Eric Biggers [Mon, 13 Sep 2021 19:40:14 +0000 (12:40 -0700)]
README: remove note about stability
A lot of people are already using fscrypt, so in practice we haven't
been breaking backwards compatibility and aren't going to. Just remove
the scary-sounding "Note about stability".
Eric Biggers [Mon, 13 Sep 2021 19:40:14 +0000 (12:40 -0700)]
README: remove note about planned commands
These would still be nice to add. However, the mention of them in the
README is misleading because people reading it might come away with the
impression that there is currently no way to back up fscrypt metadata or
to recover directories -- which isn't true. (The fscrypt metadata is
just a directory which can be backed up like any other directory. And
'fscrypt encrypt' already offers to generate a recovery passphrase when
the directory and protector are on different filesystems.)
Just remove this note; it doesn't really add any value.
Eric Biggers [Sun, 27 Jun 2021 20:13:10 +0000 (13:13 -0700)]
cmd/fscrypt: fix detection of GRUB installation
Fix the GRUB detection logic to take into account that
MOUNTPOINT/boot/grub might not be on the same filesystem as MOUNTPOINT,
due to MOUNTPOINT/boot being another mountpoint. The warning is only
appropriate when GRUB is installed on the same filesystem that
encryption is going to be enabled on.
Eric Biggers [Thu, 10 Jun 2021 04:21:22 +0000 (21:21 -0700)]
README: improve troubleshooting tips for unlocked encrypted files
Rename the troubleshooting section "Can't log in with ssh even when
user's encrypted home directory is unlocked" to the more general "Some
processes can't access unlocked encrypted files", and rewrite it to
provide clearer directions for how to fix the problem by upgrading
encrypted directories to policy version 2.
Also add a related section "Users can access other users' unlocked
encrypted files" which covers the reverse "issue", i.e. people expecting
some processes to *not* be able to access unlocked encrypted files.
Joe Richey [Mon, 24 May 2021 10:42:01 +0000 (03:42 -0700)]
Run the Garbage Collector in the timing loop
Running `crypto.PassphraseHash` in a loop allocates a lot of memory.
Golang is not always prudent about collecting the garbage from previous
runs, resulting in a OOM error on memory-pressured systems.
With a `maxMemoryBytes` of 128 MiB, this change reduces the maximum
resident memory for `fscrypt setup` to 141 MiB (was perviously 405 MiB)
Eric Biggers [Thu, 6 May 2021 05:09:26 +0000 (22:09 -0700)]
Specify -buildmode=c-shared after GO_FLAGS rather than before
When building pam_fscrypt.so, specify -buildmode=c-shared after
$(GO_FLAGS) so that it overrides any user-specified buildmode.
This is needed to allow -buildmode=pie to be specified in GO_FLAGS if
the packager wants to build fscrypt as a position-independent executable
(e.g. following https://wiki.archlinux.org/title/Go_package_guidelines).
Previously, trying to do this caused pam_fscrypt.so to be incorrectly
built as an executable rather than as a shared library.
Eric Biggers [Mon, 8 Mar 2021 23:20:08 +0000 (15:20 -0800)]
pam_fscrypt: make "lock_policies" the default behavior
All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook. The
Debian/Ubuntu pam-config-framework config file has it too.
Make locking the default behavior, since this is what everyone wants.
Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.
(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful. So for
simplicity, leave it out for now.)
Configuring whether pam_fscrypt drops caches or not isn't really
something the user should have to do, and it's also irrelevant for v2
encryption policies (the default on newer systems). It's better to have
pam_fscrypt automatically decide whether it needs to drop caches or not.
Do this by making pam_fscrypt check whether any encryption policy keys
are being removed from a user keyring (rather than from a filesystem
keyring). If so, it drops caches; otherwise it doesn't. This
supersedes the "drop_caches" option, which won't do anything anymore.
Robert McQueen [Wed, 3 Mar 2021 11:34:55 +0000 (11:34 +0000)]
pam_fscrypt/config: prioritise over other session modules
Services launched by systemd user sessions on Debian / Ubuntu systems
are often not able to access the home directory, because there is no
guarantee / requirement that pam_fscrypt is sequenced before
pam_systemd.
Although this pam-config mechanism is Debian-specific, the config file
is provided here upstream and unmodified in Debian. Raising the
priority here so that it's always ordered ahead of pam_systemd will
solve issues such as https://github.com/google/fscrypt/issues/270,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964951 and
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1889416.
After a survey of pam-config files available in Debian bullseye, the
value of 100 was chosen as it appears after most other plugins that
could be involved in more explicit homedir configuration (eg pam_mount
at 128) but before those which seem unlikely to work without a home
directory (eg pam_ssh at 64).
Eric Biggers [Sat, 21 Nov 2020 23:29:26 +0000 (15:29 -0800)]
Switch from Travis CI to GitHub Actions
travis-ci.org is being shut down, so switch to GitHub Actions.
It should be mostly equivalent, but I did drop functionality in a couple
cases:
- Publishing release binaries. I don't think providing Linux binaries
is useful, since people build their own anyway. So I left this out.
- Build and testing on ppc64le. GitHub Actions only natively supports
x86. I tried uraimo/run-on-arch-action, which uses Docker and QEMU
user-mode emulation, but the fscrypt tests can't be run because
QEMU user-mode emulation doesn't support all the needed system calls.
Eric Biggers [Sun, 8 Nov 2020 04:30:51 +0000 (20:30 -0800)]
cmd/fscrypt: fix race condition in getPassphraseKey()
Set the terminal to raw mode *before* printing the prompt.
Otherwise the user (or the automated test) might enter the
passphrase before the terminal gets put into raw mode.
This is needed for some of the CLI tests to pass reliably in Travis CI.
Eric Biggers [Sat, 7 Nov 2020 22:20:45 +0000 (14:20 -0800)]
cmd/fscrypt: fix isDirUnlockedHeuristic() on latest kernels
On an "incompletely locked" directory, isDirUnlockedHeuristic() is
supposed to return true, but on Linux v5.10-rc1 and later it returns
false since now creating a subdirectory fails rather than succeeds.
This change was intentional, so make isDirUnlockedHeuristic() apply a
second heuristic too: also return true if any filenames in the directory
don't appear to be valid no-key names.
This fixes cli-tests/t_v1_encrypt on Linux v5.10-rc1 and later.
Eric Biggers [Fri, 7 Aug 2020 23:37:05 +0000 (16:37 -0700)]
README.md: recommend 'sudo make install PREFIX=/usr' on Ubuntu (#244)
Ubuntu's PAM configuration framework only recognizes files in /usr, not
/usr/local. So for installs from source, unfortunately we have to
recommend installing to /usr, despite this not being conventional.
Eric Biggers [Sat, 13 Jun 2020 17:06:15 +0000 (10:06 -0700)]
cmd/fscrypt: adjust status message for v1-encrypted dirs
When 'fscrypt status DIR' detects that a v1-encrypted directory is still
usable but its key seems to be absent, it shows the status as
"Unlocked: Partially (incompletely locked)". But actually it can also
be the case that the directory is unlocked by another user. Adjust the
status message accordingly.
Eric Biggers [Sat, 13 Jun 2020 17:06:15 +0000 (10:06 -0700)]
cli-tests/t_v1_policy: clean up user keyrings at end of test
The test user's user keyring is still linked into root's user keyring at
the end of the test. This is making the test flaky, as there is a
failure that only occurs the first time it is run. Fix the test to
restore the initial state. This makes it consistently fail (to be fixed
by the next commit).
Eric Biggers [Wed, 3 Jun 2020 00:17:54 +0000 (17:17 -0700)]
cmd/fscrypt: fix 32-bit build
statfs.Bsize actually has platform-dependent type, despite the Go
documentation listing it as int64. Fix the build for 32-bit platforms
by casting it to int64.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
filesystem: improve errors
Introduce filesystem.ErrEncryptionNotEnabled and
filesystem.ErrEncryptionNotSupported which include the Mount as context,
and translate the corresponding metadata/ errors into them. Then make
these errors show much better suggestions.
Also replace lots of other filesystem/ errors with either custom types
or with unnamed one-off errors that include more context. Fix backwards
wrapping in lots of cases.
Finally, don't include the mountpoint in places where it's not useful,
like OS-level errors that already include the path.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
metadata: improve errors
ErrBadOwners:
Rename to ErrDirectoryNotOwned for clarity, move it from
cmd/fscrypt/ to metadata/ where it better belongs, and improve
the message.
ErrEncrypted:
Rename to ErrAlreadyEncrypted for clarity, and include the path.
ErrNotEncrypted:
Include the path.
ErrBadEncryptionOptions:
Include the path and bad options.
ErrEncryptionNotSupported:
ErrEncryptionNotEnabled:
Don't wrap with "get encryption policy %s", in preparation for
wrapping these with filesystem-level context instead.
Also avoid mixing together the error handling for the "get policy" and
"set policy" ioctls. Make it very clear how we're handling the errors
from each ioctl.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
keyring: improve errors
ErrAccessUserKeyring:
Include the user, and fix the backwards wrapping.
ErrSessionUserKeyring:
Include the user.
ErrKeyAdd:
ErrKeyRemove:
ErrKeySearch:
ErrLinkUserKeyring:
Replace these with one-off unnamed errors because they are
never checked for, and this makes it easier for the callers to
provide better messages, e.g. fixing the backwards wrapping.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
crypto: improve errors
ErrKeyLock:
Rename to ErrMlockUlimit for clarity.
ErrGetrandomFail:
ErrKeyAlloc:
ErrKeyFree:
ErrNegativeLength:
Replace these with one-off unnamed errors because these were all
returned in only one place and were never checked for. Also
these were all either wrapped backwards or discarded an
underlying error, so fix that too.
Eric Biggers [Sat, 9 May 2020 21:52:07 +0000 (14:52 -0700)]
actions/policy: improve errors
ErrMissingPolicyMetadata:
Include the mount, directory path, and metadata path. Also move
the explanation into actions/ since it doesn't refer to any CLI
command.
ErrPolicyMetadataMismatch:
Include a lot more information. Also start checking for
consistency of the policy key descriptors, not just the
encryption options. Add a test for this.
ErrDifferentFilesystem:
Include the mountpoints.
ErrOnlyProtector:
Clarify the message and include the protector descriptor.
ErrAlreadyProtected:
ErrNotProtected:
Include the policy and protector descriptors.
ErrAccessDeniedPossiblyV2:
Make it slightly clearer what failed. Also move the explanation
into actions/ since it doesn't refer to any CLI command.
Eric Biggers [Sat, 9 May 2020 21:17:17 +0000 (14:17 -0700)]
keyring/user_keyring: switch to KEYCTL_UNLINK
KEYCTL_INVALIDATE has complicated semantics: it doesn't remove the key
from the keyring right away but rather marks it as being invalidated,
and then removes it asynchronously. This nondeterministically breaks
the heuristic I'm implementing to detect v1-encrypted directories being
incompletely locked.
Instead, switch to KEYCTL_UNLINK, which has simpler semantics.
Unfortunately, we can't actually make Travis CI run these tests yet because they need kernel v5.4 or later, and Travis CI doesn't support an Ubuntu version that has that yet. But for now, they can be run manually using make cli-test.
Allow setting FSCRYPT_CONSISTENT_OUTPUT=1 in the environment to cause
policies and protectors to sorted by last modification time. The CLI
tests need this to make the output of 'fscrypt' ordered in a consistent
way with regard to the operations performed.
Allow overriding the mountpoint where login protectors are stored by
setting the FSCRYPT_ROOT_MNT environmental variable. The CLI tests need
this to avoid touching the real "/".
Allow overriding the location of fscrypt.conf by setting the
FSCRYPT_CONF environmental variable. The CLI tests need this to avoid
touching the real /etc/fscrypt.conf.
Eric Biggers [Sat, 9 May 2020 19:54:37 +0000 (12:54 -0700)]
travis.yml: stop overriding e2fsprogs version (#222)
There's no longer a need to override the Ubuntu version that the
Travis CI builds install e2fsprogs from, since we now use
"dist: bionic", and e2fsprogs in Bionic supports encryption.
Filip Stanis [Tue, 5 May 2020 01:48:26 +0000 (02:48 +0100)]
keyring: cast FS_IOC_REMOVE_ENCRYPTION_KEY to uintptr (#221)
Since v0.2.6, fscrypt only builds for 64-bit systems. E.g. trying to
build on Raspbian fails with the following error:
$ go get github.com/google/fscrypt/cmd/fscrypt
# github.com/google/fscrypt/keyring
go/src/github.com/google/fscrypt/keyring/fs_keyring.go:231:6: constant 3225445912 overflows int
go/src/github.com/google/fscrypt/keyring/fs_keyring.go:235:7: constant 3225445913 overflows int
Fix it by making the 'ioc' variable have type uintptr.
[EB - removed the later cast to uintptr that became unnecessary, and
added explanation to commit message.]
projects / fscrypt.git / log