On Fri, Jul 26, 2019 at 03:41:37PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebigg...@google.com>
> 
> By looking up the master keys in a filesystem-level keyring rather than
> in the calling process's key hierarchy, it becomes possible for a user
> to set an encryption policy which refers to some key they don't actually
> know, then encrypt their files using that key.  Cryptographically this
> isn't much of a problem, but the semantics of this would be a bit weird.
> Thus, enforce that a v2 encryption policy can only be set if the user
> has previously added the key, or has capable(CAP_FOWNER).
> 
> We tolerate that this problem will continue to exist for v1 encryption
> policies, however; there is no way around that.
> 
> Signed-off-by: Eric Biggers <ebigg...@google.com>

Looks good, feel free to add:

Reviewed-by: Theodore Ts'o <ty...@mit.edu>

                                        - Ted