| Age | Commit message (Collapse) | Author |
|---|
|
Add back the mountsByPath map, which indexes all Mounts by mountpoint.
This is needed again.
To avoid confusion, also rename two local variables named mountsByPath.
mountsByPath won't contain nil entries, so also make AllFilesystems()
use it instead of mountsByDevice. This shouldn't change its behavior.
Update https://github.com/google/fscrypt/issues/339
|
|
cli-tests: fix broken test
|
|
I'm not sure how this passed the GitHub checks.
|
|
filesystem: store mountpoint in link files as a fallback
|
|
cmd/fscrypt: don't load protector in remove-protector-from-policy
|
|
Make remove-protector-from-policy work even if the protector cannot be
loaded (for example, due to having been deleted already).
Fixes https://github.com/google/fscrypt/issues/258
Fixes https://github.com/google/fscrypt/issues/272
|
|
|
|
Currently, linked protectors use filesystem link files of the form
"UUID=<uuid>". These links get broken if the filesystem's UUID changes,
e.g. due to the filesystem being re-created even if the ".fscrypt"
directory is backed up and restored.
To prevent links from being broken (in most cases), start storing the
mountpoint path in the link files too, in the form
"UUID=<uuid>\nPATH=<path>\n". When following a link, try the UUID
first, and if it doesn't work try the PATH. While it's possible that
the path changed too, for login protectors (the usual use case of linked
protectors) this won't be an issue as the path will always be "/".
An alternative solution would be to fall back to scanning all
filesystems for the needed protector descriptor. I decided not to do
that, since relying on a global scan doesn't seem to be a good design.
It wouldn't scale to large numbers of filesystems, it could cross
security boundaries, and it would make it possible for adding a new
filesystem to break fscrypt on existing filesystems. And if a global
scan was an acceptable way to find protectors during normal use, then
there would be no need for link files in the first place.
Note: this change is backwards compatible (i.e., fscrypt will continue
to recognize old link files) but not forwards-compatible (i.e., previous
versions of fscrypt won't recognize new link files).
Fixes https://github.com/google/fscrypt/issues/311
|
|
context_text: remove pre-existing test.conf
|
|
This fixes a test failure in the case where test.conf gets left over.
|
|
Fix a few typos
|
|
|
|
pam_fscrypt: warn user if OLDAUTHTOK not given in chauthtok
|
|
If someone runs 'passwd USER' as root, the user is assigned a new login
passphrase without their fscrypt login protector being updated. Detect
this case and show a warning message using pam_info().
Fixes https://github.com/google/fscrypt/issues/273
|
|
README: elaborate on alternatives and threat model
|
|
Fixes https://github.com/google/fscrypt/issues/318
|
|
"Linux filesystem encryption" sounds too vague. Write "Linux native
filesystem encryption" instead.
|
|
filesystem: avoid accessing irrelevant filesystems
|
|
Forbid 'fscrypt setup' on filesystems that aren't expected to support
encryption (other than the root filesystem), and skip looking for
fscrypt metadata directories on such filesystems. This has two
benefits. First, it avoids the printing of annoying warnings like:
pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied
pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied
pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied
pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied
pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied
pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied
Second, it avoids long delays or side effects on some filesystems.
To do this, introduce an allowlist of filesystem types that fscrypt will
recognize. I wanted to avoid doing this, since this list will need to
be updated in the future, but I don't see a better solution.
|
|
Set owner of login protectors to correct user
|
|
README: document issue with ssh ChallengeResponseAuthentication
|
|
pam: avoid compiler warning in copyIntoSecret()
|
|
When the root user creates a login protector for a non-root user, make
sure to chown() the protector file to make it owned by the user.
Without this, the protector cannot be updated by the user, which causes
it to get out of sync if the user changes their login passphrase.
Fixes https://github.com/google/fscrypt/issues/319
|
|
gcc 11 enabled -Wmaybe-uninitialized by default. It causes a
false-positive warning in copyIntoSecret() because gcc doesn't
understand that mlock() is special and doesn't read from the memory.
Just initialize the memory to avoid this warning.
|
|
Update https://github.com/google/fscrypt/issues/321
Update https://github.com/google/fscrypt/issues/324
|
|
cmd/fscrypt: read key from stdin in non-interactive shell
|
|
Fixes #123
|
|
|
|
As per the feedback at https://github.com/google/fscrypt/issues/115
where users didn't understand that the recovery passphrase is important,
restore the original behavior where recovery passphrase generation
happens automatically without a prompt. This applies to the case where
'fscrypt encrypt' is using a login protector on a non-root filesystem.
However, leave the --no-recovery option so that the recovery passphrase
can still be disabled if the user really wants to. Also, clarify the
information provided about the recovery passphrase.
Update https://github.com/google/fscrypt/issues/115
|
|
README: mention LTS kernel versions with symlink bug fix
|
|
Resolves https://github.com/google/fscrypt/issues/305
|
|
In Linux 5.15, the no-key name format is changing again; see
https://git.kernel.org/linus/ba47b515f5940603. isPossibleNoKeyName()
sometimes doesn't recognize the new no-key names. Update it accordingly
to recognize all possible no-key names.
Note: isPossibleNoKeyName() is only used as a heuristic to check whether
a v1-encrypted directory is incompletely locked or not. Therefore, it's
not too important whether it works. However, this change is needed for
cli-tests/t_v1_policy to pass.
|
|
These confuse the latest version of shellcheck into thinking that
functions which take no arguments actually take arguments, which
triggers a bunch of warnings like "Use func "$@" if function's $1 should
mean script's $1", which causes 'make lint' to fail. These checks
aren't too useful, so just remove them.
|
|
Update https://github.com/google/fscrypt/issues/115
|
|
Readme updates
|
|
|
|
Capitalize the first word only, and don't use periods.
|
|
Resolves https://github.com/google/fscrypt/issues/51
Resolves https://github.com/google/fscrypt/issues/115
|
|
A lot of people are already using fscrypt, so in practice we haven't
been breaking backwards compatibility and aren't going to. Just remove
the scary-sounding "Note about stability".
|
|
These would still be nice to add. However, the mention of them in the
README is misleading because people reading it might come away with the
impression that there is currently no way to back up fscrypt metadata or
to recover directories -- which isn't true. (The fscrypt metadata is
just a directory which can be backed up like any other directory. And
'fscrypt encrypt' already offers to generate a recovery passphrase when
the directory and protector are on different filesystems.)
Just remove this note; it doesn't really add any value.
|
|
Updates to the troubleshooting documentation
|
|
Update https://github.com/google/fscrypt/issues/305
|
|
Clarify some of the troubleshooting documentation.
|
|
|
|
Inspired by https://reddit.com/r/linuxquestions/comments/n75dv4
|
|
Fixes https://github.com/google/fscrypt/issues/194
Update https://github.com/google/fscrypt/issues/100
|
|
Fix the GRUB detection logic to take into account that
MOUNTPOINT/boot/grub might not be on the same filesystem as MOUNTPOINT,
due to MOUNTPOINT/boot being another mountpoint. The warning is only
appropriate when GRUB is installed on the same filesystem that
encryption is going to be enabled on.
|
|
Rename the troubleshooting section "Can't log in with ssh even when
user's encrypted home directory is unlocked" to the more general "Some
processes can't access unlocked encrypted files", and rewrite it to
provide clearer directions for how to fix the problem by upgrading
encrypted directories to policy version 2.
Also add a related section "Users can access other users' unlocked
encrypted files" which covers the reverse "issue", i.e. people expecting
some processes to *not* be able to access unlocked encrypted files.
Fixes https://github.com/google/fscrypt/issues/248
|
|
Update https://github.com/google/fscrypt/issues/273
|
|
Only use 1/8 of the system RAM and run the Garbage Collector in the timing loop
|
