fscrypt: Determine best supported fscrypt policy on node init

Currently fscrypt supports policy versions 1 and 2. Version 2 is the best
choice and was the only choice prior to this commit. This adds support
for kernels < 5.4 by selecting policy version 1 there.

Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
This commit is contained in:
Marcel Lauhoff 2022-08-12 17:06:48 +02:00 committed by mergify[bot]
parent dd0e1988c0
commit a52314356e


@ -47,6 +47,17 @@ const (
encryptionPassphraseSize = 64 encryptionPassphraseSize = 64
) )
var policyV2Support = []util.KernelVersion{
{
Version: 5,
PatchLevel: 4,
SubLevel: 0,
ExtraVersion: 0,
Distribution: "",
Backport: false,
},
}
func AppendEncyptedSubdirectory(dir string) string { func AppendEncyptedSubdirectory(dir string) string {
return path.Join(dir, FscryptSubdir) return path.Join(dir, FscryptSubdir)
} }
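Review bot: policyV2Support has no doc comment and encodes only the mainline 5.4.0 threshold with `Distribution: ""` and `Backport: false`, so any kernel that does not match it is silently configured with fscrypt policy v1 by getBestPolicyVersion in the next hunk, and nothing records which version was chosen. Whether distribution kernels that backport v2 support are matched depends on util.CheckKernelSupport, which is not visible here; if they are not, such nodes would presumably end up on the weaker v1 policy with no log line showing it, which is worth confirming. I would add a comment above the table, `// policyV2Support lists the kernel versions from which fscrypt policy v2 is selected; kernels that do not match fall back to v1 in getBestPolicyVersion.`, and log the selected version together with the kernel release at node init so a v1 fallback is visible in the node logs. As a style point, the single-case switch in getBestPolicyVersion reads more simply as `if util.CheckKernelSupport(release, policyV2Support) { return 2, nil }` followed by `return 1, nil`. InitializeNode's body continues outside the visible hunk.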
@ -266,10 +277,30 @@ func IsDirectoryUnlocked(directoryPath, filesystem string) error {
return nil return nil
} }
func getBestPolicyVersion() (int64, error) {
// fetch the current running kernel info
release, err := util.GetKernelVersion()
if err != nil {
return 0, fmt.Errorf("fetching current kernel version failed: %w", err)
}
switch {
case util.CheckKernelSupport(release, policyV2Support):
return 2, nil
default:
return 1, nil
}
}
// InitializeNode performs once per nodeserver initialization // InitializeNode performs once per nodeserver initialization
// required by the fscrypt library. Creates /etc/fscrypt.conf. // required by the fscrypt library. Creates /etc/fscrypt.conf.
func InitializeNode(ctx context.Context) error { func InitializeNode(ctx context.Context) error {
err := fscryptactions.CreateConfigFile(FscryptHashingTimeTarget, 2) policyVersion, err := getBestPolicyVersion()
if err != nil {
return fmt.Errorf("fscrypt node init failed to determine best policy version: %w", err)
}
err = fscryptactions.CreateConfigFile(FscryptHashingTimeTarget, policyVersion)
if err != nil { if err != nil {
existsError := &fscryptactions.ErrConfigFileExists{} existsError := &fscryptactions.ErrConfigFileExists{}
if errors.As(err, &existsError) { if errors.As(err, &existsError) {