diff options
| -rw-r--r-- | actions/context.go | 8 | ||||
| -rw-r--r-- | cmd/fscrypt/format.go | 13 | ||||
| -rw-r--r-- | crypto/crypto.go | 22 | ||||
| -rw-r--r-- | crypto/crypto_test.go | 4 | ||||
| -rw-r--r-- | crypto/rand.go | 3 | ||||
| -rw-r--r-- | filesystem/filesystem.go | 38 | ||||
| -rw-r--r-- | filesystem/mountpoint.go | 19 | ||||
| -rw-r--r-- | metadata/config.go | 6 | ||||
| -rw-r--r-- | pam/login.go | 2 | ||||
| -rw-r--r-- | pam_fscrypt/pam_fscrypt.go | 1 | ||||
| -rw-r--r-- | security/privileges.go | 4 |
11 files changed, 65 insertions, 55 deletions
diff --git a/actions/context.go b/actions/context.go index ac3f6d3..4253de2 100644 --- a/actions/context.go +++ b/actions/context.go @@ -22,10 +22,10 @@ // All of the actions include a significant amount of logging, so that good // output can be provided for cmd/fscrypt's verbose mode. // The top-level actions currently include: -// - Creating a new config file -// - Creating a context on which to perform actions -// - Creating, unlocking, and modifying Protectors -// - Creating, unlocking, and modifying Policies +// - Creating a new config file +// - Creating a context on which to perform actions +// - Creating, unlocking, and modifying Protectors +// - Creating, unlocking, and modifying Policies package actions import ( diff --git a/cmd/fscrypt/format.go b/cmd/fscrypt/format.go index 28cc22d..21253ad 100644 --- a/cmd/fscrypt/format.go +++ b/cmd/fscrypt/format.go @@ -82,8 +82,10 @@ type prettyFlag interface { } // How a flag should appear on the command line. We have two formats: -// --name -// --name=ARG_NAME +// +// --name +// --name=ARG_NAME +// // The ARG_NAME appears if the prettyFlag's GetArgName() method returns a // non-empty string. The returned string from shortDisplay() does not include // any leading or trailing whitespace. @@ -96,13 +98,12 @@ func shortDisplay(f prettyFlag) string { // How our flags should appear when displaying their usage. An example would be: // -// --help Prints help screen for commands and subcommands. +// --help Prints help screen for commands and subcommands. // // If a default is specified, then it is appended to the usage. Example: // -// --time=TIME Calibrate passphrase hashing to take the -// specified amount of TIME (default: 1s) -// +// --time=TIME Calibrate passphrase hashing to take the +// specified amount of TIME (default: 1s) func longDisplay(f prettyFlag, defaultString ...string) string { usage := f.GetUsage() if len(defaultString) > 0 { diff --git a/crypto/crypto.go b/crypto/crypto.go index edc4ed7..6a719dd 100644 --- a/crypto/crypto.go +++ b/crypto/crypto.go @@ -18,17 +18,17 @@ */ // Package crypto manages all the cryptography for fscrypt. This includes: -// 1. Key management (key.go) -// - Securely holding keys in memory -// - Making recovery keys -// 2. Randomness (rand.go) -// 3. Cryptographic algorithms (crypto.go) -// - encryption (AES256-CTR) -// - authentication (SHA256-based HMAC) -// - key stretching (SHA256-based HKDF) -// - key wrapping/unwrapping (Encrypt then MAC) -// - passphrase-based key derivation (Argon2id) -// - key descriptor computation (double SHA512, or HKDF-SHA512) +// 1. Key management (key.go) +// - Securely holding keys in memory +// - Making recovery keys +// 2. Randomness (rand.go) +// 3. Cryptographic algorithms (crypto.go) +// - encryption (AES256-CTR) +// - authentication (SHA256-based HMAC) +// - key stretching (SHA256-based HKDF) +// - key wrapping/unwrapping (Encrypt then MAC) +// - passphrase-based key derivation (Argon2id) +// - key descriptor computation (double SHA512, or HKDF-SHA512) package crypto import ( diff --git a/crypto/crypto_test.go b/crypto/crypto_test.go index f98c643..1fa5a0c 100644 --- a/crypto/crypto_test.go +++ b/crypto/crypto_test.go @@ -64,7 +64,9 @@ func fakePassphraseKey() (*Key, error) { // Values for test cases pulled from argon2 command line tool. // To generate run: -// echo "password" | argon2 "aaaaaaaaaaaaaaaa" -id -t <t> -m <m> -p <p> -l 32 +// +// echo "password" | argon2 "aaaaaaaaaaaaaaaa" -id -t <t> -m <m> -p <p> -l 32 +// // where costs.Time = <t>, costs.Memory = 2^<m>, and costs.Parallelism = <p>. type hashTestCase struct { costs *metadata.HashingCosts diff --git a/crypto/rand.go b/crypto/rand.go index 7d1e55b..527f841 100644 --- a/crypto/rand.go +++ b/crypto/rand.go @@ -30,7 +30,8 @@ import ( // the operating system has insufficient randomness, the buffer creation will // fail. This is an improvement over Go's built-in crypto/rand which will still // return bytes if the system has insufficiency entropy. -// See: https://github.com/golang/go/issues/19274 +// +// See: https://github.com/golang/go/issues/19274 // // While this syscall was only introduced in Kernel v3.17, it predates the // introduction of filesystem encryption, so it introduces no additional diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go index ee6c983..9829435 100644 --- a/filesystem/filesystem.go +++ b/filesystem/filesystem.go @@ -21,15 +21,15 @@ // Package filesystem deals with the structure of the files on disk used to // store the metadata for fscrypt. Specifically, this package includes: -// 1. mountpoint management (mountpoint.go) -// - querying existing mounted filesystems -// - getting filesystems from a UUID -// - finding the filesystem for a specific path -// 2. metadata organization (filesystem.go) -// - setting up a mounted filesystem for use with fscrypt -// - adding/querying/deleting metadata -// - making links to other filesystems' metadata -// - following links to get data from other filesystems +// 1. mountpoint management (mountpoint.go) +// - querying existing mounted filesystems +// - getting filesystems from a UUID +// - finding the filesystem for a specific path +// 2. metadata organization (filesystem.go) +// - setting up a mounted filesystem for use with fscrypt +// - adding/querying/deleting metadata +// - making links to other filesystems' metadata +// - following links to get data from other filesystems package filesystem import ( @@ -195,6 +195,7 @@ func (err *ErrProtectorNotFound) Error() string { var SortDescriptorsByLastMtime = false // Mount contains information for a specific mounted filesystem. +// // Path - Absolute path where the directory is mounted // FilesystemType - Type of the mounted filesystem, e.g. "ext4" // Device - Device for filesystem (empty string if we cannot find one) @@ -210,8 +211,9 @@ var SortDescriptorsByLastMtime = false // setup first. Specifically, the directories created look like: // <mountpoint> // └── .fscrypt -// ├── policies -// └── protectors +// +// ├── policies +// └── protectors // // These "policies" and "protectors" directories will contain files that are // the corresponding metadata structures for policies and protectors. The public @@ -723,13 +725,13 @@ func (m *Mount) addMetadata(path string, md metadata.Metadata, owner *user.User) // considering that it could be a malicious file created to cause a // denial-of-service. Specifically, the following checks are done: // -// - It must be a regular file, not another type of file like a symlink or FIFO. -// (Symlinks aren't bad by themselves, but given that a malicious user could -// point one to absolutely anywhere, and there is no known use case for the -// metadata files themselves being symlinks, it seems best to disallow them.) -// - It must have a reasonable size (<= maxMetadataFileSize). -// - If trustedUser is non-nil, then the file must be owned by the given user -// or by root. +// - It must be a regular file, not another type of file like a symlink or FIFO. +// (Symlinks aren't bad by themselves, but given that a malicious user could +// point one to absolutely anywhere, and there is no known use case for the +// metadata files themselves being symlinks, it seems best to disallow them.) +// - It must have a reasonable size (<= maxMetadataFileSize). +// - If trustedUser is non-nil, then the file must be owned by the given user +// or by root. // // Take care to avoid TOCTOU (time-of-check-time-of-use) bugs when doing these // tests. Notably, we must open the file before checking the file type, as the diff --git a/filesystem/mountpoint.go b/filesystem/mountpoint.go index 0abae06..ae432bf 100644 --- a/filesystem/mountpoint.go +++ b/filesystem/mountpoint.go @@ -106,6 +106,7 @@ func getDeviceName(num DeviceNumber) string { // Parse one line of /proc/self/mountinfo. // // The line contains the following space-separated fields: +// // [0] mount ID // [1] parent ID // [2] major:minor @@ -184,11 +185,11 @@ func addUncontainedSubtreesRecursive(dst map[string]bool, // preferably a read-write mount. However, that doesn't work in containers // where the "/" subtree might not be mounted. Here's a real-world example: // -// mnt.Subtree mnt.Path -// ----------- -------- -// /var/lib/lxc/base/rootfs / -// /var/cache/pacman/pkg /var/cache/pacman/pkg -// /srv/repo/x86_64 /srv/http/x86_64 +// mnt.Subtree mnt.Path +// ----------- -------- +// /var/lib/lxc/base/rootfs / +// /var/cache/pacman/pkg /var/cache/pacman/pkg +// /srv/repo/x86_64 /srv/http/x86_64 // // In this case, all mnt.Subtree are independent. To handle this case, we must // choose the Mount whose mnt.Path contains the others, i.e. the first one. @@ -199,10 +200,10 @@ func addUncontainedSubtreesRecursive(dst map[string]bool, // needed to correctly handle bind mounts. For example, in the following case, // the first Mount should be chosen: // -// mnt.Subtree mnt.Path -// ----------- -------- -// /foo /foo -// /foo/dir /dir +// mnt.Subtree mnt.Path +// ----------- -------- +// /foo /foo +// /foo/dir /dir // // To solve this, we divide the mounts into non-overlapping trees of mnt.Path. // Then, we choose one of these trees which contains (exactly or via path diff --git a/metadata/config.go b/metadata/config.go index 1d93d74..65fd7b5 100644 --- a/metadata/config.go +++ b/metadata/config.go @@ -21,9 +21,9 @@ // Package metadata contains all of the on disk structures. // These structures are defined in metadata.proto. The package also // contains functions for manipulating these structures, specifically: -// * Reading and Writing the Config file to disk -// * Getting and Setting Policies for directories -// * Reasonable defaults for a Policy's EncryptionOptions +// - Reading and Writing the Config file to disk +// - Getting and Setting Policies for directories +// - Reasonable defaults for a Policy's EncryptionOptions package metadata import ( diff --git a/pam/login.go b/pam/login.go index 527b10d..e4f8f83 100644 --- a/pam/login.go +++ b/pam/login.go @@ -51,6 +51,7 @@ var ( // userInput is run when the callback needs some input from the user. We prompt // the user for information and return their answer. A return value of nil // indicates an error occurred. +// //export userInput func userInput(prompt *C.char) *C.char { fmt.Print(C.GoString(prompt)) @@ -65,6 +66,7 @@ func userInput(prompt *C.char) *C.char { // passphraseInput is run when the callback needs a passphrase from the user. We // pass along the tokenToCheck without prompting. A return value of nil // indicates an error occurred. +// //export passphraseInput func passphraseInput(prompt *C.char) *C.char { log.Printf("getting secret data for PAM: %q", C.GoString(prompt)) diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go index 2daff89..15066c1 100644 --- a/pam_fscrypt/pam_fscrypt.go +++ b/pam_fscrypt/pam_fscrypt.go @@ -403,6 +403,7 @@ func pam_sm_authenticate(pamh unsafe.Pointer, flags, argc C.int, argv **C.char) } // pam_sm_setcred needed because we use pam_sm_authenticate. +// //export pam_sm_setcred func pam_sm_setcred(pamh unsafe.Pointer, flags, argc C.int, argv **C.char) C.int { return C.PAM_SUCCESS diff --git a/security/privileges.go b/security/privileges.go index 5bdd43c..fe8668d 100644 --- a/security/privileges.go +++ b/security/privileges.go @@ -18,8 +18,8 @@ */ // Package security manages: -// - Cache clearing (cache.go) -// - Privilege manipulation (privileges.go) +// - Cache clearing (cache.go) +// - Privilege manipulation (privileges.go) package security // Use the libc versions of setreuid, setregid, and setgroups instead of the |