[LU-14629] Prevent file renaming from encrypted to unencrypted dir
Created: 22/Apr/21  Updated: 01/Oct/21  Resolved: 01/Oct/21

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.15.0
Fix Version/s: Lustre 2.15.0

Type: Bug
Priority: Minor
Reporter: Sebastien Buisson
Assignee: Sebastien Buisson
Resolution: Fixed
Votes: 0
Labels: encryption, patch, sec

Severity: 3

Description

fscrypt allows renaming an encrypted file from an encrypted directory to an unencrypted directory, according to the documentation at:
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html

Access semantics

With the key

Unencrypted files, or files encrypted with a different encryption policy (i.e. different key, modes, or flags), cannot be renamed or linked into an encrypted directory; see Encryption policy enforcement. Attempts to do so will fail with EXDEV. However, encrypted files can be renamed within an encrypted directory, or into an unencrypted directory.

However, it seems odd to allow such a rename. Indeed, once the encrypted file has been renamed into the unencrypted directory, it does remain encrypted: it keeps its flags saying it is encrypted, its content remains encrypted (because file data has not been touched by rename), and only its name appears in clear text. As such, access to the file is possible only with the key, even if it sits in an unencrypted directory. And the only way to input the key is to unlock the encrypted dir from which the file originates. Of course, there is no obvious relationship between the renamed file and its original directory, and only the one who performed the rename might have this information.
Note it is still possible to rename the encrypted file back to its original encrypted dir, but not to another encrypted dir. And if the original encrypted directory gets removed, then we lose any possibility to input the encryption key for the renamed file.

Taking this into consideration, I would like to submit a patch in llite that prevents a file in an encrypted directory from being renamed into an unencrypted directory.



Comments
Comment by Gerrit Updater [ 22/Apr/21 ]

Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: https://review.whamcloud.com/43404
Subject: LU-14629 sec: forbid file rename from enc to unencrypted dir
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 57927cd9a0f33c5dd34b48c8d6f9ece7a9c5fb7d

Comment by Gerrit Updater [ 02/Jun/21 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/43404/
Subject: LU-14629 sec: forbid file rename from enc to unencrypted dir
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 1158386ac9c6a638f791f62e47a7513b2322772c

Comment by Peter Jones [ 02/Jun/21 ]

Landed for 2.15

Comment by Sebastien Buisson [ 27/Sep/21 ]

An issue was found with patch https://review.whamcloud.com/43908. We intentionally forbid file and directory rename from an encrypted to an unencrypted directory. But we must not block rename of the topmost encrypted directory.
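
As an added illustration (not Lustre or kernel code), the toy model below contrasts the fscrypt rename rule quoted in the description with the stricter rule this ticket asks for, including the topmost-directory case from the comment above. The struct, the function names, the sample tree and the -EXDEV return of the stricter rule are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy inode model (hypothetical, not Lustre's or the kernel's struct inode). */
struct node {
    bool encrypted;             /* carries an encryption policy */
    int policy_id;              /* constructed stand-in for key, modes, flags */
    const struct node *parent;  /* containing directory, NULL at the root */
};

/* Rule quoted from the fscrypt documentation: only the target directory
 * constrains the rename, so encrypted -> unencrypted is allowed. */
static int fscrypt_rule(const struct node *src, const struct node *tgt_dir)
{
    if (tgt_dir->encrypted &&
        (!src->encrypted || src->policy_id != tgt_dir->policy_id))
        return -EXDEV;
    return 0;
}

/* Stricter rule requested in this ticket. The extra test looks at the
 * source's parent directory, so the topmost encrypted directory (whose
 * parent is unencrypted) stays renamable. -EXDEV here is an assumption. */
static int strict_rule(const struct node *src, const struct node *tgt_dir)
{
    int rc = fscrypt_rule(src, tgt_dir);
    if (rc)
        return rc;
    if (src->parent && src->parent->encrypted && !tgt_dir->encrypted)
        return -EXDEV;
    return 0;
}

/* Constructed sample tree: plain_a/{vault/secret, other_vault}, plain_b. */
static const struct node plain_a = { false, 0, NULL };
static const struct node plain_b = { false, 0, NULL };
static const struct node vault = { true, 1, &plain_a };
static const struct node other_vault = { true, 2, &plain_a };
static const struct node secret = { true, 1, &vault };

int main(void)
{
    printf("fscrypt: secret -> plain_b: %d\n", fscrypt_rule(&secret, &plain_b));
    printf("strict:  secret -> plain_b: %d\n", strict_rule(&secret, &plain_b));
    printf("strict:  vault  -> plain_b: %d\n", strict_rule(&vault, &plain_b));
    return 0;
}
```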

Comment by Gerrit Updater [ 27/Sep/21 ]

"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/45054
Subject: LU-14629 sec: do not block rename of topmost encrypted dir
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 51cb9e840b650f5ac9655a09bd9f811da06b31e8

Comment by Gerrit Updater [ 01/Oct/21 ]

"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/45054/
Subject: LU-14629 sec: do not block rename of topmost encrypted dir
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 3db8e31797535570e5f2e99f6c8471b49d395efe
