Copy the GitHub release notes into a NEWS.md file so that the release notes are included in the actual git repo. This way, they aren't hidden away in GitHub, where they require an internet connection to access and will be lost if GitHub ever goes away. This also makes the release notes be properly versioned; GitHub allows past release notes to be edited, and there doesn't seem to be any record of what changed. Finally, this allows packages to install the release notes into /usr/share/doc/$pkgname/, as is the usual convention.
Now that it's been requested by users, bring back the "unlock_only" option, which was originally proposed as part of https://github.com/google/fscrypt/pull/281 but was dropped in the final version of that pull request. Resolves https://github.com/google/fscrypt/issues/357
Support for AES_256_HCTR2 filenames encryption was added in kernel version 6.0. The kernel doesn't yet support AES_256_HCTR2 for contents encryption.
Bump up the required Go version to 1.16 so that we can assume that Go modules are enabled by default. Go 1.16 is the latest end-of-life release, so this makes it so that we support the latest end-of-life release (1.16), the current maintainance release (1.17), the current release (1.18), and future releases. This the same approach we took when we last bumped up the required Go version. Also update the ci.yml file to test with these versions.
Currently, fscrypt policies and protectors are world readable, as they are created with mode 0644. While this can be nice for use cases where users share these files, those use cases seem to be quite rare, and it's not a great default security-wise since it exposes password hashes to all users. While fscrypt uses a very strong password hash algorithm, it would still be best to follow the lead of /etc/shadow and keep this information non-world-readable. Therefore, start creating these files with mode 0600. Of course, if users do actually want to share these files, they have the option of simply chmod'ing them to a less restrictive mode. An option could also be added to make fscrypt use the old mode 0644; however, the need for that is currently unclear.
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.
There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,
* If fscrypt or pam_fscrypt is running as a non-root user, only
policies and protectors owned by the user or by root can be used.
* If fscrypt is running as root, any policy or protector can be used.
(This is to match user expectations -- starting a sudo session
should gain rights, not remove rights.)
* If pam_fscrypt is running as root, only policies and protectors
owned by root can be used. Note that this only applies when the
root user themselves has an fscrypt login protector, which is rare.
Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
World-writable directories are not appropriate for some systems, so offer a choice of single-user-writable and world-writable modes, with single-user-writable being the default. Add a new documentation section to help users decide which one to use.
Fixes https://github.com/google/fscrypt/issues/318