lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 27 Oct 2022 12:26:53 +0100
From:   Luís Henriques <lhenriques@...e.de>
To:     Xiubo Li <xiubli@...hat.com>, Ilya Dryomov <idryomov@...il.com>,
        Jeff Layton <jlayton@...nel.org>
Cc:     ceph-devel@...r.kernel.org, linux-kernel@...r.kernel.org,
        Luís Henriques <lhenriques@...e.de>
Subject: [RFC PATCH] ceph: allow encrypting a directory while not having Ax caps

If a client doesn't have Fx caps on a directory, it will get errors while
trying encrypt it:

ceph: handle_cap_grant: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len 0 new len 48)
fscrypt (ceph, inode 1099511627812): Error -105 getting encryption context

A simple way to reproduce this is to use two clients:

    client1 # mkdir /mnt/mydir

    client2 # ls /mnt/mydir

    client1 # fscrypt encrypt /mnt/mydir
    client1 # echo hello > /mnt/mydir/world

This happens because, in __ceph_setattr(), we only initialize
ci->fscrypt_auth if we have Ax.  If we don't have, we'll need to do that
later, in handle_cap_grant().

Signed-off-by: Luís Henriques <lhenriques@...e.de>
---
Hi!

To be honest, I'm not really sure about the conditions in the 'if': shall
I bother checking it's really a dir and that it is empty?

Cheers,
--
Luís

 fs/ceph/caps.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 443fce066d42..e33b5c276cf3 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -3511,9 +3511,29 @@ static void handle_cap_grant(struct inode *inode,
 		     from_kuid(&init_user_ns, inode->i_uid),
 		     from_kgid(&init_user_ns, inode->i_gid));
 #if IS_ENABLED(CONFIG_FS_ENCRYPTION)
-		if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len ||
-		    memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth,
-			   ci->fscrypt_auth_len))
+		if ((ci->fscrypt_auth_len == 0) &&
+		    (extra_info->fscrypt_auth_len > 0) &&
+		    S_ISDIR(inode->i_mode) &&
+		    (ci->i_rsubdirs + ci->i_rfiles == 1)) {
+			/*
+			 * We'll get here when setting up an encrypted directory
+			 * but we don't have Fx in that directory, i.e. other
+			 * clients have accessed this directory too.
+			 */
+			ci->fscrypt_auth = kmemdup(extra_info->fscrypt_auth,
+						   extra_info->fscrypt_auth_len,
+						   GFP_KERNEL);
+			if (ci->fscrypt_auth) {
+				inode->i_flags |= S_ENCRYPTED;
+				ci->fscrypt_auth_len = extra_info->fscrypt_auth_len;
+			} else {
+				pr_err("Failed to alloc memory for %llx.%llx fscrypt_auth\n",
+					ceph_vinop(inode));
+			}
+			dout("ino %llx.%llx is now encrypted\n", ceph_vinop(inode));
+		} else if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len ||
+			   memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth,
+				  ci->fscrypt_auth_len))
 			pr_warn_ratelimited("%s: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len %d new len %d)\n",
 				__func__, ci->fscrypt_auth_len, extra_info->fscrypt_auth_len);
 #endif

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ