eCryptfs: write lock requested keys
A requested key is write locked in order to prevent modifications on the authentication token while it is being used. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
This commit is contained in:
parent
950983fc04
commit
b5695d0463
|
@ -516,10 +516,11 @@ ecryptfs_find_global_auth_tok_for_sig(
|
||||||
goto out_invalid_auth_tok;
|
goto out_invalid_auth_tok;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
down_write(&(walker->global_auth_tok_key->sem));
|
||||||
rc = ecryptfs_verify_auth_tok_from_key(
|
rc = ecryptfs_verify_auth_tok_from_key(
|
||||||
walker->global_auth_tok_key, auth_tok);
|
walker->global_auth_tok_key, auth_tok);
|
||||||
if (rc)
|
if (rc)
|
||||||
goto out_invalid_auth_tok;
|
goto out_invalid_auth_tok_unlock;
|
||||||
|
|
||||||
(*auth_tok_key) = walker->global_auth_tok_key;
|
(*auth_tok_key) = walker->global_auth_tok_key;
|
||||||
key_get(*auth_tok_key);
|
key_get(*auth_tok_key);
|
||||||
|
@ -527,6 +528,8 @@ ecryptfs_find_global_auth_tok_for_sig(
|
||||||
}
|
}
|
||||||
rc = -ENOENT;
|
rc = -ENOENT;
|
||||||
goto out;
|
goto out;
|
||||||
|
out_invalid_auth_tok_unlock:
|
||||||
|
up_write(&(walker->global_auth_tok_key->sem));
|
||||||
out_invalid_auth_tok:
|
out_invalid_auth_tok:
|
||||||
printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
|
printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
|
||||||
walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
|
walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
|
||||||
|
@ -869,8 +872,10 @@ out_free_unlock:
|
||||||
out_unlock:
|
out_unlock:
|
||||||
mutex_unlock(s->tfm_mutex);
|
mutex_unlock(s->tfm_mutex);
|
||||||
out:
|
out:
|
||||||
if (auth_tok_key)
|
if (auth_tok_key) {
|
||||||
|
up_write(&(auth_tok_key->sem));
|
||||||
key_put(auth_tok_key);
|
key_put(auth_tok_key);
|
||||||
|
}
|
||||||
kfree(s);
|
kfree(s);
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
@ -1106,8 +1111,10 @@ out:
|
||||||
(*filename_size) = 0;
|
(*filename_size) = 0;
|
||||||
(*filename) = NULL;
|
(*filename) = NULL;
|
||||||
}
|
}
|
||||||
if (auth_tok_key)
|
if (auth_tok_key) {
|
||||||
|
up_write(&(auth_tok_key->sem));
|
||||||
key_put(auth_tok_key);
|
key_put(auth_tok_key);
|
||||||
|
}
|
||||||
kfree(s);
|
kfree(s);
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
@ -1638,9 +1645,10 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
|
||||||
(*auth_tok_key) = NULL;
|
(*auth_tok_key) = NULL;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
down_write(&(*auth_tok_key)->sem);
|
||||||
rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
|
rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
|
||||||
if (rc) {
|
if (rc) {
|
||||||
|
up_write(&(*auth_tok_key)->sem);
|
||||||
key_put(*auth_tok_key);
|
key_put(*auth_tok_key);
|
||||||
(*auth_tok_key) = NULL;
|
(*auth_tok_key) = NULL;
|
||||||
goto out;
|
goto out;
|
||||||
|
@ -1865,6 +1873,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
|
||||||
find_next_matching_auth_tok:
|
find_next_matching_auth_tok:
|
||||||
found_auth_tok = 0;
|
found_auth_tok = 0;
|
||||||
if (auth_tok_key) {
|
if (auth_tok_key) {
|
||||||
|
up_write(&(auth_tok_key->sem));
|
||||||
key_put(auth_tok_key);
|
key_put(auth_tok_key);
|
||||||
auth_tok_key = NULL;
|
auth_tok_key = NULL;
|
||||||
}
|
}
|
||||||
|
@ -1951,8 +1960,10 @@ found_matching_auth_tok:
|
||||||
out_wipe_list:
|
out_wipe_list:
|
||||||
wipe_auth_tok_list(&auth_tok_list);
|
wipe_auth_tok_list(&auth_tok_list);
|
||||||
out:
|
out:
|
||||||
if (auth_tok_key)
|
if (auth_tok_key) {
|
||||||
|
up_write(&(auth_tok_key->sem));
|
||||||
key_put(auth_tok_key);
|
key_put(auth_tok_key);
|
||||||
|
}
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2446,6 +2457,7 @@ ecryptfs_generate_key_packet_set(char *dest_base,
|
||||||
rc = -EINVAL;
|
rc = -EINVAL;
|
||||||
goto out_free;
|
goto out_free;
|
||||||
}
|
}
|
||||||
|
up_write(&(auth_tok_key->sem));
|
||||||
key_put(auth_tok_key);
|
key_put(auth_tok_key);
|
||||||
auth_tok_key = NULL;
|
auth_tok_key = NULL;
|
||||||
}
|
}
|
||||||
|
@ -2460,8 +2472,10 @@ out_free:
|
||||||
out:
|
out:
|
||||||
if (rc)
|
if (rc)
|
||||||
(*len) = 0;
|
(*len) = 0;
|
||||||
if (auth_tok_key)
|
if (auth_tok_key) {
|
||||||
|
up_write(&(auth_tok_key->sem));
|
||||||
key_put(auth_tok_key);
|
key_put(auth_tok_key);
|
||||||
|
}
|
||||||
|
|
||||||
mutex_unlock(&crypt_stat->keysig_list_mutex);
|
mutex_unlock(&crypt_stat->keysig_list_mutex);
|
||||||
return rc;
|
return rc;
|
||||||
|
|
|
@ -254,8 +254,10 @@ static int ecryptfs_init_global_auth_toks(
|
||||||
"option: [%s]\n", global_auth_tok->sig);
|
"option: [%s]\n", global_auth_tok->sig);
|
||||||
global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
|
global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
|
||||||
goto out;
|
goto out;
|
||||||
} else
|
} else {
|
||||||
global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
|
global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
|
||||||
|
up_write(&(global_auth_tok->global_auth_tok_key)->sem);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
out:
|
out:
|
||||||
return rc;
|
return rc;
|
||||||
|
|
Loading…
Reference in New Issue