Merge 82d0143 into 10bbfcb

actions/context.go

@@ -142,7 +142,7 @@ func (ctx *Context) getService() string {
 			return ctx.Mount.FilesystemType + ":"
 		}
 	}
-	return unix.FS_KEY_DESC_PREFIX
+	return unix.FSCRYPT_KEY_DESC_PREFIX
 }
 
 // getProtectorOption returns the ProtectorOption for the protector on the

crypto/crypto_test.go

@@ -56,7 +56,7 @@ var (
 	fakeValidDescriptor = "0123456789abcdef"
 	fakeSalt            = bytes.Repeat([]byte{'a'}, metadata.SaltLen)
 	fakePassword        = []byte("password")
-	defaultService      = unix.FS_KEY_DESC_PREFIX
+	defaultService      = unix.FSCRYPT_KEY_DESC_PREFIX
 
 	fakeValidPolicyKey, _   = makeKey(42, metadata.PolicyKeyLen)
 	fakeInvalidPolicyKey, _ = makeKey(42, metadata.PolicyKeyLen-1)

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad
 	golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529
 	golang.org/x/lint v0.0.0-20190930215403-16217165b5de
-	golang.org/x/sys v0.0.0-20190412213103-97732733099d
+	golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2
 	golang.org/x/tools v0.0.0-20191025023517-2077df36852e
 	honnef.co/go/tools v0.0.1-2019.2.3
 )

go.sum

@@ -30,6 +30,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2 h1:/J2nHFg1MTqaRLFO7M+J78ASNsJoz3r0cvHBPQ77fsE=
+golang.org/x/sys v0.0.0-20191127021746-63cb32ae39b2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=

metadata/constants.go

@@ -28,15 +28,15 @@ import (
 // Lengths for our keys, buffers, and strings used in fscrypt.
 const (
 	// DescriptorLen is the length of all Protector and Policy descriptors.
-	DescriptorLen = 2 * unix.FS_KEY_DESCRIPTOR_SIZE
+	DescriptorLen = 2 * unix.FSCRYPT_KEY_DESCRIPTOR_SIZE
 	// We always use 256-bit keys internally (compared to 512-bit policy keys).
 	InternalKeyLen = 32
 	IVLen          = 16
 	SaltLen        = 16
 	// We use SHA256 for the HMAC, and len(HMAC) == len(hash size).
 	HMACLen = sha256.Size
 	// PolicyKeyLen is the length of all keys passed directly to the Keyring
-	PolicyKeyLen = unix.FS_MAX_KEY_SIZE
+	PolicyKeyLen = unix.FSCRYPT_MAX_KEY_SIZE
 )
 
 var (

metadata/metadata.proto

@@ -63,7 +63,7 @@ message ProtectorData {
 message EncryptionOptions {
   int64 padding = 1;
 
-  // Type of encryption; should match declarations of unix.FS_ENCRYPTION_MODE
+  // Type of encryption; should match declarations of unix.FSCRYPT_MODE
   enum Mode {
     default = 0;
     AES_256_XTS = 1;

metadata/policy.go

@@ -46,7 +46,7 @@ var (
 // pointers and file descriptors to the IOCTL syscall. This function also takes
 // some of the unclear errors returned by the syscall and translates then into
 // more specific error strings.
-func policyIoctl(file *os.File, request uintptr, policy *unix.FscryptPolicy) error {
+func policyIoctl(file *os.File, request uintptr, policy *unix.FscryptPolicyV1) error {
 	// The returned errno value can sometimes give strange errors, so we
 	// return encryption specific errors.
 	_, _, errno := unix.Syscall(unix.SYS_IOCTL, file.Fd(), request, uintptr(unsafe.Pointer(policy)))
@@ -68,11 +68,11 @@ func policyIoctl(file *os.File, request uintptr, policy *unix.FscryptPolicy) err
 	}
 }
 
-// Maps EncryptionOptions.Padding <-> FscryptPolicy.Flags
+// Maps EncryptionOptions.Padding <-> FSCRYPT_POLICY_FLAGS
 var (
 	paddingArray = []int64{4, 8, 16, 32}
-	flagsArray   = []int64{unix.FS_POLICY_FLAGS_PAD_4, unix.FS_POLICY_FLAGS_PAD_8,
-		unix.FS_POLICY_FLAGS_PAD_16, unix.FS_POLICY_FLAGS_PAD_32}
+	flagsArray   = []int64{unix.FSCRYPT_POLICY_FLAGS_PAD_4, unix.FSCRYPT_POLICY_FLAGS_PAD_8,
+		unix.FSCRYPT_POLICY_FLAGS_PAD_16, unix.FSCRYPT_POLICY_FLAGS_PAD_32}
 )
 
 // GetPolicy returns the Policy data for the given directory or file (includes
@@ -85,13 +85,13 @@ func GetPolicy(path string) (*PolicyData, error) {
 	}
 	defer file.Close()
 
-	var policy unix.FscryptPolicy
+	var policy unix.FscryptPolicyV1
 	if err = policyIoctl(file, unix.FS_IOC_GET_ENCRYPTION_POLICY, &policy); err != nil {
 		return nil, errors.Wrapf(err, "get encryption policy %s", path)
 	}
 
 	// Convert the padding flag into an amount of padding
-	paddingFlag := int64(policy.Flags & unix.FS_POLICY_FLAGS_PAD_MASK)
+	paddingFlag := int64(policy.Flags & unix.FSCRYPT_POLICY_FLAGS_PAD_MASK)
 
 	// This lookup should always succeed
 	padding, ok := util.Lookup(paddingFlag, flagsArray, paddingArray)
@@ -147,12 +147,11 @@ func SetPolicy(path string, data *PolicyData) error {
 	}
 
 	if shouldUseDirectKeyFlag(data.Options) {
-		// TODO: use unix.FS_POLICY_FLAG_DIRECT_KEY here once available
-		flags |= 0x4
+		flags |= unix.FSCRYPT_POLICY_FLAG_DIRECT_KEY
 	}
 
-	policy := unix.FscryptPolicy{
-		Version:                   0, // Version must always be zero
+	policy := unix.FscryptPolicyV1{
+		Version:                   unix.FSCRYPT_POLICY_V1,
 		Contents_encryption_mode:  uint8(data.Options.Contents),
 		Filenames_encryption_mode: uint8(data.Options.Filenames),
 		Flags:                     uint8(flags),
@@ -189,7 +188,7 @@ func CheckSupport(path string) error {
 	defer file.Close()
 
 	// On supported directories, giving a bad policy will return EINVAL
-	badPolicy := unix.FscryptPolicy{
+	badPolicy := unix.FscryptPolicyV1{
 		Version:                   math.MaxUint8,
 		Contents_encryption_mode:  math.MaxUint8,
 		Filenames_encryption_mode: math.MaxUint8,