authorEric Biggers <ebiggers@google.com>2019-12-15 19:31:39 -0800
committerEric Biggers <ebiggers@google.com>2020-01-05 10:02:13 -0800
commitd0ac36dcea341ff000aca983dd80e7bef9fc30ec (patch)
tree673eef073fd0646bbc16bc088a315d0dfe68dfb7 /actions
parent0829eb74863bd279ae012779e52040ecc7f7178e (diff)
pam_fscrypt: update to handle filesystem keyring
FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY require root for v1 policy keys, so update the PAM module to re-acquire root privileges while provisioning/deprovisioning policies that need this. Also, only set up the user keyring if it will actually be used.
Diffstat (limited to 'actions')
-rw-r--r--actions/policy.go6
1 files changed, 6 insertions, 0 deletions
diff --git a/actions/policy.go b/actions/policy.go
index 2d8c521..b9cd88c 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -412,6 +412,12 @@ func (policy *Policy) NeedsUserKeyring() bool {
return !policy.Context.Config.GetUseFsKeyringForV1Policies()
}
+// NeedsRootToProvision returns true if Provision and Deprovision will require
+// root for this policy in the current configuration.
+func (policy *Policy) NeedsRootToProvision() bool {
+ return policy.Context.Config.GetUseFsKeyringForV1Policies()
+}
+
// commitData writes the Policy's current data to the filesystem.
func (policy *Policy) commitData() error {
return policy.Context.Mount.AddPolicy(policy.data)
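Review bot: NeedsRootToProvision consults only the configuration (`GetUseFsKeyringForV1Policies()`) and never looks at the policy itself, although its doc comment says "for this policy" and the commit message ties the root requirement to v1 policy keys. If a Policy can ever be something other than v1 (not visible in this hunk), the predicate would still return true and the PAM module would re-acquire root when it is not needed, which works against least privilege. I would either gate the result on the policy's version or state the assumption in the doc comment, e.g. `// Only the configuration is consulted; this assumes every policy is a v1 policy.` The same applies to NeedsUserKeyring in the context lines above, whose declaration appears only in the hunk header.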