From c21b967b1cd1aac299ad047f92921fbec450add8 Mon Sep 17 00:00:00 2001
From: NymanRobin
Date: Wed, 8 May 2024 12:58:38 +0300
Subject: [PATCH] cephfs: upgrade fscrypt version to fix concurrency issue
In older versions of fscrypt there is a race condition when multiple encrypted cephfs instances are deployed simultaneously.
Signed-off-by: NymanRobin
(cherry picked from commit 3073409695df75c2add5b326ada9b34b74467e59)
---
 go.mod | 5 ++-
 go.sum | 11 ++++++
 .../google/fscrypt/actions/context.go | 8 ++--
 .../google/fscrypt/actions/policy.go | 5 ++-
 .../google/fscrypt/crypto/crypto.go | 22 +++++------
 .../github.com/google/fscrypt/crypto/rand.go | 3 +-
 .../google/fscrypt/filesystem/filesystem.go | 38 ++++++++++---------
 .../google/fscrypt/filesystem/mountpoint.go | 19 +++++-----
 .../google/fscrypt/metadata/config.go | 6 +--
 .../google/fscrypt/metadata/metadata.pb.go | 2 +-
 .../google/fscrypt/metadata/policy.go | 13 +++++++
 .../google/fscrypt/security/privileges.go | 4 +-
 vendor/modules.txt | 12 +++++-
 13 files changed, 94 insertions(+), 54 deletions(-)
diff --git a/go.mod b/go.mod
index 502d91bfdf6..1cd7c4839c6 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/csi-addons/spec v0.2.1-0.20230606140122-d20966d2e444
 github.com/gemalto/kmip-go v0.0.10
 github.com/golang/protobuf v1.5.4
- github.com/google/fscrypt v0.3.4
+ github.com/google/fscrypt v0.3.6-0.20240502174735-068b9f8f5dec
 github.com/google/uuid v1.6.0
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
@@ -57,6 +57,7 @@ require (
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
+ github.com/BurntSushi/toml v1.3.2 // indirect
 github.com/NYTimes/gziphandler v1.1.1 // indirect
 github.com/ansel1/merry v1.6.2 // indirect
 github.com/ansel1/merry/v2 v2.0.1 // indirect
@@ -73,6 +74,7 @@ require (
 github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 github.com/cespare/xxhash/v2 v2.2.0 // indirect
+ github.com/client9/misspell v0.3.4 // indirect
 github.com/coreos/go-semver v0.3.1 // indirect
 github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -146,6 +148,7 @@ require (
 github.com/spf13/cobra v1.7.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/stoewer/go-strcase v1.2.0 // indirect
+ github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad // indirect
 go.etcd.io/etcd/api/v3 v3.5.10 // indirect
 go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
 go.etcd.io/etcd/client/v3 v3.5.10 // indirect
diff --git a/go.sum b/go.sum
index cbf0c5133f2..1de7f905650 100644
--- a/go.sum
+++ b/go.sum
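Review bot: The `// indirect` requirements added in these hunks for `github.com/client9/misspell` and `github.com/wadey/gocovmerge` (and the `honnef.co/go/tools` entries that appear in go.sum and vendor/modules.txt) are development tools, not code the driver runs; they presumably enter the graph because the fscrypt pseudo-version declares them in a tools-style import, which a tagged release would not necessarily do. They still become part of the audited supply chain (go.sum hashes, vulnerability and license scans, future bumps), so the reason they are here should be recorded, e.g. `// indirect: pulled in by fscrypt's tool dependencies, no runtime use` beside each, or the pin moved to a tagged fscrypt release once one carrying the concurrency fix is available. vendor/modules.txt lists no packages under these modules, which is consistent with nothing from them being compiled into the binary.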
@@ -785,6 +785,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 h1:DzHpqpoJVaC github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= +github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI= github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ= @@ -880,6 +882,7 @@ github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= 
@@ -1122,6 +1125,8 @@ github.com/google/cel-go v0.17.7/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulN github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/fscrypt v0.3.4 h1:XGSVMIsQFooj82aRRfYn3JpgU/4fOTnzXPnjhxC8uH8= github.com/google/fscrypt v0.3.4/go.mod h1:BRpw7vaeDitXGRvXa281i/ivQszAdBIiUYDWHjVTkcs= +github.com/google/fscrypt v0.3.6-0.20240502174735-068b9f8f5dec h1:bXRTgu+1I882EvvYVEUwehBVahYfqeX9Qqb9eUyPs/g= +github.com/google/fscrypt v0.3.6-0.20240502174735-068b9f8f5dec/go.mod h1:HyY8Z/kUPrnIKAwuhjrn2tSTM5/s9zfRRTqRMG0mHks= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= @@ -1632,6 +1637,7 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk= github.com/urfave/cli v1.22.5/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad h1:W0LEBv82YCGEtcmPA3uNZBI33/qF//HAAs3MawDjRa0= github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad/go.mod h1:Hy8o65+MXnS6EwGElrSRjUzQDLXreJlzYLlWiHtt8hM= github.com/xhit/go-str2duration v1.2.0/go.mod h1:3cPSlfZlUHVlneIVfePFWcJZsuwf+P1v2SRTV4cUmp4= github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= 
@@ -1781,6 +1787,8 @@ golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2F golang.org/x/exp v0.0.0-20220827204233-334a2380cb91 h1:tnebWN09GYg9OLPss1KXj8txwZc6X6uMr6VFdcGNbHw= golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= +golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a h1:Jw5wfR+h9mnIYH+OtGT2im5wV1YGGDora5vTv/aa5bE= +golang.org/x/exp/typeparams v0.0.0-20221208152030-732eee02a75a/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk= golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= @@ -1828,6 +1836,7 @@ golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -2592,6 +2601,8 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
 honnef.co/go/tools v0.3.0/go.mod h1:vlRD9XErLMGT+mDuofSr0mMMquscM/1nQqtRSsh6m70=
+honnef.co/go/tools v0.4.5 h1:YGD4H+SuIOOqsyoLOpZDWcieM28W47/zRO7f+9V3nvo=
+honnef.co/go/tools v0.4.5/go.mod h1:GUV+uIBCLpdf0/v6UhHHG/yzI/z6qPskBeQCjcNB96k=
 k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw=
 k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80=
 k8s.io/apiextensions-apiserver v0.29.3 h1:9HF+EtZaVpFjStakF4yVufnXGPRppWFEQ87qnO91YeI=
diff --git a/vendor/github.com/google/fscrypt/actions/context.go b/vendor/github.com/google/fscrypt/actions/context.go
index ac3f6d30455..4253de22b23 100644
--- a/vendor/github.com/google/fscrypt/actions/context.go
+++ b/vendor/github.com/google/fscrypt/actions/context.go
@@ -22,10 +22,10 @@
 // All of the actions include a significant amount of logging, so that good
 // output can be provided for cmd/fscrypt's verbose mode.
 // The top-level actions currently include:
-// - Creating a new config file
-// - Creating a context on which to perform actions
-// - Creating, unlocking, and modifying Protectors
-// - Creating, unlocking, and modifying Policies
+// - Creating a new config file
+// - Creating a context on which to perform actions
+// - Creating, unlocking, and modifying Protectors
+// - Creating, unlocking, and modifying Policies
 package actions
 
 import (
diff --git a/vendor/github.com/google/fscrypt/actions/policy.go b/vendor/github.com/google/fscrypt/actions/policy.go
index c621725628a..d745f8be63e 100644
--- a/vendor/github.com/google/fscrypt/actions/policy.go
+++ b/vendor/github.com/google/fscrypt/actions/policy.go
@@ -24,6 +24,7 @@ import (
 "log"
 "os"
 "os/user"
+ "reflect"
 
 "github.com/pkg/errors"
 "google.golang.org/protobuf/proto"
@@ -452,7 +453,7 @@ func (policy *Policy) AddProtector(protector *Protector) error {
 
 // If the protector is on a different filesystem, we need to add a link
 // to it on the policy's filesystem.
- if policy.Context.Mount != protector.Context.Mount {
+ if !reflect.DeepEqual(policy.Context.Mount, protector.Context.Mount) {
 log.Printf("policy on %s\n protector on %s\n", policy.Context.Mount, protector.Context.Mount)
 ownerIfCreating, err := getOwnerOfMetadataForProtector(protector)
 if err != nil {
@@ -525,7 +526,7 @@ func (policy *Policy) RemoveProtector(protectorDescriptor string) error {
 func (policy *Policy) Apply(path string) error {
 if pathMount, err := filesystem.FindMount(path); err != nil {
 return err
- } else if pathMount != policy.Context.Mount {
+ } else if !reflect.DeepEqual(pathMount, policy.Context.Mount) {
 return &ErrDifferentFilesystem{policy.Context.Mount, pathMount}
 }
 
diff --git a/vendor/github.com/google/fscrypt/crypto/crypto.go b/vendor/github.com/google/fscrypt/crypto/crypto.go
index 1f64b38bbd5..6a719ddd0c0 100644
--- a/vendor/github.com/google/fscrypt/crypto/crypto.go
+++ b/vendor/github.com/google/fscrypt/crypto/crypto.go
@@ -18,17 +18,17 @@
 */
 
 // Package crypto manages all the cryptography for fscrypt. This includes:
-// - Key management (key.go)
-// - Securely holding keys in memory
-// - Making recovery keys
-// - Randomness (rand.go)
-// - Cryptographic algorithms (crypto.go)
-// - encryption (AES256-CTR)
-// - authentication (SHA256-based HMAC)
-// - key stretching (SHA256-based HKDF)
-// - key wrapping/unwrapping (Encrypt then MAC)
-// - passphrase-based key derivation (Argon2id)
-// - key descriptor computation (double SHA512, or HKDF-SHA512)
+// 1. Key management (key.go)
+// - Securely holding keys in memory
+// - Making recovery keys
+// 2. Randomness (rand.go)
+// 3. Cryptographic algorithms (crypto.go)
+// - encryption (AES256-CTR)
+// - authentication (SHA256-based HMAC)
+// - key stretching (SHA256-based HKDF)
+// - key wrapping/unwrapping (Encrypt then MAC)
+// - passphrase-based key derivation (Argon2id)
+// - key descriptor computation (double SHA512, or HKDF-SHA512)
 package crypto
 
 import (
diff --git a/vendor/github.com/google/fscrypt/crypto/rand.go b/vendor/github.com/google/fscrypt/crypto/rand.go
index 7d1e55bf03b..527f84102f3 100644
--- a/vendor/github.com/google/fscrypt/crypto/rand.go
+++ b/vendor/github.com/google/fscrypt/crypto/rand.go
@@ -30,7 +30,8 @@ import (
 // the operating system has insufficient randomness, the buffer creation will
 // fail. This is an improvement over Go's built-in crypto/rand which will still
 // return bytes if the system has insufficiency entropy.
-// See: https://github.com/golang/go/issues/19274
+//
+// See: https://github.com/golang/go/issues/19274
 //
 // While this syscall was only introduced in Kernel v3.17, it predates the
 // introduction of filesystem encryption, so it introduces no additional
diff --git a/vendor/github.com/google/fscrypt/filesystem/filesystem.go b/vendor/github.com/google/fscrypt/filesystem/filesystem.go
index 0e1f0c82241..98294358511 100644
--- a/vendor/github.com/google/fscrypt/filesystem/filesystem.go
+++ b/vendor/github.com/google/fscrypt/filesystem/filesystem.go
@@ -21,15 +21,15 @@
 
 // Package filesystem deals with the structure of the files on disk used to
 // store the metadata for fscrypt. Specifically, this package includes:
-// - mountpoint management (mountpoint.go)
-// - querying existing mounted filesystems
-// - getting filesystems from a UUID
-// - finding the filesystem for a specific path
-// - metadata organization (filesystem.go)
-// - setting up a mounted filesystem for use with fscrypt
-// - adding/querying/deleting metadata
-// - making links to other filesystems' metadata
-// - following links to get data from other filesystems
+// 1. mountpoint management (mountpoint.go)
+// - querying existing mounted filesystems
+// - getting filesystems from a UUID
+// - finding the filesystem for a specific path
+// 2. metadata organization (filesystem.go)
+// - setting up a mounted filesystem for use with fscrypt
+// - adding/querying/deleting metadata
+// - making links to other filesystems' metadata
+// - following links to get data from other filesystems
 package filesystem
 
 import (
@@ -195,6 +195,7 @@ func (err *ErrProtectorNotFound) Error() string {
 var SortDescriptorsByLastMtime = false
 
 // Mount contains information for a specific mounted filesystem.
+//
 // Path - Absolute path where the directory is mounted
 // FilesystemType - Type of the mounted filesystem, e.g. "ext4"
 // Device - Device for filesystem (empty string if we cannot find one)
@@ -210,8 +211,9 @@ var SortDescriptorsByLastMtime = false
 // setup first. Specifically, the directories created look like:
 //
 // └── .fscrypt
-// ├── policies
-// └── protectors
+//
+// ├── policies
+// └── protectors
 //
 // These "policies" and "protectors" directories will contain files that are
 // the corresponding metadata structures for policies and protectors. The public
@@ -723,13 +725,13 @@ func (m *Mount) addMetadata(path string, md metadata.Metadata, owner *user.User)
 // considering that it could be a malicious file created to cause a
 // denial-of-service. Specifically, the following checks are done:
 //
-// - It must be a regular file, not another type of file like a symlink or FIFO.
-// (Symlinks aren't bad by themselves, but given that a malicious user could
-// point one to absolutely anywhere, and there is no known use case for the
-// metadata files themselves being symlinks, it seems best to disallow them.)
-// - It must have a reasonable size (<= maxMetadataFileSize).
-// - If trustedUser is non-nil, then the file must be owned by the given user
-// or by root.
+// - It must be a regular file, not another type of file like a symlink or FIFO.
+// (Symlinks aren't bad by themselves, but given that a malicious user could
+// point one to absolutely anywhere, and there is no known use case for the
+// metadata files themselves being symlinks, it seems best to disallow them.)
+// - It must have a reasonable size (<= maxMetadataFileSize).
+// - If trustedUser is non-nil, then the file must be owned by the given user
+// or by root.
 //
 // Take care to avoid TOCTOU (time-of-check-time-of-use) bugs when doing these
 // tests. Notably, we must open the file before checking the file type, as the
diff --git a/vendor/github.com/google/fscrypt/filesystem/mountpoint.go b/vendor/github.com/google/fscrypt/filesystem/mountpoint.go
index 0abae06f027..ae432bf126f 100644
--- a/vendor/github.com/google/fscrypt/filesystem/mountpoint.go
+++ b/vendor/github.com/google/fscrypt/filesystem/mountpoint.go
@@ -106,6 +106,7 @@ func getDeviceName(num DeviceNumber) string {
 // Parse one line of /proc/self/mountinfo.
 //
 // The line contains the following space-separated fields:
+//
 // [0] mount ID
 // [1] parent ID
 // [2] major:minor
@@ -184,11 +185,11 @@ func addUncontainedSubtreesRecursive(dst map[string]bool,
 // preferably a read-write mount. However, that doesn't work in containers
 // where the "/" subtree might not be mounted. Here's a real-world example:
 //
-// mnt.Subtree mnt.Path
-// ----------- --------
-// /var/lib/lxc/base/rootfs /
-// /var/cache/pacman/pkg /var/cache/pacman/pkg
-// /srv/repo/x86_64 /srv/http/x86_64
+// mnt.Subtree mnt.Path
+// ----------- --------
+// /var/lib/lxc/base/rootfs /
+// /var/cache/pacman/pkg /var/cache/pacman/pkg
+// /srv/repo/x86_64 /srv/http/x86_64
 //
 // In this case, all mnt.Subtree are independent. To handle this case, we must
 // choose the Mount whose mnt.Path contains the others, i.e. the first one.
@@ -199,10 +200,10 @@ func addUncontainedSubtreesRecursive(dst map[string]bool,
 // needed to correctly handle bind mounts. For example, in the following case,
 // the first Mount should be chosen:
 //
-// mnt.Subtree mnt.Path
-// ----------- --------
-// /foo /foo
-// /foo/dir /dir
+// mnt.Subtree mnt.Path
+// ----------- --------
+// /foo /foo
+// /foo/dir /dir
 //
 // To solve this, we divide the mounts into non-overlapping trees of mnt.Path.
 // Then, we choose one of these trees which contains (exactly or via path
diff --git a/vendor/github.com/google/fscrypt/metadata/config.go b/vendor/github.com/google/fscrypt/metadata/config.go
index 1d93d749776..65fd7b52c07 100644
--- a/vendor/github.com/google/fscrypt/metadata/config.go
+++ b/vendor/github.com/google/fscrypt/metadata/config.go
@@ -21,9 +21,9 @@
 // Package metadata contains all of the on disk structures.
 // These structures are defined in metadata.proto. The package also
 // contains functions for manipulating these structures, specifically:
-// * Reading and Writing the Config file to disk
-// * Getting and Setting Policies for directories
-// * Reasonable defaults for a Policy's EncryptionOptions
+// - Reading and Writing the Config file to disk
+// - Getting and Setting Policies for directories
+// - Reasonable defaults for a Policy's EncryptionOptions
 package metadata
 
 import (
diff --git a/vendor/github.com/google/fscrypt/metadata/metadata.pb.go b/vendor/github.com/google/fscrypt/metadata/metadata.pb.go
index 6a335f949eb..8f3501681df 100644
--- a/vendor/github.com/google/fscrypt/metadata/metadata.pb.go
+++ b/vendor/github.com/google/fscrypt/metadata/metadata.pb.go
@@ -23,7 +23,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// protoc-gen-go v1.28.0
+// protoc-gen-go v1.33.0
 // protoc v3.6.1
 // source: metadata/metadata.proto
 
diff --git a/vendor/github.com/google/fscrypt/metadata/policy.go b/vendor/github.com/google/fscrypt/metadata/policy.go
index 7831e53a669..fe6c38f3e20 100644
--- a/vendor/github.com/google/fscrypt/metadata/policy.go
+++ b/vendor/github.com/google/fscrypt/metadata/policy.go
@@ -28,6 +28,7 @@ import (
 "os"
 "os/user"
 "strconv"
+ "syscall"
 "unsafe"
 
 "github.com/pkg/errors"
@@ -85,6 +86,15 @@ func (err *ErrDirectoryNotOwned) Error() string {
 write access to the directory.`, err.Path, owner)
 }
 
+// ErrLockedRegularFile indicates that the path is a locked regular file.
+type ErrLockedRegularFile struct {
+ Path string
+}
+
+func (err *ErrLockedRegularFile) Error() string {
+ return fmt.Sprintf("cannot operate on locked regular file %q", err.Path)
+}
+
 // ErrNotEncrypted indicates that the path is not encrypted.
 type ErrNotEncrypted struct {
 Path string
@@ -164,6 +174,9 @@ func buildV2PolicyData(policy *unix.FscryptPolicyV2) *PolicyData {
 func GetPolicy(path string) (*PolicyData, error) {
 file, err := os.Open(path)
 if err != nil {
+ if err.(*os.PathError).Err == syscall.ENOKEY {
+ return nil, &ErrLockedRegularFile{path}
+ }
 return nil, err
 }
 defer file.Close()
diff --git a/vendor/github.com/google/fscrypt/security/privileges.go b/vendor/github.com/google/fscrypt/security/privileges.go
index 5bdd43c5d9a..fe8668d63f8 100644
--- a/vendor/github.com/google/fscrypt/security/privileges.go
+++ b/vendor/github.com/google/fscrypt/security/privileges.go
@@ -18,8 +18,8 @@
 */
 
 // Package security manages:
-// - Cache clearing (cache.go)
-// - Privilege manipulation (privileges.go)
+// - Cache clearing (cache.go)
+// - Privilege manipulation (privileges.go)
 package security
 
 // Use the libc versions of setreuid, setregid, and setgroups instead of the
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 914a8b8f114..9def1124641 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -62,6 +62,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/options
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version
 github.com/AzureAD/microsoft-authentication-library-for-go/apps/public
+# github.com/BurntSushi/toml v1.3.2
+## explicit; go 1.16
 # github.com/IBM/keyprotect-go-client v0.12.2
 ## explicit; go 1.15
 github.com/IBM/keyprotect-go-client
@@ -224,6 +226,8 @@ github.com/ceph/go-ceph/rbd/admin
 # github.com/cespare/xxhash/v2 v2.2.0
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
+# github.com/client9/misspell v0.3.4
+## explicit
 # github.com/container-storage-interface/spec v1.9.0
 ## explicit; go 1.18
 github.com/container-storage-interface/spec/lib/go/csi
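Review bot: The new check in GetPolicy, `if err.(*os.PathError).Err == syscall.ENOKEY {`, uses an unchecked type assertion and a direct `==` where `if errors.Is(err, syscall.ENOKEY) { return nil, &ErrLockedRegularFile{path} }` is the idiomatic form: it cannot panic if the error is ever something other than a *os.PathError, and it also matches a wrapped ENOKEY. os.Open documents that its error is a *os.PathError, so the assertion holds today; the concern is robustness and style rather than a live defect. errors.Is lives in the standard library `errors` package, while this file imports `github.com/pkg/errors`, so the import would need adjusting (recent pkg/errors versions forward Is as well). As this is vendored upstream code, the change belongs in google/fscrypt rather than a local edit under vendor/; GetPolicy's body continues past the end of the hunk.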
@@ -347,8 +351,8 @@ github.com/google/cel-go/interpreter
 github.com/google/cel-go/interpreter/functions
 github.com/google/cel-go/parser
 github.com/google/cel-go/parser/gen
-# github.com/google/fscrypt v0.3.4
-## explicit; go 1.16
+# github.com/google/fscrypt v0.3.6-0.20240502174735-068b9f8f5dec
+## explicit; go 1.18
 github.com/google/fscrypt/actions
 github.com/google/fscrypt/crypto
 github.com/google/fscrypt/filesystem
@@ -617,6 +621,8 @@ github.com/stoewer/go-strcase
 ## explicit; go 1.17
 github.com/stretchr/testify/assert
 github.com/stretchr/testify/require
+# github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad
+## explicit
 # go.etcd.io/etcd/api/v3 v3.5.10
 ## explicit; go 1.20
 go.etcd.io/etcd/api/v3/authpb
@@ -942,6 +948,8 @@ gopkg.in/yaml.v2
 # gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3
+# honnef.co/go/tools v0.4.5
+## explicit; go 1.19
 # k8s.io/api v0.29.3 => k8s.io/api v0.29.3
 ## explicit; go 1.21
 k8s.io/api/admission/v1