From 87d79b646384af04465e7fc221fb8808bdfc00be Mon Sep 17 00:00:00 2001
From: Christopher Hoffman
Date: Wed, 12 Mar 2025 21:31:35 +0000
Subject: [PATCH] client: Add client_fscrypt_as option

Add option to toggle enforcement of fscrypt access semantics.

Signed-off-by: Christopher Hoffman
---
 src/client/Client.cc | 6 +++---
 src/common/options/mds-client.yaml.in | 10 ++++++++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/client/Client.cc b/src/client/Client.cc
index c5d741f45153..27cdf27312c9 100644
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -3988,7 +3988,7 @@ int Client::get_caps(Fh *fh, int need, int want, int *phave, loff_t endoff)
 if ((need & CEPH_CAP_FILE_WR) && ((in->auth_cap && in->auth_cap->session->readonly) || // (is locked)
- (in->is_fscrypt_enabled() && is_inode_locked(in))))
+ (in->is_fscrypt_enabled() && is_inode_locked(in) && cct->_conf.get_val("client_fscrypt_as"))))
 return -EROFS;
 if (in->flags & I_CAP_DROPPED) {
@@ -6371,7 +6371,7 @@ int Client::may_open(const InodeRef& in, int flags, const UserPerm& perms)
 ldout(cct, 20) << __func__ << " " << *in << "; " << perms << dendl;
 unsigned want = 0;
- if (!in->is_dir() && is_inode_locked(in))
+ if (!in->is_dir() && is_inode_locked(in) && cct->_conf.get_val("client_fscrypt_as"))
 return -ENOKEY;
 if ((flags & O_ACCMODE) == O_WRONLY)
@@ -6427,7 +6427,7 @@ out:
 int Client::may_create(const InodeRef& dir, const UserPerm& perms)
 {
 ldout(cct, 20) << __func__ << " " << *dir << "; " << perms << dendl;
- if (dir->is_dir() && is_inode_locked(dir))
+ if (dir->is_dir() && is_inode_locked(dir) && cct->_conf.get_val("client_fscrypt_as"))
 return -ENOKEY;
 int r = _getattr_for_perm(dir, perms);
diff --git a/src/common/options/mds-client.yaml.in b/src/common/options/mds-client.yaml.in
index cb77a0c91ff2..82e6995244ea 100644
--- a/src/common/options/mds-client.yaml.in
+++ b/src/common/options/mds-client.yaml.in
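Review bot: With `client_fscrypt_as` set to false, the `get_caps` hunk stops returning `-EROFS` for a `CEPH_CAP_FILE_WR` request on a locked fscrypt inode, and nothing visible here shows the write path refusing to proceed when no key is loaded; the `may_open` and `may_create` hunks drop their `-ENOKEY` refusals in the same way. All three function bodies continue outside the hunks, so this is worth confirming with a test that runs with the option off and checks that a write to a locked file either fails or cannot store unencrypted data in an encrypted file. Each site also calls `cct->_conf.get_val` on every invocation, including in `get_caps`, which is presumably reached on every capability request; reading the option once into a member that the client's config observer refreshes, behind one helper such as `bool fscrypt_as_enforced() const`, would keep the three checks in step. As rendered on this page the call carries no template argument; if that is not an extraction artifact it should read `get_val<bool>("client_fscrypt_as")`.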
@@ -618,3 +618,13 @@ options:
 services:
 - mds_client
 min: 0
+- name: client_fscrypt_as
+ type: bool
+ level: advanced
+ desc: Enable fscrypt access semantics
+ long_desc: Enable fscrypt access semantics for locked/unlocked states.
+ default: true
+ services:
+ - mds_client
+ flags:
+ - runtime
-- 
2.47.3
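Review bot: The `long_desc` for `client_fscrypt_as` does not say what turning the option off does, which matters because the default-on checks are what refuse access to locked inodes in the client. I would spell it out, for example `long_desc: When true, the client refuses to open a locked fscrypt file or create under a locked fscrypt directory (ENOKEY) and refuses write caps on a locked fscrypt inode (EROFS). When false these checks are skipped.` The name is also opaque (`as` standing for access semantics); something like `client_fscrypt_access_semantics` would read better in configuration listings, and if the switch is meant only for testing, `level: dev` would signal that to operators.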