linux-hardened/Documentation/filesystems
Eric Biggers f5e55e777c fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
Currently, trying to rename or link a regular file, directory, or
symlink into an encrypted directory fails with EPERM when the source
file is unencrypted or is encrypted with a different encryption policy,
and is on the same mountpoint.  It is correct for the operation to fail,
but the choice of EPERM breaks tools like 'mv' that know to copy rather
than rename if they see EXDEV, but don't know what to do with EPERM.

Our original motivation for EPERM was to encourage users to securely
handle their data.  Encrypting files by "moving" them into an encrypted
directory can be insecure because the unencrypted data may remain in
free space on disk, where it can later be recovered by an attacker.
It's much better to encrypt the data from the start, or at least try to
securely delete the source data e.g. using the 'shred' program.

However, the current behavior hasn't been effective at achieving its
goal because users tend to be confused, hack around it, and complain;
see e.g. https://github.com/google/fscrypt/issues/76.  And in some cases
it's actually inconsistent or unnecessary.  For example, 'mv'-ing files
between differently encrypted directories doesn't work even in cases
where it can be secure, such as when in userspace the same passphrase
protects both directories.  Yet, you *can* already 'mv' unencrypted
files into an encrypted directory if the source files are on a different
mountpoint, even though doing so is often insecure.

There are probably better ways to teach users to securely handle their
files.  For example, the 'fscrypt' userspace tool could provide a
command that migrates unencrypted files into an encrypted directory,
acting like 'shred' on the source files and providing appropriate
warnings depending on the type of the source filesystem and disk.

Receiving errors on unimportant files might also force some users to
disable encryption, thus making the behavior counterproductive.  It's
desirable to make encryption as unobtrusive as possible.

Therefore, change the error code from EPERM to EXDEV so that tools
looking for EXDEV will fall back to a copy.

This, of course, doesn't prevent users from still doing the right things
to securely manage their files.  Note that this also matches the
behavior when a file is renamed between two project quota hierarchies;
so there's precedent for using EXDEV for things other than mountpoints.

xfstests generic/398 will require an update with this change.

[Rewritten from an earlier patch series by Michael Halcrow.]

Cc: Michael Halcrow <mhalcrow@google.com>
Cc: Joe Richey <joerichey@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2019-01-23 23:56:43 -05:00
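The behaviour the commit message depends on ('mv' copies when rename(2) reports EXDEV, but has no fallback for EPERM) as an added C example; this is not code from the kernel commit, the fscrypt tool or coreutils, and the function names move_file and copy_and_unlink are this example's own. On its own it cannot produce EXDEV: to see the fallback taken, run it with a destination inside an encrypted directory on a kernel carrying this change, or across two mountpoints.

```c
/* Added example, not code from the kernel commit, fscrypt or coreutils:
 * an mv(1)-style move that tries rename(2) and falls back to copy +
 * unlink only when the kernel reports EXDEV. Function names are this
 * example's own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to a new file dst (refusing to clobber an existing one),
 * fsync it, then unlink src. Returns 0, or -1 with errno set; a
 * half-written dst is removed on failure and src is left untouched. */
int copy_and_unlink(const char *src, const char *dst)
{
    struct stat st;
    char buf[65536];
    ssize_t n;
    int in = open(src, O_RDONLY | O_CLOEXEC);
    if (in < 0)
        return -1;
    if (fstat(in, &st) < 0) {
        close(in);
        return -1;
    }
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC,
                   st.st_mode & 07777);
    if (out < 0) {
        close(in);
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, n - off);
            if (w < 0) {
                if (errno == EINTR)
                    continue;
                goto fail;
            }
            off += w;
        }
    }
    if (n < 0 || fsync(out) < 0)
        goto fail;
    close(in);
    if (close(out) < 0) {
        int saved = errno;
        unlink(dst);
        errno = saved;
        return -1;
    }
    /* Only the directory entry goes away: the source's plaintext blocks
     * are freed, not erased, and may remain recoverable from free space. */
    return unlink(src);
fail:
    {
        int saved = errno;
        close(in);
        close(out);
        unlink(dst);
        errno = saved;
        return -1;
    }
}

/* Move src to dst the way mv(1) does: rename(2) first, copy + unlink
 * only on EXDEV. Every other errno (EPERM, EACCES, ENOENT, ...) is
 * returned unchanged, which is why the commit above switches the
 * fscrypt error from EPERM to EXDEV. *fell_back reports the path taken. */
int move_file(const char *src, const char *dst, int *fell_back)
{
    *fell_back = 0;
    if (rename(src, dst) == 0)
        return 0;
    if (errno != EXDEV)
        return -1;
    *fell_back = 1;
    return copy_and_unlink(src, dst);
}

int main(int argc, char **argv)
{
    int fell_back;
    if (argc != 3) {
        fprintf(stderr, "usage: %s SRC DST\n", argv[0]);
        return 2;
    }
    if (move_file(argv[1], argv[2], &fell_back) < 0) {
        fprintf(stderr, "%s -> %s: %s\n", argv[1], argv[2], strerror(errno));
        return 1;
    }
    if (fell_back)
        fprintf(stderr, "note: rename gave EXDEV, copied instead; plaintext "
                "of %s may still sit in free space\n", argv[1]);
    return 0;
}
```

The warning on the fallback path is the practitioner's caveat from the commit message: after copy + unlink the unencrypted blocks of the source are merely freed, so the data is only as protected as the free space of the source filesystem. Overwriting the source before unlinking (what 'shred' does) is best-effort at most, and gives no assurance on journaling, copy-on-write or flash-backed storage; encrypting the data from the start is the only option that avoids the problem.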
caching Documentation: Use "while" instead of "whilst" 2018-11-20 09:30:43 -07:00
cifs cifs: minor updates to documentation 2018-12-28 10:09:46 -06:00
configfs configfs: fix wrong name of struct in documentation 2018-12-20 08:41:38 -07:00
ext4 docs: promote the ext4 data structures book to top level 2018-10-05 19:20:08 -04:00
nfs Olga added support for the NFSv4.2 asynchronous copy protocol. We 2018-10-30 13:03:29 -07:00
9p.txt
adfs.txt
affs.txt
afs.txt afs: Implement @sys substitution handling 2018-04-09 21:12:31 +01:00
autofs-mount-control.txt autofs: use autofs instead of autofs4 in documentation 2018-06-07 17:34:39 -07:00
autofs.txt autofs: use autofs instead of autofs4 in documentation 2018-06-07 17:34:39 -07:00
automount-support.txt autofs: use autofs instead of autofs4 in documentation 2018-06-07 17:34:39 -07:00
befs.txt
bfs.txt Tigran has moved 2017-05-12 15:57:15 -07:00
btrfs.txt
ceph.txt ceph: new mount option to disable usage of copy-from op 2018-10-22 10:28:24 +02:00
coda.txt
conf.py docs-rst: convert filesystems book to ReST 2017-05-16 08:44:08 -03:00
cramfs.txt cramfs: rehabilitate it 2017-10-15 00:47:23 -04:00
dax.txt doc: filesystems: fix bad references to nonexistent ext4.rst file 2019-01-03 09:28:45 -07:00
debugfs.txt
devpts.txt devpts: Make each mount of devpts an independent filesystem. 2016-06-05 10:36:01 -07:00
directory-locking vfs: remove unused i_op->rename 2016-09-27 11:03:58 +02:00
dlmfs.txt
dnotify.txt Documentation: fix selftests related file refs 2017-10-19 12:58:21 -06:00
ecryptfs.txt
efivarfs.txt
exofs.txt
ext2.txt doc: filesystems: fix bad references to nonexistent ext4.rst file 2019-01-03 09:28:45 -07:00
ext3.txt
f2fs.txt f2fs: checkpoint disabling 2018-10-16 09:36:39 -07:00
fiemap.txt
files.txt
fscrypt.rst fscrypt: return -EXDEV for incompatible rename or link into encrypted dir 2019-01-23 23:56:43 -05:00
fuse-io.txt fuse: add writeback documentation 2018-03-20 17:11:45 +01:00
fuse.txt
gfs2-glocks.txt GFS2: Minor improvements to comments and documentation 2018-04-12 10:07:51 -07:00
gfs2-uevents.txt
gfs2.txt
hfs.txt
hfsplus.txt
hpfs.txt
index.rst docs: improve pathname-lookup document structure 2018-12-20 08:47:18 -07:00
inotify.txt
isofs.txt
jfs.txt
Locking overlayfs update for 4.19 2018-08-21 18:19:09 -07:00
locks.txt docs: fix locations of several documents that got moved 2016-10-24 08:12:35 -02:00
mandatory-locking.txt
nilfs2.txt MAINTAINERS, nilfs2: change project home URLs 2018-01-13 10:42:48 -08:00
ntfs.txt
ocfs2-online-filecheck.txt Doc: ocfs: Fix typo in filesystems/ocfs2-online-filecheck.txt 2016-07-01 16:17:15 -06:00
ocfs2.txt
omfs.txt
orangefs.txt Orangefs: documentation updates 2018-04-04 14:05:48 -04:00
overlayfs.txt ovl: automatically enable redirect_dir on metacopy=on 2018-11-01 21:31:39 +01:00
path-lookup.rst docs: improve pathname-lookup document structure 2018-12-20 08:47:18 -07:00
path-lookup.txt
porting vfs: rework data cloning infrastructure 2018-11-02 09:33:08 -07:00
proc.txt A fairly normal cycle for documentation stuff. We have a new 2018-12-29 11:21:49 -08:00
qnx6.txt Documentation: Use "while" instead of "whilst" 2018-11-20 09:30:43 -07:00
quota.txt scripts/spelling.txt: add "an user" pattern and fix typo instances 2017-02-27 18:43:46 -08:00
ramfs-rootfs-initramfs.txt initramfs: move gen_initramfs_list.sh from scripts/ to usr/ 2018-08-22 23:21:44 +09:00
relay.txt Documentation : Update relay function types 2018-07-10 15:11:00 -06:00
romfs.txt
seq_file.txt fs/seq_file.c: simplify seq_file iteration code and interface 2018-08-17 16:20:28 -07:00
sharedsubtree.txt
spufs.txt Documentation: fix spelling mistake, EACCESS -> EACCES 2018-11-07 15:28:55 -07:00
squashfs.txt
sysfs-pci.txt PCI: Add pci_mmap_resource_range() and use it for ARM64 2017-04-20 08:47:47 -05:00
sysfs-tagging.txt
sysfs.txt Documentation: driver core: remove use of BUS_ATTR 2019-01-08 15:17:45 +01:00
sysv-fs.txt
tmpfs.txt docs/vm: move numa_memory_policy.rst to Documentation/admin-guide/mm 2018-05-08 09:31:31 -06:00
ubifs-authentication.md Documentation: ubifs: Add authentication whitepaper 2018-10-23 13:49:01 +02:00
ubifs.txt ubifs: Enable authentication support 2018-10-23 13:49:01 +02:00
udf.txt udf: Remove never implemented mount options 2018-02-27 10:25:33 +01:00
ufs.txt
vfat.txt Documentation/filesystems/vfat.txt: fix a remark that implies UCS2 2017-12-21 13:39:28 -07:00
vfs.txt Documentation: Use "while" instead of "whilst" 2018-11-20 09:30:43 -07:00
xfs-delayed-logging-design.txt
xfs-self-describing-metadata.txt Documentation: Use "while" instead of "whilst" 2018-11-20 09:30:43 -07:00
xfs.txt Documentation: Use "while" instead of "whilst" 2018-11-20 09:30:43 -07:00