path: root/src/smb.hpp
Age | Commit message | Author | Files | Lines
2021-11-10 | virtual-media: Fix samba mount with latest kernel | Czarnowski, Przemyslaw | 1 | -3/+3
Latest changes in kernel introduce changes in mounting parameters.
- nolock parameter is no longer used with cifs (before it was ignored)
- shortened user version of username is no longer valid (even though it is still in the codebase)
Tested: Updated mount parameter list made CIFS mount possible again
Change-Id: I0f0ecb1f3cdb19144246340e5df12203648648f5
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
2021-05-20 | Validate user name for CIFS | Czarnowski, Przemyslaw | 1 | -0/+13
Providing a comma (,) in the username can lead to injecting some inappropriate mount options. As opposed to the password, the username is not escaped by the kernel driver, so we have to disallow such entries.
Tested: Manually mounting CIFS share with comma
Change-Id: I20ff5089d04f07d7e6aa3190fe83babdd7acfe96
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
2021-05-06 | Change log level to Info | Czarnowski, Przemyslaw | 1 | -1/+0
Due to security reasons "user/username" has to be removed from the information that is logged by the application. Sensitive data has been moved to "Debug" level (lowest one) and the default one has moved one level up to "Info". Also some important information allowing to catch basic errors has been upgraded to "Info".
Tested: Manually, mounting both Legacy mode remote types (HTTPs and CIFS) and checking if journal for VirtualMedia service does not contain sensitive information.
Change-Id: Ie6c3a79c94637e3632af76daf957e986b2dd3b6d
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
2021-04-27 | Escape cifs credentials to prevent injection | Czarnowski, Przemyslaw | 1 | -0/+1
Mount function consumes mount parameters as comma delimited options. In order to make it resistant to classic parameter injection each comma in username or password parameter that user provides is escaped by second comma character. This fix applies such escaping for samba credentials.
Tested: Tested by inserting media with password=smbpass,ver=1.0. Kernel does not mount share, showing error appropriate to incorrect credentials:
intel-obmc kernel: CIFS: Status code returned 0xc000006d \ STATUS_LOGON_FAILURE
Change-Id: I3acb24a4b24e798e54e095c69e9c6ec3151e03d1
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
2021-04-22 | Remove samba mount parameters logging | Czarnowski, Przemyslaw | 1 | -1/+0
SMB share when mounted left a trace in journal with parameters passed with mount command. Among others, password and user name have been included, which raises a security issue.
Tested: Manually, SMB mount does not reveal share credentials in logs any more
Change-Id: I30abbe085620c95d42b19f19d94285a211024cf4
Signed-off-by: Czarnowski, Przemyslaw <przemyslaw.hawrylewicz.czarnowski@intel.com>
2020-10-28 | Allow for negotiation of higher SMB version | Anna Platash | 1 | -10/+31
SMB 3.1.1 provides more secure authentication. vers=3 is preferred over vers=3.0 as it automatically negotiates 3.0 or 3.0.2 dialects, if available from server. While the vers=3.0 uses only 3.0.
Fallback scheme:
try vers=3.1.1
if fails - try vers=3
if fails - unrecoverable error path
Tested: Manually on ArcherCity. Mounting .iso image in legacy mode (smb), using RedFish interface.
Change-Id: Ief224353079f1b7200011a00b8d5c482f57f844e
Signed-off-by: Anna Platash <anna.platash@intel.com>
2020-07-17 | Fixing multiple problems with state machine in virtual media | Krzysztof Grobelny | 1 | -35/+1
- Previously machine did not handle AnyEvent correctly, implementation in BaseState was always run
- Changing from ActiveState to ReadyState was bugged, previously only one of event SubprocessStopped or UdevNotification caused state change when it is required to wait for both
- Introduced longer timer when waiting for ReadyState during Eject and ActiveState during Inject, because nbdkit can timeout during Eject and it is required to complete before next inject can succeed.
- Added event notification when process is terminated
- Added resource classes to handle deletion and notifications
Signed-off-by: Krzysztof Grobelny <krzysztof.grobelny@intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
Change-Id: Ie914e650c2f15bd73cdc87582ea77a94997a3472
Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
2020-02-06 | Authentication support for Legacy mode | Agata Olender | 1 | -1/+22
This change introduces new 'Mount' API argument - UNIX_FD for named pipe. This named pipe is utilized to securely send secret data over D-Bus. Currently data consists of null-terminated char buffers with username and password.
Data on receiving side is encapsulated into classes whose role is to:
- keep secret as short-lived as possible
- erase secret from memory when it's not needed
- pass secrets (and format them) to another secure container with above capabilities
New classes:
- Credentials: is a class encapsulating login and password. It zeroes them at destruction.
- CredentialProvider: contains Credentials, specifies SecureBuffer, allows to store credentials in SecureBuffer
- SecureBuffer: char vector which zeroes itself at destruction, used to provision secret data
- VolatileFile: class creating temporary file with 'owner-only' permissions in /tmp; at destruction overwrites its contents with '*' and removes it
New behavior:
- when UNIX_FD is provided over D-Bus it's treated as open unix pipe. Data is read from this pipe and stored securely into CredentialsProvider
- credentials are stored in applications inside CredentialsProvider object, encapsulated by unique_ptr for as long as it's needed
- strings containing secrets are zeroed immediately after use
- VolatileFile is used to securely pass credentials to nbdkit curl plugin instead of command line parameters.
Tested: Manual and automated tests on WilsonCity platform:
- positive and negative tests for authentication on both CIFS and HTTPS resources
- error injection (ill-formed data transferred over pipe, pipe broken etc.)
Change-Id: I608ae0380b8ad57110bc0939f71eb48604e7dc99
Signed-off-by: Adrian Ambrożewicz <adrian.ambrozewicz@linux.intel.com>
Signed-off-by: Agata Olender <agata.olender@intel.com>
2020-02-06 | Integration with NBDKit for Legacy mode | Agata Olender | 1 | -0/+76
This change introduces integration of virtual-media application with NBDKit. NBDKit is used here to connect to externally provided image on web and expose NBD device internally in BMC for NBD subsystem (already implemented in Proxy mode) to use.
'Mount' D-Bus call accepts 's imgUrl' and 'b rw'. Based on 's imgUrl' prefix (https:// or smb://) proper mount type is attempted. 'b rw' determines Read-Only mode for both USB Gadget and NBD stack.
When 'Mount' is called, virtual-media parses arguments, determines mounting options and attempts to mount external share.
For SMB protocol native CIFS Linux module is used:
1) mount(8) call is used to mount provided CIFS share
2) NBDKit loads file on mounted filesystem and exposes NBD Server on internal unix socket
3) Pre-existing code takes care of mounting gadget automatically (connecting socket to /dev/nbdX and then /dev/nbdX to USB Gadget)
For HTTPS protocol provisioning is performed by NBDKit:
1) NBDKit connects to provided resource and exposes NBD Server on internal unix socket
2) Pre-existing code takes care of mounting gadget automatically (connecting socket to /dev/nbdX and then /dev/nbdX to USB Gadget)
Tested: Manual and automated tests on WilsonCity platform:
- mounting and unmounting images over CIFS and HTTPS (single, multiple at the same time etc)
- positive and negative tests for D-Bus calls
- ensuring proper information is exposed on D-Bus
Change-Id: Ia2b6e8c13603521063f5c94cdfdb06f2e872e9e7
Signed-off-by: Adrian Ambrożewicz <adrian.ambrozewicz@linux.intel.com>
Signed-off-by: Agata Olender <agata.olender@intel.com>
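The 2021-04-27 and 2021-05-20 entries above describe two complementary defenses for the comma-delimited CIFS option string: doubling commas in the password and rejecting commas in the user name. The sketch below is an added example, not code from src/smb.hpp; the function names are hypothetical and the sample credentials are constructed.

```cpp
#include <iostream>
#include <string>

// Added illustration; function names are hypothetical, not from src/smb.hpp.

// Double every comma so the comma-delimited option parser reads it as data.
std::string escapeCommas(const std::string& in)
{
    std::string out;
    out.reserve(in.size());
    for (char c : in)
    {
        out.push_back(c);
        if (c == ',') out.push_back(',');
    }
    return out;
}

// Per the log, the user name is not escaped by the kernel driver,
// so a comma there is rejected instead of escaped.
bool isValidUsername(const std::string& user)
{
    return user.find(',') == std::string::npos;
}

// Builds the CIFS option string; returns false and leaves 'opts' untouched
// when the user name is rejected. 'vers' is assumed to be a constant chosen
// by the caller (e.g. "3.1.1", then "3" as fallback), never user input.
bool buildCifsOptions(const std::string& vers, const std::string& user,
                      const std::string& password, std::string& opts)
{
    if (!isValidUsername(user))
    {
        return false;
    }
    opts = "vers=" + vers + ",username=" + user +
           ",password=" + escapeCommas(password);
    return true;
}

int main()
{
    std::string opts;
    // Constructed sample input, same shape as the commit's test case.
    bool ok = buildCifsOptions("3.1.1", "smbuser", "smbpass,ver=1.0", opts);
    // Report only the length: the option string carries credentials.
    std::cout << (ok ? "options built, bytes: " : "rejected, bytes: ")
              << opts.size() << "\n";
    return ok ? 0 : 1;
}
```

With the password escaped this way, the embedded `,ver=1.0` stays part of the password value, which matches the STATUS_LOGON_FAILURE result reported in the commit's test.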