[Ecryptfs-devel] [PATCH] modify eCryptfs to use the SESSION keyring

Trevor Highland Sat, 20 Oct 2007 14:38:08 -0700

Hi all,

This patch changes eCryptfs to use the session keyring rather than the user
keyring.  The path to the ecryptfsd is currently hardcoded.  The path should
be determined based on where ecryptfsd will be installed, but I was sure how
to do that.


Trevor

From c8aae4e14a6c1c0f5a3612b30114ed51ea868d50 Mon Sep 17 00:00:00 2001
From: Trevor Highland <[EMAIL PROTECTED]>
Date: Sat, 20 Oct 2007 16:29:47 -0500
Subject: [PATCH] modify eCryptfs to use the SESSION keyring instead of the USER 
keyring

---
 src/include/ecryptfs.h            |    4 ++-
 src/libecryptfs/key_management.c  |   24 +++-----------------
 src/libecryptfs/main.c            |   43 +++++++++++++++++++++++++++++++++++++
 src/libecryptfs/netlink_packets.c |    2 +-
 src/utils/io.c                    |    2 +
 src/utils/manager.c               |   22 +++++++++++++-----
 src/utils/mount.ecryptfs.c        |   16 ++++++-------
 7 files changed, 76 insertions(+), 37 deletions(-)

diff --git a/src/include/ecryptfs.h b/src/include/ecryptfs.h
index ed5616f..ce20d78 100644
--- a/src/include/ecryptfs.h
+++ b/src/include/ecryptfs.h
@@ -131,6 +131,8 @@
 
 #define ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME "wrapped-passphrase"
 
+#define ECRYPTFSD_PATHNAME "/usr/bin/ecryptfsd"
+
 extern int ecryptfs_verbosity;
 
 /**
@@ -377,6 +379,7 @@ enum main_menu_enum {
        MME_MOUNT_PASSPHRASE,
        MME_MOUNT_PUBKEY,
        MME_GEN_PUBKEY,
+       MME_ECRYPTFSD,
        MME_ABORT
 };
 
@@ -461,7 +464,6 @@ int ecryptfs_insert_wrapped_passphrase_into_keyring(
        char *auth_tok_sig, char *filename, char *wrapping_passphrase,
        char *salt);
 struct ecryptfs_key_mod_ops *passphrase_get_key_mod_ops(void);
-int ecryptfs_validate_keyring(void);
 #define ECRYPTFS_SHM_KEY 0x3c81b7f5
 #define ECRYPTFS_SEM_KEY 0x3c81b7f6
 #define ECRYPTFS_SHM_SIZE 4096
diff --git a/src/libecryptfs/key_management.c b/src/libecryptfs/key_management.c
index acedc26..d37ece3 100644
--- a/src/libecryptfs/key_management.c
+++ b/src/libecryptfs/key_management.c
@@ -62,7 +62,7 @@ int ecryptfs_add_passphrase_key_to_keyring(char 
*auth_tok_sig, char *passphrase,
                rc = (rc < 0) ? rc : rc * -1;
                goto out;
        }
-       rc = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user", auth_tok_sig, 0);
+       rc = (int)keyctl_search(KEY_SPEC_SESSION_KEYRING, "user", auth_tok_sig, 
0);
        if (rc != -1) { /* we already have this key in keyring; we're done */
                rc = 1;
                syslog(LOG_WARNING, "Passphrase key already in keyring\n", rc);
@@ -89,7 +89,7 @@ int ecryptfs_add_passphrase_key_to_keyring(char 
*auth_tok_sig, char *passphrase,
                goto out_wipe;
        }
        rc = add_key("user", auth_tok_sig, (void *)auth_tok,
-                    sizeof(struct ecryptfs_auth_tok), KEY_SPEC_USER_KEYRING);
+                    sizeof(struct ecryptfs_auth_tok), 
KEY_SPEC_SESSION_KEYRING);
        if (rc == -1) {
                int errnum = errno;
 
@@ -389,14 +389,14 @@ ecryptfs_add_key_module_key_to_keyring(char *auth_tok_sig,
                       "rc = [%d]\n", rc);
                goto out;
        }
-       rc = (int)keyctl_search(KEY_SPEC_USER_KEYRING, "user", auth_tok_sig, 0);
+       rc = (int)keyctl_search(KEY_SPEC_SESSION_KEYRING, "user", auth_tok_sig, 
0);
        if (rc != -1) { /* we already have this key in keyring; we're done */
                rc = 1;
                goto out;
        }
        rc = add_key("user", auth_tok_sig, (void *)auth_tok,
                     (sizeof(struct ecryptfs_auth_tok) + blob_size),
-                    KEY_SPEC_USER_KEYRING);
+                    KEY_SPEC_SESSION_KEYRING);
        if (rc < 0)
                syslog(LOG_ERR, "Error adding key with sig [%s]; rc ="
                       " [%d]\n", auth_tok_sig, rc);
@@ -501,19 +501,3 @@ int ecryptfs_append_sig(char *auth_tok_sig, char 
*sig_cache_filename)
 out:
        return rc;
 }
-
-int ecryptfs_validate_keyring(void)
-{
-       long rc_long;
-       int rc = 0;
-
-       if ((rc_long = keyctl(KEYCTL_LINK, KEY_SPEC_USER_KEYRING,
-                             KEY_SPEC_SESSION_KEYRING))) {
-               syslog(LOG_ERR, "Error attempting to link the user session "
-                      "keyring into the session keyring\n");
-               rc = -EIO;
-               goto out;
-       }
-out:
-       return rc;
-}
diff --git a/src/libecryptfs/main.c b/src/libecryptfs/main.c
index 8c9988e..d5a0f86 100644
--- a/src/libecryptfs/main.c
+++ b/src/libecryptfs/main.c
@@ -880,6 +880,49 @@ out:
        return rc;
 }
 
+int ecryptfs_start_ecryptfsd(char *sig)
+{
+       int rc = 0;
+       struct ecryptfs_auth_tok *auth_tok = NULL;
+       key_serial_t key_sub;
+       int errnum;
+
+       syslog(LOG_ERR, "Could not find key with signature: [%s]\n", sig);
+       key_sub = request_key("user", sig, NULL, KEY_SPEC_SESSION_KEYRING);
+       if (key_sub < 0) {
+               syslog(LOG_ERR, "Could not find key with signature: "
+                      "[%s]\n", sig);
+               rc = -EINVAL;
+               goto out;
+       }
+       rc = keyctl_read_alloc(key_sub, (void **)(&auth_tok));
+       if (rc == -1) {
+               errnum = errno;
+               syslog(LOG_ERR, "error reading key payload [%s]\n",
+                       strerror(errnum));
+               goto out;
+       }
+       if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY ) {
+               char *cmd[] = {"ecryptfsd", NULL};
+               char *env[] = {NULL};
+               rc = fork();
+               if (rc == 0) {
+                       execve(ECRYPTFSD_PATHNAME, cmd, env);
+               } else if (rc == -1) {
+                       errnum = errno;
+                       syslog(LOG_ERR, "error starting eCryptfsd [%s]\n",
+                               errnum);
+               }
+               rc = 0;
+       }
+       memset(auth_tok, 0, (sizeof(struct ecryptfs_auth_tok)
+                            + auth_tok->token.private_key.data_len));
+       free(auth_tok);
+out:
+       return rc;
+       
+}
+
 static struct ecryptfs_ctx_ops ctx_ops;
 
 struct ecryptfs_ctx_ops *cryptfs_get_ctx_opts (void)
diff --git a/src/libecryptfs/netlink_packets.c 
b/src/libecryptfs/netlink_packets.c
index 3132501..82247f9 100644
--- a/src/libecryptfs/netlink_packets.c
+++ b/src/libecryptfs/netlink_packets.c
@@ -374,7 +374,7 @@ int parse_packet(struct ecryptfs_ctx *ctx,
        }
        memcpy(key, &emsg->data[i], key_size);
        i += key_size;
-       key_sub = request_key("user", signature, NULL, KEY_SPEC_USER_KEYRING);
+       key_sub = request_key("user", signature, NULL, 
KEY_SPEC_SESSION_KEYRING);
        if (key_sub < 0) {
                syslog(LOG_ERR, "Could not find key with signature: "
                       "[%s]\n", signature);
diff --git a/src/utils/io.c b/src/utils/io.c
index 6a70f8d..51620c2 100644
--- a/src/utils/io.c
+++ b/src/utils/io.c
@@ -151,6 +151,7 @@ int manager_menu(void)
        printf("\t%d. Add passphrase key to keyring\n", MME_MOUNT_PASSPHRASE);
        printf("\t%d. Add public key to keyring\n", MME_MOUNT_PUBKEY);
        printf("\t%d. Generate new public/private keypair\n", MME_GEN_PUBKEY);
+       printf("\t%d. Start eCryptfs daemon\n", MME_ECRYPTFSD);
        printf("\t%d. Exit\n", MME_ABORT);
 try_again:
        printf("\nMake selection: ");
@@ -165,6 +166,7 @@ try_again:
        case MME_MOUNT_PASSPHRASE:
        case MME_MOUNT_PUBKEY:
        case MME_GEN_PUBKEY:
+       case MME_ECRYPTFSD:
        case MME_ABORT:
                break;
        default:
diff --git a/src/utils/manager.c b/src/utils/manager.c
index 7f9d441..141c8bc 100644
--- a/src/utils/manager.c
+++ b/src/utils/manager.c
@@ -26,6 +26,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 #include <sys/mman.h>
 #include "config.h"
 #include "../include/ecryptfs.h"
@@ -34,7 +35,7 @@
 
 int main(int argc, char **argv)
 {
-       int quit, rc, selection;
+       int quit, rc, selection, errnum;
        uint32_t version;
        char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH];
        char salt[ECRYPTFS_SALT_SIZE];
@@ -42,12 +43,9 @@ int main(int argc, char **argv)
        struct ecryptfs_key_mod *key_mod = NULL;
        struct val_node *dummy_mnt_params;
        char auth_tok_sig[ECRYPTFS_SIG_SIZE_HEX+1];
+       char *cmd[] = {"ecryptfsd", NULL};
+       char *env[] = {NULL};
 
-       if ((rc = ecryptfs_validate_keyring())) {
-               printf("Error attempting to validate keyring integrity; "
-                      "rc = [%d]\n", rc);
-               return 1;
-       }
        memset(passphrase, 0, ECRYPTFS_MAX_PASSWORD_LENGTH);
        memset(salt, 0, ECRYPTFS_SALT_SIZE);
 selection:
@@ -127,6 +125,18 @@ selection:
                }
                printf("Returning to main menu\n");
                goto selection;
+       case MME_ECRYPTFSD:
+               rc = fork();
+               if (rc == 0) {
+                       execve(ECRYPTFSD_PATHNAME, cmd, env);
+               } else if (rc == -1) {
+               errnum = errno;
+               syslog(LOG_ERR, "error starting eCryptfsd [%s]\n",
+                       errnum);
+               }
+               rc = 0;
+               printf("Returning to main menu\n");
+               goto selection;
        case MME_ABORT:
                quit = 1;
                goto out_wipe;
diff --git a/src/utils/mount.ecryptfs.c b/src/utils/mount.ecryptfs.c
index 4e14795..57ed8db 100644
--- a/src/utils/mount.ecryptfs.c
+++ b/src/utils/mount.ecryptfs.c
@@ -438,7 +438,7 @@ out:
  * -> trans_func(head). 
  */
 static int ecryptfs_do_mount(int argc, char **argv, struct val_node 
*mnt_params,
-                            int sig_cache)
+                            int sig_cache, char **sig)
 {
        int rc;
        int flags = 0;
@@ -461,6 +461,9 @@ static int ecryptfs_do_mount(int argc, char **argv, struct 
val_node *mnt_params,
                        break;
                temp = new_opts;
                printf("  %s\n", val);
+               if (memcmp(val, "ecryptfs_sig=", 13) == 0) {
+                       asprintf(sig, "%s", &val[13]);
+               }
                if (sig_cache && memcmp(val, "ecryptfs_sig=", 13) == 0) {
                        if ((rc = process_sig(&val[13]))) {
                                printf("Error processing sig; rc = [%d]\n", rc);
@@ -498,6 +501,7 @@ int main(int argc, char **argv)
        char *opts_str;
        struct val_node *mnt_params;
        struct ecryptfs_ctx ctx;
+       char *sig;
        int sig_cache = 1;
        int rc;
 
@@ -531,13 +535,6 @@ int main(int argc, char **argv)
                printf("Enabling passphrase-mode only for now.\n\n");
                version = ECRYPTFS_VERSIONING_PASSPHRASE;
        }
-       if ((rc = ecryptfs_validate_keyring())) {
-               printf("Unable to link the KEY_SPEC_USER_KEYRING into the "
-                      "KEY_SPEC_SESSION_KEYRING; there is something wrong "
-                      "with your kernel keyring. Did you build key retention "
-                      "support into your kernel?\n");
-               goto out;
-       }
        mnt_params = malloc(sizeof(struct val_node));
        memset(mnt_params, 0, sizeof(struct val_node));
        memset(&ctx, 0, sizeof(struct ecryptfs_ctx));
@@ -559,7 +556,7 @@ int main(int argc, char **argv)
                               "report.\n", rc);
                        goto out;
                }
-               rc = ecryptfs_do_mount(argc, argv, mnt_params, sig_cache);
+               rc = ecryptfs_do_mount(argc, argv, mnt_params, sig_cache, &sig);
                if (rc) {
                        if (rc > 0)
                                rc = -rc;
@@ -571,6 +568,7 @@ int main(int argc, char **argv)
                                printf("Try ``modprobe ecryptfs''\n");
                } else
                        printf("Mounted eCryptfs\n");
+               ecryptfs_start_ecryptfsd(sig);
        } else {
                fprintf(stderr, "When are remounting eCryptfs, you need "
                        "to pass the mount utility the -i parameter to avoid "
-- 
1.4.4.2

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

_______________________________________________
eCryptfs-devel mailing list
eCryptfs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ecryptfs-devel

[Ecryptfs-devel] [PATCH] modify eCryptfs to use the SESSION keyring

Reply via email to