From 8ff53630f1cc90ae23835e9571f9096e211dce67 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sat, 9 May 2020 14:04:47 -0700 Subject: [PATCH] cmd/fscrypt: add FSCRYPT_ROOT_MNT environmental variable Allow overriding the mountpoint where login protectors are stored by setting the FSCRYPT_ROOT_MNT environmental variable. The CLI tests need this to avoid touching the real "/". --- actions/protector.go | 4 ++++ cmd/fscrypt/commands.go | 5 +++-- cmd/fscrypt/fscrypt.go | 3 +++ cmd/fscrypt/protector.go | 14 ++++++++------ pam_fscrypt/run_fscrypt.go | 3 ++- 5 files changed, 20 insertions(+), 9 deletions(-) diff --git a/actions/protector.go b/actions/protector.go index 4bd7c15..dab9c27 100644 --- a/actions/protector.go +++ b/actions/protector.go @@ -30,6 +30,10 @@ import ( "github.com/google/fscrypt/util" ) +// LoginProtectorMountpoint is the mountpoint where login protectors are stored. +// This can be overridden by the user of this package. +var LoginProtectorMountpoint = "/" + // Errors relating to Protectors var ( ErrProtectorName = errors.New("login protectors do not need a name") diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go index f84102e..ec75584 100644 --- a/cmd/fscrypt/commands.go +++ b/cmd/fscrypt/commands.go @@ -73,12 +73,13 @@ func setupAction(c *cli.Context) error { if err := createGlobalConfig(c.App.Writer, actions.ConfigFileLocation); err != nil { return newExitError(c, err) } - if err := setupFilesystem(c.App.Writer, "/"); err != nil { + if err := setupFilesystem(c.App.Writer, actions.LoginProtectorMountpoint); err != nil { if errors.Cause(err) != filesystem.ErrAlreadySetup { return newExitError(c, err) } fmt.Fprintf(c.App.Writer, - "Skipping creating /.fscrypt because it already exists.\n") + "Skipping creating %s because it already exists.\n", + filepath.Join(actions.LoginProtectorMountpoint, ".fscrypt")) } case 1: // Case (2) - filesystem setup diff --git a/cmd/fscrypt/fscrypt.go b/cmd/fscrypt/fscrypt.go index 069cc96..bbe16bb 100644 --- a/cmd/fscrypt/fscrypt.go +++ b/cmd/fscrypt/fscrypt.go @@ -46,6 +46,9 @@ func main() { if conffile := os.Getenv("FSCRYPT_CONF"); conffile != "" { actions.ConfigFileLocation = conffile } + if rootmnt := os.Getenv("FSCRYPT_ROOT_MNT"); rootmnt != "" { + actions.LoginProtectorMountpoint = rootmnt + } // Create our command line application app := cli.NewApp() diff --git a/cmd/fscrypt/protector.go b/cmd/fscrypt/protector.go index 25f1984..6d35d9e 100644 --- a/cmd/fscrypt/protector.go +++ b/cmd/fscrypt/protector.go @@ -51,8 +51,10 @@ func createProtectorFromContext(ctx *actions.Context) (*actions.Protector, error // We only want to create new login protectors on the root filesystem. // So we make a new context if necessary. - if ctx.Config.Source == metadata.SourceType_pam_passphrase && ctx.Mount.Path != "/" { - log.Printf("creating login protector on %q instead of %q", "/", ctx.Mount.Path) + if ctx.Config.Source == metadata.SourceType_pam_passphrase && + ctx.Mount.Path != actions.LoginProtectorMountpoint { + log.Printf("creating login protector on %q instead of %q", + actions.LoginProtectorMountpoint, ctx.Mount.Path) if ctx, err = modifiedContext(ctx); err != nil { return nil, err } @@ -84,7 +86,7 @@ func expandedProtectorOptions(ctx *actions.Context) ([]*actions.ProtectorOption, } // Do nothing different if we are at the root, or cannot load the root. - if ctx.Mount.Path == "/" { + if ctx.Mount.Path == actions.LoginProtectorMountpoint { return options, nil } if ctx, err = modifiedContext(ctx); err != nil { @@ -117,10 +119,10 @@ func expandedProtectorOptions(ctx *actions.Context) ([]*actions.ProtectorOption, return options, nil } -// modifiedContext returns a copy of ctx with the mountpoint replaced by that of -// the root filesystem. +// modifiedContext returns a copy of ctx with the mountpoint replaced by +// LoginProtectorMountpoint. func modifiedContext(ctx *actions.Context) (*actions.Context, error) { - mnt, err := filesystem.GetMount("/") + mnt, err := filesystem.GetMount(actions.LoginProtectorMountpoint) if err != nil { return nil, err } diff --git a/pam_fscrypt/run_fscrypt.go b/pam_fscrypt/run_fscrypt.go index 3d0acb1..ef7ff92 100644 --- a/pam_fscrypt/run_fscrypt.go +++ b/pam_fscrypt/run_fscrypt.go @@ -132,7 +132,8 @@ func setupLogging(args map[string]bool) io.Writer { // one exists. This protector descriptor (if found) will be cached in the pam // data, under descriptorLabel. func loginProtector(handle *pam.Handle) (*actions.Protector, error) { - ctx, err := actions.NewContextFromMountpoint("/", handle.PamUser) + ctx, err := actions.NewContextFromMountpoint(actions.LoginProtectorMountpoint, + handle.PamUser) if err != nil { return nil, err } -- 2.39.5