* ext4, f2fs: fscrypt_has_permitted_context() check in file open
@ 2016-09-22 12:24 Richard Weinberger
2016-09-22 13:44 ` Theodore Ts'o
0 siblings, 1 reply; 4+ messages in thread
From: Richard Weinberger @ 2016-09-22 12:24 UTC (permalink / raw)
To: Theodore Ts'o, Jaegeuk Kim
Cc: linux-ext4, linux-f2fs-devel, linux-fsdevel,
linux-kernel@vger.kernel.org
Hi!
Both ext4 and f2fs check in the file open code the context of the parent directory too:
ext4:
if (ext4_encrypted_inode(d_inode(dir)) &&
!fscrypt_has_permitted_context(d_inode(dir), inode)) {
ext4_warning(inode->i_sb,
"Inconsistent encryption contexts: %lu/%lu",
(unsigned long) d_inode(dir)->i_ino,
(unsigned long) inode->i_ino);
dput(dir);
return -EPERM;
}
f2fs:
if (f2fs_encrypted_inode(d_inode(dir)) &&
!fscrypt_has_permitted_context(d_inode(dir), inode)) {
dput(dir);
return -EPERM;
}
Why do we need this check? AFAIK this situation can never happen unless due to
a bug in the filesystem code.
Thanks,
//richard
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: ext4, f2fs: fscrypt_has_permitted_context() check in file open 2016-09-22 12:24 ext4, f2fs: fscrypt_has_permitted_context() check in file open Richard Weinberger @ 2016-09-22 13:44 ` Theodore Ts'o 2016-09-22 14:21 ` Richard Weinberger 0 siblings, 1 reply; 4+ messages in thread From: Theodore Ts'o @ 2016-09-22 13:44 UTC (permalink / raw) To: Richard Weinberger Cc: Jaegeuk Kim, linux-ext4, linux-f2fs-devel, linux-fsdevel, linux-kernel@vger.kernel.org On Thu, Sep 22, 2016 at 02:24:35PM +0200, Richard Weinberger wrote: > Hi! > > Both ext4 and f2fs check in the file open code the context of the parent directory too: > > ext4: > if (ext4_encrypted_inode(d_inode(dir)) && > !fscrypt_has_permitted_context(d_inode(dir), inode)) { > ext4_warning(inode->i_sb, > "Inconsistent encryption contexts: %lu/%lu", > (unsigned long) d_inode(dir)->i_ino, > (unsigned long) inode->i_ino); > dput(dir); > return -EPERM; > } > > f2fs: > if (f2fs_encrypted_inode(d_inode(dir)) && > !fscrypt_has_permitted_context(d_inode(dir), inode)) { > dput(dir); > return -EPERM; > } > > Why do we need this check? AFAIK this situation can never happen unless due to > a bug in the filesystem code. Or in the case of a malicious attacker who is trying to achieve an off-line attack on your file system.... applications aren't going to be checking to see if they are writing their file with encryption enabled (and with the correct key), because they will largely be encryption oblivious. So imagine a case where you have a file, say, dissidents.txt. This file is encrypted, and is in a encrypted directory. The bad guy, in an offline attack (e.g., using a tool like debugfs), creates a replacement directory which is unencrypted, and creates a link to the encrypted dissidents.txt file to that replacement directory. You then go back to your hotel room in Beijing, boot your laptop, fire up your editor, and then edit the dissidents.txt file. You have the keys, so it is read in just fine into vi or emacs. But when when you write out the file, the editor writes the file into dissidents.txt.new, calls fsync on it, and then renames dissidents.txt to dissidents.txt~, and renames dissidents.txt.new to dissidents.txt. But since it is now in an unencrypted directory, dissidents.txt is now unencrypted. You then leave the hotel room, and the MSS agent goes back to your room, and completes the exfiltration of dissidents.txt. Cheers, - Ted P.S. If you're from China, replace MSS with FBI, and Beijing with Washington, D.C. :-) The principle is the same in either case. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: ext4, f2fs: fscrypt_has_permitted_context() check in file open 2016-09-22 13:44 ` Theodore Ts'o @ 2016-09-22 14:21 ` Richard Weinberger 2016-09-22 15:59 ` Theodore Ts'o 0 siblings, 1 reply; 4+ messages in thread From: Richard Weinberger @ 2016-09-22 14:21 UTC (permalink / raw) To: Theodore Ts'o, Jaegeuk Kim Cc: linux-ext4, linux-f2fs-devel, linux-fsdevel, linux-kernel@vger.kernel.org, David Gstir Ted, On 22.09.2016 15:44, Theodore Ts'o wrote: > On Thu, Sep 22, 2016 at 02:24:35PM +0200, Richard Weinberger wrote: >> Why do we need this check? AFAIK this situation can never happen unless due to >> a bug in the filesystem code. > > Or in the case of a malicious attacker who is trying to achieve an > off-line attack on your file system.... applications aren't going to > be checking to see if they are writing their file with encryption > enabled (and with the correct key), because they will largely be > encryption oblivious. > > So imagine a case where you have a file, say, dissidents.txt. This > file is encrypted, and is in a encrypted directory. The bad guy, in > an offline attack (e.g., using a tool like debugfs), creates a > replacement directory which is unencrypted, and creates a link to the > encrypted dissidents.txt file to that replacement directory. > > You then go back to your hotel room in Beijing, boot your laptop, fire > up your editor, and then edit the dissidents.txt file. You have the > keys, so it is read in just fine into vi or emacs. But when when you > write out the file, the editor writes the file into > dissidents.txt.new, calls fsync on it, and then renames dissidents.txt > to dissidents.txt~, and renames dissidents.txt.new to dissidents.txt. > But since it is now in an unencrypted directory, dissidents.txt is now > unencrypted. Got it. So, the use case is preventing off-line attacks. But I fear this is only a drop in the bucket. What we really need is meta data authentication. Thanks, //richard ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: ext4, f2fs: fscrypt_has_permitted_context() check in file open 2016-09-22 14:21 ` Richard Weinberger @ 2016-09-22 15:59 ` Theodore Ts'o 0 siblings, 0 replies; 4+ messages in thread From: Theodore Ts'o @ 2016-09-22 15:59 UTC (permalink / raw) To: Richard Weinberger Cc: David Gstir, linux-kernel@vger.kernel.org, linux-f2fs-devel, linux-fsdevel, Jaegeuk Kim, linux-ext4 On Thu, Sep 22, 2016 at 04:21:30PM +0200, Richard Weinberger wrote: > > Got it. So, the use case is preventing off-line attacks. > But I fear this is only a drop in the bucket. What we really need is > meta data authentication. True security requires a system-wide design, sure. For example, you might want a locked bootloader that will only boot signed kernels. The kernel might then require to use a read-only root file system with dm-verity to make sure the system software can't be trojan'ed. And then you want the system software to enforce that the top-level directories which contain encrypted information are protected using the correct keys, perhaps using some trusted hardware store where the user's keys are stored (and only released when the proper password / pin is given). Given all of those induction steps, *then* the file system level checks that require that all subdirectories and files in an encrypted directories must be encrypted using the same key as their parent will provide the security you need. Cheers, - Ted ------------------------------------------------------------------------------ ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-09-22 16:01 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-09-22 12:24 ext4, f2fs: fscrypt_has_permitted_context() check in file open Richard Weinberger 2016-09-22 13:44 ` Theodore Ts'o 2016-09-22 14:21 ` Richard Weinberger 2016-09-22 15:59 ` Theodore Ts'o
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).