On Sep 17, 2019, at 7:07 PM, Eric Biggers wrote: > > From: Eric Biggers > > By design, the kernel enforces that all files in an encrypted directory > use the same encryption policy as the directory. It's not possible to > violate this constraint using syscalls. Lookups of files that violate > this constraint also fail, in case the disk was manipulated. > > But this constraint can also be violated by accidental filesystem > corruption. E.g., a power cut when using ext4 without a journal might > leave new files without the encryption bit and/or xattr. Thus, it's > important that e2fsck correct this condition. > > Therefore, this patch makes the following changes to e2fsck: > > - During pass 1 (inode table scan), create a map from inode number to > encryption policy for all encrypted inodes. But it's optimized so > that the full xattrs aren't saved but rather only 32-bit "policy IDs", > since usually many inodes share the same encryption policy. Also, if > an encryption xattr is missing, offer to clear the encrypt flag. If > an encryption xattr is clearly corrupt, offer to clear the inode. > > - During pass 2 (directory structure check), use the map to verify that > all regular files, directories, and symlinks in encrypted directories > use the directory's encryption policy. Offer to clear any directory > entries for which this isn't the case. > > Add a new test "f_bad_encryption" to test the new behavior. > > Due to the new checks, it was also necessary to update the existing test > "f_short_encrypted_dirent" to add an encryption xattr to the test file, > since it was missing one before, which is now considered invalid. > > Google-Bug-Id: 135138675 > Signed-off-by: Eric Biggers Reviewed-by: Andreas Dilger Cheers, Andreas