From 5e8dfc196020693d2a9dc809cf6bc87096ddc09f Mon Sep 17 00:00:00 2001 From: "Joe Richey joerichey@google.com" Date: Tue, 15 Aug 2017 12:06:11 -0700 Subject: crypto: Switch from session to user keyring --- crypto/key.go | 42 +++++++++++------------------------------- 1 file changed, 11 insertions(+), 31 deletions(-) (limited to 'crypto/key.go') diff --git a/crypto/key.go b/crypto/key.go index e440ca1..1d9e72c 100644 --- a/crypto/key.go +++ b/crypto/key.go @@ -49,6 +49,9 @@ const ( // v4.8 and f2fs systems before v4.6, filesystem specific services must // be used (these legacy services will still work with later kernels). DefaultService = unix.FS_KEY_DESC_PREFIX + // KeyringID is the keyring that fscrypt's keys will be added to. Currently it + // is the user keyring to avoid hitting systemd/issues/5715. + KeyringID = unix.KEY_SPEC_USER_KEYRING // keyType is always logon as required by filesystem encryption keyType = "logon" // Keys need to readable and writable, but hidden from other processes. @@ -249,30 +252,12 @@ func NewFixedLengthKeyFromReader(reader io.Reader, length int) (*Key, error) { return key, nil } -// getKeyring returns the id of the session keyring, or the id of the user -// session keyring if session keyring does not exist. We cannot directly use -// KEY_SPEC_SESSION_KEYRING, as that will make a new session keyring if one does -// not exist, which will be garbage collected when the process terminates. -func getKeyring() (int, error) { - keyringID, err := unix.KeyctlGetKeyringID(unix.KEY_SPEC_SESSION_KEYRING, false) - log.Printf("unix.KeyctlGetKeyringID(KEY_SPEC_SESSION_KEYRING) = %d, %v", keyringID, err) - if err != nil { - return 0, errors.Wrap(ErrKeyringLocate, err.Error()) - } - return keyringID, nil -} - // FindPolicyKey tries to locate a policy key in the kernel keyring with the // provided description. The keyring and key ids are returned if we can find the // key. An error is returned if the key does not exist. -func FindPolicyKey(description string) (keyringID, keyID int, err error) { - keyringID, err = getKeyring() - if err != nil { - return - } - - keyID, err = unix.KeyctlSearch(keyringID, keyType, description, 0) - log.Printf("unix.KeyctlSearch(%d, %s, %s) = %d, %v", keyringID, keyType, description, keyID, err) +func FindPolicyKey(description string) (keyID int, err error) { + keyID, err = unix.KeyctlSearch(KeyringID, keyType, description, 0) + log.Printf("unix.KeyctlSearch(%d, %s, %s) = %d, %v", KeyringID, keyType, description, keyID, err) if err != nil { err = errors.Wrap(ErrKeyringSearch, err.Error()) } @@ -282,13 +267,13 @@ func FindPolicyKey(description string) (keyringID, keyID int, err error) { // RemovePolicyKey tries to remove a policy key from the kernel keyring with the // provided description. An error is returned if the key does not exist. func RemovePolicyKey(description string) error { - keyringID, keyID, err := FindPolicyKey(description) + keyID, err := FindPolicyKey(description) if err != nil { return err } - _, err = unix.KeyctlInt(unix.KEYCTL_UNLINK, keyID, keyringID, 0, 0) - log.Printf("unix.KeyctlUnlink(%d, %d) = %v", keyID, keyringID, err) + _, err = unix.KeyctlInt(unix.KEYCTL_UNLINK, keyID, KeyringID, 0, 0) + log.Printf("unix.KeyctlUnlink(%d, %d) = %v", keyID, KeyringID, err) if err != nil { return errors.Wrap(ErrKeyringDelete, err.Error()) } @@ -316,14 +301,9 @@ func InsertPolicyKey(key *Key, description string) error { fscryptKey.Size = metadata.PolicyKeyLen copy(fscryptKey.Raw[:], key.data) - keyringID, err := getKeyring() - if err != nil { - return err - } - - keyID, err := unix.AddKey(keyType, description, payload.data, keyringID) + keyID, err := unix.AddKey(keyType, description, payload.data, KeyringID) log.Printf("unix.AddKey(%s, %s, , %d) = %d, %v", - keyType, description, keyringID, keyID, err) + keyType, description, KeyringID, keyID, err) if err != nil { return errors.Wrap(ErrKeyringInsert, err.Error()) } -- cgit v1.2.3