lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Jun 2020 08:31:20 +0900 From: Daeho Jeong <daeho43@...il.com> To: Eric Biggers <ebiggers@...nel.org> Cc: linux-kernel@...r.kernel.org, linux-f2fs-devel@...ts.sourceforge.net, kernel-team@...roid.com, Daeho Jeong <daehojeong@...gle.com> Subject: Re: [f2fs-dev] [PATCH] f2fs: add F2FS_IOC_SEC_TRIM_FILE ioctl > > > > > + > > > > > + if (f2fs_readonly(sbi->sb)) > > > > > + return -EROFS; > > > > > > > > Isn't this redundant with mnt_want_write_file()? > > > > > > > > Also, shouldn't write access to the file be required, i.e. > > > > (filp->f_mode & FMODE_WRITE)? Then the f2fs_readonly() and > > > > mnt_want_write_file() checks would be unnecessary. > > > > > > > > > > Using FMODE_WRITE is more proper for this case, since we're going to > > > modify the data. But I think mnt_want_write_file() is still required > > > to prevent the filesystem from freezing or something else. > > > > Right, the freezing check is actually still necessary. But getting write access > > to the mount is not necessary. I think you should use file_start_write() and > > file_end_write(), like vfs_write() does. I've checked this again. But I think mnt_want_write_file() looks better than the combination of checking FMODE_WRITE and file_start_write(), because mnt_want_write_file() handles all the things we need. It checks FMODE_WRITER, which is set in do_dentry_open() when FMODE_WRITE is already set, and does the stuff that file_start_write() is doing. This is why the other filesystem system calls use it. What do you think? 2020년 6월 10일 (수) 오후 12:55, Daeho Jeong <daeho43@...il.com>님이 작성: > > > > > > > To prevent the file data from garbage collecting, the user needs to > > > use pinfile ioctl and fallocate system call after creating the file. > > > The sequence is like below. > > > 1. create an empty file > > > 2. pinfile > > > 3. fallocate() > > > > Is that persistent? So the file will never be moved afterwards? > > > > Is there a place where this is (or should be) documented? > > Yes, this is persistent. F2FS_IOC_SET_PIN_FILE ioctl is to prevent > file data from moving and being garbage collected, and further update > to the file will be handled in in-place update manner. > I don't see any document on this, but you can find the below in > Documentation/filesystems/f2fs.rst > > However, once F2FS receives ioctl(fd, F2FS_IOC_SET_PIN_FILE) in prior to > fallocate(fd, DEFAULT_MODE), it allocates on-disk blocks addresses having > zero or random data, which is useful to the below scenario where: > > 1. create(fd) > 2. ioctl(fd, F2FS_IOC_SET_PIN_FILE) > 3. fallocate(fd, 0, 0, size) > 4. address = fibmap(fd, offset) > 5. open(blkdev) > 6. write(blkdev, address) > > > Right, the freezing check is actually still necessary. But getting write access > > to the mount is not necessary. I think you should use file_start_write() and > > file_end_write(), like vfs_write() does. > > Yes, agreed. > > 2020년 6월 10일 (수) 오후 12:15, Eric Biggers <ebiggers@...nel.org>님이 작성: > > > > On Wed, Jun 10, 2020 at 11:05:46AM +0900, Daeho Jeong wrote: > > > > > Added a new ioctl to send discard commands or/and zero out > > > > > to whole data area of a regular file for security reason. > > > > > > > > With this ioctl available, what is the exact procedure to write and then later > > > > securely erase a file on f2fs? In particular, how can the user prevent f2fs > > > > from making multiple copies of file data blocks as part of garbage collection? > > > > > > > > > > To prevent the file data from garbage collecting, the user needs to > > > use pinfile ioctl and fallocate system call after creating the file. > > > The sequence is like below. > > > 1. create an empty file > > > 2. pinfile > > > 3. fallocate() > > > > Is that persistent? So the file will never be moved afterwards? > > > > Is there a place where this is (or should be) documented? > > > > > > > + > > > > > + if (f2fs_readonly(sbi->sb)) > > > > > + return -EROFS; > > > > > > > > Isn't this redundant with mnt_want_write_file()? > > > > > > > > Also, shouldn't write access to the file be required, i.e. > > > > (filp->f_mode & FMODE_WRITE)? Then the f2fs_readonly() and > > > > mnt_want_write_file() checks would be unnecessary. > > > > > > > > > > Using FMODE_WRITE is more proper for this case, since we're going to > > > modify the data. But I think mnt_want_write_file() is still required > > > to prevent the filesystem from freezing or something else. > > > > Right, the freezing check is actually still necessary. But getting write access > > to the mount is not necessary. I think you should use file_start_write() and > > file_end_write(), like vfs_write() does. > > > > > > > > > > > + > > > > > + if (get_user(flags, (u32 __user *)arg)) > > > > > + return -EFAULT; > > > > > + if (!(flags & F2FS_TRIM_FILE_MASK)) > > > > > + return -EINVAL; > > > > > > > > Need to reject unknown flags: > > > > > > > > if (flags & ~F2FS_TRIM_FILE_MASK) > > > > return -EINVAL; > > > > > > I needed a different thing here. This was to check neither discard nor > > > zeroing out are not here. But we still need to check unknown flags, > > > too. > > > The below might be better. > > > if (!flags || flags & ~F2FS_TRIM_FILE_MASK) > > > return -EINVAL; > > > > Sure, but please put parentheses around the second clause: > > > > if (flags == 0 || (flags & ~F2FS_TRIM_FILE_MASK)) > > return -EINVAL; > > > > - Eric
Powered by blists - more mailing lists