From d0b9e2c995beb13c70a1549923df482ff773f09b Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sun, 19 Dec 2021 22:17:20 -0600 Subject: filesystem: avoid accessing irrelevant filesystems Forbid 'fscrypt setup' on filesystems that aren't expected to support encryption (other than the root filesystem), and skip looking for fscrypt metadata directories on such filesystems. This has two benefits. First, it avoids the printing of annoying warnings like: pam_fscrypt[75038]: stat /run/user/0/.fscrypt: permission denied pam_fscrypt[75038]: stat /run/user/0/.fscrypt/policies: permission denied pam_fscrypt[75038]: stat /run/user/0/.fscrypt/protectors: permission denied pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument pam_fscrypt[75038]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt: permission denied pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/policies: permission denied pam_fscrypt[75038]: stat /sys/fs/pstore/.fscrypt/protectors: permission denied Second, it avoids long delays or side effects on some filesystems. To do this, introduce an allowlist of filesystem types that fscrypt will recognize. I wanted to avoid doing this, since this list will need to be updated in the future, but I don't see a better solution. --- cli-tests/t_not_supported.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'cli-tests/t_not_supported.sh') diff --git a/cli-tests/t_not_supported.sh b/cli-tests/t_not_supported.sh index 53a096a..9ff90e1 100755 --- a/cli-tests/t_not_supported.sh +++ b/cli-tests/t_not_supported.sh @@ -9,8 +9,8 @@ _print_header "Mount tmpfs" umount "$MNT" mount tmpfs -t tmpfs -o size=128m "$MNT" -_print_header "Create fscrypt metadata on tmpfs" -fscrypt setup "$MNT" +_print_header "Try to create fscrypt metadata on tmpfs" +_expect_failure "fscrypt setup '$MNT'" _print_header "Try to encrypt a directory on tmpfs" mkdir "$MNT/dir" -- cgit v1.2.3