From 4e38bdac102612f4cd0d4905b44d0e048d85763e Mon Sep 17 00:00:00 2001
From: Marcel Lauhoff
Date: Fri, 12 Aug 2022 15:05:02 +0200
Subject: [PATCH] fscrypt: fsync encrypted dir after setting policy [workaround]

Revert once our google/fscrypt dependency is upgraded to a version that includes https://github.com/google/fscrypt/pull/359 gets accepted

Signed-off-by: Marcel Lauhoff
---
 internal/util/fscrypt/fscrypt.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/internal/util/fscrypt/fscrypt.go b/internal/util/fscrypt/fscrypt.go
index 9ca822d67..3d35b142c 100644
--- a/internal/util/fscrypt/fscrypt.go
+++ b/internal/util/fscrypt/fscrypt.go
@@ -111,6 +111,20 @@ func createKeyFuncFromVolumeEncryption(
 	return keyFunc, nil
 }
+// fsyncEncryptedDirectory calls sync on dirPath. It is intended to
+// work around the fscrypt library not syncing the directory it sets a
+// policy on.
+// TODO Remove when the fscrypt dependency has https://github.com/google/fscrypt/pull/359
+func fsyncEncryptedDirectory(dirPath string) error {
+	dir, err := os.Open(dirPath)
+	if err != nil {
+		return err
+	}
+	defer dir.Close()
+
+	return dir.Sync()
+}
+
 // unlockExisting tries to unlock an already set up fscrypt directory using keys from Ceph CSI.
 func unlockExisting(
 	ctx context.Context,
@@ -225,6 +239,12 @@ func initializeAndUnlock(
 		return err
 	}
+	if err = fsyncEncryptedDirectory(encryptedPath); err != nil {
+		log.ErrorLog(ctx, "fscrypt: fsync encrypted dir - to flush kernel policy to disk failed %v", err)
+
+		return err
+	}
+
 	return nil
 }
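Review bot: The errors returned from `fsyncEncryptedDirectory` carry no context, so a caller that sees only the returned value cannot tell an open failure from a failed sync, nor which directory was involved; wrapping them keeps the policy-persistence failure diagnosable when it surfaces outside the logged call site: `return fmt.Errorf("opening %q for fsync: %w", dirPath, err)` and `return fmt.Errorf("fsync of %q: %w", dirPath, err)` (fmt would need to be in the file's import block if it is not already). The deferred `dir.Close()` discards its error, which is acceptable for a read-only directory handle whose only purpose is the sync, but that should be said rather than left implicit, e.g. `defer dir.Close() // read-only handle; the Sync result is what matters here`. The doc comment says "calls sync" — stating that it is the directory inode that is flushed, so the on-disk policy is durable before the directory is used, would make the intent of the workaround clearer to the next reader.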
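Review bot: The log message on the added `log.ErrorLog` line reads awkwardly ("fsync encrypted dir - to flush kernel policy to disk failed %v") and omits the path, which is the one detail an operator needs when a sync fails on one of many volumes; suggested wording: `log.ErrorLog(ctx, "fscrypt: fsync of encrypted dir %q to flush policy to disk failed: %v", encryptedPath, err)`. The assignment `err = fsyncEncryptedDirectory(encryptedPath)` relies on `err` already being declared earlier in `initializeAndUnlock`, whose beginning lies outside this hunk; presumably it is, since the preceding `return err` uses it, but the `:=` form in an `if` initializer would avoid depending on that. Returning the error here after the policy has presumably already been applied means a retry of `initializeAndUnlock` will re-enter with the directory partially set up; whether that path is idempotent is not visible in this hunk and is worth a short comment at the call site.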