From c999f0b04c526a85d061a7461c0e4211e94f9fb7 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sat, 9 Sep 2023 11:30:45 -0700 Subject: [PATCH 1/3] Adjust nested lists to prevent gofmt from flattening them The latest version of gofmt flattens the nested lists in comments in crypto.go and filesystem.go. According to https://go.dev/doc/comment#mistakes, "Go doc comments do not support nested lists". However, that page also mentions that a workaround is to use different list markers for each level. Do that. --- crypto/crypto.go | 6 +++--- filesystem/filesystem.go | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/crypto/crypto.go b/crypto/crypto.go index 1f64b38b..edc4ed71 100644 --- a/crypto/crypto.go +++ b/crypto/crypto.go @@ -18,11 +18,11 @@ */ // Package crypto manages all the cryptography for fscrypt. This includes: -// - Key management (key.go) +// 1. Key management (key.go) // - Securely holding keys in memory // - Making recovery keys -// - Randomness (rand.go) -// - Cryptographic algorithms (crypto.go) +// 2. Randomness (rand.go) +// 3. Cryptographic algorithms (crypto.go) // - encryption (AES256-CTR) // - authentication (SHA256-based HMAC) // - key stretching (SHA256-based HKDF) diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go index 0e1f0c82..ee6c9838 100644 --- a/filesystem/filesystem.go +++ b/filesystem/filesystem.go @@ -21,11 +21,11 @@ // Package filesystem deals with the structure of the files on disk used to // store the metadata for fscrypt. Specifically, this package includes: -// - mountpoint management (mountpoint.go) +// 1. mountpoint management (mountpoint.go) // - querying existing mounted filesystems // - getting filesystems from a UUID // - finding the filesystem for a specific path -// - metadata organization (filesystem.go) +// 2. metadata organization (filesystem.go) // - setting up a mounted filesystem for use with fscrypt // - adding/querying/deleting metadata // - making links to other filesystems' metadata From e663a3ee2287be77dcd44631b29147a1eddcb4f0 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sat, 9 Sep 2023 11:30:45 -0700 Subject: [PATCH 2/3] Re-run 'make format' with latest version of gofmt --- actions/context.go | 8 ++++---- cmd/fscrypt/format.go | 13 +++++++------ crypto/crypto.go | 22 +++++++++++----------- crypto/crypto_test.go | 4 +++- crypto/rand.go | 3 ++- filesystem/filesystem.go | 38 ++++++++++++++++++++------------------ filesystem/mountpoint.go | 19 ++++++++++--------- metadata/config.go | 6 +++--- pam/login.go | 2 ++ pam_fscrypt/pam_fscrypt.go | 1 + security/privileges.go | 4 ++-- 11 files changed, 65 insertions(+), 55 deletions(-) diff --git a/actions/context.go b/actions/context.go index ac3f6d30..4253de22 100644 --- a/actions/context.go +++ b/actions/context.go @@ -22,10 +22,10 @@ // All of the actions include a significant amount of logging, so that good // output can be provided for cmd/fscrypt's verbose mode. // The top-level actions currently include: -// - Creating a new config file -// - Creating a context on which to perform actions -// - Creating, unlocking, and modifying Protectors -// - Creating, unlocking, and modifying Policies +// - Creating a new config file +// - Creating a context on which to perform actions +// - Creating, unlocking, and modifying Protectors +// - Creating, unlocking, and modifying Policies package actions import ( diff --git a/cmd/fscrypt/format.go b/cmd/fscrypt/format.go index 28cc22d0..21253ad5 100644 --- a/cmd/fscrypt/format.go +++ b/cmd/fscrypt/format.go @@ -82,8 +82,10 @@ type prettyFlag interface { } // How a flag should appear on the command line. We have two formats: -// --name -// --name=ARG_NAME +// +// --name +// --name=ARG_NAME +// // The ARG_NAME appears if the prettyFlag's GetArgName() method returns a // non-empty string. The returned string from shortDisplay() does not include // any leading or trailing whitespace. @@ -96,13 +98,12 @@ func shortDisplay(f prettyFlag) string { // How our flags should appear when displaying their usage. An example would be: // -// --help Prints help screen for commands and subcommands. +// --help Prints help screen for commands and subcommands. // // If a default is specified, then it is appended to the usage. Example: // -// --time=TIME Calibrate passphrase hashing to take the -// specified amount of TIME (default: 1s) -// +// --time=TIME Calibrate passphrase hashing to take the +// specified amount of TIME (default: 1s) func longDisplay(f prettyFlag, defaultString ...string) string { usage := f.GetUsage() if len(defaultString) > 0 { diff --git a/crypto/crypto.go b/crypto/crypto.go index edc4ed71..6a719ddd 100644 --- a/crypto/crypto.go +++ b/crypto/crypto.go @@ -18,17 +18,17 @@ */ // Package crypto manages all the cryptography for fscrypt. This includes: -// 1. Key management (key.go) -// - Securely holding keys in memory -// - Making recovery keys -// 2. Randomness (rand.go) -// 3. Cryptographic algorithms (crypto.go) -// - encryption (AES256-CTR) -// - authentication (SHA256-based HMAC) -// - key stretching (SHA256-based HKDF) -// - key wrapping/unwrapping (Encrypt then MAC) -// - passphrase-based key derivation (Argon2id) -// - key descriptor computation (double SHA512, or HKDF-SHA512) +// 1. Key management (key.go) +// - Securely holding keys in memory +// - Making recovery keys +// 2. Randomness (rand.go) +// 3. Cryptographic algorithms (crypto.go) +// - encryption (AES256-CTR) +// - authentication (SHA256-based HMAC) +// - key stretching (SHA256-based HKDF) +// - key wrapping/unwrapping (Encrypt then MAC) +// - passphrase-based key derivation (Argon2id) +// - key descriptor computation (double SHA512, or HKDF-SHA512) package crypto import ( diff --git a/crypto/crypto_test.go b/crypto/crypto_test.go index f98c643e..1fa5a0c9 100644 --- a/crypto/crypto_test.go +++ b/crypto/crypto_test.go @@ -64,7 +64,9 @@ func fakePassphraseKey() (*Key, error) { // Values for test cases pulled from argon2 command line tool. // To generate run: -// echo "password" | argon2 "aaaaaaaaaaaaaaaa" -id -t -m -p

-l 32 +// +// echo "password" | argon2 "aaaaaaaaaaaaaaaa" -id -t -m -p

-l 32 +// // where costs.Time = , costs.Memory = 2^, and costs.Parallelism =

. type hashTestCase struct { costs *metadata.HashingCosts diff --git a/crypto/rand.go b/crypto/rand.go index 7d1e55bf..527f8410 100644 --- a/crypto/rand.go +++ b/crypto/rand.go @@ -30,7 +30,8 @@ import ( // the operating system has insufficient randomness, the buffer creation will // fail. This is an improvement over Go's built-in crypto/rand which will still // return bytes if the system has insufficiency entropy. -// See: https://github.com/golang/go/issues/19274 +// +// See: https://github.com/golang/go/issues/19274 // // While this syscall was only introduced in Kernel v3.17, it predates the // introduction of filesystem encryption, so it introduces no additional diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go index ee6c9838..98294358 100644 --- a/filesystem/filesystem.go +++ b/filesystem/filesystem.go @@ -21,15 +21,15 @@ // Package filesystem deals with the structure of the files on disk used to // store the metadata for fscrypt. Specifically, this package includes: -// 1. mountpoint management (mountpoint.go) -// - querying existing mounted filesystems -// - getting filesystems from a UUID -// - finding the filesystem for a specific path -// 2. metadata organization (filesystem.go) -// - setting up a mounted filesystem for use with fscrypt -// - adding/querying/deleting metadata -// - making links to other filesystems' metadata -// - following links to get data from other filesystems +// 1. mountpoint management (mountpoint.go) +// - querying existing mounted filesystems +// - getting filesystems from a UUID +// - finding the filesystem for a specific path +// 2. metadata organization (filesystem.go) +// - setting up a mounted filesystem for use with fscrypt +// - adding/querying/deleting metadata +// - making links to other filesystems' metadata +// - following links to get data from other filesystems package filesystem import ( @@ -195,6 +195,7 @@ func (err *ErrProtectorNotFound) Error() string { var SortDescriptorsByLastMtime = false // Mount contains information for a specific mounted filesystem. +// // Path - Absolute path where the directory is mounted // FilesystemType - Type of the mounted filesystem, e.g. "ext4" // Device - Device for filesystem (empty string if we cannot find one) @@ -210,8 +211,9 @@ var SortDescriptorsByLastMtime = false // setup first. Specifically, the directories created look like: // // └── .fscrypt -// ├── policies -// └── protectors +// +// ├── policies +// └── protectors // // These "policies" and "protectors" directories will contain files that are // the corresponding metadata structures for policies and protectors. The public @@ -723,13 +725,13 @@ func (m *Mount) addMetadata(path string, md metadata.Metadata, owner *user.User) // considering that it could be a malicious file created to cause a // denial-of-service. Specifically, the following checks are done: // -// - It must be a regular file, not another type of file like a symlink or FIFO. -// (Symlinks aren't bad by themselves, but given that a malicious user could -// point one to absolutely anywhere, and there is no known use case for the -// metadata files themselves being symlinks, it seems best to disallow them.) -// - It must have a reasonable size (<= maxMetadataFileSize). -// - If trustedUser is non-nil, then the file must be owned by the given user -// or by root. +// - It must be a regular file, not another type of file like a symlink or FIFO. +// (Symlinks aren't bad by themselves, but given that a malicious user could +// point one to absolutely anywhere, and there is no known use case for the +// metadata files themselves being symlinks, it seems best to disallow them.) +// - It must have a reasonable size (<= maxMetadataFileSize). +// - If trustedUser is non-nil, then the file must be owned by the given user +// or by root. // // Take care to avoid TOCTOU (time-of-check-time-of-use) bugs when doing these // tests. Notably, we must open the file before checking the file type, as the diff --git a/filesystem/mountpoint.go b/filesystem/mountpoint.go index 0abae06f..ae432bf1 100644 --- a/filesystem/mountpoint.go +++ b/filesystem/mountpoint.go @@ -106,6 +106,7 @@ func getDeviceName(num DeviceNumber) string { // Parse one line of /proc/self/mountinfo. // // The line contains the following space-separated fields: +// // [0] mount ID // [1] parent ID // [2] major:minor @@ -184,11 +185,11 @@ func addUncontainedSubtreesRecursive(dst map[string]bool, // preferably a read-write mount. However, that doesn't work in containers // where the "/" subtree might not be mounted. Here's a real-world example: // -// mnt.Subtree mnt.Path -// ----------- -------- -// /var/lib/lxc/base/rootfs / -// /var/cache/pacman/pkg /var/cache/pacman/pkg -// /srv/repo/x86_64 /srv/http/x86_64 +// mnt.Subtree mnt.Path +// ----------- -------- +// /var/lib/lxc/base/rootfs / +// /var/cache/pacman/pkg /var/cache/pacman/pkg +// /srv/repo/x86_64 /srv/http/x86_64 // // In this case, all mnt.Subtree are independent. To handle this case, we must // choose the Mount whose mnt.Path contains the others, i.e. the first one. @@ -199,10 +200,10 @@ func addUncontainedSubtreesRecursive(dst map[string]bool, // needed to correctly handle bind mounts. For example, in the following case, // the first Mount should be chosen: // -// mnt.Subtree mnt.Path -// ----------- -------- -// /foo /foo -// /foo/dir /dir +// mnt.Subtree mnt.Path +// ----------- -------- +// /foo /foo +// /foo/dir /dir // // To solve this, we divide the mounts into non-overlapping trees of mnt.Path. // Then, we choose one of these trees which contains (exactly or via path diff --git a/metadata/config.go b/metadata/config.go index 1d93d749..65fd7b52 100644 --- a/metadata/config.go +++ b/metadata/config.go @@ -21,9 +21,9 @@ // Package metadata contains all of the on disk structures. // These structures are defined in metadata.proto. The package also // contains functions for manipulating these structures, specifically: -// * Reading and Writing the Config file to disk -// * Getting and Setting Policies for directories -// * Reasonable defaults for a Policy's EncryptionOptions +// - Reading and Writing the Config file to disk +// - Getting and Setting Policies for directories +// - Reasonable defaults for a Policy's EncryptionOptions package metadata import ( diff --git a/pam/login.go b/pam/login.go index 527b10de..e4f8f836 100644 --- a/pam/login.go +++ b/pam/login.go @@ -51,6 +51,7 @@ var ( // userInput is run when the callback needs some input from the user. We prompt // the user for information and return their answer. A return value of nil // indicates an error occurred. +// //export userInput func userInput(prompt *C.char) *C.char { fmt.Print(C.GoString(prompt)) @@ -65,6 +66,7 @@ func userInput(prompt *C.char) *C.char { // passphraseInput is run when the callback needs a passphrase from the user. We // pass along the tokenToCheck without prompting. A return value of nil // indicates an error occurred. +// //export passphraseInput func passphraseInput(prompt *C.char) *C.char { log.Printf("getting secret data for PAM: %q", C.GoString(prompt)) diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go index 2daff897..15066c1a 100644 --- a/pam_fscrypt/pam_fscrypt.go +++ b/pam_fscrypt/pam_fscrypt.go @@ -403,6 +403,7 @@ func pam_sm_authenticate(pamh unsafe.Pointer, flags, argc C.int, argv **C.char) } // pam_sm_setcred needed because we use pam_sm_authenticate. +// //export pam_sm_setcred func pam_sm_setcred(pamh unsafe.Pointer, flags, argc C.int, argv **C.char) C.int { return C.PAM_SUCCESS diff --git a/security/privileges.go b/security/privileges.go index 5bdd43c5..fe8668d6 100644 --- a/security/privileges.go +++ b/security/privileges.go @@ -18,8 +18,8 @@ */ // Package security manages: -// - Cache clearing (cache.go) -// - Privilege manipulation (privileges.go) +// - Cache clearing (cache.go) +// - Privilege manipulation (privileges.go) package security // Use the libc versions of setreuid, setregid, and setgroups instead of the From b928729b995fbbc007e47ec39a111ef059fcb29c Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sat, 9 Sep 2023 11:30:45 -0700 Subject: [PATCH 3/3] mountpoint_test: skip TestLoadSourceDevice if loop0 doesn't exist Probably resolves https://github.com/google/fscrypt/issues/382 --- filesystem/mountpoint_test.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/filesystem/mountpoint_test.go b/filesystem/mountpoint_test.go index 43b5a0d4..f06219c1 100644 --- a/filesystem/mountpoint_test.go +++ b/filesystem/mountpoint_test.go @@ -17,10 +17,9 @@ * the License. */ -// Note: these tests assume the existence of some well-known directories and -// devices: /mnt, /home, /tmp, and /dev/loop0. This is because the mountpoint -// loading code only retains mountpoints on valid directories, and only retains -// device names for valid device nodes. +// Note: these tests assume the existence of some well-known directories: /mnt, +// /home, and /tmp. This is because the mountpoint loading code only retains +// mountpoints on valid directories. package filesystem @@ -100,6 +99,11 @@ func TestLoadMountInfoBasic(t *testing.T) { // Test that Mount.Device is set to the mountpoint's source device if // applicable, otherwise it is set to the empty string. func TestLoadSourceDevice(t *testing.T) { + // The mountinfo parser ignores devices that don't exist. For the valid + // device, try /dev/loop0. If it doesn't exist, skip the test. + if _, err := os.Stat("/dev/loop0"); err != nil { + t.Skip("/dev/loop0 does not exist, skipping test") + } var mountinfo = ` 15 0 7:0 / / rw shared:1 - foo /dev/loop0 rw,data=ordered 31 15 0:27 / /tmp rw,nosuid,nodev shared:17 - tmpfs tmpfs rw