Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932184AbdCIBda (ORCPT ); Wed, 8 Mar 2017 20:33:30 -0500 Received: from szxga03-in.huawei.com ([45.249.212.189]:3948 "EHLO dggrg03-dlp.huawei.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1754781AbdCIBd3 (ORCPT ); Wed, 8 Mar 2017 20:33:29 -0500 Subject: Re: [f2fs-dev] [PATCH] f2fs: don't allow rename unencrypted file to encrypted directory To: Kinglong Mee , References: <20170308120820.86785-1-yuchao0@huawei.com> <99c57433-c631-4516-b5a2-e22c79e9a93d@gmail.com> CC: , , From: Chao Yu Message-ID: <3f804074-49d5-1506-c588-cb2cf2a24200@huawei.com> Date: Thu, 9 Mar 2017 09:33:03 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: <99c57433-c631-4516-b5a2-e22c79e9a93d@gmail.com> Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.134.22.195] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020202.58C0B0D4.02DF,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0, ip=0.0.0.0, so=2014-11-16 11:51:01, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: a81c4570cc832511876cfbd5731d5d3a Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2172 Lines: 64 On 2017/3/8 21:35, Kinglong Mee wrote: > On 3/8/2017 20:08, Chao Yu wrote: >> In commit d9cdc9033181 ("ext4 crypto: enforce context consistency") we >> declared that: >> >> 2) All files or directories in a directory must be protected using the >> same key as their containing directory. >> >> But in f2fs_cross_rename there is a vulnerability that allow to cross >> rename unencrypted file into encrypted directory, it needs to be refused. > > fscrypt_has_permitted_context has do the checking as this patch, > > 168 /* no restrictions if the parent directory is not encrypted */ > 169 if (!parent->i_sb->s_cop->is_encrypted(parent)) > 170 return 1; > 171 /* if the child directory is not encrypted, this is always a problem */ > 172 if (!parent->i_sb->s_cop->is_encrypted(child)) > 173 return 0; > > So, the cross rename unencrypted file into encrypted directory is permitted right now. > > I have a encrypted directory "ncry", "new" is unencrypted file. > > [root@nfstestnic f2fs]# renameat2 -x encry/hello new > Operation not permitted > [root@nfstestnic f2fs]# renameat2 -x encry/hello new > Operation not permitted I've tried this, the same result as yours, so this patch is wrong, please ignore it, sorry about the noise. Thanks, > > How do you test it? > > thanks, > Kinglong Mee >> >> Signed-off-by: Chao Yu >> --- >> fs/f2fs/namei.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c >> index 25c073f6c7d4..8de684b84cb9 100644 >> --- a/fs/f2fs/namei.c >> +++ b/fs/f2fs/namei.c >> @@ -855,6 +855,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, >> !fscrypt_has_encryption_key(new_dir))) >> return -ENOKEY; >> >> + if (f2fs_encrypted_inode(old_dir) && !f2fs_encrypted_inode(new_inode) || >> + f2fs_encrypted_inode(new_dir) && !f2fs_encrypted_inode(old_inode)) >> + return -EPERM; >> + >> if ((f2fs_encrypted_inode(old_dir) || f2fs_encrypted_inode(new_dir)) && >> (old_dir != new_dir) && >> (!fscrypt_has_permitted_context(new_dir, old_inode) || >> > > . >