[21/49] lustre: sec: fix migrate for encrypted dir

Message ID	1618459361-17909-22-git-send-email-jsimmons@infradead.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=FD7t=JM=lists.lustre.org=lustre-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4D624610CB From: James Simmons <jsimmons@infradead.org> To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>, NeilBrown <neilb@suse.de> Date: Thu, 15 Apr 2021 00:02:13 -0400 Message-Id: <1618459361-17909-22-git-send-email-jsimmons@infradead.org> In-Reply-To: <1618459361-17909-1-git-send-email-jsimmons@infradead.org> References: <1618459361-17909-1-git-send-email-jsimmons@infradead.org> Subject: [lustre-devel] [PATCH 21/49] lustre: sec: fix migrate for encrypted dir Precedence: list Cc: Lustre Development List <lustre-devel@lists.lustre.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: lustre-devel-bounces@lists.lustre.org Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>
Series	lustre: sync to OpenSFS as of March 30 2021 \| expand [00/49] lustre: sync to OpenSFS as of March 30 2021 [01/49] lnet: libcfs: Fix for unconfigured arch_stackwalk [02/49] lustre: lmv: iput() can safely be passed NULL. [03/49] lustre: llite: mark extended attr and inode flags [04/49] lnet: lnet_notify sets route aliveness incorrectly [05/49] lnet: Prevent discovery on peer marked deletion [06/49] lnet: Prevent discovery on deleted peer [07/49] lnet: Transfer disc src NID when merging peers [08/49] lnet: Lookup lpni after discovery [09/49] lustre: llite: update and fix module loading bug in mounting code [10/49] lnet: socklnd: change various ints to bool. [11/49] lnet: Correct asymmetric route detection [12/49] lustre: fixup ldlm_pool and lu_object shrinker failure cases [13/49] lustre: log: Add ending newline for some messages. [14/49] lustre: use with_imp_locked() more broadly. [15/49] lnet: o2iblnd: change some ints to bool. [16/49] lustre: lmv: striped directory as subdirectory mount [17/49] lustre: llite: create file_operations registration function. [18/49] lustre: osc: fix performance regression in osc_extent_merge() [19/49] lustre: mds: add enums for MDS_ATTR flags [20/49] lustre: uapi: remove OBD_IOC_LOV_GET_CONFIG [21/49] lustre: sec: fix migrate for encrypted dir [22/49] lnet: libcfs: restore LNET_DUMP_ON_PANIC functionality. [23/49] lustre: ptlrpc: fix ASSERTION on scp_rqbd_posted [24/49] lustre: ldlm: not freed req on enqueue [25/49] lnet: uapi: move userland only nidstr.h handling [26/49] lnet: libcfs: don't depend on sysctl support for debugfs [27/49] lustre: ptlrpc: Add a binary heap implementation [28/49] lustre: ptlrpc: Implement NRS Delay Policy [29/49] lustre: ptlrpc: rename cfs_binheap to simply binheap [30/49] lustre: ptlrpc: mark some functions as static [31/49] lustre: use tgt_pool for lov layer [32/49] lustre: quota: make used for pool correct [33/49] lustre: quota: call rhashtable_lookup near params decl [34/49] lustre: lov: cancel layout lock on replay deadlock [35/49] lustre: obdclass: Protect cl_env_percpu[] [36/49] lnet: libcfs: discard cfs_trace_console_buffers[] [37/49] lnet: libcfs: discard cfs_trace_copyin_string() [38/49] lustre: lmv: don't use lqr_alloc spinlock in lmv [39/49] lustre: lov: fault page update cp_lov_index [40/49] lustre: update version to 2.14.51 [41/49] lustre: llite: mirror extend/copy keeps sparseness [42/49] lustre: ptlrpc: don't use list_for_each_entry_safe unnecessarily. [43/49] lnet: Age peer NI out of recovery [44/49] lnet: Only recover known good peer NIs [45/49] lnet: Recover peer NI w/exponential backoff interval [46/49] lustre: lov: return valid stripe_count/size for PFL files [47/49] lnet: convert lpni_refcount to a kref [48/49] lustre: lmv: handle default stripe_count=-1 properly [49/49] lnet: libcfs: discard cfs_array_alloc()

Message ID

1618459361-17909-22-git-send-email-jsimmons@infradead.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4D624610CB
From: James Simmons <jsimmons@infradead.org>
To: Andreas Dilger <adilger@whamcloud.com>, Oleg Drokin <green@whamcloud.com>,
 NeilBrown <neilb@suse.de>
Date: Thu, 15 Apr 2021 00:02:13 -0400
Message-Id: <1618459361-17909-22-git-send-email-jsimmons@infradead.org>
In-Reply-To: <1618459361-17909-1-git-send-email-jsimmons@infradead.org>
References: <1618459361-17909-1-git-send-email-jsimmons@infradead.org>
Subject: [lustre-devel] [PATCH 21/49] lustre: sec: fix migrate for encrypted
 dir
Precedence: list
Cc: Lustre Development List <lustre-devel@lists.lustre.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: lustre-devel-bounces@lists.lustre.org
Sender: "lustre-devel" <lustre-devel-bounces@lists.lustre.org>

Series

lustre: sync to OpenSFS as of March 30 2021 | expand

Commit Message

James Simmons April 15, 2021, 4:02 a.m. UTC

From: Sebastien Buisson <sbuisson@ddn.com>

When setting an encryption policy on a directory that we want to
be encrypted, we need to make sure it is empty.
But, in some cases, setting the LL_XATTR_NAME_ENCRYPTION_CONTEXT xattr
should be allowed on non-empty directories, for instance when a
directory is migrated across MDTs into new shard directories.
Also, it is required for the encrpytion key to be available on the
client when migrating a directory so that the filenames can be
properly rehashed for the new MDT directory shard.
And, in any case, we need to prevent explicit setting of
LL_XATTR_NAME_ENCRYPTION_CONTEXT xattr outside of encryption policy
definition.

WC-bug-id: https://jira.whamcloud.com/browse/LU-14401
Lustre-commit: 67c4cffac6dbd30c ("LU-14401 sec: fix migrate for encrypted dir")
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-on: https://review.whamcloud.com/41413
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: John L. Hammond <jhammond@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Signed-off-by: James Simmons <jsimmons@infradead.org>
---
 fs/lustre/llite/crypto.c         |  1 +
 fs/lustre/llite/file.c           | 12 ++++++++++++
 fs/lustre/llite/llite_internal.h |  8 +++++---
 fs/lustre/llite/xattr.c          | 11 +++++++++++
 4 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/fs/lustre/llite/crypto.c b/fs/lustre/llite/crypto.c
index 0598b3c..8bbb766 100644
--- a/fs/lustre/llite/crypto.c
+++ b/fs/lustre/llite/crypto.c
@@ -104,6 +104,7 @@  static int ll_set_context(struct inode *inode, const void *ctx, size_t len,
 		return -EPERM;
 
 	dentry = (struct dentry *)fs_data;
+	set_bit(LLIF_SET_ENC_CTX, &ll_i2info(inode)->lli_flags);
 	rc = __vfs_setxattr(dentry, inode, LL_XATTR_NAME_ENCRYPTION_CONTEXT,
 			    ctx, len, XATTR_CREATE);
 	if (rc)
diff --git a/fs/lustre/llite/file.c b/fs/lustre/llite/file.c
index 767eafa..225008e 100644
--- a/fs/lustre/llite/file.c
+++ b/fs/lustre/llite/file.c
@@ -4455,6 +4455,18 @@  int ll_migrate(struct inode *parent, struct file *file, struct lmv_user_md *lum,
 		goto out_iput;
 	}
 
+	if (IS_ENCRYPTED(child_inode)) {
+		rc = llcrypt_get_encryption_info(child_inode);
+		if (rc)
+			goto out_iput;
+		if (!llcrypt_has_encryption_key(child_inode)) {
+			CDEBUG(D_SEC, "no enc key for "DFID"\n",
+			       PFID(ll_inode2fid(child_inode)));
+			rc = -ENOKEY;
+			goto out_iput;
+		}
+	}
+
 	op_data = ll_prep_md_op_data(NULL, parent, NULL, name, namelen,
 				     child_inode->i_mode, LUSTRE_OPC_ANY, NULL);
 	if (IS_ERR(op_data)) {
diff --git a/fs/lustre/llite/llite_internal.h b/fs/lustre/llite/llite_internal.h
index 0d97253..dc9ea03 100644
--- a/fs/lustre/llite/llite_internal.h
+++ b/fs/lustre/llite/llite_internal.h
@@ -97,12 +97,14 @@  enum ll_file_flags {
 	LLIF_FILE_RESTORING	= 1,
 	/* Xattr cache is attached to the file */
 	LLIF_XATTR_CACHE	= 2,
+	/* Project inherit */
+	LLIF_PROJECT_INHERIT	= 3,
 	/* update atime from MDS no matter if it's older than
 	 * local inode atime.
 	 */
-	LLIF_UPDATE_ATIME,
-	/* Project inherit */
-	LLIF_PROJECT_INHERIT	= 3,
+	LLIF_UPDATE_ATIME	= 4,
+	/* setting encryption context in progress */
+	LLIF_SET_ENC_CTX	= 6,
 };
 
 /* See comment on trunc_sem_down_read_nowait */
diff --git a/fs/lustre/llite/xattr.c b/fs/lustre/llite/xattr.c
index 119fb26..7004893 100644
--- a/fs/lustre/llite/xattr.c
+++ b/fs/lustre/llite/xattr.c
@@ -133,6 +133,17 @@  static int ll_xattr_set_common(const struct xattr_handler *handler,
 			return -EPERM;
 	}
 
+	/* Setting LL_XATTR_NAME_ENCRYPTION_CONTEXT xattr is only allowed
+	 * when defining an encryption policy on a directory, ie when it
+	 * comes from ll_set_context().
+	 * When new files/dirs are created in an encrypted dir, the xattr
+	 * is set directly in the create request.
+	 */
+	if (handler->flags == XATTR_SECURITY_T &&
+	    !strcmp(name, "c") &&
+	    !test_and_clear_bit(LLIF_SET_ENC_CTX, &ll_i2info(inode)->lli_flags))
+		return -EPERM;
+
 	fullname = kasprintf(GFP_KERNEL, "%s%s", xattr_prefix(handler), name);
 	if (!fullname)
 		return -ENOMEM;

[21/49] lustre: sec: fix migrate for encrypted dir

Commit Message

Patch