mgr/volumes: Enforce enctag max size
authorChristopher Hoffman <choffman@redhat.com>
Wed, 20 Aug 2025 19:36:14 +0000 (19:36 +0000)
committerChristopher Hoffman <choffman@redhat.com>
Wed, 5 Nov 2025 13:59:36 +0000 (13:59 +0000)
Introduce enctag max length. Include error messages when
outside of range.

Signed-off-by: Christopher Hoffman <choffman@redhat.com>
src/pybind/mgr/volumes/fs/operations/versions/subvolume_base.py
src/python-common/ceph/fs/enctag.py

index eee849e7ed1d15ab6289f984513093969d3410c1..5ceb9bcc2bc3cdf8f728e80c1fa1cec2c7173faf 100644 (file)
@@ -346,7 +346,12 @@ class SubvolumeBase(object):
         enctag = attrs.get("enctag", None)
         if enctag is not None:
             fs_enctag = CephFSVolumeEncryptionTag(self.fs, path)
-            fs_enctag.set_tag(enctag)
+            try:
+                fs_enctag.set_tag(enctag)
+            except EncryptionTagException:
+                raise VolumeException(-errno.EINVAL,
+                                      "invalid enctag specified: length '{0} > {1}'".format(len(enctag), fs_enctag.ENCTAG_MAX))
+
 
         fscrypt_auth = attrs.get("fscrypt_auth")
         if fscrypt_auth is not None:
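Review bot: The new `except EncryptionTagException` turns every failure of `set_tag()` into EINVAL with a length message, although `_handle_cephfs_error` in enctag.py also raises that exception for `OSError` (with `-e.errno`) and for unexpected errors (with `-errno.EIO`). A setxattr failure on a tag of valid length would then be reported as, for example, `invalid enctag specified: length '5 > 255'`, which hides the real errno from the caller and from anyone triaging the failure. Bind the exception with `except EncryptionTagException as e:` and build the `VolumeException` from the code and message it carries, adding `from e` so the cause stays in the traceback; how `EncryptionTagException` exposes those fields is not visible in this diff. The enclosing method starts and ends outside the hunk.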
index 14bdbac656013bc92b357e528a6e6c89ee9cae01..a3633dbed43ac04659067dcd5411c9a6822a3831 100644 (file)
@@ -36,19 +36,21 @@ class EncryptionTagException(Exception):
 
 
 class CephFSVolumeEncryptionTag:
+    ENCTAG_MAX = 255
+
     def __init__(self, fs, path: str) -> None:
         self.fs = fs
         self.path = path
 
     def _handle_cephfs_error(self, e: Exception, action: str) -> None:
         if isinstance(e, ValueError):
-            raise EncryptionTagException(errno.EINVAL, f"Invalid encryption tag specified: {e}") from e
+            raise EncryptionTagException(-errno.EINVAL, f"Invalid encryption tag specified: {e}") from e
         elif isinstance(e, OSError):
             log.error(f"Error {action} encryption tag: {e}")
             raise EncryptionTagException(-e.errno, e.strerror) from e
         else:
             log.error(f"Unexpected error {action} encryption tag: {e}")
-            raise EncryptionTagException(errno.EIO, "Unexpected error") from e
+            raise EncryptionTagException(-errno.EIO, "Unexpected error") from e
 
     def get_tag(self) -> Optional[str]:
         try:
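Review bot: `ENCTAG_MAX = 255` is added without a comment saying what unit it counts or where the limit comes from, and `_handle_cephfs_error` has no docstring recording the sign convention that the two changed `raise` lines establish. Suggest `# Maximum enctag length accepted by set_tag(); compared against len(enc_tag)` above the constant, extended with the source of the 255 limit, and a one-line docstring on the helper such as `"""Re-raise e as EncryptionTagException carrying a negative errno."""`. Any caller that compared the code against a positive `errno.EINVAL` or `errno.EIO` would need updating with this change; none are visible in this diff.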
@@ -63,6 +65,9 @@ class CephFSVolumeEncryptionTag:
 
     def set_tag(self, enc_tag: str):
         try:
+            if len(enc_tag) > self.ENCTAG_MAX:
+                raise ValueError(f"length '{len(enc_tag)} > {self.ENCTAG_MAX}'")
+
             self.fs.setxattr(self.path, XATTR_SUBVOLUME_ENCTAG_NAME, enc_tag.encode('utf-8'), 0)
             log.info(f"Encryption Tag '{enc_tag}' set on {self.path}.")
         except Exception as e:
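Review bot: The added guard in `set_tag` compares `len(enc_tag)`, a count of code points, with `ENCTAG_MAX`, while the value handed to `setxattr` is `enc_tag.encode('utf-8')`, so a tag containing non-ASCII characters can pass the check and still be stored as more than 255 bytes. If the limit is meant in bytes (the diff does not say), encode once and check that: `encoded = enc_tag.encode('utf-8')`, then `if len(encoded) > self.ENCTAG_MAX:`, and pass `encoded` to `setxattr`. The same character count is used for the message built in subvolume_base.py, so both would need to agree on the unit. The `except` body continues outside the hunk.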