diff options
| author | Eric Biggers <ebiggers@google.com> | 2021-12-22 22:46:16 -0600 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2021-12-22 22:46:16 -0600 |
| commit | 5ae7da4ee6582099de5d1b14733f8d58f4dc2816 (patch) | |
| tree | a2fd322f6e829fa5718507d510c9db17bf4131c1 /filesystem/mountpoint_test.go | |
| parent | 6ec8ee00398c435aba7cbb68f8246c1772e12908 (diff) | |
filesystem: store mountpoint in link files as a fallback
Currently, linked protectors use filesystem link files of the form
"UUID=<uuid>". These links get broken if the filesystem's UUID changes,
e.g. due to the filesystem being re-created even if the ".fscrypt"
directory is backed up and restored.
To prevent links from being broken (in most cases), start storing the
mountpoint path in the link files too, in the form
"UUID=<uuid>\nPATH=<path>\n". When following a link, try the UUID
first, and if it doesn't work try the PATH. While it's possible that
the path changed too, for login protectors (the usual use case of linked
protectors) this won't be an issue as the path will always be "/".
An alternative solution would be to fall back to scanning all
filesystems for the needed protector descriptor. I decided not to do
that, since relying on a global scan doesn't seem to be a good design.
It wouldn't scale to large numbers of filesystems, it could cross
security boundaries, and it would make it possible for adding a new
filesystem to break fscrypt on existing filesystems. And if a global
scan was an acceptable way to find protectors during normal use, then
there would be no need for link files in the first place.
Note: this change is backwards compatible (i.e., fscrypt will continue
to recognize old link files) but not forwards-compatible (i.e., previous
versions of fscrypt won't recognize new link files).
Fixes https://github.com/google/fscrypt/issues/311
Diffstat (limited to 'filesystem/mountpoint_test.go')
| -rw-r--r-- | filesystem/mountpoint_test.go | 68 |
1 files changed, 65 insertions, 3 deletions
diff --git a/filesystem/mountpoint_test.go b/filesystem/mountpoint_test.go index 633ff94..6600d87 100644 --- a/filesystem/mountpoint_test.go +++ b/filesystem/mountpoint_test.go @@ -373,14 +373,14 @@ func TestLoadAmbiguousMounts(t *testing.T) { } } -// Test making a filesystem link (i.e. "UUID=...") and following it, and test -// that leading and trailing whitespace in the link is ignored. +// Test making a filesystem link and following it, and test that leading and +// trailing whitespace in the link is ignored. func TestGetMountFromLink(t *testing.T) { mnt, err := getTestMount(t) if err != nil { t.Skip(err) } - link, err := makeLink(mnt, uuidToken) + link, err := makeLink(mnt) if err != nil { t.Fatal(err) } @@ -405,6 +405,68 @@ func TestGetMountFromLink(t *testing.T) { } } +// Test that old filesystem links that contain a UUID only still work. +func TestGetMountFromLegacyLink(t *testing.T) { + mnt, err := getTestMount(t) + if err != nil { + t.Skip(err) + } + uuid, err := mnt.getFilesystemUUID() + if uuid == "" || err != nil { + t.Fatal("Can't get UUID of test filesystem") + } + + link := fmt.Sprintf("UUID=%s", uuid) + linkedMnt, err := getMountFromLink(link) + if err != nil { + t.Fatal(err) + } + if linkedMnt != mnt { + t.Fatal("Link doesn't point to the same Mount") + } +} + +// Test that if the UUID in a filesystem link doesn't work, then the PATH is +// used instead, and vice versa. +func TestGetMountFromLinkFallback(t *testing.T) { + mnt, err := getTestMount(t) + if err != nil { + t.Skip(err) + } + badUUID := "00000000-0000-0000-0000-000000000000" + badPath := "/NONEXISTENT_MOUNT" + goodUUID, err := mnt.getFilesystemUUID() + if goodUUID == "" || err != nil { + t.Fatal("Can't get UUID of test filesystem") + } + + // only PATH valid (should succeed) + link := fmt.Sprintf("UUID=%s\nPATH=%s\n", badUUID, mnt.Path) + linkedMnt, err := getMountFromLink(link) + if err != nil { + t.Fatal(err) + } + if linkedMnt != mnt { + t.Fatal("Link doesn't point to the same Mount") + } + + // only UUID valid (should succeed) + link = fmt.Sprintf("UUID=%s\nPATH=%s\n", goodUUID, badPath) + if linkedMnt, err = getMountFromLink(link); err != nil { + t.Fatal(err) + } + if linkedMnt != mnt { + t.Fatal("Link doesn't point to the same Mount") + } + + // neither valid (should fail) + link = fmt.Sprintf("UUID=%s\nPATH=%s\n", badUUID, badPath) + linkedMnt, err = getMountFromLink(link) + if linkedMnt != nil || err == nil { + t.Fatal("Following a bad link succeeded") + } +} + // Benchmarks how long it takes to update the mountpoint data func BenchmarkLoadFirst(b *testing.B) { for n := 0; n < b.N; n++ { |