Hello! I'm the "GNOME people" who Christian is referring to On 1/17/24 09:52, Matthew Wilcox wrote:
I feel like we're in an XY trap [1]. What Christian actually wants is to not be able to access the contents of a file while the device it's on is suspended, and we've gone from there to "must drop the page cache".
What we really want is for the plaintext contents of the files to be gone from memory while the dm-crypt device backing them is suspended.
Ultimately my goal is to limit the chance that an attacker with access to a user's suspended laptop will be able to access the user's encrypted data. I need to achieve this without forcing the user to completely log out/power off/etc their system; it must be invisible to the user. The key word here is limit; if we can remove _most_ files from memory _most_ of the time Ithink luksSuspend would be a lot more useful against cold boot than it is today.
I understand that perfectly wiping all the files out of memory without completely unmounting the filesystem isn't feasible, and that's probably OK for our use-case. As long as most files can be removed from memory most of the time, anyway...
We have numerous ways to intercept file reads and make them either block or fail. The obvious one to me is security_file_permission() called from rw_verify_area(). Can we do everything we need with an LSM? [1] https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem
As Christian mentioned: the LSM may be a good addition, but it would have to be in addition to wiping the data out of the page cache, not instead of. An LSM will not help against a cold boot attack
Adrian
