From 32c9be59a2485ef44ac4b3accc2f102cf2eb5a39 Mon Sep 17 00:00:00 2001
From: "Joe Richey joerichey@google.com"
Date: Tue, 22 Aug 2017 12:52:41 -0700
Subject: [PATCH] security: Moved cache dropping function
---
 cmd/fscrypt/commands.go | 4 ++--
 security/cache.go | 41 +++++++++++++++++++++++++++++++++++++++++
 security/privileges.go | 1 +
 util/util.go | 17 -----------------
 4 files changed, 44 insertions(+), 19 deletions(-)
 create mode 100644 security/cache.go
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index e6c7f9a..3e8bc98 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -33,7 +33,7 @@ import ( "github.com/google/fscrypt/actions" "github.com/google/fscrypt/filesystem" "github.com/google/fscrypt/metadata" - "github.com/google/fscrypt/util" + "github.com/google/fscrypt/security" ) // Setup is a command which can to global or per-filesystem initialization.
@@ -371,7 +371,7 @@ func purgeAction(c *cli.Context) error { fmt.Fprintf(c.App.Writer, "Policies purged for %q.\n", ctx.Mount.Path) if dropCachesFlag.Value { - if err = util.DropInodeCache(); err != nil { + if err = security.DropInodeCache(); err != nil { return newExitError(c, err) } fmt.Fprintf(c.App.Writer, "Global inode cache cleared.\n")
diff --git a/security/cache.go b/security/cache.go
new file mode 100644
index 0000000..7002014
--- /dev/null
+++ b/security/cache.go
@@ -0,0 +1,41 @@
+/*
+ * cache.go - Handles cache clearing and management.
+ *
+ * Copyright 2017 Google Inc.
+ * Author: Joe Richey (joerichey@google.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package security
+
+import (
+ "log"
+ "os"
+)
+
+// DropInodeCache instructs the kernel to clear the global cache of inodes and
+// dentries. This has the effect of making encrypted directories whose keys
+// are not present no longer accessible. Requires root privileges.
+func DropInodeCache() error {
+ log.Print("dropping page caches")
+ // See: https://www.kernel.org/doc/Documentation/sysctl/vm.txt
+ file, err := os.OpenFile("/proc/sys/vm/drop_caches", os.O_WRONLY|os.O_SYNC, 0)
+ if err != nil {
+ return err
+ }
+ defer file.Close()
+ // "2" just clears the inodes and dentries
+ _, err = file.WriteString("2")
+ return err
+}
diff --git a/security/privileges.go b/security/privileges.go
index f6e8098..aff41a7 100644
--- a/security/privileges.go
+++ b/security/privileges.go
@@ -18,6 +18,7 @@ */ // Package security manages: +// - Cache clearing (cache.go) // - Keyring Operations (keyring.go) // - Privilege manipulation (privileges.go) // - Maintaining the link between the root and user keyrings.
diff --git a/util/util.go b/util/util.go
index acdc3fc..14d23e2 100644
--- a/util/util.go
+++ b/util/util.go
@@ -25,7 +25,6 @@ package util import ( "bufio" - "log" "math" "os" "unsafe"
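Review bot: In `DropInodeCache` (security/cache.go) the log line `log.Print("dropping page caches")` does not match what the function does: it writes "2", which the comment on that write describes as clearing only inodes and dentries, so the log entry for a purge is misleading; `log.Print("dropping inode and dentry caches")` would be accurate. The doc comment also promises that directories whose keys are absent become inaccessible, but the kernel document linked inside the function says drop_caches will not free dirty objects and suggests running sync first, and entries still in use (open files, a process's working directory) are presumably not evicted either. Calling `syscall.Sync()` before opening /proc/sys/vm/drop_caches, and rewording the comment to say that only reclaimable entries are dropped, would keep callers from reading a nil error as proof that nothing from the encrypted directories remains cached. The function is moved here unchanged from util/util.go, so this could equally land as a follow-up commit.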
@@ -98,19 +97,3 @@ func ReadLine() (string, error) {
 scanner.Scan()
 return scanner.Text(), scanner.Err()
 }
-
-// DropInodeCache instructs the kernel to clear the global cache of inodes and
-// dentries. This has the effect of making encrypted directories whose keys
-// are not present no longer accessible. Requires root privileges.
-func DropInodeCache() error {
- log.Print("dropping page caches")
- // See: https://www.kernel.org/doc/Documentation/sysctl/vm.txt
- file, err := os.OpenFile("/proc/sys/vm/drop_caches", os.O_WRONLY|os.O_SYNC, 0)
- if err != nil {
- return err
- }
- defer file.Close()
- // "2" just clears the inodes and dentries
- _, err = file.WriteString("2")
- return err
-}
--
2.39.5