Re: [PATCH 3/5] xfs_db: fix metadump name obfuscation for ascii-ci filesystems

Eric Sandeen <sandeen@xxxxxxxxxxx> · Mon, 5 Jun 2023 12:18:53 -0500




On 6/5/23 12:09 PM, Darrick J. Wong wrote:
On Mon, Jun 05, 2023 at 11:59:45AM -0500, Eric Sandeen wrote:
On 6/5/23 10:36 AM, Darrick J. Wong wrote:
@@ -1205,9 +1264,9 @@ generate_obfuscated_name(
   	/* Obfuscate the name (if possible) */
-	hash = libxfs_da_hashname(name, namelen);
-	obfuscate_name(hash, namelen, name);
-	ASSERT(hash == libxfs_da_hashname(name, namelen));
+	hash = dirattr_hashname(ino != 0, name, namelen);
+	obfuscate_name(hash, namelen, name, ino != 0);
+	ASSERT(hash == dirattr_hashname(ino != 0, name, namelen));

This makes sense to me - comments above here remind us that "inode == 0"
means we're obfuscating an xattr value, not a filename or path name, but ...

   	/*
   	 * Make sure the name is not something already seen.  If we
@@ -1320,7 +1379,7 @@ obfuscate_path_components(
   			/* last (or single) component */
   			namelen = strnlen((char *)comp, len);
   			hash = libxfs_da_hashname(comp, namelen);
-			obfuscate_name(hash, namelen, comp);
+			obfuscate_name(hash, namelen, comp, false);
   			ASSERT(hash == libxfs_da_hashname(comp, namelen));
   			break;
   		}
@@ -1332,7 +1391,7 @@ obfuscate_path_components(
   			continue;
   		}
   		hash = libxfs_da_hashname(comp, namelen);
-		obfuscate_name(hash, namelen, comp);
+		obfuscate_name(hash, namelen, comp, false);
   		ASSERT(hash == libxfs_da_hashname(comp, namelen));
   		comp += namelen + 1;
   		len -= namelen + 1;


here, why is "is_dirent" false? Shouldn't a symlink path component match the
associated dirents, and be obsucated the same way?

Name obfuscation replaces every byte except for the last five bytes with
a random printable character, and then flips bits in those last five
bytes to make the hash match.  Chances are good that calling
obfuscate_name() twice on the same name will return different results,
which means that symlink targets won't point anywhere useful after the
obfuscation.

One could make metadump remember the (input -> output) pairs instead of
regenerating the names every time, but this comes at a cost of higher
memory consumption.  I actually did this for parent pointers so that
obfuscated dumped pptrs are still verifiable by xfs_repair.

However, symlink targets aren't required to point to a valid path, so
there doesn't seem to be much reason to add that overhead.

Fair enough, thanks. If you wanted to throw in a comment it might be 
nice, but I'll leave that up to you, esp. if we're killing off ascii-ci 
in the long run anyway.

Thanks,
-Eric







