fscrypt.git/filesystem/filesystem.go, branch v0.3.2 Go tool for managing Linux filesystem encryption filesystem: remove an outdated comment 2022-02-06T19:06:36+00:00 Eric Biggers ebiggers@google.com 2022-02-06T18:32:34+00:00 93fb59a5411e201ee8e220853c44a98df5e55c55 






filesystem: store mountpoint in link files as a fallback
2021-12-23T04:46:16+00:00

Eric Biggers
ebiggers@google.com

2021-12-23T04:46:16+00:00

5ae7da4ee6582099de5d1b14733f8d58f4dc2816

Currently, linked protectors use filesystem link files of the form
"UUID=<uuid>".  These links get broken if the filesystem's UUID changes,
e.g. due to the filesystem being re-created even if the ".fscrypt"
directory is backed up and restored.

To prevent links from being broken (in most cases), start storing the
mountpoint path in the link files too, in the form
"UUID=<uuid>\nPATH=<path>\n".  When following a link, try the UUID
first, and if it doesn't work try the PATH.  While it's possible that
the path changed too, for login protectors (the usual use case of linked
protectors) this won't be an issue as the path will always be "/".

An alternative solution would be to fall back to scanning all
filesystems for the needed protector descriptor.  I decided not to do
that, since relying on a global scan doesn't seem to be a good design.
It wouldn't scale to large numbers of filesystems, it could cross
security boundaries, and it would make it possible for adding a new
filesystem to break fscrypt on existing filesystems.  And if a global
scan was an acceptable way to find protectors during normal use, then
there would be no need for link files in the first place.

Note: this change is backwards compatible (i.e., fscrypt will continue
to recognize old link files) but not forwards-compatible (i.e., previous
versions of fscrypt won't recognize new link files).

Fixes https://github.com/google/fscrypt/issues/311





Currently, linked protectors use filesystem link files of the form
"UUID=<uuid>".  These links get broken if the filesystem's UUID changes,
e.g. due to the filesystem being re-created even if the ".fscrypt"
directory is backed up and restored.

To prevent links from being broken (in most cases), start storing the
mountpoint path in the link files too, in the form
"UUID=<uuid>\nPATH=<path>\n".  When following a link, try the UUID
first, and if it doesn't work try the PATH.  While it's possible that
the path changed too, for login protectors (the usual use case of linked
protectors) this won't be an issue as the path will always be "/".

An alternative solution would be to fall back to scanning all
filesystems for the needed protector descriptor.  I decided not to do
that, since relying on a global scan doesn't seem to be a good design.
It wouldn't scale to large numbers of filesystems, it could cross
security boundaries, and it would make it possible for adding a new
filesystem to break fscrypt on existing filesystems.  And if a global
scan was an acceptable way to find protectors during normal use, then
there would be no need for link files in the first place.

Note: this change is backwards compatible (i.e., fscrypt will continue
to recognize old link files) but not forwards-compatible (i.e., previous
versions of fscrypt won't recognize new link files).

Fixes https://github.com/google/fscrypt/issues/311







filesystem: avoid accessing irrelevant filesystems
2021-12-20T16:24:15+00:00

Eric Biggers
ebiggers@google.com

2021-12-20T04:17:20+00:00

d0b9e2c995beb13c70a1549923df482ff773f09b

Forbid 'fscrypt setup' on filesystems that aren't expected to support
encryption (other than the root filesystem), and skip looking for
fscrypt metadata directories on such filesystems.  This has two
benefits.  First, it avoids the printing of annoying warnings like:

	pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied

Second, it avoids long delays or side effects on some filesystems.

To do this, introduce an allowlist of filesystem types that fscrypt will
recognize.  I wanted to avoid doing this, since this list will need to
be updated in the future, but I don't see a better solution.





Forbid 'fscrypt setup' on filesystems that aren't expected to support
encryption (other than the root filesystem), and skip looking for
fscrypt metadata directories on such filesystems.  This has two
benefits.  First, it avoids the printing of annoying warnings like:

	pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied

Second, it avoids long delays or side effects on some filesystems.

To do this, introduce an allowlist of filesystem types that fscrypt will
recognize.  I wanted to avoid doing this, since this list will need to
be updated in the future, but I don't see a better solution.







Set owner of login protectors to correct user
2021-12-20T03:44:59+00:00

Eric Biggers
ebiggers@google.com

2021-12-20T03:19:25+00:00

4c7c6631cc5a27cc6b4431f5ad3805a2d624c5f5

When the root user creates a login protector for a non-root user, make
sure to chown() the protector file to make it owned by the user.
Without this, the protector cannot be updated by the user, which causes
it to get out of sync if the user changes their login passphrase.

Fixes https://github.com/google/fscrypt/issues/319





When the root user creates a login protector for a non-root user, make
sure to chown() the protector file to make it owned by the user.
Without this, the protector cannot be updated by the user, which causes
it to get out of sync if the user changes their login passphrase.

Fixes https://github.com/google/fscrypt/issues/319







filesystem: improve errors
2020-05-09T22:21:31+00:00

Eric Biggers
ebiggers@google.com

2020-05-09T21:52:07+00:00

66fb4c557644ba2c37951a7568c06c47a6c718a7

Introduce filesystem.ErrEncryptionNotEnabled and
filesystem.ErrEncryptionNotSupported which include the Mount as context,
and translate the corresponding metadata/ errors into them.  Then make
these errors show much better suggestions.

Also replace lots of other filesystem/ errors with either custom types
or with unnamed one-off errors that include more context.  Fix backwards
wrapping in lots of cases.

Finally, don't include the mountpoint in places where it's not useful,
like OS-level errors that already include the path.





Introduce filesystem.ErrEncryptionNotEnabled and
filesystem.ErrEncryptionNotSupported which include the Mount as context,
and translate the corresponding metadata/ errors into them.  Then make
these errors show much better suggestions.

Also replace lots of other filesystem/ errors with either custom types
or with unnamed one-off errors that include more context.  Fix backwards
wrapping in lots of cases.

Finally, don't include the mountpoint in places where it's not useful,
like OS-level errors that already include the path.







actions/policy: improve errors
2020-05-09T22:21:31+00:00

Eric Biggers
ebiggers@google.com

2020-05-09T21:52:07+00:00

209a2d1419ea575fd316bd9975fb63e40cce7a77

ErrMissingPolicyMetadata:
	Include the mount, directory path, and metadata path.  Also move
	the explanation into actions/ since it doesn't refer to any CLI
	command.

ErrPolicyMetadataMismatch:
	Include a lot more information.  Also start checking for
	consistency of the policy key descriptors, not just the
	encryption options.  Add a test for this.

ErrDifferentFilesystem:
	Include the mountpoints.

ErrOnlyProtector:
	Clarify the message and include the protector descriptor.

ErrAlreadyProtected:
ErrNotProtected:
	Include the policy and protector descriptors.

ErrAccessDeniedPossiblyV2:
	Make it slightly clearer what failed.  Also move the explanation
	into actions/ since it doesn't refer to any CLI command.





ErrMissingPolicyMetadata:
	Include the mount, directory path, and metadata path.  Also move
	the explanation into actions/ since it doesn't refer to any CLI
	command.

ErrPolicyMetadataMismatch:
	Include a lot more information.  Also start checking for
	consistency of the policy key descriptors, not just the
	encryption options.  Add a test for this.

ErrDifferentFilesystem:
	Include the mountpoints.

ErrOnlyProtector:
	Clarify the message and include the protector descriptor.

ErrAlreadyProtected:
ErrNotProtected:
	Include the policy and protector descriptors.

ErrAccessDeniedPossiblyV2:
	Make it slightly clearer what failed.  Also move the explanation
	into actions/ since it doesn't refer to any CLI command.







cmd/fscrypt: add FSCRYPT_CONSISTENT_OUTPUT environmental variable
2020-05-09T21:04:47+00:00

Eric Biggers
ebiggers@google.com

2020-05-09T21:04:47+00:00

5716215ceae3ab8b49a7b2ba410cb51a82c3176b

Allow setting FSCRYPT_CONSISTENT_OUTPUT=1 in the environment to cause
policies and protectors to sorted by last modification time.  The CLI
tests need this to make the output of 'fscrypt' ordered in a consistent
way with regard to the operations performed.





Allow setting FSCRYPT_CONSISTENT_OUTPUT=1 in the environment to cause
policies and protectors to sorted by last modification time.  The CLI
tests need this to make the output of 'fscrypt' ordered in a consistent
way with regard to the operations performed.







Allow fscrypt to work in containers (#213)
2020-04-17T03:43:48+00:00

Eric Biggers
ebiggers@google.com

2020-04-17T03:43:48+00:00

fe860934c793276100b7a60ebbb9325a2cfd910d

Update the /proc/self/mountinfo parsing code to allow selecting a Mount
with Subtree != "/", i.e. a Mount not of the full filesystem.  This is
needed to allow fscrypt to work in containers, where the root of the
filesystem may not be mounted.

See findMainMount() for details about the algorithm used.

Resolves https://github.com/google/fscrypt/issues/211




Update the /proc/self/mountinfo parsing code to allow selecting a Mount
with Subtree != "/", i.e. a Mount not of the full filesystem.  This is
needed to allow fscrypt to work in containers, where the root of the
filesystem may not be mounted.

See findMainMount() for details about the algorithm used.

Resolves https://github.com/google/fscrypt/issues/211






filesystem: don't overwrite existing protector links
2020-01-28T18:45:52+00:00

Eric Biggers
ebiggers@google.com

2020-01-28T04:16:35+00:00

07d744068d437b09d7a07975e88e18440f5db2f3

When adding a protector to a policy, don't unconditionally overwrite the
protector link, because it may already exist.  Instead, if it already
exists and points to the mount, just use it.  If it already exists and
points to the wrong place, return an error.

Also add a bool to the return value of AddLinkedProtector() so that
callers can check whether the link was newly created or not.





When adding a protector to a policy, don't unconditionally overwrite the
protector link, because it may already exist.  Instead, if it already
exists and points to the mount, just use it.  If it already exists and
points to the wrong place, return an error.

Also add a bool to the return value of AddLinkedProtector() so that
callers can check whether the link was newly created or not.







filesystem: handle bind mounts properly
2019-10-30T16:21:59+00:00

Eric Biggers
ebiggers@google.com

2019-10-29T07:33:54+00:00

dbafdbaa9b0767f71affaf15fb8c626f64e27122

Currently, fscrypt treats bind mounts as separate filesystems.  This is
broken because fscrypt will look for a directory's encryption policy in
different places depending on which mount it's accessed through.  This
forces users to create an fscrypt metadata directory at every bind
mount, and to copy fscrypt metadata around between mounts.

Fix this by storing fscrypt metadata only at the root of the filesystem.

To accomplish this:

- Make mountsByDevice store only a single Mount per filesystem, rather
  than multiple.  For this Mount, choose a mount of the full filesystem
  if available, preferably a read-write mount.  If the filesystem has
  only bind mounts, store a nil entry in mountsByDevice so we can show a
  proper error message later.

- Change FindMount() and GetMount() to look up the Mount by device
  number rather than by path, so that they don't return different Mounts
  depending on which path is used.

- Change AllFilesystems() to not return bind mounts.

- Due to the above changes, the mountsByPath map is no longer needed
  outside of loadMountInfo().  So make it a local variable there.

Resolves https://github.com/google/fscrypt/issues/59





Currently, fscrypt treats bind mounts as separate filesystems.  This is
broken because fscrypt will look for a directory's encryption policy in
different places depending on which mount it's accessed through.  This
forces users to create an fscrypt metadata directory at every bind
mount, and to copy fscrypt metadata around between mounts.

Fix this by storing fscrypt metadata only at the root of the filesystem.

To accomplish this:

- Make mountsByDevice store only a single Mount per filesystem, rather
  than multiple.  For this Mount, choose a mount of the full filesystem
  if available, preferably a read-write mount.  If the filesystem has
  only bind mounts, store a nil entry in mountsByDevice so we can show a
  proper error message later.

- Change FindMount() and GetMount() to look up the Mount by device
  number rather than by path, so that they don't return different Mounts
  depending on which path is used.

- Change AllFilesystems() to not return bind mounts.

- Due to the above changes, the mountsByPath map is no longer needed
  outside of loadMountInfo().  So make it a local variable there.

Resolves https://github.com/google/fscrypt/issues/59