fscrypt.git/metadata, branch v0.3.4 Go tool for managing Linux filesystem encryption Increase checks for invalid HashingCosts 2022-12-04T22:36:56+00:00 Joe Richey joerichey@google.com 2022-08-27T07:32:56+00:00 9d96413911725504aaf4f4f1b00d492ae21282de Signed-off-by: Joe Richey <joerichey@google.com> [ebiggers: moved the new checks from PassphraseHash to CheckValidity] Signed-off-by: Eric Biggers <ebiggers@google.com> 
Signed-off-by: Joe Richey <joerichey@google.com>
[ebiggers: moved the new checks from PassphraseHash to CheckValidity]
Signed-off-by: Eric Biggers <ebiggers@google.com>
Add truncation_fixed field to HashingCosts 2022-12-04T22:36:56+00:00 Joe Richey joerichey@google.com 2022-08-27T06:40:44+00:00 7ae302aa0dba1d1ea4bbeffae1917792722460c8 This allows us to fix the bug where Parallelism is inadvertantly truncated to 8 bits in a backwards compatible way. Signed-off-by: Joe Richey <joerichey@google.com> 
This allows us to fix the bug where Parallelism is inadvertantly
truncated to 8 bits in a backwards compatible way.

Signed-off-by: Joe Richey <joerichey@google.com>
Update file comment 2022-12-04T22:36:56+00:00 Joe Richey joerichey@google.com 2022-08-27T06:35:33+00:00 30c4e497c609f0244cc9f98bc004c13a324c9f54 We now create the `*pb.go` files via the makefile instead of though `go generate`. Signed-off-by: Joe Richey <joerichey@google.com> 
We now create the `*pb.go` files via the makefile instead of though
`go generate`.

Signed-off-by: Joe Richey <joerichey@google.com>
Stop using deprecated package io/ioutil 2022-12-04T22:07:39+00:00 Eric Biggers ebiggers@google.com 2022-12-04T21:27:43+00:00 02875cef9010633b6689cfd1e2ceec9107b756b4 Since Go 1.16 (which recently became the minimum supported Go version for this project), the package io/ioutil is deprecated in favor of equivalent functionality in the io and os packages. staticcheck warns about this. Address all the warnings by switching to the non-deprecated replacement functions. 
Since Go 1.16 (which recently became the minimum supported Go version
for this project), the package io/ioutil is deprecated in favor of
equivalent functionality in the io and os packages.  staticcheck warns
about this.  Address all the warnings by switching to the non-deprecated
replacement functions.
Add support for AES_256_HCTR2 filenames encryption 2022-10-20T03:45:51+00:00 Eric Biggers ebiggers@google.com 2022-10-18T17:02:50+00:00 632d66d6fddfa9fd0a279a1811ced1efc567be29 Support for AES_256_HCTR2 filenames encryption was added in kernel version 6.0. The kernel doesn't yet support AES_256_HCTR2 for contents encryption. 
Support for AES_256_HCTR2 filenames encryption was added in kernel
version 6.0.  The kernel doesn't yet support AES_256_HCTR2 for contents
encryption.
Ignore JSON whitespace in tests (#364) 2022-08-27T07:44:21+00:00 Joseph Richey joerichey@google.com 2022-08-27T07:44:21+00:00 5d9198ff97c2fc600743d57719dd6b1d77bc6d3c Follow up to #362 Protojson randomly inserts whitespace to indicate that the output is unstable, breaking out tests. To fix this, compact the output before comparison. Signed-off-by: Joe Richey <joerichey@google.com> Signed-off-by: Joe Richey <joerichey@google.com> 
Follow up to #362

Protojson randomly inserts whitespace to indicate that the output is
unstable, breaking out tests. To fix this, compact the output before
comparison.

Signed-off-by: Joe Richey <joerichey@google.com>

Signed-off-by: Joe Richey <joerichey@google.com>
 fsync set policy ioctls 2022-08-23T16:35:43+00:00 Marcel Lauhoff marcel.lauhoff@suse.com 2022-08-12T12:45:29+00:00 75cf58070a87aecfdad295ee50d048603d1916ed Split policyIoctl into setPolicyIoctl and getPolicyIoctl. Add a os.Sync() call to setPolicyIoctl. Policy ioctls are not necessary durable on return. For example, on ext4 (ref: fs/ext4/crypto.c: ext4_set_context) they are not. This may lead to a filesystem containing fscrypt metadata (in .fscrypt), but without the policy applied on an encrypted directory. Example: Snapshotting a mounted ext4 filesystem on Ceph RBD right after setting the policy. While subject to timing, with high probability the snapshot will not have the policy set. Calling fsync fixes this. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com> 
Split policyIoctl into setPolicyIoctl and getPolicyIoctl. Add a
os.Sync() call to setPolicyIoctl.

Policy ioctls are not necessary durable on return. For example, on
ext4 (ref: fs/ext4/crypto.c: ext4_set_context) they are not. This may
lead to a filesystem containing fscrypt metadata (in .fscrypt), but
without the policy applied on an encrypted directory.

Example:
Snapshotting a mounted ext4 filesystem on Ceph RBD right after
setting the policy. While subject to timing, with high probability the
snapshot will not have the policy set. Calling fsync fixes this.

Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Switch to google.golang.org/protobuf/proto 2022-04-09T06:38:01+00:00 Eric Biggers ebiggers@google.com 2022-04-09T06:16:59+00:00 ca7a84b8aea203025acbda193f78ea98946236b5 github.com/golang/protobuf/proto has been deprecated in favor of google.golang.org/protobuf/proto, so migrate to the non-deprecated one. 
github.com/golang/protobuf/proto has been deprecated in favor of
google.golang.org/protobuf/proto, so migrate to the non-deprecated one.
Strictly validate metadata file ownership by default 2022-02-23T20:35:04+00:00 Eric Biggers ebiggers@google.com 2022-02-23T20:35:04+00:00 74e870b7bd1585b4b509da47e0e75db66336e576 The metadata validation checks introduced by the previous commits are good, but to reduce the attack surface it would be much better to avoid reading and parsing files owned by other users in the first place. There are some possible use cases for users sharing fscrypt metadata files, but I think that for the vast majority of users it is unneeded and just opens up attack surface. Thus, make fscrypt (and pam_fscrypt) not process policies or protectors owned by other users by default. Specifically, * If fscrypt or pam_fscrypt is running as a non-root user, only policies and protectors owned by the user or by root can be used. * If fscrypt is running as root, any policy or protector can be used. (This is to match user expectations -- starting a sudo session should gain rights, not remove rights.) * If pam_fscrypt is running as root, only policies and protectors owned by root can be used. Note that this only applies when the root user themselves has an fscrypt login protector, which is rare. Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which allows restoring the old behavior for anyone who really needs it. 
The metadata validation checks introduced by the previous commits are
good, but to reduce the attack surface it would be much better to avoid
reading and parsing files owned by other users in the first place.

There are some possible use cases for users sharing fscrypt metadata
files, but I think that for the vast majority of users it is unneeded
and just opens up attack surface.  Thus, make fscrypt (and pam_fscrypt)
not process policies or protectors owned by other users by default.
Specifically,

   * If fscrypt or pam_fscrypt is running as a non-root user, only
     policies and protectors owned by the user or by root can be used.

   * If fscrypt is running as root, any policy or protector can be used.
     (This is to match user expectations -- starting a sudo session
     should gain rights, not remove rights.)

   * If pam_fscrypt is running as root, only policies and protectors
     owned by root can be used.  Note that this only applies when the
     root user themselves has an fscrypt login protector, which is rare.

Add an option 'allow_cross_user_metadata' to /etc/fscrypt.conf which
allows restoring the old behavior for anyone who really needs it.
Avoid using the word "whitelist" 2021-01-25T19:38:55+00:00 Eric Biggers ebiggers@google.com 2021-01-25T19:12:01+00:00 634f57465048c698381513cdc2ee205d4f04e538