fscrypt.git/keyring/fs_keyring.go, branch v0.3.6 Go tool for managing Linux filesystem encryption keyring: improve errors 2020-05-09T22:21:31+00:00 Eric Biggers ebiggers@google.com 2020-05-09T21:52:07+00:00 fb88d74f0335cdf8218bb8dfbaa03f23773318cf ErrAccessUserKeyring: Include the user, and fix the backwards wrapping. ErrSessionUserKeyring: Include the user. ErrKeyAdd: ErrKeyRemove: ErrKeySearch: ErrLinkUserKeyring: Replace these with one-off unnamed errors because they are never checked for, and this makes it easier for the callers to provide better messages, e.g. fixing the backwards wrapping. 
ErrAccessUserKeyring:
	Include the user, and fix the backwards wrapping.

ErrSessionUserKeyring:
	Include the user.

ErrKeyAdd:
ErrKeyRemove:
ErrKeySearch:
ErrLinkUserKeyring:
	Replace these with one-off unnamed errors because they are
	never checked for, and this makes it easier for the callers to
	provide better messages, e.g. fixing the backwards wrapping.
keyring: cast FS_IOC_REMOVE_ENCRYPTION_KEY to uintptr (#221) 2020-05-09T17:12:52+00:00 Filip Stanis fstanis@google.com 2020-05-05T01:48:26+00:00 c5764330ebc69f15b9bf13b94cfef45732864b5a Since v0.2.6, fscrypt only builds for 64-bit systems. E.g. trying to build on Raspbian fails with the following error: $ go get github.com/google/fscrypt/cmd/fscrypt # github.com/google/fscrypt/keyring go/src/github.com/google/fscrypt/keyring/fs_keyring.go:231:6: constant 3225445912 overflows int go/src/github.com/google/fscrypt/keyring/fs_keyring.go:235:7: constant 3225445913 overflows int Fix it by making the 'ioc' variable have type uintptr. [EB - removed the later cast to uintptr that became unnecessary, and added explanation to commit message.] 
Since v0.2.6, fscrypt only builds for 64-bit systems.  E.g. trying to
build on Raspbian fails with the following error:

  $ go get github.com/google/fscrypt/cmd/fscrypt
  # github.com/google/fscrypt/keyring
  go/src/github.com/google/fscrypt/keyring/fs_keyring.go:231:6: constant 3225445912 overflows int
  go/src/github.com/google/fscrypt/keyring/fs_keyring.go:235:7: constant 3225445913 overflows int

Fix it by making the 'ioc' variable have type uintptr.

[EB - removed the later cast to uintptr that became unnecessary, and
 added explanation to commit message.]
Improve error message when unlocking v2 policy is unsupported 2020-03-23T20:20:27+00:00 Eric Biggers ebiggers@google.com 2020-03-18T04:10:58+00:00 8d71383bc08478313c221c8ab20e8902de1bb28b If trying to unlock a v2-encrypted directory fails because the kernel lacks support for v2 policies, show a better error message. This can happen if someone downgrades their kernel or tries to access encrypted directories on removable storage from a computer with an older kernel. Detecting this case is difficult since all we have to go with is EACCES when opening the directory. Implement a heuristic where if get EACCES, we actually have read access to the directory, and the kernel doesn't support v2 policies, we show the improved error message. Before: # fscrypt unlock dir [ERROR] fscrypt unlock: open dir: permission denied After: # fscrypt unlock dir [ERROR] fscrypt unlock: open dir: permission denied This may be caused by the directory using a v2 encryption policy and the current kernel not supporting it. If indeed the case, then this directory can only be used on kernel v5.4 and later. You can create directories accessible on older kernels by changing policy_version to 1 in /etc/fscrypt.conf. 
If trying to unlock a v2-encrypted directory fails because the kernel
lacks support for v2 policies, show a better error message.  This can
happen if someone downgrades their kernel or tries to access encrypted
directories on removable storage from a computer with an older kernel.

Detecting this case is difficult since all we have to go with is EACCES
when opening the directory.  Implement a heuristic where if get EACCES,
we actually have read access to the directory, and the kernel doesn't
support v2 policies, we show the improved error message.

Before:

  # fscrypt unlock dir
  [ERROR] fscrypt unlock: open dir: permission denied

After:

  # fscrypt unlock dir
  [ERROR] fscrypt unlock: open dir: permission denied

  This may be caused by the directory using a v2 encryption policy and
  the current kernel not supporting it. If indeed the case, then this
  directory can only be used on kernel v5.4 and later. You can create
  directories accessible on older kernels by changing policy_version to
  1 in /etc/fscrypt.conf.
cmd/fscrypt, keyring: add --all-users option to 'fscrypt lock' 2020-01-05T18:02:13+00:00 Eric Biggers ebiggers@google.com 2019-12-16T03:31:39+00:00 068879664efd8a0f983cbc3e8115571047fe9edd Allow root to provide the --all-users option to 'fscrypt lock' to force an encryption key to be removed from the filesystem (i.e., force an encrypted directory to be locked), even if other users have added it. To implement this option, we just need to use the FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl rather than FS_IOC_REMOVE_ENCRYPTION_KEY. In theory this option could be implemented for the user keyrings case too, but it would be difficult and the user keyrings are being deprecated for fscrypt, so don't bother. 
Allow root to provide the --all-users option to 'fscrypt lock' to force
an encryption key to be removed from the filesystem (i.e., force an
encrypted directory to be locked), even if other users have added it.

To implement this option, we just need to use the
FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl rather than
FS_IOC_REMOVE_ENCRYPTION_KEY.

In theory this option could be implemented for the user keyrings case
too, but it would be difficult and the user keyrings are being
deprecated for fscrypt, so don't bother.
Keyring support for v2 encryption policies 2020-01-05T18:02:13+00:00 Eric Biggers ebiggers@google.com 2019-12-16T03:31:39+00:00 42e0dfe85ec7a75a2fa30c417d57eae60b5a881d Implement adding/removing v2 encryption policy keys to/from the kernel. The kernel requires that the new ioctls FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY be used for this. Root is not required. However, non-root support brings an extra complication: the kernel keeps track of which users have called FS_IOC_ADD_ENCRYPTION_KEY for the same key. FS_IOC_REMOVE_ENCRYPTION_KEY only works as one of these users, and it only removes the calling user's claim to the key; the key is only truly removed when the last claim is removed. Implement the following behavior: - 'fscrypt unlock' and pam_fscrypt add the key for the user, even if other user(s) have it added already. This behavior is needed so that another user can't remove the key out from under the user. - 'fscrypt lock' and pam_fscrypt remove the key for the user. However, if the key wasn't truly removed because other users still have it added, 'fscrypt lock' prints a warning. - 'fscrypt status' shows whether the directory is unlocked for anyone. 
Implement adding/removing v2 encryption policy keys to/from the kernel.
The kernel requires that the new ioctls FS_IOC_ADD_ENCRYPTION_KEY and
FS_IOC_REMOVE_ENCRYPTION_KEY be used for this.  Root is not required.

However, non-root support brings an extra complication: the kernel keeps
track of which users have called FS_IOC_ADD_ENCRYPTION_KEY for the same
key.  FS_IOC_REMOVE_ENCRYPTION_KEY only works as one of these users, and
it only removes the calling user's claim to the key; the key is only
truly removed when the last claim is removed.

Implement the following behavior:

- 'fscrypt unlock' and pam_fscrypt add the key for the user, even if
  other user(s) have it added already.  This behavior is needed so that
  another user can't remove the key out from under the user.

- 'fscrypt lock' and pam_fscrypt remove the key for the user.  However,
  if the key wasn't truly removed because other users still have it
  added, 'fscrypt lock' prints a warning.

- 'fscrypt status' shows whether the directory is unlocked for anyone.
keyring: support filesystem keyring with v1 encryption policies 2020-01-05T18:02:13+00:00 Eric Biggers ebiggers@google.com 2019-12-16T03:31:39+00:00 6ffc9457945a9484d2757cc4b01de35426502d0a Linux v5.4 and later allows fscrypt keys to be added/removed directly to/from the filesystem via the new ioctls FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY. Among other benefits, these fix the key visibility problems that many users have been running into, where system services and containers can't access encrypted files. Allow the user to opt-in to using these new ioctls for their existing encrypted directories by setting in their /etc/fscrypt.conf: "use_fs_keyring_for_v1_policies": true Note that it can't really be on by default, since for v1 policies the ioctls require root, whereas user keyrings don't. I.e., setting this to true means that users will need to use 'sudo fscrypt unlock', not 'fscrypt unlock'. v2 policies won't have this restriction. 
Linux v5.4 and later allows fscrypt keys to be added/removed directly
to/from the filesystem via the new ioctls FS_IOC_ADD_ENCRYPTION_KEY and
FS_IOC_REMOVE_ENCRYPTION_KEY.  Among other benefits, these fix the key
visibility problems that many users have been running into, where system
services and containers can't access encrypted files.

Allow the user to opt-in to using these new ioctls for their existing
encrypted directories by setting in their /etc/fscrypt.conf:

	"use_fs_keyring_for_v1_policies": true

Note that it can't really be on by default, since for v1 policies the
ioctls require root, whereas user keyrings don't.  I.e., setting this to
true means that users will need to use 'sudo fscrypt unlock', not
'fscrypt unlock'.  v2 policies won't have this restriction.