fscrypt.git/metadata/policy.go, branch v0.3.6 Go tool for managing Linux filesystem encryption Provide better error message when given a locked regular file 2023-12-12T03:33:48+00:00 Eric Biggers ebiggers@google.com 2023-12-09T22:36:03+00:00 a6c5029cd114cd27cc59024e968feb4765e5323d Since opening an encrypted regular file that is locked fails with ENOKEY, getting the encryption policy of such a file is not possible. As a result, 'fscrypt status' and 'fscrypt lock' fail on such files. Provide a better error message that tries to explain what is going on. Resolves https://github.com/google/fscrypt/issues/393 
Since opening an encrypted regular file that is locked fails with
ENOKEY, getting the encryption policy of such a file is not possible.
As a result, 'fscrypt status' and 'fscrypt lock' fail on such files.
Provide a better error message that tries to explain what is going on.

Resolves https://github.com/google/fscrypt/issues/393
fsync set policy ioctls 2022-08-23T16:35:43+00:00 Marcel Lauhoff marcel.lauhoff@suse.com 2022-08-12T12:45:29+00:00 75cf58070a87aecfdad295ee50d048603d1916ed Split policyIoctl into setPolicyIoctl and getPolicyIoctl. Add a os.Sync() call to setPolicyIoctl. Policy ioctls are not necessary durable on return. For example, on ext4 (ref: fs/ext4/crypto.c: ext4_set_context) they are not. This may lead to a filesystem containing fscrypt metadata (in .fscrypt), but without the policy applied on an encrypted directory. Example: Snapshotting a mounted ext4 filesystem on Ceph RBD right after setting the policy. While subject to timing, with high probability the snapshot will not have the policy set. Calling fsync fixes this. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com> 
Split policyIoctl into setPolicyIoctl and getPolicyIoctl. Add a
os.Sync() call to setPolicyIoctl.

Policy ioctls are not necessary durable on return. For example, on
ext4 (ref: fs/ext4/crypto.c: ext4_set_context) they are not. This may
lead to a filesystem containing fscrypt metadata (in .fscrypt), but
without the policy applied on an encrypted directory.

Example:
Snapshotting a mounted ext4 filesystem on Ceph RBD right after
setting the policy. While subject to timing, with high probability the
snapshot will not have the policy set. Calling fsync fixes this.

Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Avoid using the word "whitelist" 2021-01-25T19:38:55+00:00 Eric Biggers ebiggers@google.com 2021-01-25T19:12:01+00:00 634f57465048c698381513cdc2ee205d4f04e538 






metadata: improve errors
2020-05-09T22:21:31+00:00

Eric Biggers
ebiggers@google.com

2020-05-09T21:52:07+00:00

fbc161a77962fe64e3caad80efb535d28d8c1f74

ErrBadOwners:
	Rename to ErrDirectoryNotOwned for clarity, move it from
	cmd/fscrypt/ to metadata/ where it better belongs, and improve
	the message.

ErrEncrypted:
	Rename to ErrAlreadyEncrypted for clarity, and include the path.

ErrNotEncrypted:
	Include the path.

ErrBadEncryptionOptions:
	Include the path and bad options.

ErrEncryptionNotSupported:
ErrEncryptionNotEnabled:
	Don't wrap with "get encryption policy %s", in preparation for
	wrapping these with filesystem-level context instead.

Also avoid mixing together the error handling for the "get policy" and
"set policy" ioctls.  Make it very clear how we're handling the errors
from each ioctl.





ErrBadOwners:
	Rename to ErrDirectoryNotOwned for clarity, move it from
	cmd/fscrypt/ to metadata/ where it better belongs, and improve
	the message.

ErrEncrypted:
	Rename to ErrAlreadyEncrypted for clarity, and include the path.

ErrNotEncrypted:
	Include the path.

ErrBadEncryptionOptions:
	Include the path and bad options.

ErrEncryptionNotSupported:
ErrEncryptionNotEnabled:
	Don't wrap with "get encryption policy %s", in preparation for
	wrapping these with filesystem-level context instead.

Also avoid mixing together the error handling for the "get policy" and
"set policy" ioctls.  Make it very clear how we're handling the errors
from each ioctl.







Metadata support for v2 encryption policies
2020-01-05T18:02:13+00:00

Eric Biggers
ebiggers@google.com

2019-12-16T03:31:39+00:00

2b25de6d445faefc28629603dd754aec9f744e60

Linux v5.4 and later supports v2 encryption policies.  These have
several advantages over v1 encryption policies:

- Their encryption keys can be added/removed to/from the filesystem by
  non-root users, thus gaining the benefits of the filesystem keyring
  while also retaining support for non-root use.

- They use a more standard, secure, and flexible key derivation
  function.  Because of this, some future kernel-level fscrypt features
  will be implemented for v2 policies only.

- They prevent a denial-of-service attack where a user could associate
  the wrong key with another user's encrypted files.

Prepare the fscrypt tool to support v2 encryption policies by:

- Adding a policy_version field to the EncryptionOptions, i.e. to the
  config file and to the policy metadata files.

- Using the kernel-specified algorithm to compute the key descriptor for
  v2 policies.

- Handling setting and getting v2 policies.

Actually adding/removing the keys for v2 policies to/from the kernel is
left for the next patch.





Linux v5.4 and later supports v2 encryption policies.  These have
several advantages over v1 encryption policies:

- Their encryption keys can be added/removed to/from the filesystem by
  non-root users, thus gaining the benefits of the filesystem keyring
  while also retaining support for non-root use.

- They use a more standard, secure, and flexible key derivation
  function.  Because of this, some future kernel-level fscrypt features
  will be implemented for v2 policies only.

- They prevent a denial-of-service attack where a user could associate
  the wrong key with another user's encrypted files.

Prepare the fscrypt tool to support v2 encryption policies by:

- Adding a policy_version field to the EncryptionOptions, i.e. to the
  config file and to the policy metadata files.

- Using the kernel-specified algorithm to compute the key descriptor for
  v2 policies.

- Handling setting and getting v2 policies.

Actually adding/removing the keys for v2 policies to/from the kernel is
left for the next patch.







Use latest fscrypt declarations from sys/unix
2019-11-27T19:28:14+00:00

Eric Biggers
ebiggers@google.com

2019-11-27T19:28:14+00:00

82d01438a66212ce802721397a62c18a0b71b7ea

Use the new name for fscrypt constants and structures which have been
given a new name.

Also use the named constant for the DIRECT_KEY fscrypt policy flag.

No change in behavior.  This is just preparing for future work.





Use the new name for fscrypt constants and structures which have been
given a new name.

Also use the named constant for the DIRECT_KEY fscrypt policy flag.

No change in behavior.  This is just preparing for future work.







Add support for the Adiantum encryption mode
2019-01-15T02:43:25+00:00

Eric Biggers
ebiggers@google.com

2019-01-15T02:43:25+00:00

5f06ede200fb390aafb7831c8c944ddd677be023

Add Adiantum support to the fscrypt userspace tool.  Supported in the
kernel since v5.0-rc1, Adiantum is a length-preserving encryption mode
based primarily on XChaCha12.  It is fast even on CPUs without AES
instructions.  Unlike XTS it is also a wide-block encryption mode.
Adiantum is supported for both contents and filenames encryption.

For Adiantum encryption policies, also make the fscrypt tool provide the
new DIRECT_KEY flag, which further improves performance by requesting
that all files be encrypted directly with the policy key.  This takes
advantage of Adiantum's support for long tweaks.

See the kernel commit "fscrypt: add Adiantum support"
(https://git.kernel.org/torvalds/c/8094c3ceb21ad938) for more details.





Add Adiantum support to the fscrypt userspace tool.  Supported in the
kernel since v5.0-rc1, Adiantum is a length-preserving encryption mode
based primarily on XChaCha12.  It is fast even on CPUs without AES
instructions.  Unlike XTS it is also a wide-block encryption mode.
Adiantum is supported for both contents and filenames encryption.

For Adiantum encryption policies, also make the fscrypt tool provide the
new DIRECT_KEY flag, which further improves performance by requesting
that all files be encrypted directly with the policy key.  This takes
advantage of Adiantum's support for long tweaks.

See the kernel commit "fscrypt: add Adiantum support"
(https://git.kernel.org/torvalds/c/8094c3ceb21ad938) for more details.







Go 1.11 gofmt updatae
2018-08-30T10:54:52+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2018-08-30T10:54:52+00:00

3c4664d603fb288b70938a00b05437ce8b2d0e64












vet: eliminate unnecessary shadowing
2018-02-12T07:56:49+00:00

Joseph Richey
joerichey94@gmail.com

2018-02-12T07:56:49+00:00

69630f37fcebe894b15872148bd8b2496806b60c

Running "go vet -shadow ./..." finds all places where a variable might
be incorrectly or unnecessarily shadowed. This fixes some of them.





Running "go vet -shadow ./..." finds all places where a variable might
be incorrectly or unnecessarily shadowed. This fixes some of them.







Finalize import paths and documentation
2017-06-28T22:15:21+00:00

Joe Richey joerichey@google.com
joerichey@google.com

2017-06-28T20:57:55+00:00

2c52eca8727df744d093703bbcbd87fc39d57d30

This commit changes all the internal import paths from `fscrypt/foo` to
`github.com/google/fscrypt/foo` so that it can be built once we release
externaly. The documentation in README.md is updated accordingly.

Also, the README has a note noting that we do not make any guarantees
about project stability before 1.0 (when it ships with Ubuntu).

Change-Id: I6ba86e442c74057c8a06ba32a42e17f94833e280





This commit changes all the internal import paths from `fscrypt/foo` to
`github.com/google/fscrypt/foo` so that it can be built once we release
externaly. The documentation in README.md is updated accordingly.

Also, the README has a note noting that we do not make any guarantees
about project stability before 1.0 (when it ships with Ubuntu).

Change-Id: I6ba86e442c74057c8a06ba32a42e17f94833e280