From: Theodore Ts'o <tytso@mit.edu>
To: Richard Weinberger <richard@nod.at>
Cc: Jaegeuk Kim <jaegeuk@kernel.org>,
linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: ext4, f2fs: fscrypt_has_permitted_context() check in file open
Date: Thu, 22 Sep 2016 09:44:33 -0400 [thread overview]
Message-ID: <20160922134433.w3riey2mhtvs54dx@thunk.org> (raw)
In-Reply-To: <6789d30e-f95d-d8bd-cd6e-664a89c0dfd1@nod.at>
On Thu, Sep 22, 2016 at 02:24:35PM +0200, Richard Weinberger wrote:
> Hi!
>
> Both ext4 and f2fs check in the file open code the context of the parent directory too:
>
> ext4:
> if (ext4_encrypted_inode(d_inode(dir)) &&
> !fscrypt_has_permitted_context(d_inode(dir), inode)) {
> ext4_warning(inode->i_sb,
> "Inconsistent encryption contexts: %lu/%lu",
> (unsigned long) d_inode(dir)->i_ino,
> (unsigned long) inode->i_ino);
> dput(dir);
> return -EPERM;
> }
>
> f2fs:
> if (f2fs_encrypted_inode(d_inode(dir)) &&
> !fscrypt_has_permitted_context(d_inode(dir), inode)) {
> dput(dir);
> return -EPERM;
> }
>
> Why do we need this check? AFAIK this situation can never happen unless due to
> a bug in the filesystem code.
Or in the case of a malicious attacker who is trying to achieve an
off-line attack on your file system.... applications aren't going to
be checking to see if they are writing their file with encryption
enabled (and with the correct key), because they will largely be
encryption oblivious.
So imagine a case where you have a file, say, dissidents.txt. This
file is encrypted, and is in a encrypted directory. The bad guy, in
an offline attack (e.g., using a tool like debugfs), creates a
replacement directory which is unencrypted, and creates a link to the
encrypted dissidents.txt file to that replacement directory.
You then go back to your hotel room in Beijing, boot your laptop, fire
up your editor, and then edit the dissidents.txt file. You have the
keys, so it is read in just fine into vi or emacs. But when when you
write out the file, the editor writes the file into
dissidents.txt.new, calls fsync on it, and then renames dissidents.txt
to dissidents.txt~, and renames dissidents.txt.new to dissidents.txt.
But since it is now in an unencrypted directory, dissidents.txt is now
unencrypted.
You then leave the hotel room, and the MSS agent goes back to your
room, and completes the exfiltration of dissidents.txt.
Cheers,
- Ted
P.S. If you're from China, replace MSS with FBI, and Beijing with
Washington, D.C. :-) The principle is the same in either case.
next prev parent reply other threads:[~2016-09-22 13:44 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-22 12:24 ext4, f2fs: fscrypt_has_permitted_context() check in file open Richard Weinberger
2016-09-22 13:44 ` Theodore Ts'o [this message]
2016-09-22 14:21 ` Richard Weinberger
2016-09-22 15:59 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160922134433.w3riey2mhtvs54dx@thunk.org \
--to=tytso@mit.edu \
--cc=jaegeuk@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=richard@nod.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).