Thread: 51 messages, 6 authors, 2019-08-12

Re: [PATCH v7 12/16] fscrypt: require that key be added when setting a v2 encryption policy

From: "Theodore Y. Ts'o" <tytso@mit.edu>
Date: 2019-07-28 21:24:22
Also in: keyrings, linux-api, linux-crypto, linux-f2fs-devel, linux-fscrypt, linux-fsdevel

On Fri, Jul 26, 2019 at 03:41:37PM -0700, Eric Biggers wrote:
> From: Eric Biggers <redacted>
>
> By looking up the master keys in a filesystem-level keyring rather than
> in the calling processes' key hierarchy, it becomes possible for a user
> to set an encryption policy which refers to some key they don't actually
> know, then encrypt their files using that key.  Cryptographically this
> isn't much of a problem, but the semantics of this would be a bit weird.
> Thus, enforce that a v2 encryption policy can only be set if the user
> has previously added the key, or has capable(CAP_FOWNER).
>
> We tolerate that this problem will continue to exist for v1 encryption
> policies, however; there is no way around that.
>
> Signed-off-by: Eric Biggers <redacted>

Looks good, feel free to add:

Reviewed-by: Theodore Ts'o <tytso@mit.edu>

					- Ted