[LU-14629] Prevent file renaming from encrypted to unencrypted dir

Fri, 1 Oct 2021 23:23:47 +0000

fscrypt allows renaming an encrypted file from an encrypted directory to an unencrypted directory, according to the documentation at:
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html

Access semantics

With the key

Unencrypted files, or files encrypted with a different encryption policy (i.e. different key, modes, or flags), cannot be renamed or linked into an encrypted directory; see Encryption policy enforcement. Attempts to do so will fail with EXDEV. However, encrypted files can be renamed within an encrypted directory, or into an unencrypted directory.

However, it seems odd to allow such a rename. Indeed, once the encrypted file has been renamed into the unencrypted directory, it does remain encrypted: it keeps its flags saying it is encrypted, its content remains encrypted (because file data has not been touched by rename), and only its name appears in clear text. As such, access to the file is possible only with the key, even if it sits into an unencrypted directory. And the only way to input the key is to unlock the encrypted dir from which the file is originating. Of course, there is no obvious relationship between the renamed file and its original directory, and only the one who proceeded to the rename might have this information.
Note it is still possible to rename the encrypted file back to its original encrypted dir, but not to another encrypted dir. And if the original encrypted directory gets removed, then we lose any possibility to input the encryption key for the renamed file.

Taking this into consideration, I would like to submit a patch in llite that prevents a file in an encrypted directory from being renamed into an unencrypted directory.

Whamcloud Community JIRA

[LU-14629] Prevent file renaming from encrypted to unencrypted dir