On Thu, 2022-03-17 at 20:31 +0800, Xiubo Li wrote: > On 3/17/22 8:01 PM, Jeff Layton wrote: > > On Thu, 2022-03-17 at 11:11 +0000, Luís Henriques wrote: > > > Xiubo Li <xiubli@xxxxxxxxxx> writes: > > > > > > > On 3/17/22 6:01 PM, Jeff Layton wrote: > > > > > I'm not sure we want to worry about .snap directories here since they > > > > > aren't "real". IIRC, snaps are inherited from parents too, so you could > > > > > do something like > > > > > > > > > > mkdir dir1 > > > > > mkdir dir1/.snap/snap1 > > > > > mkdir dir1/dir2 > > > > > fscrypt encrypt dir1/dir2 > > > > > > > > > > There should be nothing to prevent encrypting dir2, but I'm pretty sure > > > > > dir2/.snap will not be empty at that point. > > > > If we don't take care of this. Then we don't know which snapshots should do > > > > encrypt/dencrypt and which shouldn't when building the path in lookup and when > > > > reading the snapdir ? > > > In my patchset (which I plan to send a new revision later today, I think I > > > still need to rebase it) this is handled by using the *real* snapshot > > > parent inode. If we're decrypting/encrypting a name for a snapshot that > > > starts with a '_' character, we first find the parent inode for that > > > snapshot and only do the operation if that parent is encrypted. > > > > > > In the other email I suggested that we could prevent enabling encryption > > > in a directory when there are snapshots above in the hierarchy. But now > > > that I think more about it, it won't solve any problem because you could > > > create those snapshots later and then you would still need to handle these > > > (non-encrypted) "_name_xxxx" snapshots anyway. > > > > > Yeah, that sounds about right. > > > > What happens if you don't have the snapshot parent's inode in cache? > > That can happen if you (e.g.) are running NFS over ceph, or if you get > > crafty with name_to_handle_at() and open_by_handle_at(). > > > > Do we have to do a LOOKUPINO in that case or does the trace contain that > > info? If it doesn't then that could really suck in a big hierarchy if > > there are a lot of different snapshot parent inodes to hunt down. > > > > I think this is a case where the client just doesn't have complete > > control over the dentry name. It may be better to just not encrypt them > > if it's too ugly. > > > > Another idea might be to just use the same parent inode (maybe the > > root?) for all snapshot names. It's not as secure, but it's probably > > better than nothing. > > Does it allow to have different keys for the subdirs in the hierarchy ? > From my test it doesn't. > No. Once you set a key on directory you can't set another on a subtree of it. > If so we can always use the same oldest ancestor in the hierarchy, who > has encryption key, to encyrpt/decrypt all the .snap in the hierarchy, > then just need to lookup oldest ancestor inode only once. > That's a possibility. -- Jeff Layton <jlayton@xxxxxxxxxx>
