Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3209892pxb;
        Mon, 9 Nov 2020 05:40:17 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzEdvr/WhEZU2eZo5KhBgoTSfvmXUD3SmavmsdPsb61/CzUq8Dbkgyiu+jKIO5pwExhxuCF
X-Received: by 2002:aa7:d407:: with SMTP id z7mr15718471edq.234.1604929216826;
        Mon, 09 Nov 2020 05:40:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1604929216; cv=none;
        d=google.com; s=arc-20160816;
        b=L8waQ3aBAbZNDCGP9bQMa5AcSROt11s+BTdhheH7j1ANbZ+UwkPDA316QTztGRnZaB
         NuNbj0UTWt+AjL4atubkuKRePEXAgtlfONh1TlSWOJ+ptXUd93cyi0tZN9a1IPj+Kp9O
         wLgyOn0lpITEkORyBUQuzs3tq+riKGhCs5gmJPkbvbxeiPqellna5cakkZnH0rmmjqTB
         0akAP847QD5GW/kguyZx3PcVeYRzi6CcijjAgW3H0MhlDX08OMkguhSCJP4AE2b8yVV3
         mkbk5fQsXKD6fogzeoZEglz6EBIbq/j4E9QX+RU4EY5/k89lB8iBrsY30mpfPxsa1F9S
         u/gQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=Z7ICvQ3nxz5I499PbMed3IAPfWQhToaySWlRjuoH9zg=;
        b=UJQuzziyzsDmly2nIq12eh7Tolab6WriOkLa2zBtIgMMOhQQ93DfLx8Nk8eRDpFg+Z
         9k4eUwsIPo7o/lSk+L4DkuNaOx7d/SvpwJ+j7IKgKQIDgJm2tEIw/BF8l4TROjhzLjsY
         oXRKBrzmyfLQke7Z5C82N9qJJ6wrtlaHyQVj+N4fSWmepkrHuSz8evPs5xc9I+OGsWFf
         jQhBWUoToqN5H13qdMwBNPEr799sChBsOwzgWiKUuq0RYksu5phcuHcjAEQ8hTZaCj8Z
         zswwTWh+drNlZgGXV+8uHc1CZE1eRGBxtjcrMkZ8HPh2N2dxUCEmaiLmOmr3kpGcjtBU
         gGYw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=AogZnScJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u1si7187302edp.86.2020.11.09.05.39.53;
        Mon, 09 Nov 2020 05:40:16 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=AogZnScJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387582AbgKINih (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Mon, 9 Nov 2020 08:38:37 -0500
Received: from mail.kernel.org ([198.145.29.99]:56058 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730628AbgKINCK (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 9 Nov 2020 08:02:10 -0500
Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id CF72F20679;
        Mon,  9 Nov 2020 13:02:08 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1604926929;
        bh=sWet1cjhewvRw9MNkFUUMoClxXeZSaWrtM/rSFu6yLE=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=AogZnScJlq42uBAfalBEoMm3Cgnyp5cyaVxv+GcTiuG41e8YjOlmPXaQWr7iC10qZ
         XBXZEsEk6uRnILqmhdsZR4Fn2z1Pr1tGBWNAs1PXt6G6dao9TTi+c6hsSd8jI5zqy8
         D+BXX7PIIyrzOsgFx5cSpzKUe5saOgmoEIOW9rTc=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Michael Halcrow <mhalcrow@google.com>,
        Joe Richey <joerichey@google.com>,
        Eric Biggers <ebiggers@google.com>
Subject: [PATCH 4.9 012/117] fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
Date:   Mon,  9 Nov 2020 13:53:58 +0100
Message-Id: <20201109125026.231238102@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201109125025.630721781@linuxfoundation.org>
References: <20201109125025.630721781@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Biggers <ebiggers@google.com>

commit f5e55e777cc93eae1416f0fa4908e8846b6d7825 upstream.

Currently, trying to rename or link a regular file, directory, or
symlink into an encrypted directory fails with EPERM when the source
file is unencrypted or is encrypted with a different encryption policy,
and is on the same mountpoint.  It is correct for the operation to fail,
but the choice of EPERM breaks tools like 'mv' that know to copy rather
than rename if they see EXDEV, but don't know what to do with EPERM.

Our original motivation for EPERM was to encourage users to securely
handle their data.  Encrypting files by "moving" them into an encrypted
directory can be insecure because the unencrypted data may remain in
free space on disk, where it can later be recovered by an attacker.
It's much better to encrypt the data from the start, or at least try to
securely delete the source data e.g. using the 'shred' program.

However, the current behavior hasn't been effective at achieving its
goal because users tend to be confused, hack around it, and complain;
see e.g. https://github.com/google/fscrypt/issues/76.  And in some cases
it's actually inconsistent or unnecessary.  For example, 'mv'-ing files
between differently encrypted directories doesn't work even in cases
where it can be secure, such as when in userspace the same passphrase
protects both directories.  Yet, you *can* already 'mv' unencrypted
files into an encrypted directory if the source files are on a different
mountpoint, even though doing so is often insecure.

There are probably better ways to teach users to securely handle their
files.  For example, the 'fscrypt' userspace tool could provide a
command that migrates unencrypted files into an encrypted directory,
acting like 'shred' on the source files and providing appropriate
warnings depending on the type of the source filesystem and disk.

Receiving errors on unimportant files might also force some users to
disable encryption, thus making the behavior counterproductive.  It's
desirable to make encryption as unobtrusive as possible.

Therefore, change the error code from EPERM to EXDEV so that tools
looking for EXDEV will fall back to a copy.

This, of course, doesn't prevent users from still doing the right things
to securely manage their files.  Note that this also matches the
behavior when a file is renamed between two project quota hierarchies;
so there's precedent for using EXDEV for things other than mountpoints.

xfstests generic/398 will require an update with this change.

[Rewritten from an earlier patch series by Michael Halcrow.]

Cc: Michael Halcrow <mhalcrow@google.com>
Cc: Joe Richey <joerichey@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/crypto/policy.c |    3 +--
 fs/ext4/namei.c    |    6 +++---
 fs/f2fs/namei.c    |    6 +++---
 3 files changed, 7 insertions(+), 8 deletions(-)

--- a/fs/crypto/policy.c
+++ b/fs/crypto/policy.c
@@ -180,8 +180,7 @@ EXPORT_SYMBOL(fscrypt_get_policy);
  * malicious offline violations of this constraint, while the link and rename
  * checks are needed to prevent online violations of this constraint.
  *
- * Return: 1 if permitted, 0 if forbidden.  If forbidden, the caller must fail
- * the filesystem operation with EPERM.
+ * Return: 1 if permitted, 0 if forbidden.
  */
 int fscrypt_has_permitted_context(struct inode *parent, struct inode *child)
 {
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3259,7 +3259,7 @@ static int ext4_link(struct dentry *old_
 		return -EMLINK;
 	if (ext4_encrypted_inode(dir) &&
 			!fscrypt_has_permitted_context(dir, inode))
-		return -EPERM;
+		return -EXDEV;
 
        if ((ext4_test_inode_flag(dir, EXT4_INODE_PROJINHERIT)) &&
 	   (!projid_eq(EXT4_I(dir)->i_projid,
@@ -3597,7 +3597,7 @@ static int ext4_rename(struct inode *old
 	if ((old.dir != new.dir) &&
 	    ext4_encrypted_inode(new.dir) &&
 	    !fscrypt_has_permitted_context(new.dir, old.inode)) {
-		retval = -EPERM;
+		retval = -EXDEV;
 		goto end_rename;
 	}
 
@@ -3776,7 +3776,7 @@ static int ext4_cross_rename(struct inod
 	    (old_dir != new_dir) &&
 	    (!fscrypt_has_permitted_context(new_dir, old.inode) ||
 	     !fscrypt_has_permitted_context(old_dir, new.inode)))
-		return -EPERM;
+		return -EXDEV;
 
 	if ((ext4_test_inode_flag(new_dir, EXT4_INODE_PROJINHERIT) &&
 	     !projid_eq(EXT4_I(new_dir)->i_projid,
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -177,7 +177,7 @@ static int f2fs_link(struct dentry *old_
 
 	if (f2fs_encrypted_inode(dir) &&
 			!fscrypt_has_permitted_context(dir, inode))
-		return -EPERM;
+		return -EXDEV;
 
 	f2fs_balance_fs(sbi, true);
 
@@ -667,7 +667,7 @@ static int f2fs_rename(struct inode *old
 
 	if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) &&
 			!fscrypt_has_permitted_context(new_dir, old_inode)) {
-		err = -EPERM;
+		err = -EXDEV;
 		goto out;
 	}
 
@@ -855,7 +855,7 @@ static int f2fs_cross_rename(struct inod
 			(old_dir != new_dir) &&
 			(!fscrypt_has_permitted_context(new_dir, old_inode) ||
 			 !fscrypt_has_permitted_context(old_dir, new_inode)))
-		return -EPERM;
+		return -EXDEV;
 
 	old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page);
 	if (!old_entry) {