From d0ac36dcea341ff000aca983dd80e7bef9fc30ec Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Sun, 15 Dec 2019 19:31:39 -0800
Subject: pam_fscrypt: update to handle filesystem keyring FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY require root for v1 policy keys, so update the PAM module to re-acquire root privileges while provisioning/deprovisioning policies that need this. Also, only set up the user keyring if it will actually be used.
---
 actions/policy.go | 6 ++++++
 1 file changed, 6 insertions(+) (limited to 'actions/policy.go')
diff --git a/actions/policy.go b/actions/policy.go
index 2d8c521..b9cd88c 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -412,6 +412,12 @@ func (policy *Policy) NeedsUserKeyring() bool {
 return !policy.Context.Config.GetUseFsKeyringForV1Policies()
 }
 
+// NeedsRootToProvision returns true if Provision and Deprovision will require
+// root for this policy in the current configuration.
+func (policy *Policy) NeedsRootToProvision() bool {
+ return policy.Context.Config.GetUseFsKeyringForV1Policies()
+}
+
 // commitData writes the Policy's current data to the filesystem.
 func (policy *Policy) commitData() error {
 return policy.Context.Mount.AddPolicy(policy.data)
-- 
cgit v1.2.3
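Review bot: NeedsRootToProvision decides purely from the configuration flag and never looks at the policy itself, although its comment says "for this policy" and the commit message ties the root requirement to v1 policy keys. If a policy of any other version can reach this method (not visible in this hunk), the PAM module would re-acquire root where it is not needed, which widens the privileged window. Either gate the result on the policy's version as well, or state the assumption in the doc comment, e.g. `// The result depends only on the configuration; every policy is assumed to be v1.` It would also help to note there that callers should hold root only around the Provision/Deprovision call and drop it immediately afterwards.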