On Wed, Mar 13, 2019 at 2:00 PM Richard Weinberger <richard@xxxxxx> wrote: > > Am Mittwoch, 13. März 2019, 13:58:11 CET schrieb Miklos Szeredi: > > On Wed, Mar 13, 2019 at 1:47 PM Richard Weinberger <richard@xxxxxx> wrote: > > > > > > Am Mittwoch, 13. März 2019, 13:36:02 CET schrieb Miklos Szeredi: > > > > I don't get it. Does fscrypt try to check permissions via > > > > ->d_revalidate? Why is it not doing that via ->permission()? > > > > > > Please let me explain. Suppose we have a fscrypto directory /mnt and > > > I *don't* have the key. > > > > > > When reading the directory contents of /mnt will return an encrypted filename. > > > e.g. > > > # ls /mnt > > > +mcQ46ne5Y8U6JMV9Wdq2C > > > > Why does showing the encrypted contents make any sense? It could just > > return -EPERM on all operations? > > The use case is that you can delete these files if the DAC/MAC permissions allow it. > Just like on NTFS. If a user encrypts files, the admin cannot read them but can > remove them if the user is gone or loses the key. There's the underlying filesystem view where admin can delete files, etc. And there's the fscrypt layer stacked on top of the underlying fs, which en/decrypts files *in case the user has the key*. What if one user has a key, but the other one doesn't? Will d_revalidate constantly switch the set of dentries between the encrypted filenames and the decrypted ones? Sounds crazy. And the fact that NTFS does this doesn't make it any less crazy... Thanks, Miklos
