fscrypt.git/filesystem, branch v0.2.6 Go tool for managing Linux filesystem encryption filesystem: don't overwrite existing protector links 2020-01-28T18:45:52+00:00 Eric Biggers ebiggers@google.com 2020-01-28T04:16:35+00:00 07d744068d437b09d7a07975e88e18440f5db2f3 When adding a protector to a policy, don't unconditionally overwrite the protector link, because it may already exist. Instead, if it already exists and points to the mount, just use it. If it already exists and points to the wrong place, return an error. Also add a bool to the return value of AddLinkedProtector() so that callers can check whether the link was newly created or not. 
When adding a protector to a policy, don't unconditionally overwrite the
protector link, because it may already exist.  Instead, if it already
exists and points to the mount, just use it.  If it already exists and
points to the wrong place, return an error.

Also add a bool to the return value of AddLinkedProtector() so that
callers can check whether the link was newly created or not.
filesystem: remove canonicalizePath() (#185) 2020-01-23T21:41:42+00:00 ebiggers ebiggers@google.com 2020-01-23T21:41:42+00:00 f2eb79fb5fb10275c014b55c13e28ff02d3b70a8 canonicalizePath() is now only used by an error path in getMountFromLink(), which we can make use getDeviceName() instead. 
canonicalizePath() is now only used by an error path in
getMountFromLink(), which we can make use getDeviceName() instead.
 Allow filesystem links to contain leading/trailing whitespace 2019-11-27T19:07:38+00:00 Eric Biggers ebiggers@google.com 2019-11-27T19:07:38+00:00 2a45549820a4e364d000ac62362d2feafbb0b3c1 To make manually editing linked protectors slightly more user-friendly, automatically strip any leading or trailing whitespace. E.g. treat "UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb\n" the same as "UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb". Update https://github.com/google/fscrypt/issues/115 
To make manually editing linked protectors slightly more user-friendly,
automatically strip any leading or trailing whitespace.  E.g. treat
"UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb\n" the same as
"UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb".

Update https://github.com/google/fscrypt/issues/115
filesystem: add unit tests for loadMountInfo() 2019-10-30T16:25:38+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:33:54+00:00 e71c5e4f70632b99a08d127b35e80a9e291e1938 Add a version of loadMountInfo() that takes an io.Reader parameter to allow injecting a custom mountinfo file, then add some unit tests. 
Add a version of loadMountInfo() that takes an io.Reader parameter to
allow injecting a custom mountinfo file, then add some unit tests.
filesystem: handle bind mounts properly 2019-10-30T16:21:59+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:33:54+00:00 dbafdbaa9b0767f71affaf15fb8c626f64e27122 Currently, fscrypt treats bind mounts as separate filesystems. This is broken because fscrypt will look for a directory's encryption policy in different places depending on which mount it's accessed through. This forces users to create an fscrypt metadata directory at every bind mount, and to copy fscrypt metadata around between mounts. Fix this by storing fscrypt metadata only at the root of the filesystem. To accomplish this: - Make mountsByDevice store only a single Mount per filesystem, rather than multiple. For this Mount, choose a mount of the full filesystem if available, preferably a read-write mount. If the filesystem has only bind mounts, store a nil entry in mountsByDevice so we can show a proper error message later. - Change FindMount() and GetMount() to look up the Mount by device number rather than by path, so that they don't return different Mounts depending on which path is used. - Change AllFilesystems() to not return bind mounts. - Due to the above changes, the mountsByPath map is no longer needed outside of loadMountInfo(). So make it a local variable there. Resolves https://github.com/google/fscrypt/issues/59 
Currently, fscrypt treats bind mounts as separate filesystems.  This is
broken because fscrypt will look for a directory's encryption policy in
different places depending on which mount it's accessed through.  This
forces users to create an fscrypt metadata directory at every bind
mount, and to copy fscrypt metadata around between mounts.

Fix this by storing fscrypt metadata only at the root of the filesystem.

To accomplish this:

- Make mountsByDevice store only a single Mount per filesystem, rather
  than multiple.  For this Mount, choose a mount of the full filesystem
  if available, preferably a read-write mount.  If the filesystem has
  only bind mounts, store a nil entry in mountsByDevice so we can show a
  proper error message later.

- Change FindMount() and GetMount() to look up the Mount by device
  number rather than by path, so that they don't return different Mounts
  depending on which path is used.

- Change AllFilesystems() to not return bind mounts.

- Due to the above changes, the mountsByPath map is no longer needed
  outside of loadMountInfo().  So make it a local variable there.

Resolves https://github.com/google/fscrypt/issues/59
filesystem: make link handling more robust 2019-10-30T16:11:29+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:04:39+00:00 fe58e7236a3285e172733aeab0b136bec968ac4d The previous patch fixed making linked protectors to /dev/root, by setting Mount.Device to the real device node rather than /dev/root. That's good, but it also hints that the linked protector handling is unnecessarily fragile, as it relies on the device node name matching exactly. The Linux kernel allows the same device to have multiple device nodes, and path comparisons are slow and error-prone in general. Change it to compare the device number instead. 
The previous patch fixed making linked protectors to /dev/root, by
setting Mount.Device to the real device node rather than /dev/root.

That's good, but it also hints that the linked protector handling is
unnecessarily fragile, as it relies on the device node name matching
exactly.  The Linux kernel allows the same device to have multiple
device nodes, and path comparisons are slow and error-prone in general.

Change it to compare the device number instead.
filesystem: get correct device for kernel-mounted rootfs 2019-10-30T16:11:29+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:04:39+00:00 c7da2443d6ffa51727db09f8ef1df6aea8c7612c A root filesystem mounted via the kernel command line always has a source of "/dev/root", which isn't a real device node. This makes fscrypt think this filesystem doesn't have a source device, which breaks creating login passphrase-protected directories on other filesystems: fscrypt encrypt: filesystem /: no device for mount "/": system error: cannot create filesystem link This also makes 'fscrypt status' show a blank source device: MOUNTPOINT DEVICE FILESYSTEM ENCRYPTION FSCRYPT / ext4 supported Yes To fix this case, update loadMountInfo() to map the device number to the device name via sysfs rather than use the mount source field. 
A root filesystem mounted via the kernel command line always has a
source of "/dev/root", which isn't a real device node.  This makes
fscrypt think this filesystem doesn't have a source device, which breaks
creating login passphrase-protected directories on other filesystems:

    fscrypt encrypt: filesystem /: no device for mount "/": system error: cannot create filesystem link

This also makes 'fscrypt status' show a blank source device:

    MOUNTPOINT  DEVICE          FILESYSTEM  ENCRYPTION     FSCRYPT
    /                           ext4        supported      Yes

To fix this case, update loadMountInfo() to map the device number to the
device name via sysfs rather than use the mount source field.
filesystem: add device number utilities 2019-10-30T16:11:29+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:04:39+00:00 d9d2b32f9fa9e39b154b71b2abc9eda43d5aaa3c Add a utility type and functions for handling device numbers. 
Add a utility type and functions for handling device numbers.
filesystem: skip unnecessary mountpoint canonicalization 2019-10-30T16:11:29+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:04:39+00:00 c7b963bfa76b9541e01493d21fef3e3596ef9904 The kernel always shows mountpoints as absolute paths without symlinks, so there's no need to canonicalize them in userspace. 
The kernel always shows mountpoints as absolute paths without symlinks,
so there's no need to canonicalize them in userspace.
filesystem: switch to using /proc/self/mountinfo 2019-10-30T16:11:29+00:00 Eric Biggers ebiggers@google.com 2019-10-29T07:04:39+00:00 4eb1ea869703873f6f4192dcec5262f33a497fcb Change loadMountInfo() to load the mounts directly from /proc/self/mountinfo, rather than use the mntent.h C library calls. This is needed for correct handling of bind mounts and of "/dev/root", since /proc/self/mountinfo has extra fields which show the mounted subtree and the filesystem's device number. /proc/mounts lacks these fields, and the C library calls can't provide them. To start, this patch just switches to using /proc/self/mountinfo, without doing anything with the extra fields yet. As a bonus, this eliminates all C code in mountpoint.go. 
Change loadMountInfo() to load the mounts directly from
/proc/self/mountinfo, rather than use the mntent.h C library calls.

This is needed for correct handling of bind mounts and of "/dev/root",
since /proc/self/mountinfo has extra fields which show the mounted
subtree and the filesystem's device number.  /proc/mounts lacks these
fields, and the C library calls can't provide them.

To start, this patch just switches to using /proc/self/mountinfo,
without doing anything with the extra fields yet.

As a bonus, this eliminates all C code in mountpoint.go.