Data Protection Entitlement and open files

Hi,

I have a question related to Data Protection Entitlement.

I have an app with com.apple.developer.default-data-protection = NSFileProtectionComplete. There is a timer which writes data into a file using the C API (open & write). But there are 2 different behaviours:

  1. If the app doesn't run in the background

When the device is locked, the timer is paused and no more data is written. When the device is unlocked, the timer is resumed and continues to write successfully into the file (the file descriptor is still valid).

  2. If the app runs in the background

After locking the device, the timer still writes for 10 seconds and then fails to write. When the device is unlocked, it is still not able to write into the file (the file descriptor is still invalid).

For the file NSFileManager.attributesOfItemAtPath returns: NSFileProtectionKey = NSFileProtectionComplete.

I suspect that in case 2 the encryption removes the access to the file, and that's why the FD is invalid.

But for case 1.

  • Why is the file descriptor still valid after encrypt/decrypt? Does the OS reopen the files after decrypt?
  • Should I always reopen all the files after applicationProtectedDataDidBecomeAvailable(), or can I assume the FD will remain valid and doesn't need to be reopened?

Thanks, Marius

Answered by DTS Engineer in 733685022

You seem to be mixing up “ability to write to a file” with “has a valid file descriptor”. These are not the same thing. Data protection does not operate at the file descriptor level. Specifically, protected data becoming unavailable does not close your file descriptor.

Rather, data protection works much deeper in the file system. In order to read or write file data the encryption key for that file must be available. If the file is subject to data protection then the encryption key is dropped when protected data becomes unavailable, and thus the reads or writes fail. If protected data becomes available again, so does the encryption key and reads or writes start to work again.

IIRC Apple Platform Security has a bunch of info about the mechanics of data protection.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
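The pattern the answer describes, keeping one descriptor open across lock and unlock and treating a failed write as "key unavailable, try again later", is shown below as an added C example. It is not Apple's code and not the original poster's; data protection itself cannot be reproduced off-device, so the write call is injectable and a stand-in that fails with EPERM simulates the locked state (EPERM is an assumption here, not a documented value; check the errno you actually observe on device).

```c
/* Added example: a small logger that never closes its descriptor when
 * protected data goes away. Records that fail to write are queued in
 * memory and flushed over the SAME descriptor once protected data is
 * available again (e.g. from applicationProtectedDataDidBecomeAvailable). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same shape as write(2); replaceable so the locked state can be simulated. */
typedef ssize_t (*write_fn)(int fd, const void *buf, size_t len);

typedef struct {
    int fd;              /* opened once; stays valid across lock/unlock */
    write_fn writer;     /* normally write(2) */
    char *pending;       /* records that could not be written yet */
    size_t pending_len;
    int last_errno;      /* errno of the most recent failed write */
} protected_logger;

/* Write the whole buffer, handling partial writes and EINTR.
 * Returns 0 on success, -1 with errno set on failure. */
static int write_all(write_fn w, int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = w(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

static void logger_init(protected_logger *lg, int fd, write_fn w) {
    lg->fd = fd;
    lg->writer = w ? w : write;
    lg->pending = NULL;
    lg->pending_len = 0;
    lg->last_errno = 0;
}

/* Append to the in-memory queue. Returns 0, or -1 if allocation fails. */
static int queue_pending(protected_logger *lg, const char *buf, size_t len) {
    char *grown = realloc(lg->pending, lg->pending_len + len);
    if (!grown) return -1;
    memcpy(grown + lg->pending_len, buf, len);
    lg->pending = grown;
    lg->pending_len += len;
    return 0;
}

/* Try to write one record. Returns 1 if written now, 0 if queued because
 * the write failed (descriptor still open, key not available), -1 if the
 * record could not even be queued. Queued data keeps its order. */
static int logger_write(protected_logger *lg, const char *buf, size_t len) {
    if (lg->pending_len > 0)
        return queue_pending(lg, buf, len) == 0 ? 0 : -1;
    if (write_all(lg->writer, lg->fd, buf, len) == 0)
        return 1;
    lg->last_errno = errno;
    return queue_pending(lg, buf, len) == 0 ? 0 : -1;
}

/* Flush the queue over the existing descriptor, without reopening.
 * Returns bytes flushed, or -1 if writes still fail (data stays queued). */
static long logger_flush(protected_logger *lg) {
    if (lg->pending_len == 0) return 0;
    if (write_all(lg->writer, lg->fd, lg->pending, lg->pending_len) != 0) {
        lg->last_errno = errno;
        return -1;
    }
    long flushed = (long)lg->pending_len;
    free(lg->pending);
    lg->pending = NULL;
    lg->pending_len = 0;
    return flushed;
}

static void logger_destroy(protected_logger *lg) {
    free(lg->pending);
    lg->pending = NULL;
    lg->pending_len = 0;
}

/* Stand-in for "protected data unavailable": the descriptor is untouched,
 * but every write fails. EPERM is an assumed errno for illustration. */
static ssize_t locked_write(int fd, const void *buf, size_t len) {
    (void)fd; (void)buf; (void)len;
    errno = EPERM;
    return -1;
}

int main(void) {
    char path[] = "/tmp/dp_example_XXXXXX";   /* constructed temp file */
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    protected_logger lg;
    logger_init(&lg, fd, NULL);
    printf("unlocked write: %d\n", logger_write(&lg, "tick 1\n", 7));
    lg.writer = locked_write;                  /* device locked: key dropped */
    printf("locked write (queued): %d, errno %d\n",
           logger_write(&lg, "tick 2\n", 7), lg.last_errno);
    lg.writer = write;                         /* protected data available again */
    printf("flushed %ld bytes over the same fd\n", logger_flush(&lg));
    logger_destroy(&lg);
    close(fd);
    unlink(path);
    return 0;
}
```

The point to take from the example is that the only thing that changes between the locked and unlocked states is whether write(2) succeeds; the descriptor is neither closed nor reopened. A real app should also bound the pending queue and persist or drop records deliberately if protected data stays unavailable for a long time.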

Yes, you're right, I was mixing them; now it is clear.

Thanks.
