LinuxQuestions.org
Old 06-27-2016, 07:01 AM   #1
haary
Member
 
Registered: Apr 2015
Posts: 49

Rep: Reputation: Disabled
Can't access ecryptfs with kernel 4.4.14


I do mount a directory for a second user like this:

Code:
mount -t ecryptfs /home/user2/.Private/ /home/user2/ -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,key=passphrase,ecryptfs_fnek_sig=1234567890abcdef,ecryptfs_unlink_sigs,ecryptfs_passthrough=no

It worked well this way until I upgraded to kernel 4.4.14. The mount itself works, but I can't access the directory any more.

dmesg output:
Code:
[   53.924289] Error opening lower file for lower_dentry [0xeb8a9080] and lower_mnt [0xf08bb0d0]; rc = [-124]
[   53.924294] ecryptfs_open: Error attempting to initialize the lower file for the dentry with name [/]; rc = [-124]

Apparently there were some changes to ecryptfs in 4.4.14. The Announcement from GKH says:

Quote:
Jann Horn (3):
ecryptfs: forbid opening files without mmap handler

Patch to ecryptfs see below. I am not a kernel or C programmer, so I can't tell what went wrong.

Do I need to change something to my mount command or is this a bug?


Code:
--- a/fs/ecryptfs/kthread.c
+++ b/fs/ecryptfs/kthread.c
@@ -25,6 +25,7 @@
 #include <linux/slab.h>
 #include <linux/wait.h>
 #include <linux/mount.h>
+#include <linux/file.h>
 #include "ecryptfs_kernel.h"

 struct ecryptfs_open_req {
@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
        flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
        (*lower_file) = dentry_open(&req.path, flags, cred);
        if (!IS_ERR(*lower_file))
-               goto out;
+               goto have_file;
        if ((flags & O_ACCMODE) == O_RDONLY) {
                rc = PTR_ERR((*lower_file));
                goto out;
@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file,
        mutex_unlock(&ecryptfs_kthread_ctl.mux);
        wake_up(&ecryptfs_kthread_ctl.wait);
        wait_for_completion(&req.done);
-       if (IS_ERR(*lower_file))
+       if (IS_ERR(*lower_file)) {
                rc = PTR_ERR(*lower_file);
+               goto out;
+       }
+have_file:
+       if ((*lower_file)->f_op->mmap == NULL) {
+               fput(*lower_file);
+               *lower_file = NULL;
+               rc = -EMEDIUMTYPE;
+       }
 out:
        return rc;
 }
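Review bot: the check after the have_file: label, if ((*lower_file)->f_op->mmap == NULL), runs for every lower file that was opened and never looks at the file type, so a lower directory (directory file_operations normally provide no mmap handler) is refused with -EMEDIUMTYPE. That is errno 124 and matches the rc = [-124] reported for the dentry named [/] in the dmesg output above. Consider limiting the check to regular files, for example by testing S_ISREG(d_inode(lower_dentry)->i_mode) first, or enforcing it at the point where an mmap is actually requested. A short comment saying why a missing mmap handler is refused would also help anyone backporting this.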
 
Old 06-27-2016, 10:02 AM   #2
haary
Member
 
Registered: Apr 2015
Posts: 49

Original Poster
Rep: Reputation: Disabled
Did some more testing - decrypted and encrypted the users home directory again with kernel 4.4.14 and the tool ecryptfs-migrate-home. Used ecryptfs-mount-private as the user. The mount itself works. The directory is still not accessible.

However, I can access single files if I type the name (tab completion of bash doesn't work), e.g. 'cat /home/user/foo/bar' works, but 'ls /home/user/foo/' gives the error "Wrong medium type".

It really seems to be a bug. What is the best way to report it upstream?
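Added example, not part of the original posts: a small shell filter that picks the eCryptfs open failures out of kernel log text and names the return code, using the two dmesg lines from the first post as sample input. The function names and the short errno table are assumptions of this example; rc -124 is EMEDIUMTYPE on Linux, the same "Wrong medium type" that ls reports above.

```sh
#!/bin/sh
# Added example (not from the thread): triage eCryptfs open failures in dmesg text.

# Sample input: the two dmesg lines quoted in the first post.
SAMPLE='[   53.924289] Error opening lower file for lower_dentry [0xeb8a9080] and lower_mnt [0xf08bb0d0]; rc = [-124]
[   53.924294] ecryptfs_open: Error attempting to initialize the lower file for the dentry with name [/]; rc = [-124]'

# Map the return codes of interest to Linux errno names (small, hand-picked table).
rc_name() {
    case "$1" in
        -124) echo EMEDIUMTYPE ;;  # strerror text: "Wrong medium type"
        -13)  echo EACCES ;;
        -2)   echo ENOENT ;;
        *)    echo UNKNOWN ;;
    esac
}

# stdin: kernel log text. stdout: "<timestamp> <dentry name or -> <rc> <errno name>"
# Assumes dentry names without spaces.
ecryptfs_open_errors() {
    sed -n -E '
        /ecryptfs_open:|Error opening lower file/ {
            s/^\[ *([0-9.]+)\].*with name \[([^]]*)\]; rc = \[(-?[0-9]+)\].*$/\1 \2 \3/p
            t
            s/^\[ *([0-9.]+)\].*rc = \[(-?[0-9]+)\].*$/\1 - \2/p
        }' |
    while read -r ts name rc; do
        echo "$ts $name $rc $(rc_name "$rc")"
    done
}

# Exit status 0 when the log contains an eCryptfs open failure with rc -124.
has_emediumtype_failure() {
    ecryptfs_open_errors | grep -q -- ' -124 EMEDIUMTYPE$'
}

# Stand-alone run on the sample; on a live system pipe dmesg into the function instead.
printf '%s\n' "$SAMPLE" | ecryptfs_open_errors
```

A hit on the dentry named [/] together with working reads of individual files is the pattern described in this thread.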
 
Old 06-27-2016, 01:25 PM   #3
haary
Member
 
Registered: Apr 2015
Posts: 49

Original Poster
Rep: Reputation: Disabled
Tested it with another machine with Slackware64 and current ecryptfs-util - same result.
Reported the issue to the ecryptfs mailing list: http://thread.gmane.org/gmane.comp.f...fs.general/878.

I will test tomorrow whether this also happens on other distros with kernel 4.4.14 where PAM is used. Strange that there are no other reports about this issue yet.
 
1 members found this post helpful.
Old 06-28-2016, 04:03 AM   #4
haary
Member
 
Registered: Apr 2015
Posts: 49

Original Poster
Rep: Reputation: Disabled
I confirmed that this bug also appears on Arch Linux (which has PAM and systemd) using their provided linux-lts kernel 4.4.14. However, using the provided default kernel on Arch, which is 4.6.3 and has the same patch to ecryptfs applied as 4.4.14, the error doesn't occur and one can access an ecryptfs mounted directory perfectly normally.

So it seems that kernel 4.4.14, and perhaps other still maintained LTS kernels where this patch was applied (4.1.27, 3.18.36, 3.14.73), are affected. As for kernel 3.10.x - which is the default kernel in Slackware 14.1 - I can't find the ecryptfs related entry in the changelog of the latest release 3.10.102.

Meanwhile it was stated on the ecryptfs mailing list that the backported version of the patch needs to be adjusted. So, stay tuned for kernel 4.4.15.
 
4 members found this post helpful.
Old 06-30-2016, 01:10 PM   #5
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 2,504

Rep: Reputation: 8461
Since I'd rather release Slackware 14.2 with a completely vanilla kernel (and 4.4.15 doesn't seem to be coming soon), I've put the proposed upstream patch for this issue in source/k/, and built packages in /testing/packages containing a fixed ecryptfs kernel module.
 
6 members found this post helpful.
Old 07-01-2016, 12:50 PM   #6
haary
Member
 
Registered: Apr 2015
Posts: 49

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by volkerdi
Since I'd rather release Slackware 14.2 with a completely vanilla kernel (and 4.4.15 doesn't seem to be coming soon), I've put the proposed upstream patch for this issue in source/k/, and built packages in /testing/packages containing a fixed ecryptfs kernel module.

Sorry, but it didn't work for me. I installed kernel-module-ecryptfs-4.4.14-x86_64-1.txz, even rebooted, but still getting the error "wrong medium type".

Three possibilities:

* I am doing something wrong
* The module in the package still isn't patched
* The patch doesn't work


I will rebuild the whole kernel with the patch applied to see if the patch does work at all.
 
Old 07-01-2016, 03:17 PM   #7
haary
Member
 
Registered: Apr 2015
Posts: 49

Original Poster
Rep: Reputation: Disabled
Rebuilt the kernel on 64bit with the patch applied. Still "wrong medium type" error when accessing directories. It seems that the patch did not work as expected.
 
Old 07-01-2016, 04:22 PM   #8
haary
Member
 
Registered: Apr 2015
Posts: 49

Original Poster
Rep: Reputation: Disabled
It seems that the patch is malformed - the guys from Manjaro ran into the same issue:

https://forum.manjaro.org/t/kenel-4-...ne-2016/5001/9

https://github.com/manjaro/packages-...be0bf1eacf6628

I will test with corrected patch applied.
 
Old 07-01-2016, 04:43 PM   #9
haary
Member
 
Registered: Apr 2015
Posts: 49

Original Poster
Rep: Reputation: Disabled
Confirmed - the patch at source/k/linux-4.4.14.ecryptfs.regression.diff is malformed, therefore it doesn't work.
Correct patch is attached. With this, ecryptfs works as expected again.
Attached Files
File Type: txt ecryptfs.patch.txt (1.5 KB, 139 views)
 
3 members found this post helpful.
Old 07-01-2016, 04:58 PM   #10
dr.s
Member
 
Registered: Feb 2010
Distribution: Slackware64-current
Posts: 338

Rep: Reputation: 156
Quote:
Originally Posted by haary
Confirmed - the patch at source/k/linux-4.4.14.ecryptfs.regression.diff is malformed, therefore it doesn't work.
Correct patch is attached. With this, ecryptfs works as expected again.

You might want to mark this thread as solved so others can benefit from your solution.
 
Old 07-02-2016, 11:15 AM   #11
haary
Member
 
Registered: Apr 2015
Posts: 49

Original Poster
Rep: Reputation: Disabled
Fixed kernel

If you are affected: ConnochaetOS slack-n-free repo provides kernel images with fixed ecryptfs kernel modules 32bit 64bit
 
Old 08-11-2016, 03:04 AM   #12
haary
Member
 
Registered: Apr 2015
Posts: 49

Original Poster
Rep: Reputation: Disabled
Meanwhile kernel 4.4.17 has been released, where this issue is finally fixed. All users of ecryptfs should upgrade to this kernel.
 
1 members found this post helpful.
  

