Received: by 2002:ac0:950c:0:0:0:0:0 with SMTP id f12csp3077686imc;
        Wed, 13 Mar 2019 08:19:15 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzVPx4NCix10Z+xuq9+DS/0IRJhS39rTJ9Vxd10HwMSmaAcD1stz0NQlTtQJN8ahW6vQXrg
X-Received: by 2002:a17:902:ab8e:: with SMTP id f14mr45850657plr.84.1552490355476;
        Wed, 13 Mar 2019 08:19:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1552490355; cv=none;
        d=google.com; s=arc-20160816;
        b=BjcRy5WFDxs7iyzWzWvya49EDet0ryhc60bdcQoBpzLvnbORTVVCibIkJdHZ1bbACL
         pNpD0J9XgIPuBKa+D4/wr/ZFTZ1mn2txgRwU/+Bdm2etSRDUpMK5xdz5FYQs21MPc1kd
         O5/w9+LhuwXZUuQVrDpc0jW0UEOi/wrivsAgm+LhTkvVdS3hAl+MdMUAvEWJSNxkyAoy
         Zv71Q5r91Iwiw/TEyBtt2RZOcxjlrXo6p2Cee8JdUlf11NMYeDo5kGjDhTIvWbQXqZ8d
         tw+TX1w0Seq1Z1GHlY/MEDu9fnxYy73XfIdeiRoDeCrVKPtEwK8Bu91VjPM7JX9CXsEB
         bzDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date;
        bh=c/hAjyWndHJL/O2dFaCqxVdJx1SRzH7sEXBeqct5MoI=;
        b=hqbE7O+Eqvx0LOIs8PRyys3Xba6n7wGW+r4bi3QiYYfHB45MS68NoKQO5GBBLE4z15
         GRZpG4ICycMMNGnqrldblwzwJs0dLjBZmQ6Fx0k1K18rxhdcmJN+O/fuxh2MpSE0ogBv
         q89bJ5Tq1k2oucqlyawHsRhFQGhhacZr5Zzv/miLW/XZjbgMIJoRCc0Bf0HiqfwuFgHj
         0mB5Rhv5rcCNLi1ZQj/PAabj0W/O/ESAyxoetzZxmFPw4lMD78JVZSNt3dd7nc/YsMA0
         a/asQjMwp1djjI01iKMIwULe2uWkcfnAmyQn7OIuoJXip9NVDWJU/C9lANdoDzFCFoAI
         r2sg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 1si10920687ply.232.2019.03.13.08.18.55;
        Wed, 13 Mar 2019 08:19:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726435AbfCMPQt (ORCPT <rfc822;michael.k.kehoe@gmail.com>
        + 99 others); Wed, 13 Mar 2019 11:16:49 -0400
Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:60513 "EHLO
        outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S1725868AbfCMPQs (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Mar 2019 11:16:48 -0400
Received: from callcc.thunk.org (guestnat-104-133-0-99.corp.google.com [104.133.0.99] (may be forged))
        (authenticated bits=0)
        (User authenticated as tytso@ATHENA.MIT.EDU)
        by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x2DFGYIp003657
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Wed, 13 Mar 2019 11:16:34 -0400
Received: by callcc.thunk.org (Postfix, from userid 15806)
        id BE27B42080E; Wed, 13 Mar 2019 11:16:33 -0400 (EDT)
Date:   Wed, 13 Mar 2019 11:16:33 -0400
From:   "Theodore Ts'o" <tytso@mit.edu>
To:     Amir Goldstein <amir73il@gmail.com>
Cc:     Richard Weinberger <richard@nod.at>,
        Miklos Szeredi <miklos@szeredi.hu>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        linux-fscrypt@vger.kernel.org,
        overlayfs <linux-unionfs@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Paul Lawrence <paullawrence@google.com>
Subject: Re: overlayfs vs. fscrypt
Message-ID: <20190313151633.GA672@mit.edu>
Mail-Followup-To: Theodore Ts'o <tytso@mit.edu>,
        Amir Goldstein <amir73il@gmail.com>,
        Richard Weinberger <richard@nod.at>,
        Miklos Szeredi <miklos@szeredi.hu>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        linux-fscrypt@vger.kernel.org,
        overlayfs <linux-unionfs@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Paul Lawrence <paullawrence@google.com>
References: <4603533.ZIfxmiEf7K@blindfold>
 <1854703.ve7plDhYWt@blindfold>
 <CAJfpegtgfuAkgv26QH6Ht25OeMiev-QvEf7ror4KAbud7FADgg@mail.gmail.com>
 <4066872.KGdO14EQMx@blindfold>
 <CAOQ4uxhqQKzriL0An4Tvzc1E_LffL-z9q1otOW_RdD1ZdKWP3Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAOQ4uxhqQKzriL0An4Tvzc1E_LffL-z9q1otOW_RdD1ZdKWP3Q@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 13, 2019 at 04:26:54PM +0200, Amir Goldstein wrote:
> AFAIK, this feature was born to tailor Android's file based encryption.
> https://source.android.com/security/encryption#file-based
> It is meant to protect data at rest and what happens when user enters
> the screen lock password IIRC, is that some service will get restarted.
> IOW, there should NOT be any processes in Android accessing the
> encrypted user data folders with and without the key simultaneously.
> Also, like OpenWRT, in Android the key does not get removed
> (until boot) AFAIK(?).

Actually, the original use was for ChromeOS, but the primary
assumption is that keying is per user (or profile), and that users are
mutually distrustful.  So when Alice logs out of the system, her keys
will be invalidated and removed from the kernel.  We can (and do) try
to flush cache entries via "echo 3 > /proc/sys/vm/drop_caches" on
logout.  However, this does not guarantee that all dcache entries will
be removed --- a dcache entry can be pinned due to an open file, a
process's current working directory, a bind mount, etc.

The other issue is negative dentries; if you try open a file in an
encrypted file, the file system won't even *know* whether or not a
file exists, since the directory entries are encrypted; hence, there
may be some negative dentries that need to be invalidated.

So a fundamental assumption with fscrypt is that keys will be added
and removed, and that when this happens, dentries will need to be
invalidated.  This is going to surprise overlayfs, so if overlayfs is
going to support fscrypt it *has* to be aware of the fact that this
can happen.  It's not even clear what the proper security semantics
should be; *especially* if the upper and lower directories aren't
similarly protected using the same fscrypt encryption key.  Suppose
the lower directory is encrypted, and the upper is not.  Now on a copy
up operation, the previously encrypted file, which might contain
credit card numbers, medical records, or other things that would cause
a GDPR regulator to have a freak out attack, would *poof* become
decrypted.

So before we talk about how to make things work from a technical
perspective, we should consider what the use case happens to be, and
what are the security requirements.  *Why* are we trying to use the
combination of overlayfs and fscrypt, and what are the security
properties we are trying to provide to someone who is relying on this
combination?

						- Ted