1-ebiggers@kernel.org>
On Wed, Mar 20, 2019 at 11:39:08AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> This patch series improves dentry revalidation in fscrypt.
>
> To recap, fscrypt (aka ext4/f2fs/ubifs encryption) encrypts both file
> contents and file names in individual directory trees. A single
> filesystem can contain many encrypted directory trees using many
> different encryption keys. Major users of fscrypt require the ability
> to delete encrypted files when their encryption key is unavailable, e.g.
> when the system needs to delete a removed user's home directory or free
> up space from a logged-out user's cache directory.
>
> Therefore fscrypt allows listing, looking up, and deleting files in
> encrypted directories via encoded ciphertext names, but only before the
> key is added. After the key is added, the ciphertext names are
> invalidated via ->d_revalidate() and plaintext names are shown instead.
>
> fscrypt isn't a stacked filesystem, and it's explicitly for storage
> encryption, not OS-level access control. Thus, whether each directory
> inode has its key or not is a global state, not per-process. Also, the
> inode keeps its key until it's evicted from the inode cache. So,
> plaintext names shouldn't ever get invalidated by ->d_revalidate().
>
> This patch series makes the following improvements:
>
> - Only assign ->d_revalidate() to ciphertext filenames, thus allowing
> overlayfs to use an fscrypt-encrypted upperdir in some cases.
> (Previous discussion: https://lkml.org/lkml/2019/3/13/255)
>
> - Fix cases where plaintext filenames would wrongly be invalidated,
> including a real-world bug recently reported on Chromium OS.
>
> - Fix cases where ciphertext filenames would wrongly not be invalidated.
>
> - Allow rcu-walk lookups in encrypted directories with the key, which
> improves performance.
> (Previous attempt: https://patchwork.kernel.org/patch/10594133/)
>
> - Fix cases where rename() and link() could succeed on ciphertext names.
>
> Changed since v1:
>
> - Fixed comment in fscrypt_d_revalidate() to explain that dget_parent()
> is actually still required.
>
> - Moved clearing DCACHE_ENCRYPTED_NAME into fscrypt.h, to avoid an extra
> #ifdef and cluttering up dcache.c.
>
> Eric Biggers (5):
> fscrypt: clean up and improve dentry revalidation
> fscrypt: fix race allowing rename() and link() of ciphertext dentries
> fs, fscrypt: clear DCACHE_ENCRYPTED_NAME when unaliasing directory
> fscrypt: only set dentry_operations on ciphertext dentries
> fscrypt: fix race where ->lookup() marks plaintext dentry as
> ciphertext
>
> fs/crypto/crypto.c | 58 ++++++++++++++++---------------
> fs/crypto/fname.c | 1 +
> fs/crypto/hooks.c | 28 ++++++++++-----
> fs/dcache.c | 2 ++
> fs/ext4/ext4.h | 62 +++++++++++++++++++++++++--------
> fs/ext4/namei.c | 76 ++++++++++++++++++++++++++++-------------
> fs/f2fs/namei.c | 17 +++++----
> fs/ubifs/dir.c | 8 ++---
> include/linux/dcache.h | 2 +-
> include/linux/fscrypt.h | 61 +++++++++++++++++++++++----------
> 10 files changed, 208 insertions(+), 107 deletions(-)
>
> --
> 2.21.0.225.g810b269d1ac-goog
>
Any more comments on these patches? I'd like to apply them to the fscrypt tree
for 5.2. Richard, can you check whether these solve your overlayfs use case?
Also, patch 5 could use Acks from ext4, f2fs, and ubifs people.
- Eric
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org,
Richard Weinberger <richard@nod.at>,
Miklos Szeredi <miklos@szeredi.hu>
Cc: linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org, linux-unionfs@vger.kernel.org,
Sarthak Kukreti <sarthakkukreti@chromium.org>,
Gao Xiang <gaoxiang25@huawei.com>
Subject: Re: [PATCH v2 0/5] fscrypt: d_revalidate fixes and cleanups
Date: Mon, 1 Apr 2019 10:11:21 -0700 [thread overview]
Message-ID: <20190401171119.GC131675@gmail.com> (raw)
In-Reply-To: <20190320183913.12686-1-ebiggers@kernel.org>
On Wed, Mar 20, 2019 at 11:39:08AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> This patch series improves dentry revalidation in fscrypt.
>
> To recap, fscrypt (aka ext4/f2fs/ubifs encryption) encrypts both file
> contents and file names in individual directory trees. A single
> filesystem can contain many encrypted directory trees using many
> different encryption keys. Major users of fscrypt require the ability
> to delete encrypted files when their encryption key is unavailable, e.g.
> when the system needs to delete a removed user's home directory or free
> up space from a logged-out user's cache directory.
>
> Therefore fscrypt allows listing, looking up, and deleting files in
> encrypted directories via encoded ciphertext names, but only before the
> key is added. After the key is added, the ciphertext names are
> invalidated via ->d_revalidate() and plaintext names are shown instead.
>
> fscrypt isn't a stacked filesystem, and it's explicitly for storage
> encryption, not OS-level access control. Thus, whether each directory
> inode has its key or not is a global state, not per-process. Also, the
> inode keeps its key until it's evicted from the inode cache. So,
> plaintext names shouldn't ever get invalidated by ->d_revalidate().
>
> This patch series makes the following improvements:
>
> - Only assign ->d_revalidate() to ciphertext filenames, thus allowing
> overlayfs to use an fscrypt-encrypted upperdir in some cases.
> (Previous discussion: https://lkml.org/lkml/2019/3/13/255)
>
> - Fix cases where plaintext filenames would wrongly be invalidated,
> including a real-world bug recently reported on Chromium OS.
>
> - Fix cases where ciphertext filenames would wrongly not be invalidated.
>
> - Allow rcu-walk lookups in encrypted directories with the key, which
> improves performance.
> (Previous attempt: https://patchwork.kernel.org/patch/10594133/)
>
> - Fix cases where rename() and link() could succeed on ciphertext names.
>
> Changed since v1:
>
> - Fixed comment in fscrypt_d_revalidate() to explain that dget_parent()
> is actually still required.
>
> - Moved clearing DCACHE_ENCRYPTED_NAME into fscrypt.h, to avoid an extra
> #ifdef and cluttering up dcache.c.
>
> Eric Biggers (5):
> fscrypt: clean up and improve dentry revalidation
> fscrypt: fix race allowing rename() and link() of ciphertext dentries
> fs, fscrypt: clear DCACHE_ENCRYPTED_NAME when unaliasing directory
> fscrypt: only set dentry_operations on ciphertext dentries
> fscrypt: fix race where ->lookup() marks plaintext dentry as
> ciphertext
>
> fs/crypto/crypto.c | 58 ++++++++++++++++---------------
> fs/crypto/fname.c | 1 +
> fs/crypto/hooks.c | 28 ++++++++++-----
> fs/dcache.c | 2 ++
> fs/ext4/ext4.h | 62 +++++++++++++++++++++++++--------
> fs/ext4/namei.c | 76 ++++++++++++++++++++++++++++-------------
> fs/f2fs/namei.c | 17 +++++----
> fs/ubifs/dir.c | 8 ++---
> include/linux/dcache.h | 2 +-
> include/linux/fscrypt.h | 61 +++++++++++++++++++++++----------
> 10 files changed, 208 insertions(+), 107 deletions(-)
>
> --
> 2.21.0.225.g810b269d1ac-goog
>
Any more comments on these patches? I'd like to apply them to the fscrypt tree
for 5.2. Richard, can you check whether these solve your overlayfs use case?
Also, patch 5 could use Acks from ext4, f2fs, and ubifs people.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org,
Richard Weinberger <richard@nod.at>,
Miklos Szeredi <miklos@szeredi.hu>
Cc: Gao Xiang <gaoxiang25@huawei.com>,
linux-unionfs@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org,
Sarthak Kukreti <sarthakkukreti@chromium.org>,
linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org
Subject: Re: [PATCH v2 0/5] fscrypt: d_revalidate fixes and cleanups
Date: Mon, 1 Apr 2019 10:11:21 -0700 [thread overview]
Message-ID: <20190401171119.GC131675@gmail.com> (raw)
In-Reply-To: <20190320183913.12686-1-ebiggers@kernel.org>
On Wed, Mar 20, 2019 at 11:39:08AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> This patch series improves dentry revalidation in fscrypt.
>
> To recap, fscrypt (aka ext4/f2fs/ubifs encryption) encrypts both file
> contents and file names in individual directory trees. A single
> filesystem can contain many encrypted directory trees using many
> different encryption keys. Major users of fscrypt require the ability
> to delete encrypted files when their encryption key is unavailable, e.g.
> when the system needs to delete a removed user's home directory or free
> up space from a logged-out user's cache directory.
>
> Therefore fscrypt allows listing, looking up, and deleting files in
> encrypted directories via encoded ciphertext names, but only before the
> key is added. After the key is added, the ciphertext names are
> invalidated via ->d_revalidate() and plaintext names are shown instead.
>
> fscrypt isn't a stacked filesystem, and it's explicitly for storage
> encryption, not OS-level access control. Thus, whether each directory
> inode has its key or not is a global state, not per-process. Also, the
> inode keeps its key until it's evicted from the inode cache. So,
> plaintext names shouldn't ever get invalidated by ->d_revalidate().
>
> This patch series makes the following improvements:
>
> - Only assign ->d_revalidate() to ciphertext filenames, thus allowing
> overlayfs to use an fscrypt-encrypted upperdir in some cases.
> (Previous discussion: https://lkml.org/lkml/2019/3/13/255)
>
> - Fix cases where plaintext filenames would wrongly be invalidated,
> including a real-world bug recently reported on Chromium OS.
>
> - Fix cases where ciphertext filenames would wrongly not be invalidated.
>
> - Allow rcu-walk lookups in encrypted directories with the key, which
> improves performance.
> (Previous attempt: https://patchwork.kernel.org/patch/10594133/)
>
> - Fix cases where rename() and link() could succeed on ciphertext names.
>
> Changed since v1:
>
> - Fixed comment in fscrypt_d_revalidate() to explain that dget_parent()
> is actually still required.
>
> - Moved clearing DCACHE_ENCRYPTED_NAME into fscrypt.h, to avoid an extra
> #ifdef and cluttering up dcache.c.
>
> Eric Biggers (5):
> fscrypt: clean up and improve dentry revalidation
> fscrypt: fix race allowing rename() and link() of ciphertext dentries
> fs, fscrypt: clear DCACHE_ENCRYPTED_NAME when unaliasing directory
> fscrypt: only set dentry_operations on ciphertext dentries
> fscrypt: fix race where ->lookup() marks plaintext dentry as
> ciphertext
>
> fs/crypto/crypto.c | 58 ++++++++++++++++---------------
> fs/crypto/fname.c | 1 +
> fs/crypto/hooks.c | 28 ++++++++++-----
> fs/dcache.c | 2 ++
> fs/ext4/ext4.h | 62 +++++++++++++++++++++++++--------
> fs/ext4/namei.c | 76 ++++++++++++++++++++++++++++-------------
> fs/f2fs/namei.c | 17 +++++----
> fs/ubifs/dir.c | 8 ++---
> include/linux/dcache.h | 2 +-
> include/linux/fscrypt.h | 61 +++++++++++++++++++++++----------
> 10 files changed, 208 insertions(+), 107 deletions(-)
>
> --
> 2.21.0.225.g810b269d1ac-goog
>
Any more comments on these patches? I'd like to apply them to the fscrypt tree
for 5.2. Richard, can you check whether these solve your overlayfs use case?
Also, patch 5 could use Acks from ext4, f2fs, and ubifs people.
- Eric
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2019-04-01 17:11 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-20 18:39 [PATCH v2 0/5] fscrypt: d_revalidate fixes and cleanups Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` [PATCH v2 1/5] fscrypt: clean up and improve dentry revalidation Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` [f2fs-dev] " Eric Biggers
2019-04-16 23:08 ` Theodore Ts'o
2019-04-16 23:08 ` Theodore Ts'o
2019-04-17 0:10 ` Eric Biggers
2019-04-17 0:10 ` Eric Biggers
2019-04-17 0:10 ` Eric Biggers
2019-04-17 0:10 ` [f2fs-dev] " Eric Biggers
2019-04-17 13:50 ` Theodore Ts'o
2019-04-17 13:50 ` Theodore Ts'o
2019-04-17 13:50 ` Theodore Ts'o
2019-03-20 18:39 ` [PATCH v2 2/5] fscrypt: fix race allowing rename() and link() of ciphertext dentries Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` [f2fs-dev] " Eric Biggers
2019-04-17 13:53 ` Theodore Ts'o
2019-04-17 13:53 ` Theodore Ts'o
2019-04-17 13:53 ` Theodore Ts'o
2019-03-20 18:39 ` [PATCH v2 3/5] fs, fscrypt: clear DCACHE_ENCRYPTED_NAME when unaliasing directory Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-04-17 14:06 ` Theodore Ts'o
2019-04-17 14:06 ` Theodore Ts'o
2019-03-20 18:39 ` [PATCH v2 4/5] fscrypt: only set dentry_operations on ciphertext dentries Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` [f2fs-dev] " Eric Biggers
2019-04-17 14:07 ` Theodore Ts'o
2019-04-17 14:07 ` Theodore Ts'o
2019-04-17 14:07 ` Theodore Ts'o
2019-03-20 18:39 ` [PATCH v2 5/5] fscrypt: fix race where ->lookup() marks plaintext dentry as ciphertext Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` Eric Biggers
2019-03-20 18:39 ` [f2fs-dev] " Eric Biggers
2019-04-17 14:24 ` Theodore Ts'o
2019-04-17 14:24 ` Theodore Ts'o
2019-04-17 14:24 ` Theodore Ts'o
2019-04-01 17:11 ` Eric Biggers [this message]
2019-04-01 17:11 ` [PATCH v2 0/5] fscrypt: d_revalidate fixes and cleanups Eric Biggers
2019-04-01 17:11 ` Eric Biggers
2019-04-01 17:11 ` [f2fs-dev] " Eric Biggers
2019-04-08 8:22 ` Richard Weinberger
2019-04-08 8:22 ` Richard Weinberger
2019-04-08 8:22 ` Richard Weinberger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190401171119.GC131675@gmail.com \
--to=ebiggers@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=richard@nod.at \
--cc=sarthakkukreti@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.