From 1158386ac9c6a638f791f62e47a7513b2322772c Mon Sep 17 00:00:00 2001
From: Sebastien Buisson <sbuisson@ddn.com>
Date: Thu, 22 Apr 2021 11:26:51 +0200
Subject: [PATCH] LU-14629 sec: forbid file rename from enc to unencrypted dir

fscrypt allows renaming an encrypted file from an encrypted directory
into an unencrypted directory. But it leaves the file encrypted,
sitting in an unencrypted directory, which can lead to unexpected
issues.
So just prevent this kind of rename, and adapt sanity-sec test_47
accordingly.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I38e17caa4786c1c8d80a363a826a5aa298eb0980
Reviewed-on: https://review.whamcloud.com/43404
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
---
 lustre/llite/namei.c       | 5 +++++
 lustre/mdd/mdd_dir.c       | 9 +++++++++
 lustre/tests/sanity-sec.sh | 5 +++--
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lustre/llite/namei.c b/lustre/llite/namei.c
index 8470499..bcfdf37 100644
--- a/lustre/llite/namei.c
+++ b/lustre/llite/namei.c
@@ -1874,6 +1874,11 @@ static int ll_rename(struct inode *src, struct dentry *src_dchild,
 #endif
 	if (err)
 		RETURN(err);
+	/* we prevent an encrypted file from being renamed
+	 * into an unencrypted dir
+	 */
+	if (IS_ENCRYPTED(src) && !IS_ENCRYPTED(tgt))
+		RETURN(-EXDEV);
 
 	if (src_dchild->d_inode)
 		mode = src_dchild->d_inode->i_mode;
diff --git a/lustre/mdd/mdd_dir.c b/lustre/mdd/mdd_dir.c
index e0c1842..0fb1374 100644
--- a/lustre/mdd/mdd_dir.c
+++ b/lustre/mdd/mdd_dir.c
@@ -2804,6 +2804,15 @@ static int mdd_rename_sanity_check(const struct lu_env *env,
 	    (pattr->la_projid != tpattr->la_projid)))
 		RETURN(-EXDEV);
 
+	/* we prevent an encrypted file from being renamed
+	 * into an unencrypted dir
+	 */
+	if ((cattr->la_valid & LA_FLAGS &&
+	     cattr->la_flags & LUSTRE_ENCRYPT_FL) &&
+	    !(tpattr->la_valid & LA_FLAGS &&
+	      tpattr->la_flags & LUSTRE_ENCRYPT_FL))
+		RETURN(-EXDEV);
+
 	rc = mdd_may_delete(env, src_pobj, pattr, sobj, cattr, NULL, 1, 0);
 	if (rc)
 		RETURN(rc);
diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh
index 4c06c93..b887dcb 100755
--- a/lustre/tests/sanity-sec.sh
+++ b/lustre/tests/sanity-sec.sh
@@ -3404,8 +3404,9 @@ test_47() {
 		error "link from encrypted to unencrypted dir should succeed"
 	rm -f $tmpfile
 
-	mrename $testfile2 $tmpfile ||
-		error "rename from encrypted to unencrypted dir should succeed"
+	mrename $testfile2 $tmpfile &&
+		error "rename from encrypted to unencrypted dir should fail"
+	touch $tmpfile
 
 	dd if=/dev/zero of=$testfile bs=512K count=1
 	mkdir $DIR/$tdir/mydir
-- 
1.8.3.1