| author | Joe Richey joerichey@google.com <joerichey@google.com> | 2017-05-31 17:54:35 -0700 |
|---|---|---|
| committer | Joe Richey joerichey@google.com <joerichey@google.com> | 2017-06-26 15:40:08 -0700 |
| commit | defd27f75df3a6eef84ac33adf89b1ce255e738c (patch) | |
| tree | 851a587fb4a12381e7a29e32759636021ecaf42c /crypto | |
| parent | d71b7f248e21f5254c32ecbf752a1dbe940a1177 (diff) | |
actions: Simplify the callback mechanism
This commit makes the callbacks for getting keys easier to understand.
Functions which need keys now take a KeyFunc callback. This callback
contains a ProtectorInfo parameter (basically a read-only version of
metadata.ProtectorData) and a boolean which indicates if the call is
being retried. The documentation is also updated to say which functions
will retry the KeyFunc.
For selecting a protector, there is now an OptionFunc callback which
takes a slice of ProtectorOptions. A ProtectorOption is a ProtectorInfo
along with additional information about a linked filesystem (if
applicable).
This commit also adds in methods for getting the protector options for a
specific filesystem or policy. It also adds a function for getting the
policy descriptor for a specific path.
Change-Id: I41e0d94ffd44e7166b0c5cf1b5d18437960bdf90
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/crypto_test.go | 10 | ||||
| -rw-r--r-- | crypto/key.go | 23 |
2 files changed, 13 insertions, 20 deletions
diff --git a/crypto/crypto_test.go b/crypto/crypto_test.go
index 2141fb8..a3a2880 100644
--- a/crypto/crypto_test.go
+++ b/crypto/crypto_test.go
@@ -236,7 +236,7 @@ func TestKeyLargeResize(t *testing.T) {
 // Adds and removes a key with various services.
 func TestAddRemoveKeys(t *testing.T) {
- for _, service := range []string{ServiceDefault, ServiceExt4, ServiceF2FS} {
+ for _, service := range []string{DefaultService, "ext4:", "f2fs:"} {
 if err := InsertPolicyKey(fakeValidPolicyKey, fakeValidDescriptor, service); err != nil {
 t.Error(err)
 }
@@ -248,12 +248,12 @@ func TestAddRemoveKeys(t *testing.T) {
 // Makes sure a key fails with bad descriptor, policy, or service
 func TestBadAddKeys(t *testing.T) {
- if InsertPolicyKey(fakeInvalidPolicyKey, fakeValidDescriptor, ServiceDefault) == nil {
- RemovePolicyKey(fakeValidDescriptor, ServiceDefault)
+ if InsertPolicyKey(fakeInvalidPolicyKey, fakeValidDescriptor, DefaultService) == nil {
+ RemovePolicyKey(fakeValidDescriptor, DefaultService)
 t.Error("InsertPolicyKey should fail with bad policy key")
 }
- if InsertPolicyKey(fakeValidPolicyKey, fakeInvalidDescriptor, ServiceDefault) == nil {
- RemovePolicyKey(fakeInvalidDescriptor, ServiceDefault)
+ if InsertPolicyKey(fakeValidPolicyKey, fakeInvalidDescriptor, DefaultService) == nil {
+ RemovePolicyKey(fakeInvalidDescriptor, DefaultService)
 t.Error("InsertPolicyKey should fail with bad descriptor")
 }
 if InsertPolicyKey(fakeValidPolicyKey, fakeValidDescriptor, "ext4") == nil {
diff --git a/crypto/key.go b/crypto/key.go
index bd69b2d..852b213 100644
--- a/crypto/key.go
+++ b/crypto/key.go
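Review bot: In TestAddRemoveKeys (crypto/crypto_test.go) the legacy services are now bare literals `"ext4:"` and `"f2fs:"` with nothing saying where they come from or that the trailing colon matters. The last context line of the TestBadAddKeys hunk expects `"ext4"` without the colon to be rejected, so the difference is easy to miss when reading the two tests together. A comment above the loop such as `// "ext4:" and "f2fs:" are the legacy per-filesystem services; the trailing colon is part of the service name` would keep the intent visible now that the named constants are gone.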
@@ -36,18 +36,17 @@ import (
 "fscrypt/util"
 )
-// Service Prefixes for keyring keys. As of kernel v4.8, all filesystems
-// supporting encryption will use FS_KEY_DESC_PREFIX to indicate that a key in
-// the keyring should be used with filesystem encryption. However, we also
-// include the older service prefixes for legacy compatibility.
 const (
- ServiceDefault = unix.FS_KEY_DESC_PREFIX
- // ServiceExt4 was used before v4.8 for ext4 filesystem encryption.
- ServiceExt4 = "ext4:"
- // ServiceExt4 was used before v4.6 for F2FS filesystem encryption.
- ServiceF2FS = "f2fs:"
+ // DefaultService is the service which should be used for all encryption
+ // keys unless not possible for legacy reasons. For ext4 systems before
+ // v4.8 and f2fs systems before v4.6, filesystem specific services must
+ // be used (these legacy services will still work with later kernels).
+ DefaultService = unix.FS_KEY_DESC_PREFIX
 // keyType is always logon as required by filesystem encryption
 keyType = "logon"
+ // Keys need to readable and writable, but hidden from other processes.
+ keyProtection = unix.PROT_READ | unix.PROT_WRITE
+ keyMmapFlags = unix.MAP_PRIVATE | unix.MAP_ANONYMOUS
 )
 /*
@@ -93,12 +92,6 @@ type Key struct {
 data []byte
 }
-const (
- // Keys need to readable and writable, but hidden from other processes.
- keyProtection = unix.PROT_READ | unix.PROT_WRITE
- keyMmapFlags = unix.MAP_PRIVATE | unix.MAP_ANONYMOUS
-)
-
 // newBlankKey constructs a blank key of a specified length and returns an error
 // if we are unable to allocate or lock the necessary memory.
 func newBlankKey(length int) (*Key, error) { |
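Review bot: The new DefaultService comment in the first key.go hunk says filesystem-specific services must be used on older ext4 and f2fs kernels but no longer names them. Since the hunk also deletes the exported ServiceExt4 and ServiceF2FS constants, I would keep the values in the comment, e.g. `// (the legacy services are "ext4:" and "f2fs:")`. Any code outside crypto/ that still references the removed names will stop compiling; this diff is limited to crypto/, so that cannot be checked here. On the moved mmap constants, `// Keys need to readable and writable` is missing "be", and "hidden from other processes" describes keyMmapFlags rather than keyProtection, so one comment per line would read better. It would also help to say that MAP_PRIVATE|MAP_ANONYMOUS alone does not keep key bytes out of swap, which is presumably what the locking mentioned on newBlankKey covers.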