lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 4 Sep 2019 08:55:25 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     linux-ext4@...r.kernel.org
Cc:     linux-fscrypt@...r.kernel.org
Subject: Re: [PATCH v3] e2fsck: check for consistent encryption policies

On Fri, Aug 23, 2019 at 09:23:39AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@...gle.com>
> 
> By design, the kernel enforces that all files in an encrypted directory
> use the same encryption policy as the directory.  It's not possible to
> violate this constraint using syscalls.  Lookups of files that violate
> this constraint also fail, in case the disk was manipulated.
> 
> But this constraint can also be violated by accidental filesystem
> corruption.  E.g., a power cut when using ext4 without a journal might
> leave new files without the encryption bit and/or xattr.  Thus, it's
> important that e2fsck correct this condition.
> 
> Therefore, this patch makes the following changes to e2fsck:
> 
> - During pass 1 (inode table scan), create a map from inode number to
>   encryption policy for all encrypted inodes.  But it's optimized so
>   that the full xattrs aren't saved but rather only 32-bit "policy IDs",
>   since usually many inodes share the same encryption policy.  Also, if
>   an encryption xattr is missing, offer to clear the encrypt flag.  If
>   an encryption xattr is clearly corrupt, offer to clear the inode.
> 
> - During pass 2 (directory structure check), use the map to verify that
>   all regular files, directories, and symlinks in encrypted directories
>   use the directory's encryption policy.  Offer to clear any directory
>   entries for which this isn't the case.
> 
> Add a new test "f_bad_encryption" to test the new behavior.
> 
> Due to the new checks, it was also necessary to update the existing test
> "f_short_encrypted_dirent" to add an encryption xattr to the test file,
> since it was missing one before, which is now considered invalid.
> 

Any comments on this patch?

- Eric

Powered by blists - more mailing lists