authorEric Biggers <ebiggers@google.com>2019-12-15 19:31:39 -0800
committerEric Biggers <ebiggers@google.com>2020-01-05 10:02:13 -0800
commitd0ac36dcea341ff000aca983dd80e7bef9fc30ec (patch)
tree673eef073fd0646bbc16bc088a315d0dfe68dfb7 /pam/pam.go
parent0829eb74863bd279ae012779e52040ecc7f7178e (diff)
pam_fscrypt: update to handle filesystem keyring
FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY require root for v1 policy keys, so update the PAM module to re-acquire root privileges while provisioning/deprovisioning policies that need this. Also, only set up the user keyring if it will actually be used.
Diffstat (limited to 'pam/pam.go')
-rw-r--r--pam/pam.go20
1 files changed, 12 insertions, 8 deletions
diff --git a/pam/pam.go b/pam/pam.go
index ece6bda..54a60e2 100644
--- a/pam/pam.go
+++ b/pam/pam.go
@@ -34,7 +34,6 @@ import (
"os/user"
"unsafe"
- "github.com/google/fscrypt/keyring"
"github.com/google/fscrypt/security"
)
@@ -128,26 +127,31 @@ func (h *Handle) GetItem(i Item) (unsafe.Pointer, error) {
return data, nil
}
-// StartAsPamUser sets the effective privileges to that of the PAM user, and
-// configures the PAM user's keyrings to be properly linked.
+// StartAsPamUser sets the effective privileges to that of the PAM user.
func (h *Handle) StartAsPamUser() error {
- if _, err := keyring.UserKeyringID(h.PamUser, true); err != nil {
- log.Printf("Setting up keyrings in PAM: %v", err)
- }
userPrivs, err := security.UserPrivileges(h.PamUser)
if err != nil {
return err
}
- if h.origPrivs, err = security.ProcessPrivileges(); err != nil {
+ origPrivs, err := security.ProcessPrivileges()
+ if err != nil {
+ return err
+ }
+ if err = security.SetProcessPrivileges(userPrivs); err != nil {
return err
}
- return security.SetProcessPrivileges(userPrivs)
+ h.origPrivs = origPrivs
+ return nil
}
// StopAsPamUser restores the original privileges that were running the
// PAM module (this is usually root).
func (h *Handle) StopAsPamUser() error {
+ if h.origPrivs == nil {
+ return nil
+ }
err := security.SetProcessPrivileges(h.origPrivs)
+ h.origPrivs = nil
if err != nil {
log.Print(err)
}
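Review bot: StartAsPamUser has no guard against being entered twice: a second call while h.origPrivs is already set reads ProcessPrivileges() as the PAM user and overwrites the saved root privileges, so the paired StopAsPamUser would then "restore" the unprivileged set rather than root. The new nil check in StopAsPamUser makes Stop idempotent but Start is not symmetric; a guard at the top of StartAsPamUser such as `if h.origPrivs != nil { return nil }` (or an error, if an errors/fmt import is in scope in this file) would keep the pair balanced. Separately, StopAsPamUser clears h.origPrivs before inspecting err, so a failed SetProcessPrivileges leaves the process at the PAM user's privilege level with no way to retry the restore; clearing only on success, `if err == nil { h.origPrivs = nil }`, preserves that option. StopAsPamUser's body continues past the end of the hunk, so what is returned after the log call is not visible here.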