From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Theodore Y. Ts'o" Subject: Re: [PATCH v7 12/16] fscrypt: require that key be added when setting a v2 encryption policy Date: Sun, 28 Jul 2019 17:24:02 -0400 Message-ID: <20190728212402.GM6088@mit.edu> References: <20190726224141.14044-1-ebiggers@kernel.org> <20190726224141.14044-13-ebiggers@kernel.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <20190726224141.14044-13-ebiggers@kernel.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-mtd" Errors-To: linux-mtd-bounces+gldm-linux-mtd-36=gmane.org@lists.infradead.org To: Eric Biggers Cc: Satya Tangirala , linux-api@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-fscrypt@vger.kernel.org, keyrings@vger.kernel.org, linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, Paul Crowley List-Id: linux-api@vger.kernel.org On Fri, Jul 26, 2019 at 03:41:37PM -0700, Eric Biggers wrote: > From: Eric Biggers > > By looking up the master keys in a filesystem-level keyring rather than > in the calling processes' key hierarchy, it becomes possible for a user > to set an encryption policy which refers to some key they don't actually > know, then encrypt their files using that key. Cryptographically this > isn't much of a problem, but the semantics of this would be a bit weird. > Thus, enforce that a v2 encryption policy can only be set if the user > has previously added the key, or has capable(CAP_FOWNER). > > We tolerate that this problem will continue to exist for v1 encryption > policies, however; there is no way around that. > > Signed-off-by: Eric Biggers Looks good, feel free to add: Reviewed-by: Theodore Ts'o - Ted ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/