fscrypt.git, branch master Go tool for managing Linux filesystem encryption cmd/fscrypt: mention --unlock-with in protector error hint 2026-04-15T06:31:20+00:00 alliasgher alliasgher123@gmail.com 2026-04-14T09:58:37+00:00 9e4a9a1ff155ee3c4b27b74a8261414f3c338bdd The error hint for ErrSpecifyProtector only referenced --protector, but for the unlock command the correct flag is --unlock-with. Mention both flags so users are pointed to the right one. Fixes #439 Signed-off-by: alliasgher <alliasgher123@gmail.com> 
The error hint for ErrSpecifyProtector only referenced --protector,
but for the unlock command the correct flag is --unlock-with. Mention
both flags so users are pointed to the right one.

Fixes #439

Signed-off-by: alliasgher <alliasgher123@gmail.com>
recovery: add O_NOFOLLOW|O_EXCL to prevent symlink-following in recovery file creation 2026-04-15T06:30:23+00:00 Karan Kurani karankurani3k@gmail.com 2026-04-13T18:02:12+00:00 2dee71cdc2a7bccead530a42dfd10736e8de45a9 WriteRecoveryInstructions() opens the recovery README with os.OpenFile using O_WRONLY|O_CREATE without O_NOFOLLOW. When fscrypt encrypt runs as root, this allows a local attacker to place a symlink at the recovery file path, causing root to write through the symlink and then fchown the target file to the attacker. Adding O_EXCL|O_NOFOLLOW aligns with the existing security pattern in filesystem.go:608 and filesystem.go:747. 
WriteRecoveryInstructions() opens the recovery README with os.OpenFile
using O_WRONLY|O_CREATE without O_NOFOLLOW. When fscrypt encrypt runs
as root, this allows a local attacker to place a symlink at the recovery
file path, causing root to write through the symlink and then fchown the
target file to the attacker. Adding O_EXCL|O_NOFOLLOW aligns with the
existing security pattern in filesystem.go:608 and filesystem.go:747.
Add support for cgroup limits (#443) 2026-03-26T21:19:14+00:00 Michele Bertasi 405934+mbrt@users.noreply.github.com 2026-03-26T21:19:14+00:00 298ed2a6c44cde90b4262b884169c53b8deda508 * Add cgroup package * Refactor procGgroup * Add testdata generation * Add v1 testdata generation * Move scripts around * Add integration test in CI * Remove cgroup v1 * Move to cgroup struct * Remove half-core test as it's redundant 
* Add cgroup package

* Refactor procGgroup

* Add testdata generation

* Add v1 testdata generation

* Move scripts around

* Add integration test in CI

* Remove cgroup v1

* Move to cgroup struct

* Remove half-core test as it's redundant
 build(deps): bump golang.org/x/crypto (#435) 2025-11-20T05:33:30+00:00 dependabot[bot] 49699333+dependabot[bot]@users.noreply.github.com 2025-11-20T05:33:30+00:00 ea916da7fa9844cc3da608e75510f478c7b09f7d Bumps the go_modules group with 1 update in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto). Updates `golang.org/x/crypto` from 0.41.0 to 0.45.0 - [Commits](https://github.com/golang/crypto/compare/v0.41.0...v0.45.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: direct:production dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 
Bumps the go_modules group with 1 update in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto).


Updates `golang.org/x/crypto` from 0.41.0 to 0.45.0
- [Commits](https://github.com/golang/crypto/compare/v0.41.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 v0.3.6 2025-11-04T22:08:18+00:00 Eric Biggers ebiggers@google.com 2025-11-04T22:07:41+00:00 37b292434bbb79b2b145a6ede9d53dadacb6870e 






Upgrade github.com/urfave/cli
2025-11-04T21:53:45+00:00

Eric Biggers
ebiggers@google.com

2025-11-04T21:48:32+00:00

6be6c2d10b6d4e30787038910ce9fd2ce70723b8

Ran the following commands, using Go 1.23.12:

    go get github.com/urfave/cli
    go mod tidy





Ran the following commands, using Go 1.23.12:

    go get github.com/urfave/cli
    go mod tidy







Upgrade golang.org/x/tools
2025-11-04T21:53:45+00:00

Eric Biggers
ebiggers@google.com

2025-11-04T21:47:35+00:00

f0b0cdcb0b6008f6e6e05c0cbeaa126c089d026c

Ran the following commands, using Go 1.23.12:

    go get golang.org/x/tools@v0.36.0
    go mod tidy

... where v0.36.0 is the latest version that supports Go 1.23.





Ran the following commands, using Go 1.23.12:

    go get golang.org/x/tools@v0.36.0
    go mod tidy

... where v0.36.0 is the latest version that supports Go 1.23.







Upgrade honnef.co/go/tools
2025-11-04T21:53:45+00:00

Eric Biggers
ebiggers@google.com

2025-11-04T21:46:13+00:00

41d29b0d5dd474f1ba34747dc535ebee583fa0e7

Ran the following commands, using Go 1.23.12:

    go get honnef.co/go/tools
    go mod tidy





Ran the following commands, using Go 1.23.12:

    go get honnef.co/go/tools
    go mod tidy







Upgrade google.golang.org/protobuf
2025-11-04T21:53:37+00:00

Eric Biggers
ebiggers@google.com

2025-11-04T21:44:04+00:00

38ec4ee5af9dd31d6b81721439fcdf9a30f4a9cd

Ran the following commands, using Go 1.23.12:

    go get google.golang.org/protobuf
    go mod tidy
    make gen





Ran the following commands, using Go 1.23.12:

    go get google.golang.org/protobuf
    go mod tidy
    make gen







Upgrade golang.org/x/crypto
2025-11-04T21:45:49+00:00

Eric Biggers
ebiggers@google.com

2025-11-04T21:43:13+00:00

b90a1aec52acbc6df2ec24726574254ec0e666e1

Ran the following commands, using Go 1.23.12:

    go get golang.org/x/crypto@v0.41.0
    go mod tidy

... where v0.41.0 is the latest version that supports Go 1.23.





Ran the following commands, using Go 1.23.12:

    go get golang.org/x/crypto@v0.41.0
    go mod tidy

... where v0.41.0 is the latest version that supports Go 1.23.