1. 13 Jul, 2012 1 commit
    • Tyler Hicks's avatar
      eCryptfs: Revert to a writethrough cache model · 821f7494
      Tyler Hicks authored
      A change was made about a year ago to get eCryptfs to better utilize its
      page cache during writes. The idea was to do the page encryption
      operations during page writeback, rather than doing them when initially
      writing into the page cache, to reduce the number of page encryption
      operations during sequential writes. This meant that the encrypted page
      would only be written to the lower filesystem during page writeback,
      which was a change from how eCryptfs had previously wrote to the lower
      filesystem in ecryptfs_write_end().
      
      The change caused a few eCryptfs-internal bugs that were shook out.
      Unfortunately, more grave side effects have been identified that will
      force changes outside of eCryptfs. Because the lower filesystem isn't
      consulted until page writeback, eCryptfs has no way to pass lower write
      errors (ENOSPC, mainly) back to userspace. Additionaly, it was reported
      that quotas could be bypassed because of the way eCryptfs may sometimes
      open the lower filesystem using a privileged kthread.
      
      It would be nice to resolve the latest issues, but it is best if the
      eCryptfs commits be reverted to the old behavior in the meantime.
      
      This reverts:
      32001d6f "eCryptfs: Flush file in vma close"
      5be79de2 "eCryptfs: Flush dirty pages in setattr"
      57db4e8d "ecryptfs: modify write path to encrypt page in writepage"
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Tested-by: default avatarColin King <colin.king@canonical.com>
      Cc: Colin King <colin.king@canonical.com>
      Cc: Thieu Le <thieule@google.com>
      821f7494
  2. 08 Jul, 2012 8 commits
    • Tyler Hicks's avatar
      eCryptfs: Initialize empty lower files when opening them · e3ccaa97
      Tyler Hicks authored
      Historically, eCryptfs has only initialized lower files in the
      ecryptfs_create() path. Lower file initialization is the act of writing
      the cryptographic metadata from the inode's crypt_stat to the header of
      the file. The ecryptfs_open() path already expects that metadata to be
      in the header of the file.
      
      A number of users have reported empty lower files in beneath their
      eCryptfs mounts. Most of the causes for those empty files being left
      around have been addressed, but the presence of empty files causes
      problems due to the lack of proper cryptographic metadata.
      
      To transparently solve this problem, this patch initializes empty lower
      files in the ecryptfs_open() error path. If the metadata is unreadable
      due to the lower inode size being 0, plaintext passthrough support is
      not in use, and the metadata is stored in the header of the file (as
      opposed to the user.ecryptfs extended attribute), the lower file will be
      initialized.
      
      The number of nested conditionals in ecryptfs_open() was getting out of
      hand, so a helper function was created. To avoid the same nested
      conditional problem, the conditional logic was reversed inside of the
      helper function.
      
      https://launchpad.net/bugs/911507Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Cc: John Johansen <john.johansen@canonical.com>
      Cc: Colin Ian King <colin.king@canonical.com>
      e3ccaa97
    • Tyler Hicks's avatar
      eCryptfs: Unlink lower inode when ecryptfs_create() fails · 8bc2d3cf
      Tyler Hicks authored
      ecryptfs_create() creates a lower inode, allocates an eCryptfs inode,
      initializes the eCryptfs inode and cryptographic metadata attached to
      the inode, and then writes the metadata to the header of the file.
      
      If an error was to occur after the lower inode was created, an empty
      lower file would be left in the lower filesystem. This is a problem
      because ecryptfs_open() refuses to open any lower files which do not
      have the appropriate metadata in the file header.
      
      This patch properly unlinks the lower inode when an error occurs in the
      later stages of ecryptfs_create(), reducing the chance that an empty
      lower file will be left in the lower filesystem.
      
      https://launchpad.net/bugs/872905Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Cc: John Johansen <john.johansen@canonical.com>
      Cc: Colin Ian King <colin.king@canonical.com>
      8bc2d3cf
    • Tyler Hicks's avatar
      eCryptfs: Make all miscdev functions use daemon ptr in file private_data · 2ecaf55d
      Tyler Hicks authored
      Now that a pointer to a valid struct ecryptfs_daemon is stored in the
      private_data of an opened /dev/ecryptfs file, the remaining miscdev
      functions can utilize the pointer rather than looking up the
      ecryptfs_daemon at the beginning of each operation.
      
      The security model of /dev/ecryptfs is simplified a little bit with this
      patch. Upon opening /dev/ecryptfs, a per-user ecryptfs_daemon is
      registered. Another daemon cannot be registered for that user until the
      last file reference is released. During the lifetime of the
      ecryptfs_daemon, access checks are not performed on the /dev/ecryptfs
      operations because it is assumed that the application securely handles
      the opened file descriptor and does not unintentionally leak it to
      processes that are not trusted.
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Cc: Sasha Levin <levinsasha928@gmail.com>
      2ecaf55d
    • Tyler Hicks's avatar
      eCryptfs: Remove unused messaging declarations and function · 56696886
      Tyler Hicks authored
      These are no longer needed.
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Cc: Sasha Levin <levinsasha928@gmail.com>
      56696886
    • Tyler Hicks's avatar
      eCryptfs: Copy up POSIX ACL and read-only flags from lower mount · 069ddcda
      Tyler Hicks authored
      When the eCryptfs mount options do not include '-o acl', but the lower
      filesystem's mount options do include 'acl', the MS_POSIXACL flag is not
      flipped on in the eCryptfs super block flags. This flag is what the VFS
      checks in do_last() when deciding if the current umask should be applied
      to a newly created inode's mode or not. When a default POSIX ACL mask is
      set on a directory, the current umask is incorrectly applied to new
      inodes created in the directory. This patch ignores the MS_POSIXACL flag
      passed into ecryptfs_mount() and sets the flag on the eCryptfs super
      block depending on the flag's presence on the lower super block.
      
      Additionally, it is incorrect to allow a writeable eCryptfs mount on top
      of a read-only lower mount. This missing check did not allow writes to
      the read-only lower mount because permissions checks are still performed
      on the lower filesystem's objects but it is best to simply not allow a
      rw mount on top of ro mount. However, a ro eCryptfs mount on top of a rw
      mount is valid and still allowed.
      
      https://launchpad.net/bugs/1009207Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Reported-by: default avatarStefan Beller <stefanbeller@googlemail.com>
      Cc: John Johansen <john.johansen@canonical.com>
      069ddcda
    • Linus Torvalds's avatar
      Linux 3.5-rc6 · bd0a521e
      Linus Torvalds authored
      bd0a521e
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · a0127afb
      Linus Torvalds authored
      Pull security docs update from James Morris.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        security: Minor improvements to no_new_privs documentation
      a0127afb
    • Linus Torvalds's avatar
      vfs: make O_PATH file descriptors usable for 'fchdir()' · 332a2e12
      Linus Torvalds authored
      We already use them for openat() and friends, but fchdir() also wants to
      be able to use O_PATH file descriptors.  This should make it comparable
      to the O_SEARCH of Solaris.  In particular, O_PATH allows you to access
      (not-quite-open) a directory you don't have read persmission to, only
      execute permission.
      
      Noticed during development of multithread support for ksh93.
      Reported-by: default avatarольга крыжановская <olga.kryzhanovska@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: stable@kernel.org    # O_PATH introduced in 3.0+
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      332a2e12
  3. 07 Jul, 2012 2 commits
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.linaro.org/people/rmk/linux-arm · cd6407fe
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "Last merge window, we had some updates from Al cleaning up the signal
        restart handling.  These have caused some problems on ARM, and while
        Al has some fixes, we have some concerns with Al's patches but we've
        been unsuccesful with discussing this.
      
        We have got to the point where we need to do something, and we've
        decided that the best solution is to revert the appropriate commits
        until Al is able to reply to us.
      
        Also included here are four patches to fix warnings that I've noticed
        in my build system, and one fix for kprobes test code."
      
      * 'fixes' of git://git.linaro.org/people/rmk/linux-arm:
        ARM: fix warning caused by wrongly typed arm_dma_limit
        ARM: fix warnings about atomic64_read
        ARM: 7440/1: kprobes: only test 'sub pc, pc, #1b-2b+8-2' on ARMv6
        ARM: 7441/1: perf: return -EOPNOTSUPP if requested mode exclusion is unavailable
        ARM: 7443/1: Revert "new way of handling ERESTART_RESTARTBLOCK"
        ARM: 7442/1: Revert "remove unused restart trampoline"
        ARM: fix set_domain() macro
        ARM: fix mach-versatile/pci.c warning
      cd6407fe
    • Andy Lutomirski's avatar
      security: Minor improvements to no_new_privs documentation · c540521b
      Andy Lutomirski authored
      The documentation didn't actually mention how to enable no_new_privs.
      This also adds a note about possible interactions between
      no_new_privs and LSMs (i.e. why teaching systemd to set no_new_privs
      is not necessarily a good idea), and it references the new docs
      from include/linux/prctl.h.
      Suggested-by: default avatarRob Landley <rob@landley.net>
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      c540521b
  4. 06 Jul, 2012 11 commits
  5. 05 Jul, 2012 17 commits
  6. 04 Jul, 2012 1 commit