authorEric Biggers <ebiggers@google.com>2019-09-17 18:07:34 -0700
committerTheodore Ts'o <tytso@mit.edu>2019-10-09 20:18:20 -0400
commit2ba05753f70db32618b4e97d5351aa4d359bcdee (patch)
treea7c284a2665acd6730dbd6275aea0ee69c827aec /e2fsck/problem.h
parent6c1433ba434021b457a9b6aefe57c0e8cb71f5fe (diff)
downloade2fsprogs-2ba05753f70db32618b4e97d5351aa4d359bcdee.tar.gz
e2fsck: check for consistent encryption policies
By design, the kernel enforces that all files in an encrypted directory use the same encryption policy as the directory. It's not possible to violate this constraint using syscalls. Lookups of files that violate this constraint also fail, in case the disk was manipulated. But this constraint can also be violated by accidental filesystem corruption. E.g., a power cut when using ext4 without a journal might leave new files without the encryption bit and/or xattr. Thus, it's important that e2fsck correct this condition. Therefore, this patch makes the following changes to e2fsck: - During pass 1 (inode table scan), create a map from inode number to encryption policy for all encrypted inodes. But it's optimized so that the full xattrs aren't saved but rather only 32-bit "policy IDs", since usually many inodes share the same encryption policy. Also, if an encryption xattr is missing, offer to clear the encrypt flag. If an encryption xattr is clearly corrupt, offer to clear the inode. - During pass 2 (directory structure check), use the map to verify that all regular files, directories, and symlinks in encrypted directories use the directory's encryption policy. Offer to clear any directory entries for which this isn't the case. Add a new test "f_bad_encryption" to test the new behavior. Due to the new checks, it was also necessary to update the existing test "f_short_encrypted_dirent" to add an encryption xattr to the test file, since it was missing one before, which is now considered invalid. Google-Bug-Id: 135138675 Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Diffstat (limited to 'e2fsck/problem.h')
-rw-r--r--e2fsck/problem.h15
1 files changed, 13 insertions, 2 deletions
diff --git a/e2fsck/problem.h b/e2fsck/problem.h
index 5cc89249..c7f65f6d 100644
--- a/e2fsck/problem.h
+++ b/e2fsck/problem.h
@@ -667,8 +667,8 @@ struct problem_context {
/* Inode leaf has a duplicate extent mapping */
#define PR_1_EXTENT_COLLISION 0x01007D
-/* Error allocating memory for encrypted directory list */
-#define PR_1_ALLOCATE_ENCRYPTED_DIRLIST 0x01007E
+/* Error allocating memory for encrypted inode list */
+#define PR_1_ALLOCATE_ENCRYPTED_INODE_LIST 0x01007E
/* Inode extent tree could be more shallow */
#define PR_1_EXTENT_BAD_MAX_DEPTH 0x01007F
@@ -701,6 +701,11 @@ struct problem_context {
/* Casefold flag set, but file system is missing the casefold feature */
#define PR_1_CASEFOLD_FEATURE 0x010089
+/* Inode has encrypt flag but no encryption extended attribute */
+#define PR_1_MISSING_ENCRYPTION_XATTR 0x01008A
+
+/* Encrypted inode has corrupt encryption extended attribute */
+#define PR_1_CORRUPT_ENCRYPTION_XATTR 0x01008B
/*
* Pass 1b errors
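Review bot: The comments on `PR_1_MISSING_ENCRYPTION_XATTR` and `PR_1_CORRUPT_ENCRYPTION_XATTR` do not say that the two codes lead to different repairs. According to the commit description, the first offers to clear only the encrypt flag, while the second offers to clear the whole inode. Because the second repair is destructive, the header should mention it, e.g. `/* Encrypted inode has corrupt encryption extended attribute (fix clears the inode) */`. The problem-table entries and the test for what counts as corrupt are outside this file, so this is inferred from the description only.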
@@ -1017,6 +1022,12 @@ struct problem_context {
/* Encrypted directory entry is too short */
#define PR_2_BAD_ENCRYPTED_NAME 0x020050
+/* Encrypted directory contains unencrypted file */
+#define PR_2_UNENCRYPTED_FILE 0x020051
+
+/* Encrypted directory contains file with different encryption policy */
+#define PR_2_INCONSISTENT_ENCRYPTION_POLICY 0x020052
+
/*
* Pass 3 errors
*/
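Review bot: The comment on `PR_2_UNENCRYPTED_FILE` says "file", but the commit description limits the pass 2 check to regular files, directories and symlinks. Other inode types inside an encrypted directory are therefore presumably not reported under this code. Stating the scope keeps a reader from assuming every entry type is covered: `/* Encrypted directory contains unencrypted regular file, directory, or symlink */`. The same scope applies to `PR_2_INCONSISTENT_ENCRYPTION_POLICY`.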