On Wed, Sep 09, 2020 at 08:26:51AM -0400, Jeff Layton wrote:
> On Mon, 2020-09-07 at 22:12 -0700, Eric Biggers wrote:
> > On Fri, Sep 04, 2020 at 12:05:34PM -0400, Jeff Layton wrote:
> > > If we have an encrypted dentry, then we need to test whether a new key
> > > might have been established or removed. Do that before we test anything
> > > else about the dentry.
> >
> > A more accurate explanation would be:
> >
> > "If we have a dentry which represents a no-key name, then we need to test
> > whether the parent directory's encryption key has since been added."
> >
>
> Can't a key also be removed (e.g. fscrypt lock /path/to/dir)?
>
> Does that result in the dentries below that point being invalidated?

It results in the dentries (and inodes) being evicted, not invalidated. See
try_to_lock_encrypted_files() in fs/crypto/keyring.c.

So, fscrypt_d_revalidate() doesn't need to consider key removal.

- Eric