| Age | Commit message (Collapse) | Author |
|---|
|
Running `crypto.PassphraseHash` in a loop allocates a lot of memory.
Golang is not always prudent about collecting the garbage from previous
runs, resulting in a OOM error on memory-pressured systems.
With a `maxMemoryBytes` of 128 MiB, this change reduces the maximum
resident memory for `fscrypt setup` to 141 MiB (was perviously 405 MiB)
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
On systems with high memory pressure, using half of the entire RAM for
hashing can result in fscrypt getting OOM killed.
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
Root can read all files, so this test fails when running as root.
Skip it instead.
Resolves https://github.com/google/fscrypt/issues/288
|
|
When building pam_fscrypt.so, specify -buildmode=c-shared after
$(GO_FLAGS) so that it overrides any user-specified buildmode.
This is needed to allow -buildmode=pie to be specified in GO_FLAGS if
the packager wants to build fscrypt as a position-independent executable
(e.g. following https://wiki.archlinux.org/title/Go_package_guidelines).
Previously, trying to do this caused pam_fscrypt.so to be incorrectly
built as an executable rather than as a shared library.
|
|
Fix word mismatch in usage and description of metadata create policy
command.
|
|
The golang.org/x/crypto/ssh/terminal package is deprecated and merely a
wrapper around golang.org/x/term. Thus, use the latter directly.
|
|
This allows non Ubuntu distributions to opt out from the installation
of Ubuntu-specific PAM files.
|
|
|
|
Stop generating and uploading coverage in CI
|
|
This avoids duplicate CI checks
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
This is currently broken, and we don't really use the findings.
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
pam_fscrypt: eliminate unnecessary options and improve documentation
|
|
Make some more corrections:
- pam-config-framework isn't actually Ubuntu-specific but actually
applies to Debian and any Debian derivative.
- The pam-config-framework file is indeed installed by `make install`,
just not into the correct location.
- On Debian (and Debian derivatives), the PAM configuration isn't
actually part of the 'fscrypt' package but rather 'libpam-fscrypt'.
- Clarify where to add the pam_fscrypt.so session hook.
|
|
There are several mentions of pam_fscrypt handling unlocking
directories. Make sure to mention locking alongside this.
|
|
All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook. The
Debian/Ubuntu pam-config-framework config file has it too.
Make locking the default behavior, since this is what everyone wants.
Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.
(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful. So for
simplicity, leave it out for now.)
|
|
Configuring whether pam_fscrypt drops caches or not isn't really
something the user should have to do, and it's also irrelevant for v2
encryption policies (the default on newer systems). It's better to have
pam_fscrypt automatically decide whether it needs to drop caches or not.
Do this by making pam_fscrypt check whether any encryption policy keys
are being removed from a user keyring (rather than from a filesystem
keyring). If so, it drops caches; otherwise it doesn't. This
supersedes the "drop_caches" option, which won't do anything anymore.
|
|
Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.
Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as https://github.com/google/fscrypt/issues/270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.
After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (eg pam_mount
at 128) but before those which seem unlikely to work without a home
directory (eg pam_ssh at 64).
|
|
In GitHub Workflows, apparently running 'apt-get update' before 'apt-get
install' is sometimes needed, and it doesn't hurt to always do it.
|
|
|
|
Update #272
|
|
|
|
Workflow names are case-sensitive
Signed-off-by: Joe Richey <joerichey@google.com>
|
|
travis-ci.org is being shut down, so switch to GitHub Actions.
It should be mostly equivalent, but I did drop functionality in a couple
cases:
- Publishing release binaries. I don't think providing Linux binaries
is useful, since people build their own anyway. So I left this out.
- Build and testing on ppc64le. GitHub Actions only natively supports
x86. I tried uraimo/run-on-arch-action, which uses Docker and QEMU
user-mode emulation, but the fscrypt tests can't be run because
QEMU user-mode emulation doesn't support all the needed system calls.
|
|
Otherwise the cli tests fail when executed from GitHub Actions.
|
|
|
|
Now that Travis CI supports a version of Ubuntu that has a kernel that
supports v2 encryption policies, upgrade to it and enable the cli tests.
|
|
Set the terminal to raw mode *before* printing the prompt.
Otherwise the user (or the automated test) might enter the
passphrase before the terminal gets put into raw mode.
This is needed for some of the CLI tests to pass reliably in Travis CI.
|
|
Apparently, on some distros 'su' doesn't preserve $PATH. So, manually
export it in the command. Also, ensure that the shell stays as bash.
This is needed for some of the CLI tests to pass in Travis CI.
|
|
On an "incompletely locked" directory, isDirUnlockedHeuristic() is
supposed to return true, but on Linux v5.10-rc1 and later it returns
false since now creating a subdirectory fails rather than succeeds.
This change was intentional, so make isDirUnlockedHeuristic() apply a
second heuristic too: also return true if any filenames in the directory
don't appear to be valid no-key names.
This fixes cli-tests/t_v1_encrypt on Linux v5.10-rc1 and later.
|
|
|
|
|
|
Ubuntu's PAM configuration framework only recognizes files in /usr, not
/usr/local. So for installs from source, unfortunately we have to
recommend installing to /usr, despite this not being conventional.
Resolves https://github.com/google/fscrypt/issues/240
|
|
|
|
Adjust status message for v1 policies unlocked by another user and fix cli-tests/t_v1_policy
|
|
When 'fscrypt status DIR' detects that a v1-encrypted directory is still
usable but its key seems to be absent, it shows the status as
"Unlocked: Partially (incompletely locked)". But actually it can also
be the case that the directory is unlocked by another user. Adjust the
status message accordingly.
This commit also fixes cli-tests/t_v1_policy.
|
|
The test user's user keyring is still linked into root's user keyring at
the end of the test. This is making the test flaky, as there is a
failure that only occurs the first time it is run. Fix the test to
restore the initial state. This makes it consistently fail (to be fixed
by the next commit).
|
|
* cmd/fscrypt: fix 32-bit build
* travis.yml: build 32-bit binary
|
|
statfs.Bsize actually has platform-dependent type, despite the Go
documentation listing it as int64. Fix the build for 32-bit platforms
by casting it to int64.
Resolves https://github.com/google/fscrypt/issues/233
|
|
Don't let people check in code that breaks 32-bit builds.
Update https://github.com/google/fscrypt/issues/233
|
|
|
|
Use %q, in case the paths contain whitespace. Also clean the directory
path to remove trailing slashes before appending the ".new" suffix.
|
|
Update https://github.com/google/fscrypt/issues/220
|
|
Explicitly mention that "fscrypt" here means the userspace tool, not the
kernel part. Also write `fscrypt` in code font to emphasize this.
|
|
|
|
Update https://github.com/google/fscrypt/issues/220
|
|
Update https://github.com/google/fscrypt/issues/220
|
|
This fixes link error with gcc 10 which defaults to -fno-common
|
|
Improve error messages and suggestions
|
|
In checkEncryptable(), check whether the directory is already encrypted
before checking whether it's empty.
Also improve the error message for when a directory is nonempty.
Finally, translate keyring.ErrKeyAddedByOtherUsers and
keyring.ErrKeyFilesOpen into errors which include the directory.
|
|
This isn't actually a valid error since crypto.NewKeyFromReader()
handles re-allocating the buffer to a larger size if it fills up.
|
