From cd1f0238463ae5777a58022c422c489606221dca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Attila=20F=C3=BCl=C3=B6p?= Date: Fri, 4 Nov 2022 19:07:29 +0100 Subject: [PATCH] Deny receiving into encrypted datasets if the keys are not loaded (#14139) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit 68ddc06b611854560fefa377437eb3c9480e084b introduced support for receiving unencrypted datasets as children of encrypted ones but unfortunately got the logic upside down. This resulted in failing to deny receives of incremental sends into encrypted datasets without their keys loaded. If receiving a filesystem, the receive was done into a newly created unencrypted child dataset of the target. In case of volumes the receive made the target volume undeletable since a dataset was created below it, which we obviously can't handle. Incremental streams with embedded blocks are affected as well. We fix the broken logic to properly deny receives in such cases. Reviewed-by: Brian Behlendorf Signed-off-by: Attila Fülöp Closes #13598 Closes #14055 Closes #14119 --- module/zfs/dmu_recv.c | 2 +- .../zfs_receive/zfs_receive_to_encrypted.ksh | 31 +++++++++++++------ 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/module/zfs/dmu_recv.c b/module/zfs/dmu_recv.c index 99eeceeb41..98ca2b3bce 100644 --- a/module/zfs/dmu_recv.c +++ b/module/zfs/dmu_recv.c @@ -602,7 +602,7 @@ dmu_recv_begin_check(void *arg, dmu_tx_t *tx) * so add the DS_HOLD_FLAG_DECRYPT flag only if we are dealing * with a dataset we may encrypt. */ - if (drba->drba_dcp != NULL && + if (drba->drba_dcp == NULL || drba->drba_dcp->cp_crypt != ZIO_CRYPT_OFF) { dsflags |= DS_HOLD_FLAG_DECRYPT; } diff --git a/tests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh b/tests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh index 5d76c220fc..8bd9a68549 100755 --- a/tests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh +++ b/tests/zfs-tests/tests/functional/cli_root/zfs_receive/zfs_receive_to_encrypted.ksh @@ -25,13 +25,16 @@ # ZFS should receive to an encrypted child dataset. # # STRATEGY: -# 1. Snapshot the default dataset -# 2. Create an encrypted dataset -# 3. Attempt to receive a stream to an encrypted child -# 4. Attempt to receive a stream with properties to an encrypted child -# 5. Attempt to receive a replication stream to an encrypted child -# 6. Unmount and unload the encrypted dataset keys -# 7. Attempt to receive a snapshot stream to an encrypted child +# 1. Snapshot the default dataset +# 2. Create an encrypted dataset +# 3. Attempt to receive a stream to an encrypted child +# 4. Unload the key +# 5. Attempt to receive an incremental stream to an encrypted child (must fail) +# 6. Attempt to receive a stream with properties to an unencrypted child +# 7. Attempt to receive an incremental stream to an unencrypted child +# 8. Attempt to receive with -o encryption=off to an unencrypted child +# 9. Attempt to receive a replication stream to an unencrypted child +# 10. Attempt to receive a snapshot stream to an encrypted child (must fail) # verify_runnable "both" @@ -39,6 +42,7 @@ verify_runnable "both" function cleanup { snapexists $snap && destroy_dataset $snap -f + snapexists $snap2 && destroy_dataset $snap2 -f datasetexists $TESTPOOL/$TESTFS1 && \ destroy_dataset $TESTPOOL/$TESTFS1 -r @@ -50,15 +54,17 @@ log_assert "ZFS should receive encrypted filesystems into child dataset" typeset passphrase="password" typeset snap="$TESTPOOL/$TESTFS@snap" +typeset snap2="$TESTPOOL/$TESTFS@snap2" typeset testfile="testfile" log_must zfs snapshot $snap +log_must zfs snapshot $snap2 log_must eval "echo $passphrase | zfs create -o encryption=on" \ "-o keyformat=passphrase $TESTPOOL/$TESTFS1" log_note "Verifying ZFS will receive to an encrypted child" -log_must eval "zfs send $snap | zfs receive $TESTPOOL/$TESTFS1/c1" +log_must eval "zfs send $snap | zfs receive -u $TESTPOOL/$TESTFS1/c1" log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c1)" != "off" # Unload the key, the following tests won't require it and we will test @@ -66,10 +72,17 @@ log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c1)" != "off" log_must zfs unmount $TESTPOOL/$TESTFS1 log_must zfs unload-key $TESTPOOL/$TESTFS1 +log_note "Verifying ZFS will not receive an incremental into an encrypted" \ + "dataset when the key is unloaded" +log_mustnot eval "zfs send -i $snap $snap2 | zfs receive $TESTPOOL/$TESTFS1/c1" + log_note "Verifying 'send -p' will receive to an unencrypted child" -log_must eval "zfs send -p $snap | zfs receive $TESTPOOL/$TESTFS1/c2" +log_must eval "zfs send -p $snap | zfs receive -u $TESTPOOL/$TESTFS1/c2" log_must test "$(get_prop 'encryption' $TESTPOOL/$TESTFS1/c2)" == "off" +log_note "Verifying 'send -i' will receive to an unencrypted child" +log_must eval "zfs send -i $snap $snap2 | zfs receive $TESTPOOL/$TESTFS1/c2" + # For completeness add the property override case. log_note "Verifying recv -o encyption=off' will receive to an unencrypted child" log_must eval "zfs send $snap | \