fscrypt.git/cmd/fscrypt/commands.go, branch v0.3.0 Go tool for managing Linux filesystem encryption cmd/fscrypt: fix isDirUnlockedHeuristic() on latest kernels 2020-11-07T22:49:02+00:00 Eric Biggers ebiggers@google.com 2020-11-07T22:20:45+00:00 b68d603854bb38f59e77963d61ca25d92b945589 On an "incompletely locked" directory, isDirUnlockedHeuristic() is supposed to return true, but on Linux v5.10-rc1 and later it returns false since now creating a subdirectory fails rather than succeeds. This change was intentional, so make isDirUnlockedHeuristic() apply a second heuristic too: also return true if any filenames in the directory don't appear to be valid no-key names. This fixes cli-tests/t_v1_encrypt on Linux v5.10-rc1 and later. 
On an "incompletely locked" directory, isDirUnlockedHeuristic() is
supposed to return true, but on Linux v5.10-rc1 and later it returns
false since now creating a subdirectory fails rather than succeeds.
This change was intentional, so make isDirUnlockedHeuristic() apply a
second heuristic too: also return true if any filenames in the directory
don't appear to be valid no-key names.

This fixes cli-tests/t_v1_encrypt on Linux v5.10-rc1 and later.
Fix nil error issue, Resolves https://github.com/google/fscrypt/issues/242 2020-08-09T16:15:24+00:00 bitcodr bitcodr@gmail.com 2020-08-07T05:34:34+00:00 5e85ae0d4e695b2d54c97cbb15e51ae4adb646a2 






cmd/fscrypt: improve errors
2020-05-09T22:21:31+00:00

Eric Biggers
ebiggers@google.com

2020-05-09T21:52:07+00:00

181600d6327ed34a3f62eda0dd03a6d2ae49e5f9

In checkEncryptable(), check whether the directory is already encrypted
before checking whether it's empty.

Also improve the error message for when a directory is nonempty.

Finally, translate keyring.ErrKeyAddedByOtherUsers and
keyring.ErrKeyFilesOpen into errors which include the directory.





In checkEncryptable(), check whether the directory is already encrypted
before checking whether it's empty.

Also improve the error message for when a directory is nonempty.

Finally, translate keyring.ErrKeyAddedByOtherUsers and
keyring.ErrKeyFilesOpen into errors which include the directory.







filesystem: improve errors
2020-05-09T22:21:31+00:00

Eric Biggers
ebiggers@google.com

2020-05-09T21:52:07+00:00

66fb4c557644ba2c37951a7568c06c47a6c718a7

Introduce filesystem.ErrEncryptionNotEnabled and
filesystem.ErrEncryptionNotSupported which include the Mount as context,
and translate the corresponding metadata/ errors into them.  Then make
these errors show much better suggestions.

Also replace lots of other filesystem/ errors with either custom types
or with unnamed one-off errors that include more context.  Fix backwards
wrapping in lots of cases.

Finally, don't include the mountpoint in places where it's not useful,
like OS-level errors that already include the path.





Introduce filesystem.ErrEncryptionNotEnabled and
filesystem.ErrEncryptionNotSupported which include the Mount as context,
and translate the corresponding metadata/ errors into them.  Then make
these errors show much better suggestions.

Also replace lots of other filesystem/ errors with either custom types
or with unnamed one-off errors that include more context.  Fix backwards
wrapping in lots of cases.

Finally, don't include the mountpoint in places where it's not useful,
like OS-level errors that already include the path.







metadata: improve errors
2020-05-09T22:21:31+00:00

Eric Biggers
ebiggers@google.com

2020-05-09T21:52:07+00:00

fbc161a77962fe64e3caad80efb535d28d8c1f74

ErrBadOwners:
	Rename to ErrDirectoryNotOwned for clarity, move it from
	cmd/fscrypt/ to metadata/ where it better belongs, and improve
	the message.

ErrEncrypted:
	Rename to ErrAlreadyEncrypted for clarity, and include the path.

ErrNotEncrypted:
	Include the path.

ErrBadEncryptionOptions:
	Include the path and bad options.

ErrEncryptionNotSupported:
ErrEncryptionNotEnabled:
	Don't wrap with "get encryption policy %s", in preparation for
	wrapping these with filesystem-level context instead.

Also avoid mixing together the error handling for the "get policy" and
"set policy" ioctls.  Make it very clear how we're handling the errors
from each ioctl.





ErrBadOwners:
	Rename to ErrDirectoryNotOwned for clarity, move it from
	cmd/fscrypt/ to metadata/ where it better belongs, and improve
	the message.

ErrEncrypted:
	Rename to ErrAlreadyEncrypted for clarity, and include the path.

ErrNotEncrypted:
	Include the path.

ErrBadEncryptionOptions:
	Include the path and bad options.

ErrEncryptionNotSupported:
ErrEncryptionNotEnabled:
	Don't wrap with "get encryption policy %s", in preparation for
	wrapping these with filesystem-level context instead.

Also avoid mixing together the error handling for the "get policy" and
"set policy" ioctls.  Make it very clear how we're handling the errors
from each ioctl.







Try to detect incomplete locking of v1-encrypted directory
2020-05-09T22:16:13+00:00

Eric Biggers
ebiggers@google.com

2020-05-09T21:17:17+00:00

de51add609bc74b7247ec4776bd694abbea24a45

'fscrypt lock' on a v1-encrypted directory doesn't warn about in-use
files, as the kernel doesn't provide a way to easily detect it.

Instead, implement a heuristic where we check whether a subdirectory can
be created.  If yes, then the directory must not be fully locked.

Make both 'fscrypt lock' and 'fscrypt status' use this heuristic.

Resolves https://github.com/google/fscrypt/issues/215





'fscrypt lock' on a v1-encrypted directory doesn't warn about in-use
files, as the kernel doesn't provide a way to easily detect it.

Instead, implement a heuristic where we check whether a subdirectory can
be created.  If yes, then the directory must not be fully locked.

Make both 'fscrypt lock' and 'fscrypt status' use this heuristic.

Resolves https://github.com/google/fscrypt/issues/215







cmd/fscrypt: add FSCRYPT_ROOT_MNT environmental variable
2020-05-09T21:04:47+00:00

Eric Biggers
ebiggers@google.com

2020-05-09T21:04:47+00:00

8ff53630f1cc90ae23835e9571f9096e211dce67

Allow overriding the mountpoint where login protectors are stored by
setting the FSCRYPT_ROOT_MNT environmental variable.  The CLI tests need
this to avoid touching the real "/".





Allow overriding the mountpoint where login protectors are stored by
setting the FSCRYPT_ROOT_MNT environmental variable.  The CLI tests need
this to avoid touching the real "/".







Simplify choosing the key description prefix
2020-03-23T20:20:27+00:00

Eric Biggers
ebiggers@google.com

2020-03-18T04:10:58+00:00

ae886a89f541a74255c9a41f7fa504a82ee6413e

There's no real need to allow users to choose the key description prefix
(a.k.a. the "service"), since on ext4 and f2fs we can just use "ext4"
and "f2fs" for compatibility with all kernels both old and new, and on
other filesystems we can just use "fscrypt".  So, let's do that.

Since this removes the point of the "--legacy" option to 'fscrypt setup'
and the "compatibility" field in /etc/fscrypt.conf, remove those too.

Specifically, we start ignoring the "compatibility" in existing config
files and not writing it to new ones.  The corresponding protobuf field
number and name are reserved.  We stop accepting the "--legacy" option
at all, although since it was default true and there was no real reason
for anyone to change it to false, probably no one will notice.  If
anyone does, they should just stop specifying the option.

Note that this change only affects user keyrings and thus only affects
v1 encryption policies, which are deprecated in favor of v2 anyway.





There's no real need to allow users to choose the key description prefix
(a.k.a. the "service"), since on ext4 and f2fs we can just use "ext4"
and "f2fs" for compatibility with all kernels both old and new, and on
other filesystems we can just use "fscrypt".  So, let's do that.

Since this removes the point of the "--legacy" option to 'fscrypt setup'
and the "compatibility" field in /etc/fscrypt.conf, remove those too.

Specifically, we start ignoring the "compatibility" in existing config
files and not writing it to new ones.  The corresponding protobuf field
number and name are reserved.  We stop accepting the "--legacy" option
at all, although since it was default true and there was no real reason
for anyone to change it to false, probably no one will notice.  If
anyone does, they should just stop specifying the option.

Note that this change only affects user keyrings and thus only affects
v1 encryption policies, which are deprecated in favor of v2 anyway.







cmd/fscrypt/commands: allow disabling recovery passphrase (#193)
2020-01-30T03:27:10+00:00

Eric Biggers
ebiggers@google.com

2020-01-30T03:27:10+00:00

c4fa1f4ccb407f44dfabf91d1214f06c277a1b9f

While it's important to generate a recovery passphrase in the linked
protector case to avoid data loss if the system is reinstalled, some
people really don't want it (even though it can be safely ignored as it
almost certainly has far more entropy than the login passphrase).

As a compromise, prompt for y/n before generating it, with default y.
Also, to allow disabling the recovery passphrase during noninteractive
use, add a --no-recovery command-line option.

Update https://github.com/google/fscrypt/issues/186




While it's important to generate a recovery passphrase in the linked
protector case to avoid data loss if the system is reinstalled, some
people really don't want it (even though it can be safely ignored as it
almost certainly has far more entropy than the login passphrase).

As a compromise, prompt for y/n before generating it, with default y.
Also, to allow disabling the recovery passphrase during noninteractive
use, add a --no-recovery command-line option.

Update https://github.com/google/fscrypt/issues/186






cmd/fscrypt/commands: clean up properly when encryptPath() fails
2020-01-28T18:45:52+00:00

Eric Biggers
ebiggers@google.com

2020-01-28T04:16:35+00:00

5c08edd521deadd36bec36662d30681b01253d62

Move the deferred locking and deletion of the policy on failure to the
correct places, so that it's done in all failure cases, including in the
case where adding the recovery protector fails.

Also make the recovery protector be locked and deleted on failure.

Finally, put all the code to do deferred deprovisioning of the policy in
the same place: right after it's provisioned.





Move the deferred locking and deletion of the policy on failure to the
correct places, so that it's done in all failure cases, including in the
case where adding the recovery protector fails.

Also make the recovery protector be locked and deleted on failure.

Finally, put all the code to do deferred deprovisioning of the policy in
the same place: right after it's provisioned.