Don't drop as many caches when evicting CE key

When a user's CE key is removed, write "2" to /proc/sys/vm/drop_caches
rather than "3".  This avoids unnecessarily evicting the pagecache of
in-use inodes.  It's only necessary to evict the inodes of the relevant
encrypted files, and these are already sync'ed and no longer in-use.
For this mode "2" suffices, as this evicts "reclaimable slab objects",
including inodes; and evicting an inode implies evicting its pagecache.

This matches the recommendation I've made in the documentation for the
fscrypt kernel feature at
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html#online-attacks

Test: Sanity check that directories are still "locked" properly:
      Unlock device with PIN.  Then in adb shell: 'stop; start;
      sleep 10; ls /data/data/' still shows filenames in ciphertext form.
Change-Id: I1bdf3c420ebf63e98cc314498211061ea36f2942
diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index ea8bb73..c3455a0 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -411,11 +411,18 @@
     return true;
 }
 
+// "Lock" all encrypted directories whose key has been removed.  This is needed
+// because merely removing the keyring key doesn't affect inodes in the kernel's
+// inode cache whose per-file key was already set up.  So to remove the per-file
+// keys and make the files "appear encrypted", these inodes must be evicted.
+//
+// To do this, sync() to clean all dirty inodes, then drop all reclaimable slab
+// objects systemwide.  This is overkill, but it's the best available method
+// currently.  Don't use drop_caches mode "3" because that also evicts pagecache
+// for in-use files; all files relevant here are already closed and sync'ed.
 static void drop_caches() {
-    // Clean any dirty pages (otherwise they won't be dropped).
     sync();
-    // Drop inode and page caches.
-    if (!writeStringToFile("3", "/proc/sys/vm/drop_caches")) {
+    if (!writeStringToFile("2", "/proc/sys/vm/drop_caches")) {
         PLOG(ERROR) << "Failed to drop caches during key eviction";
     }
 }
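Review bot: In drop_caches(), a failed write to /proc/sys/vm/drop_caches is only logged with PLOG(ERROR) and the function returns void, so the caller cannot tell that the inodes were not evicted and that the directories may still appear unlocked after the key is removed. Consider returning bool from drop_caches() and letting the key-eviction caller report or act on the failure. Separately, the choice of "2" rests on the new comment's statement that all relevant files are already closed and sync'ed; it would help for the comment to say what guarantees that at this call site, since an inode that is still open is not reclaimable and would keep its per-file key.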