e2fsck: check for consistent encryption policies
commit 2ba05753f70db32618b4e97d5351aa4d359bcdee
author Eric Biggers <ebiggers@google.com>
Wed, 18 Sep 2019 01:07:34 +0000 (17 18:07 -0700)
committer Theodore Ts'o <tytso@mit.edu>
Thu, 10 Oct 2019 00:18:20 +0000 (9 20:18 -0400)
tree a7c284a2665acd6730dbd6275aea0ee69c827aec
parent 6c1433ba434021b457a9b6aefe57c0e8cb71f5fe
e2fsck: check for consistent encryption policies

By design, the kernel enforces that all files in an encrypted directory
use the same encryption policy as the directory.  It's not possible to
violate this constraint using syscalls.  Lookups of files that violate
this constraint also fail, in case the disk was manipulated.

But this constraint can also be violated by accidental filesystem
corruption.  E.g., a power cut when using ext4 without a journal might
leave new files without the encryption bit and/or xattr.  Thus, it's
important that e2fsck correct this condition.

Therefore, this patch makes the following changes to e2fsck:

- During pass 1 (inode table scan), create a map from inode number to
  encryption policy for all encrypted inodes.  But it's optimized so
  that the full xattrs aren't saved but rather only 32-bit "policy IDs",
  since usually many inodes share the same encryption policy.  Also, if
  an encryption xattr is missing, offer to clear the encrypt flag.  If
  an encryption xattr is clearly corrupt, offer to clear the inode.

- During pass 2 (directory structure check), use the map to verify that
  all regular files, directories, and symlinks in encrypted directories
  use the directory's encryption policy.  Offer to clear any directory
  entries for which this isn't the case.

Add a new test "f_bad_encryption" to test the new behavior.

Due to the new checks, it was also necessary to update the existing test
"f_short_encrypted_dirent" to add an encryption xattr to the test file,
since it was missing one before, which is now considered invalid.

Google-Bug-Id: 135138675
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
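The two passes the commit message describes, modelled as an added example in C. This is not e2fsprogs code: the names (enc_map, intern_policy, pass1_record_inode, pass2_dirent_is_bad, make_ctx_v1), the fixed table sizes, the action enum and the sample inodes are assumptions of the example. The only outside facts it relies on are the on-disk fscrypt context layout (a v1 context is 28 bytes, a v2 context 40 bytes, each ending in a 16-byte per-file nonce that is not part of the policy) and the kernel's mode numbers for AES-256-XTS and AES-256-CTS, which are used only to build constructed sample xattrs.

```c
/* Added example, not e2fsprogs code: a model of the two checks described in
 * the commit message.  Names, table sizes and sample data are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* On-disk fscrypt context ("encryption xattr"): version, contents mode,
 * filenames mode, flags, key reference, then a 16-byte per-file nonce.
 * The policy is everything but the nonce. */
#define FSCRYPT_CONTEXT_V1 1
#define FSCRYPT_CONTEXT_V2 2
#define CTX_V1_SIZE 28     /* 4 + 8-byte master_key_descriptor + 16 nonce */
#define CTX_V2_SIZE 40     /* 4 + 4 reserved + 16-byte master_key_identifier + 16 nonce */
#define NONCE_SIZE  16
#define MAX_POLICY_SIZE (CTX_V2_SIZE - NONCE_SIZE)
#define MAX_INODES   32    /* example limits; e2fsck sizes from the superblock */
#define MAX_POLICIES 8
#define NO_POLICY    0xFFFFFFFFu  /* inode is not encrypted */

struct enc_map {
    uint32_t policy_of[MAX_INODES];                   /* inode -> policy ID */
    uint8_t  policies[MAX_POLICIES][MAX_POLICY_SIZE]; /* policy ID -> bytes */
    size_t   policy_len[MAX_POLICIES];
    uint32_t npolicies;
};
enum pass1_action { P1_NOT_ENCRYPTED, P1_OK, P1_CLEAR_ENCRYPT_FLAG, P1_CLEAR_INODE };
enum ftype { FT_REG, FT_DIR, FT_SYMLINK, FT_OTHER };  /* FT_OTHER: dev, FIFO, socket */

static void enc_map_init(struct enc_map *m)
{
    memset(m, 0, sizeof(*m));
    for (size_t i = 0; i < MAX_INODES; i++)
        m->policy_of[i] = NO_POLICY;
}

/* Intern a policy: identical policy bytes share one 32-bit ID, so only the
 * short list of distinct policies is kept, not one xattr per inode. */
static uint32_t intern_policy(struct enc_map *m, const uint8_t *p, size_t len)
{
    for (uint32_t i = 0; i < m->npolicies; i++)
        if (m->policy_len[i] == len && memcmp(m->policies[i], p, len) == 0)
            return i;
    if (m->npolicies == MAX_POLICIES)
        abort();                      /* example limit; real code grows the table */
    memcpy(m->policies[m->npolicies], p, len);
    m->policy_len[m->npolicies] = len;
    return m->npolicies++;
}

/* Pass 1, per inode: reconcile the encrypt flag with the xattr and record
 * the policy ID.  ctx == NULL means the xattr is absent. */
static enum pass1_action pass1_record_inode(struct enc_map *m, uint32_t ino,
        int has_encrypt_flag, const uint8_t *ctx, size_t ctx_len)
{
    size_t want;
    if (!has_encrypt_flag)
        return P1_NOT_ENCRYPTED;      /* policy_of[ino] stays NO_POLICY */
    if (ctx == NULL)
        return P1_CLEAR_ENCRYPT_FLAG; /* flag without xattr: offer to clear the flag */
    if (ctx_len >= 1 && ctx[0] == FSCRYPT_CONTEXT_V1)
        want = CTX_V1_SIZE;
    else if (ctx_len >= 1 && ctx[0] == FSCRYPT_CONTEXT_V2)
        want = CTX_V2_SIZE;
    else
        return P1_CLEAR_INODE;        /* unknown version: clearly corrupt */
    if (ctx_len != want)
        return P1_CLEAR_INODE;        /* wrong length for its version */
    m->policy_of[ino] = intern_policy(m, ctx, want - NONCE_SIZE);
    return P1_OK;
}

/* Pass 2, per directory entry (caller skips "." and ".."): in an encrypted
 * directory every regular file, directory and symlink must carry the
 * directory's policy.  Returns 1 if the entry should be offered for clearing.
 * An unencrypted directory may hold encrypted children: that is where an
 * encrypted subtree starts. */
static int pass2_dirent_is_bad(const struct enc_map *m, uint32_t dir_ino,
        uint32_t child_ino, enum ftype type)
{
    uint32_t dir_policy = m->policy_of[dir_ino];
    if (dir_policy == NO_POLICY || type == FT_OTHER)
        return 0;
    return m->policy_of[child_ino] != dir_policy;
}

/* Constructed v1 context: AES-256-XTS contents (mode 1), AES-256-CTS names
 * (mode 4), flags 0, key descriptor and nonce each filled with one byte. */
static void make_ctx_v1(uint8_t out[CTX_V1_SIZE], uint8_t key_desc, uint8_t nonce)
{
    memset(out, 0, CTX_V1_SIZE);
    out[0] = FSCRYPT_CONTEXT_V1; out[1] = 1; out[2] = 4;
    memset(out + 4, key_desc, 8);
    memset(out + 12, nonce, NONCE_SIZE);
}

int main(void)
{
    struct enc_map m;
    uint8_t a1[CTX_V1_SIZE], a2[CTX_V1_SIZE], b[CTX_V1_SIZE], bad[CTX_V1_SIZE];
    enc_map_init(&m);
    make_ctx_v1(a1, 0xAA, 1); make_ctx_v1(a2, 0xAA, 2);  /* one policy, two nonces */
    make_ctx_v1(b, 0xBB, 3); make_ctx_v1(bad, 0xAA, 4); bad[0] = 0x7f; /* other key; bogus version */
    pass1_record_inode(&m, 12, 1, a1, CTX_V1_SIZE);        /* encrypted directory */
    pass1_record_inode(&m, 13, 1, a2, CTX_V1_SIZE);        /* file with the same policy */
    printf("ino 14: action %d\n", pass1_record_inode(&m, 14, 1, NULL, 0));          /* 2: clear flag */
    printf("ino 15: action %d\n", pass1_record_inode(&m, 15, 1, bad, CTX_V1_SIZE)); /* 3: clear inode */
    pass1_record_inode(&m, 16, 1, b, CTX_V1_SIZE);         /* file with another policy */
    printf("%u distinct policies; bad entries in dir 12: 13=%d 14=%d 16=%d\n", m.npolicies,
           pass2_dirent_is_bad(&m, 12, 13, FT_REG), pass2_dirent_is_bad(&m, 12, 14, FT_REG),
           pass2_dirent_is_bad(&m, 12, 16, FT_REG));
    return 0;
}
```

The point the sample run makes: inodes 12 and 13 have different nonces but intern to the same policy ID, which is what lets the map hold one small integer per inode instead of the full xattr. Inode 14 (flag set, xattr missing) and inode 16 (valid xattr, different key) both come out as bad entries in pass 2, for different reasons: the first because pass 1 left it unencrypted, the second because its policy ID differs from the directory's. The real e2fsck asks the user before each fix; here the pass-1 result is just the action it would offer.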
18 files changed:
e2fsck/Android.bp
e2fsck/Makefile.in
e2fsck/e2fsck.c
e2fsck/e2fsck.h
e2fsck/encrypted_files.c [new file with mode: 0644]
e2fsck/pass1.c
e2fsck/pass2.c
e2fsck/problem.c
e2fsck/problem.h
po/POTFILES.in
tests/f_bad_encryption/expect.1 [new file with mode: 0644]
tests/f_bad_encryption/expect.2 [copied from tests/f_short_encrypted_dirent/expect.2 with 76% similarity]
tests/f_bad_encryption/image.gz [new file with mode: 0644]
tests/f_bad_encryption/mkimage.sh [new file with mode: 0755]
tests/f_bad_encryption/name [new file with mode: 0644]
tests/f_short_encrypted_dirent/expect.1
tests/f_short_encrypted_dirent/expect.2
tests/f_short_encrypted_dirent/image.gz