From: Eric Biggers <ebiggers@kernel.org>
To: Daeho Jeong <daeho43@gmail.com>
Cc: Daeho Jeong <daehojeong@google.com>,
kernel-team@android.com, linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [f2fs-dev] [PATCH] f2fs: add F2FS_IOC_SEC_TRIM_FILE ioctl
Date: Tue, 9 Jun 2020 20:15:32 -0700 [thread overview]
Message-ID: <20200610031532.GA6286@sol.localdomain> (raw)
In-Reply-To: <CACOAw_xEZ+au9yhFerq9amkRO62Dzxj7h71gEc=i16ReYu5xrg@mail.gmail.com>
On Wed, Jun 10, 2020 at 11:05:46AM +0900, Daeho Jeong wrote:
> > > Added a new ioctl to send discard commands or/and zero out
> > > to whole data area of a regular file for security reason.
> >
> > With this ioctl available, what is the exact procedure to write and then later
> > securely erase a file on f2fs? In particular, how can the user prevent f2fs
> > from making multiple copies of file data blocks as part of garbage collection?
> >
>
> To prevent the file data from garbage collecting, the user needs to
> use pinfile ioctl and fallocate system call after creating the file.
> The sequence is like below.
> 1. create an empty file
> 2. pinfile
> 3. fallocate()
Is that persistent? So the file will never be moved afterwards?
Is there a place where this is (or should be) documented?
> > > +
> > > + if (f2fs_readonly(sbi->sb))
> > > + return -EROFS;
> >
> > Isn't this redundant with mnt_want_write_file()?
> >
> > Also, shouldn't write access to the file be required, i.e.
> > (filp->f_mode & FMODE_WRITE)? Then the f2fs_readonly() and
> > mnt_want_write_file() checks would be unnecessary.
> >
>
> Using FMODE_WRITE is more proper for this case, since we're going to
> modify the data. But I think mnt_want_write_file() is still required
> to prevent the filesystem from freezing or something else.
Right, the freezing check is actually still necessary. But getting write access
to the mount is not necessary. I think you should use file_start_write() and
file_end_write(), like vfs_write() does.
> >
> > > +
> > > + if (get_user(flags, (u32 __user *)arg))
> > > + return -EFAULT;
> > > + if (!(flags & F2FS_TRIM_FILE_MASK))
> > > + return -EINVAL;
> >
> > Need to reject unknown flags:
> >
> > if (flags & ~F2FS_TRIM_FILE_MASK)
> > return -EINVAL;
>
> I needed a different thing here. This was to check neither discard nor
> zeroing out are not here. But we still need to check unknown flags,
> too.
> The below might be better.
> if (!flags || flags & ~F2FS_TRIM_FILE_MASK)
> return -EINVAL;
Sure, but please put parentheses around the second clause:
if (flags == 0 || (flags & ~F2FS_TRIM_FILE_MASK))
return -EINVAL;
- Eric
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Daeho Jeong <daeho43@gmail.com>
Cc: linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net, kernel-team@android.com,
Daeho Jeong <daehojeong@google.com>
Subject: Re: [f2fs-dev] [PATCH] f2fs: add F2FS_IOC_SEC_TRIM_FILE ioctl
Date: Tue, 9 Jun 2020 20:15:32 -0700 [thread overview]
Message-ID: <20200610031532.GA6286@sol.localdomain> (raw)
In-Reply-To: <CACOAw_xEZ+au9yhFerq9amkRO62Dzxj7h71gEc=i16ReYu5xrg@mail.gmail.com>
On Wed, Jun 10, 2020 at 11:05:46AM +0900, Daeho Jeong wrote:
> > > Added a new ioctl to send discard commands or/and zero out
> > > to whole data area of a regular file for security reason.
> >
> > With this ioctl available, what is the exact procedure to write and then later
> > securely erase a file on f2fs? In particular, how can the user prevent f2fs
> > from making multiple copies of file data blocks as part of garbage collection?
> >
>
> To prevent the file data from garbage collecting, the user needs to
> use pinfile ioctl and fallocate system call after creating the file.
> The sequence is like below.
> 1. create an empty file
> 2. pinfile
> 3. fallocate()
Is that persistent? So the file will never be moved afterwards?
Is there a place where this is (or should be) documented?
> > > +
> > > + if (f2fs_readonly(sbi->sb))
> > > + return -EROFS;
> >
> > Isn't this redundant with mnt_want_write_file()?
> >
> > Also, shouldn't write access to the file be required, i.e.
> > (filp->f_mode & FMODE_WRITE)? Then the f2fs_readonly() and
> > mnt_want_write_file() checks would be unnecessary.
> >
>
> Using FMODE_WRITE is more proper for this case, since we're going to
> modify the data. But I think mnt_want_write_file() is still required
> to prevent the filesystem from freezing or something else.
Right, the freezing check is actually still necessary. But getting write access
to the mount is not necessary. I think you should use file_start_write() and
file_end_write(), like vfs_write() does.
> >
> > > +
> > > + if (get_user(flags, (u32 __user *)arg))
> > > + return -EFAULT;
> > > + if (!(flags & F2FS_TRIM_FILE_MASK))
> > > + return -EINVAL;
> >
> > Need to reject unknown flags:
> >
> > if (flags & ~F2FS_TRIM_FILE_MASK)
> > return -EINVAL;
>
> I needed a different thing here. This was to check neither discard nor
> zeroing out are not here. But we still need to check unknown flags,
> too.
> The below might be better.
> if (!flags || flags & ~F2FS_TRIM_FILE_MASK)
> return -EINVAL;
Sure, but please put parentheses around the second clause:
if (flags == 0 || (flags & ~F2FS_TRIM_FILE_MASK))
return -EINVAL;
- Eric
next prev parent reply other threads:[~2020-06-10 3:15 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 6:01 [f2fs-dev] [PATCH] f2fs: add F2FS_IOC_SEC_TRIM_FILE ioctl Daeho Jeong
2020-06-09 6:01 ` Daeho Jeong
2020-06-09 16:51 ` [f2fs-dev] " Eric Biggers
2020-06-09 16:51 ` Eric Biggers
2020-06-10 2:05 ` Daeho Jeong
2020-06-10 2:05 ` Daeho Jeong
2020-06-10 3:15 ` Eric Biggers [this message]
2020-06-10 3:15 ` Eric Biggers
2020-06-10 3:55 ` Daeho Jeong
2020-06-10 3:55 ` Daeho Jeong
2020-06-10 23:31 ` Daeho Jeong
2020-06-10 23:31 ` Daeho Jeong
2020-06-10 23:53 ` Daeho Jeong
2020-06-10 23:53 ` Daeho Jeong
2020-06-11 0:00 ` Eric Biggers
2020-06-11 0:00 ` Eric Biggers
2020-06-11 0:23 ` Daeho Jeong
2020-06-11 0:23 ` Daeho Jeong
2020-06-11 1:56 ` Eric Biggers
2020-06-11 1:56 ` Eric Biggers
2020-06-11 2:05 ` Daeho Jeong
2020-06-11 2:05 ` Daeho Jeong
-- strict thread matches above, loose matches on Subject: below --
2020-06-11 3:08 Daeho Jeong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200610031532.GA6286@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=daeho43@gmail.com \
--cc=daehojeong@google.com \
--cc=kernel-team@android.com \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.