From 4e0230bdbc9cf893099919170a10e44f84422747 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 27 Jan 2020 20:16:35 -0800 Subject: actions/recovery: revert protector if it can't be added to policy Ensure that a failed AddRecoveryPassphrase() doesn't leave around an unneeded protector file.
---
 actions/recovery.go | 1 + 1 file changed, 1 insertion(+) (limited to 'actions')
diff --git a/actions/recovery.go b/actions/recovery.go
index 32d0030..1c55ec5 100644
--- a/actions/recovery.go
+++ b/actions/recovery.go
@@ -78,6 +78,7 @@ func AddRecoveryPassphrase(policy *Policy, dirname string) (*crypto.Key, *Protec
 seq++
 }
 if err := policy.AddProtector(recoveryProtector); err != nil {
+ recoveryProtector.Revert()
 return nil, nil, err
 }
 return passphrase, recoveryProtector, nil
-- cgit v1.2.3
From 07d744068d437b09d7a07975e88e18440f5db2f3 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 27 Jan 2020 20:16:35 -0800 Subject: filesystem: don't overwrite existing protector links When adding a protector to a policy, don't unconditionally overwrite the protector link, because it may already exist. Instead, if it already exists and points to the mount, just use it. If it already exists and points to the wrong place, return an error. Also add a bool to the return value of AddLinkedProtector() so that callers can check whether the link was newly created or not.
---
 actions/policy.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'actions')
diff --git a/actions/policy.go b/actions/policy.go
index 41e108e..9d644c1 100644
--- a/actions/policy.go
+++ b/actions/policy.go
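Review bot: In the actions/recovery.go hunk, the result of `recoveryProtector.Revert()` is discarded on the `policy.AddProtector` failure path, so if the revert itself fails (its signature is not visible here, but removing an on-disk protector file can presumably fail) the unneeded protector file stays behind with no trace. The original `err` is what the caller needs, so I would keep returning it and record the cleanup failure, e.g. `if rerr := recoveryProtector.Revert(); rerr != nil { log.Printf("reverting recovery protector: %v", rerr) }`, assuming `log` is imported in this file. The start of AddRecoveryPassphrase is outside the hunk, so it is also worth confirming that `passphrase` is wiped on this early return, since the caller receives nil in place of the key.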
@@ -315,7 +315,7 @@ func (policy *Policy) AddProtector(protector *Protector) error {
 // to it on the policy's filesystem.
 if policy.Context.Mount != protector.Context.Mount {
 log.Printf("policy on %s\n protector on %s\n", policy.Context.Mount, protector.Context.Mount)
- err := policy.Context.Mount.AddLinkedProtector(
+ _, err := policy.Context.Mount.AddLinkedProtector(
 protector.Descriptor(), protector.Context.Mount)
 if err != nil {
 return err
-- cgit v1.2.3
From 2d7229eb2a97c845d73a65ff9dd3368056c255a6 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 27 Jan 2020 20:16:35 -0800 Subject: actions/policy: revert new protector links on failure Ensure that when an encryption policy is reverted (e.g. due to encryptPath() failing after the policy was created), we also delete any new protector links that were created for the policy, as this is not handled by the logic that reverts new protectors.
---
 actions/policy.go | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) (limited to 'actions')
diff --git a/actions/policy.go b/actions/policy.go
index 9d644c1..b7fe5a6 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -79,10 +79,11 @@ func PurgeAllPolicies(ctx *Context) error {
 // allow encrypted files to be accessed). As with the key struct, a Policy
 // should be wiped after use.
 type Policy struct {
- Context *Context
- data *metadata.PolicyData
- key *crypto.Key
- created bool
+ Context *Context
+ data *metadata.PolicyData
+ key *crypto.Key
+ created bool
+ newLinkedProtectors []string
 }
 
 // CreatePolicy creates a Policy protected by given Protector and stores the
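Review bot: The new `newLinkedProtectors` field in `Policy` has no comment, and its meaning is narrower than the name suggests: judging by the other hunks of this commit it holds descriptors of protector links that this particular Policy object created, and Destroy() is what removes them. A field comment would make that lifetime explicit, for example `// newLinkedProtectors lists descriptors of protector links created through this Policy object; Destroy() removes them.` The list appears to live only in memory next to `created`, so it is worth saying in the same comment that links are cleaned up only when Destroy() runs on the object that created them.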
@@ -208,9 +209,13 @@ func (policy *Policy) Version() int64 {
 return policy.data.Options.PolicyVersion
 }
 
-// Destroy removes a policy from the filesystem. The internal key should still
-// be wiped with Lock().
+// Destroy removes a policy from the filesystem. It also removes any new
+// protector links that were created for the policy. This does *not* wipe the
+// policy's internal key from memory; use Lock() to do that.
 func (policy *Policy) Destroy() error {
+ for _, protectorDescriptor := range policy.newLinkedProtectors {
+ policy.Context.Mount.RemoveProtector(protectorDescriptor)
+ }
 return policy.Context.Mount.RemovePolicy(policy.Descriptor())
 }
 
@@ -315,11 +320,15 @@ func (policy *Policy) AddProtector(protector *Protector) error {
 // to it on the policy's filesystem.
 if policy.Context.Mount != protector.Context.Mount {
 log.Printf("policy on %s\n protector on %s\n", policy.Context.Mount, protector.Context.Mount)
- _, err := policy.Context.Mount.AddLinkedProtector(
+ isNewLink, err := policy.Context.Mount.AddLinkedProtector(
 protector.Descriptor(), protector.Context.Mount)
 if err != nil {
 return err
 }
+ if isNewLink {
+ policy.newLinkedProtectors = append(policy.newLinkedProtectors,
+ protector.Descriptor())
+ }
 } else {
 log.Printf("policy and protector both on %q", policy.Context.Mount)
 }
-- cgit v1.2.3
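Review bot: In Destroy(), the return value of `policy.Context.Mount.RemoveProtector(protectorDescriptor)` is dropped, so a link that cannot be removed stays on the policy's filesystem silently and Destroy() still reports success whenever RemovePolicy succeeds. Assuming RemoveProtector returns an error the way RemovePolicy does, at least log it: `if err := policy.Context.Mount.RemoveProtector(protectorDescriptor); err != nil { log.Printf("removing protector link %s: %v", protectorDescriptor, err) }`. The list is also never reset after the loop; adding `policy.newLinkedProtectors = nil` once the links are gone keeps a reused Policy object from retrying stale descriptors.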
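Review bot: In AddProtector, the new link is recorded in `policy.newLinkedProtectors`, but only Destroy() consumes that list, so a failure later in AddProtector (the function continues past the end of this hunk) on a policy that is not destroyed afterwards would leave the freshly created link behind. If the later steps can fail, consider removing the link on those error paths when `isNewLink` is true. The previous commit in this series lets an existing link be reused, so a link recorded as new here may be relied on by another policy on the same filesystem by the time Destroy() runs. A comment at the `append` stating why removal is still safe would help, e.g. `// Only links created by this Policy are recorded; Destroy() removes them, so they must not be shared before then.`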