Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption

From: Luís Henriques
Date: Thu Mar 17 2022 - 11:58:53 EST

Next message: Steven Rostedt: "Re: [PATCHv3 02/10] ext4: Fix ext4_fc_stats trace point"
Previous message: Mimi Zohar: "Re: [PATCH v5 5/8] ima: permit fsverity's file digests in the IMA measurement list"
In reply to: Xiubo Li: "Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption"
Next in thread: Luís Henriques: "Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jeff Layton <jlayton@xxxxxxxxxx> writes:

> On Thu, 2022-03-17 at 11:11 +0000, Luís Henriques wrote:
>> Xiubo Li <xiubli@xxxxxxxxxx> writes:
>>
>> > On 3/17/22 6:01 PM, Jeff Layton wrote:
>> > > I'm not sure we want to worry about .snap directories here since they
>> > > aren't "real". IIRC, snaps are inherited from parents too, so you could
>> > > do something like
>> > >
>> > > mkdir dir1
>> > > mkdir dir1/.snap/snap1
>> > > mkdir dir1/dir2
>> > > fscrypt encrypt dir1/dir2
>> > >
>> > > There should be nothing to prevent encrypting dir2, but I'm pretty sure
>> > > dir2/.snap will not be empty at that point.
>> >
>> > If we don't take care of this. Then we don't know which snapshots should do
>> > encrypt/dencrypt and which shouldn't when building the path in lookup and when
>> > reading the snapdir ?
>>
>> In my patchset (which I plan to send a new revision later today, I think I
>> still need to rebase it) this is handled by using the *real* snapshot
>> parent inode. If we're decrypting/encrypting a name for a snapshot that
>> starts with a '_' character, we first find the parent inode for that
>> snapshot and only do the operation if that parent is encrypted.
>>
>> In the other email I suggested that we could prevent enabling encryption
>> in a directory when there are snapshots above in the hierarchy. But now
>> that I think more about it, it won't solve any problem because you could
>> create those snapshots later and then you would still need to handle these
>> (non-encrypted) "_name_xxxx" snapshots anyway.
>>
>
> Yeah, that sounds about right.
>
> What happens if you don't have the snapshot parent's inode in cache?
> That can happen if you (e.g.) are running NFS over ceph, or if you get
> crafty with name_to_handle_at() and open_by_handle_at().
>
> Do we have to do a LOOKUPINO in that case or does the trace contain that
> info? If it doesn't then that could really suck in a big hierarchy if
> there are a lot of different snapshot parent inodes to hunt down.
>
> I think this is a case where the client just doesn't have complete
> control over the dentry name. It may be better to just not encrypt them
> if it's too ugly.

I *think* this is covered by my last revision. I didn't really tested
NFS, but this was why the patches are using ceph_get_inode() and falling
back to ceph_find_inode(). I tested this by directly mounting an
encrypted directory that had snapshots from a realm that wasn't in the
mount root.

(Obviously, these snapshot names are *not* encrypted because they belong
to snapshots that are not encrypted either.)

Cheers,
--
Luís

> Another idea might be to just use the same parent inode (maybe the
> root?) for all snapshot names. It's not as secure, but it's probably
> better than nothing.
> --
> Jeff Layton <jlayton@xxxxxxxxxx>

Next message: Steven Rostedt: "Re: [PATCHv3 02/10] ext4: Fix ext4_fc_stats trace point"
Previous message: Mimi Zohar: "Re: [PATCH v5 5/8] ima: permit fsverity's file digests in the IMA measurement list"
In reply to: Xiubo Li: "Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption"
Next in thread: Luís Henriques: "Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]