Documentation
Index
- Variables
- func BootChainsFileUnder(rootdir string) string
- func MockRunFDESetupHook(f fde.RunSetupHookFunc) (restore func())
- func MockSecbootBuildPCRProtectionProfile(...) (restore func())
- func MockSecbootProvisionTPM(f func(mode secboot.TPMProvisionMode, lockoutAuthFile string) error) (restore func())
- func MockSecbootResealKeys(f func(params *secboot.ResealKeysParams) error) (restore func())
- func MockSecbootSealKeys(...) (restore func())
- func MockSecbootSealKeysWithFDESetupHook(f func(runHook fde.RunSetupHookFunc, keys []secboot.SealKeyRequest, ...) error) (restore func())
- func RecoveryBootChainsFileUnder(rootdir string) string
- func ResealKeyForBootChains(manager FDEStateManager, method device.SealingMethod, rootdir string, ...) error
- func ResealKeysForSignaturesDBUpdate(manager FDEStateManager, method device.SealingMethod, rootdir string, ...) error
- type FDEStateManager
- type SealingParameters
Constants
This section is empty.
Variables
var (
	RunFDESetupHook fde.RunSetupHookFunc = func(req *fde.SetupRequest) ([]byte, error) {
		return nil, fmt.Errorf("internal error: RunFDESetupHook not set yet")
	}
)
Hook functions set up by devicestate to support device-specific full disk encryption implementations. The state must be locked when these functions are called.
Functions
func BootChainsFileUnder
func BootChainsFileUnder(rootdir string) string
func MockRunFDESetupHook
func MockRunFDESetupHook(f fde.RunSetupHookFunc) (restore func())
func MockSecbootBuildPCRProtectionProfile
func MockSecbootBuildPCRProtectionProfile(f func(modelParams []*secboot.SealKeyModelParams) (secboot.SerializedPCRProfile, error)) (restore func())
func MockSecbootProvisionTPM
func MockSecbootProvisionTPM(f func(mode secboot.TPMProvisionMode, lockoutAuthFile string) error) (restore func())
TODO:FDEM: move those to export_test.go once we have split tests.
func MockSecbootResealKeys
func MockSecbootResealKeys(f func(params *secboot.ResealKeysParams) error) (restore func())
MockSecbootResealKeys is only useful in testing. Note that this is a very low-level call and may need significant environment setup.
func MockSecbootSealKeys
func MockSecbootSealKeys(f func(keys []secboot.SealKeyRequest, params *secboot.SealKeysParams) ([]byte, error)) (restore func())
func MockSecbootSealKeysWithFDESetupHook
func MockSecbootSealKeysWithFDESetupHook(f func(runHook fde.RunSetupHookFunc, keys []secboot.SealKeyRequest, params *secboot.SealKeysWithFDESetupHookParams) error) (restore func())
func ResealKeyForBootChains
func ResealKeyForBootChains(manager FDEStateManager, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error
ResealKeyForBootChains reseals disk encryption keys with the given bootchains.
func ResealKeysForSignaturesDBUpdate
func ResealKeysForSignaturesDBUpdate(
	manager FDEStateManager,
	method device.SealingMethod,
	rootdir string,
	params *boot.ResealKeyForBootChainsParams,
	dbUpdate []byte,
) error
ResealKeysForSignaturesDBUpdate reseals disk encryption keys for the provided boot chains and an optional signature DB update.
Types
type FDEStateManager
type FDEStateManager interface {
	// Update will update the sealing parameters for a given role.
	Update(role string, containerRole string, parameters *SealingParameters) error
	// Get returns the current parameters for a given role. If no parameters exist for that role, it returns nil without error.
	Get(role string, containerRole string) (parameters *SealingParameters, err error)
	// Unlock notifies the manager that the state can be unlocked and returns a function to relock it.
	Unlock() (relock func())
}
FDEStateManager represents an interface for a manager that can store the state for sealing parameters.
type SealingParameters
type SealingParameters struct {
	BootModes     []string
	Models        []secboot.ModelForSealing
	TpmPCRProfile []byte
}
SealingParameters contains the parameters that may be used for sealing. It should be the same as fdestate.KeyslotRoleParameters; however, that type cannot be imported here. See the documentation for that type.
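The FDEStateManager interface and SealingParameters struct above only describe a contract; they do not show how the "state must be locked" rule and the Unlock/relock pair are meant to be used together by a reseal. The following is an added, self-contained example (not snapd's own code) with an in-memory manager that enforces the locking rule, returns (nil, nil) from Get for an unknown role, and a hypothetical refreshPCRProfile that follows the intended pattern: read parameters under the lock, drop the lock while the slow profile computation runs, relock, then store the result. The local ModelForSealing type and the buildProfile callback are assumptions standing in for secboot.ModelForSealing and secboot.BuildPCRProtectionProfile.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ModelForSealing is an assumed stand-in for secboot.ModelForSealing.
type ModelForSealing struct {
	BrandID string
	Model   string
}

// SealingParameters mirrors the struct documented on the page.
type SealingParameters struct {
	BootModes     []string
	Models        []ModelForSealing
	TpmPCRProfile []byte
}

// FDEStateManager mirrors the interface documented on the page.
type FDEStateManager interface {
	Update(role string, containerRole string, parameters *SealingParameters) error
	Get(role string, containerRole string) (parameters *SealingParameters, err error)
	Unlock() (relock func())
}

// errStateUnlocked enforces "the state must be locked when these functions are called".
var errStateUnlocked = errors.New("internal error: fde state is not locked")

type roleKey struct{ role, containerRole string }

// memStateManager is a hypothetical in-memory FDEStateManager for illustration only.
type memStateManager struct {
	mu     sync.Mutex
	locked bool // true while the caller holds the (conceptual) state lock
	params map[roleKey]*SealingParameters
}

// newMemStateManager starts locked, as callers are expected to hold the lock.
func newMemStateManager() *memStateManager {
	return &memStateManager{locked: true, params: map[roleKey]*SealingParameters{}}
}

// cloneParams copies parameters so callers cannot mutate stored state by aliasing.
func cloneParams(p *SealingParameters) *SealingParameters {
	if p == nil {
		return nil
	}
	return &SealingParameters{
		BootModes:     append([]string(nil), p.BootModes...),
		Models:        append([]ModelForSealing(nil), p.Models...),
		TpmPCRProfile: append([]byte(nil), p.TpmPCRProfile...),
	}
}

func (m *memStateManager) Update(role, containerRole string, parameters *SealingParameters) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if !m.locked {
		return errStateUnlocked
	}
	if role == "" || containerRole == "" || parameters == nil {
		return fmt.Errorf("internal error: invalid update for role %q/%q", role, containerRole)
	}
	m.params[roleKey{role, containerRole}] = cloneParams(parameters)
	return nil
}

// Get returns a copy of the stored parameters, or (nil, nil) when none exist for the role.
func (m *memStateManager) Get(role, containerRole string) (*SealingParameters, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if !m.locked {
		return nil, errStateUnlocked
	}
	return cloneParams(m.params[roleKey{role, containerRole}]), nil
}

// Unlock releases the state lock for slow work (e.g. TPM operations) and returns relock.
func (m *memStateManager) Unlock() (relock func()) {
	m.mu.Lock()
	m.locked = false
	m.mu.Unlock()
	return func() { m.mu.Lock(); m.locked = true; m.mu.Unlock() }
}

// refreshPCRProfile is hypothetical: it reads parameters under the lock, unlocks while
// buildProfile (standing in for secboot.BuildPCRProtectionProfile) runs, relocks, then stores.
func refreshPCRProfile(m FDEStateManager, role, containerRole string, buildProfile func(*SealingParameters) ([]byte, error)) error {
	params, err := m.Get(role, containerRole)
	if err != nil {
		return err
	}
	if params == nil {
		return fmt.Errorf("no sealing parameters for role %q/%q", role, containerRole)
	}
	relock := m.Unlock()
	profile, err := buildProfile(params)
	relock()
	if err != nil {
		return fmt.Errorf("cannot build PCR profile: %v", err)
	}
	params.TpmPCRProfile = profile
	return m.Update(role, containerRole, params)
}
```

Two details matter for a real implementation: Get hands out copies, so a caller that edits the returned struct and forgets to call Update changes nothing, and Update/Get fail loudly rather than silently racing when the state has been unlocked and not yet relocked.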