From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.3 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2A4A8C31E40 for ; Mon, 12 Aug 2019 14:17:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E6A3D20842 for ; Mon, 12 Aug 2019 14:17:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726585AbfHLORT (ORCPT ); Mon, 12 Aug 2019 10:17:19 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:33943 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726354AbfHLORS (ORCPT ); Mon, 12 Aug 2019 10:17:18 -0400 Received: from callcc.thunk.org (guestnat-104-133-9-109.corp.google.com [104.133.9.109] (may be forged)) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x7CEGtiI013115 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Aug 2019 10:16:57 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id 7E7C44218EF; Mon, 12 Aug 2019 10:16:55 -0400 (EDT) Date: Mon, 12 Aug 2019 10:16:55 -0400 From: "Theodore Y. Ts'o" To: linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-mtd@lists.infradead.org, linux-api@vger.kernel.org, linux-crypto@vger.kernel.org, keyrings@vger.kernel.org, Paul Crowley , Satya Tangirala Subject: Re: [PATCH v7 07/16] fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl Message-ID: <20190812141655.GA11831@mit.edu> References: <20190726224141.14044-1-ebiggers@kernel.org> <20190726224141.14044-8-ebiggers@kernel.org> <20190728192417.GG6088@mit.edu> <20190729195827.GF169027@gmail.com> <20190731183802.GA687@sol.localdomain> <20190731233843.GA2769@mit.edu> <20190801011140.GB687@sol.localdomain> <20190801053108.GD2769@mit.edu> <20190801220432.GC223822@gmail.com> <20190802043827.GA19201@sol.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190802043827.GA19201@sol.localdomain> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, Aug 01, 2019 at 09:38:27PM -0700, Eric Biggers wrote: > > Here's a slightly updated version (I missed removing some stale text): Apologies for the delaying in getting back. Thanks, this looks great. - Ted > > Removing keys > ------------- > > Two ioctls are available for removing a key that was added by > `FS_IOC_ADD_ENCRYPTION_KEY`_: > > - `FS_IOC_REMOVE_ENCRYPTION_KEY`_ > - `FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS`_ > > These two ioctls differ only in cases where v2 policy keys are added > or removed by non-root users. > > These ioctls don't work on keys that were added via the legacy > process-subscribed keyrings mechanism. > > Before using these ioctls, read the `Kernel memory compromise`_ > section for a discussion of the security goals and limitations of > these ioctls. > > FS_IOC_REMOVE_ENCRYPTION_KEY > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > The FS_IOC_REMOVE_ENCRYPTION_KEY ioctl removes a claim to a master > encryption key from the filesystem, and possibly removes the key > itself. It can be executed on any file or directory on the target > filesystem, but using the filesystem's root directory is recommended. > It takes in a pointer to a :c:type:`struct fscrypt_remove_key_arg`, > defined as follows:: > > struct fscrypt_remove_key_arg { > struct fscrypt_key_specifier key_spec; > #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY 0x00000001 > #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS 0x00000002 > __u32 removal_status_flags; /* output */ > __u32 __reserved[5]; > }; > > This structure must be zeroed, then initialized as follows: > > - The key to remove is specified by ``key_spec``: > > - To remove a key used by v1 encryption policies, set > ``key_spec.type`` to FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR and fill > in ``key_spec.u.descriptor``. To remove this type of key, the > calling process must have the CAP_SYS_ADMIN capability in the > initial user namespace. > > - To remove a key used by v2 encryption policies, set > ``key_spec.type`` to FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER and fill > in ``key_spec.u.identifier``. > > For v2 policy keys, this ioctl is usable by non-root users. However, > to make this possible, it actually just removes the current user's > claim to the key, undoing a single call to FS_IOC_ADD_ENCRYPTION_KEY. > Only after all claims are removed is the key really removed. > > For example, if FS_IOC_ADD_ENCRYPTION_KEY was called with uid 1000, > then the key will be "claimed" by uid 1000, and > FS_IOC_REMOVE_ENCRYPTION_KEY will only succeed as uid 1000. Or, if > both uids 1000 and 2000 added the key, then for each uid > FS_IOC_REMOVE_ENCRYPTION_KEY will only remove their own claim. Only > once *both* are removed is the key really removed. (Think of it like > unlinking a file that may have hard links.) > > If FS_IOC_REMOVE_ENCRYPTION_KEY really removes the key, it will also > try to "lock" all files that had been unlocked with the key. It won't > lock files that are still in-use, so this ioctl is expected to be used > in cooperation with userspace ensuring that none of the files are > still open. However, if necessary, the ioctl can be executed again > later to retry locking any remaining files. > > FS_IOC_REMOVE_ENCRYPTION_KEY returns 0 if either the key was removed > (but may still have files remaining to be locked), the user's claim to > the key was removed, or the key was already removed but had files > remaining to be the locked so the ioctl retried locking them. In any > of these cases, ``removal_status_flags`` is filled in with the > following informational status flags: > > - ``FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY``: set if some file(s) > are still in-use. Not guaranteed to be set in the case where only > the user's claim to the key was removed. > - ``FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS``: set if only the > user's claim to the key was removed, not the key itself > > FS_IOC_REMOVE_ENCRYPTION_KEY can fail with the following errors: > > - ``EACCES``: The FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR key specifier type > was specified, but the caller does not have the CAP_SYS_ADMIN > capability in the initial user namespace > - ``EINVAL``: invalid key specifier type, or reserved bits were set > - ``ENOKEY``: the key object was not found at all, i.e. it was never > added in the first place or was already fully removed including all > files locked; or, the user does not have a claim to the key. > - ``ENOTTY``: this type of filesystem does not implement encryption > - ``EOPNOTSUPP``: the kernel was not configured with encryption > support for this filesystem, or the filesystem superblock has not > had encryption enabled on it > > FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS is exactly the same as > `FS_IOC_REMOVE_ENCRYPTION_KEY`_, except that for v2 policy keys, the > ALL_USERS version of the ioctl will remove all users' claims to the > key, not just the current user's. I.e., the key itself will always be > removed, no matter how many users have added it. This difference is > only meaningful if non-root users are adding and removing keys. > > Because of this, FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS also requires > "root", namely the CAP_SYS_ADMIN capability in the initial user > namespace. Otherwise it will fail with ``EACCES``. From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Theodore Y. Ts'o" Date: Mon, 12 Aug 2019 14:16:55 +0000 Subject: Re: [PATCH v7 07/16] fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl Message-Id: <20190812141655.GA11831@mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit List-Id: References: <20190726224141.14044-1-ebiggers@kernel.org> <20190726224141.14044-8-ebiggers@kernel.org> <20190728192417.GG6088@mit.edu> <20190729195827.GF169027@gmail.com> <20190731183802.GA687@sol.localdomain> <20190731233843.GA2769@mit.edu> <20190801011140.GB687@sol.localdomain> <20190801053108.GD2769@mit.edu> <20190801220432.GC223822@gmail.com> <20190802043827.GA19201@sol.localdomain> In-Reply-To: <20190802043827.GA19201@sol.localdomain> To: linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-mtd@lists.infradead.org, linux-api@vger.kernel.org, linux-crypto@vger.kernel.org, keyrings@vger.kernel.org, Paul Crowley , Satya Tangirala On Thu, Aug 01, 2019 at 09:38:27PM -0700, Eric Biggers wrote: > > Here's a slightly updated version (I missed removing some stale text): Apologies for the delaying in getting back. Thanks, this looks great. - Ted > > Removing keys > ------------- > > Two ioctls are available for removing a key that was added by > `FS_IOC_ADD_ENCRYPTION_KEY`_: > > - `FS_IOC_REMOVE_ENCRYPTION_KEY`_ > - `FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS`_ > > These two ioctls differ only in cases where v2 policy keys are added > or removed by non-root users. > > These ioctls don't work on keys that were added via the legacy > process-subscribed keyrings mechanism. > > Before using these ioctls, read the `Kernel memory compromise`_ > section for a discussion of the security goals and limitations of > these ioctls. > > FS_IOC_REMOVE_ENCRYPTION_KEY > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > The FS_IOC_REMOVE_ENCRYPTION_KEY ioctl removes a claim to a master > encryption key from the filesystem, and possibly removes the key > itself. It can be executed on any file or directory on the target > filesystem, but using the filesystem's root directory is recommended. > It takes in a pointer to a :c:type:`struct fscrypt_remove_key_arg`, > defined as follows:: > > struct fscrypt_remove_key_arg { > struct fscrypt_key_specifier key_spec; > #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY 0x00000001 > #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS 0x00000002 > __u32 removal_status_flags; /* output */ > __u32 __reserved[5]; > }; > > This structure must be zeroed, then initialized as follows: > > - The key to remove is specified by ``key_spec``: > > - To remove a key used by v1 encryption policies, set > ``key_spec.type`` to FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR and fill > in ``key_spec.u.descriptor``. To remove this type of key, the > calling process must have the CAP_SYS_ADMIN capability in the > initial user namespace. > > - To remove a key used by v2 encryption policies, set > ``key_spec.type`` to FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER and fill > in ``key_spec.u.identifier``. > > For v2 policy keys, this ioctl is usable by non-root users. However, > to make this possible, it actually just removes the current user's > claim to the key, undoing a single call to FS_IOC_ADD_ENCRYPTION_KEY. > Only after all claims are removed is the key really removed. > > For example, if FS_IOC_ADD_ENCRYPTION_KEY was called with uid 1000, > then the key will be "claimed" by uid 1000, and > FS_IOC_REMOVE_ENCRYPTION_KEY will only succeed as uid 1000. Or, if > both uids 1000 and 2000 added the key, then for each uid > FS_IOC_REMOVE_ENCRYPTION_KEY will only remove their own claim. Only > once *both* are removed is the key really removed. (Think of it like > unlinking a file that may have hard links.) > > If FS_IOC_REMOVE_ENCRYPTION_KEY really removes the key, it will also > try to "lock" all files that had been unlocked with the key. It won't > lock files that are still in-use, so this ioctl is expected to be used > in cooperation with userspace ensuring that none of the files are > still open. However, if necessary, the ioctl can be executed again > later to retry locking any remaining files. > > FS_IOC_REMOVE_ENCRYPTION_KEY returns 0 if either the key was removed > (but may still have files remaining to be locked), the user's claim to > the key was removed, or the key was already removed but had files > remaining to be the locked so the ioctl retried locking them. In any > of these cases, ``removal_status_flags`` is filled in with the > following informational status flags: > > - ``FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY``: set if some file(s) > are still in-use. Not guaranteed to be set in the case where only > the user's claim to the key was removed. > - ``FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS``: set if only the > user's claim to the key was removed, not the key itself > > FS_IOC_REMOVE_ENCRYPTION_KEY can fail with the following errors: > > - ``EACCES``: The FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR key specifier type > was specified, but the caller does not have the CAP_SYS_ADMIN > capability in the initial user namespace > - ``EINVAL``: invalid key specifier type, or reserved bits were set > - ``ENOKEY``: the key object was not found at all, i.e. it was never > added in the first place or was already fully removed including all > files locked; or, the user does not have a claim to the key. > - ``ENOTTY``: this type of filesystem does not implement encryption > - ``EOPNOTSUPP``: the kernel was not configured with encryption > support for this filesystem, or the filesystem superblock has not > had encryption enabled on it > > FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS is exactly the same as > `FS_IOC_REMOVE_ENCRYPTION_KEY`_, except that for v2 policy keys, the > ALL_USERS version of the ioctl will remove all users' claims to the > key, not just the current user's. I.e., the key itself will always be > removed, no matter how many users have added it. This difference is > only meaningful if non-root users are adding and removing keys. > > Because of this, FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS also requires > "root", namely the CAP_SYS_ADMIN capability in the initial user > namespace. Otherwise it will fail with ``EACCES``. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.1 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C24CC31E40 for ; Mon, 12 Aug 2019 14:17:16 +0000 (UTC) Received: from lists.sourceforge.net (lists.sourceforge.net [216.105.38.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C7FB420679; Mon, 12 Aug 2019 14:17:15 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=sourceforge.net header.i=@sourceforge.net header.b="UL3IKH3G"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=sf.net header.i=@sf.net header.b="RhhlRnfI" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C7FB420679 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=mit.edu Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linux-f2fs-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1hxB8N-0002Ze-7Y; Mon, 12 Aug 2019 14:17:15 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1hxB8M-0002ZW-2C for linux-f2fs-devel@lists.sourceforge.net; Mon, 12 Aug 2019 14:17:14 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=In-Reply-To:Content-Type:MIME-Version:References: Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=C+AeBb6siX8Vz/dx0icJCICxDEOB/Hx3z9OydgM51lg=; b=UL3IKH3GGHfuhLvgYlo15M5C5L DiP1ZoMIui+sqvozBfHtKDzrxj6hrHkYvNmPVQzEj2cKBv7UKEVkuJHzeK0vvj6UkJ874qI2ygL9Z ox0cLhVttjO7ibg9ayQumWuKUJDqrvR42TxR1o9FkH1FPf+dS4L9Xbi4NRVqoviChgmA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To: From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=C+AeBb6siX8Vz/dx0icJCICxDEOB/Hx3z9OydgM51lg=; b=RhhlRnfI4i3RrxxmAulGX633Rs RAsOomFk9av6nnfOylsP0Q2Q8a3b5UX0P4YZnkF4Dv3FYOoXzOjlAGIFPjrBFg6v+TXs5mmHxaSs6 N/ErFyER/Ow2kqRsPxjOjQhzE8T4YgbEHtiNSDwpZmN5O68/oAE7mbtlYUx2Wr8krWsE=; Received: from outgoing-auth-1.mit.edu ([18.9.28.11] helo=outgoing.mit.edu) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1hxB8J-000ihR-Vl for linux-f2fs-devel@lists.sourceforge.net; Mon, 12 Aug 2019 14:17:14 +0000 Received: from callcc.thunk.org (guestnat-104-133-9-109.corp.google.com [104.133.9.109] (may be forged)) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x7CEGtiI013115 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Aug 2019 10:16:57 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id 7E7C44218EF; Mon, 12 Aug 2019 10:16:55 -0400 (EDT) Date: Mon, 12 Aug 2019 10:16:55 -0400 From: "Theodore Y. Ts'o" To: linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-mtd@lists.infradead.org, linux-api@vger.kernel.org, linux-crypto@vger.kernel.org, keyrings@vger.kernel.org, Paul Crowley , Satya Tangirala Message-ID: <20190812141655.GA11831@mit.edu> References: <20190726224141.14044-1-ebiggers@kernel.org> <20190726224141.14044-8-ebiggers@kernel.org> <20190728192417.GG6088@mit.edu> <20190729195827.GF169027@gmail.com> <20190731183802.GA687@sol.localdomain> <20190731233843.GA2769@mit.edu> <20190801011140.GB687@sol.localdomain> <20190801053108.GD2769@mit.edu> <20190801220432.GC223822@gmail.com> <20190802043827.GA19201@sol.localdomain> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20190802043827.GA19201@sol.localdomain> User-Agent: Mutt/1.10.1 (2018-07-13) X-Headers-End: 1hxB8J-000ihR-Vl Subject: Re: [f2fs-dev] [PATCH v7 07/16] fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl X-BeenThere: linux-f2fs-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: linux-f2fs-devel-bounces@lists.sourceforge.net On Thu, Aug 01, 2019 at 09:38:27PM -0700, Eric Biggers wrote: > > Here's a slightly updated version (I missed removing some stale text): Apologies for the delaying in getting back. Thanks, this looks great. - Ted > > Removing keys > ------------- > > Two ioctls are available for removing a key that was added by > `FS_IOC_ADD_ENCRYPTION_KEY`_: > > - `FS_IOC_REMOVE_ENCRYPTION_KEY`_ > - `FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS`_ > > These two ioctls differ only in cases where v2 policy keys are added > or removed by non-root users. > > These ioctls don't work on keys that were added via the legacy > process-subscribed keyrings mechanism. > > Before using these ioctls, read the `Kernel memory compromise`_ > section for a discussion of the security goals and limitations of > these ioctls. > > FS_IOC_REMOVE_ENCRYPTION_KEY > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > The FS_IOC_REMOVE_ENCRYPTION_KEY ioctl removes a claim to a master > encryption key from the filesystem, and possibly removes the key > itself. It can be executed on any file or directory on the target > filesystem, but using the filesystem's root directory is recommended. > It takes in a pointer to a :c:type:`struct fscrypt_remove_key_arg`, > defined as follows:: > > struct fscrypt_remove_key_arg { > struct fscrypt_key_specifier key_spec; > #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY 0x00000001 > #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS 0x00000002 > __u32 removal_status_flags; /* output */ > __u32 __reserved[5]; > }; > > This structure must be zeroed, then initialized as follows: > > - The key to remove is specified by ``key_spec``: > > - To remove a key used by v1 encryption policies, set > ``key_spec.type`` to FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR and fill > in ``key_spec.u.descriptor``. To remove this type of key, the > calling process must have the CAP_SYS_ADMIN capability in the > initial user namespace. > > - To remove a key used by v2 encryption policies, set > ``key_spec.type`` to FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER and fill > in ``key_spec.u.identifier``. > > For v2 policy keys, this ioctl is usable by non-root users. However, > to make this possible, it actually just removes the current user's > claim to the key, undoing a single call to FS_IOC_ADD_ENCRYPTION_KEY. > Only after all claims are removed is the key really removed. > > For example, if FS_IOC_ADD_ENCRYPTION_KEY was called with uid 1000, > then the key will be "claimed" by uid 1000, and > FS_IOC_REMOVE_ENCRYPTION_KEY will only succeed as uid 1000. Or, if > both uids 1000 and 2000 added the key, then for each uid > FS_IOC_REMOVE_ENCRYPTION_KEY will only remove their own claim. Only > once *both* are removed is the key really removed. (Think of it like > unlinking a file that may have hard links.) > > If FS_IOC_REMOVE_ENCRYPTION_KEY really removes the key, it will also > try to "lock" all files that had been unlocked with the key. It won't > lock files that are still in-use, so this ioctl is expected to be used > in cooperation with userspace ensuring that none of the files are > still open. However, if necessary, the ioctl can be executed again > later to retry locking any remaining files. > > FS_IOC_REMOVE_ENCRYPTION_KEY returns 0 if either the key was removed > (but may still have files remaining to be locked), the user's claim to > the key was removed, or the key was already removed but had files > remaining to be the locked so the ioctl retried locking them. In any > of these cases, ``removal_status_flags`` is filled in with the > following informational status flags: > > - ``FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY``: set if some file(s) > are still in-use. Not guaranteed to be set in the case where only > the user's claim to the key was removed. > - ``FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS``: set if only the > user's claim to the key was removed, not the key itself > > FS_IOC_REMOVE_ENCRYPTION_KEY can fail with the following errors: > > - ``EACCES``: The FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR key specifier type > was specified, but the caller does not have the CAP_SYS_ADMIN > capability in the initial user namespace > - ``EINVAL``: invalid key specifier type, or reserved bits were set > - ``ENOKEY``: the key object was not found at all, i.e. it was never > added in the first place or was already fully removed including all > files locked; or, the user does not have a claim to the key. > - ``ENOTTY``: this type of filesystem does not implement encryption > - ``EOPNOTSUPP``: the kernel was not configured with encryption > support for this filesystem, or the filesystem superblock has not > had encryption enabled on it > > FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS is exactly the same as > `FS_IOC_REMOVE_ENCRYPTION_KEY`_, except that for v2 policy keys, the > ALL_USERS version of the ioctl will remove all users' claims to the > key, not just the current user's. I.e., the key itself will always be > removed, no matter how many users have added it. This difference is > only meaningful if non-root users are adding and removing keys. > > Because of this, FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS also requires > "root", namely the CAP_SYS_ADMIN capability in the initial user > namespace. Otherwise it will fail with ``EACCES``. _______________________________________________ Linux-f2fs-devel mailing list Linux-f2fs-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.3 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 94604C31E40 for ; Mon, 12 Aug 2019 14:17:24 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 2BA9320679 for ; Mon, 12 Aug 2019 14:17:24 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="oAZmQYvC" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2BA9320679 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=mit.edu Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-mtd-bounces+linux-mtd=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:To:From:Date:Reply-To:Cc:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=3eBlmEGpVy29ixrD9ArZXhx6vu6hygs2Uqsi1/Mer2I=; b=oAZmQYvCyi5yBa KCSbmAmEmEpbm4Op3Ty6MB7iY67jDaeRq2FIqy06vlnkmYIlGKtvZhNiR0a+LufQ0AMGkk5MGfbf7 UuWNfMk5Ex43H1SRtoQUt/JiLolqS10diqN0FbdwOF9yNeT4QEovi6Yjoong9X4HB4hgZLvlIK994 3NT54Nv8GengWjHaXFyezwBAK+xvovwv6vuponZDwzPnzKgzmBWdLTf2QM5Hy7b2UBJiX3++iDDzl fDpKYvCv/N6ATT5KjRcSDrO9UgO4VtJc+fv/W67pH68S8gvuQzGVKPfnFWDxLOjUICDiyPvvobc2b /ptWH4O1AVxg21fxXrxg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92 #3 (Red Hat Linux)) id 1hxB8F-00089u-9P; Mon, 12 Aug 2019 14:17:07 +0000 Received: from outgoing-auth-1.mit.edu ([18.9.28.11] helo=outgoing.mit.edu) by bombadil.infradead.org with esmtps (Exim 4.92 #3 (Red Hat Linux)) id 1hxB8B-00088l-5p for linux-mtd@lists.infradead.org; Mon, 12 Aug 2019 14:17:05 +0000 Received: from callcc.thunk.org (guestnat-104-133-9-109.corp.google.com [104.133.9.109] (may be forged)) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x7CEGtiI013115 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Aug 2019 10:16:57 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id 7E7C44218EF; Mon, 12 Aug 2019 10:16:55 -0400 (EDT) Date: Mon, 12 Aug 2019 10:16:55 -0400 From: "Theodore Y. Ts'o" To: linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-mtd@lists.infradead.org, linux-api@vger.kernel.org, linux-crypto@vger.kernel.org, keyrings@vger.kernel.org, Paul Crowley , Satya Tangirala Subject: Re: [PATCH v7 07/16] fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl Message-ID: <20190812141655.GA11831@mit.edu> References: <20190726224141.14044-1-ebiggers@kernel.org> <20190726224141.14044-8-ebiggers@kernel.org> <20190728192417.GG6088@mit.edu> <20190729195827.GF169027@gmail.com> <20190731183802.GA687@sol.localdomain> <20190731233843.GA2769@mit.edu> <20190801011140.GB687@sol.localdomain> <20190801053108.GD2769@mit.edu> <20190801220432.GC223822@gmail.com> <20190802043827.GA19201@sol.localdomain> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20190802043827.GA19201@sol.localdomain> User-Agent: Mutt/1.10.1 (2018-07-13) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190812_071703_391194_EF31C707 X-CRM114-Status: GOOD ( 24.81 ) X-BeenThere: linux-mtd@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-mtd" Errors-To: linux-mtd-bounces+linux-mtd=archiver.kernel.org@lists.infradead.org On Thu, Aug 01, 2019 at 09:38:27PM -0700, Eric Biggers wrote: > > Here's a slightly updated version (I missed removing some stale text): Apologies for the delaying in getting back. Thanks, this looks great. - Ted > > Removing keys > ------------- > > Two ioctls are available for removing a key that was added by > `FS_IOC_ADD_ENCRYPTION_KEY`_: > > - `FS_IOC_REMOVE_ENCRYPTION_KEY`_ > - `FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS`_ > > These two ioctls differ only in cases where v2 policy keys are added > or removed by non-root users. > > These ioctls don't work on keys that were added via the legacy > process-subscribed keyrings mechanism. > > Before using these ioctls, read the `Kernel memory compromise`_ > section for a discussion of the security goals and limitations of > these ioctls. > > FS_IOC_REMOVE_ENCRYPTION_KEY > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > The FS_IOC_REMOVE_ENCRYPTION_KEY ioctl removes a claim to a master > encryption key from the filesystem, and possibly removes the key > itself. It can be executed on any file or directory on the target > filesystem, but using the filesystem's root directory is recommended. > It takes in a pointer to a :c:type:`struct fscrypt_remove_key_arg`, > defined as follows:: > > struct fscrypt_remove_key_arg { > struct fscrypt_key_specifier key_spec; > #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY 0x00000001 > #define FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS 0x00000002 > __u32 removal_status_flags; /* output */ > __u32 __reserved[5]; > }; > > This structure must be zeroed, then initialized as follows: > > - The key to remove is specified by ``key_spec``: > > - To remove a key used by v1 encryption policies, set > ``key_spec.type`` to FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR and fill > in ``key_spec.u.descriptor``. To remove this type of key, the > calling process must have the CAP_SYS_ADMIN capability in the > initial user namespace. > > - To remove a key used by v2 encryption policies, set > ``key_spec.type`` to FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER and fill > in ``key_spec.u.identifier``. > > For v2 policy keys, this ioctl is usable by non-root users. However, > to make this possible, it actually just removes the current user's > claim to the key, undoing a single call to FS_IOC_ADD_ENCRYPTION_KEY. > Only after all claims are removed is the key really removed. > > For example, if FS_IOC_ADD_ENCRYPTION_KEY was called with uid 1000, > then the key will be "claimed" by uid 1000, and > FS_IOC_REMOVE_ENCRYPTION_KEY will only succeed as uid 1000. Or, if > both uids 1000 and 2000 added the key, then for each uid > FS_IOC_REMOVE_ENCRYPTION_KEY will only remove their own claim. Only > once *both* are removed is the key really removed. (Think of it like > unlinking a file that may have hard links.) > > If FS_IOC_REMOVE_ENCRYPTION_KEY really removes the key, it will also > try to "lock" all files that had been unlocked with the key. It won't > lock files that are still in-use, so this ioctl is expected to be used > in cooperation with userspace ensuring that none of the files are > still open. However, if necessary, the ioctl can be executed again > later to retry locking any remaining files. > > FS_IOC_REMOVE_ENCRYPTION_KEY returns 0 if either the key was removed > (but may still have files remaining to be locked), the user's claim to > the key was removed, or the key was already removed but had files > remaining to be the locked so the ioctl retried locking them. In any > of these cases, ``removal_status_flags`` is filled in with the > following informational status flags: > > - ``FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY``: set if some file(s) > are still in-use. Not guaranteed to be set in the case where only > the user's claim to the key was removed. > - ``FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS``: set if only the > user's claim to the key was removed, not the key itself > > FS_IOC_REMOVE_ENCRYPTION_KEY can fail with the following errors: > > - ``EACCES``: The FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR key specifier type > was specified, but the caller does not have the CAP_SYS_ADMIN > capability in the initial user namespace > - ``EINVAL``: invalid key specifier type, or reserved bits were set > - ``ENOKEY``: the key object was not found at all, i.e. it was never > added in the first place or was already fully removed including all > files locked; or, the user does not have a claim to the key. > - ``ENOTTY``: this type of filesystem does not implement encryption > - ``EOPNOTSUPP``: the kernel was not configured with encryption > support for this filesystem, or the filesystem superblock has not > had encryption enabled on it > > FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS is exactly the same as > `FS_IOC_REMOVE_ENCRYPTION_KEY`_, except that for v2 policy keys, the > ALL_USERS version of the ioctl will remove all users' claims to the > key, not just the current user's. I.e., the key itself will always be > removed, no matter how many users have added it. This difference is > only meaningful if non-root users are adding and removing keys. > > Because of this, FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS also requires > "root", namely the CAP_SYS_ADMIN capability in the initial user > namespace. Otherwise it will fail with ``EACCES``. ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/