Merge pull request #37 from google/keyring

crypto: Switch from session to user keyring
google · Aug 15, 2017 · b4d51e0 · b4d51e0
2 parents 1281987 + 5e8dfc1
commit b4d51e0
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 35 deletions.
diff --git a/actions/policy.go b/actions/policy.go
@@ -365,7 +365,7 @@ func (policy *Policy) Apply(path string) error {
 // IsProvisioned returns a boolean indicating if the policy has its key in the
 // keyring, meaning files and directories using this policy are accessible.
 func (policy *Policy) IsProvisioned() bool {
-	_, _, err := crypto.FindPolicyKey(policy.Description())
+	_, err := crypto.FindPolicyKey(policy.Description())
 	return err == nil
 }
 

diff --git a/crypto/crypto.go b/crypto/crypto.go
@@ -63,10 +63,9 @@ var (
 	ErrGetrandomFail  = util.SystemError("getrandom() failed")
 	ErrKeyAlloc       = util.SystemError("could not allocate memory for key")
 	ErrKeyFree        = util.SystemError("could not free memory of key")
-	ErrKeyringLocate  = util.SystemError("could not locate the session keyring")
-	ErrKeyringInsert  = util.SystemError("could not insert key into the session keyring")
+	ErrKeyringInsert  = util.SystemError("could not insert key into the keyring")
 	ErrKeyringSearch  = errors.New("could not find key with descriptor")
-	ErrKeyringDelete  = util.SystemError("could not delete key from the session keyring")
+	ErrKeyringDelete  = util.SystemError("could not delete key from the keyring")
 )
 
 // panicInputLength panics if "name" has invalid length (expected != actual)

diff --git a/crypto/key.go b/crypto/key.go
@@ -49,6 +49,9 @@ const (
 	// v4.8 and f2fs systems before v4.6, filesystem specific services must
 	// be used (these legacy services will still work with later kernels).
 	DefaultService = unix.FS_KEY_DESC_PREFIX
+	// KeyringID is the keyring that fscrypt's keys will be added to. Currently it
+	// is the user keyring to avoid hitting systemd/issues/5715.
+	KeyringID = unix.KEY_SPEC_USER_KEYRING
 	// keyType is always logon as required by filesystem encryption
 	keyType = "logon"
 	// Keys need to readable and writable, but hidden from other processes.
@@ -249,30 +252,12 @@ func NewFixedLengthKeyFromReader(reader io.Reader, length int) (*Key, error) {
 	return key, nil
 }
 
-// getKeyring returns the id of the session keyring, or the id of the user
-// session keyring if session keyring does not exist. We cannot directly use
-// KEY_SPEC_SESSION_KEYRING, as that will make a new session keyring if one does
-// not exist, which will be garbage collected when the process terminates.
-func getKeyring() (int, error) {
-	keyringID, err := unix.KeyctlGetKeyringID(unix.KEY_SPEC_SESSION_KEYRING, false)
-	log.Printf("unix.KeyctlGetKeyringID(KEY_SPEC_SESSION_KEYRING) = %d, %v", keyringID, err)
-	if err != nil {
-		return 0, errors.Wrap(ErrKeyringLocate, err.Error())
-	}
-	return keyringID, nil
-}
-
 // FindPolicyKey tries to locate a policy key in the kernel keyring with the
 // provided description. The keyring and key ids are returned if we can find the
 // key. An error is returned if the key does not exist.
-func FindPolicyKey(description string) (keyringID, keyID int, err error) {
-	keyringID, err = getKeyring()
-	if err != nil {
-		return
-	}
-
-	keyID, err = unix.KeyctlSearch(keyringID, keyType, description, 0)
-	log.Printf("unix.KeyctlSearch(%d, %s, %s) = %d, %v", keyringID, keyType, description, keyID, err)
+func FindPolicyKey(description string) (keyID int, err error) {
+	keyID, err = unix.KeyctlSearch(KeyringID, keyType, description, 0)
+	log.Printf("unix.KeyctlSearch(%d, %s, %s) = %d, %v", KeyringID, keyType, description, keyID, err)
 	if err != nil {
 		err = errors.Wrap(ErrKeyringSearch, err.Error())
 	}
@@ -282,13 +267,13 @@ func FindPolicyKey(description string) (keyringID, keyID int, err error) {
 // RemovePolicyKey tries to remove a policy key from the kernel keyring with the
 // provided description. An error is returned if the key does not exist.
 func RemovePolicyKey(description string) error {
-	keyringID, keyID, err := FindPolicyKey(description)
+	keyID, err := FindPolicyKey(description)
 	if err != nil {
 		return err
 	}
 
-	_, err = unix.KeyctlInt(unix.KEYCTL_UNLINK, keyID, keyringID, 0, 0)
-	log.Printf("unix.KeyctlUnlink(%d, %d) = %v", keyID, keyringID, err)
+	_, err = unix.KeyctlInt(unix.KEYCTL_UNLINK, keyID, KeyringID, 0, 0)
+	log.Printf("unix.KeyctlUnlink(%d, %d) = %v", keyID, KeyringID, err)
 	if err != nil {
 		return errors.Wrap(ErrKeyringDelete, err.Error())
 	}
@@ -316,14 +301,9 @@ func InsertPolicyKey(key *Key, description string) error {
 	fscryptKey.Size = metadata.PolicyKeyLen
 	copy(fscryptKey.Raw[:], key.data)
 
-	keyringID, err := getKeyring()
-	if err != nil {
-		return err
-	}
-
-	keyID, err := unix.AddKey(keyType, description, payload.data, keyringID)
+	keyID, err := unix.AddKey(keyType, description, payload.data, KeyringID)
 	log.Printf("unix.AddKey(%s, %s, <payload>, %d) = %d, %v",
-		keyType, description, keyringID, keyID, err)
+		keyType, description, KeyringID, keyID, err)
 	if err != nil {
 		return errors.Wrap(ErrKeyringInsert, err.Error())
 	}