From 28e4999ebd9221a71488d715d9f1182b494216d8 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 8 Mar 2021 15:20:08 -0800 Subject: pam_fscrypt: decide cache dropping behavior automatically Configuring whether pam_fscrypt drops caches or not isn't really something the user should have to do, and it's also irrelevant for v2 encryption policies (the default on newer systems). It's better to have pam_fscrypt automatically decide whether it needs to drop caches or not. Do this by making pam_fscrypt check whether any encryption policy keys are being removed from a user keyring (rather than from a filesystem keyring). If so, it drops caches; otherwise it doesn't. This supersedes the "drop_caches" option, which won't do anything anymore. --- pam_fscrypt/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'pam_fscrypt/config') diff --git a/pam_fscrypt/config b/pam_fscrypt/config index 9b2eb8f..d2fbf68 100644 --- a/pam_fscrypt/config +++ b/pam_fscrypt/config @@ -7,7 +7,7 @@ Auth-Final: Session-Type: Additional Session-Interactive-Only: yes Session-Final: - optional PAM_INSTALL_PATH drop_caches lock_policies + optional PAM_INSTALL_PATH lock_policies Password-Type: Additional Password-Final: optional PAM_INSTALL_PATH -- cgit v1.2.3 From b7e898f01bcae17174fcd928599d0d933655db9b Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 8 Mar 2021 15:20:08 -0800 Subject: pam_fscrypt: make "lock_policies" the default behavior All pam_fscrypt configuration guides that I'm aware of say to use the "lock_policies" option for the pam_fscrypt.so session hook. The Debian/Ubuntu pam-config-framework config file has it too. Make locking the default behavior, since this is what everyone wants. Existing configuration files that contain the "lock_policies" option will continue to work, but that option won't do anything anymore. (We could add an option "unlock_only" to restore the old default behavior, but it's not clear that it would be useful. So for simplicity, leave it out for now.) --- pam_fscrypt/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'pam_fscrypt/config') diff --git a/pam_fscrypt/config b/pam_fscrypt/config index d2fbf68..f83dab2 100644 --- a/pam_fscrypt/config +++ b/pam_fscrypt/config @@ -7,7 +7,7 @@ Auth-Final: Session-Type: Additional Session-Interactive-Only: yes Session-Final: - optional PAM_INSTALL_PATH lock_policies + optional PAM_INSTALL_PATH Password-Type: Additional Password-Final: optional PAM_INSTALL_PATH -- cgit v1.2.3