Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp80471pxf; Wed, 7 Apr 2021 20:50:09 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyhLPHwRxM/nvtaZKSwoIb08kI34bj/U3MmDHc5bzGrF7AyskgbF3q340PJBca3waEUfrAA X-Received: by 2002:a50:f29a:: with SMTP id f26mr8537033edm.13.1617853809200; Wed, 07 Apr 2021 20:50:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617853809; cv=none; d=google.com; s=arc-20160816; b=AwRui3fVhPQ4xKv3GWk8xs5YhU/yr6jtRgCUxNAAhKKNmYwUUFzLz7hXMgGyK3mZPW t9ameDls9LCQOEYuS4EfufI3cQ4wy/sUP2yzx60ae5kQzCF73cCccfYsqr5dvO4qksfH FDuX6LDZTOaD5aTNI8mwxxvax5f3v1TJ1TDsQpD7S7lurBA0lMP0q4vnkHCniF+45Igc CKi9+dlCTNrsnZZXnwn6Yf5w4Dr5QHGIFlhCKBJT7bKnhWWBdAU+6yC88t0dkC6TEMPj vD8CE6fBnNuOKYEbMUhb3hP1SizfJtP09MM9ZY7TIRtcLRORzclbfEuKIsBppiFOUI7+ 9fag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=FcxD6AwBfocPcelAYuVBztCXNvGeRrS8VpWIaG34Q/o=; b=DsgL+7peLGInMZ0f5CcQ6YHm9tbl4x10LoB33/3ozVvNfnPOr0kUDIMsFeyYIwvj2q cwDNl5jDxCl+cJcZOMQ4Uld8IgdpJLaHAoNQtOHINm3WEUVGQVTyaXdWtFA2LtLykoAX j1D+3V23A7InqnJzDFussjn2OVCYdPN4R5B8SkWMar/l/2nTU41znAhswcMFUGS23mxX pvBfZ4NeakEISe3ofzZzah6Alq+xN+c8jPg0ncsAxmxuZ/3IEAwySA5gYhH07O3CUCae NkE0+H/LBYOLNOLReoTi7Hm2UyFe0oGtMKzMI/0KWUJQlm+eC1C1kWdV8VE6i+MPfCUG wGfQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e18si3859870ejs.95.2021.04.07.20.49.27; Wed, 07 Apr 2021 20:50:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229540AbhDHDs4 (ORCPT + 99 others); Wed, 7 Apr 2021 23:48:56 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:37871 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S229506AbhDHDsz (ORCPT ); Wed, 7 Apr 2021 23:48:55 -0400 Received: from cwcc.thunk.org (pool-72-74-133-215.bstnma.fios.verizon.net [72.74.133.215]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1383me61021585 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 7 Apr 2021 23:48:41 -0400 Received: by cwcc.thunk.org (Postfix, from userid 15806) id 5021C15C3B0C; Wed, 7 Apr 2021 23:48:40 -0400 (EDT) Date: Wed, 7 Apr 2021 23:48:40 -0400 From: "Theodore Ts'o" To: Eric Biggers Cc: Leah Rumancik , linux-ext4@vger.kernel.org Subject: Re: [PATCH v2 1/2] ext4: wipe filename upon file deletion Message-ID: References: <20210407154202.1527941-1-leah.rumancik@gmail.com> <20210407154202.1527941-2-leah.rumancik@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Wed, Apr 07, 2021 at 02:33:15PM -0700, Eric Biggers wrote: > On Wed, Apr 07, 2021 at 03:42:01PM +0000, Leah Rumancik wrote: > > Zero out filename and file type fields when file is deleted. > > Why? Eric is right that we need to have a better explanation in the commit description. In answer to Eric's question, the problem that is trying to be solved here is that if a customer happens to be storing PII in filenames (e-mail addresses, SSN's, etc.) that they might want to have a guarantee that if a file is deleted, the filename and the file's contents can be considered as *gone* after some wipeout time period has elapsed. So the use case is every N hours, some system daemon will execute FITRIM and FS_IOC_CHKPT_JRNL with the CHKPT_JRNL_DISCARD flag set, in order to meet this particular guarantee. Yes, we can't guarantee that discard will always zap all unused data blocks in the general case and SSD's may very well have copies made as a side effect of their GC operations, yadda, yadda. Fortunately, for this particular use case, the primary concern is for cloud customers running services on Google Cloud's Persistent Disks. > Also what about when a dir_entry is moved? Wouldn't you want to make sure that > any copies don't get left around? Yes, we need to also make sure that after we do a hash tree leaf node split in fs/ext4/namei.c:do_split(), that the empty space is also zero'ed out. > > @@ -2492,6 +2492,10 @@ int ext4_generic_delete_entry(struct inode *dir, > > else > > de->inode = 0; > > inode_inc_iversion(dir); > > + > > + memset(de_del->name, 0, de_del->name_len); > > + memset(&de_del->file_type, 0, sizeof(__u8)); > > The second line could be written as simply 'de_del->file_type = 0'. > > Also why zero these two fields in particular and not the whole dir_entry? Agreed, it would be a good diea to clear everything up to rec_len: memset(de_del->name, 0, de_del->rec_len - 12); and we should probably zero out de_del->name_len as well. Better to not leave anything behind. - Ted P.S. By the way, this is a guarantee that we're going to eventually want to care about for XFS as well, since as of COS-85 (Container-Optimized OS), XFS is supported in Preview Mode. This means that eventually we're going to want submit patches so as to be able to support the CHKPT_JRNL_DISCARD flag for FS_IOC_CHKPT_JRNL in XFS as well. P.P.S. We'll also want to have a mount option which supresses file names (for example, from ext4_error() messages) from showing up in kernel logs, to ease potential privacy concerns with respect to serial console and kernel logs. But that's for another patch set....