Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption

From: Xiubo Li
Date: Thu Mar 17 2022 - 08:31:43 EST

Next message: Rex-BC Chen: "Re: [PATCH v3,2/3] dt-bindings: display: mediatek: dsi: Add compatible for MediaTek MT8186"
Previous message: Boris Petkov: "Re: [kbuild-all] Re: [tip:locking/core 4/5] vmlinux.o: warning: objtool: do_machine_check()+0x419: call to mca_msr_reg() leaves .noinstr.text section"
In reply to: Jeff Layton: "Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption"
Next in thread: Jeff Layton: "Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/17/22 8:01 PM, Jeff Layton wrote:

On Thu, 2022-03-17 at 11:11 +0000, Luís Henriques wrote:

Xiubo Li <xiubli@xxxxxxxxxx> writes:

On 3/17/22 6:01 PM, Jeff Layton wrote:

I'm not sure we want to worry about .snap directories here since they
aren't "real". IIRC, snaps are inherited from parents too, so you could
do something like

mkdir dir1
mkdir dir1/.snap/snap1
mkdir dir1/dir2
fscrypt encrypt dir1/dir2

There should be nothing to prevent encrypting dir2, but I'm pretty sure
dir2/.snap will not be empty at that point.

If we don't take care of this. Then we don't know which snapshots should do
encrypt/dencrypt and which shouldn't when building the path in lookup and when
reading the snapdir ?

In my patchset (which I plan to send a new revision later today, I think I
still need to rebase it) this is handled by using the *real* snapshot
parent inode. If we're decrypting/encrypting a name for a snapshot that
starts with a '_' character, we first find the parent inode for that
snapshot and only do the operation if that parent is encrypted.

In the other email I suggested that we could prevent enabling encryption
in a directory when there are snapshots above in the hierarchy. But now
that I think more about it, it won't solve any problem because you could
create those snapshots later and then you would still need to handle these
(non-encrypted) "_name_xxxx" snapshots anyway.

Yeah, that sounds about right.

What happens if you don't have the snapshot parent's inode in cache?
That can happen if you (e.g.) are running NFS over ceph, or if you get
crafty with name_to_handle_at() and open_by_handle_at().

Do we have to do a LOOKUPINO in that case or does the trace contain that
info? If it doesn't then that could really suck in a big hierarchy if
there are a lot of different snapshot parent inodes to hunt down.

I think this is a case where the client just doesn't have complete
control over the dentry name. It may be better to just not encrypt them
if it's too ugly.

Another idea might be to just use the same parent inode (maybe the
root?) for all snapshot names. It's not as secure, but it's probably
better than nothing.

Does it allow to have different keys for the subdirs in the hierarchy ? From my test it doesn't.

If so we can always use the same oldest ancestor in the hierarchy, who has encryption key, to encyrpt/decrypt all the .snap in the hierarchy, then just need to lookup oldest ancestor inode only once.

-- Xiubo

Next message: Rex-BC Chen: "Re: [PATCH v3,2/3] dt-bindings: display: mediatek: dsi: Add compatible for MediaTek MT8186"
Previous message: Boris Petkov: "Re: [kbuild-all] Re: [tip:locking/core 4/5] vmlinux.o: warning: objtool: do_machine_check()+0x419: call to mca_msr_reg() leaves .noinstr.text section"
In reply to: Jeff Layton: "Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption"
Next in thread: Jeff Layton: "Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]