From: Eric Biggers <ebiggers3@gmail.com>
To: linux-fsdevel@vger.kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
jaegeuk@kernel.org, tytso@mit.edu, mhalcrow@google.com,
Eric Biggers <ebiggers3@gmail.com>
Subject: [PATCH 10/13] fscrypto: restrict setting new policy to empty files and directories only
Date: Sun, 3 Apr 2016 00:22:01 -0500 [thread overview]
Message-ID: <1459660924-2960-11-git-send-email-ebiggers3@gmail.com> (raw)
In-Reply-To: <1459660924-2960-1-git-send-email-ebiggers3@gmail.com>
On f2fs, a user could create a regular file of small positive size and
issue FS_IOC_SET_ENCRYPTION_POLICY to set its encryption policy.
However, this did not behave as expected because the existing data was
not actually encrypted by the ioctl.
Fix this by only permitting an encryption policy to be created for empty
regular files and directories.
For a correct solution, it is necessary to conduct the operation under
the inode lock; otherwise the inode's size might be changed concurrently.
Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
---
fs/crypto/policy.c | 42 ++++++++++++++++++++++++++++++------------
1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
index 93244b5..cb5ba27 100644
--- a/fs/crypto/policy.c
+++ b/fs/crypto/policy.c
@@ -94,23 +94,41 @@ static int create_encryption_context_from_policy(struct inode *inode,
int fscrypt_set_policy(struct inode *inode, const struct fscrypt_policy *policy)
{
+ int ret = 0;
+
if (policy->version != 0)
return -EINVAL;
+ inode_lock(inode);
+
if (!inode_has_encryption_context(inode)) {
- if (!inode->i_sb->s_cop->empty_dir)
- return -EOPNOTSUPP;
- if (!inode->i_sb->s_cop->empty_dir(inode))
- return -ENOTEMPTY;
- return create_encryption_context_from_policy(inode, policy);
+ /* A new policy may only be set on an empty directory or an
+ * empty regular file. */
+ ret = -EINVAL;
+ if (S_ISDIR(inode->i_mode)) {
+ if (!inode->i_sb->s_cop->empty_dir)
+ ret = -EOPNOTSUPP;
+ else if (inode->i_sb->s_cop->empty_dir(inode))
+ ret = 0;
+ else
+ ret = -ENOTEMPTY;
+ } else if (S_ISREG(inode->i_mode)) {
+ ret = -ENOTEMPTY;
+ if (inode->i_size == 0)
+ ret = 0;
+ }
+ if (!ret) {
+ ret = create_encryption_context_from_policy(inode,
+ policy);
+ }
+ } else if (!is_encryption_context_consistent_with_policy(inode, policy)) {
+ printk(KERN_WARNING
+ "%s: Policy inconsistent with encryption context\n",
+ __func__);
+ ret = -EINVAL;
}
-
- if (is_encryption_context_consistent_with_policy(inode, policy))
- return 0;
-
- printk(KERN_WARNING "%s: Policy inconsistent with encryption context\n",
- __func__);
- return -EINVAL;
+ inode_unlock(inode);
+ return ret;
}
EXPORT_SYMBOL(fscrypt_set_policy);
--
2.7.4
next prev parent reply other threads:[~2016-04-03 5:23 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-03 5:21 [PATCH 00/13] fscrypto: cleanups and fixes Eric Biggers
2016-04-03 5:21 ` [PATCH 01/13] fscrypto: remove unnecessary includes Eric Biggers
2016-04-03 5:21 ` [PATCH 02/13] fscrypto: rename some functions for clarity Eric Biggers
2016-04-03 7:45 ` Theodore Ts'o
2016-04-03 5:21 ` [PATCH 03/13] fscrypto: rename functions to load and unload inode encryption info Eric Biggers
2016-04-03 5:21 ` [PATCH 04/13] fscrypto: return bool instead of int where appropriate Eric Biggers
2016-04-03 5:21 ` [PATCH 05/13] fscrypto: comment improvements and fixes Eric Biggers
2016-04-03 5:21 ` [PATCH 06/13] fscrypto: crypto_alloc_skcipher() always returns an ERR_PTR(), never NULL Eric Biggers
2016-04-03 5:21 ` [PATCH 07/13] fscrypto: simplify building key descriptor string Eric Biggers
2016-04-03 5:21 ` [PATCH 08/13] fscrypto: use standard macros from kernel.h Eric Biggers
2016-04-03 5:22 ` [PATCH 09/13] fscrypto: make fname_encrypt() actually return length of ciphertext Eric Biggers
2016-04-03 5:22 ` Eric Biggers [this message]
2016-04-03 5:22 ` [PATCH 11/13] fscrypto: restrict setting encryption policy to inode owner Eric Biggers
2016-04-03 5:22 ` [PATCH 12/13] fscrypto: require write access to mount to set encryption policy Eric Biggers
2016-04-03 5:22 ` [PATCH 13/13] fscrypto: improve error handling in fscrypt_set_policy() Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1459660924-2960-11-git-send-email-ebiggers3@gmail.com \
--to=ebiggers3@gmail.com \
--cc=jaegeuk@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhalcrow@google.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox