Tuesday, 19 May 2015

Building ecryptfs on Red Hat 7




eCryptfs is NO LONGER SUPPORTED on Red Hat 7.x

Anyway, you can try this for fun!


The previous steps for this post are described in this other post: Build a Red Hat 7 custom kernel

1. RHEL 7 has eCryptfs disabled in the kernel config file, although the eCryptfs source code is still present in the kernel source tree:

# cat /boot/config-3.10.0-229.el7.x86_64 | grep ECRYPT
# CONFIG_ECRYPT_FS is not set
[root@localhost linux-3.10.0-229.1.2.el7]# md5sum fs/ecryptfs/*
b0b2198fb0d9a5b63203d014e436c12a fs/ecryptfs/crypto.c
10b5b2afb477d645a976ed5a425db6e5 fs/ecryptfs/debug.c
d93cc9c2bebf8d365c3295e410c8cc28 fs/ecryptfs/dentry.c
42ec82030d5e6688f55d961a3eaab962 fs/ecryptfs/ecryptfs_kernel.h
58614e45ce41110a15293eb7281a6825 fs/ecryptfs/file.c
96c2f720c685370e428c2cf0c6ef9956 fs/ecryptfs/inode.c
b491875a59037880dbb3869d73414902 fs/ecryptfs/Kconfig
583a15f5c15e51d59f3c9e6075144dcc fs/ecryptfs/keystore.c
720d1880946744a22f4661afc558a58f fs/ecryptfs/kthread.c
7d02e53411da2344f32d2cbaef87f38f fs/ecryptfs/main.c
f6306e09d0870d78453baeaf06192dd3 fs/ecryptfs/Makefile
7014db803b5b251fef4ff8b0a5b1231f fs/ecryptfs/messaging.c
9199e6035ca61f5b49920215a9c71e78 fs/ecryptfs/miscdev.c
96690eaf5e6e04c88bcb20537fe2b7bf fs/ecryptfs/mmap.c
4d17c980ac64d11ce54cba87c63843d2 fs/ecryptfs/read_write.c
3dda1f0792415e03f9031387fd5b6b66 fs/ecryptfs/super.c

[root@localhost linux-3.10.0-229.1.2.el7]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.1 (Maipo)

[root@localhost linux-3.10.0-229.1.2.el7]# uname -r
3.10.0-229.el7.x86_64

[root@localhost linux-3.10.0-229.1.2.el7]# pwd
/root/rpmbuild/SOURCES/linux/linux-3.10.0-229.1.2.el7


2. RHEL 7 has eCryptfs disabled by default

(screenshot: r7_ecrypt.png)

3. After enabling eCryptfs with "# make menuconfig" and trying to compile the kernel, the following error is received:

[root@localhost linux-3.10.0-229.1.2.el7]# make
scripts/kconfig/conf --silentoldconfig Kconfig
make[1]: Nothing to be done for `all'.
make[1]: Nothing to be done for `relocs'.
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
make[1]: `arch/x86/purgatory/kexec-purgatory.c' is up to date.
CALL scripts/checksyscalls.sh
CC scripts/mod/devicetable-offsets.s
GEN scripts/mod/devicetable-offsets.h
HOSTCC scripts/mod/file2alias.o
HOSTLD scripts/mod/modpost
CHK include/generated/compile.h
make[3]: `arch/x86/realmode/rm/realmode.bin' is up to date.
CERTS kernel/x509_certificate_list
- Including cert /root/rpmbuild/SOURCES/linux/linux-3.10.0-229.1.2.el7/signing_key.x509
AS kernel/system_certificates.o
LD kernel/built-in.o
LD fs/ecryptfs/built-in.o
CC [M] fs/ecryptfs/dentry.o
CC [M] fs/ecryptfs/file.o
CC [M] fs/ecryptfs/inode.o
CC [M] fs/ecryptfs/main.o
fs/ecryptfs/main.c: In function ‘ecryptfs_mount’:
fs/ecryptfs/main.c:570:3: error: ‘struct super_block’ has no member named ‘s_stack_depth’
s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
^
fs/ecryptfs/main.c:570:38: error: ‘struct super_block’ has no member named ‘s_stack_depth’
s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
^
fs/ecryptfs/main.c:573:7: error: ‘struct super_block’ has no member named ‘s_stack_depth’
if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
^
make[2]: *** [fs/ecryptfs/main.o] Error 1
make[1]: *** [fs/ecryptfs] Error 2
make: *** [fs] Error 2
[root@localhost linux-3.10.0-229.1.2.el7]#



4. s_stack_depth is handled differently on Red Hat 7: it is no longer a member of struct super_block but part of a new structure called super_block_wrapper, which embeds the superblock and is reached through container_of():

struct super_block {
        struct list_head s_list; /* Keep this first */
        dev_t s_dev; /* search index; _not_ kdev_t */
        unsigned char s_blocksize_bits;
        unsigned long s_blocksize;
        loff_t s_maxbytes; /* Max file size */
        struct file_system_type *s_type;
        const struct super_operations *s_op;
        const struct dquot_operations *dq_op;
        const struct quotactl_ops *s_qcop;
        const struct export_operations *s_export_op;
        unsigned long s_flags;
        unsigned long s_magic;
        struct dentry *s_root;
        struct rw_semaphore s_umount;
        int s_count;
        atomic_t s_active;
#ifdef CONFIG_SECURITY
        void *s_security;
#endif
        const struct xattr_handler **s_xattr;
        struct list_head s_inodes; /* all inodes */
        struct hlist_bl_head s_anon; /* anonymous dentries for (nfs) exporting */
#ifdef __GENKSYMS__
#ifdef CONFIG_SMP
        struct list_head __percpu *s_files;
#else
        struct list_head s_files;
#endif
#else
#ifdef CONFIG_SMP
        struct list_head __percpu *s_files_deprecated;
#else
        struct list_head s_files_deprecated;
#endif
#endif
        struct list_head s_mounts; /* list of mounts; _not_ for fs use */
        /* s_dentry_lru, s_nr_dentry_unused protected by dcache.c lru locks */
        struct list_head s_dentry_lru; /* unused dentry lru */
        int s_nr_dentry_unused; /* # of dentry on lru */
        /* s_inode_lru_lock protects s_inode_lru and s_nr_inodes_unused */
        spinlock_t s_inode_lru_lock ____cacheline_aligned_in_smp;
        struct list_head s_inode_lru; /* unused inode lru */
        int s_nr_inodes_unused; /* # of inodes on lru */
        struct block_device *s_bdev;
        struct backing_dev_info *s_bdi;
        struct mtd_info *s_mtd;
        struct hlist_node s_instances;
        struct quota_info s_dquot; /* Diskquota specific options */
        struct sb_writers s_writers;
        char s_id[32]; /* Informational name */
        u8 s_uuid[16]; /* UUID */
        void *s_fs_info; /* Filesystem private info */
        unsigned int s_max_links;
        fmode_t s_mode;
        /* Granularity of c/m/atime in ns.
           Cannot be worse than a second */
        u32 s_time_gran;
        /*
         * The next field is for VFS *only*. No filesystems have any business
         * even looking at it. You had been warned.
         */
        struct mutex s_vfs_rename_mutex; /* Kludge */
        /*
         * Filesystem subtype. If non-empty the filesystem type field
         * in /proc/mounts will be "type.subtype"
         */
        /*
         * Saved mount options for lazy filesystems using
         * generic_show_options()
         */
        char __rcu *s_options;
        const struct dentry_operations *s_d_op; /* default d_op for dentries */
        /*
         * Saved pool identifier for cleancache (-1 means none)
         */
        int cleancache_poolid;
        struct shrinker s_shrink; /* per-sb shrinker handle */
        /* Number of inodes with nlink == 0 but still referenced */
        atomic_long_t s_remove_count;
        /* Being remounted read-only */
        int s_readonly_remount;
};

extern const unsigned super_block_wrapper_version;
struct super_block_wrapper {
        struct super_block sb;
        /* -- Wrapper version 0 -- */
        /*
         * Indicates how deep in a filesystem stack this SB is
         */
        int s_stack_depth;
        /* -- Wrapper version 1 -- */
};
static inline struct super_block_wrapper *get_sb_wrapper(struct super_block *sb,
                                                         unsigned version)
{
        /* Make sure we get a link failure if this function is used against an
         * older kernel that doesn't have the superblock wrapper.
         */
        if (super_block_wrapper_version < version)
                return NULL;
        return container_of(sb, struct super_block_wrapper, sb);
}
static inline int *get_s_stack_depth(struct super_block *sb)
{
        struct super_block_wrapper *wrapper = get_sb_wrapper(sb, 0);
        return wrapper ? &wrapper->s_stack_depth : NULL;
}


5. To fix eCryptfs and build it against this kernel, the following is the partial fix.
This fix will not be proposed upstream because it is not compatible with other kernels; it is a patch to make eCryptfs work on RHEL 7 only.

See the commented-out original lines and the replacement lines right after them.
First declare the int pointers at the beginning of the function:

static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags,
                                     const char *dev_name, void *raw_data)
{
        int *s_stack_depth;
        int *lower_stack_depth;
        ...

        s->s_magic = ECRYPTFS_SUPER_MAGIC;
        /* RHEL 7 keeps s_stack_depth in super_block_wrapper, so both the new
         * superblock's depth and the lower filesystem's depth are reached
         * through get_s_stack_depth(). It returns NULL on a kernel without
         * the wrapper, so check before dereferencing. */
        //s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
        s_stack_depth = get_s_stack_depth(s);
        lower_stack_depth = get_s_stack_depth(path.dentry->d_sb);
        rc = -EINVAL;
        if (!s_stack_depth || !lower_stack_depth)
                goto out_free;
        *s_stack_depth = *lower_stack_depth + 1;
        //if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
        if (*s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
                pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
                goto out_free;
        }
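To see why the wrapper accessor and the depth check matter, here is an added user-space model (not code from the post or from the RHEL 7 kernel) of the super_block_wrapper pattern and of the stacking-depth bookkeeping that ecryptfs_mount() performs. The cut-down struct super_block, the functions prefixed model_ and the wrapper version constant are constructed for this example; FILESYSTEM_MAX_STACK_DEPTH is the same value the 3.10 kernel uses in include/linux/fs.h.

```c
/* Added example (not code from the post or from the RHEL 7 kernel): a
 * user-space model of the super_block_wrapper accessor pattern and of the
 * stacking-depth check that ecryptfs_mount() performs. Everything prefixed
 * "model_" and the cut-down struct super_block are constructed here. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same limit as include/linux/fs.h in the 3.10 kernel. */
#define FILESYSTEM_MAX_STACK_DEPTH 2
#ifndef EINVAL
#define EINVAL 22
#endif

/* User-space stand-in for the kernel's container_of(). */
#define container_of(ptr, type, member) \
        ((type *)((char *)(ptr) - offsetof(type, member)))

/* Cut-down model of struct super_block: only the field this example uses. */
struct super_block {
        char s_id[32];          /* Informational name */
};

/* Mirror of the RHEL 7 wrapper: new fields live after the embedded
 * struct super_block, so the kABI layout of super_block itself is unchanged. */
struct super_block_wrapper {
        struct super_block sb;
        /* -- Wrapper version 0 -- */
        int s_stack_depth;      /* how deep in a filesystem stack this SB is */
        /* -- Wrapper version 1 -- */
};

const unsigned super_block_wrapper_version = 1;  /* model value */

static inline struct super_block_wrapper *get_sb_wrapper(struct super_block *sb,
                                                         unsigned version)
{
        if (super_block_wrapper_version < version)
                return NULL;
        return container_of(sb, struct super_block_wrapper, sb);
}

static inline int *get_s_stack_depth(struct super_block *sb)
{
        struct super_block_wrapper *wrapper = get_sb_wrapper(sb, 0);
        return wrapper ? &wrapper->s_stack_depth : NULL;
}

/* Model of the depth bookkeeping in ecryptfs_mount(): the new superblock sits
 * one level above the lower filesystem's, and the mount is refused once the
 * limit is exceeded. Returns 0 on success or -EINVAL, as the kernel code does. */
int model_stack_on(struct super_block *s, struct super_block *lower_sb)
{
        int *depth = get_s_stack_depth(s);
        int *lower_depth = get_s_stack_depth(lower_sb);

        /* NULL means the running kernel has no wrapper: refuse the mount
         * instead of dereferencing it. */
        if (!depth || !lower_depth)
                return -EINVAL;

        *depth = *lower_depth + 1;
        if (*depth > FILESYSTEM_MAX_STACK_DEPTH) {
                fprintf(stderr, "eCryptfs: maximum fs stacking depth exceeded (%s)\n",
                        s->s_id);
                return -EINVAL;
        }
        return 0;
}

/* Tries to stack `attempts` eCryptfs layers on top of a base filesystem and
 * returns how many of them were accepted. */
int model_count_accepted_layers(int attempts)
{
        struct super_block_wrapper layers[8];
        int accepted = 0, i;

        if (attempts > 7)
                attempts = 7;
        memset(layers, 0, sizeof layers);
        strcpy(layers[0].sb.s_id, "xfs");       /* base filesystem, depth 0 */
        for (i = 1; i <= attempts; i++) {
                snprintf(layers[i].sb.s_id, sizeof layers[i].sb.s_id,
                         "ecryptfs-%d", i);
                if (model_stack_on(&layers[i].sb, &layers[i - 1].sb) != 0)
                        break;
                accepted++;
        }
        return accepted;
}

int main(void)
{
        /* With the limit at 2, the third stacked layer is refused. */
        printf("accepted layers: %d\n", model_count_accepted_layers(5));
        return 0;
}
```

The model also shows why the depth of the new superblock has to be written, not only read: if only the lower filesystem's depth were compared against the limit, every eCryptfs mount on top of another eCryptfs mount would still see depth 0 and the limit that protects the kernel stack from unbounded filesystem nesting would never trigger.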

Then run make:
[root@localhost linux-3.10.0-229.1.2.el7]# make
make[1]: Nothing to be done for `all'.
make[1]: Nothing to be done for `relocs'.
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
make[1]: `arch/x86/purgatory/kexec-purgatory.c' is up to date.
CALL scripts/checksyscalls.sh
CC scripts/mod/devicetable-offsets.s
GEN scripts/mod/devicetable-offsets.h
HOSTCC scripts/mod/file2alias.o
HOSTLD scripts/mod/modpost
CHK include/generated/compile.h
make[3]: `arch/x86/realmode/rm/realmode.bin' is up to date.
CC [M] fs/ecryptfs/main.o
LD [M] fs/ecryptfs/ecryptfs.o
CHK include/generated/uapi/linux/version.h
make[2]: Nothing to be done for `all'.
make[2]: Nothing to be done for `relocs'.
TEST posttest
Succeed: decoded and checked 1636136 instructions
TEST posttest
arch/x86/tools/insn_sanity: Success: decoded and checked 1000000 random instructions with 0 errors (seed:0x734ad41f)
Kernel: arch/x86/boot/bzImage is ready (#2)
Building modules, stage 2.
MODPOST 2186 modules
CC fs/ecryptfs/ecryptfs.mod.o
LD [M] fs/ecryptfs/ecryptfs.ko
[root@localhost linux-3.10.0-229.1.2.el7]# make modules
make[1]: Nothing to be done for `all'.
make[1]: Nothing to be done for `relocs'.
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
make[1]: `arch/x86/purgatory/kexec-purgatory.c' is up to date.
CALL scripts/checksyscalls.sh
CC scripts/mod/devicetable-offsets.s
GEN scripts/mod/devicetable-offsets.h
HOSTCC scripts/mod/file2alias.o
HOSTLD scripts/mod/modpost
Building modules, stage 2. 
MODPOST 2183 modules
[root@localhost linux-3.10.0-229.1.2.el7]#


6. After reviewing the modinfo output and loading the module with insmod, there are some error messages in dmesg:

# modinfo /root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7/fs/ecryptfs/ecryptfs.ko
filename: /root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7/fs/ecryptfs/ecryptfs.ko
license: GPL
description: eCryptfs
author: Michael A. Halcrow <mhalcrow@us.ibm.com>
alias: fs-ecryptfs
rhelversion: 7.1
srcversion: EE0A8CEA8D02FDE3FB63A2B
depends: 
intree: Y
vermagic: 3.10.0 SMP mod_unload modversions 
parm: ecryptfs_verbosity:Initial verbosity level (0 or 1; defaults to 0, which is Quiet) (int)
parm: ecryptfs_message_buf_len:Number of message buffer elements (uint)
parm: ecryptfs_message_wait_timeout:Maximum number of seconds that an operation will sleep while waiting for a message response from userspace (long)
parm: ecryptfs_number_of_users:An estimate of the number of concurrent users of eCryptfs (uint)

# insmod /root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7/fs/ecryptfs/ecryptfs.ko
# lsmod | grep ecr
ecryptfs 85424 0

dmesg:
[61759.528990] ecryptfs: no symbol version for module_layout
[65012.599355] ecryptfs: module verification failed: signature and/or required key missing - tainting kernel

# mount -t ecryptfs /mnt/t1 /mnt/t1
mount: wrong fs type, bad option, bad superblock on /mnt/t1,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so.
The mount fails with error -22 (EINVAL), i.e. wrong parameters:

[65575.109585] Error parsing options; rc = [-22]

7. Now we need to install ecryptfs-utils and its dependencies:

# wget http://sourceforge.net/projects/ecryptfs/files/latest/download?source=files
# mv download\?source\=files ecryptfs-utils-61.tar.gz
# tar -xvf ecryptfs-utils-61.tar.gz 
# cd ecryptfs-utils-61
# yum install libgcrypt -y
# yum install libgcrypt-devel -y
# yum install keyutils -y
# yum install keyutils-devel -y
# yum install keyutils-libs -y
# yum install keyutils-libs-devel -y
# yum install pam
# yum install pam-devel -y
# ./configure 
# ./configure --prefix=/usr
# make
# make install
# ldconfig
# setenforce 0
(setenforce 0 switches SELinux to permissive mode for the whole system; it is only a debugging step for this test, so run setenforce 1 again when you are done.)

Then try:

[root@localhost ecryptfs-utils-61]# mount -t ecryptfs /mnt/t1 /mnt/t1
Passphrase: 
Select cipher: 
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
Selection [aes]: 
Select key bytes: 
1) 16
2) 32
3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
Error mounting eCryptfs; rc = [-22]; strerr = [Invalid argument]. Check your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.
ecryptfs_sig=5143317d91ad1a8f

Although there is an error, ecryptfs can be mounted and a basic regression test works.

[root@localhost ecryptfs-utils-61]# mount
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=499292k,nr_inodes=124823,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
configfs on /sys/kernel/config type configfs (rw,relatime)
/dev/mapper/rhel-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=33,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel)
mqueue on /dev/mqueue type mqueue (rw,relatime,seclabel)
/dev/sda1 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
/mnt/t1 on /mnt/t1 type ecryptfs (rw,relatime,ecryptfs_sig=5143317d91ad1a8f,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)

[root@localhost ecryptfs-utils-61]# vi /mnt/t1/file.txt

[root@localhost ecryptfs-utils-61]# cat /mnt/t1/file.txt 
This is the content file

[root@localhost ecryptfs-utils-61]# umount /mnt/t1

[root@localhost ecryptfs-utils-61]# cat /mnt/t1/file.txt
��A�)���"3DUfw`����e�� ���

8. Warnings in dmesg:
[260412.494550] Mount on filesystem of type eCryptfs explicitly disallowed due to known incompatibilities
[260412.508406] Reading sb failed; rc = [-22]
[root@localhost ~]#


There are still some warnings that need to be fixed; however, a quick eCryptfs regression test works as described in step 7.


Enjoy!
P.S. This should be the official eCryptfs flag

Monday, 18 May 2015

Listing missed whitelist kernel module symbols on Red Hat 7

This is short but useful:

This example looks for the symbols of ecryptfs:

NOTE: It is assumed that the ecryptfs module was built and the ecryptfs.ko file exists. I will write later about how to build ecryptfs.

1. Install the kabi-whitelists

[root@localhost linux-3.10.0-229.1.2.el7]# yum install kernel-abi-whitelists
Loaded plugins: product-id, subscription-manager
rhel-7-server-eus-rpms                                                       | 2.9 kB  00:00:00    
rhel-7-server-rpms                                                           | 3.7 kB  00:00:00    
rhel-7-server-rt-beta-rpms                                                   | 3.3 kB  00:00:00    
rhel-7-server-rt-rpms                                                        | 3.3 kB  00:00:00    
rhel-ha-for-rhel-7-server-eus-rpms                                           | 2.9 kB  00:00:00    
rhel-ha-for-rhel-7-server-rpms                                               | 3.7 kB  00:00:00    
rhel-rs-for-rhel-7-server-eus-rpms                                           | 2.9 kB  00:00:00    
rhel-rs-for-rhel-7-server-rpms                                               | 3.7 kB  00:00:00    
rhel-sap-for-rhel-7-server-rpms                                              | 3.5 kB  00:00:00    
Resolving Dependencies
--> Running transaction check
---> Package kernel-abi-whitelists.noarch 0:3.10.0-229.4.2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                    Arch        Version                   Repository                   Size
====================================================================================================
Installing:
 kernel-abi-whitelists      noarch      3.10.0-229.4.2.el7        rhel-7-server-eus-rpms      1.4 M

Transaction Summary
====================================================================================================
Install  1 Package

Total download size: 1.4 M
Installed size: 56 k
Is this ok [y/d/N]: y
Downloading packages:
kernel-abi-whitelists-3.10.0-229.4.2.el7.noarch.rpm                          | 1.4 MB  00:00:02    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : kernel-abi-whitelists-3.10.0-229.4.2.el7.noarch                                  1/1
  Verifying  : kernel-abi-whitelists-3.10.0-229.4.2.el7.noarch                                  1/1

Installed:
  kernel-abi-whitelists.noarch 0:3.10.0-229.4.2.el7                                                

Complete!

2.- Download the kabi_check.py file from http://people.redhat.com/jcm/el6/dup/docs/scripts/rhel6_kabi_check.py ; this is for RHEL 6 but works for RHEL 7 too. In this example I renamed it to kabi_check.py


[root@localhost linux-3.10.0-229.1.2.el7]# find / -name '*abi*'
/root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7/kabi_check.py

3.- Locate the directory where the whitelists were installed (press Tab after the prefix to list the completions):

[root@localhost linux-3.10.0-229.1.2.el7]# ls /lib/modules/kabi-
kabi-current/ kabi-rhel70/  kabi-rhel71/

4.- I am checking against rhel71:

[root@localhost linux-3.10.0-229.1.2.el7]# python kabi_check.py -w /lib/modules/kabi-rhel71/kabi_whitelist_x86_64 /root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7/fs/ecryptfs/ecryptfs.ko
Red Hat Enterprise Linux 6 ABI Checker
--------------------------------------

ABI Checker version: 2.0

Module:    /root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7/fs/ecryptfs/ecryptfs.ko
Kernel:    3.10.0-229.el7.x86_64
Whitelist: /lib/modules/kabi-rhel71/kabi_whitelist_x86_64 (package kabi-whitelists is not installed
)

WARNING: The following symbols are used by your module
WARNING: and are not on the ABI whitelist.

symbol: generic_fillattr
symbol: clear_nlink
symbol: d_instantiate
symbol: clear_inode
symbol: vfs_setxattr
symbol: notify_change
symbol: grab_cache_page_write_begin
symbol: crypto_alloc_base
symbol: vfs_getattr
symbol: vfs_rename
symbol: lookup_one_len
symbol: generic_file_splice_read
symbol: kfree_put_link
symbol: init_special_inode
symbol: unregister_filesystem
symbol: kzfree
symbol: d_make_root
symbol: generic_readlink
symbol: set_freezable
symbol: do_sync_write
symbol: read_cache_page
symbol: iput
symbol: sg_init_one
symbol: fsstack_copy_attr_all
symbol: register_filesystem
symbol: vfs_unlink
symbol: kmem_cache_alloc_trace
symbol: path_put
symbol: inode_change_ok
symbol: __fentry__
symbol: vfs_mkdir
symbol: crypto_destroy_tfm
symbol: __refrigerator
symbol: inode_newsize_ok
symbol: d_drop
symbol: bdi_setup_and_register
symbol: unlock_new_inode
symbol: do_sync_read
symbol: __stack_chk_fail
symbol: truncate_inode_pages_final
symbol: fs_kobj
symbol: key_type_encrypted
symbol: generic_file_mmap
symbol: __free_pages
symbol: atomic_dec_and_mutex_lock
symbol: mntput
symbol: inode_init_once
symbol: key_put
symbol: fput
symbol: set_nlink
symbol: lock_rename
symbol: warn_slowpath_null
symbol: wait_on_sync_kiocb
symbol: sget
symbol: sysfs_create_group
symbol: d_rehash
symbol: freezing_slow_path
symbol: current_task
symbol: default_llseek
symbol: from_kuid
symbol: crypto_alloc_ablkcipher
symbol: kern_path
symbol: kernel_read
symbol: key_validate
symbol: unlock_rename
symbol: vfs_rmdir
symbol: kobject_create_and_add
symbol: truncate_setsize
symbol: sysfs_remove_group
symbol: generic_file_aio_write
symbol: vfs_symlink
symbol: igrab
symbol: generic_read_dir
symbol: vfs_fsync
symbol: vfs_mknod
symbol: init_user_ns
symbol: dentry_open
symbol: match_token
symbol: seq_printf
symbol: dput
symbol: generic_file_aio_read
symbol: lockref_get
symbol: deactivate_locked_super
symbol: touch_atime
symbol: filemap_write_and_wait
symbol: system_freezing_cnt
symbol: vfs_link
symbol: dget_parent
symbol: key_type_user
symbol: kill_anon_super
symbol: iget5_locked
symbol: inode_permission
symbol: vfs_readdir
symbol: mntget
symbol: __mark_inode_dirty
symbol: generic_file_llseek
symbol: make_bad_inode
symbol: kernel_stack
symbol: set_anon_super
symbol: sg_init_table
symbol: fsstack_copy_inode_size
symbol: kernel_write
symbol: alloc_pages_current
symbol: request_key
symbol: vfs_create

[root@localhost linux-3.10.0-229.1.2.el7]#
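To show what the checker above is actually doing, here is an added C re-implementation of its core comparison (it is not kabi_check.py and not Red Hat's code). Both inputs are constructed for the example: the whitelist excerpt follows the layout I assume for /lib/modules/kabi-rhel71/kabi_whitelist_x86_64 (a [section] header followed by one tab-indented symbol per line), and the module symbols are in the shape `nm -u ecryptfs.ko` prints. The symbol names used in the constructed data are illustrative, not the real RHEL 7.1 whitelist contents.

```c
/* Added example (not kabi_check.py and not Red Hat's code): compare the
 * undefined symbols a module imports against a kABI whitelist and report
 * the ones that are not covered. Inputs are constructed in this file. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_SYMS 64
#define SYM_LEN 64

/* Constructed whitelist excerpt; assumed layout of kabi_whitelist_x86_64. */
static const char whitelist_text[] =
        "[rhel7_x86_64_whitelist]\n"
        "\t__kmalloc\n"
        "\tkfree\n"
        "\tmutex_lock\n"
        "\tprintk\n";

/* Constructed `nm -u` style output: kernel symbols the module needs. */
static const char nm_text[] =
        "                 U __fentry__\n"
        "                 U __kmalloc\n"
        "                 U iput\n"
        "                 U kfree\n"
        "                 U printk\n"
        "                 U vfs_setxattr\n";

/* Store the trimmed text [s, e) as out[n]; returns 1 if something was stored. */
static int store_symbol(char out[][SYM_LEN], int n, const char *s, const char *e)
{
        while (s < e && isspace((unsigned char)*s))
                s++;
        while (e > s && isspace((unsigned char)e[-1]))
                e--;
        if (s >= e || (size_t)(e - s) >= SYM_LEN)
                return 0;
        memcpy(out[n], s, (size_t)(e - s));
        out[n][e - s] = '\0';
        return 1;
}

/* Whitelist parser: skips [section] headers and blank lines. Returns count. */
int parse_whitelist(const char *text, char out[][SYM_LEN], int max)
{
        int n = 0;
        const char *p = text;

        while (*p && n < max) {
                const char *nl = strchr(p, '\n');
                const char *e = nl ? nl : p + strlen(p);
                const char *s = p;

                while (s < e && isspace((unsigned char)*s))
                        s++;
                if (s < e && *s != '[')
                        n += store_symbol(out, n, s, e);
                p = nl ? nl + 1 : e;
        }
        return n;
}

/* nm -u parser: keeps the name from lines shaped "<spaces>U <symbol>". */
int parse_nm_undefined(const char *text, char out[][SYM_LEN], int max)
{
        int n = 0;
        const char *p = text;

        while (*p && n < max) {
                const char *nl = strchr(p, '\n');
                const char *e = nl ? nl : p + strlen(p);
                const char *s = p;

                while (s < e && *s == ' ')
                        s++;
                if (e - s > 2 && s[0] == 'U' && s[1] == ' ')
                        n += store_symbol(out, n, s + 2, e);
                p = nl ? nl + 1 : e;
        }
        return n;
}

/* Fills `missing` with the module symbols absent from the whitelist and
 * returns how many there are (0 means every import is covered by kABI). */
int find_unwhitelisted(const char *whitelist, const char *nm_output,
                       char missing[][SYM_LEN], int max)
{
        char wl[MAX_SYMS][SYM_LEN], syms[MAX_SYMS][SYM_LEN];
        int nw = parse_whitelist(whitelist, wl, MAX_SYMS);
        int ns = parse_nm_undefined(nm_output, syms, MAX_SYMS);
        int i, j, m = 0;

        for (i = 0; i < ns && m < max; i++) {
                for (j = 0; j < nw; j++)
                        if (strcmp(syms[i], wl[j]) == 0)
                                break;
                if (j == nw)
                        strcpy(missing[m++], syms[i]);
        }
        return m;
}

/* Runs the check on the constructed inputs; results land in demo_missing. */
char demo_missing[MAX_SYMS][SYM_LEN];
int run_demo(void)
{
        return find_unwhitelisted(whitelist_text, nm_text, demo_missing, MAX_SYMS);
}

int main(void)
{
        int i, m = run_demo();

        printf("WARNING: %d symbols used by the module are not on the ABI whitelist\n", m);
        for (i = 0; i < m; i++)
                printf("symbol: %s\n", demo_missing[i]);
        return 0;
}
```

On a real system you would feed it the output of `nm -u` on your .ko and the real whitelist file; a non-empty result means the module depends on interfaces whose layout or checksum Red Hat does not promise to keep stable across kernel updates, which is exactly the list the script printed above for ecryptfs.ko.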


Enjoy!
P.S. Ok, I have no time to find a new flag :/ going to a meeting.

Monday, 11 May 2015

Build a Red Hat 7 custom kernel

Red Hat 7.

1.- Download and install the Red Hat 7 binary ISO

2.- Register and subscribe your license with Red Hat using:

[root@localhost linux-3.10.0-229.1.2.el7]# subscription-manager register --username=USER@domain.com --password=PASSWORD
The system has been registered with ID: f85af162-7d22-5a8b-ac98-05ada827659b
[root@localhost linux-3.10.0-229.1.2.el7]# subscription-manager attach --auto


Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed



3.- Download the latest redhat kernel source code from https://access.redhat.com/
or https://access.redhat.com/downloads/content/69/ver=/rhel---7/7.1/x86_64/packages

4.- scp it to your Red Hat installation:
# scp Downloads/kernel-3.10.0-229.1.2.el7.src.rpm  root@172.19.8.215:/root/

5.- Install the kernel source:
# rpm -ivh kernel-3.10.0-229.1.2.el7.src.rpm

6.- Verify it was installed:
# rpm -qa kernel
kernel-3.10.0-229.el7.x86_64

7.- Install build dependencies:
# yum groupinstall "Development Tools"
# yum install ncurses-devel
# yum install unifdef
# yum install bc

8.- Go to the directory /root/rpmbuild/SOURCES/ and untar the source code file:
# cd /root/rpmbuild/SOURCES/
# tar -xvf linux-3.10.0-229.1.2.el7.tar.xz

9.- Go to the source code directory:
# cd /root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7

10.- Prepare the build config:

# make menuconfig
    NOTE: Select the default option and <save> it as ".config" (no quotes), then go to <exit>

Then run:
# make
# make modules
# make modules_install
(If there is an error like a directory doesn't exist, just create it with mkdir)
# make install

Enjoy!
The "Come and Take It" flag was created during the American Revolution and later used in the Texas Revolution.


Configuring the IP on RedHat 7 in a virtualbox VM

Ok, this is only a note of few steps.

1.- Shutdown the VM
2.- Go to your VM Settings -> Network and set Bridged Adapter / wlan0
3.- Start the VM
4.- Once logged in, run 'dhclient' without parameters
5.- Verify that an IP address was assigned:


[root@localhost ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:fa:da:f9 brd ff:ff:ff:ff:ff:ff
    inet 172.19.8.222/22 brd 172.19.8.255 scope global dynamic enp0s3
       valid_lft 86177sec preferred_lft 86177sec
    inet6 fe80::a00:27ff:fefa:daf9/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost ~]#


Enjoy!
P.S. No flags this time.

Thursday, 30 April 2015

How-to: Install Cloudera Navigator Encrypt 3.7.0 on SUSE 11 SP2 and SP3



The original post can be found at: http://blog.cloudera.com/blog/2015/04/how-to-install-cloudera-navigator-encrypt-3-7-0-on-suse-11-sp2-and-sp3/


--------------------------------------------------------------------------------------------------------------


How-to: Install Cloudera Navigator Encrypt 3.7.0 on SUSE 11 SP2 and SP3

Installing Cloudera Navigator Encrypt on SUSE is a one-off process, but we have you covered with this how-to.
Cloudera Navigator Encrypt, which is integrated with Cloudera Navigator governance software, provides massively scalable, high-performance encryption for critical Apache Hadoop data. It leverages industry-standard AES-256 encryption and provides a transparent layer between the application and filesystem. Navigator Encrypt also includes process-based access controls, allowing authorized Hadoop processes to access encrypted data, while simultaneously preventing admins or super-users like root from accessing data that they don’t need to see.
Navigator Encrypt is distributed in two different packages: the kernel module, and the binaries (cli commands) and configuration files. Current supported distributions are debian-7-x64, rhel-5-x64, rhel-6-x64, sles-11-x64, ubuntu-12.04-x64, and ubuntu-14.04-x64. As SUSE has a specific way to build and distribute RPMs for any external kernel module, this post explains how to install Navigator Encrypt 3.7.0 specifically on SLES 11 SP2 and SP3.

Understanding KMPs

For nearly all platforms, the traditional way to install Navigator Encrypt and its kernel module is to issue:
or any package manager equivalent. In these cases, the Navigator Encrypt kernel module uses dkms to build the kernel module at installation time.
This strategy doesn’t work with SUSE, however, which doesn’t support dkms and which handles external kernel modules in a unique manner. Because the process to build the kernel module manually is tedious, the easiest way to install the kernel module is by distributing it already built.
Fortunately, SUSE provides a build tool (openSUSE Build Service, or OBS) that creates RPM packages containing the pre-built kernel module; this tool is free and can be found at build.opensuse.org. A SUSE package created with this tool is called a kernel module package (KMP). (To learn more about how to build KMPs, see the openSUSE build service user guide.)
For KMP names, SUSE recommends using a naming convention based on the company name and a short package name (example: cloudera-zncryptfs-kmp-default-3.4.2_3.0.13_0.27-15.1.x86_64.rpm). To clarify which packages belong to SP2 and SP3, Cloudera has renamed the KMP by adding “SPx” to the package name, as in:cloudera-zncryptfs-kmp-SP2-default-3.4.2_3.0.13_0.27-15.1.x86_64.rpm.
KMPs are designed to maintain compatibility among all kernel versions for a specific SUSE version (SP2, SP3, etc.). SUSE assures us that if there is a kernel upgrade the kABI symbols will not change; those symbols will have the same symbol version (checksum) for all the kernels supported for a specific SUSE Version (SP2, for example). Thus the same installed kernel module will work after the upgrade without the need to rebuild or upgrade it.
A Navigator Encrypt kernel module only needs to be re-installed when there is an upgrade from SP2 to SP3. The reason for that re-install is that the SP2 cloudera-zncryptfs kernel module is incompatible with SP3—instead, you would need to install the SP3 cloudera-zncryptfs KMP.
Navigator Encrypt for SUSE doesn’t have an implicit dependency on the zncrypt-kernel-module anymore, so it has to be installed independently and based on the kernel where it is going to run. Cloudera packages are named to make it easy to know which version to use; for example, the package cloudera-zncryptfs-kmp-SP2-default-3.4.2_3.0.13_0.27-15.1.x86_64.rpm corresponds to SP2 and cloudera-zncryptfs-kmp-SP3-default-3.4.2_3.0.76_0.11-10.2.x86_64.rpm corresponds to SP3.
SUSE also maintains a list of supported kernels and their versions that you can use to verify compatibility between the KMP version and your installed kernel. Just select the service pack that interests you and then click on the “Kernel:” drop-down list to see all the kernels. (Note: the latest SP3 kernel update used slightly different numbers for i586 vs. x86_64 architectures. The update released for i586 was 3.0.101-0.42.1, and the update released for x86_64 was 3.0.101-0.46.1. This is why you see both in the list. Anyway, for an SP3 kernel x86_x64, you will never see a 3.0.101-0.42.1 version. Navigator Encrypt only supports x86_64.)
Cloudera is a SUSE partner and thus cloudera-zncryptfs is part of the Solid Driver Program, ensuring kernel driver compatibility. To check if the SUSE kernel is tainted, look at the variable:
where 0 means the kernel is not tainted. However, because cloudera-zncryptfs is a supported kernel module, a tainted kernel is tagged with a specific value:
(Learn more about tainted kernels here.)
When looking at the kernel module info, you will also see that it has a tag identifying the support as external to SUSE (“supported:  external”).
Currently, Navigator Encrypt supports SUSE 11 SP2 and SP3. (SLES 11 SP1 is not supported, nor is SLES 12.) The Cloudera stable repo for SUSE/OpenSUSE can be found here.
Here is a list of cloudera-zncryptfs KMPs built for SP2:
cloudera-zncryptfs-kmp-SP2-default-3.4.2_3.0.13_0.27-15.1.x86_64.rpm
cloudera-zncryptfs-kmp-SP2-xen-3.4.2_3.0.13_0.27-15.1.x86_64.rpm    
cloudera-zncryptfs-kmp-SP2-ec2-3.4.2_3.0.13_0.27-15.1.x86_64.rpm    
And here is a list of cloudera-zncryptfs KMPs built for SP3:
cloudera-zncryptfs-kmp-SP3-default-3.4.2_3.0.76_0.11-10.2.x86_64.rpm
cloudera-zncryptfs-kmp-SP3-xen-3.4.2_3.0.76_0.11-10.2.x86_64.rpm 
cloudera-zncryptfs-kmp-SP3-ec2-3.4.2_3.0.76_0.11-10.2.x86_64.rpm
What flavor is your kernel? It mostly depends on your hardware. Learn more about kernel flavors here.

Installation Process

Identify the cloudera-zncryptfs KMPs that you will install for SP2 or SP3. You also need to identify the flavor.
Add the cloudera archive as specified in the Navigator Encrypt user guide:
In this example, we are installing Navigator Encrypt for SLES 11 SP3. Let’s install its corresponding KMP:
(Note: The previous command-line example is for the build revision number 14.13. That number might change, so please check the stable repo for the newest build.)
zncryptfs.ko is installed at /lib/modules/3.0.76-0.11-default/updates/zncryptfs.ko and it becomes a weak-update of your current kernel module.
Current kernel module in this example is:
The weak-update has now a symlink to the kernel module installed:
This is a good moment to check for the modinfo of our installed kernel module:
Our module is now ready to work on our installed kernel. Next, we can install the Navigator Encrypt binaries:
You can register Navigator Encrypt against a Key Trustee server:
SUSE has a flag that allows external kernel modules to load. Set this flag to 1 as specified in the user guide:
If you don’t do that, you won’t be able to prepare any mount point, and a message like the following will appear:
Then, prepare a first mount point:
Verify that it is actually mounted:
A quick encryption test adding a universal rule can be done:
Congratulations, you have just installed Navigator Encrypt on SLES 11 SP3!
Alex Gonzalez is a Software Engineer at Cloudera.

P.S. You can have your own miniature f