| Message ID | 20230313123310.13040-1-lhenriques@suse.de |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp1167702wrd;
Mon, 13 Mar 2023 05:57:30 -0700 (PDT)
X-Google-Smtp-Source:
AK7set8VwTN9A5AjbenGaP4o2eiyUuD7nDw8PkZ+s2UFx01/E0c8ycgoVN+LJ8cg4VnEpFsnc+il
X-Received: by 2002:a05:6a20:6d17:b0:cc:7f46:53f7 with SMTP id
fv23-20020a056a206d1700b000cc7f4653f7mr29738170pzb.13.1678712249992;
Mon, 13 Mar 2023 05:57:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1678712249; cv=none;
d=google.com; s=arc-20160816;
b=SK4Te1bDrjB7xyuCp2CapB0DjJICkx3BbNKT8/EeIi7mfb0lhjuwdfhgMh6b32a03T
7kQInp1H1IEBTJD76p2WxfIm71wyUuEt8Eb4vbRSvt4ZiY7QRH0P40kcpyQ9Zq82EtVy
xgvJXtUWwOhigoIT3HjLsiN/hsBGSRhbeCGWBleZbPKU+A7Ba+GsdxLJc/FnzQlk4u8Z
y5KKmdx5Cc+bL20x1jWTJWvLjGGzB2mdg6ANG2+DTXxNktfec3oiqCKMCIi5qGLExRsL
fTH+/xez3IOaeljO97Ul5KxeMnfzEOpvaz74uRUjmn21cQdOpzGzukdcoo9++jqoNGXG
J62A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature:dkim-signature;
bh=clL6isl+kRCjub6IYvTubyA1KWdyBcpxsCA8BvRWS64=;
b=x8s2v1D3x3XHMy2Ii4XVGTy31N9Ek1Ida/yguxsQuQ/58/pr9q76rQuV3rryaz8C7Z
ky1VlksrPHWz9Pbz3IJ3Vp7w5R+d6XTQUZLpL/BJMzGYKVA+e4UUmOflznZd/W0/LEh/
rvTYDd4wTYB+g3/Ir+Eg6xlBKPZ7oSq2TpOr4cIM6SEDx915cSUeqk3bTFGJaqFgL+l/
NuMkGcENN9Dr3DlKKDCN00rK+iY+r+qpvnEb9oWNrE5yAwppfM0FIMT08E9rrkGm1QRD
7r4zK3PyNyEyROKzyxKzFGRRNqfGb2MToKkpcTsag6DiO41eWmWAydJfUyljhQmRDVbd
EQcg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=ynBkq9Jc;
dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519
header.b=uI4rhJso;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
s11-20020a65644b000000b005030925d30asi6593838pgv.347.2023.03.13.05.57.15;
Mon, 13 Mar 2023 05:57:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=ynBkq9Jc;
dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519
header.b=uI4rhJso;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229797AbjCMMdY (ORCPT <rfc822;realc9580@gmail.com> + 99 others);
Mon, 13 Mar 2023 08:33:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58608 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229548AbjCMMdQ (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 13 Mar 2023 08:33:16 -0400
Received: from smtp-out1.suse.de (smtp-out1.suse.de
[IPv6:2001:67c:2178:6::1c])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ABE2E19127;
Mon, 13 Mar 2023 05:33:14 -0700 (PDT)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by smtp-out1.suse.de (Postfix) with ESMTPS id B8C0B221B4;
Mon, 13 Mar 2023 12:33:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_rsa;
t=1678710792;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=clL6isl+kRCjub6IYvTubyA1KWdyBcpxsCA8BvRWS64=;
b=ynBkq9Jc8ZU6ci4AMmAMpO7o7lEmrVkCTioOZonMHMN585uolQKWXy2I5ezqIB7JzxdsiJ
B0Yl2nkA++fdIXIHRJF0lbT0aATCcwmdmH43aeTTeZSvFTUQvpRoQj0AL9QJk0TnD9BwFN
dxLkQuQkJ2cP28zshfsWJtQuU07BdK8=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_ed25519; t=1678710792;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=clL6isl+kRCjub6IYvTubyA1KWdyBcpxsCA8BvRWS64=;
b=uI4rhJsoXCvpymp30cEwbeMxOeB6fdG+1djc7TIhhBV/dDqtkwGeAGsc6WbokJOYZaP0NK
oQbvM4+wNobryuAg==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 2331013582;
Mon, 13 Mar 2023 12:33:12 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
by imap2.suse-dmz.suse.de with ESMTPSA
id UWyqBQgYD2RnCQAAMHmgww
(envelope-from <lhenriques@suse.de>); Mon, 13 Mar 2023 12:33:12 +0000
Received: from localhost (brahms.olymp [local])
by brahms.olymp (OpenSMTPD) with ESMTPA id 8f5c4974;
Mon, 13 Mar 2023 12:33:11 +0000 (UTC)
From: =?utf-8?q?Lu=C3=ADs_Henriques?= <lhenriques@suse.de>
To: Eric Biggers <ebiggers@kernel.org>, Xiubo Li <xiubli@redhat.com>,
Jeff Layton <jlayton@kernel.org>
Cc: "Theodore Y. Ts'o" <tytso@mit.edu>, Jaegeuk Kim <jaegeuk@kernel.org>,
Ilya Dryomov <idryomov@gmail.com>, linux-fscrypt@vger.kernel.org,
ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org, =?utf-8?q?Lu?=
=?utf-8?q?=C3=ADs_Henriques?= <lhenriques@suse.de>
Subject: [PATCH 0/2] ceph: fscrypt: fix atomic open bug for encrypted
directories
Date: Mon, 13 Mar 2023 12:33:08 +0000
Message-Id: <20230313123310.13040-1-lhenriques@suse.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1760257376356024873?=
X-GMAIL-MSGID: =?utf-8?q?1760257376356024873?=
|
| Series |
ceph: fscrypt: fix atomic open bug for encrypted directories
|
|
Message
Luis Henriques
March 13, 2023, 12:33 p.m. UTC
Hi!
I started seeing fstest generic/123 failing in ceph fscrypt, when running it
with 'test_dummy_encryption'. This test is quite simple:
1. Creates a directory with write permissions for root only
2. Writes into a file in that directory
3. Uses 'su' to try to modify that file as a different user, and
gets -EPERM
All the test steps succeed, but the test fails to cleanup: 'rm -rf <dir>'
will fail with -ENOTEMPTY. 'strace' shows that calling unlinkat() to remove
the file got a -ENOENT and then -ENOTEMPTY for the directory.
This is because 'su' does a drop_caches ('su (874): drop_caches: 2' in
dmesg), and ceph's atomic open will do:
if (IS_ENCRYPTED(dir)) {
set_bit(CEPH_MDS_R_FSCRYPT_FILE, &req->r_req_flags);
if (!fscrypt_has_encryption_key(dir)) {
spin_lock(&dentry->d_lock);
dentry->d_flags |= DCACHE_NOKEY_NAME;
spin_unlock(&dentry->d_lock);
}
}
Although 'dir' has the encryption key available, fscrypt_has_encryption_key()
will return 'false' because fscrypt info isn't yet set after the cache
cleanup.
The first patch will add a new helper for the atomic_open that will force
the fscrypt info to be loaded into an inode that has been evicted recently
but for which the key is still available.
The second patch switches ceph atomic_open to use the new fscrypt helper.
Cheers,
--
Luís
Changes since initial RFC (after Eric's review):
- Added kerneldoc comments to the new fscrypt helper
- Dropped '__' from helper name (now fscrypt_prepare_atomic_open())
- Added IS_ENCRYPTED() check in helper
- DCACHE_NOKEY_NAME is not set if fscrypt_get_encryption_info() returns an
error
- Fixed helper for !CONFIG_FS_ENCRYPTION (now defined 'static inline')
Luís Henriques (2):
fscrypt: new helper function - fscrypt_prepare_atomic_open()
ceph: switch atomic open to use new fscrypt helper
fs/ceph/file.c | 8 +++-----
fs/crypto/hooks.c | 35 +++++++++++++++++++++++++++++++++++
include/linux/fscrypt.h | 7 +++++++
3 files changed, 45 insertions(+), 5 deletions(-)
Comments
On Mon, 2023-03-13 at 12:33 +0000, Luís Henriques wrote: > Hi! > > I started seeing fstest generic/123 failing in ceph fscrypt, when running it > with 'test_dummy_encryption'. This test is quite simple: > > 1. Creates a directory with write permissions for root only > 2. Writes into a file in that directory > 3. Uses 'su' to try to modify that file as a different user, and > gets -EPERM > > All the test steps succeed, but the test fails to cleanup: 'rm -rf <dir>' > will fail with -ENOTEMPTY. 'strace' shows that calling unlinkat() to remove > the file got a -ENOENT and then -ENOTEMPTY for the directory. > > This is because 'su' does a drop_caches ('su (874): drop_caches: 2' in > dmesg), and ceph's atomic open will do: > > if (IS_ENCRYPTED(dir)) { > set_bit(CEPH_MDS_R_FSCRYPT_FILE, &req->r_req_flags); > if (!fscrypt_has_encryption_key(dir)) { > spin_lock(&dentry->d_lock); > dentry->d_flags |= DCACHE_NOKEY_NAME; > spin_unlock(&dentry->d_lock); > } > } > > Although 'dir' has the encryption key available, fscrypt_has_encryption_key() > will return 'false' because fscrypt info isn't yet set after the cache > cleanup. > > The first patch will add a new helper for the atomic_open that will force > the fscrypt info to be loaded into an inode that has been evicted recently > but for which the key is still available. > > The second patch switches ceph atomic_open to use the new fscrypt helper. > > Cheers, > -- > Luís > > Changes since initial RFC (after Eric's review): > - Added kerneldoc comments to the new fscrypt helper > - Dropped '__' from helper name (now fscrypt_prepare_atomic_open()) > - Added IS_ENCRYPTED() check in helper > - DCACHE_NOKEY_NAME is not set if fscrypt_get_encryption_info() returns an > error > - Fixed helper for !CONFIG_FS_ENCRYPTION (now defined 'static inline') > > Luís Henriques (2): > fscrypt: new helper function - fscrypt_prepare_atomic_open() > ceph: switch atomic open to use new fscrypt helper > > fs/ceph/file.c | 8 +++----- > fs/crypto/hooks.c | 35 +++++++++++++++++++++++++++++++++++ > include/linux/fscrypt.h | 7 +++++++ > 3 files changed, 45 insertions(+), 5 deletions(-) > Looks like a nice cleanup. Reviewed-by: Jeff Layton <jlayton@kernel.org>