summaryrefslogtreecommitdiff
path: root/fs/crypto/hooks.c
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2019-03-20 11:39:12 -0700
committerTheodore Ts'o <tytso@mit.edu>2019-04-17 10:06:32 -0400
commitd456a33f041af4b54f3ce495a86d00c246165032 (patch)
tree5ff534692506594efb7fa3ec0f8e2f34b9808d8b /fs/crypto/hooks.c
parent0bf3d5c1604ecbbd4e49e9f5b3c79152b87adb0d (diff)
fscrypt: only set dentry_operations on ciphertext dentries
Plaintext dentries are always valid, so only set fscrypt_d_ops on ciphertext dentries. Besides marginally improved performance, this allows overlayfs to use an fscrypt-encrypted upperdir, provided that all the following are true: (1) The fscrypt encryption key is placed in the keyring before mounting overlayfs, and remains while the overlayfs is mounted. (2) The overlayfs workdir uses the same encryption policy. (3) No dentries for the ciphertext names of subdirectories have been created in the upperdir or workdir yet. (Since otherwise d_splice_alias() will reuse the old dentry with ->d_op set.) One potential use case is using an ephemeral encryption key to encrypt all files created or changed by a container, so that they can be securely erased ("crypto-shredded") after the container stops. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'fs/crypto/hooks.c')
-rw-r--r--fs/crypto/hooks.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c
index 2e7498a821a4..9d8910e86ee5 100644
--- a/fs/crypto/hooks.c
+++ b/fs/crypto/hooks.c
@@ -115,9 +115,8 @@ int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry)
spin_lock(&dentry->d_lock);
dentry->d_flags |= DCACHE_ENCRYPTED_NAME;
spin_unlock(&dentry->d_lock);
+ d_set_d_op(dentry, &fscrypt_d_ops);
}
-
- d_set_d_op(dentry, &fscrypt_d_ops);
return 0;
}
EXPORT_SYMBOL_GPL(__fscrypt_prepare_lookup);