From d0b9e2c995beb13c70a1549923df482ff773f09b Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sun, 19 Dec 2021 22:17:20 -0600 Subject: filesystem: avoid accessing irrelevant filesystems Forbid 'fscrypt setup' on filesystems that aren't expected to support encryption (other than the root filesystem), and skip looking for fscrypt metadata directories on such filesystems. This has two benefits. First, it avoids the printing of annoying warnings like: pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied Second, it avoids long delays or side effects on some filesystems. To do this, introduce an allowlist of filesystem types that fscrypt will recognize. I wanted to avoid doing this, since this list will need to be updated in the future, but I don't see a better solution. --- cli-tests/t_not_supported.out | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'cli-tests/t_not_supported.out') diff --git a/cli-tests/t_not_supported.out b/cli-tests/t_not_supported.out index ecee56a..68e0897 100644 --- a/cli-tests/t_not_supported.out +++ b/cli-tests/t_not_supported.out @@ -1,8 +1,8 @@ # Mount tmpfs -# Create fscrypt metadata on tmpfs -Metadata directories created at "MNT/.fscrypt". +# Try to create fscrypt metadata on tmpfs +[ERROR] fscrypt setup: filesystem type tmpfs is not supported for fscrypt setup # Try to encrypt a directory on tmpfs [ERROR] fscrypt encrypt: This kernel doesn't support encryption on tmpfs -- cgit v1.2.3