Eric Biggers [Mon, 8 Mar 2021 23:20:08 +0000 (15:20 -0800)]
pam_fscrypt: make "lock_policies" the default behavior
All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook. The
Debian/Ubuntu pam-config-framework config file has it too.
Make locking the default behavior, since this is what everyone wants.
Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.
(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful. So for
simplicity, leave it out for now.)
Configuring whether pam_fscrypt drops caches or not isn't really
something the user should have to do, and it's also irrelevant for v2
encryption policies (the default on newer systems). It's better to have
pam_fscrypt automatically decide whether it needs to drop caches or not.
Do this by making pam_fscrypt check whether any encryption policy keys
are being removed from a user keyring (rather than from a filesystem
keyring). If so, it drops caches; otherwise it doesn't. This
supersedes the "drop_caches" option, which won't do anything anymore.
Robert McQueen [Wed, 3 Mar 2021 11:34:55 +0000 (11:34 +0000)]
pam_fscrypt/config: prioritise over other session modules
Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.
Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as https://github.com/google/fscrypt/issues/270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.
After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (eg pam_mount
at 128) but before those which seem unlikely to work without a home
directory (eg pam_ssh at 64).
Eric Biggers [Sat, 21 Nov 2020 23:29:26 +0000 (15:29 -0800)]
Switch from Travis CI to GitHub Actions
travis-ci.org is being shut down, so switch to GitHub Actions.
It should be mostly equivalent, but I did drop functionality in a couple
cases:
- Publishing release binaries. I don't think providing Linux binaries
is useful, since people build their own anyway. So I left this out.
- Build and testing on ppc64le. GitHub Actions only natively supports
x86. I tried uraimo/run-on-arch-action, which uses Docker and QEMU
user-mode emulation, but the fscrypt tests can't be run because
QEMU user-mode emulation doesn't support all the needed system calls.
Eric Biggers [Sun, 8 Nov 2020 04:30:51 +0000 (20:30 -0800)]
cmd/fscrypt: fix race condition in getPassphraseKey()
Set the terminal to raw mode *before* printing the prompt.
Otherwise the user (or the automated test) might enter the
passphrase before the terminal gets put into raw mode.
This is needed for some of the CLI tests to pass reliably in Travis CI.
Eric Biggers [Sat, 7 Nov 2020 22:20:45 +0000 (14:20 -0800)]
cmd/fscrypt: fix isDirUnlockedHeuristic() on latest kernels
On an "incompletely locked" directory, isDirUnlockedHeuristic() is
supposed to return true, but on Linux v5.10-rc1 and later it returns
false since now creating a subdirectory fails rather than succeeds.
This change was intentional, so make isDirUnlockedHeuristic() apply a
second heuristic too: also return true if any filenames in the directory
don't appear to be valid no-key names.
This fixes cli-tests/t_v1_encrypt on Linux v5.10-rc1 and later.
Eric Biggers [Fri, 7 Aug 2020 23:37:05 +0000 (16:37 -0700)]
README.md: recommend 'sudo make install PREFIX=/usr' on Ubuntu (#244)
Ubuntu's PAM configuration framework only recognizes files in /usr, not
/usr/local. So for installs from source, unfortunately we have to
recommend installing to /usr, despite this not being conventional.
Eric Biggers [Sat, 13 Jun 2020 17:06:15 +0000 (10:06 -0700)]
cmd/fscrypt: adjust status message for v1-encrypted dirs
When 'fscrypt status DIR' detects that a v1-encrypted directory is still
usable but its key seems to be absent, it shows the status as
"Unlocked: Partially (incompletely locked)". But actually it can also
be the case that the directory is unlocked by another user. Adjust the
status message accordingly.
Eric Biggers [Sat, 13 Jun 2020 17:06:15 +0000 (10:06 -0700)]
cli-tests/t_v1_policy: clean up user keyrings at end of test
The test user's user keyring is still linked into root's user keyring at
the end of the test. This is making the test flaky, as there is a
failure that only occurs the first time it is run. Fix the test to
restore the initial state. This makes it consistently fail (to be fixed
by the next commit).
Eric Biggers [Wed, 3 Jun 2020 00:17:54 +0000 (17:17 -0700)]
cmd/fscrypt: fix 32-bit build
statfs.Bsize actually has platform-dependent type, despite the Go
documentation listing it as int64. Fix the build for 32-bit platforms
by casting it to int64.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
filesystem: improve errors
Introduce filesystem.ErrEncryptionNotEnabled and
filesystem.ErrEncryptionNotSupported which include the Mount as context,
and translate the corresponding metadata/ errors into them. Then make
these errors show much better suggestions.
Also replace lots of other filesystem/ errors with either custom types
or with unnamed one-off errors that include more context. Fix backwards
wrapping in lots of cases.
Finally, don't include the mountpoint in places where it's not useful,
like OS-level errors that already include the path.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
metadata: improve errors
ErrBadOwners:
Rename to ErrDirectoryNotOwned for clarity, move it from
cmd/fscrypt/ to metadata/ where it better belongs, and improve
the message.
ErrEncrypted:
Rename to ErrAlreadyEncrypted for clarity, and include the path.
ErrNotEncrypted:
Include the path.
ErrBadEncryptionOptions:
Include the path and bad options.
ErrEncryptionNotSupported:
ErrEncryptionNotEnabled:
Don't wrap with "get encryption policy %s", in preparation for
wrapping these with filesystem-level context instead.
Also avoid mixing together the error handling for the "get policy" and
"set policy" ioctls. Make it very clear how we're handling the errors
from each ioctl.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
keyring: improve errors
ErrAccessUserKeyring:
Include the user, and fix the backwards wrapping.
ErrSessionUserKeyring:
Include the user.
ErrKeyAdd:
ErrKeyRemove:
ErrKeySearch:
ErrLinkUserKeyring:
Replace these with one-off unnamed errors because they are
never checked for, and this makes it easier for the callers to
provide better messages, e.g. fixing the backwards wrapping.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
crypto: improve errors
ErrKeyLock:
Rename to ErrMlockUlimit for clarity.
ErrGetrandomFail:
ErrKeyAlloc:
ErrKeyFree:
ErrNegativeLength:
Replace these with one-off unnamed errors because these were all
returned in only one place and were never checked for. Also
these were all either wrapped backwards or discarded an
underlying error, so fix that too.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
actions/policy: improve errors
ErrMissingPolicyMetadata:
Include the mount, directory path, and metadata path. Also move
the explanation into actions/ since it doesn't refer to any CLI
command.
ErrPolicyMetadataMismatch:
Include a lot more information. Also start checking for
consistency of the policy key descriptors, not just the
encryption options. Add a test for this.
ErrDifferentFilesystem:
Include the mountpoints.
ErrOnlyProtector:
Clarify the message and include the protector descriptor.
ErrAlreadyProtected:
ErrNotProtected:
Include the policy and protector descriptors.
ErrAccessDeniedPossiblyV2:
Make it slightly clearer what failed. Also move the explanation
into actions/ since it doesn't refer to any CLI command.
Eric Biggers [Sat, 9 May 2020 21:17:17 +0000 (14:17 -0700)]
keyring/user_keyring: switch to KEYCTL_UNLINK
KEYCTL_INVALIDATE has complicated semantics: it doesn't remove the key
from the keyring right away but rather marks it as being invalidated,
and then removes it asynchronously. This nondeterministically breaks
the heuristic I'm implementing to detect v1-encrypted directories being
incompletely locked.
Instead, switch to KEYCTL_UNLINK, which has simpler semantics.
Unfortunately, we can't actually make Travis CI run these tests yet because they need kernel v5.4 or later, and Travis CI doesn't support an Ubuntu version that has that yet. But for now, they can be run manually using make cli-test.
Allow setting FSCRYPT_CONSISTENT_OUTPUT=1 in the environment to cause
policies and protectors to sorted by last modification time. The CLI
tests need this to make the output of 'fscrypt' ordered in a consistent
way with regard to the operations performed.
Allow overriding the mountpoint where login protectors are stored by
setting the FSCRYPT_ROOT_MNT environmental variable. The CLI tests need
this to avoid touching the real "/".
Allow overriding the location of fscrypt.conf by setting the
FSCRYPT_CONF environmental variable. The CLI tests need this to avoid
touching the real /etc/fscrypt.conf.
Eric Biggers [Sat, 9 May 2020 19:54:37 +0000 (12:54 -0700)]
travis.yml: stop overriding e2fsprogs version (#222)
There's no longer a need to override the Ubuntu version that the
Travis CI builds install e2fsprogs from, since we now use
"dist: bionic", and e2fsprogs in Bionic supports encryption.
Filip Stanis [Tue, 5 May 2020 01:48:26 +0000 (02:48 +0100)]
keyring: cast FS_IOC_REMOVE_ENCRYPTION_KEY to uintptr (#221)
Since v0.2.6, fscrypt only builds for 64-bit systems. E.g. trying to
build on Raspbian fails with the following error:
$ go get github.com/google/fscrypt/cmd/fscrypt
# github.com/google/fscrypt/keyring
go/src/github.com/google/fscrypt/keyring/fs_keyring.go:231:6: constant 3225445912 overflows int
go/src/github.com/google/fscrypt/keyring/fs_keyring.go:235:7: constant 3225445913 overflows int
Fix it by making the 'ioc' variable have type uintptr.
[EB - removed the later cast to uintptr that became unnecessary, and
added explanation to commit message.]
Eric Biggers [Fri, 17 Apr 2020 03:43:48 +0000 (20:43 -0700)]
Allow fscrypt to work in containers (#213)
Update the /proc/self/mountinfo parsing code to allow selecting a Mount
with Subtree != "/", i.e. a Mount not of the full filesystem. This is
needed to allow fscrypt to work in containers, where the root of the
filesystem may not be mounted.
See findMainMount() for details about the algorithm used.
Joseph Richey [Mon, 23 Mar 2020 21:24:48 +0000 (14:24 -0700)]
cmd: Simplify "fscrypt --version" output (#207)
There's no need to include the build time, author, and copyright info
in the output of "fscrypt --version". This information is:
- Overly complex (the current string is hard to parse)
- Inaccurate (there are other authors than just me)
- Unnecessary (the Apache 2 license is for Source Code)
- Makes reproducible builds impossible
Eric Biggers [Wed, 18 Mar 2020 04:10:58 +0000 (21:10 -0700)]
README.md: update examples to use v2 policies
Since on new kernels v1 encryption policies are deprecated in favor of
v2, update the examples to show v2. This mostly just consists of
updating the output, as the commands are essentially the same with one
notable difference in 'fscrypt lock'.
Eric Biggers [Wed, 18 Mar 2020 04:10:58 +0000 (21:10 -0700)]
Improve error message when unlocking v2 policy is unsupported
If trying to unlock a v2-encrypted directory fails because the kernel
lacks support for v2 policies, show a better error message. This can
happen if someone downgrades their kernel or tries to access encrypted
directories on removable storage from a computer with an older kernel.
Detecting this case is difficult since all we have to go with is EACCES
when opening the directory. Implement a heuristic where if get EACCES,
we actually have read access to the directory, and the kernel doesn't
support v2 policies, we show the improved error message.
Before:
# fscrypt unlock dir
[ERROR] fscrypt unlock: open dir: permission denied
After:
# fscrypt unlock dir
[ERROR] fscrypt unlock: open dir: permission denied
This may be caused by the directory using a v2 encryption policy and
the current kernel not supporting it. If indeed the case, then this
directory can only be used on kernel v5.4 and later. You can create
directories accessible on older kernels by changing policy_version to
1 in /etc/fscrypt.conf.
Eric Biggers [Wed, 18 Mar 2020 04:10:58 +0000 (21:10 -0700)]
Improve error message when setting v2 policy is unsupported
If trying to encrypt a directory using a v2 policy fails due to the
kernel lacking support for v2 policies, show a better error message.
One way this can happen is if someone runs 'fscrypt setup' with a new
kernel and then downgrades to an old kernel.
Before:
# echo -n hunter2 | fscrypt encrypt dir --source=custom_passphrase --name=foo --quiet
[ERROR] fscrypt encrypt: inappropriate ioctl for device: system error: could not add key to the keyring
After:
# echo -n hunter2 | fscrypt encrypt dir --source=custom_passphrase --name=foo --quiet
[ERROR] fscrypt encrypt: kernel is too old to support v2 encryption policies
v2 encryption policies are only supported by kernel version 5.4 and
later. Either use a newer kernel, or change policy_version to 1 in
/etc/fscrypt.conf.
Eric Biggers [Wed, 18 Mar 2020 04:10:58 +0000 (21:10 -0700)]
Create /etc/fscrypt.conf with policy_version 2 on kernel v5.4+
v2 encryption policies are now recommended, due to various security and
usability advantages over v1 policies. Many people have been running
into the usability problems with v1, so it's desirable to get people
onto v2 without having to manually opt-in.
Therefore, when 'fscrypt setup' creates /etc/fscrypt.conf, enable
policy_version 2 automatically if the kernel supports it.
I decided to go with this solution over the policy_version "auto" I
suggested originally because this way is simpler, it can still be
changed to "auto" later if desired, and "auto" might require changing
how we parse the config file (since currently the config file is mapped
directly to a protobuf where policy_version is an 'int' and is shared
with EncryptionOptions).
Eric Biggers [Wed, 18 Mar 2020 04:10:58 +0000 (21:10 -0700)]
Simplify choosing the key description prefix
There's no real need to allow users to choose the key description prefix
(a.k.a. the "service"), since on ext4 and f2fs we can just use "ext4"
and "f2fs" for compatibility with all kernels both old and new, and on
other filesystems we can just use "fscrypt". So, let's do that.
Since this removes the point of the "--legacy" option to 'fscrypt setup'
and the "compatibility" field in /etc/fscrypt.conf, remove those too.
Specifically, we start ignoring the "compatibility" in existing config
files and not writing it to new ones. The corresponding protobuf field
number and name are reserved. We stop accepting the "--legacy" option
at all, although since it was default true and there was no real reason
for anyone to change it to false, probably no one will notice. If
anyone does, they should just stop specifying the option.
Note that this change only affects user keyrings and thus only affects
v1 encryption policies, which are deprecated in favor of v2 anyway.
Eric Biggers [Sat, 22 Feb 2020 21:28:17 +0000 (13:28 -0800)]
Makefile: clean up installation commands (#201)
Improve the documentation for the installation-related Makefile
variables, and update the commands to remove the forward slash after
$(DESTDIR) in order to remove a duplicate forward slash and match the
recommended usage.
Anatol Pomozov [Wed, 19 Feb 2020 07:32:50 +0000 (23:32 -0800)]
Use DESTDIR for install prefix (#200)
DESTDIR has a well established purpose
https://www.gnu.org/prep/standards/html_node/DESTDIR.html
It is a suffix for all the files to be installed. And it is used by
package managers who installs the files into some $tmpdir before
creating a package.
Change the build commands to follow this convention.
Add BINDIR that does the same what previous did $DESTDIR.
While it's important to generate a recovery passphrase in the linked
protector case to avoid data loss if the system is reinstalled, some
people really don't want it (even though it can be safely ignored as it
almost certainly has far more entropy than the login passphrase).
As a compromise, prompt for y/n before generating it, with default y.
Also, to allow disabling the recovery passphrase during noninteractive
use, add a --no-recovery command-line option.
Eric Biggers [Tue, 28 Jan 2020 04:16:35 +0000 (20:16 -0800)]
actions/policy: revert new protector links on failure
Ensure that when an encryption policy is reverted (e.g. due to
encryptPath() failing after the policy was created), we also delete any
new protector links that were created for the policy, as this is not
handled by the logic that reverts new protectors.
When adding a protector to a policy, don't unconditionally overwrite the
protector link, because it may already exist. Instead, if it already
exists and points to the mount, just use it. If it already exists and
points to the wrong place, return an error.
Also add a bool to the return value of AddLinkedProtector() so that
callers can check whether the link was newly created or not.
Eric Biggers [Tue, 28 Jan 2020 04:16:35 +0000 (20:16 -0800)]
cmd/fscrypt/commands: clean up properly when encryptPath() fails
Move the deferred locking and deletion of the policy on failure to the
correct places, so that it's done in all failure cases, including in the
case where adding the recovery protector fails.
Also make the recovery protector be locked and deleted on failure.
Finally, put all the code to do deferred deprovisioning of the policy in
the same place: right after it's provisioned.
Eric Biggers [Tue, 28 Jan 2020 09:57:46 +0000 (01:57 -0800)]
cmd/fscrypt/setup: don't prompt to create /etc/fscrypt.conf (#190)
When 'fscrypt setup' sees that /etc/fscrypt.conf doesn't exist, don't
ask for confirmation before creating it. Just do it. This is the
normal use, and there's not a good reason to ask the user to confirm it.
Eric Biggers [Tue, 28 Jan 2020 03:24:30 +0000 (19:24 -0800)]
actions/recovery: ensure recovery passphrase is really custom_passphrase
If the login protector was just created by the same 'fscrypt encrypt'
command, then policy.Context.Config.Source will be pam_passphrase. This
needs to be overridden to custom_passphrase when creating the protector
for the recovery passphrase.
This fixes the following error:
fscrypt encrypt: login protectors do not need a name
projects / fscrypt.git / log