summaryrefslogtreecommitdiffstats
path: root/fs/ecryptfs
Commit message (Collapse)AuthorAgeFilesLines
* ecryptfs: fix failure handling in ->readlink()Al Viro2014-01-251-16/+13
| | | | | | | | | | If ecryptfs_readlink_lower() fails, buf remains an uninitialized pointer and passing it nd_set_link() won't do anything good. Fixed by switching ecryptfs_readlink_lower() to saner API - make it return buf or ERR_PTR(...) and update callers. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* Merge tag 'ecryptfs-3.13-rc1-quiet-checkers' of ↵Linus Torvalds2013-11-221-6/+2
|\ | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs Pull minor eCryptfs fix from Tyler Hicks: "Quiet static checkers by removing unneeded conditionals" * tag 'ecryptfs-3.13-rc1-quiet-checkers' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs: eCryptfs: file->private_data is always valid
| * eCryptfs: file->private_data is always validTyler Hicks2013-11-141-6/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When accessing the lower_file pointer located in private_data of eCryptfs files, there is no need to check to see if the private_data pointer has been initialized to a non-NULL value. The file->private_data and file->private_data->lower_file pointers are always initialized to non-NULL values in ecryptfs_open(). This change quiets a Smatch warning: CHECK /var/scm/kernel/linux/fs/ecryptfs/file.c fs/ecryptfs/file.c:321 ecryptfs_unlocked_ioctl() error: potential NULL dereference 'lower_file'. fs/ecryptfs/file.c:335 ecryptfs_compat_ioctl() error: potential NULL dereference 'lower_file'. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Geyslan G. Bem <geyslan@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk>
* | tree-wide: use reinit_completion instead of INIT_COMPLETIONWolfram Sang2013-11-151-1/+1
|/ | | | | | | | | | | | Use this new function to make code more comprehensible, since we are reinitialzing the completion, not initializing. [akpm@linux-foundation.org: linux-next resyncs] Signed-off-by: Wolfram Sang <wsa@the-dreams.de> Acked-by: Linus Walleij <linus.walleij@linaro.org> (personally at LCE13) Cc: Ingo Molnar <mingo@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Merge branch 'for-linus' of ↵Linus Torvalds2013-11-135-54/+34
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs updates from Al Viro: "All kinds of stuff this time around; some more notable parts: - RCU'd vfsmounts handling - new primitives for coredump handling - files_lock is gone - Bruce's delegations handling series - exportfs fixes plus misc stuff all over the place" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (101 commits) ecryptfs: ->f_op is never NULL locks: break delegations on any attribute modification locks: break delegations on link locks: break delegations on rename locks: helper functions for delegation breaking locks: break delegations on unlink namei: minor vfs_unlink cleanup locks: implement delegations locks: introduce new FL_DELEG lock flag vfs: take i_mutex on renamed file vfs: rename I_MUTEX_QUOTA now that it's not used for quotas vfs: don't use PARENT/CHILD lock classes for non-directories vfs: pull ext4's double-i_mutex-locking into common code exportfs: fix quadratic behavior in filehandle lookup exportfs: better variable name exportfs: move most of reconnect_path to helper function exportfs: eliminate unused "noprogress" counter exportfs: stop retrying once we race with rename/remove exportfs: clear DISCONNECTED on all parents sooner exportfs: more detailed comment for path_reconnect ...
| * ecryptfs: ->f_op is never NULLAl Viro2013-11-091-1/+1
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * locks: break delegations on any attribute modificationJ. Bruce Fields2013-11-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | NFSv4 uses leases to guarantee that clients can cache metadata as well as data. Cc: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz> Cc: David Howells <dhowells@redhat.com> Cc: Tyler Hicks <tyhicks@canonical.com> Cc: Dustin Kirkland <dustin.kirkland@gazzang.com> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * locks: break delegations on linkJ. Bruce Fields2013-11-091-1/+1
| | | | | | | | | | | | | | | | Cc: Tyler Hicks <tyhicks@canonical.com> Cc: Dustin Kirkland <dustin.kirkland@gazzang.com> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * locks: break delegations on renameJ. Bruce Fields2013-11-091-1/+2
| | | | | | | | | | | | | | Cc: David Howells <dhowells@redhat.com> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * locks: break delegations on unlinkJ. Bruce Fields2013-11-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We need to break delegations on any operation that changes the set of links pointing to an inode. Start with unlink. Such operations also hold the i_mutex on a parent directory. Breaking a delegation may require waiting for a timeout (by default 90 seconds) in the case of a unresponsive NFS client. To avoid blocking all directory operations, we therefore drop locks before waiting for the delegation. The logic then looks like: acquire locks ... test for delegation; if found: take reference on inode release locks wait for delegation break drop reference on inode retry It is possible this could never terminate. (Even if we take precautions to prevent another delegation being acquired on the same inode, we could get a different inode on each retry.) But this seems very unlikely. The initial test for a delegation happens after the lock on the target inode is acquired, but the directory inode may have been acquired further up the call stack. We therefore add a "struct inode **" argument to any intervening functions, which we use to pass the inode back up to the caller in the case it needs a delegation synchronously broken. Cc: David Howells <dhowells@redhat.com> Cc: Tyler Hicks <tyhicks@canonical.com> Cc: Dustin Kirkland <dustin.kirkland@gazzang.com> Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * file->f_op is never NULL...Al Viro2013-10-241-4/+4
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * new helper: kfree_put_link()Al Viro2013-10-241-11/+1
| | | | | | | | | | | | duplicated to hell and back... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * ecryptfs: ->lower_path.dentry is never NULLAl Viro2013-10-241-2/+1
| | | | | | | | | | | | ... on anything found via ->d_fsdata Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * ecryptfs: get rid of ecryptfs_set_dentry_lower{,_mnt}Al Viro2013-10-243-18/+3
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * ecryptfs: don't leave RCU pathwalk immediatelyAl Viro2013-10-242-15/+20
| | | | | | | | | | | | | | | | If the underlying dentry doesn't have ->d_revalidate(), there's no need to force dropping out of RCU mode. All we need for that is to make freeing ecryptfs_dentry_info RCU-delayed. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * ecryptfs: check DCACHE_OP_REVALIDATE instead of ->d_opAl Viro2013-10-241-1/+1
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | eCryptfs: fix 32 bit corruption issueColin Ian King2013-10-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Shifting page->index on 32 bit systems was overflowing, causing data corruption of > 4GB files. Fix this by casting it first. https://launchpad.net/bugs/1243636 Signed-off-by: Colin Ian King <colin.king@canonical.com> Reported-by: Lars Duesing <lars.duesing@camelotsweb.de> Cc: stable@vger.kernel.org # v3.11+ Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
* | ecryptfs: Fix memory leakage in keystore.cGeyslan G. Bem2013-10-161-1/+2
|/ | | | | | | | | | In 'decrypt_pki_encrypted_session_key' function: Initializes 'payload' pointer and releases it on exit. Signed-off-by: Geyslan G. Bem <geyslan@gmail.com> Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Cc: stable@vger.kernel.org # v2.6.28+
* ecryptfs: avoid ctx initialization raceKees Cook2013-09-061-6/+6
| | | | | | | | | | | It might be possible for two callers to race the mutex lock after the NULL ctx check. Instead, move the lock above the check so there isn't the possibility of leaking a crypto ctx. Additionally, report the full algo name when failing. Signed-off-by: Kees Cook <keescook@chromium.org> [tyhicks: remove out label, which is no longer used] Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
* ecryptfs: remove check for if an array is NULLDan Carpenter2013-09-061-4/+0
| | | | | | | | It doesn't make sense to check if an array is NULL. The compiler just removes the check. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
* Merge tag 'ecryptfs-3.11-rc1-cleanup' of ↵Linus Torvalds2013-07-114-269/+85
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs Pull eCryptfs updates from Tyler Hicks: "Code cleanups and improved buffer handling during page crypto operations: - Remove redundant code by merging some encrypt and decrypt functions - Get rid of a helper page allocation during page decryption by using in-place decryption - Better use of entire pages during page crypto operations - Several code cleanups" * tag 'ecryptfs-3.11-rc1-cleanup' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs: Use ecryptfs_dentry_to_lower_path in a couple of places eCryptfs: Make extent and scatterlist crypt function parameters similar eCryptfs: Collapse crypt_page_offset() into crypt_extent() eCryptfs: Merge ecryptfs_encrypt_extent() and ecryptfs_decrypt_extent() eCryptfs: Combine page_offset crypto functions eCryptfs: Combine encrypt_scatterlist() and decrypt_scatterlist() eCryptfs: Decrypt pages in-place eCryptfs: Accept one offset parameter in page offset crypto functions eCryptfs: Simplify lower file offset calculation eCryptfs: Read/write entire page during page IO eCryptfs: Use entire helper page during page crypto operations eCryptfs: Cocci spatch "memdup.spatch"
| * Use ecryptfs_dentry_to_lower_path in a couple of placesMatthew Wilcox2013-07-092-8/+6
| | | | | | | | | | | | | | | | | | | | | | There are two places in ecryptfs that benefit from using ecryptfs_dentry_to_lower_path() instead of separate calls to ecryptfs_dentry_to_lower() and ecryptfs_dentry_to_lower_mnt(). Both sites use fewer instructions and less stack (determined by examining objdump output). Signed-off-by: Matthew Wilcox <willy@linux.intel.com> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Make extent and scatterlist crypt function parameters similarTyler Hicks2013-06-071-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | The 'dest' abbreviation is only used in crypt_scatterlist(), while all other functions in crypto.c use 'dst' so dest_sg should be renamed to dst_sg. The crypt_stat parameter is typically the first parameter in internal eCryptfs functions so crypt_stat and dst_page should be swapped in crypt_extent(). Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Collapse crypt_page_offset() into crypt_extent()Tyler Hicks2013-06-071-36/+14
| | | | | | | | | | | | | | | | crypt_page_offset() simply initialized the two scatterlists and called crypt_scatterlist() so it is simple enough to move into the only function that calls it. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Merge ecryptfs_encrypt_extent() and ecryptfs_decrypt_extent()Tyler Hicks2013-06-071-54/+20
| | | | | | | | | | | | | | They are identical except if the src_page or dst_page index is used, so they can be merged safely if page_index is conditionally assigned. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Combine page_offset crypto functionsTyler Hicks2013-06-071-51/+18
| | | | | | | | | | | | | | | | | | Combine ecryptfs_encrypt_page_offset() and ecryptfs_decrypt_page_offset(). These two functions are functionally identical so they can be safely merged if the caller can indicate whether an encryption or decryption operation should occur. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Combine encrypt_scatterlist() and decrypt_scatterlist()Tyler Hicks2013-06-071-86/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | These two functions are identical except for a debug printk and whether they call crypto_ablkcipher_encrypt() or crypto_ablkcipher_decrypt(), so they can be safely merged if the caller can indicate if encryption or decryption should occur. The debug printk is useless so it is removed. Two new #define's are created to indicate if an ENCRYPT or DECRYPT operation is desired. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Decrypt pages in-placeTyler Hicks2013-06-071-16/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When reading in a page, eCryptfs would allocate a helper page, fill it with encrypted data from the lower filesytem, and then decrypt the data from the encrypted page and store the result in the eCryptfs page cache page. The crypto API supports in-place crypto operations which means that the allocation of the helper page is unnecessary when decrypting. This patch gets rid of the unneeded page allocation by reading encrypted data from the lower filesystem directly into the page cache page. The page cache page is then decrypted in-place. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Accept one offset parameter in page offset crypto functionsTyler Hicks2013-06-071-26/+16
| | | | | | | | | | | | | | | | There is no longer a need to accept different offset values for the source and destination pages when encrypting/decrypting an extent in an eCryptfs page. The two offsets can be collapsed into a single parameter. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Simplify lower file offset calculationTyler Hicks2013-06-071-11/+7
| | | | | | | | | | | | | | | | Now that lower filesystem IO operations occur for complete PAGE_CACHE_SIZE bytes, the calculation for converting an eCryptfs extent index into a lower file offset can be simplified. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Read/write entire page during page IOTyler Hicks2013-06-071-35/+31
| | | | | | | | | | | | | | | | | | | | When reading and writing encrypted pages, perform IO using the entire page all at once rather than 4096 bytes at a time. This only affects architectures where PAGE_CACHE_SIZE is larger than 4096 bytes. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Use entire helper page during page crypto operationsTyler Hicks2013-06-071-13/+16
| | | | | | | | | | | | | | | | | | | | | | When encrypting eCryptfs pages and decrypting pages from the lower filesystem, utilize the entire helper page rather than only the first 4096 bytes. This only affects architectures where PAGE_CACHE_SIZE is larger than 4096 bytes. Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Cocci spatch "memdup.spatch"Thomas Meyer2013-06-071-2/+1
| | | | | | | | | | Signed-off-by: Thomas Meyer <thomas@m3y3r.de> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
* | helper for reading ->d_countAl Viro2013-07-051-1/+1
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | ecryptfs: switch ecryptfs_decode_and_decrypt_filename() from dentry to sbAl Viro2013-06-294-10/+8
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | [readdir] convert ecryptfsAl Viro2013-06-291-20/+15
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | [readdir] introduce iterate_dir() and dir_contextAl Viro2013-06-291-1/+3
|/ | | | | | | | | | | iterate_dir(): new helper, replacing vfs_readdir(). struct dir_context: contains the readdir callback (and will get more stuff in it), embedded into whatever data that callback wants to deal with; eventually, we'll be passing it to ->readdir() replacement instead of (data,filldir) pair. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* eCryptfs: Check return of filemap_write_and_wait during fsyncTyler Hicks2013-06-041-1/+6
| | | | | | | | | Error out of ecryptfs_fsync() if filemap_write_and_wait() fails. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Cc: Paul Taysom <taysom@chromium.org> Cc: Olof Johansson <olofj@chromium.org> Cc: stable@vger.kernel.org # v3.6+
* ecryptfs: fixed msync to flush dataPaul Taysom2013-05-241-0/+1
| | | | | | | | | | | | | | | | When msync is called on a memory mapped file, that data is not flushed to the disk. In Linux, msync calls fsync for the file. For ecryptfs, fsync just calls the lower level file system's fsync. Changed the ecryptfs fsync code to call filemap_write_and_wait before calling the lower level fsync. Addresses the problem described in http://crbug.com/239536 Signed-off-by: Paul Taysom <taysom@chromium.org> Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Cc: stable@vger.kernel.org # v3.6+
* Merge tag 'ecryptfs-3.10-rc1-ablkcipher' of ↵Linus Torvalds2013-05-102-41/+103
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs Pull eCryptfs update from Tyler Hicks: "Improve performance when AES-NI (and most likely other crypto accelerators) is available by moving to the ablkcipher crypto API. The improvement is more apparent on faster storage devices. There's no noticeable change when hardware crypto is not available" * tag 'ecryptfs-3.10-rc1-ablkcipher' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs: eCryptfs: Use the ablkcipher crypto API
| * eCryptfs: Use the ablkcipher crypto APITyler Hicks2013-05-092-41/+103
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make the switch from the blkcipher kernel crypto interface to the ablkcipher interface. encrypt_scatterlist() and decrypt_scatterlist() now use the ablkcipher interface but, from the eCryptfs standpoint, still treat the crypto operation as a synchronous operation. They submit the async request and then wait until the operation is finished before they return. Most of the changes are contained inside those two functions. Despite waiting for the completion of the crypto operation, the ablkcipher interface provides performance increases in most cases when used on AES-NI capable hardware. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Colin King <colin.king@canonical.com> Reviewed-by: Zeev Zilberman <zeev@annapurnaLabs.com> Cc: Dustin Kirkland <dustin.kirkland@gazzang.com> Cc: Tim Chen <tim.c.chen@intel.com> Cc: Ying Huang <ying.huang@intel.com> Cc: Thieu Le <thieule@google.com> Cc: Li Wang <dragonylffly@163.com> Cc: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>
* | Merge branch 'for-linus' of ↵Linus Torvalds2013-05-091-8/+1
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull more vfs fixes from Al Viro: "Regression fix from Geert + yet another open-coded kernel_read()" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ecryptfs: don't open-code kernel_read() xtensa simdisk: Fix proc_create_data() conversion fallout
| * | ecryptfs: don't open-code kernel_read()Al Viro2013-05-091-8/+1
| |/ | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | aio: don't include aio.h in sched.hKent Overstreet2013-05-071-0/+1
|/ | | | | | | | | | | | | | | | | | | | | | | | Faster kernel compiles by way of fewer unnecessary includes. [akpm@linux-foundation.org: fix fallout] [akpm@linux-foundation.org: fix build] Signed-off-by: Kent Overstreet <koverstreet@google.com> Cc: Zach Brown <zab@redhat.com> Cc: Felipe Balbi <balbi@ti.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Mark Fasheh <mfasheh@suse.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: Jens Axboe <axboe@kernel.dk> Cc: Asai Thambi S P <asamymuthupa@micron.com> Cc: Selvan Mani <smani@micron.com> Cc: Sam Bradshaw <sbradshaw@micron.com> Cc: Jeff Moyer <jmoyer@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Benjamin LaHaise <bcrl@kvack.org> Reviewed-by: "Theodore Ts'o" <tytso@mit.edu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* ecryptfs: close rmmod raceAl Viro2013-04-091-12/+2
| | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* Merge branch 'for-linus' of ↵Linus Torvalds2013-03-091-0/+1
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull namespace bugfixes from Eric Biederman: "This is three simple fixes against 3.9-rc1. I have tested each of these fixes and verified they work correctly. The userns oops in key_change_session_keyring and the BUG_ON triggered by proc_ns_follow_link were found by Dave Jones. I am including the enhancement for mount to only trigger requests of filesystem modules here instead of delaying this for the 3.10 merge window because it is both trivial and the kind of change that tends to bit-rot if left untouched for two months." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: proc: Use nd_jump_link in proc_ns_follow_link fs: Limit sys_mount to only request filesystem modules (Part 2). fs: Limit sys_mount to only request filesystem modules. userns: Stop oopsing in key_change_session_keyring
| * fs: Limit sys_mount to only request filesystem modules.Eric W. Biederman2013-03-031-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Modify the request_module to prefix the file system type with "fs-" and add aliases to all of the filesystems that can be built as modules to match. A common practice is to build all of the kernel code and leave code that is not commonly needed as modules, with the result that many users are exposed to any bug anywhere in the kernel. Looking for filesystems with a fs- prefix limits the pool of possible modules that can be loaded by mount to just filesystems trivially making things safer with no real cost. Using aliases means user space can control the policy of which filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf with blacklist and alias directives. Allowing simple, safe, well understood work-arounds to known problematic software. This also addresses a rare but unfortunate problem where the filesystem name is not the same as it's module name and module auto-loading would not work. While writing this patch I saw a handful of such cases. The most significant being autofs that lives in the module autofs4. This is relevant to user namespaces because we can reach the request module in get_fs_type() without having any special permissions, and people get uncomfortable when a user specified string (in this case the filesystem type) goes all of the way to request_module. After having looked at this issue I don't think there is any particular reason to perform any filtering or permission checks beyond making it clear in the module request that we want a filesystem module. The common pattern in the kernel is to call request_module() without regards to the users permissions. In general all a filesystem module does once loaded is call register_filesystem() and go to sleep. Which means there is not much attack surface exposed by loading a filesytem module unless the filesystem is mounted. In a user namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT, which most filesystems do not set today. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Kees Cook <keescook@chromium.org> Reported-by: Kees Cook <keescook@google.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
* | Merge tag 'ecryptfs-3.9-rc2-fixes' of ↵Linus Torvalds2013-03-079-26/+64
|\ \ | |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs Pull ecryptfs fixes from Tyler Hicks: "Minor code cleanups and new Kconfig option to disable /dev/ecryptfs The code cleanups fix up W=1 compiler warnings and some unnecessary checks. The new Kconfig option, defaulting to N, allows the rarely used eCryptfs kernel to userspace communication channel to be compiled out. This may be the first step in it being eventually removed." Hmm. I'm not sure whether these should be called "fixes", and it probably should have gone in the merge window. But I'll let it slide. * tag 'ecryptfs-3.9-rc2-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs: eCryptfs: allow userspace messaging to be disabled eCryptfs: Fix redundant error check on ecryptfs_find_daemon_by_euid() ecryptfs: ecryptfs_msg_ctx_alloc_to_free(): remove kfree() redundant null check eCryptfs: decrypt_pki_encrypted_session_key(): remove kfree() redundant null check eCryptfs: remove unneeded checks in virt_to_scatterlist() eCryptfs: Fix -Wmissing-prototypes warnings eCryptfs: Fix -Wunused-but-set-variable warnings eCryptfs: initialize payload_len in keystore.c
| * eCryptfs: allow userspace messaging to be disabledKees Cook2013-03-034-6/+53
| | | | | | | | | | | | | | | | | | | | When the userspace messaging (for the less common case of userspace key wrap/unwrap via ecryptfsd) is not needed, allow eCryptfs to build with it removed. This saves on kernel code size and reduces potential attack surface by removing the /dev/ecryptfs node. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| * eCryptfs: Fix redundant error check on ecryptfs_find_daemon_by_euid()Tyler Hicks2013-02-271-1/+1
| | | | | | | | | | | | | | | | | | It is sufficient to check the return code of ecryptfs_find_daemon_by_euid(). If it returns 0, it always sets the daemon pointer to point to a valid ecryptfs_daemon. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Reported-by: Kees Cook <keescook@chromium.org>
OpenPOWER on IntegriCloud