fscrypt.git, branch v0.3.0 Go tool for managing Linux filesystem encryption Release version v0.3.0 (#282) 2021-03-31T23:19:39+00:00 Eric Biggers ebiggers@google.com 2021-03-31T23:19:39+00:00 dad0c1158455dcfd9acbd219a04ef348bf454332 






Merge pull request #283 from google/coverage
2021-03-31T23:08:48+00:00

Joseph Richey
joerichey@google.com

2021-03-31T23:08:48+00:00

2578a1afaf58712ea3c54eb51f86594455c4cafa

Stop generating and uploading coverage in CI




Stop generating and uploading coverage in CI






Only run CI on master branch and PRs to master
2021-03-31T23:00:16+00:00

Joe Richey
joerichey@google.com

2021-03-31T23:00:16+00:00

c3bb6c7d9304894a35a2229f4ceda76f745fc264

This avoids duplicate CI checks

Signed-off-by: Joe Richey <joerichey@google.com>





This avoids duplicate CI checks

Signed-off-by: Joe Richey <joerichey@google.com>







Stop generating and uploading coverage in CI
2021-03-31T22:55:39+00:00

Joe Richey
joerichey@google.com

2021-03-31T22:46:18+00:00

2fa66887a238311a026f44b40ec1b1d876ec3cfd

This is currently broken, and we don't really use the findings.

Signed-off-by: Joe Richey <joerichey@google.com>





This is currently broken, and we don't really use the findings.

Signed-off-by: Joe Richey <joerichey@google.com>







Merge pull request #281 from ebiggers/pam_fscrypt-updates
2021-03-09T09:27:42+00:00

Joseph Richey
joerichey@google.com

2021-03-09T09:27:42+00:00

177de25ee64d13c71935ed3a1ec543f97a5d3741

pam_fscrypt: eliminate unnecessary options and improve documentation




pam_fscrypt: eliminate unnecessary options and improve documentation






README: improve PAM configuration documentation (again)
2021-03-08T23:20:08+00:00

Eric Biggers
ebiggers@google.com

2021-03-08T23:20:08+00:00

36d7ec1c2ddd367865a7438b8c602ad37fb229e8

Make some more corrections:

- pam-config-framework isn't actually Ubuntu-specific but actually
  applies to Debian and any Debian derivative.

- The pam-config-framework file is indeed installed by `make install`,
  just not into the correct location.

- On Debian (and Debian derivatives), the PAM configuration isn't
  actually part of the 'fscrypt' package but rather 'libpam-fscrypt'.

- Clarify where to add the pam_fscrypt.so session hook.





Make some more corrections:

- pam-config-framework isn't actually Ubuntu-specific but actually
  applies to Debian and any Debian derivative.

- The pam-config-framework file is indeed installed by `make install`,
  just not into the correct location.

- On Debian (and Debian derivatives), the PAM configuration isn't
  actually part of the 'fscrypt' package but rather 'libpam-fscrypt'.

- Clarify where to add the pam_fscrypt.so session hook.







README: make it clear that pam_fscrypt also handles locking
2021-03-08T23:20:08+00:00

Eric Biggers
ebiggers@google.com

2021-03-08T23:20:08+00:00

cf19ab80b0eb24859494b3c12a43873d8eec3d73

There are several mentions of pam_fscrypt handling unlocking
directories.  Make sure to mention locking alongside this.





There are several mentions of pam_fscrypt handling unlocking
directories.  Make sure to mention locking alongside this.







pam_fscrypt: make "lock_policies" the default behavior
2021-03-08T23:20:08+00:00

Eric Biggers
ebiggers@google.com

2021-03-08T23:20:08+00:00

b7e898f01bcae17174fcd928599d0d933655db9b

All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook.  The
Debian/Ubuntu pam-config-framework config file has it too.

Make locking the default behavior, since this is what everyone wants.

Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.

(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful.  So for
simplicity, leave it out for now.)





All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook.  The
Debian/Ubuntu pam-config-framework config file has it too.

Make locking the default behavior, since this is what everyone wants.

Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.

(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful.  So for
simplicity, leave it out for now.)







pam_fscrypt: decide cache dropping behavior automatically
2021-03-08T23:20:08+00:00

Eric Biggers
ebiggers@google.com

2021-03-08T23:20:08+00:00

28e4999ebd9221a71488d715d9f1182b494216d8

Configuring whether pam_fscrypt drops caches or not isn't really
something the user should have to do, and it's also irrelevant for v2
encryption policies (the default on newer systems).  It's better to have
pam_fscrypt automatically decide whether it needs to drop caches or not.

Do this by making pam_fscrypt check whether any encryption policy keys
are being removed from a user keyring (rather than from a filesystem
keyring).  If so, it drops caches; otherwise it doesn't.  This
supersedes the "drop_caches" option, which won't do anything anymore.





Configuring whether pam_fscrypt drops caches or not isn't really
something the user should have to do, and it's also irrelevant for v2
encryption policies (the default on newer systems).  It's better to have
pam_fscrypt automatically decide whether it needs to drop caches or not.

Do this by making pam_fscrypt check whether any encryption policy keys
are being removed from a user keyring (rather than from a filesystem
keyring).  If so, it drops caches; otherwise it doesn't.  This
supersedes the "drop_caches" option, which won't do anything anymore.







pam_fscrypt/config: prioritise over other session modules
2021-03-03T18:06:13+00:00

Robert McQueen
rob@endlessos.org

2021-03-03T11:34:55+00:00

90a96e4473ae7bcf61a97f25fc67a9a953187f56

Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.

Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as https://github.com/google/fscrypt/issues/270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.

After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (eg pam_mount
at 128) but before those which seem unlikely to work without a home
directory (eg pam_ssh at 64).





Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.

Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as https://github.com/google/fscrypt/issues/270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.

After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (eg pam_mount
at 128) but before those which seem unlikely to work without a home
directory (eg pam_ssh at 64).