author | Michael Halcrow <mhalcrow@us.ibm.com> | 2008-04-29 03:59:52 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-04-29 11:06:07 -0400 |
commit | 6a3fd92e73fffd9e583650c56ad9558afe51dc5c (patch) | |
tree | d65917432ffd0e6223dab3500819205433de22bd /fs/ecryptfs/miscdev.c | |
parent | f66e883eb6186bc43a79581b67aff7d1a69d0ff1 (diff) |
eCryptfs: make key module subsystem respect namespaces
Make eCryptfs key module subsystem respect namespaces.
Since I will be removing the netlink interface in a future patch, I just made
changes to the netlink.c code so that it will not break the build. With my
recent patches, the kernel module currently defaults to the device handle
interface rather than the netlink interface.
[akpm@linux-foundation.org: export free_user_ns()]
Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/ecryptfs/miscdev.c')
-rw-r--r-- | fs/ecryptfs/miscdev.c | 68 |
1 files changed, 43 insertions, 25 deletions
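diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
index 0c559731ae34..788995efd1d3 100644
--- a/fs/ecryptfs/miscdev.c
+++ b/fs/ecryptfs/miscdev.c
@@ -46,7 +46,8 @@ ecryptfs_miscdev_poll(struct file *file, poll_table *pt)
 
 mutex_lock(&ecryptfs_daemon_hash_mux);
 /* TODO: Just use file->private_data? */
-rc = ecryptfs_find_daemon_by_euid(&daemon, current->euid);
+rc = ecryptfs_find_daemon_by_euid(&daemon, current->euid,
+current->nsproxy->user_ns);
 BUG_ON(rc || !daemon);
 mutex_lock(&daemon->mux);
 mutex_unlock(&ecryptfs_daemon_hash_mux);
@@ -92,10 +93,12 @@ ecryptfs_miscdev_open(struct inode *inode, struct file *file)
 "count; rc = [%d]\n", __func__, rc);
 goto out_unlock_daemon_list;
 }
-rc = ecryptfs_find_daemon_by_euid(&daemon, current->euid);
+rc = ecryptfs_find_daemon_by_euid(&daemon, current->euid,
+current->nsproxy->user_ns);
 if (rc || !daemon) {
 rc = ecryptfs_spawn_daemon(&daemon, current->euid,
-current->pid);
+current->nsproxy->user_ns,
+task_pid(current));
 if (rc) {
 printk(KERN_ERR "%s: Error attempting to spawn daemon; "
 "rc = [%d]\n", __func__, rc);
@@ -103,18 +106,18 @@ ecryptfs_miscdev_open(struct inode *inode, struct file *file)
 }
 }
 mutex_lock(&daemon->mux);
-if (daemon->pid != current->pid) {
+if (daemon->pid != task_pid(current)) {
 rc = -EINVAL;
-printk(KERN_ERR "%s: pid [%d] has registered with euid [%d], "
-"but pid [%d] has attempted to open the handle "
+printk(KERN_ERR "%s: pid [0x%p] has registered with euid [%d], "
+"but pid [0x%p] has attempted to open the handle "
 "instead\n", __func__, daemon->pid, daemon->euid,
-current->pid);
+task_pid(current));
 goto out_unlock_daemon;
 }
 if (daemon->flags & ECRYPTFS_DAEMON_MISCDEV_OPEN) {
 rc = -EBUSY;
 printk(KERN_ERR "%s: Miscellaneous device handle may only be "
-"opened once per daemon; pid [%d] already has this "
+"opened once per daemon; pid [0x%p] already has this "
 "handle open\n", __func__, daemon->pid);
 goto out_unlock_daemon;
 }
@@ -147,10 +150,11 @@ ecryptfs_miscdev_release(struct inode *inode, struct file *file)
 int rc;
 
 mutex_lock(&ecryptfs_daemon_hash_mux);
-rc = ecryptfs_find_daemon_by_euid(&daemon, current->euid);
+rc = ecryptfs_find_daemon_by_euid(&daemon, current->euid,
+current->nsproxy->user_ns);
 BUG_ON(rc || !daemon);
 mutex_lock(&daemon->mux);
-BUG_ON(daemon->pid != current->pid);
+BUG_ON(daemon->pid != task_pid(current));
 BUG_ON(!(daemon->flags & ECRYPTFS_DAEMON_MISCDEV_OPEN));
 daemon->flags &= ~ECRYPTFS_DAEMON_MISCDEV_OPEN;
 atomic_dec(&ecryptfs_num_miscdev_opens);
@@ -247,7 +251,8 @@ ecryptfs_miscdev_read(struct file *file, char __user *buf, size_t count,
 
 mutex_lock(&ecryptfs_daemon_hash_mux);
 /* TODO: Just use file->private_data? */
-rc = ecryptfs_find_daemon_by_euid(&daemon, current->euid);
+rc = ecryptfs_find_daemon_by_euid(&daemon, current->euid,
+current->nsproxy->user_ns);
 BUG_ON(rc || !daemon);
 mutex_lock(&daemon->mux);
 if (daemon->flags & ECRYPTFS_DAEMON_ZOMBIE) {
@@ -285,7 +290,8 @@ check_list:
 goto check_list;
 }
 BUG_ON(current->euid != daemon->euid);
-BUG_ON(current->pid != daemon->pid);
+BUG_ON(current->nsproxy->user_ns != daemon->user_ns);
+BUG_ON(task_pid(current) != daemon->pid);
 msg_ctx = list_first_entry(&daemon->msg_ctx_out_queue,
 struct ecryptfs_msg_ctx, daemon_out_list);
 BUG_ON(!msg_ctx);
@@ -355,15 +361,18 @@ out_unlock_daemon:
 /**
 * ecryptfs_miscdev_helo
 * @euid: effective user id of miscdevess sending helo packet
+* @user_ns: The namespace in which @euid applies
 * @pid: miscdevess id of miscdevess sending helo packet
 *
 * Returns zero on success; non-zero otherwise
 */
-static int ecryptfs_miscdev_helo(uid_t uid, pid_t pid)
+static int ecryptfs_miscdev_helo(uid_t euid, struct user_namespace *user_ns,
+struct pid *pid)
 {
 int rc;
 
-rc = ecryptfs_process_helo(ECRYPTFS_TRANSPORT_MISCDEV, uid, pid);
+rc = ecryptfs_process_helo(ECRYPTFS_TRANSPORT_MISCDEV, euid, user_ns,
+pid);
 if (rc)
 printk(KERN_WARNING "Error processing HELO; rc = [%d]\n", rc);
 return rc;
@@ -372,15 +381,17 @@ static int ecryptfs_miscdev_helo(uid_t uid, pid_t pid)
 /**
 * ecryptfs_miscdev_quit
 * @euid: effective user id of miscdevess sending quit packet
+* @user_ns: The namespace in which @euid applies
 * @pid: miscdevess id of miscdevess sending quit packet
 *
 * Returns zero on success; non-zero otherwise
 */
-static int ecryptfs_miscdev_quit(uid_t euid, pid_t pid)
+static int ecryptfs_miscdev_quit(uid_t euid, struct user_namespace *user_ns,
+struct pid *pid)
 {
 int rc;
 
-rc = ecryptfs_process_quit(euid, pid);
+rc = ecryptfs_process_quit(euid, user_ns, pid);
 if (rc)
 printk(KERN_WARNING
 "Error processing QUIT message; rc = [%d]\n", rc);
@@ -392,13 +403,15 @@ static int ecryptfs_miscdev_quit(uid_t euid, pid_t pid)
 * @data: Bytes comprising struct ecryptfs_message
 * @data_size: sizeof(struct ecryptfs_message) + data len
 * @euid: Effective user id of miscdevess sending the miscdev response
+* @user_ns: The namespace in which @euid applies
 * @pid: Miscdevess id of miscdevess sending the miscdev response
 * @seq: Sequence number for miscdev response packet
 *
 * Returns zero on success; non-zero otherwise
 */
 static int ecryptfs_miscdev_response(char *data, size_t data_size,
-uid_t euid, pid_t pid, u32 seq)
+uid_t euid, struct user_namespace *user_ns,
+struct pid *pid, u32 seq)
 {
 struct ecryptfs_message *msg = (struct ecryptfs_message *)data;
 int rc;
@@ -410,7 +423,7 @@ static int ecryptfs_miscdev_response(char *data, size_t data_size,
 rc = -EINVAL;
 goto out;
 }
-rc = ecryptfs_process_response(msg, euid, pid, seq);
+rc = ecryptfs_process_response(msg, euid, user_ns, pid, seq);
 if (rc)
 printk(KERN_ERR
 "Error processing response message; rc = [%d]\n", rc);
@@ -491,27 +504,32 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
 }
 rc = ecryptfs_miscdev_response(&data[i], packet_size,
 current->euid,
-current->pid, seq);
+current->nsproxy->user_ns,
+task_pid(current), seq);
 if (rc)
 printk(KERN_WARNING "%s: Failed to deliver miscdev "
 "response to requesting operation; rc = [%d]\n",
 __func__, rc);
 break;
 case ECRYPTFS_MSG_HELO:
-rc = ecryptfs_miscdev_helo(current->euid, current->pid);
+rc = ecryptfs_miscdev_helo(current->euid,
+current->nsproxy->user_ns,
+task_pid(current));
 if (rc) {
 printk(KERN_ERR "%s: Error attempting to process "
-"helo from pid [%d]; rc = [%d]\n", __func__,
-current->pid, rc);
+"helo from pid [0x%p]; rc = [%d]\n", __func__,
+task_pid(current), rc);
 goto out_free;
 }
 break;
 case ECRYPTFS_MSG_QUIT:
-rc = ecryptfs_miscdev_quit(current->euid, current->pid);
+rc = ecryptfs_miscdev_quit(current->euid,
+current->nsproxy->user_ns,
+task_pid(current));
 if (rc) {
 printk(KERN_ERR "%s: Error attempting to process "
-"quit from pid [%d]; rc = [%d]\n", __func__,
-current->pid, rc);
+"quit from pid [0x%p]; rc = [%d]\n", __func__,
+task_pid(current), rc);
 goto out_free;
 }
 break;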
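Review bot: The namespace check added to ecryptfs_miscdev_read, `BUG_ON(current->nsproxy->user_ns != daemon->user_ns);`, asserts on caller-controlled state, as do the `BUG_ON(rc || !daemon)` lines that follow the re-keyed lookups in the poll, release and read hunks. The daemon is looked up again from the calling task's euid and user namespace on every call, so a handle used by a task whose credentials or namespace differ from the opener's could reach a kernel BUG instead of an error return. Prefer failing the call, e.g. `if (current->nsproxy->user_ns != daemon->user_ns) { rc = -EINVAL; goto out_unlock_daemon; }`, or resolve the daemon from `file->private_data` as the existing TODO suggests (whether open stores it there is outside these hunks). Separately, the messages now print the `struct pid` pointer with `[0x%p]`, which writes a kernel address to the log and no longer identifies the process; `pid_nr(daemon->pid)` with `%d` would keep the old output. All of these functions start and end outside the hunks shown.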