| Age | Commit message (Collapse) | Author |
|---|
|
Linux v5.4 and later supports v2 encryption policies. These have
several advantages over v1 encryption policies:
- Their encryption keys can be added/removed to/from the filesystem by
non-root users, thus gaining the benefits of the filesystem keyring
while also retaining support for non-root use.
- They use a more standard, secure, and flexible key derivation
function. Because of this, some future kernel-level fscrypt features
will be implemented for v2 policies only.
- They prevent a denial-of-service attack where a user could associate
the wrong key with another user's encrypted files.
Prepare the fscrypt tool to support v2 encryption policies by:
- Adding a policy_version field to the EncryptionOptions, i.e. to the
config file and to the policy metadata files.
- Using the kernel-specified algorithm to compute the key descriptor for
v2 policies.
- Handling setting and getting v2 policies.
Actually adding/removing the keys for v2 policies to/from the kernel is
left for the next patch.
|
|
FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY require root
for v1 policy keys, so update the PAM module to re-acquire root
privileges while provisioning/deprovisioning policies that need this.
Also, only set up the user keyring if it will actually be used.
|
|
Don't force the user to provide a --user argument when running fscrypt
as root if they're doing something where the TargetUser isn't actually
needed, such as provisioning/deprovisioning a v1 encryption policy
to/from the filesystem keyring, or creating a non-login protector.
Also don't set up the user keyring (or check for it being set up) if it
won't actually be used.
Finally, if we'll be provisioning/deprovisioning a v1 encryption policy
to/from the filesystem keyring, make sure the command is running as
root, since the kernel requires this.
|
|
Add support for 'fscrypt lock'. This command "locks" a directory,
undoing 'fscrypt unlock'.
When the filesystem keyring is used, 'fscrypt lock' also detects when a
directory wasn't fully locked due to some files still being in-use. It
can then be run again later to try to finish locking the files.
|
|
Linux v5.4 and later allows fscrypt keys to be added/removed directly
to/from the filesystem via the new ioctls FS_IOC_ADD_ENCRYPTION_KEY and
FS_IOC_REMOVE_ENCRYPTION_KEY. Among other benefits, these fix the key
visibility problems that many users have been running into, where system
services and containers can't access encrypted files.
Allow the user to opt-in to using these new ioctls for their existing
encrypted directories by setting in their /etc/fscrypt.conf:
"use_fs_keyring_for_v1_policies": true
Note that it can't really be on by default, since for v1 policies the
ioctls require root, whereas user keyrings don't. I.e., setting this to
true means that users will need to use 'sudo fscrypt unlock', not
'fscrypt unlock'. v2 policies won't have this restriction.
|
|
In preparation for introducing support for the new filesystem-level
keyrings, move the existing user keyring management code from
security/keyring.go and crypto/crypto.go into a new package, 'keyring'.
This package provides functions AddEncryptionKey, RemoveEncryptionKey,
and GetEncryptionKeyStatus which delegate to either the filesystem
keyring (added by a later patch) or to the user keyring. This provides
a common interface to both types of keyrings, to the extent possible.
|
|
|
|
When userKeyringIDLookup() looks up a user keyring, it links it into the
process keyring to ensure that the process retains the "possessor
privileges" over the user keyring, then caches the user keyring's ID.
Unfortunately, this use of the process keyring randomly fails because Go
creates threads before even init() and main() are run, and then can run
code on them later. Since the kernel doesn't create the process keyring
until userspace requests it and the process keyring is actually a
per-thread property that's only inherited by new threads, different
threads in a Go process may see different process keyrings.
Fix this by removing the user keyring cache, switching from the process
keyring to the thread keyring, and using LockOSThread() to pin the
goroutine to an OS thread while needed to perform a keyring operation.
Resolves https://github.com/google/fscrypt/issues/176
|
|
Update the example output in the README to match reality.
Also make a few other updates to the examples to take into account that
'fscrypt purge' now drops caches by default, and that the root
filesystem doesn't need to support encryption if the encrypted
directories are being created on a different filesystem.
Resolves https://github.com/google/fscrypt/issues/62
|
|
README.md: remove obsolete warning about changing login passphrase
|
|
For some time now, fscrypt actually does re-wrap a user's login
protector when their login passphrase changes, provided that the PAM
configuration is correct. Remove the obsolete paragraph.
Update https://github.com/google/fscrypt/issues/51
|
|
Preserve empty lines rather than squashing them into a single space.
This allows having command descriptions that contain multiple
paragraphs. This also eliminates the need to have a special case for
ordered lists.
|
|
Refer to the target User as 'targetUser' rather than simply 'target'.
This will help avoid confusion when we add support for the filesystem
keyring, since then the Mount will also be a "target".
|
|
Use the new name for fscrypt constants and structures which have been
given a new name.
Also use the named constant for the DIRECT_KEY fscrypt policy flag.
No change in behavior. This is just preparing for future work.
|
|
Upgrade to get the new fscrypt declarations from Linux v5.4.
|
|
Saying "Your data can be protected with one of the following sources" is
ambiguous because it could be interpreted to mean that an encrypted
directory can only have one type of protector. In fact, an encrypted
directory can have multiple protectors, and they can be of any type.
Update https://github.com/google/fscrypt/issues/164
|
|
To make manually editing linked protectors slightly more user-friendly,
automatically strip any leading or trailing whitespace. E.g. treat
"UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb\n" the same as
"UUID=3a6d9a76-47f0-4f13-81bf-3332fbe984fb".
Update https://github.com/google/fscrypt/issues/115
|
|
Ensure that the environmental variable GO111MODULE is set to "on" when
running 'go get'. This fixes a CI failure with Go 1.11 and 1.12.
|
|
Add Code of Conduct
|
|
This project has always been under a CoC, but I forgot to incude the
file when creating the repo. See also: https://opensource.google/conduct/
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
Store fscrypt metadata in only one place per filesystem, so that bind
mounts don't get their own metadata directories (which was ambiguous,
as the same file may be accessible via multiple mounts).
Also correctly set the source device for root filesystems mounted via
the kernel command line, and fix creating linked protectors to such
filesystems.
|
|
Add a version of loadMountInfo() that takes an io.Reader parameter to
allow injecting a custom mountinfo file, then add some unit tests.
|
|
Currently, fscrypt treats bind mounts as separate filesystems. This is
broken because fscrypt will look for a directory's encryption policy in
different places depending on which mount it's accessed through. This
forces users to create an fscrypt metadata directory at every bind
mount, and to copy fscrypt metadata around between mounts.
Fix this by storing fscrypt metadata only at the root of the filesystem.
To accomplish this:
- Make mountsByDevice store only a single Mount per filesystem, rather
than multiple. For this Mount, choose a mount of the full filesystem
if available, preferably a read-write mount. If the filesystem has
only bind mounts, store a nil entry in mountsByDevice so we can show a
proper error message later.
- Change FindMount() and GetMount() to look up the Mount by device
number rather than by path, so that they don't return different Mounts
depending on which path is used.
- Change AllFilesystems() to not return bind mounts.
- Due to the above changes, the mountsByPath map is no longer needed
outside of loadMountInfo(). So make it a local variable there.
Resolves https://github.com/google/fscrypt/issues/59
|
|
The previous patch fixed making linked protectors to /dev/root, by
setting Mount.Device to the real device node rather than /dev/root.
That's good, but it also hints that the linked protector handling is
unnecessarily fragile, as it relies on the device node name matching
exactly. The Linux kernel allows the same device to have multiple
device nodes, and path comparisons are slow and error-prone in general.
Change it to compare the device number instead.
|
|
A root filesystem mounted via the kernel command line always has a
source of "/dev/root", which isn't a real device node. This makes
fscrypt think this filesystem doesn't have a source device, which breaks
creating login passphrase-protected directories on other filesystems:
fscrypt encrypt: filesystem /: no device for mount "/": system error: cannot create filesystem link
This also makes 'fscrypt status' show a blank source device:
MOUNTPOINT DEVICE FILESYSTEM ENCRYPTION FSCRYPT
/ ext4 supported Yes
To fix this case, update loadMountInfo() to map the device number to the
device name via sysfs rather than use the mount source field.
|
|
Add a utility type and functions for handling device numbers.
|
|
The kernel always shows mountpoints as absolute paths without symlinks,
so there's no need to canonicalize them in userspace.
|
|
Change loadMountInfo() to load the mounts directly from
/proc/self/mountinfo, rather than use the mntent.h C library calls.
This is needed for correct handling of bind mounts and of "/dev/root",
since /proc/self/mountinfo has extra fields which show the mounted
subtree and the filesystem's device number. /proc/mounts lacks these
fields, and the C library calls can't provide them.
To start, this patch just switches to using /proc/self/mountinfo,
without doing anything with the extra fields yet.
As a bonus, this eliminates all C code in mountpoint.go.
|
|
Make it clearer that this function loads data into global data
structures, and doesn't return anything.
|
|
fscrypt doesn't currently do anything with the mount options, so remove
them from the Mount structure for now.
|
|
Make it clear that this refers to a type of filesystem such as "ext4",
rather than to a specific filesystem instance.
|
|
See: https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module
The tool code is never actually built, but the versions are still lock
in `go.mod` and `go.sum`. We can also simplify the Makefile.
|
|
As the Go community transitions to using the modules ecosystem,
we want to only support one way of managing dependencies.
So this change moves to only using Go modules for dependency management.
This means that our effective minimum Go version increases to Go 1.11.
To account for this, we also update:
- the documentation
- Makefile
- CI scripts
|
|
Simple optimization to reduce memory allocations and copying when appending.
|
|
If the user has set a restrictive umask, e.g. 0077, then
/etc/fscrypt.conf would be created without the world-readable bit set.
Fix it by overriding the umask when creating the file.
Resolves https://github.com/google/fscrypt/issues/151
|
|
filesystem: allow .fscrypt to be a symlink
|
|
This makes it easier to understand which code is actually invoked by the
command-line tool.
|
|
Support the case where the user has a read-only root filesystem (e.g.
with OSTree) and had previously created a symlink /.fscrypt pointing to
a writable location, so that login protectors can be created there.
Resolves https://github.com/google/fscrypt/issues/131
|
|
Make the global setup command also create the metadata directory at
/.fscrypt, since that's where login protectors are placed, even when the
actual encrypted directories are on a different filesystem.
Resolves https://github.com/google/fscrypt/issues/129
|
|
Also add go version attrubute to go.mod
|
|
Show the encryption options when running 'fscrypt status' on a
directory. E.g.:
Policy: 490515286453d3f7
Options: padding:32 contents:Adiantum filenames:Adiantum
Unlocked: Yes
|
|
* filesystem: ensure data is persisted before returning success
Sync the temporary file before renaming it, to ensure that after a
crash, the destination file isn't zero-length or otherwise incomplete.
Also sync the directory after the rename, to ensure the rename has been
persisted before returning success.
* filesystem: don't use fixed temporary file name
Using a fixed temporary file name in a world-writable sticky directory
is problematic since another user can create the file first.
Use ioutil.TempFile() to do it properly. It uses O_EXCL under the hood
to ensure the file is newly created.
|
|
These were found by a combination of manual review and a custom script
that checks for common errors.
Also removed an outdated sentence from the comment for setupBefore().
|
|
Add the tags file to .gitignore, for developers using
https://github.com/jstemmer/gotags.
|
|
Fix 'make format'-related CI failure
|
|
This fixes a CI failure, caused by goimports changing how it formats the
imports.
|
|
Due to a goimports update, 'make format' is now changing metadata.pb.go.
But this fix can't be committed because this file is generated by
'make gen'.
Fix this by not formatting generated files.
|
|
Resolves https://github.com/google/fscrypt/issues/124
|
|
Resolves https://github.com/google/fscrypt/issues/117
Resolves https://github.com/google/fscrypt/issues/127
|
|
Resolves https://github.com/google/fscrypt/issues/58
|
