summaryrefslogtreecommitdiffstats
path: root/fs/crypto/policy.c
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2016-12-19 14:20:13 -0800
committerTheodore Ts'o <tytso@mit.edu>2016-12-31 00:47:05 -0500
commit42d97eb0ade31e1bc537d086842f5d6e766d9d51 (patch)
tree04f4a277ddf959f3cabb6a97c7743806d9bd953e /fs/crypto/policy.c
parentfe4f6c801c03bc13113d0dc32f02d4ea8ed89ffd (diff)
downloadlinux-42d97eb0ade31e1bc537d086842f5d6e766d9d51.tar.gz
linux-42d97eb0ade31e1bc537d086842f5d6e766d9d51.tar.bz2
linux-42d97eb0ade31e1bc537d086842f5d6e766d9d51.zip
fscrypt: fix renaming and linking special files
Attempting to link a device node, named pipe, or socket file into an encrypted directory through rename(2) or link(2) always failed with EPERM. This happened because fscrypt_has_permitted_context() saw that the file was unencrypted and forbid creating the link. This behavior was unexpected because such files are never encrypted; only regular files, directories, and symlinks can be encrypted. To fix this, make fscrypt_has_permitted_context() always return true on special files. This will be covered by a test in my encryption xfstests patchset. Fixes: 9bd8212f981e ("ext4 crypto: add encryption policy and password salt support") Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Richard Weinberger <richard@nod.at> Cc: stable@vger.kernel.org Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Diffstat (limited to 'fs/crypto/policy.c')
-rw-r--r--fs/crypto/policy.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
index 6ed7c2eebeec..d6cd7ea4851d 100644
--- a/fs/crypto/policy.c
+++ b/fs/crypto/policy.c
@@ -179,6 +179,11 @@ int fscrypt_has_permitted_context(struct inode *parent, struct inode *child)
BUG_ON(1);
}
+ /* No restrictions on file types which are never encrypted */
+ if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) &&
+ !S_ISLNK(child->i_mode))
+ return 1;
+
/* no restrictions if the parent directory is not encrypted */
if (!parent->i_sb->s_cop->is_encrypted(parent))
return 1;