)]}' { "log": [ { "commit": "7371a38201d04124a9ff2cf05059731d7c1e35a5", "tree": "0a463fc73700c12c0e28299d2b214394e9bd7249", "parents": [ "f137f15072411618e37b338aa13e5ae43583bcf2" ], "author": { "name": "Jerome Marchand", "email": "jmarchan@redhat.com", "time": "Tue Aug 17 17:24:05 2010 +0200" }, "committer": { "name": "Tyler Hicks", "email": "tyhicks@linux.vnet.ibm.com", "time": "Fri Aug 27 10:50:52 2010 -0500" }, "message": "ecryptfs: properly mark init functions\n\nSome ecryptfs init functions are not prefixed by __init and thus not\nfreed after initialization. This patch saved about 1kB in ecryptfs\nmodule.\n\nSigned-off-by: Jerome Marchand \u003cjmarchan@redhat.com\u003e\nSigned-off-by: Tyler Hicks \u003ctyhicks@linux.vnet.ibm.com\u003e\n" }, { "commit": "a1275c3b21e433888994f7b979cd1129d384ec9c", "tree": "f9be251a845fb8377af6ff38a8747d329b6298bd", "parents": [ "9fe6206f400646a2322096b56c59891d530e8d51" ], "author": { "name": "Prarit Bhargava", "email": "prarit@redhat.com", "time": "Thu May 27 11:19:30 2010 -0400" }, "committer": { "name": "Tyler Hicks", "email": "tyhicks@linux.vnet.ibm.com", "time": "Mon Aug 09 10:33:03 2010 -0500" }, "message": "ecryptfs: Fix warning in ecryptfs_process_response()\n\nFix warning seen with \"make -j24 CONFIG_DEBUG_SECTION_MISMATCH\u003dy V\u003d1\":\n\nfs/ecryptfs/messaging.c: In function \u0027ecryptfs_process_response\u0027:\nfs/ecryptfs/messaging.c:276: warning: \u0027daemon\u0027 may be used uninitialized in this function\n\nSigned-off-by: Prarit Bhargava \u003cprarit@redhat.com\u003e\nSigned-off-by: Tyler Hicks \u003ctyhicks@linux.vnet.ibm.com\u003e\n" }, { "commit": "a6f80fb7b5986fda663d94079d3bba0937a6b6ff", "tree": "b8a44b0ed1560ae3f00f1ff4e342f43b7422bcc3", "parents": [ "6c50e1a49b4377b760ee46f824ed04b17be913e3" ], "author": { "name": "Andre Osterhues", "email": "aosterhues@escrypt.com", "time": "Tue Jul 13 15:59:17 2010 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jul 28 19:59:24 2010 -0700" }, "message": "ecryptfs: Bugfix for error related to ecryptfs_hash_buckets\n\nThe function ecryptfs_uid_hash wrongly assumes that the\nsecond parameter to hash_long() is the number of hash\nbuckets instead of the number of hash bits.\nThis patch fixes that and renames the variable\necryptfs_hash_buckets to ecryptfs_hash_bits to make it\nclearer.\n\nFixes: CVE-2010-2492\n\nSigned-off-by: Andre Osterhues \u003caosterhues@escrypt.com\u003e\nSigned-off-by: Tyler Hicks \u003ctyhicks@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "5a0e3ad6af8660be21ca98a971cd00f331318c05", "tree": "5bfb7be11a03176a87296a43ac6647975c00a1d1", "parents": [ "ed391f4ebf8f701d3566423ce8f17e614cde9806" ], "author": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Wed Mar 24 17:04:11 2010 +0900" }, "committer": { "name": "Tejun Heo", "email": "tj@kernel.org", "time": "Tue Mar 30 22:02:32 2010 +0900" }, "message": "include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h\n\npercpu.h is included by sched.h and module.h and thus ends up being\nincluded when building most .c files. percpu.h includes slab.h which\nin turn includes gfp.h making everything defined by the two files\nuniversally available and complicating inclusion dependencies.\n\npercpu.h -\u003e slab.h dependency is about to be removed. Prepare for\nthis change by updating users of gfp and slab facilities include those\nheaders directly instead of assuming availability. As this conversion\nneeds to touch large number of source files, the following script is\nused as the basis of conversion.\n\n http://userweb.kernel.org/~tj/misc/slabh-sweep.py\n\nThe script does the followings.\n\n* Scan files for gfp and slab usages and update includes such that\n only the necessary includes are there. ie. if only gfp is used,\n gfp.h, if slab is used, slab.h.\n\n* When the script inserts a new include, it looks at the include\n blocks and try to put the new include such that its order conforms\n to its surrounding. It\u0027s put in the include block which contains\n core kernel includes, in the same order that the rest are ordered -\n alphabetical, Christmas tree, rev-Xmas-tree or at the end if there\n doesn\u0027t seem to be any matching order.\n\n* If the script can\u0027t find a place to put a new include (mostly\n because the file doesn\u0027t have fitting include block), it prints out\n an error message indicating which .h file needs to be added to the\n file.\n\nThe conversion was done in the following steps.\n\n1. The initial automatic conversion of all .c files updated slightly\n over 4000 files, deleting around 700 includes and adding ~480 gfp.h\n and ~3000 slab.h inclusions. The script emitted errors for ~400\n files.\n\n2. Each error was manually checked. Some didn\u0027t need the inclusion,\n some needed manual addition while adding it to implementation .h or\n embedding .c file was more appropriate for others. This step added\n inclusions to around 150 files.\n\n3. The script was run again and the output was compared to the edits\n from #2 to make sure no file was left behind.\n\n4. Several build tests were done and a couple of problems were fixed.\n e.g. lib/decompress_*.c used malloc/free() wrappers around slab\n APIs requiring slab.h to be added manually.\n\n5. The script was run on all .h files but without automatically\n editing them as sprinkling gfp.h and slab.h inclusions around .h\n files could easily lead to inclusion dependency hell. Most gfp.h\n inclusion directives were ignored as stuff from gfp.h was usually\n wildly available and often used in preprocessor macros. Each\n slab.h inclusion directive was examined and added manually as\n necessary.\n\n6. percpu.h was updated not to include slab.h.\n\n7. Build test were done on the following configurations and failures\n were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my\n distributed build env didn\u0027t work with gcov compiles) and a few\n more options had to be turned off depending on archs to make things\n build (like ipr on powerpc/64 which failed due to missing writeq).\n\n * x86 and x86_64 UP and SMP allmodconfig and a custom test config.\n * powerpc and powerpc64 SMP allmodconfig\n * sparc and sparc64 SMP allmodconfig\n * ia64 SMP allmodconfig\n * s390 SMP allmodconfig\n * alpha SMP allmodconfig\n * um on x86_64 SMP allmodconfig\n\n8. percpu.h modifications were reverted so that it could be applied as\n a separate patch and serve as bisection point.\n\nGiven the fact that I had only a couple of failures from tests on step\n6, I\u0027m fairly confident about the coverage of this conversion patch.\nIf there is a breakage, it\u0027s likely to be something in one of the arch\nheaders which should be easily discoverable easily on most builds of\nthe specific arch.\n\nSigned-off-by: Tejun Heo \u003ctj@kernel.org\u003e\nGuess-its-ok-by: Christoph Lameter \u003ccl@linux-foundation.org\u003e\nCc: Ingo Molnar \u003cmingo@redhat.com\u003e\nCc: Lee Schermerhorn \u003cLee.Schermerhorn@hp.com\u003e\n" }, { "commit": "57ea34d19963781d05eb12f9b31bd4f70d61ec16", "tree": "5a912a7515234eb73147c32197ecbc7ca429bde8", "parents": [ "ae6e84596e7b321d9a08e81679c6a3f799634636" ], "author": { "name": "Tyler Hicks", "email": "tyhicks@linux.vnet.ibm.com", "time": "Sun Mar 15 14:17:01 2009 -0500" }, "committer": { "name": "Tyler Hicks", "email": "tyhicks@linux.vnet.ibm.com", "time": "Wed Apr 22 03:54:13 2009 -0500" }, "message": "eCryptfs: NULL pointer dereference in ecryptfs_send_miscdev()\n\nIf data is NULL, msg_ctx-\u003emsg is set to NULL and then dereferenced\nafterwards. ecryptfs_send_raw_message() is the only place that\necryptfs_send_miscdev() is called with data being NULL, but the only\ncaller of that function (ecryptfs_process_helo()) is never called. In\nshort, there is currently no way to trigger the NULL pointer\ndereference.\n\nThis patch removes the two unused functions and modifies\necryptfs_send_miscdev() to remove the NULL dereferences.\n\nSigned-off-by: Tyler Hicks \u003ctyhicks@linux.vnet.ibm.com\u003e\n" }, { "commit": "00fcf2cb6f6bb421851c3ba062c0a36760ea6e53", "tree": "741afc144a87af1aa7915d812924da7d7418611f", "parents": [ "e2801806de1c9c1d03b7d1bfcb2e01dd4d389e80" ], "author": { "name": "Johannes Weiner", "email": "hannes@cmpxchg.org", "time": "Tue Mar 31 15:24:42 2009 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Apr 01 08:59:23 2009 -0700" }, "message": "ecryptfs: use kzfree()\n\nUse kzfree() instead of memset() + kfree().\n\nSigned-off-by: Johannes Weiner \u003channes@cmpxchg.org\u003e\nReviewed-by: Pekka Enberg \u003cpenberg@cs.helsinki.fi\u003e\nAcked-by: Tyler Hicks \u003ctyhicks@linux.vnet.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "df261c52abdef147084c76ecf14473184e907547", "tree": "f1f423ba612dbacace82193f2b088252f169a9c6", "parents": [ "87c94c4df0149786ad91d8a03c738a03369ee9c8" ], "author": { "name": "Michael Halcrow", "email": "mhalcrow@us.ibm.com", "time": "Tue Jan 06 14:42:02 2009 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Jan 06 15:59:22 2009 -0800" }, "message": "eCryptfs: Replace %Z with %z\n\n%Z is a gcc-ism. Using %z instead.\n\nSigned-off-by: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nCc: Dustin Kirkland \u003cdustin.kirkland@gmail.com\u003e\nCc: Eric Sandeen \u003csandeen@redhat.com\u003e\nCc: Tyler Hicks \u003ctchicks@us.ibm.com\u003e\nCc: David Kleikamp \u003cshaggy@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "18b6e0414e42d95183f07d8177e3ff0241abd825", "tree": "91ca2f2d442055e31eb7bb551bf7060f3f4c4cc7", "parents": [ "9789cfe22e5d7bc10cad841a4ea96ecedb34b267" ], "author": { "name": "Serge Hallyn", "email": "serue@us.ibm.com", "time": "Wed Oct 15 16:38:45 2008 -0500" }, "committer": { "name": "Serge E. Hallyn", "email": "serue@us.ibm.com", "time": "Mon Nov 24 18:57:41 2008 -0500" }, "message": "User namespaces: set of cleanups (v2)\n\nThe user_ns is moved from nsproxy to user_struct, so that a struct\ncred by itself is sufficient to determine access (which it otherwise\nwould not be). Corresponding ecryptfs fixes (by David Howells) are\nhere as well.\n\nFix refcounting. The following rules now apply:\n 1. The task pins the user struct.\n 2. The user struct pins its user namespace.\n 3. The user namespace pins the struct user which created it.\n\nUser namespaces are cloned during copy_creds(). Unsharing a new user_ns\nis no longer possible. (We could re-add that, but it\u0027ll cause code\nduplication and doesn\u0027t seem useful if PAM doesn\u0027t need to clone user\nnamespaces).\n\nWhen a user namespace is created, its first user (uid 0) gets empty\nkeyrings and a clean group_info.\n\nThis incorporates a previous patch by David Howells. Here\nis his original patch description:\n\n\u003eI suggest adding the attached incremental patch. It makes the following\n\u003echanges:\n\u003e\n\u003e (1) Provides a current_user_ns() macro to wrap accesses to current\u0027s user\n\u003e namespace.\n\u003e\n\u003e (2) Fixes eCryptFS.\n\u003e\n\u003e (3) Renames create_new_userns() to create_user_ns() to be more consistent\n\u003e with the other associated functions and because the \u0027new\u0027 in the name is\n\u003e superfluous.\n\u003e\n\u003e (4) Moves the argument and permission checks made for CLONE_NEWUSER to the\n\u003e beginning of do_fork() so that they\u0027re done prior to making any attempts\n\u003e at allocation.\n\u003e\n\u003e (5) Calls create_user_ns() after prepare_creds(), and gives it the new creds\n\u003e to fill in rather than have it return the new root user. I don\u0027t imagine\n\u003e the new root user being used for anything other than filling in a cred\n\u003e struct.\n\u003e\n\u003e This also permits me to get rid of a get_uid() and a free_uid(), as the\n\u003e reference the creds were holding on the old user_struct can just be\n\u003e transferred to the new namespace\u0027s creator pointer.\n\u003e\n\u003e (6) Makes create_user_ns() reset the UIDs and GIDs of the creds under\n\u003e preparation rather than doing it in copy_creds().\n\u003e\n\u003eDavid\n\n\u003eSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n\nChangelog:\n\tOct 20: integrate dhowells comments\n\t\t1. leave thread_keyring alone\n\t\t2. use current_user_ns() in set_user()\n\nSigned-off-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\n" }, { "commit": "4eea03539d9a8e3f5056aed690efde1f75535e7b", "tree": "1dd58dee9a286459c7a70b8f82edcb63d20b2c07", "parents": [ "ec4c2aacd16672febca053109eb9ddf672108ca1" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Fri Nov 14 10:38:49 2008 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri Nov 14 10:38:49 2008 +1100" }, "message": "CRED: Wrap task credential accesses in the eCryptFS filesystem\n\nWrap access to task credentials so that they can be separated more easily from\nthe task_struct during the introduction of COW creds.\n\nChange most current-\u003e(|e|s|fs)[ug]id to current_(|e|s|fs)[ug]id().\n\nChange some task-\u003ee?[ug]id to task_e?[ug]id(). In some places it makes more\nsense to use RCU directly rather than a convenient wrapper; these will be\naddressed by later patches.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nCc: Mike Halcrow \u003cmhalcrow@us.ibm.com\u003e\nCc: Phillip Hellewell \u003cphillip@hellewell.homeip.net\u003e\nCc: ecryptfs-devel@lists.sourceforge.net\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "624ae5284516870657505103ada531c64dba2a9a", "tree": "1098d75abc1f4d335e2276dd9dde00a60ee568b5", "parents": [ "807b7ebe41ab80d96e89a53bc290d49613e56f48" ], "author": { "name": "Tyler Hicks", "email": "tyhicks@linux.vnet.ibm.com", "time": "Wed Oct 15 22:02:51 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu Oct 16 11:21:39 2008 -0700" }, "message": "eCryptfs: remove netlink transport\n\nThe netlink transport code has not worked for a while and the miscdev\ntransport is a simpler solution. This patch removes the netlink code and\nmakes the miscdev transport the only eCryptfs kernel to userspace\ntransport.\n\nSigned-off-by: Tyler Hicks \u003ctyhicks@linux.vnet.ibm.com\u003e\nCc: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nCc: Dustin Kirkland \u003ckirkland@canonical.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "6a3fd92e73fffd9e583650c56ad9558afe51dc5c", "tree": "d65917432ffd0e6223dab3500819205433de22bd", "parents": [ "f66e883eb6186bc43a79581b67aff7d1a69d0ff1" ], "author": { "name": "Michael Halcrow", "email": "mhalcrow@us.ibm.com", "time": "Tue Apr 29 00:59:52 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:07 2008 -0700" }, "message": "eCryptfs: make key module subsystem respect namespaces\n\nMake eCryptfs key module subsystem respect namespaces.\n\nSince I will be removing the netlink interface in a future patch, I just made\nchanges to the netlink.c code so that it will not break the build. With my\nrecent patches, the kernel module currently defaults to the device handle\ninterface rather than the netlink interface.\n\n[akpm@linux-foundation.org: export free_user_ns()]\nSigned-off-by: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f66e883eb6186bc43a79581b67aff7d1a69d0ff1", "tree": "9fc1fb65586ff334a1f8c1afb9a43edf077d338f", "parents": [ "8bf2debd5f7bf12d122124e34fec14af5b1e8ecf" ], "author": { "name": "Michael Halcrow", "email": "mhalcrow@us.ibm.com", "time": "Tue Apr 29 00:59:51 2008 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue Apr 29 08:06:07 2008 -0700" }, "message": "eCryptfs: integrate eCryptfs device handle into the module.\n\nUpdate the versioning information. Make the message types generic. Add an\noutgoing message queue to the daemon struct. Make the functions to parse\nand write the packet lengths available to the rest of the module. Add\nfunctions to create and destroy the daemon structs. Clean up some of the\ncomments and make the code a little more consistent with itself.\n\n[akpm@linux-foundation.org: printk fixes]\nSigned-off-by: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "c8161f64ccdcc3ac05c7bbfebc031e7ad5ca6412", "tree": "24adc1225b4f56b28533efe59ee357fe912403c5", "parents": [ "c525460e2754dbb33abe2b37d3d941126b2ea830" ], "author": { "name": "Eric Sandeen", "email": "sandeen@redhat.com", "time": "Sat Dec 22 14:03:26 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Sun Dec 23 12:54:37 2007 -0800" }, "message": "ecryptfs: fix unlocking in error paths\n\nThanks to Josef Bacik for finding these.\n\nA couple of ecryptfs error paths don\u0027t properly unlock things they locked.\n\nSigned-off-by: Eric Sandeen \u003csandeen@redhat.com\u003e\nCc: Josef Bacik \u003cjbacik@redhat.com\u003e\nCc: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "5dda6992a3138f3839dcaecbcd2fbea4dd514c7c", "tree": "c9ca012364edc18a2baed74721052b7da9d39f53", "parents": [ "45eaab79678b9e27e08f0cf250eb2df9d6a48df0" ], "author": { "name": "Michael Halcrow", "email": "mhalcrow@us.ibm.com", "time": "Tue Oct 16 01:28:06 2007 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Tue Oct 16 09:43:12 2007 -0700" }, "message": "eCryptfs: remove assignments in if-statements\n\nRemove assignments in if-statements.\n\nSigned-off-by: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "e8edc6e03a5c8562dc70a6d969f732bdb355a7e7", "tree": "fc86c863655128a7041dfe613d14393d761fa7b9", "parents": [ "ff1be9ad61e3e17ba83702d8ed0b534e5b8ee15c" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Mon May 21 01:22:52 2007 +0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon May 21 09:18:19 2007 -0700" }, "message": "Detach sched.h from mm.h\n\nFirst thing mm.h does is including sched.h solely for can_do_mlock() inline\nfunction which has \"current\" dereference inside. By dealing with can_do_mlock()\nmm.h can be detached from sched.h which is good. See below, why.\n\nThis patch\na) removes unconditional inclusion of sched.h from mm.h\nb) makes can_do_mlock() normal function in mm/mlock.c\nc) exports can_do_mlock() to not break compilation\nd) adds sched.h inclusions back to files that were getting it indirectly.\ne) adds less bloated headers to some files (asm/signal.h, jiffies.h) that were\n getting them indirectly\n\nNet result is:\na) mm.h users would get less code to open, read, preprocess, parse, ... if\n they don\u0027t need sched.h\nb) sched.h stops being dependency for significant number of files:\n on x86_64 allmodconfig touching sched.h results in recompile of 4083 files,\n after patch it\u0027s only 3744 (-8.3%).\n\nCross-compile tested on\n\n\tall arm defconfigs, all mips defconfigs, all powerpc defconfigs,\n\talpha alpha-up\n\tarm\n\ti386 i386-up i386-defconfig i386-allnoconfig\n\tia64 ia64-up\n\tm68k\n\tmips\n\tparisc parisc-up\n\tpowerpc powerpc-up\n\ts390 s390-up\n\tsparc sparc-up\n\tsparc64 sparc64-up\n\tum-x86_64\n\tx86_64 x86_64-up x86_64-defconfig x86_64-allnoconfig\n\nas well as my two usual configs.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "008983d9669b80ac628b6b09ce4d78e75844b294", "tree": "53e3cade52b4249b20057524106be3caefe43e98", "parents": [ "eb95e7ffa50fa2921ef1845a5dcb2fe5b21e83a2" ], "author": { "name": "Thomas Hisch", "email": "t.hisch@gmail.com", "time": "Fri Feb 16 01:28:41 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Fri Feb 16 08:14:01 2007 -0800" }, "message": "[PATCH] ecryptfs: fix forgotten format specifier\n\nAdd format specifier %d for uid in ecryptfs_printk\n\nSigned-off-by: Thomas Hisch \u003ct.hisch@gmail.com\u003e\nCc: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "dd2a3b7ad98f8482cae481cad89dfed5eee48365", "tree": "986c09754176ea4c6e8308c6e2cdbf3fc0658a0b", "parents": [ "17398957aa0a05ef62535060b41d103590dcc533" ], "author": { "name": "Michael Halcrow", "email": "mhalcrow@us.ibm.com", "time": "Mon Feb 12 00:53:46 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Feb 12 09:48:36 2007 -0800" }, "message": "[PATCH] eCryptfs: Generalize metadata read/write\n\nGeneralize the metadata reading and writing mechanisms, with two targets for\nnow: metadata in file header and metadata in the user.ecryptfs xattr of the\nlower file.\n\n[akpm@osdl.org: printk warning fix]\n[bunk@stusta.de: make some needlessly global code static]\nSigned-off-by: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "dddfa461fc8951f9b5f951c13565b6cac678635a", "tree": "eaf51d6825bd97087b9c700f7010ed08e3f83047", "parents": [ "88b4a07e6610f4c93b08b0bb103318218db1e9f6" ], "author": { "name": "Michael Halcrow", "email": "mhalcrow@us.ibm.com", "time": "Mon Feb 12 00:53:44 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Feb 12 09:48:36 2007 -0800" }, "message": "[PATCH] eCryptfs: Public key; packet management\n\nPublic key support code. This reads and writes packets in the header that\ncontain public key encrypted file keys. It calls the messaging code in the\nprevious patch to send and receive encryption and decryption request\npackets from the userspace daemon.\n\n[akpm@osdl.org: cleab fix]\nSigned-off-by: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "88b4a07e6610f4c93b08b0bb103318218db1e9f6", "tree": "32e2f2650bd4841ba6b2fafc724c2806219351b4", "parents": [ "b5d5dfbd59577aed72263f22e28d3eaf98e1c6e5" ], "author": { "name": "Michael Halcrow", "email": "mhalcrow@us.ibm.com", "time": "Mon Feb 12 00:53:43 2007 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@woody.linux-foundation.org", "time": "Mon Feb 12 09:48:36 2007 -0800" }, "message": "[PATCH] eCryptfs: Public key transport mechanism\n\nThis is the transport code for public key functionality in eCryptfs. It\nmanages encryption/decryption request queues with a transport mechanism.\nCurrently, netlink is the only implemented transport.\n\nEach inode has a unique File Encryption Key (FEK). Under passphrase, a File\nEncryption Key Encryption Key (FEKEK) is generated from a salt/passphrase\ncombo on mount. This FEKEK encrypts each FEK and writes it into the header of\neach file using the packet format specified in RFC 2440. This is all\nsymmetric key encryption, so it can all be done via the kernel crypto API.\n\nThese new patches introduce public key encryption of the FEK. There is no\nasymmetric key encryption support in the kernel crypto API, so eCryptfs pushes\nthe FEK encryption and decryption out to a userspace daemon. After\nconsidering our requirements and determining the complexity of using various\ntransport mechanisms, we settled on netlink for this communication.\n\neCryptfs stores authentication tokens into the kernel keyring. These tokens\ncorrelate with individual keys. For passphrase mode of operation, the\nauthentication token contains the symmetric FEKEK. For public key, the\nauthentication token contains a PKI type and an opaque data blob managed by\nindividual PKI modules in userspace.\n\nEach user who opens a file under an eCryptfs partition mounted in public key\nmode must be running a daemon. That daemon has the user\u0027s credentials and has\naccess to all of the keys to which the user should have access. The daemon,\nwhen started, initializes the pluggable PKI modules available on the system\nand registers itself with the eCryptfs kernel module. Userspace utilities\nregister public key authentication tokens into the user session keyring.\nThese authentication tokens correlate key signatures with PKI modules and PKI\nblobs. The PKI blobs contain PKI-specific information necessary for the PKI\nmodule to carry out asymmetric key encryption and decryption.\n\nWhen the eCryptfs module parses the header of an existing file and finds a Tag\n1 (Public Key) packet (see RFC 2440), it reads in the public key identifier\n(signature). The asymmetrically encrypted FEK is in the Tag 1 packet;\neCryptfs puts together a decrypt request packet containing the signature and\nthe encrypted FEK, then it passes it to the daemon registered for the\ncurrent-\u003eeuid via a netlink unicast to the PID of the daemon, which was\nregistered at the time the daemon was started by the user.\n\nThe daemon actually just makes calls to libecryptfs, which implements request\npacket parsing and manages PKI modules. libecryptfs grabs the public key\nauthentication token for the given signature from the user session keyring.\nThis auth tok tells libecryptfs which PKI module should receive the request.\nlibecryptfs then makes a decrypt() call to the PKI module, and it passes along\nthe PKI block from the auth tok. The PKI uses the blob to figure out how it\nshould decrypt the data passed to it; it performs the decryption and passes\nthe decrypted data back to libecryptfs. libecryptfs then puts together a\nreply packet with the decrypted FEK and passes that back to the eCryptfs\nmodule.\n\nThe eCryptfs module manages these request callouts to userspace code via\nmessage context structs. The module maintains an array of message context\nstructs and places the elements of the array on two lists: a free and an\nallocated list. When eCryptfs wants to make a request, it moves a msg ctx\nfrom the free list to the allocated list, sets its state to pending, and fires\noff the message to the user\u0027s registered daemon.\n\nWhen eCryptfs receives a netlink message (via the callback), it correlates the\nmsg ctx struct in the alloc list with the data in the message itself. The\nmsg-\u003eindex contains the offset of the array of msg ctx structs. It verifies\nthat the registered daemon PID is the same as the PID of the process that sent\nthe message. It also validates a sequence number between the received packet\nand the msg ctx. Then, it copies the contents of the message (the reply\npacket) into the msg ctx struct, sets the state in the msg ctx to done, and\nwakes up the process that was sleeping while waiting for the reply.\n\nThe sleeping process was whatever was performing the sys_open(). This process\noriginally called ecryptfs_send_message(); it is now in\necryptfs_wait_for_response(). When it wakes up and sees that the msg ctx\nstate was set to done, it returns a pointer to the message contents (the reply\npacket) and returns. If all went well, this packet contains the decrypted\nFEK, which is then copied into the crypt_stat struct, and life continues as\nnormal.\n\nThe case for creation of a new file is very similar, only instead of a decrypt\nrequest, eCryptfs sends out an encrypt request.\n\n\u003e - We have a great clod of key mangement code in-kernel. Why is that\n\u003e not suitable (or growable) for public key management?\n\neCryptfs uses Howells\u0027 keyring to store persistent key data and PKI state\ninformation. It defers public key cryptographic transformations to userspace\ncode. The userspace data manipulation request really is orthogonal to key\nmanagement in and of itself. What eCryptfs basically needs is a secure way to\ncommunicate with a particular daemon for a particular task doing a syscall,\nbased on the UID. Nothing running under another UID should be able to access\nthat channel of communication.\n\n\u003e - Is it appropriate that new infrastructure for public key\n\u003e management be private to a particular fs?\n\nThe messaging.c file contains a lot of code that, perhaps, could be extracted\ninto a separate kernel service. In essence, this would be a sort of\nrequest/reply mechanism that would involve a userspace daemon. I am not aware\nof anything that does quite what eCryptfs does, so I was not aware of any\nexisting tools to do just what we wanted.\n\n\u003e What happens if one of these daemons exits without sending a quit\n\u003e message?\n\nThere is a stale uid\u003c-\u003epid association in the hash table for that user. When\nthe user registers a new daemon, eCryptfs cleans up the old association and\ngenerates a new one. See ecryptfs_process_helo().\n\n\u003e - _why_ does it use netlink?\n\nNetlink provides the transport mechanism that would minimize the complexity of\nthe implementation, given that we can have multiple daemons (one per user). I\nexplored the possibility of using relayfs, but that would involve having to\nintroduce control channels and a protocol for creating and tearing down\nchannels for the daemons. We do not have to worry about any of that with\nnetlink.\n\nSigned-off-by: Michael Halcrow \u003cmhalcrow@us.ibm.com\u003e\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" } ] }