Re: overlayfs vs. fscrypt
From: Miklos Szeredi
Date: Wed Mar 13 2019 - 09:25:02 EST
On Wed, Mar 13, 2019 at 2:00 PM Richard Weinberger <richard@xxxxxx> wrote:
>
> On Wednesday, 13 March 2019, 13:58:11 CET, Miklos Szeredi wrote:
> > On Wed, Mar 13, 2019 at 1:47 PM Richard Weinberger <richard@xxxxxx> wrote:
> > >
> > > On Wednesday, 13 March 2019, 13:36:02 CET, Miklos Szeredi wrote:
> > > > I don't get it. Does fscrypt try to check permissions via
> > > > ->d_revalidate? Why is it not doing that via ->permission()?
> > >
> > > Please let me explain. Suppose we have a fscrypto directory /mnt and
> > > I *don't* have the key.
> > >
> > > Reading the directory contents of /mnt will return an encrypted filename.
> > > e.g.
> > > # ls /mnt
> > > +mcQ46ne5Y8U6JMV9Wdq2C
> >
> > Why does showing the encrypted contents make any sense? It could just
> > return -EPERM on all operations?
>
> The use case is that you can delete these files if the DAC/MAC permissions allow it.
> Just like on NTFS. If a user encrypts files, the admin cannot read them but can
> remove them if the user is gone or loses the key.
There's the underlying filesystem view where admin can delete files,
etc. And there's the fscrypt layer stacked on top of the underlying
fs, which en/decrypts files *in case the user has the key*. What if
one user has a key, but the other one doesn't? Will d_revalidate
constantly switch the set of dentries between the encrypted filenames
and the decrypted ones? Sounds crazy. And the fact that NTFS does
this doesn't make it any less crazy...
Thanks,
Miklos