[RFC,v2,04/18] fscrypt: add fscrypt_new_context_from_inode

Message ID	20200904160537.76663-5-jlayton@kernel.org (mailing list archive)
State	Superseded
Headers	show Return-Path: <SRS0=XUw6=CN=vger.kernel.org=linux-fscrypt-owner@kernel.org> From: Jeff Layton <jlayton@kernel.org> To: ceph-devel@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org, linux-fscrypt@vger.kernel.org, ebiggers@kernel.org Subject: [RFC PATCH v2 04/18] fscrypt: add fscrypt_new_context_from_inode Date: Fri, 4 Sep 2020 12:05:23 -0400 Message-Id: <20200904160537.76663-5-jlayton@kernel.org> In-Reply-To: <20200904160537.76663-1-jlayton@kernel.org> References: <20200904160537.76663-1-jlayton@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-fscrypt-owner@vger.kernel.org Precedence: bulk
Series	ceph+fscrypt: context, filename and symlink support \| expand [RFC,v2,00/18] ceph+fscrypt: context, filename and symlink support [RFC,v2,01/18] vfs: export new_inode_pseudo [RFC,v2,02/18] fscrypt: drop unused inode argument from fscrypt_fname_alloc_buffer [RFC,v2,03/18] fscrypt: export fscrypt_d_revalidate [RFC,v2,04/18] fscrypt: add fscrypt_new_context_from_inode [RFC,v2,05/18] fscrypt: don't balk when inode is already marked encrypted [RFC,v2,06/18] fscrypt: move nokey_name conversion to separate function and export it [RFC,v2,07/18] lib: lift fscrypt base64 conversion into lib/ [RFC,v2,08/18] ceph: add fscrypt ioctls [RFC,v2,09/18] ceph: crypto context handling for ceph [RFC,v2,10/18] ceph: preallocate inode for ops that may create one [RFC,v2,11/18] ceph: add routine to create context prior to RPC [RFC,v2,12/18] ceph: set S_ENCRYPTED bit if new inode has encryption.ctx xattr [RFC,v2,13/18] ceph: make ceph_msdc_build_path use ref-walk [RFC,v2,14/18] ceph: add encrypted fname handling to ceph_mdsc_build_path [RFC,v2,15/18] ceph: make d_revalidate call fscrypt revalidator for encrypted dentries [RFC,v2,16/18] ceph: add support to readdir for encrypted filenames [RFC,v2,17/18] ceph: add fscrypt support to ceph_fill_trace [RFC,v2,18/18] ceph: create symlinks with encrypted and base64-encoded targets

Message ID

20200904160537.76663-5-jlayton@kernel.org (mailing list archive)

State

Superseded

Headers

From: Jeff Layton <jlayton@kernel.org>
To: ceph-devel@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org, linux-fscrypt@vger.kernel.org,
        ebiggers@kernel.org
Subject: [RFC PATCH v2 04/18] fscrypt: add fscrypt_new_context_from_inode
Date: Fri,  4 Sep 2020 12:05:23 -0400
Message-Id: <20200904160537.76663-5-jlayton@kernel.org>
In-Reply-To: <20200904160537.76663-1-jlayton@kernel.org>
References: <20200904160537.76663-1-jlayton@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-fscrypt-owner@vger.kernel.org
Precedence: bulk

Series

ceph+fscrypt: context, filename and symlink support | expand

Commit Message

Jeff Layton Sept. 4, 2020, 4:05 p.m. UTC

CephFS will need to be able to generate a context for a new "prepared"
inode. Add a new routine for getting the context out of an in-core
inode.

Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 fs/crypto/policy.c      | 20 ++++++++++++++++++++
 include/linux/fscrypt.h |  1 +
 2 files changed, 21 insertions(+)

Comments

Eric Biggers Sept. 8, 2020, 3:48 a.m. UTC | #1

On Fri, Sep 04, 2020 at 12:05:23PM -0400, Jeff Layton wrote:
> CephFS will need to be able to generate a context for a new "prepared"
> inode. Add a new routine for getting the context out of an in-core
> inode.
> 
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
>  fs/crypto/policy.c      | 20 ++++++++++++++++++++
>  include/linux/fscrypt.h |  1 +
>  2 files changed, 21 insertions(+)
> 
> diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
> index c56ad886f7d7..10eddd113a21 100644
> --- a/fs/crypto/policy.c
> +++ b/fs/crypto/policy.c
> @@ -670,6 +670,26 @@ int fscrypt_set_context(struct inode *inode, void *fs_data)
>  }
>  EXPORT_SYMBOL_GPL(fscrypt_set_context);
>  
> +/**
> + * fscrypt_context_from_inode() - fetch the encryption context out of in-core inode

Comment doesn't match the function name.

Also, the name isn't very clear.  How about calling this
fscrypt_context_for_new_inode()?

BTW, I might rename fscrypt_new_context_from_policy() to
fscrypt_context_from_policy() in my patchset.  Since it now makes the caller
provide the nonce, technically it's no longer limited to "new" contexts.

> + * @ctx: where context should be written
> + * @inode: inode from which to fetch context
> + *
> + * Given an in-core prepared, but not-necessarily fully-instantiated inode,
> + * generate an encryption context from its policy and write it to ctx.

Clarify what is meant by "prepared" (fscrypt_prepare_new_inode() was called)
vs. "instantiated".

> + *
> + * Returns size of the context.
> + */
> +int fscrypt_new_context_from_inode(union fscrypt_context *ctx, struct inode *inode)
> +{
> +	struct fscrypt_info *ci = inode->i_crypt_info;
> +
> +	BUILD_BUG_ON(sizeof(*ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE);
> +
> +	return fscrypt_new_context_from_policy(ctx, &ci->ci_policy, ci->ci_nonce);
> +}
> +EXPORT_SYMBOL_GPL(fscrypt_new_context_from_inode);

fscrypt_set_context() should be changed to call this, instead of duplicating the
same logic.  As part of that, the WARN_ON_ONCE(!ci) that's currently in
fscrypt_set_context() should go in here instead.

- Eric

Jeff Layton Sept. 8, 2020, 11:29 a.m. UTC | #2

On Mon, 2020-09-07 at 20:48 -0700, Eric Biggers wrote:
> On Fri, Sep 04, 2020 at 12:05:23PM -0400, Jeff Layton wrote:
> > CephFS will need to be able to generate a context for a new "prepared"
> > inode. Add a new routine for getting the context out of an in-core
> > inode.
> > 
> > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > ---
> >  fs/crypto/policy.c      | 20 ++++++++++++++++++++
> >  include/linux/fscrypt.h |  1 +
> >  2 files changed, 21 insertions(+)
> > 
> > diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
> > index c56ad886f7d7..10eddd113a21 100644
> > --- a/fs/crypto/policy.c
> > +++ b/fs/crypto/policy.c
> > @@ -670,6 +670,26 @@ int fscrypt_set_context(struct inode *inode, void *fs_data)
> >  }
> >  EXPORT_SYMBOL_GPL(fscrypt_set_context);
> >  
> > +/**
> > + * fscrypt_context_from_inode() - fetch the encryption context out of in-core inode
> 
> Comment doesn't match the function name.
> 
> Also, the name isn't very clear.  How about calling this
> fscrypt_context_for_new_inode()?
> 
> BTW, I might rename fscrypt_new_context_from_policy() to
> fscrypt_context_from_policy() in my patchset.  Since it now makes the caller
> provide the nonce, technically it's no longer limited to "new" contexts.
> 

Ahh yes. I didn't properly update the commit message here. Your
suggested names sound fine. I'll plan to fix that up.

> > + * @ctx: where context should be written
> > + * @inode: inode from which to fetch context
> > + *
> > + * Given an in-core prepared, but not-necessarily fully-instantiated inode,
> > + * generate an encryption context from its policy and write it to ctx.
> 
> Clarify what is meant by "prepared" (fscrypt_prepare_new_inode() was called)
> vs. "instantiated".
> 

Ack.

> > + *
> > + * Returns size of the context.
> > + */
> > +int fscrypt_new_context_from_inode(union fscrypt_context *ctx, struct inode *inode)
> > +{
> > +	struct fscrypt_info *ci = inode->i_crypt_info;
> > +
> > +	BUILD_BUG_ON(sizeof(*ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE);
> > +
> > +	return fscrypt_new_context_from_policy(ctx, &ci->ci_policy, ci->ci_nonce);
> > +}
> > +EXPORT_SYMBOL_GPL(fscrypt_new_context_from_inode);
> 
> fscrypt_set_context() should be changed to call this, instead of duplicating the
> same logic.  As part of that, the WARN_ON_ONCE(!ci) that's currently in
> fscrypt_set_context() should go in here instead.

Ok.

Jeff Layton Sept. 8, 2020, 12:29 p.m. UTC | #3

On Mon, 2020-09-07 at 20:48 -0700, Eric Biggers wrote:
> On Fri, Sep 04, 2020 at 12:05:23PM -0400, Jeff Layton wrote:
> > CephFS will need to be able to generate a context for a new "prepared"
> > inode. Add a new routine for getting the context out of an in-core
> > inode.
> > 
> > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > ---
> >  fs/crypto/policy.c      | 20 ++++++++++++++++++++
> >  include/linux/fscrypt.h |  1 +
> >  2 files changed, 21 insertions(+)
> > 
> > diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
> > index c56ad886f7d7..10eddd113a21 100644
> > --- a/fs/crypto/policy.c
> > +++ b/fs/crypto/policy.c
> > @@ -670,6 +670,26 @@ int fscrypt_set_context(struct inode *inode, void *fs_data)
> >  }
> >  EXPORT_SYMBOL_GPL(fscrypt_set_context);
> >  
> > +/**
> > + * fscrypt_context_from_inode() - fetch the encryption context out of in-core inode
> 
> Comment doesn't match the function name.
> 
> Also, the name isn't very clear.  How about calling this
> fscrypt_context_for_new_inode()?
> 
> BTW, I might rename fscrypt_new_context_from_policy() to
> fscrypt_context_from_policy() in my patchset.  Since it now makes the caller
> provide the nonce, technically it's no longer limited to "new" contexts.
> 
> > + * @ctx: where context should be written
> > + * @inode: inode from which to fetch context
> > + *
> > + * Given an in-core prepared, but not-necessarily fully-instantiated inode,
> > + * generate an encryption context from its policy and write it to ctx.
> 
> Clarify what is meant by "prepared" (fscrypt_prepare_new_inode() was called)
> vs. "instantiated".
> 
> > + *
> > + * Returns size of the context.
> > + */
> > +int fscrypt_new_context_from_inode(union fscrypt_context *ctx, struct inode *inode)
> > +{
> > +	struct fscrypt_info *ci = inode->i_crypt_info;
> > +
> > +	BUILD_BUG_ON(sizeof(*ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE);
> > +
> > +	return fscrypt_new_context_from_policy(ctx, &ci->ci_policy, ci->ci_nonce);
> > +}
> > +EXPORT_SYMBOL_GPL(fscrypt_new_context_from_inode);
> 
> fscrypt_set_context() should be changed to call this, instead of duplicating the
> same logic.  As part of that, the WARN_ON_ONCE(!ci) that's currently in
> fscrypt_set_context() should go in here instead.
> 

Note that we can't just move that WARN_ON_ONCE. If we do that, then
fscrypt_set_context will dereference ci before that check can occur, so
we'd be trading a warning and -ENOKEY for a NULL pointer dereference. I
think we'll have to duplicate that in both functions.

Eric Biggers Sept. 8, 2020, 10:34 p.m. UTC | #4

On Tue, Sep 08, 2020 at 08:29:52AM -0400, Jeff Layton wrote:
> > > + *
> > > + * Returns size of the context.
> > > + */
> > > +int fscrypt_new_context_from_inode(union fscrypt_context *ctx, struct inode *inode)
> > > +{
> > > +	struct fscrypt_info *ci = inode->i_crypt_info;
> > > +
> > > +	BUILD_BUG_ON(sizeof(*ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE);
> > > +
> > > +	return fscrypt_new_context_from_policy(ctx, &ci->ci_policy, ci->ci_nonce);
> > > +}
> > > +EXPORT_SYMBOL_GPL(fscrypt_new_context_from_inode);
> > 
> > fscrypt_set_context() should be changed to call this, instead of duplicating the
> > same logic.  As part of that, the WARN_ON_ONCE(!ci) that's currently in
> > fscrypt_set_context() should go in here instead.
> > 
> 
> Note that we can't just move that WARN_ON_ONCE. If we do that, then
> fscrypt_set_context will dereference ci before that check can occur, so
> we'd be trading a warning and -ENOKEY for a NULL pointer dereference. I
> think we'll have to duplicate that in both functions.

You could just make fscrypt_set_context() call fscrypt_new_context_from_inode()
first, before the fscrypt_hash_inode_number() stuff.

- Eric

diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
index c56ad886f7d7..10eddd113a21 100644
--- a/fs/crypto/policy.c
+++ b/fs/crypto/policy.c
@@ -670,6 +670,26 @@  int fscrypt_set_context(struct inode *inode, void *fs_data)
 }
 EXPORT_SYMBOL_GPL(fscrypt_set_context);
 
+/**
+ * fscrypt_context_from_inode() - fetch the encryption context out of in-core inode
+ * @ctx: where context should be written
+ * @inode: inode from which to fetch context
+ *
+ * Given an in-core prepared, but not-necessarily fully-instantiated inode,
+ * generate an encryption context from its policy and write it to ctx.
+ *
+ * Returns size of the context.
+ */
+int fscrypt_new_context_from_inode(union fscrypt_context *ctx, struct inode *inode)
+{
+	struct fscrypt_info *ci = inode->i_crypt_info;
+
+	BUILD_BUG_ON(sizeof(*ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE);
+
+	return fscrypt_new_context_from_policy(ctx, &ci->ci_policy, ci->ci_nonce);
+}
+EXPORT_SYMBOL_GPL(fscrypt_new_context_from_inode);
+
 /**
  * fscrypt_set_test_dummy_encryption() - handle '-o test_dummy_encryption'
  * @sb: the filesystem on which test_dummy_encryption is being specified
diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h
index 16d673c50448..0ddbd27a2e58 100644
--- a/include/linux/fscrypt.h
+++ b/include/linux/fscrypt.h
@@ -157,6 +157,7 @@  int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *arg);
 int fscrypt_ioctl_get_nonce(struct file *filp, void __user *arg);
 int fscrypt_has_permitted_context(struct inode *parent, struct inode *child);
 int fscrypt_set_context(struct inode *inode, void *fs_data);
+int fscrypt_new_context_from_inode(union fscrypt_context *ctx, struct inode *inode);
 
 struct fscrypt_dummy_context {
 	const union fscrypt_context *ctx;

[RFC,v2,04/18] fscrypt: add fscrypt_new_context_from_inode

Commit Message

Comments

Patch