| author | Eric Biggers <ebiggers@google.com> | 2022-10-18 10:12:02 -0700 |
|---|---|---|
| committer | Eric Biggers <ebiggers3@gmail.com> | 2022-10-19 20:47:57 -0700 |
| commit | 295c503a77f53b87305bba310e37cbdd9b516936 (patch) | |
| tree | b9a64df8dc907eb9924062994570b9f8f3118b88 /pam_fscrypt/pam_fscrypt.go | |
| parent | 632d66d6fddfa9fd0a279a1811ced1efc567be29 (diff) | |
Make pam_fscrypt.so support the unlock_only option
Now that it's been requested by users, bring back the "unlock_only"
option, which was originally proposed as part of
https://github.com/google/fscrypt/pull/281 but was dropped in the final
version of that pull request.
Resolves https://github.com/google/fscrypt/issues/357
Diffstat (limited to 'pam_fscrypt/pam_fscrypt.go')
| -rw-r--r-- | pam_fscrypt/pam_fscrypt.go | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 04ca13c..bd6b04d 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -55,9 +55,12 @@ const (
 	debugFlag = "debug"
 
 	// This option is accepted for compatibility with existing config files,
-	// but now we lock policies unconditionally and this option is a no-op.
+	// but now we lock policies by default and this option is a no-op.
 	lockPoliciesFlag = "lock_policies"
 
+	// Only unlock directories, don't lock them.
+	unlockOnlyFlag = "unlock_only"
+
 	// This option is accepted for compatibility with existing config files,
 	// but it no longer does anything. pam_fscrypt now drops caches if and
 	// only if it is needed. (Usually it is not needed anymore, as the
@@ -279,19 +282,21 @@ func CloseSession(handle *pam.Handle, args map[string]bool) error {
 
 	// Don't automatically drop privileges, since we may need them to
 	// deprovision policies or to drop caches.
-	log.Print("locking policies protected with login protector")
-	needDropCaches, errLock := lockLoginPolicies(handle)
-
-	var errCache error
-	if needDropCaches {
-		log.Print("dropping appropriate filesystem caches at session close")
-		errCache = security.DropFilesystemCache()
-	}
+	if !args[unlockOnlyFlag] {
+		log.Print("locking policies protected with login protector")
+		needDropCaches, errLock := lockLoginPolicies(handle)
 
-	if errLock != nil {
-		return errLock
+		var errCache error
+		if needDropCaches {
+			log.Print("dropping appropriate filesystem caches at session close")
+			errCache = security.DropFilesystemCache()
+		}
+		if errLock != nil {
+			return errLock
+		}
+		return errCache
 	}
-	return errCache
+	return nil
 }
 
 // lockLoginPolicies deprovisions all policy keys that are protected by the
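Review bot: The comment on the new `unlockOnlyFlag` constant names the option but not its effect on the at-rest guarantee, which is what an administrator reading the config keyword list needs to know before enabling it. Based on the CloseSession hunk in this same patch, the option makes session close skip both the deprovisioning of login-protected policy keys and the cache drop, so I would extend the comment to `// Only unlock directories, don't lock them. When set, CloseSession leaves the login-protected policy keys provisioned and skips dropping caches, so the directories stay unlocked after logout.` It would also be worth stating here that `lock_policies` does not override this, since the adjacent comment now says policies are locked "by default" rather than unconditionally.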
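Review bot: The new `if !args[unlockOnlyFlag]` branch returns nil without logging anything when the option is set, so a session close that intentionally leaves login-protected keys provisioned is indistinguishable in the PAM log from one where locking never ran; the previous code always emitted "locking policies protected with login protector". I would make the skipped lock visible, e.g. an else branch with `log.Print("unlock_only is set; not locking policies at session close")`, so the weaker at-rest state is auditable. The same check could be written as a guard clause that returns early when `args[unlockOnlyFlag]` is set, keeping the existing lock-and-drop-caches path left-aligned instead of indenting it a level. If `args` also carries the `lock_policies` key (it appears to be the parsed option map), logging a warning when both options are present would avoid the two conflicting settings silently resolving to "never lock". CloseSession's signature and opening lines are outside this hunk.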