diff options
| author | Eric Biggers <ebiggers@google.com> | 2020-03-17 21:10:58 -0700 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2020-03-23 13:20:27 -0700 |
| commit | 8d71383bc08478313c221c8ab20e8902de1bb28b (patch) | |
| tree | c0287582a34ddf992c09d6f2bbaf07fe85b2199f /actions/policy.go | |
| parent | c123f5a24de5a25185653de8e6f970184fde035d (diff) | |
Improve error message when unlocking v2 policy is unsupported
If trying to unlock a v2-encrypted directory fails because the kernel
lacks support for v2 policies, show a better error message. This can
happen if someone downgrades their kernel or tries to access encrypted
directories on removable storage from a computer with an older kernel.
Detecting this case is difficult since all we have to go with is EACCES
when opening the directory. Implement a heuristic where if get EACCES,
we actually have read access to the directory, and the kernel doesn't
support v2 policies, we show the improved error message.
Before:
# fscrypt unlock dir
[ERROR] fscrypt unlock: open dir: permission denied
After:
# fscrypt unlock dir
[ERROR] fscrypt unlock: open dir: permission denied
This may be caused by the directory using a v2 encryption policy and
the current kernel not supporting it. If indeed the case, then this
directory can only be used on kernel v5.4 and later. You can create
directories accessible on older kernels by changing policy_version to
1 in /etc/fscrypt.conf.
Diffstat (limited to 'actions/policy.go')
| -rw-r--r-- | actions/policy.go | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/actions/policy.go b/actions/policy.go index b7fe5a6..3baad72 100644 --- a/actions/policy.go +++ b/actions/policy.go @@ -22,6 +22,7 @@ package actions import ( "fmt" "log" + "os" "github.com/golang/protobuf/proto" "github.com/pkg/errors" @@ -41,6 +42,7 @@ var ( ErrOnlyProtector = errors.New("cannot remove the only protector for a policy") ErrAlreadyProtected = errors.New("policy already protected by protector") ErrNotProtected = errors.New("policy not protected by protector") + ErrAccessDeniedPossiblyV2 = errors.New("permission denied") ) // PurgeAllPolicies removes all policy keys on the filesystem from the kernel @@ -152,6 +154,15 @@ func GetPolicyFromPath(ctx *Context, path string) (*Policy, error) { // the path, and the data we get from the mountpoint. pathData, err := metadata.GetPolicy(path) if err != nil { + // On kernels that don't support v2 encryption policies, trying + // to open a directory with a v2 policy simply gave EACCES. This + // is ambiguous with other errors, but try to detect this case + // and show a better error message. + if os.IsPermission(err) && + filesystem.HaveReadAccessTo(path) && + !keyring.IsFsKeyringSupported(ctx.Mount) { + return nil, errors.Wrapf(ErrAccessDeniedPossiblyV2, "open %s", path) + } return nil, err } descriptor := pathData.KeyDescriptor |