Commit d55140ce authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6:
  Ecryptfs: Add mount option to check uid of device being mounted = expect uid
  eCryptfs: Fix payload_len unitialized variable warning
  eCryptfs: fix compile error
  eCryptfs: Return error when lower file pointer is NULL
parents af9d220b 76435548
config ECRYPT_FS config ECRYPT_FS
tristate "eCrypt filesystem layer support (EXPERIMENTAL)" tristate "eCrypt filesystem layer support (EXPERIMENTAL)"
depends on EXPERIMENTAL && KEYS && CRYPTO depends on EXPERIMENTAL && KEYS && CRYPTO && (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n)
select CRYPTO_ECB select CRYPTO_ECB
select CRYPTO_CBC select CRYPTO_CBC
select CRYPTO_MD5 select CRYPTO_MD5
......
...@@ -1973,7 +1973,7 @@ pki_encrypt_session_key(struct key *auth_tok_key, ...@@ -1973,7 +1973,7 @@ pki_encrypt_session_key(struct key *auth_tok_key,
{ {
struct ecryptfs_msg_ctx *msg_ctx = NULL; struct ecryptfs_msg_ctx *msg_ctx = NULL;
char *payload = NULL; char *payload = NULL;
size_t payload_len; size_t payload_len = 0;
struct ecryptfs_message *msg; struct ecryptfs_message *msg;
int rc; int rc;
......
...@@ -175,6 +175,7 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig, ...@@ -175,6 +175,7 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig,
ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig, ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes, ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only, ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only,
ecryptfs_opt_check_dev_ruid,
ecryptfs_opt_err }; ecryptfs_opt_err };
static const match_table_t tokens = { static const match_table_t tokens = {
...@@ -191,6 +192,7 @@ static const match_table_t tokens = { ...@@ -191,6 +192,7 @@ static const match_table_t tokens = {
{ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"}, {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
{ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"}, {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
{ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"}, {ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"},
{ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
{ecryptfs_opt_err, NULL} {ecryptfs_opt_err, NULL}
}; };
...@@ -236,6 +238,7 @@ static void ecryptfs_init_mount_crypt_stat( ...@@ -236,6 +238,7 @@ static void ecryptfs_init_mount_crypt_stat(
* ecryptfs_parse_options * ecryptfs_parse_options
* @sb: The ecryptfs super block * @sb: The ecryptfs super block
* @options: The options passed to the kernel * @options: The options passed to the kernel
* @check_ruid: set to 1 if device uid should be checked against the ruid
* *
* Parse mount options: * Parse mount options:
* debug=N - ecryptfs_verbosity level for debug output * debug=N - ecryptfs_verbosity level for debug output
...@@ -251,7 +254,8 @@ static void ecryptfs_init_mount_crypt_stat( ...@@ -251,7 +254,8 @@ static void ecryptfs_init_mount_crypt_stat(
* *
* Returns zero on success; non-zero on error * Returns zero on success; non-zero on error
*/ */
static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options,
uid_t *check_ruid)
{ {
char *p; char *p;
int rc = 0; int rc = 0;
...@@ -276,6 +280,8 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) ...@@ -276,6 +280,8 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
char *cipher_key_bytes_src; char *cipher_key_bytes_src;
char *fn_cipher_key_bytes_src; char *fn_cipher_key_bytes_src;
*check_ruid = 0;
if (!options) { if (!options) {
rc = -EINVAL; rc = -EINVAL;
goto out; goto out;
...@@ -380,6 +386,9 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) ...@@ -380,6 +386,9 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
mount_crypt_stat->flags |= mount_crypt_stat->flags |=
ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY; ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY;
break; break;
case ecryptfs_opt_check_dev_ruid:
*check_ruid = 1;
break;
case ecryptfs_opt_err: case ecryptfs_opt_err:
default: default:
printk(KERN_WARNING printk(KERN_WARNING
...@@ -475,6 +484,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags ...@@ -475,6 +484,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
const char *err = "Getting sb failed"; const char *err = "Getting sb failed";
struct inode *inode; struct inode *inode;
struct path path; struct path path;
uid_t check_ruid;
int rc; int rc;
sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL); sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL);
...@@ -483,7 +493,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags ...@@ -483,7 +493,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
goto out; goto out;
} }
rc = ecryptfs_parse_options(sbi, raw_data); rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
if (rc) { if (rc) {
err = "Error parsing options"; err = "Error parsing options";
goto out; goto out;
...@@ -521,6 +531,15 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags ...@@ -521,6 +531,15 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
"known incompatibilities\n"); "known incompatibilities\n");
goto out_free; goto out_free;
} }
if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
rc = -EPERM;
printk(KERN_ERR "Mount of device (uid: %d) not owned by "
"requested user (uid: %d)\n",
path.dentry->d_inode->i_uid, current_uid());
goto out_free;
}
ecryptfs_set_superblock_lower(s, path.dentry->d_sb); ecryptfs_set_superblock_lower(s, path.dentry->d_sb);
s->s_maxbytes = path.dentry->d_sb->s_maxbytes; s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
s->s_blocksize = path.dentry->d_sb->s_blocksize; s->s_blocksize = path.dentry->d_sb->s_blocksize;
......
...@@ -39,15 +39,16 @@ ...@@ -39,15 +39,16 @@
int ecryptfs_write_lower(struct inode *ecryptfs_inode, char *data, int ecryptfs_write_lower(struct inode *ecryptfs_inode, char *data,
loff_t offset, size_t size) loff_t offset, size_t size)
{ {
struct ecryptfs_inode_info *inode_info; struct file *lower_file;
mm_segment_t fs_save; mm_segment_t fs_save;
ssize_t rc; ssize_t rc;
inode_info = ecryptfs_inode_to_private(ecryptfs_inode); lower_file = ecryptfs_inode_to_private(ecryptfs_inode)->lower_file;
BUG_ON(!inode_info->lower_file); if (!lower_file)
return -EIO;
fs_save = get_fs(); fs_save = get_fs();
set_fs(get_ds()); set_fs(get_ds());
rc = vfs_write(inode_info->lower_file, data, size, &offset); rc = vfs_write(lower_file, data, size, &offset);
set_fs(fs_save); set_fs(fs_save);
mark_inode_dirty_sync(ecryptfs_inode); mark_inode_dirty_sync(ecryptfs_inode);
return rc; return rc;
...@@ -225,15 +226,16 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset, ...@@ -225,15 +226,16 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
int ecryptfs_read_lower(char *data, loff_t offset, size_t size, int ecryptfs_read_lower(char *data, loff_t offset, size_t size,
struct inode *ecryptfs_inode) struct inode *ecryptfs_inode)
{ {
struct ecryptfs_inode_info *inode_info = struct file *lower_file;
ecryptfs_inode_to_private(ecryptfs_inode);
mm_segment_t fs_save; mm_segment_t fs_save;
ssize_t rc; ssize_t rc;
BUG_ON(!inode_info->lower_file); lower_file = ecryptfs_inode_to_private(ecryptfs_inode)->lower_file;
if (!lower_file)
return -EIO;
fs_save = get_fs(); fs_save = get_fs();
set_fs(get_ds()); set_fs(get_ds());
rc = vfs_read(inode_info->lower_file, data, size, &offset); rc = vfs_read(lower_file, data, size, &offset);
set_fs(fs_save); set_fs(fs_save);
return rc; return rc;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment