From 5e8dfc196020693d2a9dc809cf6bc87096ddc09f Mon Sep 17 00:00:00 2001 From: "Joe Richey joerichey@google.com" Date: Tue, 15 Aug 2017 12:06:11 -0700 Subject: [PATCH] crypto: Switch from session to user keyring --- actions/policy.go | 2 +- crypto/crypto.go | 5 ++--- crypto/key.go | 42 +++++++++++------------------------------- 3 files changed, 14 insertions(+), 35 deletions(-) diff --git a/actions/policy.go b/actions/policy.go index 946bdd46..ceae573d 100644 --- a/actions/policy.go +++ b/actions/policy.go @@ -365,7 +365,7 @@ func (policy *Policy) Apply(path string) error { // IsProvisioned returns a boolean indicating if the policy has its key in the // keyring, meaning files and directories using this policy are accessible. func (policy *Policy) IsProvisioned() bool { - _, _, err := crypto.FindPolicyKey(policy.Description()) + _, err := crypto.FindPolicyKey(policy.Description()) return err == nil } diff --git a/crypto/crypto.go b/crypto/crypto.go index e66b0dd3..b6368ce0 100644 --- a/crypto/crypto.go +++ b/crypto/crypto.go @@ -63,10 +63,9 @@ var ( ErrGetrandomFail = util.SystemError("getrandom() failed") ErrKeyAlloc = util.SystemError("could not allocate memory for key") ErrKeyFree = util.SystemError("could not free memory of key") - ErrKeyringLocate = util.SystemError("could not locate the session keyring") - ErrKeyringInsert = util.SystemError("could not insert key into the session keyring") + ErrKeyringInsert = util.SystemError("could not insert key into the keyring") ErrKeyringSearch = errors.New("could not find key with descriptor") - ErrKeyringDelete = util.SystemError("could not delete key from the session keyring") + ErrKeyringDelete = util.SystemError("could not delete key from the keyring") ) // panicInputLength panics if "name" has invalid length (expected != actual) diff --git a/crypto/key.go b/crypto/key.go index e440ca1a..1d9e72cb 100644 --- a/crypto/key.go +++ b/crypto/key.go @@ -49,6 +49,9 @@ const ( // v4.8 and f2fs systems before v4.6, filesystem specific services must // be used (these legacy services will still work with later kernels). DefaultService = unix.FS_KEY_DESC_PREFIX + // KeyringID is the keyring that fscrypt's keys will be added to. Currently it + // is the user keyring to avoid hitting systemd/issues/5715. + KeyringID = unix.KEY_SPEC_USER_KEYRING // keyType is always logon as required by filesystem encryption keyType = "logon" // Keys need to readable and writable, but hidden from other processes. @@ -249,30 +252,12 @@ func NewFixedLengthKeyFromReader(reader io.Reader, length int) (*Key, error) { return key, nil } -// getKeyring returns the id of the session keyring, or the id of the user -// session keyring if session keyring does not exist. We cannot directly use -// KEY_SPEC_SESSION_KEYRING, as that will make a new session keyring if one does -// not exist, which will be garbage collected when the process terminates. -func getKeyring() (int, error) { - keyringID, err := unix.KeyctlGetKeyringID(unix.KEY_SPEC_SESSION_KEYRING, false) - log.Printf("unix.KeyctlGetKeyringID(KEY_SPEC_SESSION_KEYRING) = %d, %v", keyringID, err) - if err != nil { - return 0, errors.Wrap(ErrKeyringLocate, err.Error()) - } - return keyringID, nil -} - // FindPolicyKey tries to locate a policy key in the kernel keyring with the // provided description. The keyring and key ids are returned if we can find the // key. An error is returned if the key does not exist. -func FindPolicyKey(description string) (keyringID, keyID int, err error) { - keyringID, err = getKeyring() - if err != nil { - return - } - - keyID, err = unix.KeyctlSearch(keyringID, keyType, description, 0) - log.Printf("unix.KeyctlSearch(%d, %s, %s) = %d, %v", keyringID, keyType, description, keyID, err) +func FindPolicyKey(description string) (keyID int, err error) { + keyID, err = unix.KeyctlSearch(KeyringID, keyType, description, 0) + log.Printf("unix.KeyctlSearch(%d, %s, %s) = %d, %v", KeyringID, keyType, description, keyID, err) if err != nil { err = errors.Wrap(ErrKeyringSearch, err.Error()) } @@ -282,13 +267,13 @@ func FindPolicyKey(description string) (keyringID, keyID int, err error) { // RemovePolicyKey tries to remove a policy key from the kernel keyring with the // provided description. An error is returned if the key does not exist. func RemovePolicyKey(description string) error { - keyringID, keyID, err := FindPolicyKey(description) + keyID, err := FindPolicyKey(description) if err != nil { return err } - _, err = unix.KeyctlInt(unix.KEYCTL_UNLINK, keyID, keyringID, 0, 0) - log.Printf("unix.KeyctlUnlink(%d, %d) = %v", keyID, keyringID, err) + _, err = unix.KeyctlInt(unix.KEYCTL_UNLINK, keyID, KeyringID, 0, 0) + log.Printf("unix.KeyctlUnlink(%d, %d) = %v", keyID, KeyringID, err) if err != nil { return errors.Wrap(ErrKeyringDelete, err.Error()) } @@ -316,14 +301,9 @@ func InsertPolicyKey(key *Key, description string) error { fscryptKey.Size = metadata.PolicyKeyLen copy(fscryptKey.Raw[:], key.data) - keyringID, err := getKeyring() - if err != nil { - return err - } - - keyID, err := unix.AddKey(keyType, description, payload.data, keyringID) + keyID, err := unix.AddKey(keyType, description, payload.data, KeyringID) log.Printf("unix.AddKey(%s, %s, , %d) = %d, %v", - keyType, description, keyringID, keyID, err) + keyType, description, KeyringID, keyID, err) if err != nil { return errors.Wrap(ErrKeyringInsert, err.Error()) }