fscrypt.git/filesystem, branch v0.3.5 Go tool for managing Linux filesystem encryption mountpoint_test: skip TestLoadSourceDevice if loop0 doesn't exist 2023-09-09T18:30:45+00:00 Eric Biggers ebiggers@google.com 2023-09-09T18:30:45+00:00 b928729b995fbbc007e47ec39a111ef059fcb29c Probably resolves https://github.com/google/fscrypt/issues/382 
Probably resolves https://github.com/google/fscrypt/issues/382
Re-run 'make format' with latest version of gofmt 2023-09-09T18:30:45+00:00 Eric Biggers ebiggers@google.com 2023-09-09T18:30:45+00:00 e663a3ee2287be77dcd44631b29147a1eddcb4f0 






Adjust nested lists to prevent gofmt from flattening them
2023-09-09T18:30:45+00:00

Eric Biggers
ebiggers@google.com

2023-09-09T18:30:45+00:00

c999f0b04c526a85d061a7461c0e4211e94f9fb7

The latest version of gofmt flattens the nested lists in comments in
crypto.go and filesystem.go.  According to
https://go.dev/doc/comment#mistakes, "Go doc comments do not support
nested lists".  However, that page also mentions that a workaround is to
use different list markers for each level.  Do that.





The latest version of gofmt flattens the nested lists in comments in
crypto.go and filesystem.go.  According to
https://go.dev/doc/comment#mistakes, "Go doc comments do not support
nested lists".  However, that page also mentions that a workaround is to
use different list markers for each level.  Do that.







Stop using deprecated package io/ioutil
2022-12-04T22:07:39+00:00

Eric Biggers
ebiggers@google.com

2022-12-04T21:27:43+00:00

02875cef9010633b6689cfd1e2ceec9107b756b4

Since Go 1.16 (which recently became the minimum supported Go version
for this project), the package io/ioutil is deprecated in favor of
equivalent functionality in the io and os packages.  staticcheck warns
about this.  Address all the warnings by switching to the non-deprecated
replacement functions.





Since Go 1.16 (which recently became the minimum supported Go version
for this project), the package io/ioutil is deprecated in favor of
equivalent functionality in the io and os packages.  staticcheck warns
about this.  Address all the warnings by switching to the non-deprecated
replacement functions.







Merge pull request #354 from google/staticcheck-fix
2022-04-09T08:44:51+00:00

Joseph Richey
joerichey@google.com

2022-04-09T08:44:51+00:00

53dc5f37339f40e78cd0e91b358322cc9e589185

Upgrade dependencies to latest version




Upgrade dependencies to latest version






Switch to google.golang.org/protobuf/proto
2022-04-09T06:38:01+00:00

Eric Biggers
ebiggers@google.com

2022-04-09T06:16:59+00:00

ca7a84b8aea203025acbda193f78ea98946236b5

github.com/golang/protobuf/proto has been deprecated in favor of
google.golang.org/protobuf/proto, so migrate to the non-deprecated one.





github.com/golang/protobuf/proto has been deprecated in favor of
google.golang.org/protobuf/proto, so migrate to the non-deprecated one.







Add lustre to allowed filesystems and update documentation
2022-04-09T03:28:17+00:00

Eric Biggers
ebiggers@google.com

2022-04-09T03:08:42+00:00

8ac0e607c236e42df8943b9575da1579fe670b76












filesystem: create metadata files with mode 0600
2022-02-23T20:35:04+00:00

Eric Biggers
ebiggers@google.com

2022-02-23T20:35:04+00:00

06c989df4e31dd9f172f94fbd6243f49d4dd0b92

Currently, fscrypt policies and protectors are world readable, as they
are created with mode 0644.  While this can be nice for use cases where
users share these files, those use cases seem to be quite rare, and it's
not a great default security-wise since it exposes password hashes to
all users.  While fscrypt uses a very strong password hash algorithm, it
would still be best to follow the lead of /etc/shadow and keep this
information non-world-readable.

Therefore, start creating these files with mode 0600.

Of course, if users do actually want to share these files, they have the
option of simply chmod'ing them to a less restrictive mode.  An option
could also be added to make fscrypt use the old mode 0644; however, the
need for that is currently unclear.





Currently, fscrypt policies and protectors are world readable, as they
are created with mode 0644.  While this can be nice for use cases where
users share these files, those use cases seem to be quite rare, and it's
not a great default security-wise since it exposes password hashes to
all users.  While fscrypt uses a very strong password hash algorithm, it
would still be best to follow the lead of /etc/shadow and keep this
information non-world-readable.

Therefore, start creating these files with mode 0600.

Of course, if users do actually want to share these files, they have the
option of simply chmod'ing them to a less restrictive mode.  An option
could also be added to make fscrypt use the old mode 0644; however, the
need for that is currently unclear.







filesystem: preserve metadata file permissions on updates
2022-02-23T20:35:04+00:00

Eric Biggers
ebiggers@google.com

2022-02-23T20:35:04+00:00

312bc381a3751e397995eeb2e63e66856912fafb

Since fscrypt replaces metadata files rather than overwrites them (to
get atomicity), their owner will change to root if root makes a change.
That isn't too much of an issue when the files have mode 0644.  However,
it will become a much bigger issue when the files have mode 0600,
especially because existing files with mode 0644 would also get changed
to have mode 0600.

In preparation for this, start preserving the previous owner and mode of
policy and protector files when they are updated.





Since fscrypt replaces metadata files rather than overwrites them (to
get atomicity), their owner will change to root if root makes a change.
That isn't too much of an issue when the files have mode 0644.  However,
it will become a much bigger issue when the files have mode 0600,
especially because existing files with mode 0644 would also get changed
to have mode 0600.

In preparation for this, start preserving the previous owner and mode of
policy and protector files when they are updated.







Make all new metadata files owned by user when needed
2022-02-23T20:35:04+00:00

Eric Biggers
ebiggers@google.com

2022-02-23T20:35:04+00:00

d4ce0b892cbe68db9f90f4015342e6a9069b079c

Since commit 4c7c6631cc5a ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf.  That's good, but the same isn't true of other
files that get created at the same time:

- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file

In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.





Since commit 4c7c6631cc5a ("Set owner of login protectors to correct
user"), login protectors are made owned by the user when root creates
one on a user's behalf.  That's good, but the same isn't true of other
files that get created at the same time:

- The policy protecting the directory
- The protector link file, if the policy is on a different filesystem
- The recovery protector, if the policy is on a different filesystem
- The recovery instructions file

In preparation for setting all metadata files to mode 0600, start making
all these files owned by the user in this scenario as well.