From: Josef Bacik <josef@toxicpanda.com>
To: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
Cc: "Theodore Y. Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
Eric Biggers <ebiggers@kernel.org>, Chris Mason <clm@fb.com>,
David Sterba <dsterba@suse.com>,
linux-fscrypt@vger.kernel.org, linux-btrfs@vger.kernel.org,
kernel-team@fb.com, Omar Sandoval <osandov@osandov.com>
Subject: Re: [PATCH v2 18/20] btrfs: adapt directory read and lookup to potentially encrypted filenames
Date: Thu, 8 Sep 2022 16:15:58 -0400 [thread overview]
Message-ID: <YxpNfmMN8H/brIeL@localhost.localdomain> (raw)
In-Reply-To: <a39aff2f5502199152a680e31db90f7162b4f350.1662420176.git.sweettea-kernel@dorminy.me>
On Mon, Sep 05, 2022 at 08:35:33PM -0400, Sweet Tea Dorminy wrote:
> From: Omar Sandoval <osandov@osandov.com>
>
> When filenames can be encrypted, if we don't initially match a desired
> filename, we have to try decrypting it with the directory key to see if
> it matches in plaintext. Similarly, for readdir, we need to read
> encrypted directory items as well as unencrypted.
>
> Signed-off-by: Omar Sandoval <osandov@osandov.com>
> Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
> ---
> fs/btrfs/delayed-inode.c | 32 +++++++++++---
> fs/btrfs/delayed-inode.h | 4 +-
> fs/btrfs/dir-item.c | 23 ++++++++++
> fs/btrfs/inode.c | 90 ++++++++++++++++++++++++++++++++++++----
> 4 files changed, 134 insertions(+), 15 deletions(-)
>
> diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
> index 069326654074..5eef6f96c6b6 100644
> --- a/fs/btrfs/delayed-inode.c
> +++ b/fs/btrfs/delayed-inode.c
> @@ -1493,9 +1493,9 @@ int btrfs_insert_delayed_dir_index(struct btrfs_trans_handle *trans,
>
> ret = __btrfs_add_delayed_item(delayed_node, delayed_item);
> if (unlikely(ret)) {
> + // TODO: It would be nice to print the base64encoded name here maybe?
> btrfs_err(trans->fs_info,
> - "err add delayed dir index item(name: %.*s) into the insertion tree of the delayed node(root id: %llu, inode id: %llu, errno: %d)",
> - fname_len(fname), fname_name(fname),
> + "err add delayed dir index item into the insertion tree of the delayed node (root id: %llu, inode id: %llu, errno: %d)",
> delayed_node->root->root_key.objectid,
> delayed_node->inode_id, ret);
> BUG();
> @@ -1721,7 +1721,9 @@ int btrfs_should_delete_dir_index(struct list_head *del_list,
> * btrfs_readdir_delayed_dir_index - read dir info stored in the delayed tree
> *
> */
> -int btrfs_readdir_delayed_dir_index(struct dir_context *ctx,
> +int btrfs_readdir_delayed_dir_index(struct inode *inode,
> + struct fscrypt_str *fstr,
> + struct dir_context *ctx,
> struct list_head *ins_list)
> {
> struct btrfs_dir_item *di;
> @@ -1731,6 +1733,7 @@ int btrfs_readdir_delayed_dir_index(struct dir_context *ctx,
> int name_len;
> int over = 0;
> unsigned char d_type;
> + size_t fstr_len = fstr->len;
>
> if (list_empty(ins_list))
> return 0;
> @@ -1758,8 +1761,27 @@ int btrfs_readdir_delayed_dir_index(struct dir_context *ctx,
> d_type = fs_ftype_to_dtype(btrfs_dir_flags_to_ftype(di->type));
> btrfs_disk_key_to_cpu(&location, &di->location);
>
> - over = !dir_emit(ctx, name, name_len,
> - location.objectid, d_type);
> + if (di->type & BTRFS_FT_FSCRYPT_NAME) {
> + int ret;
> + struct fscrypt_str iname = FSTR_INIT(name, name_len);
> + fstr->len = fstr_len;
> + /*
> + * The hash is only used when the encryption key is not
> + * available. But if we have delayed insertions, then we
> + * must have the encryption key available or we wouldn't
> + * have been able to create entries in the directory.
> + * So, we don't calculate the hash.
> + */
> + ret = fscrypt_fname_disk_to_usr(inode, 0, 0, &iname,
> + fstr);
> + if (ret)
> + return ret;
> + over = !dir_emit(ctx, fstr->name, fstr->len,
> + location.objectid, d_type);
> + } else {
> + over = !dir_emit(ctx, name, name_len, location.objectid,
> + d_type);
> + }
>
> if (refcount_dec_and_test(&curr->refs))
> kfree(curr);
> diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h
> index 8abeb78af14e..9491bf0b7576 100644
> --- a/fs/btrfs/delayed-inode.h
> +++ b/fs/btrfs/delayed-inode.h
> @@ -156,7 +156,9 @@ void btrfs_readdir_put_delayed_items(struct inode *inode,
> struct list_head *del_list);
> int btrfs_should_delete_dir_index(struct list_head *del_list,
> u64 index);
> -int btrfs_readdir_delayed_dir_index(struct dir_context *ctx,
> +int btrfs_readdir_delayed_dir_index(struct inode *inode,
> + struct fscrypt_str *fstr,
> + struct dir_context *ctx,
> struct list_head *ins_list);
>
> /* Used during directory logging. */
> diff --git a/fs/btrfs/dir-item.c b/fs/btrfs/dir-item.c
> index 8d7c3c32ed8e..6b1ea32419fb 100644
> --- a/fs/btrfs/dir-item.c
> +++ b/fs/btrfs/dir-item.c
> @@ -120,6 +120,9 @@ int btrfs_insert_dir_item(struct btrfs_trans_handle *trans,
> struct btrfs_disk_key disk_key;
> u32 data_size;
>
> + if (fname->crypto_buf.name)
> + type |= BTRFS_FT_FSCRYPT_NAME;
> +
> key.objectid = btrfs_ino(dir);
> key.type = BTRFS_DIR_ITEM_KEY;
> key.offset = btrfs_name_hash(fname);
> @@ -385,6 +388,18 @@ struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_fs_info *fs_info,
> u32 cur = 0;
> u32 this_len;
> struct extent_buffer *leaf;
> + bool encrypted = (fname->crypto_buf.name != NULL);
> + struct fscrypt_name unencrypted_fname;
> +
> + if (encrypted) {
> + unencrypted_fname = (struct fscrypt_name){
> + .usr_fname = fname->usr_fname,
> + .disk_name = {
> + .name = (unsigned char *)fname->usr_fname->name,
> + .len = fname->usr_fname->len,
> + },
> + };
> + }
>
> leaf = path->nodes[0];
> dir_item = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_dir_item);
> @@ -401,6 +416,14 @@ struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_fs_info *fs_info,
> return dir_item;
> }
>
> + if (encrypted &&
Whitespace.
> + btrfs_dir_name_len(leaf, dir_item) == fname_len(&unencrypted_fname) &&
> + btrfs_fscrypt_match_name(&unencrypted_fname, leaf,
> + (unsigned long)(dir_item + 1),
> + dir_name_len)) {
> + return dir_item;
> + }
> +
> cur += this_len;
> dir_item = (struct btrfs_dir_item *)((char *)dir_item +
> this_len);
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index 4c134a6486b3..1c7681d7770c 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -4292,6 +4292,7 @@ static int __btrfs_unlink_inode(struct btrfs_trans_handle *trans,
> u64 index;
> u64 ino = btrfs_ino(inode);
> u64 dir_ino = btrfs_ino(dir);
> + u64 di_name_len;
>
> path = btrfs_alloc_path();
> if (!path) {
> @@ -4304,6 +4305,13 @@ static int __btrfs_unlink_inode(struct btrfs_trans_handle *trans,
> ret = di ? PTR_ERR(di) : -ENOENT;
> goto err;
> }
> +
> + /*
> + * We have to read the actual name length off disk -- the fname
> + * provided may have been a nokey_name with uncertain length.
> + */
> + di_name_len = btrfs_dir_name_len(path->nodes[0], di);
> +
> ret = btrfs_delete_one_dir_name(trans, root, path, di);
> if (ret)
> goto err;
> @@ -4371,7 +4379,7 @@ static int __btrfs_unlink_inode(struct btrfs_trans_handle *trans,
> if (ret)
> goto out;
>
> - btrfs_i_size_write(dir, dir->vfs_inode.i_size - fname_len(fname) * 2);
> + btrfs_i_size_write(dir, dir->vfs_inode.i_size - di_name_len * 2);
> inode_inc_iversion(&inode->vfs_inode);
> inode_inc_iversion(&dir->vfs_inode);
> inode->vfs_inode.i_ctime = current_time(&inode->vfs_inode);
> @@ -5882,12 +5890,25 @@ struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry)
> struct btrfs_root *root = BTRFS_I(dir)->root;
> struct btrfs_root *sub_root = root;
> struct btrfs_key location;
> + struct fscrypt_name fname;
> u8 di_type = 0;
> int ret = 0;
>
> if (dentry->d_name.len > BTRFS_NAME_LEN)
> return ERR_PTR(-ENAMETOOLONG);
>
> + if (BTRFS_I(dir)->flags & BTRFS_INODE_FSCRYPT_CONTEXT) {
> + ret = fscrypt_prepare_lookup(dir, dentry, &fname);
> + if (ret)
> + return ERR_PTR(ret);
> + } else {
> + fname = (struct fscrypt_name) {
> + .usr_fname = &dentry->d_name,
> + .disk_name = FSTR_INIT((char *) dentry->d_name.name,
> + dentry->d_name.len),
> + };
> + }
> +
> ret = btrfs_inode_by_name(dir, dentry, &location, &di_type);
> if (ret < 0)
> return ERR_PTR(ret);
> @@ -6029,18 +6050,32 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
> struct list_head del_list;
> int ret;
> char *name_ptr;
> - int name_len;
> + u32 name_len;
> int entries = 0;
> int total_len = 0;
> bool put = false;
> struct btrfs_key location;
> + struct fscrypt_str fstr = FSTR_INIT(NULL, 0);
> + u32 fstr_len = 0;
>
> if (!dir_emit_dots(file, ctx))
> return 0;
>
> + if (BTRFS_I(inode)->flags & BTRFS_INODE_FSCRYPT_CONTEXT) {
> + ret = fscrypt_prepare_readdir(inode);
> + if (ret)
> + return ret;
> + ret = fscrypt_fname_alloc_buffer(BTRFS_NAME_LEN, &fstr);
> + if (ret)
> + return ret;
> + fstr_len = fstr.len;
> + }
> +
> path = btrfs_alloc_path();
> - if (!path)
> - return -ENOMEM;
> + if (!path) {
> + ret = -ENOMEM;
> + goto err_fstr;
> + }
>
> addr = private->filldir_buf;
> path->reada = READA_FORWARD;
> @@ -6058,6 +6093,7 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
> struct dir_entry *entry;
> struct extent_buffer *leaf = path->nodes[0];
> u8 di_flags;
> + u32 nokey_len;
>
> if (found_key.objectid != key.objectid)
> break;
> @@ -6069,8 +6105,13 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
> continue;
> di = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_dir_item);
> name_len = btrfs_dir_name_len(leaf, di);
> - if ((total_len + sizeof(struct dir_entry) + name_len) >=
> - PAGE_SIZE) {
> + nokey_len = DIV_ROUND_UP(name_len * 4, 3);
> + /*
> + * If name is encrypted, and we don't have the key, we could
> + * need up to 4/3rds the bytes to print it.
> + */
> + if ((total_len + sizeof(struct dir_entry) + nokey_len)
> + >= PAGE_SIZE) {
> btrfs_release_path(path);
> ret = btrfs_filldir(private->filldir_buf, entries, ctx);
> if (ret)
> @@ -6084,8 +6125,36 @@ static int btrfs_real_readdir(struct file *file, struct dir_context *ctx)
> di_flags = btrfs_dir_flags(leaf, di);
> entry = addr;
> name_ptr = (char *)(entry + 1);
> - read_extent_buffer(leaf, name_ptr,
> - (unsigned long)(di + 1), name_len);
> + if (di_flags & BTRFS_FT_FSCRYPT_NAME) {
> + struct fscrypt_str oname = FSTR_INIT(name_ptr,
> + nokey_len);
> + u32 hash = 0, minor_hash = 0;
> +
> + read_extent_buffer(leaf, fstr.name,
> + (unsigned long)(di + 1), name_len);
> + fstr.len = name_len;
> + /*
> + * We're iterating through DIR_INDEX items, so we don't
> + * have the DIR_ITEM hash handy. Only compute it if
> + * we'll need it.
> + */
> + if (!fscrypt_has_encryption_key(inode)) {
> + struct fscrypt_name fname = {
> + .disk_name = fstr,
> + };
> + u64 name_hash = btrfs_name_hash(&fname);
> + hash = name_hash;
> + minor_hash = name_hash >> 32;
> + }
> + ret = fscrypt_fname_disk_to_usr(inode, hash, minor_hash,
> + &fstr, &oname);
> + if (ret)
> + goto err;
> + name_len = oname.len;
You have this same work in the delayed inode stuff, the only exception is that
you don't do the hash thing. I assume with the delayed inode that
fscrypt_has_encryption_key() would be true, so you could stuff all this in a
helper and use the helper from both places? Thanks,
Josef
next prev parent reply other threads:[~2022-09-08 20:16 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-06 0:35 [PATCH v2 00/20] btrfs: add fscrypt integration Sweet Tea Dorminy
2022-09-06 0:35 ` [PATCH v2 01/20] fscrypt: expose fscrypt_nokey_name Sweet Tea Dorminy
2022-09-08 13:41 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 02/20] fscrypt: add flag allowing partially-encrypted directories Sweet Tea Dorminy
2022-09-08 13:43 ` Josef Bacik
2022-09-12 1:42 ` Eric Biggers
2022-09-15 18:58 ` Sweet Tea Dorminy
2022-09-13 10:07 ` Anand Jain
2022-09-13 11:02 ` Neal Gompa
2022-09-06 0:35 ` [PATCH v2 03/20] fscrypt: add fscrypt_have_same_policy() to check inode compatibility Sweet Tea Dorminy
2022-09-08 13:53 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 04/20] fscrypt: allow fscrypt_generate_iv() to distinguish filenames Sweet Tea Dorminy
2022-09-08 14:01 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 05/20] fscrypt: add extent-based encryption Sweet Tea Dorminy
2022-09-07 19:59 ` Omar Sandoval
2022-09-08 15:33 ` Josef Bacik
2022-09-10 18:53 ` kernel test robot
2022-09-12 1:34 ` Eric Biggers
2022-09-06 0:35 ` [PATCH v2 06/20] fscrypt: document btrfs' fscrypt quirks Sweet Tea Dorminy
2022-09-08 15:34 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 07/20] btrfs: store directory's encryption state Sweet Tea Dorminy
2022-09-08 15:37 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 08/20] btrfs: use fscrypt_names instead of name/len everywhere Sweet Tea Dorminy
2022-09-07 20:04 ` David Sterba
2022-09-06 0:35 ` [PATCH v2 09/20] btrfs: setup fscrypt_names from dentrys using helper Sweet Tea Dorminy
2022-09-08 19:11 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 10/20] btrfs: factor a fscrypt_name matching method Sweet Tea Dorminy
2022-09-08 19:27 ` Josef Bacik
2022-09-09 10:15 ` David Sterba
2022-09-09 13:00 ` Christoph Hellwig
2022-09-09 13:34 ` David Sterba
2022-09-16 22:18 ` J Lovejoy
2022-09-19 2:00 ` Bradley M. Kuhn
2022-09-19 17:20 ` David Sterba
2022-09-19 16:52 ` David Sterba
2022-09-09 13:41 ` Chris Mason
2022-09-06 0:35 ` [PATCH v2 11/20] btrfs: disable various operations on encrypted inodes Sweet Tea Dorminy
2022-09-06 6:36 ` kernel test robot
2022-09-07 20:11 ` David Sterba
2022-09-06 0:35 ` [PATCH v2 12/20] btrfs: start using fscrypt hooks Sweet Tea Dorminy
2022-09-07 20:17 ` David Sterba
2022-09-07 20:42 ` Sweet Tea Dorminy
2022-09-12 1:50 ` Eric Biggers
2022-09-08 19:42 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 13/20] btrfs: add fscrypt_context items Sweet Tea Dorminy
2022-09-07 20:43 ` David Sterba
2022-09-08 20:06 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 14/20] btrfs: translate btrfs encryption flags and encrypted inode flag Sweet Tea Dorminy
2022-09-08 20:07 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 15/20] btrfs: store a fscrypt extent context per normal file extent Sweet Tea Dorminy
2022-09-07 21:10 ` David Sterba
2022-09-07 21:39 ` Sweet Tea Dorminy
2022-09-09 10:04 ` David Sterba
2022-09-06 0:35 ` [PATCH v2 16/20] btrfs: Add new FEATURE_INCOMPAT_FSCRYPT feature flag Sweet Tea Dorminy
2022-09-09 11:35 ` David Sterba
2022-09-12 1:36 ` Eric Biggers
2022-09-06 0:35 ` [PATCH v2 17/20] btrfs: reuse encrypted filename hash when possible Sweet Tea Dorminy
2022-09-07 21:24 ` David Sterba
2022-09-06 0:35 ` [PATCH v2 18/20] btrfs: adapt directory read and lookup to potentially encrypted filenames Sweet Tea Dorminy
2022-09-08 20:15 ` Josef Bacik [this message]
2022-09-06 0:35 ` [PATCH v2 19/20] btrfs: encrypt normal file extent data if appropriate Sweet Tea Dorminy
2022-09-08 20:19 ` Josef Bacik
2022-09-06 0:35 ` [PATCH v2 20/20] btrfs: implement fscrypt ioctls Sweet Tea Dorminy
2022-09-07 21:33 ` David Sterba
2022-09-06 22:35 ` [PATCH v2 00/20] btrfs: add fscrypt integration Eric Biggers
2022-09-06 23:01 ` Sweet Tea Dorminy
2022-09-06 23:10 ` Eric Biggers
2022-09-07 0:01 ` Sweet Tea Dorminy
2022-09-07 19:38 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YxpNfmMN8H/brIeL@localhost.localdomain \
--to=josef@toxicpanda.com \
--cc=clm@fb.com \
--cc=dsterba@suse.com \
--cc=ebiggers@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=kernel-team@fb.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=osandov@osandov.com \
--cc=sweettea-kernel@dorminy.me \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox