Received: by 2002:a05:6622:f08:0:0:0:0 with SMTP id l8csp4488168ivc; Tue, 3 Nov 2020 13:21:37 -0800 (PST) X-Google-Smtp-Source: ABdhPJxZ9pc5mqiqWPUlod8YviLkJTbVLttXnO4qyWnHwhkektOT92ZRAH8OvNbLQhT++tEwMlEc X-Received: by 2002:a05:6402:84c:: with SMTP id b12mr3906685edz.122.1604438497229; Tue, 03 Nov 2020 13:21:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604438497; cv=none; d=google.com; s=arc-20160816; b=QarOh8MSDC7EkpDV9GSygNX3Om4JK2uSd6AbXyB5FIkY9Wcl9kgYy26I68gUpahQcl hdIkg827hV9Su4YWe+k7U+tBY6i0BUNLxlsZ3cNJFNhFIgkIDouQ0gvgrX/Lw1wSn4iQ za/2GExr8FW69skcMMmhY6oh25yemuzoZOqOlyRBdG5DmhUkHY67EMHqKvn6a8LrbxpH qRUMjSm+1NKIvWtraDpET4H51okDamFYBnU0pPAD6KJK+DKwFwRkALfBcUiDpkrVjbLs XBZSiSinXR3nuqb8P/yP6kGWS/EqskRESbw6//NlZXLbaycZb3cv6B3DfXB5EShOs1rg BczA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=2DVvKkR9i9zR9XfsfpQq4F3SecoQeAlm4cgmZ5FoboA=; b=db3uccVOAP73y2vh4Yrbf690Mqf0B15DvcMFdmF018e/fkF3xOBZ/uqpofXvrx/U6A cCggdml/bCoObYpoynrMp09eq4B9JNQzMK23xIG0R05S8IM/Y8C740JsEFpFGBjBK0rY hBau60/Nc8gEtHjAZ/0B7VX4Rf7TzzBr9Sscw190yx+106pIN1KUxrZUKkt2HTsdDMVn +xLi9KrPq9cw9Cyg/oEBYxeU46K4689xIYTsYDpose684dl+A0t+/2j4Pk8X9Id6Cc0h FKWGCxLw4g0UymBrpXRHoU5ZYAQOtdbOsWCxhkLOHa6F6xplSR1rzTjZOO2GyDnt0Rri zJKw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xw0fMMMV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d20si10786810eds.29.2020.11.03.13.21.14; Tue, 03 Nov 2020 13:21:37 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xw0fMMMV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388378AbgKCVJF (ORCPT + 99 others); Tue, 3 Nov 2020 16:09:05 -0500 Received: from mail.kernel.org ([198.145.29.99]:48726 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388649AbgKCVJA (ORCPT ); Tue, 3 Nov 2020 16:09:00 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0676421534; Tue, 3 Nov 2020 21:08:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604437739; bh=0oUTKBGJQP2/cY9pKCYFHOQHO0I/75GiG5qbTL/9mhg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xw0fMMMVl5VPmB64cF6stj2NJtJM7RzjdvXBHMD2zWZF4nwDDyjdcZehWBCnKK9EE ZO6dhfDxWT/3Eubm9Qmwo8tJzxy4BqJiABe8aU7eIbl99+94BPl3sqYJlWlfgxF8R9 sDKDCNWtn/NWZQL1tjQwS3eITDm3SdZxL/Ykw058= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michael Halcrow , Joe Richey , Eric Biggers Subject: [PATCH 4.14 013/125] fscrypt: return -EXDEV for incompatible rename or link into encrypted dir Date: Tue, 3 Nov 2020 21:36:30 +0100 Message-Id: <20201103203158.649403860@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201103203156.372184213@linuxfoundation.org> References: <20201103203156.372184213@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit f5e55e777cc93eae1416f0fa4908e8846b6d7825 upstream. Currently, trying to rename or link a regular file, directory, or symlink into an encrypted directory fails with EPERM when the source file is unencrypted or is encrypted with a different encryption policy, and is on the same mountpoint. It is correct for the operation to fail, but the choice of EPERM breaks tools like 'mv' that know to copy rather than rename if they see EXDEV, but don't know what to do with EPERM. Our original motivation for EPERM was to encourage users to securely handle their data. Encrypting files by "moving" them into an encrypted directory can be insecure because the unencrypted data may remain in free space on disk, where it can later be recovered by an attacker. It's much better to encrypt the data from the start, or at least try to securely delete the source data e.g. using the 'shred' program. However, the current behavior hasn't been effective at achieving its goal because users tend to be confused, hack around it, and complain; see e.g. https://github.com/google/fscrypt/issues/76. And in some cases it's actually inconsistent or unnecessary. For example, 'mv'-ing files between differently encrypted directories doesn't work even in cases where it can be secure, such as when in userspace the same passphrase protects both directories. Yet, you *can* already 'mv' unencrypted files into an encrypted directory if the source files are on a different mountpoint, even though doing so is often insecure. There are probably better ways to teach users to securely handle their files. For example, the 'fscrypt' userspace tool could provide a command that migrates unencrypted files into an encrypted directory, acting like 'shred' on the source files and providing appropriate warnings depending on the type of the source filesystem and disk. Receiving errors on unimportant files might also force some users to disable encryption, thus making the behavior counterproductive. It's desirable to make encryption as unobtrusive as possible. Therefore, change the error code from EPERM to EXDEV so that tools looking for EXDEV will fall back to a copy. This, of course, doesn't prevent users from still doing the right things to securely manage their files. Note that this also matches the behavior when a file is renamed between two project quota hierarchies; so there's precedent for using EXDEV for things other than mountpoints. xfstests generic/398 will require an update with this change. [Rewritten from an earlier patch series by Michael Halcrow.] Cc: Michael Halcrow Cc: Joe Richey Signed-off-by: Eric Biggers Signed-off-by: Greg Kroah-Hartman --- fs/crypto/policy.c | 3 +-- fs/ext4/namei.c | 6 +++--- fs/f2fs/namei.c | 6 +++--- fs/ubifs/dir.c | 6 +++--- 4 files changed, 10 insertions(+), 11 deletions(-) --- a/fs/crypto/policy.c +++ b/fs/crypto/policy.c @@ -153,8 +153,7 @@ EXPORT_SYMBOL(fscrypt_ioctl_get_policy); * malicious offline violations of this constraint, while the link and rename * checks are needed to prevent online violations of this constraint. * - * Return: 1 if permitted, 0 if forbidden. If forbidden, the caller must fail - * the filesystem operation with EPERM. + * Return: 1 if permitted, 0 if forbidden. */ int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) { --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -3280,7 +3280,7 @@ static int ext4_link(struct dentry *old_ return -EMLINK; if (ext4_encrypted_inode(dir) && !fscrypt_has_permitted_context(dir, inode)) - return -EPERM; + return -EXDEV; if ((ext4_test_inode_flag(dir, EXT4_INODE_PROJINHERIT)) && (!projid_eq(EXT4_I(dir)->i_projid, @@ -3618,7 +3618,7 @@ static int ext4_rename(struct inode *old if ((old.dir != new.dir) && ext4_encrypted_inode(new.dir) && !fscrypt_has_permitted_context(new.dir, old.inode)) { - retval = -EPERM; + retval = -EXDEV; goto end_rename; } @@ -3798,7 +3798,7 @@ static int ext4_cross_rename(struct inod (old_dir != new_dir) && (!fscrypt_has_permitted_context(new_dir, old.inode) || !fscrypt_has_permitted_context(old_dir, new.inode))) - return -EPERM; + return -EXDEV; if ((ext4_test_inode_flag(new_dir, EXT4_INODE_PROJINHERIT) && !projid_eq(EXT4_I(new_dir)->i_projid, --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -222,7 +222,7 @@ static int f2fs_link(struct dentry *old_ if (f2fs_encrypted_inode(dir) && !fscrypt_has_permitted_context(dir, inode)) - return -EPERM; + return -EXDEV; if (is_inode_flag_set(dir, FI_PROJ_INHERIT) && (!projid_eq(F2FS_I(dir)->i_projid, @@ -746,7 +746,7 @@ static int f2fs_rename(struct inode *old if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) && !fscrypt_has_permitted_context(new_dir, old_inode)) { - err = -EPERM; + err = -EXDEV; goto out; } @@ -942,7 +942,7 @@ static int f2fs_cross_rename(struct inod (old_dir != new_dir) && (!fscrypt_has_permitted_context(new_dir, old_inode) || !fscrypt_has_permitted_context(old_dir, new_inode))) - return -EPERM; + return -EXDEV; if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && !projid_eq(F2FS_I(new_dir)->i_projid, --- a/fs/ubifs/dir.c +++ b/fs/ubifs/dir.c @@ -747,7 +747,7 @@ static int ubifs_link(struct dentry *old if (ubifs_crypt_is_encrypted(dir) && !fscrypt_has_permitted_context(dir, inode)) - return -EPERM; + return -EXDEV; err = fscrypt_setup_filename(dir, &dentry->d_name, 0, &nm); if (err) @@ -1357,7 +1357,7 @@ static int do_rename(struct inode *old_d if (old_dir != new_dir) { if (ubifs_crypt_is_encrypted(new_dir) && !fscrypt_has_permitted_context(new_dir, old_inode)) - return -EPERM; + return -EXDEV; } if (unlink && is_dir) { @@ -1579,7 +1579,7 @@ static int ubifs_xrename(struct inode *o (old_dir != new_dir) && (!fscrypt_has_permitted_context(new_dir, fst_inode) || !fscrypt_has_permitted_context(old_dir, snd_inode))) - return -EPERM; + return -EXDEV; err = fscrypt_setup_filename(old_dir, &old_dentry->d_name, 0, &fst_nm); if (err)