fscrypt.git/filesystem/mountpoint_test.go, branch v0.3.2 Go tool for managing Linux filesystem encryption filesystem: fall back to path-only links if UUID cannot be determined 2022-01-27T07:22:55+00:00 Eric Biggers ebiggers@google.com 2022-01-19T07:43:35+00:00 c2fb96c60d7678110bca14ff0a213243bd97cb08 This is needed to allow creating protector links to btrfs filesystems. Update https://github.com/google/fscrypt/issues/339 
This is needed to allow creating protector links to btrfs filesystems.

Update https://github.com/google/fscrypt/issues/339
filesystem: add back the mountsByPath map 2022-01-19T19:12:37+00:00 Eric Biggers ebiggers@google.com 2022-01-19T07:43:35+00:00 bf17c3e80daa975ac15d6146964ca294327d8fd9 Add back the mountsByPath map, which indexes all Mounts by mountpoint. This is needed again. To avoid confusion, also rename two local variables named mountsByPath. mountsByPath won't contain nil entries, so also make AllFilesystems() use it instead of mountsByDevice. This shouldn't change its behavior. Update https://github.com/google/fscrypt/issues/339 
Add back the mountsByPath map, which indexes all Mounts by mountpoint.
This is needed again.

To avoid confusion, also rename two local variables named mountsByPath.

mountsByPath won't contain nil entries, so also make AllFilesystems()
use it instead of mountsByDevice.  This shouldn't change its behavior.

Update https://github.com/google/fscrypt/issues/339
filesystem: store mountpoint in link files as a fallback 2021-12-23T04:46:16+00:00 Eric Biggers ebiggers@google.com 2021-12-23T04:46:16+00:00 5ae7da4ee6582099de5d1b14733f8d58f4dc2816 Currently, linked protectors use filesystem link files of the form "UUID=<uuid>". These links get broken if the filesystem's UUID changes, e.g. due to the filesystem being re-created even if the ".fscrypt" directory is backed up and restored. To prevent links from being broken (in most cases), start storing the mountpoint path in the link files too, in the form "UUID=<uuid>\nPATH=<path>\n". When following a link, try the UUID first, and if it doesn't work try the PATH. While it's possible that the path changed too, for login protectors (the usual use case of linked protectors) this won't be an issue as the path will always be "/". An alternative solution would be to fall back to scanning all filesystems for the needed protector descriptor. I decided not to do that, since relying on a global scan doesn't seem to be a good design. It wouldn't scale to large numbers of filesystems, it could cross security boundaries, and it would make it possible for adding a new filesystem to break fscrypt on existing filesystems. And if a global scan was an acceptable way to find protectors during normal use, then there would be no need for link files in the first place. Note: this change is backwards compatible (i.e., fscrypt will continue to recognize old link files) but not forwards-compatible (i.e., previous versions of fscrypt won't recognize new link files). Fixes https://github.com/google/fscrypt/issues/311 
Currently, linked protectors use filesystem link files of the form
"UUID=<uuid>".  These links get broken if the filesystem's UUID changes,
e.g. due to the filesystem being re-created even if the ".fscrypt"
directory is backed up and restored.

To prevent links from being broken (in most cases), start storing the
mountpoint path in the link files too, in the form
"UUID=<uuid>\nPATH=<path>\n".  When following a link, try the UUID
first, and if it doesn't work try the PATH.  While it's possible that
the path changed too, for login protectors (the usual use case of linked
protectors) this won't be an issue as the path will always be "/".

An alternative solution would be to fall back to scanning all
filesystems for the needed protector descriptor.  I decided not to do
that, since relying on a global scan doesn't seem to be a good design.
It wouldn't scale to large numbers of filesystems, it could cross
security boundaries, and it would make it possible for adding a new
filesystem to break fscrypt on existing filesystems.  And if a global
scan was an acceptable way to find protectors during normal use, then
there would be no need for link files in the first place.

Note: this change is backwards compatible (i.e., fscrypt will continue
to recognize old link files) but not forwards-compatible (i.e., previous
versions of fscrypt won't recognize new link files).

Fixes https://github.com/google/fscrypt/issues/311
Allow fscrypt to work in containers (#213) 2020-04-17T03:43:48+00:00 Eric Biggers ebiggers@google.com 2020-04-17T03:43:48+00:00 fe860934c793276100b7a60ebbb9325a2cfd910d Update the /proc/self/mountinfo parsing code to allow selecting a Mount with Subtree != "/", i.e. a Mount not of the full filesystem. This is needed to allow fscrypt to work in containers, where the root of the filesystem may not be mounted. See findMainMount() for details about the algorithm used. Resolves https://github.com/google/fscrypt/issues/211 
Update the /proc/self/mountinfo parsing code to allow selecting a Mount
with Subtree != "/", i.e. a Mount not of the full filesystem.  This is
needed to allow fscrypt to work in containers, where the root of the
filesystem may not be mounted.

See findMainMount() for details about the algorithm used.

Resolves https://github.com/google/fscrypt/issues/211
 Allow filesystem links to contain leading/trailing whitespace 2019-11-27T19:07:38+00:00 Eric Biggers ebiggers@google.com 2019-11-27T19:07:38+00:00 2a45549820a4e364d000ac62362d2feafbb0b3c1 To make manually editing linked protectors slightly more user-friendly, automatically strip any leading or trailing whitespace. E.g. treat "UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb\n" the same as "UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb". Update https://github.com/google/fscrypt/issues/115 
To make manually editing linked protectors slightly more user-friendly,
automatically strip any leading or trailing whitespace.  E.g. treat
"UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb\n" the same as
"UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb".

Update https://github.com/google/fscrypt/issues/115
filesystem: add unit tests for loadMountInfo() 2019-10-30T16:25:38+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:33:54+00:00 e71c5e4f70632b99a08d127b35e80a9e291e1938 Add a version of loadMountInfo() that takes an io.Reader parameter to allow injecting a custom mountinfo file, then add some unit tests. 
Add a version of loadMountInfo() that takes an io.Reader parameter to
allow injecting a custom mountinfo file, then add some unit tests.
Small fixes so "make lint" doesn't complain. 2017-07-18T06:16:00+00:00 Joe Richey joerichey@google.com joerichey@google.com 2017-07-18T06:16:00+00:00 744dbff34969ef612b219cde5b8f116f3ae3d26f 






Change error handling to new package
2017-06-28T21:06:52+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2017-06-21T16:52:40+00:00

77b226a90ef70b77ca556830528c013a23b01e57

This commit changes the error handing for the crypto, filesystem,
metadata, pam, and util packages to use the error handling library
github.com/pkg/errors. This means elimination of the FSError type, an
increased use of wrapping errors (as opposed to logging), switching
on the Cause() of an error (as opposed to its value), and improving our
integration tests involving TEST_FILESYSTEM_ROOT.

This commit also fixes a few bugs with the keyring code to ensure that
our {Find|Remove|Insert}PolicyKey functions are always operating on the
same keyring. The check for filesystem support has been moved from the
filesystem package to the metadata package. Finally, the API for the
filesystem package has been slightly modified:
	* filesystem.AllFilesystems() now returns all the filesystems in
	  sorted order
	* certain path methods are now public

O_SYNC is also removed for writing the metadata. We don't get that much
from syncing the metadata, as the actual file data could also be
corrupted by and IO error. The sync operation is also occasionally very
slow (~3 seconds) and can be unfriendly to battery life.

Change-Id: I392c2655141714b16dfdbc84ac09780072be2cf0





This commit changes the error handing for the crypto, filesystem,
metadata, pam, and util packages to use the error handling library
github.com/pkg/errors. This means elimination of the FSError type, an
increased use of wrapping errors (as opposed to logging), switching
on the Cause() of an error (as opposed to its value), and improving our
integration tests involving TEST_FILESYSTEM_ROOT.

This commit also fixes a few bugs with the keyring code to ensure that
our {Find|Remove|Insert}PolicyKey functions are always operating on the
same keyring. The check for filesystem support has been moved from the
filesystem package to the metadata package. Finally, the API for the
filesystem package has been slightly modified:
	* filesystem.AllFilesystems() now returns all the filesystems in
	  sorted order
	* certain path methods are now public

O_SYNC is also removed for writing the metadata. We don't get that much
from syncing the metadata, as the actual file data could also be
corrupted by and IO error. The sync operation is also occasionally very
slow (~3 seconds) and can be unfriendly to battery life.

Change-Id: I392c2655141714b16dfdbc84ac09780072be2cf0







filesystem: change support detection and bug-fixes
2017-06-16T05:32:35+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2017-06-01T00:52:15+00:00

67879f7a69e2040f2266d81ba239324534e24405

Instead of checking if the filesystem type is correct, we now detect if
a filesystem supports encryption by trying to read a policy on its root
directory. The error returned tells us if there is support or not.

This commit also fixes a bug in the use libblkid. Throughout all of
fscrypt, cannonicalizePath() is used before any path comparison or
lookup. However, the canonical device path in the blkid cache may differ
from our idea of a canonical path. Additional blkid functions are needed
to perform the necessary translation. This is noted in the documentation
of makeLink().

Finally, this commit makes a few API changes. AllSupporedFilesystems()
now returns an error, and a GetProtector() method now replaces the
GetLinkedProtector() and GetEitherProtector() methods. A PathSorter has
also been added so Mounts can be sorted in a reliable order.

Change-Id: I664f46fafd1483ebecb743c061b03d708b3233a4





Instead of checking if the filesystem type is correct, we now detect if
a filesystem supports encryption by trying to read a policy on its root
directory. The error returned tells us if there is support or not.

This commit also fixes a bug in the use libblkid. Throughout all of
fscrypt, cannonicalizePath() is used before any path comparison or
lookup. However, the canonical device path in the blkid cache may differ
from our idea of a canonical path. Additional blkid functions are needed
to perform the necessary translation. This is noted in the documentation
of makeLink().

Finally, this commit makes a few API changes. AllSupporedFilesystems()
now returns an error, and a GetProtector() method now replaces the
GetLinkedProtector() and GetEitherProtector() methods. A PathSorter has
also been added so Mounts can be sorted in a reliable order.

Change-Id: I664f46fafd1483ebecb743c061b03d708b3233a4







filesystem: creating the directories and files
2017-05-31T19:40:13+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2017-05-24T01:45:58+00:00

f4f4f606718497a2f660cdb737b812e035f55311

This commit adds in the filesystem subpackage. The goal of this package
is to provide and interface for adding to and removing from the metadata
storage for a given filesystem. This is primarily done in filesystem.go.
To facilitate this functionality, mountpoint.go exposes an interface for
querying the system about the current mounted filesystems and their
information. Note that this operation is done with a lazy loading
mechanism.

To refer to other filesystems, we use link files that can be parsed by
libblkid. The README is also updated to account for this new dependancy.

This package uses the FSError type under the hood so that error messages
will include the filesystem name, but callers can still check for
specific error instances.

Change-Id: I74fe4e84b8e3a5b73f1337c35307ffe0bf7cdea9





This commit adds in the filesystem subpackage. The goal of this package
is to provide and interface for adding to and removing from the metadata
storage for a given filesystem. This is primarily done in filesystem.go.
To facilitate this functionality, mountpoint.go exposes an interface for
querying the system about the current mounted filesystems and their
information. Note that this operation is done with a lazy loading
mechanism.

To refer to other filesystems, we use link files that can be parsed by
libblkid. The README is also updated to account for this new dependancy.

This package uses the FSError type under the hood so that error messages
will include the filesystem name, but callers can still check for
specific error instances.

Change-Id: I74fe4e84b8e3a5b73f1337c35307ffe0bf7cdea9