client: Check for supported fscrypt policy

When setting a policy on a directory, check to make sure
policy is supported.

Signed-off-by: Christopher Hoffman <choffman@redhat.com>

diff --git a/src/client/Client.cc b/src/client/Client.cc
index 51f7ae5d072e1f1b16b5e2514a8f35dedad98e3a..075968a87db84abb0b4e6a49855a3c2d15241c08 100644 (file)
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -18334,6 +18334,11 @@ int Client::ll_set_fscrypt_policy_v2(Inode *in, const struct fscrypt_policy_v2&
   }
 
   FSCryptContext fsc(cct);
+
+  if (!fsc.is_supported_policy(policy)) {
+    return -EINVAL;
+  }
+
   fsc.init(policy);
   fsc.generate_new_nonce();
 

diff --git a/src/client/FSCrypt.h b/src/client/FSCrypt.h
index 9d58100ec655e75ae7a007e37a13a0b1de0e722f..038775eb7a5fb1f4e50955d7285a6a34ec511a22 100644 (file)
--- a/src/client/FSCrypt.h
+++ b/src/client/FSCrypt.h
@@ -125,6 +125,19 @@ public:
 
   virtual ~FSCryptPolicy() {}
 
+  bool is_supported_policy(fscrypt_policy_v2 policy) {
+    if (policy.version != 2) {
+      return false;
+    }
+
+    if (policy.contents_encryption_mode != FSCRYPT_MODE_AES_256_XTS ||
+       policy.filenames_encryption_mode != FSCRYPT_MODE_AES_256_CTS) {
+      return false;
+    }
+
+    return true;
+  }
+
   void init(const struct fscrypt_policy_v2& policy) {
     version = policy.version;
     contents_encryption_mode = policy.contents_encryption_mode;