Message ID | 20190320183913.12686-5-ebiggers@kernel.org (mailing list archive) |
---|---|
State | Accepted |
Series | fscrypt: d_revalidate fixes and cleanups |
On Wed, Mar 20, 2019 at 11:39:12AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Plaintext dentries are always valid, so only set fscrypt_d_ops on
> ciphertext dentries.
>
> Besides marginally improved performance, this allows overlayfs to use an
> fscrypt-encrypted upperdir, provided that all the following are true:
>
>     (1) The fscrypt encryption key is placed in the keyring before
>         mounting overlayfs, and remains while the overlayfs is mounted.
>
>     (2) The overlayfs workdir uses the same encryption policy.
>
>     (3) No dentries for the ciphertext names of subdirectories have been
>         created in the upperdir or workdir yet.  (Since otherwise
>         d_splice_alias() will reuse the old dentry with ->d_op set.)
>
> One potential use case is using an ephemeral encryption key to encrypt
> all files created or changed by a container, so that they can be
> securely erased ("crypto-shredded") after the container stops.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Looks good, applied.

- Ted
diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c index 2e7498a821a48..9d8910e86ee5d 100644 --- a/fs/crypto/hooks.c +++ b/fs/crypto/hooks.c @@ -115,9 +115,8 @@ int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry) spin_lock(&dentry->d_lock); dentry->d_flags |= DCACHE_ENCRYPTED_NAME; spin_unlock(&dentry->d_lock); + d_set_d_op(dentry, &fscrypt_d_ops); } - - d_set_d_op(dentry, &fscrypt_d_ops); return 0; } EXPORT_SYMBOL_GPL(__fscrypt_prepare_lookup);
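Review bot: The relocated d_set_d_op(dentry, &fscrypt_d_ops) call in __fscrypt_prepare_lookup() has no comment saying why only dentries flagged DCACHE_ENCRYPTED_NAME get fscrypt_d_ops, so the reasoning lives only in the commit message. A one-line comment above the call (plaintext-name dentries are always valid, so they need no ->d_revalidate) would keep that visible to anyone who later touches this branch. The overlayfs conditions are likewise stated only in the commit message, in particular (3), where d_splice_alias() reuses an older dentry that still has ->d_op set; consider recording them in the fscrypt documentation so that users relying on an encrypted upperdir can find them.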