| author | Eric Biggers <ebiggers@google.com> | 2022-12-02 22:13:01 -0800 |
|---|---|---|
| committer | Eric Biggers <ebiggers3@gmail.com> | 2022-12-04 13:05:00 -0800 |
| commit | 5373b314473b08f13372ab55b551738307a85fbd (patch) | |
| tree | b79ffbd54285e36ad1411b0f84416c2c884fc4af /pam_fscrypt/pam_fscrypt.go | |
| parent | 295c503a77f53b87305bba310e37cbdd9b516936 (diff) | |
pam_fscrypt: filter out irrelevant policies earlier
If a session is opened for a user twice and the second doesn't have the
AUTHTOK data, pam_fscrypt prints an error message that says it failed to
unlock a protector because AUTHTOK data is missing. This is misleading
because the protector and its associated policies were already unlocked
by the first session.
To avoid this, move the check for whether the policy is provisioned or
not into policiesUsingProtector(). Also do the same for CloseSession.
Diffstat (limited to 'pam_fscrypt/pam_fscrypt.go')
| -rw-r--r-- | pam_fscrypt/pam_fscrypt.go | 14 |
1 files changed, 2 insertions, 12 deletions
diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index bd6b04d..2daff89 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -193,7 +193,7 @@ func OpenSession(handle *pam.Handle, _ map[string]bool) error {
 log.Printf("no protector to unlock: %s", err)
 return nil
 }
- policies := policiesUsingProtector(protector)
+ policies := policiesUsingProtector(protector, false)
 if len(policies) == 0 {
 log.Print("no policies to unlock")
 return nil
@@ -234,11 +234,6 @@ func OpenSession(handle *pam.Handle, _ map[string]bool) error {
 // We don't stop provisioning polices on error, we try all of them.
 for _, policy := range policies {
- if policy.IsProvisionedByTargetUser() {
- log.Printf("policy %s already provisioned by %v", policy.Descriptor(), handle.PamUser.Username)
- continue
- }
 if err := policy.UnlockWithProtector(protector); err != nil {
 log.Printf("unlocking policy %s: %s", policy.Descriptor(), err)
 continue
@@ -316,7 +311,7 @@ func lockLoginPolicies(handle *pam.Handle) (bool, error) {
 log.Printf("nothing to lock: %s", err)
 return needDropCaches, nil
 }
- policies := policiesUsingProtector(protector)
+ policies := policiesUsingProtector(protector, true)
 if len(policies) == 0 {
 log.Print("no policies to lock")
 return needDropCaches, nil
@@ -328,11 +323,6 @@ func lockLoginPolicies(handle *pam.Handle) (bool, error) {
 // We will try to deprovision all of the policies.
 for _, policy := range policies {
- if !policy.IsProvisionedByTargetUser() {
- log.Printf("policy %s not provisioned by %v", policy.Descriptor(), handle.PamUser.Username)
- continue
- }
 if policy.NeedsUserKeyring() {
 needDropCaches = true
 } |
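Review bot: The bare boolean passed to `policiesUsingProtector` in the first and third hunks (`false` in OpenSession, `true` in lockLoginPolicies) tells the reader nothing at the call site about which policies are kept; the function's definition is outside this diff, so the meaning is only inferable from the commit message. A short comment at each call, e.g. `// keep only policies not yet provisioned for this user` before the OpenSession call and `// keep only policies currently provisioned for this user` before the lockLoginPolicies call, would keep the intent visible, or the flag could be replaced by two small named wrappers. Dropping the per-policy "already provisioned by" / "not provisioned by" log lines in the second and fourth hunks also means that state is no longer recorded in the PAM log at all unless policiesUsingProtector logs it — worth confirming, since that trace is what explains an unlock or lock that silently did nothing. Both OpenSession and lockLoginPolicies continue outside the hunks.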