fscrypt.git/filesystem, branch sshd-bug-workaround Go tool for managing Linux filesystem encryption filesystem: avoid accessing irrelevant filesystems 2021-12-20T16:24:15+00:00 Eric Biggers ebiggers@google.com 2021-12-20T04:17:20+00:00 d0b9e2c995beb13c70a1549923df482ff773f09b Forbid 'fscrypt setup' on filesystems that aren't expected to support encryption (other than the root filesystem), and skip looking for fscrypt metadata directories on such filesystems. This has two benefits. First, it avoids the printing of annoying warnings like: pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied Second, it avoids long delays or side effects on some filesystems. To do this, introduce an allowlist of filesystem types that fscrypt will recognize. I wanted to avoid doing this, since this list will need to be updated in the future, but I don't see a better solution. 
Forbid 'fscrypt setup' on filesystems that aren't expected to support
encryption (other than the root filesystem), and skip looking for
fscrypt metadata directories on such filesystems.  This has two
benefits.  First, it avoids the printing of annoying warnings like:

	pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
	pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied
	pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied

Second, it avoids long delays or side effects on some filesystems.

To do this, introduce an allowlist of filesystem types that fscrypt will
recognize.  I wanted to avoid doing this, since this list will need to
be updated in the future, but I don't see a better solution.
Set owner of login protectors to correct user 2021-12-20T03:44:59+00:00 Eric Biggers ebiggers@google.com 2021-12-20T03:19:25+00:00 4c7c6631cc5a27cc6b4431f5ad3805a2d624c5f5 When the root user creates a login protector for a non-root user, make sure to chown() the protector file to make it owned by the user. Without this, the protector cannot be updated by the user, which causes it to get out of sync if the user changes their login passphrase. Fixes https://github.com/google/fscrypt/issues/319 
When the root user creates a login protector for a non-root user, make
sure to chown() the protector file to make it owned by the user.
Without this, the protector cannot be updated by the user, which causes
it to get out of sync if the user changes their login passphrase.

Fixes https://github.com/google/fscrypt/issues/319
filesystem: skip TestHaveReadAccessTo() when running as root 2021-05-12T21:43:41+00:00 Eric Biggers ebiggers@google.com 2021-05-12T20:28:30+00:00 e479779a7f39e66d3f76673f18308906e817be02 Root can read all files, so this test fails when running as root. Skip it instead. Resolves https://github.com/google/fscrypt/issues/288 
Root can read all files, so this test fails when running as root.
Skip it instead.

Resolves https://github.com/google/fscrypt/issues/288
filesystem: improve errors 2020-05-09T22:21:31+00:00 Eric Biggers ebiggers@google.com 2020-05-09T21:52:07+00:00 66fb4c557644ba2c37951a7568c06c47a6c718a7 Introduce filesystem.ErrEncryptionNotEnabled and filesystem.ErrEncryptionNotSupported which include the Mount as context, and translate the corresponding metadata/ errors into them. Then make these errors show much better suggestions. Also replace lots of other filesystem/ errors with either custom types or with unnamed one-off errors that include more context. Fix backwards wrapping in lots of cases. Finally, don't include the mountpoint in places where it's not useful, like OS-level errors that already include the path. 
Introduce filesystem.ErrEncryptionNotEnabled and
filesystem.ErrEncryptionNotSupported which include the Mount as context,
and translate the corresponding metadata/ errors into them.  Then make
these errors show much better suggestions.

Also replace lots of other filesystem/ errors with either custom types
or with unnamed one-off errors that include more context.  Fix backwards
wrapping in lots of cases.

Finally, don't include the mountpoint in places where it's not useful,
like OS-level errors that already include the path.
actions/policy: improve errors 2020-05-09T22:21:31+00:00 Eric Biggers ebiggers@google.com 2020-05-09T21:52:07+00:00 209a2d1419ea575fd316bd9975fb63e40cce7a77 ErrMissingPolicyMetadata: Include the mount, directory path, and metadata path. Also move the explanation into actions/ since it doesn't refer to any CLI command. ErrPolicyMetadataMismatch: Include a lot more information. Also start checking for consistency of the policy key descriptors, not just the encryption options. Add a test for this. ErrDifferentFilesystem: Include the mountpoints. ErrOnlyProtector: Clarify the message and include the protector descriptor. ErrAlreadyProtected: ErrNotProtected: Include the policy and protector descriptors. ErrAccessDeniedPossiblyV2: Make it slightly clearer what failed. Also move the explanation into actions/ since it doesn't refer to any CLI command. 
ErrMissingPolicyMetadata:
	Include the mount, directory path, and metadata path.  Also move
	the explanation into actions/ since it doesn't refer to any CLI
	command.

ErrPolicyMetadataMismatch:
	Include a lot more information.  Also start checking for
	consistency of the policy key descriptors, not just the
	encryption options.  Add a test for this.

ErrDifferentFilesystem:
	Include the mountpoints.

ErrOnlyProtector:
	Clarify the message and include the protector descriptor.

ErrAlreadyProtected:
ErrNotProtected:
	Include the policy and protector descriptors.

ErrAccessDeniedPossiblyV2:
	Make it slightly clearer what failed.  Also move the explanation
	into actions/ since it doesn't refer to any CLI command.
cmd/fscrypt: add FSCRYPT_CONSISTENT_OUTPUT environmental variable 2020-05-09T21:04:47+00:00 Eric Biggers ebiggers@google.com 2020-05-09T21:04:47+00:00 5716215ceae3ab8b49a7b2ba410cb51a82c3176b Allow setting FSCRYPT_CONSISTENT_OUTPUT=1 in the environment to cause policies and protectors to sorted by last modification time. The CLI tests need this to make the output of 'fscrypt' ordered in a consistent way with regard to the operations performed. 
Allow setting FSCRYPT_CONSISTENT_OUTPUT=1 in the environment to cause
policies and protectors to sorted by last modification time.  The CLI
tests need this to make the output of 'fscrypt' ordered in a consistent
way with regard to the operations performed.
Allow fscrypt to work in containers (#213) 2020-04-17T03:43:48+00:00 Eric Biggers ebiggers@google.com 2020-04-17T03:43:48+00:00 fe860934c793276100b7a60ebbb9325a2cfd910d Update the /proc/self/mountinfo parsing code to allow selecting a Mount with Subtree != "/", i.e. a Mount not of the full filesystem. This is needed to allow fscrypt to work in containers, where the root of the filesystem may not be mounted. See findMainMount() for details about the algorithm used. Resolves https://github.com/google/fscrypt/issues/211 
Update the /proc/self/mountinfo parsing code to allow selecting a Mount
with Subtree != "/", i.e. a Mount not of the full filesystem.  This is
needed to allow fscrypt to work in containers, where the root of the
filesystem may not be mounted.

See findMainMount() for details about the algorithm used.

Resolves https://github.com/google/fscrypt/issues/211
 Improve error message when unlocking v2 policy is unsupported 2020-03-23T20:20:27+00:00 Eric Biggers ebiggers@google.com 2020-03-18T04:10:58+00:00 8d71383bc08478313c221c8ab20e8902de1bb28b If trying to unlock a v2-encrypted directory fails because the kernel lacks support for v2 policies, show a better error message. This can happen if someone downgrades their kernel or tries to access encrypted directories on removable storage from a computer with an older kernel. Detecting this case is difficult since all we have to go with is EACCES when opening the directory. Implement a heuristic where if get EACCES, we actually have read access to the directory, and the kernel doesn't support v2 policies, we show the improved error message. Before: # fscrypt unlock dir [ERROR] fscrypt unlock: open dir: permission denied After: # fscrypt unlock dir [ERROR] fscrypt unlock: open dir: permission denied This may be caused by the directory using a v2 encryption policy and the current kernel not supporting it. If indeed the case, then this directory can only be used on kernel v5.4 and later. You can create directories accessible on older kernels by changing policy_version to 1 in /etc/fscrypt.conf. 
If trying to unlock a v2-encrypted directory fails because the kernel
lacks support for v2 policies, show a better error message.  This can
happen if someone downgrades their kernel or tries to access encrypted
directories on removable storage from a computer with an older kernel.

Detecting this case is difficult since all we have to go with is EACCES
when opening the directory.  Implement a heuristic where if get EACCES,
we actually have read access to the directory, and the kernel doesn't
support v2 policies, we show the improved error message.

Before:

  # fscrypt unlock dir
  [ERROR] fscrypt unlock: open dir: permission denied

After:

  # fscrypt unlock dir
  [ERROR] fscrypt unlock: open dir: permission denied

  This may be caused by the directory using a v2 encryption policy and
  the current kernel not supporting it. If indeed the case, then this
  directory can only be used on kernel v5.4 and later. You can create
  directories accessible on older kernels by changing policy_version to
  1 in /etc/fscrypt.conf.
filesystem: don't overwrite existing protector links 2020-01-28T18:45:52+00:00 Eric Biggers ebiggers@google.com 2020-01-28T04:16:35+00:00 07d744068d437b09d7a07975e88e18440f5db2f3 When adding a protector to a policy, don't unconditionally overwrite the protector link, because it may already exist. Instead, if it already exists and points to the mount, just use it. If it already exists and points to the wrong place, return an error. Also add a bool to the return value of AddLinkedProtector() so that callers can check whether the link was newly created or not. 
When adding a protector to a policy, don't unconditionally overwrite the
protector link, because it may already exist.  Instead, if it already
exists and points to the mount, just use it.  If it already exists and
points to the wrong place, return an error.

Also add a bool to the return value of AddLinkedProtector() so that
callers can check whether the link was newly created or not.
filesystem: remove canonicalizePath() (#185) 2020-01-23T21:41:42+00:00 ebiggers ebiggers@google.com 2020-01-23T21:41:42+00:00 f2eb79fb5fb10275c014b55c13e28ff02d3b70a8 canonicalizePath() is now only used by an error path in getMountFromLink(), which we can make use getDeviceName() instead. 
canonicalizePath() is now only used by an error path in
getMountFromLink(), which we can make use getDeviceName() instead.