e2fsck: check for consistent encryption policies
By design, the kernel enforces that all files in an encrypted directory
use the same encryption policy as the directory. It's not possible to
violate this constraint using syscalls. Lookups of files that violate
this constraint also fail, in case the disk was manipulated.
But this constraint can also be violated by accidental filesystem
corruption. E.g., a power cut when using ext4 without a journal might
leave new files without the encryption bit and/or xattr. Thus, it's
important that e2fsck correct this condition.
Therefore, this patch makes the following changes to e2fsck:
- During pass 1 (inode table scan), create a map from inode number to
encryption policy for all encrypted inodes. But it's optimized so
that the full xattrs aren't saved but rather only 32-bit "policy IDs",
since usually many inodes share the same encryption policy. Also, if
an encryption xattr is missing, offer to clear the encrypt flag. If
an encryption xattr is clearly corrupt, offer to clear the inode.
- During pass 2 (directory structure check), use the map to verify that
all regular files, directories, and symlinks in encrypted directories
use the directory's encryption policy. Offer to clear any directory
entries for which this isn't the case.
Add a new test "f_bad_encryption" to test the new behavior.
Due to the new checks, it was also necessary to update the existing test
"f_short_encrypted_dirent" to add an encryption xattr to the test file,
since it was missing one before, which is now considered invalid.
Google-Bug-Id:
135138675
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>