path: root/pam_fscrypt/config
author Eric Biggers <ebiggers@google.com> 2021-03-08 15:20:08 -0800
committer Eric Biggers <ebiggers@google.com> 2021-03-08 15:20:08 -0800
commit 28e4999ebd9221a71488d715d9f1182b494216d8
tree e4361f539537b9b7c37d331388db5ab908cd25e6 /pam_fscrypt/config
parent 90a96e4473ae7bcf61a97f25fc67a9a953187f56
pam_fscrypt: decide cache dropping behavior automatically
Configuring whether pam_fscrypt drops caches or not isn't really something the user should have to do, and it's also irrelevant for v2 encryption policies (the default on newer systems). It's better to have pam_fscrypt automatically decide whether it needs to drop caches or not. Do this by making pam_fscrypt check whether any encryption policy keys are being removed from a user keyring (rather than from a filesystem keyring). If so, it drops caches; otherwise it doesn't. This supersedes the "drop_caches" option, which won't do anything anymore.
Diffstat (limited to 'pam_fscrypt/config')
-rw-r--r-- pam_fscrypt/config 2
1 files changed, 1 insertions, 1 deletions
diff --git a/pam_fscrypt/config b/pam_fscrypt/config
index 9b2eb8f..d2fbf68 100644
--- a/pam_fscrypt/config
+++ b/pam_fscrypt/config
@@ -7,7 +7,7 @@ Auth-Final:
Session-Type: Additional
Session-Interactive-Only: yes
Session-Final:
- optional PAM_INSTALL_PATH drop_caches lock_policies
+ optional PAM_INSTALL_PATH lock_policies
Password-Type: Additional
Password-Final:
optional PAM_INSTALL_PATH
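Review bot: Removing `drop_caches` from the Session-Final line only affects newly installed configs; PAM stacks that were already deployed from the old template will keep passing `drop_caches` to the module. Since the commit message says the option "won't do anything anymore", the module's argument handling should keep accepting it as a no-op (ideally logging once that it is ignored) rather than treating it as an unknown argument, and the documentation for the option should be updated to say it is superseded. This view is limited to pam_fscrypt/config, so neither point can be confirmed from the lines shown here.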