From: Eric Biggers <ebiggers3@gmail.com>
To: Andreas Dilger <adilger@dilger.ca>
Cc: linux-ext4 <linux-ext4@vger.kernel.org>,
linux-fscrypt@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
Eric Biggers <ebiggers@google.com>
Subject: Re: [PATCH] ext4: forbid encrypting root directory
Date: Fri, 16 Jun 2017 10:54:57 -0700 [thread overview]
Message-ID: <20170616175457.GA20865@gmail.com> (raw)
In-Reply-To: <F7BF6774-18AA-4A57-AF64-D7D125A7E73C@dilger.ca>
On Wed, Jun 14, 2017 at 08:02:05PM -0600, Andreas Dilger wrote:
> >>
> >> What about a special case to handle an unencrypted lost+found inode?
> >>
> >> There was also a patch series a while ago to explicitly add lost+found
> >> into the superblock so that it could be found even if the root directory
> >> was corrupted, and to allow flexibility in whether it is always shown in
> >> the root directory or not (e.g. allowing ".lost+found" or similar).
> >
> > It could be done if the lost+found inode was not linked to from any directory
> > and instead had its inode number stored in the superblock so that e2fsck could
> > still find it. However, if e2fsck put files in a lost+found directory that
> > doesn't exist in the filesystem directory structure, how would users retrieve
> > those files? Would users be required to run a special e2fsprogs command to
> > list/read/delete the files in lost+found?
>
> I was thinking that readdir on the root inode could insert the "lost+found"
> or ".lost+found" entry dynamically,
I think this is possible, but not trivial. It's not just readdir; ->lookup()
would also have to special-case lookups of "lost+found", and we'd have to
override the fscrypt_permitted_context() check. It would also have to be a
RO_COMPAT filesystem feature, lest an unaware ext4 driver or e2fsprogs create a
lost+found directory which would then be ambiguous with the "real" one.
> or (a bit less pleasant) is to add a
> special case that this entry is just never encrypted (could compare the
> inode number to the one stored in the superblock, instead of comparing names)?
I think that would be similarly difficult, as it would still require special
logic in readdir and ->lookup(), and would still require a RO_COMPAT filesystem
feature.
Either way, not all filesystems will have the implicit "lost+found" directory
feature, so we're still going to need to forbid encrypting the root directory on
some filesystems anyway.
Eric
prev parent reply other threads:[~2017-06-16 17:55 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-14 23:17 [PATCH] ext4: forbid encrypting root directory Eric Biggers
2017-06-15 0:00 ` Andreas Dilger
2017-06-15 0:24 ` Eric Biggers
2017-06-15 2:02 ` Andreas Dilger
2017-06-16 17:54 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170616175457.GA20865@gmail.com \
--to=ebiggers3@gmail.com \
--cc=adilger@dilger.ca \
--cc=ebiggers@google.com \
--cc=jaegeuk@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.