fscrypt.git/filesystem/mountpoint.go, branch v0.3.2 Go tool for managing Linux filesystem encryption filesystem: fall back to path-only links if UUID cannot be determined 2022-01-27T07:22:55+00:00 Eric Biggers ebiggers@google.com 2022-01-19T07:43:35+00:00 c2fb96c60d7678110bca14ff0a213243bd97cb08 This is needed to allow creating protector links to btrfs filesystems. Update https://github.com/google/fscrypt/issues/339 
This is needed to allow creating protector links to btrfs filesystems.

Update https://github.com/google/fscrypt/issues/339
filesystem: make FindMount() fall back to search by path 2022-01-27T07:22:55+00:00 Eric Biggers ebiggers@google.com 2022-01-19T07:43:35+00:00 51c421d91172e87df30bd344b3fd3142bc388718 This is needed to make FindMount() work on btrfs filesystems. Update https://github.com/google/fscrypt/issues/339 
This is needed to make FindMount() work on btrfs filesystems.

Update https://github.com/google/fscrypt/issues/339
filesystem: add back the mountsByPath map 2022-01-19T19:12:37+00:00 Eric Biggers ebiggers@google.com 2022-01-19T07:43:35+00:00 bf17c3e80daa975ac15d6146964ca294327d8fd9 Add back the mountsByPath map, which indexes all Mounts by mountpoint. This is needed again. To avoid confusion, also rename two local variables named mountsByPath. mountsByPath won't contain nil entries, so also make AllFilesystems() use it instead of mountsByDevice. This shouldn't change its behavior. Update https://github.com/google/fscrypt/issues/339 
Add back the mountsByPath map, which indexes all Mounts by mountpoint.
This is needed again.

To avoid confusion, also rename two local variables named mountsByPath.

mountsByPath won't contain nil entries, so also make AllFilesystems()
use it instead of mountsByDevice.  This shouldn't change its behavior.

Update https://github.com/google/fscrypt/issues/339
filesystem: store mountpoint in link files as a fallback 2021-12-23T04:46:16+00:00 Eric Biggers ebiggers@google.com 2021-12-23T04:46:16+00:00 5ae7da4ee6582099de5d1b14733f8d58f4dc2816 Currently, linked protectors use filesystem link files of the form "UUID=<uuid>". These links get broken if the filesystem's UUID changes, e.g. due to the filesystem being re-created even if the ".fscrypt" directory is backed up and restored. To prevent links from being broken (in most cases), start storing the mountpoint path in the link files too, in the form "UUID=<uuid>\nPATH=<path>\n". When following a link, try the UUID first, and if it doesn't work try the PATH. While it's possible that the path changed too, for login protectors (the usual use case of linked protectors) this won't be an issue as the path will always be "/". An alternative solution would be to fall back to scanning all filesystems for the needed protector descriptor. I decided not to do that, since relying on a global scan doesn't seem to be a good design. It wouldn't scale to large numbers of filesystems, it could cross security boundaries, and it would make it possible for adding a new filesystem to break fscrypt on existing filesystems. And if a global scan was an acceptable way to find protectors during normal use, then there would be no need for link files in the first place. Note: this change is backwards compatible (i.e., fscrypt will continue to recognize old link files) but not forwards-compatible (i.e., previous versions of fscrypt won't recognize new link files). Fixes https://github.com/google/fscrypt/issues/311 
Currently, linked protectors use filesystem link files of the form
"UUID=<uuid>".  These links get broken if the filesystem's UUID changes,
e.g. due to the filesystem being re-created even if the ".fscrypt"
directory is backed up and restored.

To prevent links from being broken (in most cases), start storing the
mountpoint path in the link files too, in the form
"UUID=<uuid>\nPATH=<path>\n".  When following a link, try the UUID
first, and if it doesn't work try the PATH.  While it's possible that
the path changed too, for login protectors (the usual use case of linked
protectors) this won't be an issue as the path will always be "/".

An alternative solution would be to fall back to scanning all
filesystems for the needed protector descriptor.  I decided not to do
that, since relying on a global scan doesn't seem to be a good design.
It wouldn't scale to large numbers of filesystems, it could cross
security boundaries, and it would make it possible for adding a new
filesystem to break fscrypt on existing filesystems.  And if a global
scan was an acceptable way to find protectors during normal use, then
there would be no need for link files in the first place.

Note: this change is backwards compatible (i.e., fscrypt will continue
to recognize old link files) but not forwards-compatible (i.e., previous
versions of fscrypt won't recognize new link files).

Fixes https://github.com/google/fscrypt/issues/311
filesystem: improve errors 2020-05-09T22:21:31+00:00 Eric Biggers ebiggers@google.com 2020-05-09T21:52:07+00:00 66fb4c557644ba2c37951a7568c06c47a6c718a7 Introduce filesystem.ErrEncryptionNotEnabled and filesystem.ErrEncryptionNotSupported which include the Mount as context, and translate the corresponding metadata/ errors into them. Then make these errors show much better suggestions. Also replace lots of other filesystem/ errors with either custom types or with unnamed one-off errors that include more context. Fix backwards wrapping in lots of cases. Finally, don't include the mountpoint in places where it's not useful, like OS-level errors that already include the path. 
Introduce filesystem.ErrEncryptionNotEnabled and
filesystem.ErrEncryptionNotSupported which include the Mount as context,
and translate the corresponding metadata/ errors into them.  Then make
these errors show much better suggestions.

Also replace lots of other filesystem/ errors with either custom types
or with unnamed one-off errors that include more context.  Fix backwards
wrapping in lots of cases.

Finally, don't include the mountpoint in places where it's not useful,
like OS-level errors that already include the path.
Allow fscrypt to work in containers (#213) 2020-04-17T03:43:48+00:00 Eric Biggers ebiggers@google.com 2020-04-17T03:43:48+00:00 fe860934c793276100b7a60ebbb9325a2cfd910d Update the /proc/self/mountinfo parsing code to allow selecting a Mount with Subtree != "/", i.e. a Mount not of the full filesystem. This is needed to allow fscrypt to work in containers, where the root of the filesystem may not be mounted. See findMainMount() for details about the algorithm used. Resolves https://github.com/google/fscrypt/issues/211 
Update the /proc/self/mountinfo parsing code to allow selecting a Mount
with Subtree != "/", i.e. a Mount not of the full filesystem.  This is
needed to allow fscrypt to work in containers, where the root of the
filesystem may not be mounted.

See findMainMount() for details about the algorithm used.

Resolves https://github.com/google/fscrypt/issues/211
 filesystem: remove canonicalizePath() (#185) 2020-01-23T21:41:42+00:00 ebiggers ebiggers@google.com 2020-01-23T21:41:42+00:00 f2eb79fb5fb10275c014b55c13e28ff02d3b70a8 canonicalizePath() is now only used by an error path in getMountFromLink(), which we can make use getDeviceName() instead. 
canonicalizePath() is now only used by an error path in
getMountFromLink(), which we can make use getDeviceName() instead.
 Allow filesystem links to contain leading/trailing whitespace 2019-11-27T19:07:38+00:00 Eric Biggers ebiggers@google.com 2019-11-27T19:07:38+00:00 2a45549820a4e364d000ac62362d2feafbb0b3c1 To make manually editing linked protectors slightly more user-friendly, automatically strip any leading or trailing whitespace. E.g. treat "UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb\n" the same as "UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb". Update https://github.com/google/fscrypt/issues/115 
To make manually editing linked protectors slightly more user-friendly,
automatically strip any leading or trailing whitespace.  E.g. treat
"UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb\n" the same as
"UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb".

Update https://github.com/google/fscrypt/issues/115
filesystem: add unit tests for loadMountInfo() 2019-10-30T16:25:38+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:33:54+00:00 e71c5e4f70632b99a08d127b35e80a9e291e1938 Add a version of loadMountInfo() that takes an io.Reader parameter to allow injecting a custom mountinfo file, then add some unit tests. 
Add a version of loadMountInfo() that takes an io.Reader parameter to
allow injecting a custom mountinfo file, then add some unit tests.
filesystem: handle bind mounts properly 2019-10-30T16:21:59+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:33:54+00:00 dbafdbaa9b0767f71affaf15fb8c626f64e27122 Currently, fscrypt treats bind mounts as separate filesystems. This is broken because fscrypt will look for a directory's encryption policy in different places depending on which mount it's accessed through. This forces users to create an fscrypt metadata directory at every bind mount, and to copy fscrypt metadata around between mounts. Fix this by storing fscrypt metadata only at the root of the filesystem. To accomplish this: - Make mountsByDevice store only a single Mount per filesystem, rather than multiple. For this Mount, choose a mount of the full filesystem if available, preferably a read-write mount. If the filesystem has only bind mounts, store a nil entry in mountsByDevice so we can show a proper error message later. - Change FindMount() and GetMount() to look up the Mount by device number rather than by path, so that they don't return different Mounts depending on which path is used. - Change AllFilesystems() to not return bind mounts. - Due to the above changes, the mountsByPath map is no longer needed outside of loadMountInfo(). So make it a local variable there. Resolves https://github.com/google/fscrypt/issues/59 
Currently, fscrypt treats bind mounts as separate filesystems.  This is
broken because fscrypt will look for a directory's encryption policy in
different places depending on which mount it's accessed through.  This
forces users to create an fscrypt metadata directory at every bind
mount, and to copy fscrypt metadata around between mounts.

Fix this by storing fscrypt metadata only at the root of the filesystem.

To accomplish this:

- Make mountsByDevice store only a single Mount per filesystem, rather
  than multiple.  For this Mount, choose a mount of the full filesystem
  if available, preferably a read-write mount.  If the filesystem has
  only bind mounts, store a nil entry in mountsByDevice so we can show a
  proper error message later.

- Change FindMount() and GetMount() to look up the Mount by device
  number rather than by path, so that they don't return different Mounts
  depending on which path is used.

- Change AllFilesystems() to not return bind mounts.

- Due to the above changes, the mountsByPath map is no longer needed
  outside of loadMountInfo().  So make it a local variable there.

Resolves https://github.com/google/fscrypt/issues/59