• Eric Biggers's avatar
    fscrypt: handle test_dummy_encryption in more logical way · ac4acb1f
    Eric Biggers authored
    The behavior of the test_dummy_encryption mount option is that when a
    new file (or directory or symlink) is created in an unencrypted
    directory, it's automatically encrypted using a dummy encryption policy.
    That's it; in particular, the encryption (or lack thereof) of existing
    files (or directories or symlinks) doesn't change.
    
    Unfortunately the implementation of test_dummy_encryption is a bit weird
    and confusing.  When test_dummy_encryption is enabled and a file is
    being created in an unencrypted directory, we set up an encryption key
    (->i_crypt_info) for the directory.  This isn't actually used to do any
    encryption, however, since the directory is still unencrypted!  Instead,
    ->i_crypt_info is only used for inheriting the encryption policy.
    
    One consequence of this is that the filesystem ends up providing a
    "dummy context" (policy + nonce) instead of a "dummy policy".  In
    commit ed318a6c ("fscrypt: support test_dummy_encryption=v2"), I
    mistakenly thought this was required.  However, actually the nonce only
    ends up being used to derive a key that is never used.
    
    Another consequence of this implementation is that it allows for
    'inode->i_crypt_info != NULL && !IS_ENCRYPTED(inode)', which is an edge
    case that can be forgotten about.  For example, currently
    FS_IOC_GET_ENCRYPTION_POLICY on an unencrypted directory may return the
    dummy encryption policy when the filesystem is mounted with
    test_dummy_encryption.  That seems like the wrong thing to do, since
    again, the directory itself is not actually encrypted.
    
    Therefore, switch to a more logical and maintainable implementation
    where the dummy encryption policy inheritance is done without setting up
    keys for unencrypted directories.  This involves:
    
    - Adding a function fscrypt_policy_to_inherit() which returns the
      encryption policy to inherit from a directory.  This can be a real
      policy, a dummy policy, or no policy.
    
    - Replacing struct fscrypt_dummy_context, ->get_dummy_context(), etc.
      with struct fscrypt_dummy_policy, ->get_dummy_policy(), etc.
    
    - Making fscrypt_fname_encrypted_size() take an fscrypt_policy instead
      of an inode.
    Acked-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
    Acked-by: default avatarJeff Layton <jlayton@kernel.org>
    Link: https://lore.kernel.org/r/20200917041136.178600-13-ebiggers@kernel.orgSigned-off-by: default avatarEric Biggers <ebiggers@google.com>
    ac4acb1f
fscrypt.h 23.9 KB