From patchwork Fri Feb 17 23:33:21 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 729388
From: Eric Biggers
To: linux-ext4@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org, Theodore Ts'o, Andreas Dilger, Jaegeuk Kim, Eric Biggers
Subject: [PATCH] ext4: inherit encryption xattr before other xattrs
Date: Fri, 17 Feb 2017 15:33:21 -0800
Message-Id: <20170217233321.108637-1-ebiggers3@gmail.com>
X-Mailer: git-send-email 2.11.0.483.g087da7b7c-goog
Sender: linux-ext4-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-ext4@vger.kernel.org

From: Eric Biggers

When using both encryption and SELinux (or another feature that requires
an xattr per file) on a filesystem with 256-byte inodes, each file's
xattrs usually spill into an external xattr block. Currently, the
xattrs are inherited in the order ACL, security, then encryption.
Therefore, if spillage occurs, the encryption xattr will always end up
in the external block. This is not ideal because the encryption xattrs
contain a nonce, so they will always be unique and will prevent the
external xattr blocks from being deduplicated.

To improve the situation, change the inheritance order to encryption,
ACL, then security. This gives the encryption xattr a better chance to
be stored in-inode, allowing the other xattr(s) to be deduplicated.

Note that it may be better for userspace to format the filesystem with
512-byte inodes in this case. However, it's not the default.

Signed-off-by: Eric Biggers Reviewed-by: Andreas Dilger --- fs/ext4/ialloc.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c index b14bae2598bc..0304e28c2014 100644 --- a/fs/ext4/ialloc.c +++ b/fs/ext4/ialloc.c @@ -1096,6 +1096,17 @@ struct inode *__ext4_new_inode(handle_t *handle, struct inode *dir, if (err) goto fail_drop; + /* + * Since the encryption xattr will always be unique, create it first so + * that it's less likely to end up in an external xattr block and + * prevent its deduplication. + */ + if (encrypt) { + err = fscrypt_inherit_context(dir, inode, handle, true); + if (err) + goto fail_free_drop; + } + err = ext4_init_acl(handle, inode, dir); if (err) goto fail_free_drop; @@ -1117,12 +1128,6 @@ struct inode *__ext4_new_inode(handle_t *handle, struct inode *dir, ei->i_datasync_tid = handle->h_transaction->t_tid; } - if (encrypt) { - err = fscrypt_inherit_context(dir, inode, handle, true); - if (err) - goto fail_free_drop; - } - err = ext4_mark_inode_dirty(handle, inode); if (err) { ext4_std_error(sb, err);
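
Review bot: In the comment added by the first hunk (@@ -1096,6 +1096,17 @@), "prevent its deduplication" has an unclear antecedent: it reads as if the encryption xattr itself would otherwise be deduplicated, while the commit message says the unique xattr stops the external xattr block from being deduplicated. Suggest wording such as "so that it's less likely to end up in an external xattr block and prevent that block from being deduplicated". The comment could also say that this call has to stay ahead of ext4_init_acl(), since the ordering is the whole point of the change and nothing in the code enforces it.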
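
Review bot: The commit message does not say whether fscrypt_inherit_context() depended on any inode setup done between its old position, removed in the second hunk (@@ -1117,12 +1128,6 @@) just after the ei->i_datasync_tid assignment, and its new position ahead of ext4_init_acl(). Please state that the intervening steps are not prerequisites for setting the encryption xattr, and confirm that the goto fail_free_drop unwind is still the right one when the call fails this early in __ext4_new_inode().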