From: Eric Biggers <ebiggers@kernel.org>
To: David Howells <dhowells@redhat.com>
Cc: linux-fscrypt@vger.kernel.org,
Satya Tangirala <satyat@google.com>,
linux-api@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net, keyrings@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
Paul Crowley <paulcrowley@google.com>
Subject: Re: [RFC PATCH v3 00/18] fscrypt: key management improvements
Date: Wed, 20 Feb 2019 10:36:20 -0800 [thread overview]
Message-ID: <20190220183619.GA177939@gmail.com> (raw)
In-Reply-To: <14023.1550686042@warthog.procyon.org.uk>
Hi David,
On Wed, Feb 20, 2019 at 06:07:22PM +0000, David Howells wrote:
> I have a couple of patches that add ACLs to keyrings, that you can find at the
> top of the branch here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-acl
>
> I have other patches that allow tags to be used as subjects in the ACL, with a
> container supplying a tag, e.g.:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=container&id=e0fdc5613a32b9475b025f58e7a2267329b3f3a4
>
> Might something similar be of use to you here, perhaps specifying a tag
> referring to the blockdev of interest rather than the container?
>
> David
I don't think so. The main point of adding keys directly to the filesystem is
that it's generally inappropriate to apply OS-level access control or
process-based visibility restrictions to fscrypt keys given that:
- The unlocked/locked status of files is already filesystem-level.
- The purpose of encryption is orthogonal to OS-level access control.
The ioctl based interface also makes it *much* easier to implement all the
semantics needed for removing fscrypt keys.
I don't see how key ACLs would be appropriate here, except that key ACLs would
allow userspace to opt-in to fixing the denial of service vulnerability where
keyctl_invalidate() only requires Search permission. But for fscrypt that's
addressed by my proposal too, and is just one of many problems it addresses.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: David Howells <dhowells@redhat.com>
Cc: linux-ext4@vger.kernel.org, linux-api@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-fscrypt@vger.kernel.org, keyrings@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Satya Tangirala <satyat@google.com>,
Paul Crowley <paulcrowley@google.com>
Subject: Re: [RFC PATCH v3 00/18] fscrypt: key management improvements
Date: Wed, 20 Feb 2019 18:36:20 +0000 [thread overview]
Message-ID: <20190220183619.GA177939@gmail.com> (raw)
In-Reply-To: <14023.1550686042@warthog.procyon.org.uk>
Hi David,
On Wed, Feb 20, 2019 at 06:07:22PM +0000, David Howells wrote:
> I have a couple of patches that add ACLs to keyrings, that you can find at the
> top of the branch here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-acl
>
> I have other patches that allow tags to be used as subjects in the ACL, with a
> container supplying a tag, e.g.:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=container&idàfdc5613a32b9475b025f58e7a2267329b3f3a4
>
> Might something similar be of use to you here, perhaps specifying a tag
> referring to the blockdev of interest rather than the container?
>
> David
I don't think so. The main point of adding keys directly to the filesystem is
that it's generally inappropriate to apply OS-level access control or
process-based visibility restrictions to fscrypt keys given that:
- The unlocked/locked status of files is already filesystem-level.
- The purpose of encryption is orthogonal to OS-level access control.
The ioctl based interface also makes it *much* easier to implement all the
semantics needed for removing fscrypt keys.
I don't see how key ACLs would be appropriate here, except that key ACLs would
allow userspace to opt-in to fixing the denial of service vulnerability where
keyctl_invalidate() only requires Search permission. But for fscrypt that's
addressed by my proposal too, and is just one of many problems it addresses.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: David Howells <dhowells@redhat.com>
Cc: linux-ext4@vger.kernel.org, linux-api@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-fscrypt@vger.kernel.org, keyrings@vger.kernel.org,
linux-mtd@lists.infradead.org, linux-crypto@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Satya Tangirala <satyat@google.com>,
Paul Crowley <paulcrowley@google.com>
Subject: Re: [RFC PATCH v3 00/18] fscrypt: key management improvements
Date: Wed, 20 Feb 2019 10:36:20 -0800 [thread overview]
Message-ID: <20190220183619.GA177939@gmail.com> (raw)
In-Reply-To: <14023.1550686042@warthog.procyon.org.uk>
Hi David,
On Wed, Feb 20, 2019 at 06:07:22PM +0000, David Howells wrote:
> I have a couple of patches that add ACLs to keyrings, that you can find at the
> top of the branch here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-acl
>
> I have other patches that allow tags to be used as subjects in the ACL, with a
> container supplying a tag, e.g.:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=container&id=e0fdc5613a32b9475b025f58e7a2267329b3f3a4
>
> Might something similar be of use to you here, perhaps specifying a tag
> referring to the blockdev of interest rather than the container?
>
> David
I don't think so. The main point of adding keys directly to the filesystem is
that it's generally inappropriate to apply OS-level access control or
process-based visibility restrictions to fscrypt keys given that:
- The unlocked/locked status of files is already filesystem-level.
- The purpose of encryption is orthogonal to OS-level access control.
The ioctl based interface also makes it *much* easier to implement all the
semantics needed for removing fscrypt keys.
I don't see how key ACLs would be appropriate here, except that key ACLs would
allow userspace to opt-in to fixing the denial of service vulnerability where
keyctl_invalidate() only requires Search permission. But for fscrypt that's
addressed by my proposal too, and is just one of many problems it addresses.
- Eric
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2019-02-20 18:36 UTC|newest]
Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-20 6:52 [RFC PATCH v3 00/18] fscrypt: key management improvements Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 01/18] fs, fscrypt: move uapi definitions to new header <linux/fscrypt.h> Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 02/18] fscrypt: use FSCRYPT_ prefix for uapi constants Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [f2fs-dev] " Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 03/18] fscrypt: use FSCRYPT_* definitions, not FS_* Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 04/18] fs: add ->s_master_keys to struct super_block Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [f2fs-dev] " Eric Biggers
2019-02-20 23:19 ` Richard Weinberger
2019-02-20 23:19 ` Richard Weinberger
2019-02-20 23:19 ` Richard Weinberger
2019-02-20 23:19 ` Richard Weinberger
2019-02-20 6:52 ` [RFC PATCH v3 05/18] fscrypt: add ->ci_inode to fscrypt_info Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [f2fs-dev] " Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 06/18] fscrypt: refactor v1 policy key setup into keysetup_legacy.c Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 07/18] fscrypt: add FS_IOC_ADD_ENCRYPTION_KEY ioctl Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [f2fs-dev] " Eric Biggers
2019-02-20 23:52 ` Richard Weinberger
2019-02-20 23:52 ` Richard Weinberger
2019-02-20 23:52 ` Richard Weinberger
2019-02-20 23:52 ` Richard Weinberger
2019-02-21 5:49 ` Eric Biggers
2019-02-21 5:49 ` Eric Biggers
2019-02-21 5:49 ` Eric Biggers
2019-02-21 9:33 ` Richard Weinberger
2019-02-21 9:33 ` Richard Weinberger
2019-02-21 9:33 ` Richard Weinberger
2019-02-21 18:42 ` Eric Biggers
2019-02-21 18:42 ` Eric Biggers
2019-02-21 18:42 ` Eric Biggers
2019-02-21 18:42 ` Eric Biggers
2019-03-18 23:08 ` Eric Biggers
2019-03-18 23:08 ` Eric Biggers
2019-03-18 23:08 ` Eric Biggers
2019-03-18 23:08 ` Eric Biggers
2019-03-18 23:08 ` [f2fs-dev] " Eric Biggers
2019-03-22 22:02 ` Richard Weinberger
2019-03-22 22:02 ` Richard Weinberger
2019-03-22 22:02 ` Richard Weinberger
2019-03-22 22:02 ` Richard Weinberger
2019-02-20 6:52 ` [RFC PATCH v3 08/18] fs/dcache.c: add shrink_dcache_inode() Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 09/18] fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [f2fs-dev] " Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 10/18] fscrypt: add FS_IOC_GET_ENCRYPTION_KEY_STATUS ioctl Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 11/18] fscrypt: add an HKDF-SHA512 implementation Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [f2fs-dev] " Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 12/18] fscrypt: v2 encryption policy support Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 13/18] fscrypt: allow unprivileged users to add/remove keys for v2 policies Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [f2fs-dev] " Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 14/18] fscrypt: require that key be added when setting a v2 encryption policy Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [f2fs-dev] " Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 15/18] ext4: wire up new fscrypt ioctls Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [f2fs-dev] " Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 16/18] f2fs: " Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 17/18] ubifs: " Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` [RFC PATCH v3 18/18] fscrypt: document the new ioctls and policy version Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 6:52 ` Eric Biggers
2019-02-20 7:18 ` [RFC PATCH v3 00/18] fscrypt: key management improvements Andreas Dilger
2019-02-20 7:18 ` Andreas Dilger
2019-02-20 7:18 ` Andreas Dilger
2019-02-20 7:54 ` Eric Biggers
2019-02-20 7:54 ` Eric Biggers
2019-02-20 7:54 ` Eric Biggers
2019-02-20 7:54 ` [f2fs-dev] " Eric Biggers
2019-02-20 18:07 ` David Howells
2019-02-20 18:07 ` David Howells
2019-02-20 18:07 ` David Howells
2019-02-20 18:07 ` David Howells
2019-02-20 18:36 ` Eric Biggers [this message]
2019-02-20 18:36 ` Eric Biggers
2019-02-20 18:36 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190220183619.GA177939@gmail.com \
--to=ebiggers@kernel.org \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=paulcrowley@google.com \
--cc=satyat@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.