From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org
Cc: linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [PATCH] fscrypt: don't print name of busy file when removing key
Date: Wed, 22 Jan 2020 14:59:18 -0800 [thread overview]
Message-ID: <20200122225917.GA182745@gmail.com> (raw)
In-Reply-To: <20200120060732.390362-1-ebiggers@kernel.org>
On Sun, Jan 19, 2020 at 10:07:32PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> When an encryption key can't be fully removed due to file(s) protected
> by it still being in-use, we shouldn't really print the path to one of
> these files to the kernel log, since parts of this path are likely to be
> encrypted on-disk, and (depending on how the system is set up) the
> confidentiality of this path might be lost by printing it to the log.
>
> This is a trade-off: a single file path often doesn't matter at all,
> especially if it's a directory; the kernel log might still be protected
> in some way; and I had originally hoped that any "inode(s) still busy"
> bugs (which are security weaknesses in their own right) would be quickly
> fixed and that to do so it would be super helpful to always know the
> file path and not have to run 'find dir -inum $inum' after the fact.
>
> But in practice, these bugs can be hard to fix (e.g. due to asynchronous
> process killing that is difficult to eliminate, for performance
> reasons), and also not tied to specific files, so knowing a file path
> doesn't necessarily help.
>
> So to be safe, for now let's just show the inode number, not the path.
> If someone really wants to know a path they can use 'find -inum'.
>
> Fixes: b1c0ec3599f4 ("fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl")
> Cc: <stable@vger.kernel.org> # v5.4+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
Applied to fscrypt.git#master for 5.6.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: linux-fscrypt@vger.kernel.org
Cc: linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [f2fs-dev] [PATCH] fscrypt: don't print name of busy file when removing key
Date: Wed, 22 Jan 2020 14:59:18 -0800 [thread overview]
Message-ID: <20200122225917.GA182745@gmail.com> (raw)
In-Reply-To: <20200120060732.390362-1-ebiggers@kernel.org>
On Sun, Jan 19, 2020 at 10:07:32PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> When an encryption key can't be fully removed due to file(s) protected
> by it still being in-use, we shouldn't really print the path to one of
> these files to the kernel log, since parts of this path are likely to be
> encrypted on-disk, and (depending on how the system is set up) the
> confidentiality of this path might be lost by printing it to the log.
>
> This is a trade-off: a single file path often doesn't matter at all,
> especially if it's a directory; the kernel log might still be protected
> in some way; and I had originally hoped that any "inode(s) still busy"
> bugs (which are security weaknesses in their own right) would be quickly
> fixed and that to do so it would be super helpful to always know the
> file path and not have to run 'find dir -inum $inum' after the fact.
>
> But in practice, these bugs can be hard to fix (e.g. due to asynchronous
> process killing that is difficult to eliminate, for performance
> reasons), and also not tied to specific files, so knowing a file path
> doesn't necessarily help.
>
> So to be safe, for now let's just show the inode number, not the path.
> If someone really wants to know a path they can use 'find -inum'.
>
> Fixes: b1c0ec3599f4 ("fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl")
> Cc: <stable@vger.kernel.org> # v5.4+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
Applied to fscrypt.git#master for 5.6.
- Eric
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
next prev parent reply other threads:[~2020-01-22 22:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-20 6:07 [PATCH] fscrypt: don't print name of busy file when removing key Eric Biggers
2020-01-20 6:07 ` [f2fs-dev] " Eric Biggers
2020-01-22 22:59 ` Eric Biggers [this message]
2020-01-22 22:59 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200122225917.GA182745@gmail.com \
--to=ebiggers@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.