<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/ecryptfs, branch v3.16.40</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>fs: Give dentry to inode_change_ok() instead of inode</title>
<updated>2017-02-23T03:53:52+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-05-26T14:55:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=50b070e8224f7bf86622ede1abee9fa3d3dc2f10'/>
<id>50b070e8224f7bf86622ede1abee9fa3d3dc2f10</id>
<content type='text'>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be responsible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better reflect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be responsible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better reflect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Revert "fs: Give dentry to inode_change_ok() instead of inode"</title>
<updated>2017-02-23T03:53:52+00:00</updated>
<author>
<name>Ben Hutchings</name>
<email>ben@decadent.org.uk</email>
</author>
<published>2016-11-30T23:13:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1c608c2d1aefca2bf63497663e17cfb49e6b022c'/>
<id>1c608c2d1aefca2bf63497663e17cfb49e6b022c</id>
<content type='text'>
This reverts commit be9df699432235753c3824b0f5a27d46de7fdc9e, which was
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.  The backport
breaks fuse and makes a mess of xfs, which can be improved by picking
further upstream commits as I should have done in the first place.

Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This reverts commit be9df699432235753c3824b0f5a27d46de7fdc9e, which was
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.  The backport
breaks fuse and makes a mess of xfs, which can be improved by picking
further upstream commits as I should have done in the first place.

Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fs: Give dentry to inode_change_ok() instead of inode</title>
<updated>2016-11-20T01:17:38+00:00</updated>
<author>
<name>Jan Kara</name>
<email>jack@suse.cz</email>
</author>
<published>2016-05-26T14:55:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=be9df699432235753c3824b0f5a27d46de7fdc9e'/>
<id>be9df699432235753c3824b0f5a27d46de7fdc9e</id>
<content type='text'>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be responsible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better reflect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In fuse, pass dentry to fuse_do_setattr()
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - In xfs, pass dentry to xfs_setattr_nonsize() and xfs_setattr_size()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 31051c85b5e2aaaf6315f74c72a732673632a905 upstream.

inode_change_ok() will be responsible for clearing capabilities and IMA
extended attributes and as such will need dentry. Give it as an argument
to inode_change_ok() instead of an inode. Also rename inode_change_ok()
to setattr_prepare() to better reflect that it does also some
modifications in addition to checks.

Reviewed-by: Christoph Hellwig &lt;hch@lst.de&gt;
Signed-off-by: Jan Kara &lt;jack@suse.cz&gt;
[bwh: Backported to 3.16:
 - Drop changes to orangefs, overlayfs
 - Adjust filenames, context
 - In fuse, pass dentry to fuse_do_setattr()
 - In nfsd, pass dentry to nfsd_sanitize_attrs()
 - In xfs, pass dentry to xfs_setattr_nonsize() and xfs_setattr_size()
 - Update ext3 as well]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fs: limit filesystem stacking depth</title>
<updated>2016-08-22T21:38:27+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@suse.cz</email>
</author>
<published>2014-10-23T22:14:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=54c202bbeb9a00042d374561c6bf2bf5d586fc11'/>
<id>54c202bbeb9a00042d374561c6bf2bf5d586fc11</id>
<content type='text'>
commit 69c433ed2ecd2d3264efd7afec4439524b319121 upstream.

Add a simple read-only counter to super_block that indicates how deep this
is in the stack of filesystems.  Previously ecryptfs was the only stackable
filesystem and it explicitly disallowed multiple layers of itself.

Overlayfs, however, can be stacked recursively and also may be stacked
on top of ecryptfs or vice versa.

To limit the kernel stack usage we must limit the depth of the
filesystem stack.  Initially the limit is set to 2.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
[bwh: Backported to 3.16: drop changes to overlayfs]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 69c433ed2ecd2d3264efd7afec4439524b319121 upstream.

Add a simple read-only counter to super_block that indicates how deep this
is in the stack of filesystems.  Previously ecryptfs was the only stackable
filesystem and it explicitly disallowed multiple layers of itself.

Overlayfs, however, can be stacked recursively and also may be stacked
on top of ecryptfs or vice versa.

To limit the kernel stack usage we must limit the depth of the
filesystem stack.  Initially the limit is set to 2.

Signed-off-by: Miklos Szeredi &lt;mszeredi@suse.cz&gt;
[bwh: Backported to 3.16: drop changes to overlayfs]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ecryptfs: don't allow mmap when the lower fs doesn't support it</title>
<updated>2016-08-22T21:38:26+00:00</updated>
<author>
<name>Jeff Mahoney</name>
<email>jeffm@suse.com</email>
</author>
<published>2016-07-05T21:32:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d9ce899cd99c1b22fb991a5942a1e0e504f6f498'/>
<id>d9ce899cd99c1b22fb991a5942a1e0e504f6f498</id>
<content type='text'>
commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b upstream.

There are legitimate reasons to disallow mmap on certain files, notably
in sysfs or procfs.  We shouldn't emulate mmap support on file systems
that don't offer support natively.

CVE-2016-1583

Signed-off-by: Jeff Mahoney &lt;jeffm@suse.com&gt;
[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b upstream.

There are legitimate reasons to disallow mmap on certain files, notably
in sysfs or procfs.  We shouldn't emulate mmap support on file systems
that don't offer support natively.

CVE-2016-1583

Signed-off-by: Jeff Mahoney &lt;jeffm@suse.com&gt;
[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: Invalidate dcache entries when lower i_nlink is zero</title>
<updated>2015-09-28T09:21:45+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2015-08-05T16:26:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=707c89b28d46043e152c61c59d6001892bae3762'/>
<id>707c89b28d46043e152c61c59d6001892bae3762</id>
<content type='text'>
commit 5556e7e6d30e8e9b5ee51b0e5edd526ee80e5e36 upstream.

Consider eCryptfs dcache entries to be stale when the corresponding
lower inode's i_nlink count is zero. This solves a problem caused by the
lower inode being directly modified, without going through the eCryptfs
mount, leaving stale eCryptfs dentries cached and the eCryptfs inode's
i_nlink count not being cleared.

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Reported-by: Richard Weinberger &lt;richard@nod.at&gt;
[ luis: backported to 3.16:
  - use dentry-&gt;d_inode instead of d_inode(dentry)
  - adjusted context ]
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5556e7e6d30e8e9b5ee51b0e5edd526ee80e5e36 upstream.

Consider eCryptfs dcache entries to be stale when the corresponding
lower inode's i_nlink count is zero. This solves a problem caused by the
lower inode being directly modified, without going through the eCryptfs
mount, leaving stale eCryptfs dentries cached and the eCryptfs inode's
i_nlink count not being cleared.

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Reported-by: Richard Weinberger &lt;richard@nod.at&gt;
[ luis: backported to 3.16:
  - use dentry-&gt;d_inode instead of d_inode(dentry)
  - adjusted context ]
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: don't pass fs-specific ioctl commands through</title>
<updated>2015-03-18T15:06:34+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2015-02-25T01:28:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1c28096ab939dfbd88e3e262ef58f5c5f3496d74'/>
<id>1c28096ab939dfbd88e3e262ef58f5c5f3496d74</id>
<content type='text'>
commit 6d65261a09adaa374c05de807f73a144d783669e upstream.

eCryptfs can't be aware of what to expect after passing an
arbitrary ioctl command through to the lower filesystem. The ioctl
command may trigger an action in the lower filesystem that is
incompatible with eCryptfs.

One specific example is when one attempts to use the Btrfs clone
ioctl command when the source file is in the Btrfs filesystem that
eCryptfs is mounted on top of and the destination fd is from a new file
created in the eCryptfs mount. The ioctl syscall incorrectly returns
success because the command is passed down to Btrfs which thinks that it
was able to do the clone operation. However, the result is an empty
eCryptfs file.

This patch allows the trim, {g,s}etflags, and {g,s}etversion ioctl
commands through and then copies up the inode metadata from the lower
inode to the eCryptfs inode to catch any changes made to the lower
inode's metadata. Those five ioctl commands are mostly common across all
filesystems but the whitelist may need to be further pruned in the
future.

https://bugzilla.kernel.org/show_bug.cgi?id=93691
https://launchpad.net/bugs/1305335

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Cc: Rocko &lt;rockorequin@hotmail.com&gt;
Cc: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6d65261a09adaa374c05de807f73a144d783669e upstream.

eCryptfs can't be aware of what to expect after passing an
arbitrary ioctl command through to the lower filesystem. The ioctl
command may trigger an action in the lower filesystem that is
incompatible with eCryptfs.

One specific example is when one attempts to use the Btrfs clone
ioctl command when the source file is in the Btrfs filesystem that
eCryptfs is mounted on top of and the destination fd is from a new file
created in the eCryptfs mount. The ioctl syscall incorrectly returns
success because the command is passed down to Btrfs which thinks that it
was able to do the clone operation. However, the result is an empty
eCryptfs file.

This patch allows the trim, {g,s}etflags, and {g,s}etversion ioctl
commands through and then copies up the inode metadata from the lower
inode to the eCryptfs inode to catch any changes made to the lower
inode's metadata. Those five ioctl commands are mostly common across all
filesystems but the whitelist may need to be further pruned in the
future.

https://bugzilla.kernel.org/show_bug.cgi?id=93691
https://launchpad.net/bugs/1305335

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Cc: Rocko &lt;rockorequin@hotmail.com&gt;
Cc: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ecryptfs: -&gt;f_op is never NULL</title>
<updated>2015-03-18T15:06:31+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2014-09-02T21:31:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ae4538c2e24df982bca82b26c5049f4f11bdf0bf'/>
<id>ae4538c2e24df982bca82b26c5049f4f11bdf0bf</id>
<content type='text'>
commit c2e3f5d5f4620bb6568bc559f712ce80222e20cb upstream.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
[ luis: 3.16-stable, just to make 6d65261a09ad ("eCryptfs: don't pass
  fs-specific ioctl commands through") a clean cherry-pick ]
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c2e3f5d5f4620bb6568bc559f712ce80222e20cb upstream.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
[ luis: 3.16-stable, just to make 6d65261a09ad ("eCryptfs: don't pass
  fs-specific ioctl commands through") a clean cherry-pick ]
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: Remove buggy and unnecessary write in file name decode routine</title>
<updated>2015-01-15T10:44:18+00:00</updated>
<author>
<name>Michael Halcrow</name>
<email>mhalcrow@google.com</email>
</author>
<published>2014-11-26T17:09:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ea447345243f8e594c45d413364832a01b3d9751'/>
<id>ea447345243f8e594c45d413364832a01b3d9751</id>
<content type='text'>
commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.

Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
end of the allocated buffer during encrypted filename decoding. This
fix corrects the issue by getting rid of the unnecessary 0 write when
the current bit offset is 2.

Signed-off-by: Michael Halcrow &lt;mhalcrow@google.com&gt;
Reported-by: Dmitry Chernenkov &lt;dmitryc@google.com&gt;
Suggested-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 942080643bce061c3dd9d5718d3b745dcb39a8bc upstream.

Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
end of the allocated buffer during encrypted filename decoding. This
fix corrects the issue by getting rid of the unnecessary 0 write when
the current bit offset is 2.

Signed-off-by: Michael Halcrow &lt;mhalcrow@google.com&gt;
Reported-by: Dmitry Chernenkov &lt;dmitryc@google.com&gt;
Suggested-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: Force RO mount when encrypted view is enabled</title>
<updated>2015-01-15T10:44:17+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@canonical.com</email>
</author>
<published>2014-10-07T20:51:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=52676ee1dba6ff4370efea47abe894416396b4cd'/>
<id>52676ee1dba6ff4370efea47abe894416396b4cd</id>
<content type='text'>
commit 332b122d39c9cbff8b799007a825d94b2e7c12f2 upstream.

The ecryptfs_encrypted_view mount option greatly changes the
functionality of an eCryptfs mount. Instead of encrypting and decrypting
lower files, it provides a unified view of the encrypted files in the
lower filesystem. The presence of the ecryptfs_encrypted_view mount
option is intended to force a read-only mount and modifying files is not
supported when the feature is in use. See the following commit for more
information:

  e77a56d [PATCH] eCryptfs: Encrypted passthrough

This patch forces the mount to be read-only when the
ecryptfs_encrypted_view mount option is specified by setting the
MS_RDONLY flag on the superblock. Additionally, this patch removes some
broken logic in ecryptfs_open() that attempted to prevent modifications
of files when the encrypted view feature was in use. The check in
ecryptfs_open() was not sufficient to prevent file modifications using
system calls that do not operate on a file descriptor.

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Reported-by: Priya Bansal &lt;p.bansal@samsung.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 332b122d39c9cbff8b799007a825d94b2e7c12f2 upstream.

The ecryptfs_encrypted_view mount option greatly changes the
functionality of an eCryptfs mount. Instead of encrypting and decrypting
lower files, it provides a unified view of the encrypted files in the
lower filesystem. The presence of the ecryptfs_encrypted_view mount
option is intended to force a read-only mount and modifying files is not
supported when the feature is in use. See the following commit for more
information:

  e77a56d [PATCH] eCryptfs: Encrypted passthrough

This patch forces the mount to be read-only when the
ecryptfs_encrypted_view mount option is specified by setting the
MS_RDONLY flag on the superblock. Additionally, this patch removes some
broken logic in ecryptfs_open() that attempted to prevent modifications
of files when the encrypted view feature was in use. The check in
ecryptfs_open() was not sufficient to prevent file modifications using
system calls that do not operate on a file descriptor.

Signed-off-by: Tyler Hicks &lt;tyhicks@canonical.com&gt;
Reported-by: Priya Bansal &lt;p.bansal@samsung.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
