author | Roberto Sassu <roberto.sassu@polito.it> | 2011-03-21 11:00:55 -0400 |
---|---|---|
committer | Tyler Hicks <tyhicks@linux.vnet.ibm.com> | 2011-03-28 02:49:43 -0400 |
commit | b5695d04634fa4ccca7dcbc05bb4a66522f02e0b (patch) | |
tree | 568155380ea1b1fa3b9e68f68dd74cdd9d651229 /fs | |
parent | 950983fc04e02232e0d25717903461578a755ebb (diff) |
eCryptfs: write lock requested keys
A requested key is write locked in order to prevent modifications on the
authentication token while it is being used.
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/ecryptfs/keystore.c | 26 | ||||
-rw-r--r-- | fs/ecryptfs/main.c | 4 |
2 files changed, 23 insertions, 7 deletions
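--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -516,10 +516,11 @@ ecryptfs_find_global_auth_tok_for_sig(
 goto out_invalid_auth_tok;
 }
 
+down_write(&(walker->global_auth_tok_key->sem));
 rc = ecryptfs_verify_auth_tok_from_key(
 walker->global_auth_tok_key, auth_tok);
 if (rc)
-goto out_invalid_auth_tok;
+goto out_invalid_auth_tok_unlock;
 
 (*auth_tok_key) = walker->global_auth_tok_key;
 key_get(*auth_tok_key);
@@ -527,6 +528,8 @@ ecryptfs_find_global_auth_tok_for_sig(
 }
 rc = -ENOENT;
 goto out;
+out_invalid_auth_tok_unlock:
+up_write(&(walker->global_auth_tok_key->sem));
 out_invalid_auth_tok:
 printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
 walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
@@ -869,8 +872,10 @@ out_free_unlock:
 out_unlock:
 mutex_unlock(s->tfm_mutex);
 out:
-if (auth_tok_key)
+if (auth_tok_key) {
+up_write(&(auth_tok_key->sem));
 key_put(auth_tok_key);
+}
 kfree(s);
 return rc;
 }
@@ -1106,8 +1111,10 @@ out:
 (*filename_size) = 0;
 (*filename) = NULL;
 }
-if (auth_tok_key)
+if (auth_tok_key) {
+up_write(&(auth_tok_key->sem));
 key_put(auth_tok_key);
+}
 kfree(s);
 return rc;
 }
@@ -1638,9 +1645,10 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
 (*auth_tok_key) = NULL;
 goto out;
 }
-
+down_write(&(*auth_tok_key)->sem);
 rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
 if (rc) {
+up_write(&(*auth_tok_key)->sem);
 key_put(*auth_tok_key);
 (*auth_tok_key) = NULL;
 goto out;
@@ -1865,6 +1873,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
 find_next_matching_auth_tok:
 found_auth_tok = 0;
 if (auth_tok_key) {
+up_write(&(auth_tok_key->sem));
 key_put(auth_tok_key);
 auth_tok_key = NULL;
 }
@@ -1951,8 +1960,10 @@ found_matching_auth_tok:
 out_wipe_list:
 wipe_auth_tok_list(&auth_tok_list);
 out:
-if (auth_tok_key)
+if (auth_tok_key) {
+up_write(&(auth_tok_key->sem));
 key_put(auth_tok_key);
+}
 return rc;
 }
 
@@ -2446,6 +2457,7 @@ ecryptfs_generate_key_packet_set(char *dest_base,
 rc = -EINVAL;
 goto out_free;
 }
+up_write(&(auth_tok_key->sem));
 key_put(auth_tok_key);
 auth_tok_key = NULL;
 }
@@ -2460,8 +2472,10 @@ out_free:
 out:
 if (rc)
 (*len) = 0;
-if (auth_tok_key)
+if (auth_tok_key) {
+up_write(&(auth_tok_key->sem));
 key_put(auth_tok_key);
+}
 
 mutex_unlock(&crypt_stat->keysig_list_mutex);
 return rc;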
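Review bot: On success both lookup helpers now appear to return with the key's `sem` still held for write (`ecryptfs_find_global_auth_tok_for_sig` after `key_get()` at new line 526, `ecryptfs_keyring_auth_tok_for_sig` after the `down_write()` at new line 1648), and nothing in the hunks documents that contract; the matching `up_write()` calls are spread over the callers' exit labels. I would add a comment above each helper such as `/* On success *auth_tok_key holds a reference and its ->sem is held for write; the caller must up_write() and then key_put(). */`. The semaphore then stays held for as long as the token is in use, so the code between acquire and release, which these hunks do not show, should be checked for anything that waits on a userspace helper or another task that needs the same key, since that would block. All the affected function bodies start or end outside the hunks.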
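--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -254,8 +254,10 @@ static int ecryptfs_init_global_auth_toks(
 "option: [%s]\n", global_auth_tok->sig);
 global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
 goto out;
-} else
+} else {
 global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
+up_write(&(global_auth_tok->global_auth_tok_key)->sem);
+}
 }
 out:
 return rc;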
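Review bot: The `up_write()` added at new line 259 has no `down_write()` anywhere in this function's visible lines, so a reader of main.c cannot tell where the lock was taken; it is presumably acquired inside the key lookup called earlier in the loop, outside the hunk. A one-line comment before it would make the pairing explicit, for example `/* the lookup returned the key write-locked; drop the lock, the reference is kept */`. On the error branch above there is no unlock, which is only correct if the lookup releases the semaphore itself on failure, so the comment should say that too. `ecryptfs_init_global_auth_toks` starts outside the hunk.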