diff options
| author | Eric Biggers <ebiggers@google.com> | 2021-12-19 22:17:20 -0600 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2021-12-20 10:24:15 -0600 |
| commit | d0b9e2c995beb13c70a1549923df482ff773f09b (patch) | |
| tree | b8d89c0ee0a18aa38b0a5df1d06ab6037f8c2190 /cli-tests | |
| parent | 1014b61a6a054b5c82b2be82e13d8ce28befba45 (diff) | |
filesystem: avoid accessing irrelevant filesystems
Forbid 'fscrypt setup' on filesystems that aren't expected to support
encryption (other than the root filesystem), and skip looking for
fscrypt metadata directories on such filesystems. This has two
benefits. First, it avoids the printing of annoying warnings like:
pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied
pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied
pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied
pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied
pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied
pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied
Second, it avoids long delays or side effects on some filesystems.
To do this, introduce an allowlist of filesystem types that fscrypt will
recognize. I wanted to avoid doing this, since this list will need to
be updated in the future, but I don't see a better solution.
Diffstat (limited to 'cli-tests')
| -rw-r--r-- | cli-tests/t_not_supported.out | 4 | ||||
| -rwxr-xr-x | cli-tests/t_not_supported.sh | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/cli-tests/t_not_supported.out b/cli-tests/t_not_supported.out index ecee56a..68e0897 100644 --- a/cli-tests/t_not_supported.out +++ b/cli-tests/t_not_supported.out @@ -1,8 +1,8 @@ # Mount tmpfs -# Create fscrypt metadata on tmpfs -Metadata directories created at "MNT/.fscrypt". +# Try to create fscrypt metadata on tmpfs +[ERROR] fscrypt setup: filesystem type tmpfs is not supported for fscrypt setup # Try to encrypt a directory on tmpfs [ERROR] fscrypt encrypt: This kernel doesn't support encryption on tmpfs diff --git a/cli-tests/t_not_supported.sh b/cli-tests/t_not_supported.sh index 53a096a..9ff90e1 100755 --- a/cli-tests/t_not_supported.sh +++ b/cli-tests/t_not_supported.sh @@ -9,8 +9,8 @@ _print_header "Mount tmpfs" umount "$MNT" mount tmpfs -t tmpfs -o size=128m "$MNT" -_print_header "Create fscrypt metadata on tmpfs" -fscrypt setup "$MNT" +_print_header "Try to create fscrypt metadata on tmpfs" +_expect_failure "fscrypt setup '$MNT'" _print_header "Try to encrypt a directory on tmpfs" mkdir "$MNT/dir" |