| Age | Commit message | Author |
|
This fixes a CI failure, caused by goimports changing how it formats the
imports.
|
|
Due to a goimports update, 'make format' is now changing metadata.pb.go.
But this fix can't be committed because this file is generated by
'make gen'.
Fix this by not formatting generated files.
|
|
Resolves https://github.com/google/fscrypt/issues/124
|
|
Resolves https://github.com/google/fscrypt/issues/117
Resolves https://github.com/google/fscrypt/issues/127
|
|
Resolves https://github.com/google/fscrypt/issues/58
|
|
Resolves https://github.com/google/fscrypt/issues/132
|
|
Fixes CI issues
|
|
Install pam modules/configs to the right location
|
|
Per the FHS, manually installed programs should go under /usr/local.
This change also makes it easier to change the global installation
prefix. For example, package managers should set PREFIX=/usr
|
|
Add support for the Adiantum encryption mode
|
|
Makefile: migrate from megacheck to staticcheck
|
|
This fixes travis issues as well as moving us off of deprecated tooling
|
|
Add Adiantum support to the fscrypt userspace tool. Supported in the
kernel since v5.0-rc1, Adiantum is a length-preserving encryption mode
based primarily on XChaCha12. It is fast even on CPUs without AES
instructions. Unlike XTS it is also a wide-block encryption mode.
Adiantum is supported for both contents and filenames encryption.
For Adiantum encryption policies, also make the fscrypt tool provide the
new DIRECT_KEY flag, which further improves performance by requesting
that all files be encrypted directly with the policy key. This takes
advantage of Adiantum's support for long tweaks.
See the kernel commit "fscrypt: add Adiantum support"
(https://git.kernel.org/torvalds/c/8094c3ceb21ad938) for more details.
|
|
Makefile: use a specific protoc-gen-go version
|
|
'make gen' no longer works because it uses the git version of
protoc-gen-go, which is no longer compatible with the latest released
version of github.com/golang/protobuf/proto, which we're using. Freeze
the protoc-gen-go version so that it keeps working.
|
|
README: fix "Debain" typo
|
|
feat(spell-check): add make command for spell check.
|
|
* Remove spelling mistakes in the repository
* Add travis script to check for typos.
* Add command to Makefile to check for typos.
* Fixes #71
|
|
Use Go Modules and support Go 1.11 building
|
|
Release: v0.2.4
|
|
Cleanup privilege dropping/raising in pam_fscrypt
|
|
This change makes sure that, when we set the ruid and euid in order to
get the user keyring linked into the current process keyring, we will
always be able to reverse these changes (using a suid of 0).
This fixes an issue where "su <user>" would result in a system error
when called by an unprivileged user. It also explains exactly how and
why we are making these privilege changes.
|
|
This change makes sure after dropping then elevating privileges for a
process, the euid, guid, and groups are all the same as they were
originally. This significantly simplifies the privilege logic.
This fixes CVE-2018-6558, which allowed an unprivileged user to gain
membership in the root group (gid 0) due to the groups not being
properly reset in the process.
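
The invariant this commit message describes (euid, gid and supplementary groups identical before and after a drop/regain cycle) can be checked mechanically. The following is an added example, not fscrypt's own code; the function names, `MAX_GROUPS` and the uid/gid 65534 are assumptions made for illustration. It uses the glibc wrappers and verifies the result by re-reading the credentials instead of trusting return codes.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_GROUPS 256 /* assumed bound for this example */
struct creds { uid_t euid; gid_t egid; int n; gid_t groups[MAX_GROUPS]; };

static int creds_save(struct creds *c) {
    c->euid = geteuid();
    c->egid = getegid();
    c->n = getgroups(MAX_GROUPS, c->groups);
    return c->n < 0 ? -1 : 0;
}

static int creds_equal(const struct creds *a, const struct creds *b) {
    return a->euid == b->euid && a->egid == b->egid && a->n == b->n &&
           memcmp(a->groups, b->groups, (size_t)a->n * sizeof(gid_t)) == 0;
}

/* Hypothetical callback: records the euid it actually ran with. */
static uid_t seen_euid = (uid_t)-1;
static void record_euid(void) { seen_euid = geteuid(); }

/* Run fn as uid/gid, then put euid, egid AND supplementary groups back.
 * Returns 0 if fn ran dropped, -1 if the drop was refused (fn not run),
 * -2 if the original credentials could not be fully restored. */
static int run_dropped(uid_t uid, gid_t gid, void (*fn)(void)) {
    struct creds saved, now;
    if (creds_save(&saved) != 0) return -1;
    /* Drop groups and gid while still privileged; euid goes last. */
    int dropped = setgroups(1, &gid) == 0 && setegid(gid) == 0 &&
                  seteuid(uid) == 0;
    if (dropped) fn();
    /* Regain in reverse order, also after a partial drop. */
    int rc = seteuid(saved.euid);
    rc |= setegid(saved.egid);
    rc |= setgroups((size_t)saved.n, saved.groups);
    (void)rc; /* unprivileged callers fail here; the re-read decides */
    if (creds_save(&now) != 0 || !creds_equal(&saved, &now))
        return -2; /* caller must treat this as fatal */
    return dropped ? 0 : -1;
}

int main(void) {
    int rc = run_dropped(65534, 65534, record_euid); /* constructed ids */
    printf("rc=%d ran_as=%ld\n", rc, (long)seen_euid);
    return rc == -2;
}
```

Run as root it reports `rc=0`; run unprivileged the drop is refused with `rc=-1` and nothing changes. A result of `-2` is the state the CVE describes: the process continues with credentials that differ from the ones it started with.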
|
|
Fix Travis to only use Go 1.10
|
|
Use proper sizes when casting to Go slice
|
|
Addresses most of the issues in #101.
The following commands now succeed:
GOARCH=mips go build github.com/google/fscrypt/util
GOARCH=mipsle go build github.com/google/fscrypt/util
|
|
security: drop and regain privileges in all threads
|
|
pam: return error when PAM info item is unset
|
|
After enabling pam_fscrypt for "session" and creating a directory
protected with a login protector, I was no longer able to log in as that
user. The problem is that the Go runtime is creating threads after
pam_fscrypt drops privileges, but pam_fscrypt is not re-acquiring
privileges on those threads because the Go wrappers for setreuid(),
setregid(), and setgroups() in the "sys/unix" package are using the raw
syscalls which operate on the calling thread only.
This violates glibc's assumption that all threads have the same uids and
gids, causing it to abort() the process when a later module in the PAM
stack (pam_mail in my case) tries to drop privileges using the glibc
functions.
Fix it by dropping and regaining privileges using the glibc functions
rather than the "sys/unix" functions.
This also avoids any possibility that privileges could be changed in a
thread other than the "main" one for pam_fscrypt, since the Go runtime
does not guarantee which OS-level thread runs what.
It would be nice to also exit all Go worker threads before returning
from pam_fscrypt, but the Go runtime doesn't seem to support that.
|
|
pam_fscrypt is crashing with a segfault in copyIntoSecret() when using
Ctrl-C to interrupt a 'sudo' prompt. It is dereferencing a NULL pointer
that is supposed to point to the PAM_AUTHTOK item. The problem is that the
Go code assumes pam_get_item() returns a non-success status if the item
is unset, when actually it sets the data pointer to NULL and returns
PAM_SUCCESS.
Fix it by making pam.Handle.GetItem() return an error in that case.
|
|
Also clarifies some other minor points.
|
|
According to:
https://www.gnu.org/software/coreutils/manual/html_node/arch-invocation.html
the arch command isn't portable, so we switch to uname.
|
|
Protoc: https://github.com/google/protobuf/blob/a711e3d5b4ee1dd7f9d21197dca8432a5819a64e/protoc-artifacts/build-protoc.sh#L82-L83
Go: https://github.com/golang/sys/blob/37707fdb30a5b38865cfb95e5aab41707daec7fd/unix/linux/mkall.go#L43-L79
|
|
Using "arch" instead of "go env GOARCH" is more standard and doesn't
generate a warning on "sudo make install".
|