Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

eCryptfs: write lock requested keys

A requested key is write locked in order to prevent modifications on the
authentication token while it is being used.

Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Roberto Sassu 14 years ago
parent
950983fc04
commit
b5695d0463
2 changed files with 23 additions and 7 deletions
Split View Show Diff Stats
  1. 20 6
      fs/ecryptfs/keystore.c
  2. 3 1
      fs/ecryptfs/main.c

+ 20 - 6
fs/ecryptfs/keystore.c
View File 

@@ -516,10 +516,11 @@ ecryptfs_find_global_auth_tok_for_sig(
 
 			goto out_invalid_auth_tok;
 
 		}
 
 
+		down_write(&(walker->global_auth_tok_key->sem));
 
 		rc = ecryptfs_verify_auth_tok_from_key(
 
 				walker->global_auth_tok_key, auth_tok);
 
 		if (rc)
 
-			goto out_invalid_auth_tok;
 
+			goto out_invalid_auth_tok_unlock;
 
 
 		(*auth_tok_key) = walker->global_auth_tok_key;
 
 		key_get(*auth_tok_key);
 
@@ -527,6 +528,8 @@ ecryptfs_find_global_auth_tok_for_sig(
 
 	}
 
 	rc = -ENOENT;
 
 	goto out;
 
+out_invalid_auth_tok_unlock:
 
+	up_write(&(walker->global_auth_tok_key->sem));
 
 out_invalid_auth_tok:
 
 	printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig);
 
 	walker->flags |= ECRYPTFS_AUTH_TOK_INVALID;
 
@@ -869,8 +872,10 @@ out_free_unlock:
 
 out_unlock:
 
 	mutex_unlock(s->tfm_mutex);
 
 out:
 
-	if (auth_tok_key)
 
+	if (auth_tok_key) {
 
+		up_write(&(auth_tok_key->sem));
 
 		key_put(auth_tok_key);
 
+	}
 
 	kfree(s);
 
 	return rc;
 
 }
 
@@ -1106,8 +1111,10 @@ out:
 
 		(*filename_size) = 0;
 
 		(*filename) = NULL;
 
 	}
 
-	if (auth_tok_key)
 
+	if (auth_tok_key) {
 
+		up_write(&(auth_tok_key->sem));
 
 		key_put(auth_tok_key);
 
+	}
 
 	kfree(s);
 
 	return rc;
 
 }
 
@@ -1638,9 +1645,10 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
 
 		(*auth_tok_key) = NULL;
 
 		goto out;
 
 	}
 
-
 
+	down_write(&(*auth_tok_key)->sem);
 
 	rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
 
 	if (rc) {
 
+		up_write(&(*auth_tok_key)->sem);
 
 		key_put(*auth_tok_key);
 
 		(*auth_tok_key) = NULL;
 
 		goto out;
 
@@ -1865,6 +1873,7 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
 
 find_next_matching_auth_tok:
 
 	found_auth_tok = 0;
 
 	if (auth_tok_key) {
 
+		up_write(&(auth_tok_key->sem));
 
 		key_put(auth_tok_key);
 
 		auth_tok_key = NULL;
 
 	}
 
@@ -1951,8 +1960,10 @@ found_matching_auth_tok:
 
 out_wipe_list:
 
 	wipe_auth_tok_list(&auth_tok_list);
 
 out:
 
-	if (auth_tok_key)
 
+	if (auth_tok_key) {
 
+		up_write(&(auth_tok_key->sem));
 
 		key_put(auth_tok_key);
 
+	}
 
 	return rc;
 
 }
 
 
@@ -2446,6 +2457,7 @@ ecryptfs_generate_key_packet_set(char *dest_base,
 
 			rc = -EINVAL;
 
 			goto out_free;
 
 		}
 
+		up_write(&(auth_tok_key->sem));
 
 		key_put(auth_tok_key);
 
 		auth_tok_key = NULL;
 
 	}
 
@@ -2460,8 +2472,10 @@ out_free:
 
 out:
 
 	if (rc)
 
 		(*len) = 0;
 
-	if (auth_tok_key)
 
+	if (auth_tok_key) {
 
+		up_write(&(auth_tok_key->sem));
 
 		key_put(auth_tok_key);
 
+	}
 
 
 	mutex_unlock(&crypt_stat->keysig_list_mutex);
 
 	return rc;

+ 3 - 1
fs/ecryptfs/main.c
View File 

@@ -254,8 +254,10 @@ static int ecryptfs_init_global_auth_toks(
 
 			       "option: [%s]\n", global_auth_tok->sig);
 
 			global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
 
 			goto out;
 
-		} else
 
+		} else {
 
 			global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
 
+			up_write(&(global_auth_tok->global_auth_tok_key)->sem);
 
+		}
 
 	}
 
 out:
 
 	return rc;