On Fri, Jul 26, 2019 at 03:41:37PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> By looking up the master keys in a filesystem-level keyring rather than
> in the calling processes' key hierarchy, it becomes possible for a user
> to set an encryption policy which refers to some key they don't actually
> know, then encrypt their files using that key. Cryptographically this
> isn't much of a problem, but the semantics of this would be a bit weird.
> Thus, enforce that a v2 encryption policy can only be set if the user
> has previously added the key, or has capable(CAP_FOWNER).
>
> We tolerate that this problem will continue to exist for v1 encryption
> policies, however; there is no way around that.
>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>

Looks good, feel free to add:

Reviewed-by: Theodore Ts'o <tytso@xxxxxxx>

- Ted
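As an added example (not part of this thread, the patch under review, or the kernel's own code), here is the userspace side of the rule the commit message describes: with a v2 policy the caller names the master key by an identifier it can compute on its own with HKDF-SHA512, so without the check it could set a policy for a key it never added. The ioctl numbers, struct layouts and identifier derivation follow the fscrypt UAPI (<linux/fscrypt.h> and Documentation/filesystems/fscrypt.rst); the demo directory, the sample key and the helper names are assumptions, and the set-policy call made before the key is added is the one the patch rejects (upstream's fscrypt documentation lists ENOKEY for that case; with CAP_FOWNER it is allowed through).

```python
"""Added example, not from the thread or the kernel patch: ordering of
FS_IOC_ADD_ENCRYPTION_KEY and a v2 FS_IOC_SET_ENCRYPTION_POLICY."""
import errno
import fcntl
import hashlib
import hmac
import os
import struct
import sys

# ioctl numbers from <linux/fscrypt.h> (x86-64 / arm64 values).
FS_IOC_SET_ENCRYPTION_POLICY = 0x800C6613  # _IOR('f', 19, struct fscrypt_policy)
FS_IOC_ADD_ENCRYPTION_KEY = 0xC0506617     # _IOWR('f', 23, struct fscrypt_add_key_arg)

FSCRYPT_POLICY_V2 = 2
FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER = 2
FSCRYPT_MODE_AES_256_XTS = 1
FSCRYPT_MODE_AES_256_CTS = 4
FSCRYPT_POLICY_FLAGS_PAD_32 = 0x03
FSCRYPT_KEY_IDENTIFIER_SIZE = 16
HKDF_CONTEXT_KEY_IDENTIFIER = 1


def hkdf(hash_name, ikm, salt, info, length):
    """RFC 5869 HKDF-Extract + HKDF-Expand (generic, so it can be checked
    against the RFC's SHA-256 test vector)."""
    if not salt:  # zero-length salt means HashLen zero bytes
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    prk = hmac.new(salt, ikm, hash_name).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def fscrypt_key_identifier(raw_key):
    """v2 key identifier: first 16 bytes of HKDF-SHA512(raw_key) with no salt
    and info "fscrypt\\0" || HKDF_CONTEXT_KEY_IDENTIFIER.  Anyone who knows the
    raw key can compute this, which is why naming a key is not proof of it."""
    info = b"fscrypt\x00" + bytes([HKDF_CONTEXT_KEY_IDENTIFIER])
    return hkdf("sha512", raw_key, b"", info, FSCRYPT_KEY_IDENTIFIER_SIZE)


def pack_policy_v2(identifier, contents=FSCRYPT_MODE_AES_256_XTS,
                   filenames=FSCRYPT_MODE_AES_256_CTS, flags=FSCRYPT_POLICY_FLAGS_PAD_32):
    """struct fscrypt_policy_v2: version, two modes, flags, 4 reserved bytes,
    16-byte master_key_identifier (24 bytes)."""
    if len(identifier) != FSCRYPT_KEY_IDENTIFIER_SIZE:
        raise ValueError("identifier must be 16 bytes")
    return struct.pack("<BBBB4s16s", FSCRYPT_POLICY_V2, contents, filenames,
                       flags, b"\x00" * 4, identifier)


def pack_add_key_arg(raw_key):
    """struct fscrypt_add_key_arg with key_spec.type = IDENTIFIER; the kernel
    computes the identifier itself and writes it back into key_spec.u."""
    header = struct.pack("<II32sII32s", FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER, 0,
                         b"\x00" * 32, len(raw_key), 0, b"\x00" * 32)
    return header + raw_key


def add_key(dirfd, raw_key):
    """FS_IOC_ADD_ENCRYPTION_KEY; returns the identifier the kernel assigned."""
    buf = bytearray(pack_add_key_arg(raw_key))
    fcntl.ioctl(dirfd, FS_IOC_ADD_ENCRYPTION_KEY, buf, True)
    return bytes(buf[8:8 + FSCRYPT_KEY_IDENTIFIER_SIZE])


def set_policy_v2(dirfd, identifier):
    """FS_IOC_SET_ENCRYPTION_POLICY with a v2 policy; returns 0 or the errno."""
    try:
        fcntl.ioctl(dirfd, FS_IOC_SET_ENCRYPTION_POLICY, pack_policy_v2(identifier))
    except OSError as e:
        return e.errno
    return 0


def demo(directory, raw_key):
    """On an empty directory of an encryption-enabled filesystem (needs the
    right privileges): set the policy before and after adding the key."""
    ident = fscrypt_key_identifier(raw_key)
    fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY)
    try:
        before = set_policy_v2(fd, ident)  # key not added: rejected unless CAP_FOWNER
        kernel_ident = add_key(fd, raw_key)
        assert kernel_ident == ident, "local HKDF derivation disagrees with the kernel"
        after = set_policy_v2(fd, ident)   # key added by this user: accepted
    finally:
        os.close(fd)
    return before, after


if __name__ == "__main__":
    # usage: python3 fscrypt_v2_order.py /mnt/enc/emptydir  (assumed path)
    key = bytes(range(64))  # constructed 64-byte demo key, not a real secret
    b, a = demo(sys.argv[1], key)
    print("before add_key:", errno.errorcode.get(b, b),
          "after add_key:", errno.errorcode.get(a, a))
```

The local derivation in fscrypt_key_identifier is exactly what makes the check necessary: knowing the 64-byte raw key is enough to produce the identifier, and nothing in the policy struct itself ties the caller to a key in the filesystem keyring, so the kernel has to consult its own record of who added the key.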