| Age | Commit message (Collapse) | Author |
|---|
|
The test user's user keyring is still linked into root's user keyring at
the end of the test. This is making the test flaky, as there is a
failure that only occurs the first time it is run. Fix the test to
restore the initial state. This makes it consistently fail (to be fixed
by the next commit).
|
|
* cmd/fscrypt: fix 32-bit build
* travis.yml: build 32-bit binary
|
|
statfs.Bsize actually has platform-dependent type, despite the Go
documentation listing it as int64. Fix the build for 32-bit platforms
by casting it to int64.
Resolves https://github.com/google/fscrypt/issues/233
|
|
Don't let people check in code that breaks 32-bit builds.
Update https://github.com/google/fscrypt/issues/233
|
|
|
|
Use %q, in case the paths contain whitespace. Also clean the directory
path to remove trailing slashes before appending the ".new" suffix.
|
|
Update https://github.com/google/fscrypt/issues/220
|
|
Explicitly mention that "fscrypt" here means the userspace tool, not the
kernel part. Also write `fscrypt` in code font to emphasize this.
|
|
|
|
Update https://github.com/google/fscrypt/issues/220
|
|
Update https://github.com/google/fscrypt/issues/220
|
|
This fixes link error with gcc 10 which defaults to -fno-common
|
|
Improve error messages and suggestions
|
|
In checkEncryptable(), check whether the directory is already encrypted
before checking whether it's empty.
Also improve the error message for when a directory is nonempty.
Finally, translate keyring.ErrKeyAddedByOtherUsers and
keyring.ErrKeyFilesOpen into errors which include the directory.
|
|
This isn't actually a valid error since crypto.NewKeyFromReader()
handles re-allocating the buffer to a larger size if it fills up.
|
|
Introduce filesystem.ErrEncryptionNotEnabled and
filesystem.ErrEncryptionNotSupported which include the Mount as context,
and translate the corresponding metadata/ errors into them. Then make
these errors show much better suggestions.
Also replace lots of other filesystem/ errors with either custom types
or with unnamed one-off errors that include more context. Fix backwards
wrapping in lots of cases.
Finally, don't include the mountpoint in places where it's not useful,
like OS-level errors that already include the path.
|
|
ErrBadOwners:
Rename to ErrDirectoryNotOwned for clarity, move it from
cmd/fscrypt/ to metadata/ where it better belongs, and improve
the message.
ErrEncrypted:
Rename to ErrAlreadyEncrypted for clarity, and include the path.
ErrNotEncrypted:
Include the path.
ErrBadEncryptionOptions:
Include the path and bad options.
ErrEncryptionNotSupported:
ErrEncryptionNotEnabled:
Don't wrap with "get encryption policy %s", in preparation for
wrapping these with filesystem-level context instead.
Also avoid mixing together the error handling for the "get policy" and
"set policy" ioctls. Make it very clear how we're handling the errors
from each ioctl.
|
|
ErrAccessUserKeyring:
Include the user, and fix the backwards wrapping.
ErrSessionUserKeyring:
Include the user.
ErrKeyAdd:
ErrKeyRemove:
ErrKeySearch:
ErrLinkUserKeyring:
Replace these with one-off unnamed errors because they are
never checked for, and this makes it easier for the callers to
provide better messages, e.g. fixing the backwards wrapping.
|
|
ErrKeyLock:
Rename to ErrMlockUlimit for clarity.
ErrGetrandomFail:
ErrKeyAlloc:
ErrKeyFree:
ErrNegativeLength:
Replace these with one-off unnamed errors because these were all
returned in only one place and were never checked for. Also
these were all either wrapped backwards or discarded an
underlying error, so fix that too.
|
|
ErrMissingPolicyMetadata:
Include the mount, directory path, and metadata path. Also move
the explanation into actions/ since it doesn't refer to any CLI
command.
ErrPolicyMetadataMismatch:
Include a lot more information. Also start checking for
consistency of the policy key descriptors, not just the
encryption options. Add a test for this.
ErrDifferentFilesystem:
Include the mountpoints.
ErrOnlyProtector:
Clarify the message and include the protector descriptor.
ErrAlreadyProtected:
ErrNotProtected:
Include the policy and protector descriptors.
ErrAccessDeniedPossiblyV2:
Make it slightly clearer what failed. Also move the explanation
into actions/ since it doesn't refer to any CLI command.
|
|
ErrProtectorName:
Rename to ErrLoginProtectorName for clarity, and include the
name and user.
ErrMissingProtectorName:
Include the correct protector source.
ErrDuplicateName:
Rename to ErrProtectorNameExists for clarity, and remove a level
of wrapping by including the name directly.
ErrDuplicateUID:
Rename to ErrLoginProtectorExists for clarity, and remove a
level of wrapping by including the user directly.
|
|
ErrBadConfig:
Fix backwards wrapping, include the bad config, and make it
clear that this is an internal error.
ErrBadConfigFile:
Fix backwards wrapping, include the config file location, and
adjust the suggestion slightly.
ErrConfigFileExists:
Include the config file location.
ErrNoConfigFile:
Include the config file location, and adjust the suggestion
slightly.
|
|
Allow the input text to contain "code blocks" denoted by lines beginning
with ">", e.g.:
Foo bar baz:
> echo foo
> echo bar
Instead of squashing these lines together, preserve the line breaks
between them and add indentation, e.g.:
Foo bar baz:
echo foo
echo bar
|
|
Try to detect incomplete locking of v1-encrypted directory
|
|
'fscrypt lock' on a v1-encrypted directory doesn't warn about in-use
files, as the kernel doesn't provide a way to easily detect it.
Instead, implement a heuristic where we check whether a subdirectory can
be created. If yes, then the directory must not be fully locked.
Make both 'fscrypt lock' and 'fscrypt status' use this heuristic.
Resolves https://github.com/google/fscrypt/issues/215
|
|
KEYCTL_INVALIDATE has complicated semantics: it doesn't remove the key
from the keyring right away but rather marks it as being invalidated,
and then removes it asynchronously. This nondeterministically breaks
the heuristic I'm implementing to detect v1-encrypted directories being
incompletely locked.
Instead, switch to KEYCTL_UNLINK, which has simpler semantics.
Note that Android uses KEYCTL_UNLINK too.
|
|
Add tests for command-line interface
Add tests that directly test the fscrypt command-line tool.
See cli-tests/README.md for information about the test framework.
The following test scripts are included:
* t_change_passphrase
* t_encrypt_custom
* t_encrypt_login
* t_encrypt_raw_key
* t_encrypt
* t_lock
* t_not_enabled
* t_not_supported
* t_passphrase_hashing
* t_setup
* t_status
* t_unlock
* t_v1_policy_fs_keyring
* t_v1_policy
Unfortunately, we can't actually make Travis CI run these tests yet because they need kernel v5.4 or later, and Travis CI doesn't support an Ubuntu version that has that yet. But for now, they can be run manually using make cli-test.
|
|
Test using v1 encryption policies (deprecated) with
use_fs_keyring_for_v1_policies = true.
|
|
Test using v1 encryption policies (deprecated).
|
|
Test unlocking a directory.
|
|
Test getting global, filesystem, and unencrypted directory status when
the filesystem is or isn't set up for fscrypt.
|
|
Test 'fscrypt setup'.
|
|
Test that the passphrase hashing seems to take long enough.
|
|
Test that fscrypt fails when the filesystem doesn't support encryption.
|
|
Test that fscrypt fails when the filesystem doesn't have the encrypt
feature enabled. Then test enabling it.
|
|
Test locking a directory.
|
|
Test encrypting a directory using a raw_key protector.
|
|
Test encrypting a directory using a login (pam_passphrase) protector.
|
|
Test encrypting a directory using a custom_passphrase protector.
|
|
Add general tests for 'fscrypt encrypt'. For protector-specific tests,
see t_encrypt_custom, t_encrypt_login, and t_encrypt_raw_key.
|
|
Test changing the passphrase of a custom_passphrase protector.
|
|
Enforce that all the cli-test scripts pass 'shellcheck'.
|
|
Add a framework for writing automated tests of the fscrypt command-line
tool. See cli-tests/README.md for details.
|
|
Allow setting FSCRYPT_CONSISTENT_OUTPUT=1 in the environment to cause
policies and protectors to sorted by last modification time. The CLI
tests need this to make the output of 'fscrypt' ordered in a consistent
way with regard to the operations performed.
|
|
Allow overriding the mountpoint where login protectors are stored by
setting the FSCRYPT_ROOT_MNT environmental variable. The CLI tests need
this to avoid touching the real "/".
|
|
Allow overriding the location of fscrypt.conf by setting the
FSCRYPT_CONF environmental variable. The CLI tests need this to avoid
touching the real /etc/fscrypt.conf.
|
|
There's no longer a need to override the Ubuntu version that the
Travis CI builds install e2fsprogs from, since we now use
"dist: bionic", and e2fsprogs in Bionic supports encryption.
|
|
Since v0.2.6, fscrypt only builds for 64-bit systems. E.g. trying to
build on Raspbian fails with the following error:
$ go get github.com/google/fscrypt/cmd/fscrypt
# github.com/google/fscrypt/keyring
go/src/github.com/google/fscrypt/keyring/fs_keyring.go:231:6: constant 3225445912 overflows int
go/src/github.com/google/fscrypt/keyring/fs_keyring.go:235:7: constant 3225445913 overflows int
Fix it by making the 'ioc' variable have type uintptr.
[EB - removed the later cast to uintptr that became unnecessary, and
added explanation to commit message.]
|
|
Update the /proc/self/mountinfo parsing code to allow selecting a Mount
with Subtree != "/", i.e. a Mount not of the full filesystem. This is
needed to allow fscrypt to work in containers, where the root of the
filesystem may not be mounted.
See findMainMount() for details about the algorithm used.
Resolves https://github.com/google/fscrypt/issues/211
|
|
Signed-off-by: Joe Richey <joerichey@google.com>
|
