mbox series

[RFC,0/2] ceph: fscrypt: fix atomic open bug for encrypted directories

Message ID 20230309121910.18939-1-lhenriques@suse.de
Headers show
Series ceph: fscrypt: fix atomic open bug for encrypted directories | expand

Message

Luis Henriques March 9, 2023, 12:19 p.m. UTC
Hi!

I started seeing fstest generic/123 failing in ceph fscrypt, when running it
with 'test_dummy_encryption'.  This test is quite simple:

1. Creates a directory with write permissions for root only
2. Writes into a file in that directory
3. Uses 'su' to try to modify that file as a different user, and
   gets -EPERM

All the test steps succeed, but the test fails to cleanup: 'rm -rf <dir>'
will fail with -ENOTEMPTY.  'strace' shows that calling unlinkat() to remove
the file got a -ENOENT and then -ENOTEMPTY for the directory.

This is because 'su' does a drop_caches ('su (874): drop_caches: 2' in
dmesg), and ceph's atomic open will do:

	if (IS_ENCRYPTED(dir)) {
		set_bit(CEPH_MDS_R_FSCRYPT_FILE, &req->r_req_flags);
		if (!fscrypt_has_encryption_key(dir)) {
			spin_lock(&dentry->d_lock);
			dentry->d_flags |= DCACHE_NOKEY_NAME;
			spin_unlock(&dentry->d_lock);
		}
	}

Although 'dir' has the encryption key available, fscrypt_has_encryption_key()
will return 'false' because fscrypt info isn't yet set after the cache
cleanup.

The first patch will add a new helper for the atomic_open that will force
the fscrypt info to be loaded into an inode that has been evicted recently
but for which the key is still available.

The second patch switches ceph atomic_open to use the new fscrypt helper.

Cheers,
--
Luís Henriques

Luís Henriques (2):
  fscrypt: new helper function - __fscrypt_prepare_atomic_open()
  ceph: switch atomic open to use new fscrypt helper

 fs/ceph/file.c          |  8 +++-----
 fs/crypto/hooks.c       | 14 ++++++++++++++
 include/linux/fscrypt.h |  6 ++++++
 3 files changed, 23 insertions(+), 5 deletions(-)

Comments

Luis Henriques March 10, 2023, 12:05 p.m. UTC | #1
Eric Biggers <ebiggers@kernel.org> writes:

> On Thu, Mar 09, 2023 at 12:19:09PM +0000, Luís Henriques wrote:
>> This patch introduces a new helper function which prepares an atomic_open.
>> Because atomic open can act as a lookup if handed a dentry that is negative,
>> we need to set DCACHE_NOKEY_NAME if the key for the parent isn't available.
>> 
>> The reason for getting the encryption info before checking if the directory
>> has the encryption key is because we may have the key available but the
>> encryption info isn't yet set (maybe due to a drop_caches).  The regular
>> open path will use fscrypt_file_open for that but in the atomic open a
>> different approach is required.
>> 
>> Signed-off-by: Luís Henriques <lhenriques@suse.de>
>> ---
>>  fs/crypto/hooks.c       | 14 ++++++++++++++
>>  include/linux/fscrypt.h |  6 ++++++
>>  2 files changed, 20 insertions(+)
>> 
>> diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c
>> index 7b8c5a1104b5..cbb828ecc5eb 100644
>> --- a/fs/crypto/hooks.c
>> +++ b/fs/crypto/hooks.c
>> @@ -117,6 +117,20 @@ int __fscrypt_prepare_readdir(struct inode *dir)
>>  }
>>  EXPORT_SYMBOL_GPL(__fscrypt_prepare_readdir);
>>  
>> +int __fscrypt_prepare_atomic_open(struct inode *dir, struct dentry *dentry)
>
> Anything exported to filesystems should have a kerneldoc comment.  That would be
> a good place to put some of the explanation that you currently have only in the
> commit message.
>
> Also, double-underscored functions are not for use by filesystems directly.
> Normally the pattern would be to make fscrypt_prepare_atomic_open() an inline
> function that checks IS_ENCRYPTED() and calls an out-of-line function
> __fscrypt_prepare_atomic_open().  But if it happens to be simpler to make the
> caller handle the IS_ENCRYPTED() check in this case, then there should simply be
> one function: fscrypt_prepare_atomic_open() (no leading underscores).

Thank you, Eric.  I'll make sure that next rev will take these comments
into account.  It definitely makes sense to move (or duplicate) the
details as a kerneldoc comment.

>> +{
>> +	int err = fscrypt_get_encryption_info(dir, true);
>> +
>> +	if (err || (!err && !fscrypt_has_encryption_key(dir))) {
>> +		spin_lock(&dentry->d_lock);
>> +		dentry->d_flags |= DCACHE_NOKEY_NAME;
>> +		spin_unlock(&dentry->d_lock);
>> +	}
>
> Why does DCACHE_NOKEY_NAME need to be set on error?
> 
> Also note that the '!err &&' part has no effect.

To be honest, I wasn't really sure that if the d_flags should be set on
error either.  I'll drop that, and then the 'if' statement will make more
sense without the '||'.

Cheers