Re: [PATCH v4] ceph: mark directory as non-complete complete after loading key
From: Jeff Layton
Date: Wed Nov 30 2022 - 05:11:17 EST
On Wed, 2022-11-30 at 16:25 +0800, Xiubo Li wrote:
> On 30/11/2022 14:54, Gregory Farnum wrote:
> > On Tue, Nov 29, 2022 at 7:21 AM Ilya Dryomov <idryomov@xxxxxxxxx> wrote:
> > > On Tue, Nov 29, 2022 at 3:50 PM Xiubo Li <xiubli@xxxxxxxxxx> wrote:
> > > >
> > > > On 29/11/2022 22:32, Ilya Dryomov wrote:
> > > > > On Tue, Nov 29, 2022 at 3:15 PM Xiubo Li <xiubli@xxxxxxxxxx> wrote:
> > > > > > On 29/11/2022 18:39, Luís Henriques wrote:
> > > > > > > When setting a directory's crypt context, ceph_dir_clear_complete() needs to
> > > > > > > be called otherwise if it was complete before, any existing (old) dentry will
> > > > > > > still be valid.
> > > > > > >
> > > > > > > This patch adds a wrapper around __fscrypt_prepare_readdir() which will
> > > > > > > ensure a directory is marked as non-complete if key status changes.
> > > > > > >
> > > > > > > Signed-off-by: Luís Henriques <lhenriques@xxxxxxx>
> > > > > > > ---
> > > > > > > Hi Xiubo,
> > > > > > >
> > > > > > > Here's a rebase of this patch. I did some testing but since this branch
> > > > > > > doesn't really have full fscrypt support, I couldn't even reproduce the
> > > > > > > bug. So, my testing was limited.
> > > > > > I'm planing not to update the wip-fscrypt branch any more, except the IO
> > > > > > path related fixes, which may introduce potential bugs each time as before.
> > > > > >
> > > > > > Since the qa tests PR has finished and the tests have passed, so we are
> > > > > > planing to merge the first none IO part, around 27 patches. And then
> > > > > > pull the reset patches from wip-fscrypt branch.
> > > > > I'm not sure if merging metadata and I/O path patches separately
> > > > > makes sense. What would a user do with just filename encryption?
> > > > Hi Ilya,
> > > >
> > > > I think the IO ones should be followed soon.
> > > >
> > > > Currently the filename ones have been well testes. And the contents will
> > > > be by passed for now.
> > > >
> > > > Since this is just for Dev Preview feature IMO it should be okay (?)
> > > I don't think there is such a thing as a Dev Preview feature when it
> > > comes to the mainline kernel, particularly in the area of filesystems
> > > and storage. It should be ready for users at least to some extent. So
> > > my question stands: what would a user do with just filename encryption?
> > I think how this merges is up to you guys and the kernel practices.
> > Merging only the filename encryption is definitely of *limited*
> > utility, but I don't think it's totally pointless -- the data versus
> > metadata paths are different and you are protecting against somewhat
> > different vulnerabilities and threat models with them. For instance,
> > MDS logs dump filenames, but OSD logs do not dump object data. There's
> > some obvious utility there even if you basically trust your provider,
> > or run your own cluster but want to be more secure about sending logs
> > via ceph-post-file.
>
> Hi Greg,
>
> Sounds reasonable to me.
>
> I will leave this to Ilya.
>
> Thanks!
For the record, the only reason I proposed merging them in multiple sets
was that it is a large set of changes and I was leery of regressions. I
don't see a lot of value in enabling just filename encryption without
the content piece.
I'd be fine with merging it all en-masse, though it's a bit more to wade
through if we end up having to bisect to track down a bug.
--
Jeff Layton <jlayton@xxxxxxxxxx>