From 295c503a77f53b87305bba310e37cbdd9b516936 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Tue, 18 Oct 2022 10:12:02 -0700 Subject: Make pam_fscrypt.so support the unlock_only option Now that it's been requested by users, bring back the "unlock_only" option, which was originally proposed as part of https://github.com/google/fscrypt/pull/281 but was dropped in the final version of that pull request. Resolves https://github.com/google/fscrypt/issues/357 --- pam_fscrypt/pam_fscrypt.go | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'pam_fscrypt') diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go index 04ca13c..bd6b04d 100644 --- a/pam_fscrypt/pam_fscrypt.go +++ b/pam_fscrypt/pam_fscrypt.go @@ -55,9 +55,12 @@ const ( debugFlag = "debug" // This option is accepted for compatibility with existing config files, - // but now we lock policies unconditionally and this option is a no-op. + // but now we lock policies by default and this option is a no-op. lockPoliciesFlag = "lock_policies" + // Only unlock directories, don't lock them. + unlockOnlyFlag = "unlock_only" + // This option is accepted for compatibility with existing config files, // but it no longer does anything. pam_fscrypt now drops caches if and // only if it is needed. (Usually it is not needed anymore, as the @@ -279,19 +282,21 @@ func CloseSession(handle *pam.Handle, args map[string]bool) error { // Don't automatically drop privileges, since we may need them to // deprovision policies or to drop caches. - log.Print("locking policies protected with login protector") - needDropCaches, errLock := lockLoginPolicies(handle) - - var errCache error - if needDropCaches { - log.Print("dropping appropriate filesystem caches at session close") - errCache = security.DropFilesystemCache() - } + if !args[unlockOnlyFlag] { + log.Print("locking policies protected with login protector") + needDropCaches, errLock := lockLoginPolicies(handle) - if errLock != nil { - return errLock + var errCache error + if needDropCaches { + log.Print("dropping appropriate filesystem caches at session close") + errCache = security.DropFilesystemCache() + } + if errLock != nil { + return errLock + } + return errCache } - return errCache + return nil } // lockLoginPolicies deprovisions all policy keys that are protected by the -- cgit v1.2.3