fscrypt.git/pam_fscrypt/pam_fscrypt.go, branch v0.3.4 Go tool for managing Linux filesystem encryption pam_fscrypt: filter out irrelevant policies earlier 2022-12-04T21:05:00+00:00 Eric Biggers ebiggers@google.com 2022-12-03T06:13:01+00:00 5373b314473b08f13372ab55b551738307a85fbd If a session is opened for a user twice and the second doesn't have the AUTHTOK data, pam_fscrypt prints an error message that says it failed to unlock a protector because AUTHTOK data is missing. This is misleading because the protector and its associated policies were already unlocked by the first session. To avoid this, move the check for whether the policy is provisioned or not into policiesUsingProtector(). Also do the same for CloseSession. 
If a session is opened for a user twice and the second doesn't have the
AUTHTOK data, pam_fscrypt prints an error message that says it failed to
unlock a protector because AUTHTOK data is missing.  This is misleading
because the protector and its associated policies were already unlocked
by the first session.

To avoid this, move the check for whether the policy is provisioned or
not into policiesUsingProtector().  Also do the same for CloseSession.
Make pam_fscrypt.so support the unlock_only option 2022-10-20T03:47:57+00:00 Eric Biggers ebiggers@google.com 2022-10-18T17:12:02+00:00 295c503a77f53b87305bba310e37cbdd9b516936 Now that it's been requested by users, bring back the "unlock_only" option, which was originally proposed as part of https://github.com/google/fscrypt/pull/281 but was dropped in the final version of that pull request. Resolves https://github.com/google/fscrypt/issues/357 
Now that it's been requested by users, bring back the "unlock_only"
option, which was originally proposed as part of
https://github.com/google/fscrypt/pull/281 but was dropped in the final
version of that pull request.

Resolves https://github.com/google/fscrypt/issues/357
Try to detect process being forked during PAM transaction 2022-04-17T05:37:20+00:00 Eric Biggers ebiggers@google.com 2022-04-17T05:31:32+00:00 f0c1cae003dd216ba706d7ef14df83d311c82034 Update https://github.com/google/fscrypt/issues/350 
Update https://github.com/google/fscrypt/issues/350
pam_fscrypt: warn user if OLDAUTHTOK not given in chauthtok 2021-12-22T03:55:01+00:00 Eric Biggers ebiggers@google.com 2021-12-22T02:38:03+00:00 b7399903540c95e89f0ee427fed1de07301fbd93 If someone runs 'passwd USER' as root, the user is assigned a new login passphrase without their fscrypt login protector being updated. Detect this case and show a warning message using pam_info(). Fixes https://github.com/google/fscrypt/issues/273 
If someone runs 'passwd USER' as root, the user is assigned a new login
passphrase without their fscrypt login protector being updated.  Detect
this case and show a warning message using pam_info().

Fixes https://github.com/google/fscrypt/issues/273
pam_fscrypt: make "lock_policies" the default behavior 2021-03-08T23:20:08+00:00 Eric Biggers ebiggers@google.com 2021-03-08T23:20:08+00:00 b7e898f01bcae17174fcd928599d0d933655db9b All pam_fscrypt configuration guides that I'm aware of say to use the "lock_policies" option for the pam_fscrypt.so session hook. The Debian/Ubuntu pam-config-framework config file has it too. Make locking the default behavior, since this is what everyone wants. Existing configuration files that contain the "lock_policies" option will continue to work, but that option won't do anything anymore. (We could add an option "unlock_only" to restore the old default behavior, but it's not clear that it would be useful. So for simplicity, leave it out for now.) 
All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook.  The
Debian/Ubuntu pam-config-framework config file has it too.

Make locking the default behavior, since this is what everyone wants.

Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.

(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful.  So for
simplicity, leave it out for now.)
pam_fscrypt: decide cache dropping behavior automatically 2021-03-08T23:20:08+00:00 Eric Biggers ebiggers@google.com 2021-03-08T23:20:08+00:00 28e4999ebd9221a71488d715d9f1182b494216d8 Configuring whether pam_fscrypt drops caches or not isn't really something the user should have to do, and it's also irrelevant for v2 encryption policies (the default on newer systems). It's better to have pam_fscrypt automatically decide whether it needs to drop caches or not. Do this by making pam_fscrypt check whether any encryption policy keys are being removed from a user keyring (rather than from a filesystem keyring). If so, it drops caches; otherwise it doesn't. This supersedes the "drop_caches" option, which won't do anything anymore. 
Configuring whether pam_fscrypt drops caches or not isn't really
something the user should have to do, and it's also irrelevant for v2
encryption policies (the default on newer systems).  It's better to have
pam_fscrypt automatically decide whether it needs to drop caches or not.

Do this by making pam_fscrypt check whether any encryption policy keys
are being removed from a user keyring (rather than from a filesystem
keyring).  If so, it drops caches; otherwise it doesn't.  This
supersedes the "drop_caches" option, which won't do anything anymore.
cmd/fscrypt, keyring: add --all-users option to 'fscrypt lock' 2020-01-05T18:02:13+00:00 Eric Biggers ebiggers@google.com 2019-12-16T03:31:39+00:00 068879664efd8a0f983cbc3e8115571047fe9edd Allow root to provide the --all-users option to 'fscrypt lock' to force an encryption key to be removed from the filesystem (i.e., force an encrypted directory to be locked), even if other users have added it. To implement this option, we just need to use the FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl rather than FS_IOC_REMOVE_ENCRYPTION_KEY. In theory this option could be implemented for the user keyrings case too, but it would be difficult and the user keyrings are being deprecated for fscrypt, so don't bother. 
Allow root to provide the --all-users option to 'fscrypt lock' to force
an encryption key to be removed from the filesystem (i.e., force an
encrypted directory to be locked), even if other users have added it.

To implement this option, we just need to use the
FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl rather than
FS_IOC_REMOVE_ENCRYPTION_KEY.

In theory this option could be implemented for the user keyrings case
too, but it would be difficult and the user keyrings are being
deprecated for fscrypt, so don't bother.
Keyring support for v2 encryption policies 2020-01-05T18:02:13+00:00 Eric Biggers ebiggers@google.com 2019-12-16T03:31:39+00:00 42e0dfe85ec7a75a2fa30c417d57eae60b5a881d Implement adding/removing v2 encryption policy keys to/from the kernel. The kernel requires that the new ioctls FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY be used for this. Root is not required. However, non-root support brings an extra complication: the kernel keeps track of which users have called FS_IOC_ADD_ENCRYPTION_KEY for the same key. FS_IOC_REMOVE_ENCRYPTION_KEY only works as one of these users, and it only removes the calling user's claim to the key; the key is only truly removed when the last claim is removed. Implement the following behavior: - 'fscrypt unlock' and pam_fscrypt add the key for the user, even if other user(s) have it added already. This behavior is needed so that another user can't remove the key out from under the user. - 'fscrypt lock' and pam_fscrypt remove the key for the user. However, if the key wasn't truly removed because other users still have it added, 'fscrypt lock' prints a warning. - 'fscrypt status' shows whether the directory is unlocked for anyone. 
Implement adding/removing v2 encryption policy keys to/from the kernel.
The kernel requires that the new ioctls FS_IOC_ADD_ENCRYPTION_KEY and
FS_IOC_REMOVE_ENCRYPTION_KEY be used for this.  Root is not required.

However, non-root support brings an extra complication: the kernel keeps
track of which users have called FS_IOC_ADD_ENCRYPTION_KEY for the same
key.  FS_IOC_REMOVE_ENCRYPTION_KEY only works as one of these users, and
it only removes the calling user's claim to the key; the key is only
truly removed when the last claim is removed.

Implement the following behavior:

- 'fscrypt unlock' and pam_fscrypt add the key for the user, even if
  other user(s) have it added already.  This behavior is needed so that
  another user can't remove the key out from under the user.

- 'fscrypt lock' and pam_fscrypt remove the key for the user.  However,
  if the key wasn't truly removed because other users still have it
  added, 'fscrypt lock' prints a warning.

- 'fscrypt status' shows whether the directory is unlocked for anyone.
pam_fscrypt: update to handle filesystem keyring 2020-01-05T18:02:13+00:00 Eric Biggers ebiggers@google.com 2019-12-16T03:31:39+00:00 d0ac36dcea341ff000aca983dd80e7bef9fc30ec FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY require root for v1 policy keys, so update the PAM module to re-acquire root privileges while provisioning/deprovisioning policies that need this. Also, only set up the user keyring if it will actually be used. 
FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY require root
for v1 policy keys, so update the PAM module to re-acquire root
privileges while provisioning/deprovisioning policies that need this.

Also, only set up the user keyring if it will actually be used.
Fix various typos and grammatical errors (#141) 2019-09-09T02:46:59+00:00 ebiggers ebiggers@google.com 2019-09-09T02:46:59+00:00 6445dad7d66fa6a1867090fcd9602c98863649f6 These were found by a combination of manual review and a custom script that checks for common errors. Also removed an outdated sentence from the comment for setupBefore(). 
These were found by a combination of manual review and a custom script
that checks for common errors.

Also removed an outdated sentence from the comment for setupBefore().