From 462d166d5355d33a05271d24de4d52f30dd62f67 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Sun, 15 Dec 2019 19:31:39 -0800
Subject: Add keyring package
In preparation for introducing support for the new filesystem-level keyrings, move the existing user keyring management code from security/keyring.go and crypto/crypto.go into a new package, 'keyring'. This package provides functions AddEncryptionKey, RemoveEncryptionKey, and GetEncryptionKeyStatus which delegate to either the filesystem keyring (added by a later patch) or to the user keyring. This provides a common interface to both types of keyrings, to the extent possible.
---
 pam/pam.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'pam/pam.go')
diff --git a/pam/pam.go b/pam/pam.go
index c48dd13..ece6bda 100644
--- a/pam/pam.go
+++ b/pam/pam.go
@@ -34,6 +34,7 @@ import (
 "os/user"
 "unsafe"

+ "github.com/google/fscrypt/keyring"
 "github.com/google/fscrypt/security"
 )

@@ -130,7 +131,7 @@ func (h *Handle) GetItem(i Item) (unsafe.Pointer, error) {
 // StartAsPamUser sets the effective privileges to that of the PAM user, and
 // configures the PAM user's keyrings to be properly linked.
 func (h *Handle) StartAsPamUser() error {
- if _, err := security.UserKeyringID(h.PamUser, true); err != nil {
+ if _, err := keyring.UserKeyringID(h.PamUser, true); err != nil {
 log.Printf("Setting up keyrings in PAM: %v", err)
 }
 userPrivs, err := security.UserPrivileges(h.PamUser)
-- 
cgit v1.2.3
From d0ac36dcea341ff000aca983dd80e7bef9fc30ec Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Sun, 15 Dec 2019 19:31:39 -0800
Subject: pam_fscrypt: update to handle filesystem keyring
FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY require root for v1 policy keys, so update the PAM module to re-acquire root privileges while provisioning/deprovisioning policies that need this. Also, only set up the user keyring if it will actually be used.
---
 pam/pam.go | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
(limited to 'pam/pam.go')
diff --git a/pam/pam.go b/pam/pam.go
index ece6bda..54a60e2 100644
--- a/pam/pam.go
+++ b/pam/pam.go
@@ -34,7 +34,6 @@ import (
 "os/user"
 "unsafe"

- "github.com/google/fscrypt/keyring"
 "github.com/google/fscrypt/security"
 )

@@ -128,26 +127,31 @@ func (h *Handle) GetItem(i Item) (unsafe.Pointer, error) {
 return data, nil
 }

-// StartAsPamUser sets the effective privileges to that of the PAM user, and
-// configures the PAM user's keyrings to be properly linked.
+// StartAsPamUser sets the effective privileges to that of the PAM user.
 func (h *Handle) StartAsPamUser() error {
- if _, err := keyring.UserKeyringID(h.PamUser, true); err != nil {
- log.Printf("Setting up keyrings in PAM: %v", err)
- }
 userPrivs, err := security.UserPrivileges(h.PamUser)
 if err != nil {
 return err
 }
- if h.origPrivs, err = security.ProcessPrivileges(); err != nil {
+ origPrivs, err := security.ProcessPrivileges()
+ if err != nil {
+ return err
+ }
+ if err = security.SetProcessPrivileges(userPrivs); err != nil {
 return err
 }
- return security.SetProcessPrivileges(userPrivs)
+ h.origPrivs = origPrivs
+ return nil
 }

 // StopAsPamUser restores the original privileges that were running the
 // PAM module (this is usually root).
 func (h *Handle) StopAsPamUser() error {
+ if h.origPrivs == nil {
+ return nil
+ }
 err := security.SetProcessPrivileges(h.origPrivs)
+ h.origPrivs = nil
 if err != nil {
 log.Print(err)
 }
-- 
cgit v1.2.3
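Review bot: In StopAsPamUser the added `h.origPrivs = nil` runs before the result of `security.SetProcessPrivileges(h.origPrivs)` is examined, so if restoring the original (per the comment, usually root) privileges fails, the saved privileges are discarded and any later call hits the new guard and returns nil without retrying, leaving the module running as the PAM user with only a logged error. Clearing the field only on success, for example replacing the added line with `if err == nil { h.origPrivs = nil }` placed after the error check, keeps the idempotence the commit adds while preserving the ability to retry; whether callers would retry is not visible here. The remainder of StopAsPamUser (its final return) lies outside the hunk. The rewritten doc comment could also state the new contract, e.g. `// StartAsPamUser sets the effective privileges to that of the PAM user and records the current privileges so that StopAsPamUser can restore them; StopAsPamUser is a no-op if StartAsPamUser did not succeed.`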