From 151e8965fa3a9c8f65e316430f9df0fa763fb02d Mon Sep 17 00:00:00 2001
From: "Joe Richey joerichey@google.com"
Date: Tue, 15 Aug 2017 18:11:29 -0700
Subject: cmd/fscrypt: purge command now clears cache
---
 actions/context.go | 11 +++++++----
 actions/policy.go | 9 +++++----
 2 files changed, 12 insertions(+), 8 deletions(-)
(limited to 'actions')
diff --git a/actions/context.go b/actions/context.go
index fb25b54..7e4b64b 100644
--- a/actions/context.go
+++ b/actions/context.go
@@ -31,9 +31,10 @@ package actions
 import (
 "log"
+ "golang.org/x/sys/unix"
+
 "github.com/pkg/errors"
- "github.com/google/fscrypt/crypto"
 "github.com/google/fscrypt/filesystem"
 "github.com/google/fscrypt/metadata"
 )
@@ -101,8 +102,10 @@ func (ctx *Context) checkContext() error {
 }
 // getService returns the keyring service for this context. We use the presence
-// of the LegacyConfig flag to determine if we should use the legacy services
-// (which are necessary for kernels before v4.8).
+// of the LegacyConfig flag to determine if we should use the legacy services.
+// For ext4 systems before v4.8 and f2fs systems before v4.6, filesystem
+// specific services must be used (these legacy services will still work with
+// later kernels).
 func (ctx *Context) getService() string {
 // For legacy configurations, we may need non-standard services
 if ctx.Config.HasCompatibilityOption(LegacyConfig) {
@@ -111,7 +114,7 @@ func (ctx *Context) getService() string {
 return ctx.Mount.Filesystem + ":"
 }
 }
- return crypto.DefaultService
+ return unix.FS_KEY_DESC_PREFIX
 }
 // getProtectorOption returns the ProtectorOption for the protector on the
diff --git a/actions/policy.go b/actions/policy.go
index ceae573..bf1f593 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -29,6 +29,7 @@ import (
 "github.com/google/fscrypt/crypto"
 "github.com/google/fscrypt/filesystem"
 "github.com/google/fscrypt/metadata"
+ "github.com/google/fscrypt/security"
 "github.com/google/fscrypt/util"
 )
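Review bot: The new `return unix.FS_KEY_DESC_PREFIX` in getService swaps the project's own `crypto.DefaultService` for the kernel's key-description prefix constant without a comment saying why that is the right non-legacy service, and it pulls golang.org/x/sys/unix into the actions package for one string constant while the rest of the commit routes keyring work through the new security package. If security already exposes (or could export) this prefix, taking it from there would keep the platform-specific keyring constants in one place; otherwise a one-line comment above the return, such as `// Non-legacy kernels accept the generic FS_KEY_DESC_PREFIX service for every filesystem.`, would document the choice. The legacy branch that builds `ctx.Mount.Filesystem + ":"` starts outside this hunk, so whether the two prefixes are guaranteed to agree in shape (trailing colon) cannot be confirmed here.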
@@ -56,10 +57,10 @@ func PurgeAllPolicies(ctx *Context) error {
 for _, policyDescriptor := range policies {
 service := ctx.getService()
- err = crypto.RemovePolicyKey(service + policyDescriptor)
+ err = security.RemoveKey(service + policyDescriptor)
 switch errors.Cause(err) {
- case nil, crypto.ErrKeyringSearch:
+ case nil, security.ErrKeyringSearch:
 // We don't care if the key has already been removed
 default:
 return err
@@ -365,7 +366,7 @@ func (policy *Policy) Apply(path string) error {
 // IsProvisioned returns a boolean indicating if the policy has its key in the
 // keyring, meaning files and directories using this policy are accessible.
 func (policy *Policy) IsProvisioned() bool {
- _, err := crypto.FindPolicyKey(policy.Description())
+ _, err := security.FindKey(policy.Description())
 return err == nil
 }
@@ -381,7 +382,7 @@ func (policy *Policy) Provision() error {
 // Deprovision removes the Policy key from the kernel keyring. This prevents
 // reading and writing to the directory once the caches are cleared.
 func (policy *Policy) Deprovision() error {
- return security.RemoveKey(policy.Description())
 }
 // commitData writes the Policy's current data to the filesystem.
-- 
cgit v1.2.3
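Review bot: A failure from `security.RemoveKey` that is not `security.ErrKeyringSearch` hits `default: return err` on the first affected policy, so every policy after it in `policies` keeps its key in the keyring even though the caller asked for all of them to be purged; for a purge the safer behaviour is to keep going and report the failure afterwards, e.g. `default: lastErr = err` in the switch and `return lastErr` once the loop has finished (with `lastErr` declared before the loop, which lies outside this hunk). PurgeAllPolicies begins and ends outside the hunk, so the declaration of `err` and what follows the loop are not visible. Also note that removing the keyring entry does not by itself evict already-decrypted data; the subject says the purge command now clears caches, which presumably happens in cmd/fscrypt outside the `actions` scope of this patch, so the doc comment on PurgeAllPolicies should say that callers are still responsible for that step.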
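Review bot: `return err == nil` in IsProvisioned folds every failure of `security.FindKey` into "not provisioned", so a keyring permission or lookup error reads the same as a genuinely missing key; the rename carries this over unchanged, but the hunk above now distinguishes `security.ErrKeyringSearch` from other errors, so the two call sites disagree on what a non-search error means. Since the signature returns a bare bool, the minimum is to say so in the doc comment, e.g. `// Any lookup error, not only a missing key, is reported as not provisioned.`; surfacing other errors would need a signature change and is a separate decision.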