Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753448AbdCHP0J (ORCPT ); Wed, 8 Mar 2017 10:26:09 -0500
Received: from mail-it0-f66.google.com ([209.85.214.66]:34946 "EHLO mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752223AbdCHP0H (ORCPT ); Wed, 8 Mar 2017 10:26:07 -0500
Subject: Re: [f2fs-dev] [PATCH] f2fs: don't allow rename unencrypted file to encrypted directory
To: Chao Yu , jaegeuk@kernel.org
References: <20170308120820.86785-1-yuchao0@huawei.com>
Cc: chao@kernel.org, linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Kinglong Mee
From: Kinglong Mee
Message-ID: <99c57433-c631-4516-b5a2-e22c79e9a93d@gmail.com>
Date: Wed, 8 Mar 2017 21:35:25 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <20170308120820.86785-1-yuchao0@huawei.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1931
Lines: 54

On 3/8/2017 20:08, Chao Yu wrote:
> In commit d9cdc9033181 ("ext4 crypto: enforce context consistency") we
> declared that:
>
> 2) All files or directories in a directory must be protected using the
> same key as their containing directory.
>
> But in f2fs_cross_rename there is a vulnerability that allow to cross
> rename unencrypted file into encrypted directory, it needs to be refused.

fscrypt_has_permitted_context has done the checking as this patch,

    /* no restrictions if the parent directory is not encrypted */
    if (!parent->i_sb->s_cop->is_encrypted(parent))
        return 1;
    /* if the child directory is not encrypted, this is always a problem */
    if (!parent->i_sb->s_cop->is_encrypted(child))
        return 0;

So, the cross rename of an unencrypted file into an encrypted directory is permitted right now.

I have an encrypted directory "encry"; "new" is an unencrypted file.

[root@nfstestnic f2fs]# renameat2 -x encry/hello new
Operation not permitted
[root@nfstestnic f2fs]# renameat2 -x encry/hello new
Operation not permitted

How do you test it?

thanks,
Kinglong Mee

>
> Signed-off-by: Chao Yu
> --- > fs/f2fs/namei.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c > index 25c073f6c7d4..8de684b84cb9 100644 > --- a/fs/f2fs/namei.c > +++ b/fs/f2fs/namei.c
> @@ -855,6 +855,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, > !fscrypt_has_encryption_key(new_dir))) > return -ENOKEY; > > + if (f2fs_encrypted_inode(old_dir) && !f2fs_encrypted_inode(new_inode) || > + f2fs_encrypted_inode(new_dir) && !f2fs_encrypted_inode(old_inode)) > + return -EPERM; > + > if ((f2fs_encrypted_inode(old_dir) || f2fs_encrypted_inode(new_dir)) && > (old_dir != new_dir) && > (!fscrypt_has_permitted_context(new_dir, old_inode) || >
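
Review bot: The added condition in f2fs_cross_rename mixes && and || with no grouping parentheses, and its second half (new_dir encrypted, old_inode not) looks like a case the unchanged check just below already rejects through fscrypt_has_permitted_context(new_dir, old_inode). Going by the excerpt quoted in the reply, that helper returns 0 when the parent is encrypted and the child is not, so for that half the new -EPERM can only differ from existing behaviour when old_dir == new_dir, where the existing check is skipped by its (old_dir != new_dir) term. Please wrap each && pair in its own parentheses so the intended precedence is explicit, and state in the changelog which concrete rename the existing check lets through, ideally with the commands that reproduce it. If there is no such case, the hunk should be dropped; if the same-directory case is the target, a comment above the new test saying so would keep it from being removed later as redundant.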