| Message ID | 20201125002336.274045-1-ebiggers@kernel.org (mailing list archive) |
|---|---|
| Headers | show |
| Series | Allow deleting files with unsupported encryption policy | expand |
On Tue, Nov 24, 2020 at 04:23:27PM -0800, Eric Biggers wrote: > Currently it's impossible to delete files that use an unsupported > encryption policy, as the kernel will just return an error when > performing any operation on the top-level encrypted directory, even just > a path lookup into the directory or opening the directory for readdir. > > It's desirable to return errors for most operations on files that use an > unsupported encryption policy, but the current behavior is too strict. > We need to allow enough to delete files, so that people can't be stuck > with undeletable files when downgrading kernel versions. That includes > allowing directories to be listed and allowing dentries to be looked up. > > This series fixes this (on ext4, f2fs, and ubifs) by treating an > unsupported encryption policy in the same way as "key unavailable" in > the cases that are required for a recursive delete to work. > > The actual fix is in patch 9, so see that for more details. > > Patches 1-8 are cleanups that prepare for the actual fix by removing > direct use of fscrypt_get_encryption_info() by filesystems. > > This patchset applies to branch "master" (commit 4a4b8721f1a5) of > https://git.kernel.org/pub/scm/fs/fscrypt/fscrypt.git. > > Eric Biggers (9): > ext4: remove ext4_dir_open() > f2fs: remove f2fs_dir_open() > ubifs: remove ubifs_dir_open() > ext4: don't call fscrypt_get_encryption_info() from dx_show_leaf() > fscrypt: introduce fscrypt_prepare_readdir() > fscrypt: move body of fscrypt_prepare_setattr() out-of-line > fscrypt: move fscrypt_require_key() to fscrypt_private.h > fscrypt: unexport fscrypt_get_encryption_info() > fscrypt: allow deleting files with unsupported encryption policy > > fs/crypto/fname.c | 8 +++- > fs/crypto/fscrypt_private.h | 28 ++++++++++++++ > fs/crypto/hooks.c | 16 +++++++- > fs/crypto/keysetup.c | 20 ++++++++-- > fs/crypto/policy.c | 22 +++++++---- > fs/ext4/dir.c | 16 ++------ > fs/ext4/namei.c | 10 +---- > fs/f2fs/dir.c | 10 +---- > fs/ubifs/dir.c | 11 +----- > include/linux/fscrypt.h | 75 +++++++++++++++++++------------------ > 10 files changed, 126 insertions(+), 90 deletions(-) > > > base-commit: 4a4b8721f1a5e4b01e45b3153c68d5a1014b25de Any more comments on this patch series? - Eric
On Dec 2, 2020, at 2:07 PM, Eric Biggers <ebiggers@kernel.org> wrote: > > On Tue, Nov 24, 2020 at 04:23:27PM -0800, Eric Biggers wrote: >> Currently it's impossible to delete files that use an unsupported >> encryption policy, as the kernel will just return an error when >> performing any operation on the top-level encrypted directory, even just >> a path lookup into the directory or opening the directory for readdir. >> >> It's desirable to return errors for most operations on files that use an >> unsupported encryption policy, but the current behavior is too strict. >> We need to allow enough to delete files, so that people can't be stuck >> with undeletable files when downgrading kernel versions. That includes >> allowing directories to be listed and allowing dentries to be looked up. >> >> This series fixes this (on ext4, f2fs, and ubifs) by treating an >> unsupported encryption policy in the same way as "key unavailable" in >> the cases that are required for a recursive delete to work. >> >> The actual fix is in patch 9, so see that for more details. >> >> Patches 1-8 are cleanups that prepare for the actual fix by removing >> direct use of fscrypt_get_encryption_info() by filesystems. >> >> This patchset applies to branch "master" (commit 4a4b8721f1a5) of >> https://git.kernel.org/pub/scm/fs/fscrypt/fscrypt.git. >> >> Eric Biggers (9): >> ext4: remove ext4_dir_open() >> f2fs: remove f2fs_dir_open() >> ubifs: remove ubifs_dir_open() >> ext4: don't call fscrypt_get_encryption_info() from dx_show_leaf() >> fscrypt: introduce fscrypt_prepare_readdir() >> fscrypt: move body of fscrypt_prepare_setattr() out-of-line >> fscrypt: move fscrypt_require_key() to fscrypt_private.h >> fscrypt: unexport fscrypt_get_encryption_info() >> fscrypt: allow deleting files with unsupported encryption policy >> >> fs/crypto/fname.c | 8 +++- >> fs/crypto/fscrypt_private.h | 28 ++++++++++++++ >> fs/crypto/hooks.c | 16 +++++++- >> fs/crypto/keysetup.c | 20 ++++++++-- >> fs/crypto/policy.c | 22 +++++++---- >> fs/ext4/dir.c | 16 ++------ >> fs/ext4/namei.c | 10 +---- >> fs/f2fs/dir.c | 10 +---- >> fs/ubifs/dir.c | 11 +----- >> include/linux/fscrypt.h | 75 +++++++++++++++++++------------------ >> 10 files changed, 126 insertions(+), 90 deletions(-) >> >> >> base-commit: 4a4b8721f1a5e4b01e45b3153c68d5a1014b25de > > Any more comments on this patch series? I think the general idea makes sense. I'll review the ext4 patches in the series. Cheers, Andreas