Random changesext4

13 files changed, 120 insertions, 86 deletions

diff --git a/actions/config.go b/actions/config.go
index 81f6e4f..1b78af8 100644
--- a/actions/config.go
+++ b/actions/config.go
@@ -73,10 +73,11 @@ func CreateConfigFile(target time.Duration, useLegacy bool) error {
 	}
 	defer configFile.Close()
 
-	config := &metadata.Config{
-		Source:  metadata.DefaultSource,
-		Options: metadata.DefaultOptions,
-	}
+	// config := &metadata.Config{
+	// 	Source:  metadata.DefaultSource,
+	// 	Options: metadata.DefaultOptions,
+	// }
+	config := &metadata.Config{Options: &metadata.EncryptionOptions{}}
 	if useLegacy {
 		config.Compatibility = LegacyConfig
 		log.Printf("Using %q compatibility option\n", LegacyConfig)
diff --git a/cmd/errors.go b/cmd/errors.go
index c67c0f1..6c78912 100644
--- a/cmd/errors.go
+++ b/cmd/errors.go
@@ -24,8 +24,6 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
-
-	"github.com/google/fscrypt/util"
 )
 
 // Common errors used across tools
@@ -33,7 +31,6 @@ var (
 	ErrUnknownVersion = errors.New("unknown version (missing version tag)")
 	ErrCanceled       = errors.New("operation canceled by user")
 	ErrMustForce      = errors.New("operation must be forced")
-	ErrNotRoot        = errors.New("operation must be run as root")
 )
 
 // Error return codes
@@ -73,14 +70,6 @@ func CheckExpectedArgs(ctx *Context, expectedArgs int, atMost bool) error {
 	return UsageError(message)
 }
 
-// CheckIfRoot returns an error if the current user is not the root user.
-func CheckIfRoot() error {
-	if id := util.CurrentUserID(); id != 0 {
-		return errors.Wrapf(ErrNotRoot, "user %s", util.GetUser(id).Username)
-	}
-	return nil
-}
-
 // CheckRequiredFlags returns a UsageError if all of the required flags are not
 // set. Only StringFlags are currently supported.
 func CheckRequiredFlags(flags []*StringFlag) error {
diff --git a/cmd/fscrypt/fscrypt.go b/cmd/fscrypt/fscrypt.go
index 2054193..c696545 100644
--- a/cmd/fscrypt/fscrypt.go
+++ b/cmd/fscrypt/fscrypt.go
@@ -63,7 +63,7 @@ var baseFlags = []cmd.Flag{cmd.VerboseFlag, cmd.QuietFlag, cmd.HelpFlag}
 var fscryptCommand = cmd.Command{
 	Title: "manage linux filesystem encryption",
 	UsageLines: []string{
-		fmt.Sprintf("<command> [arguments] [options] [%s|%s]",
+		fmt.Sprintf("<command> [arguments] [options] [%s | %s]",
 			cmd.VerboseFlag, cmd.QuietFlag),
 		cmd.VersionUsage,
 	},
@@ -77,7 +77,7 @@ var setupCommand = &cmd.Command{
 	Name:  "setup",
 	Title: "setup a system/filesystem to use fscrypt",
 	UsageLines: []string{
-		fmt.Sprintf("[options]"),
+		fmt.Sprintf("[%s] [%]"),
 		fmt.Sprintf("%s [%s]", unusedMountpointArg, cmd.ForceFlag),
 	},
 	Arguments:    []*cmd.Argument{unusedMountpointArg},
diff --git a/cmd/fscrypt/setup.go b/cmd/fscrypt/setup.go
index a421783..9620c88 100644
--- a/cmd/fscrypt/setup.go
+++ b/cmd/fscrypt/setup.go
@@ -49,7 +49,7 @@ func createGlobalConfig(path string) error {
 		return err
 	}
 
-	fmt.Fprintln(cmd.Output, "Customizing passphrase hashing difficulty for this system...")
+	fmt.Fprintln(cmd.Output, "Customizing passphrase hashing difficulty for this system ...")
 	err = actions.CreateConfigFile(timeTargetFlag.Value, legacyFlag.Value)
 	if err != nil {
 		return err
diff --git a/crypto/crypto.go b/crypto/crypto.go
index a85d345..818ef9b 100644
--- a/crypto/crypto.go
+++ b/crypto/crypto.go
@@ -57,7 +57,7 @@ import (
 // Crypto error values
 var (
 	ErrBadAuth        = errors.New("key authentication check failed")
-	ErrNegitiveLength = errors.New("keys cannot have negative lengths")
+	ErrNegativeLength = errors.New("keys cannot have negative lengths")
 	ErrRecoveryCode   = errors.New("invalid recovery code")
 	ErrGetrandomFail  = util.SystemError("getrandom() failed")
 	ErrKeyAlloc       = util.SystemError("could not allocate memory for key")
diff --git a/metadata/metadata.pb.go b/metadata/metadata.pb.go
index 558e8f2..cac4755 100644
--- a/metadata/metadata.pb.go
+++ b/metadata/metadata.pb.go
@@ -37,6 +37,7 @@ const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
 type SourceType int32
 
 const (
+	SourceType_none              SourceType = 0
 	SourceType_default           SourceType = 0
 	SourceType_pam_passphrase    SourceType = 1
 	SourceType_custom_passphrase SourceType = 2
@@ -44,12 +45,14 @@ const (
 )
 
 var SourceType_name = map[int32]string{
-	0: "default",
+	0: "none",
+	// Duplicate value: 0: "default",
 	1: "pam_passphrase",
 	2: "custom_passphrase",
 	3: "raw_key",
 }
 var SourceType_value = map[string]int32{
+	"none":              0,
 	"default":           0,
 	"pam_passphrase":    1,
 	"custom_passphrase": 2,
@@ -192,7 +195,7 @@ func (m *ProtectorData) GetSource() SourceType {
 	if m != nil {
 		return m.Source
 	}
-	return SourceType_default
+	return SourceType_none
 }
 
 func (m *ProtectorData) GetName() string {
@@ -337,7 +340,7 @@ func (m *Config) GetSource() SourceType {
 	if m != nil {
 		return m.Source
 	}
-	return SourceType_default
+	return SourceType_none
 }
 
 func (m *Config) GetHashCosts() *HashingCosts {
@@ -376,46 +379,46 @@ func init() {
 func init() { proto.RegisterFile("metadata/metadata.proto", fileDescriptor0) }
 
 var fileDescriptor0 = []byte{
-	// 642 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x94, 0xed, 0x6a, 0xdb, 0x3c,
-	0x14, 0xc7, 0x1f, 0xdb, 0x69, 0xd2, 0x9c, 0xbc, 0x3c, 0xae, 0xda, 0x75, 0x66, 0xfb, 0x12, 0xbc,
-	0x0d, 0xca, 0x28, 0x1d, 0xcd, 0xe8, 0xd8, 0x60, 0x0c, 0xb6, 0xb4, 0xec, 0xa5, 0x94, 0x75, 0x4a,
-	0xe8, 0x36, 0x18, 0x04, 0xd5, 0x56, 0x1b, 0x51, 0xdb, 0x12, 0x96, 0x42, 0xf0, 0xb7, 0xdd, 0xc3,
-	0xee, 0x61, 0x97, 0xb0, 0x8b, 0xd8, 0x55, 0x0d, 0xc9, 0xb1, 0xe3, 0xb4, 0x50, 0xb2, 0x7d, 0x31,
-	0x47, 0x7f, 0x49, 0xe7, 0x7f, 0xf4, 0x93, 0x8e, 0xe1, 0x6e, 0x4c, 0x15, 0x09, 0x89, 0x22, 0x4f,
-	0x8a, 0x60, 0x4f, 0xa4, 0x5c, 0x71, 0xb4, 0x5e, 0x8c, 0xfd, 0x6f, 0xd0, 0x7e, 0x47, 0xe4, 0x84,
-	0x25, 0x97, 0x03, 0x2e, 0x95, 0x44, 0x08, 0x6a, 0x8a, 0xc5, 0xd4, 0xb3, 0x7b, 0xd6, 0x8e, 0x83,
-	0x4d, 0x8c, 0xb6, 0xa1, 0x1e, 0xd3, 0x98, 0xa7, 0x99, 0xe7, 0x18, 0x75, 0x3e, 0x42, 0x3d, 0x68,
-	0x09, 0x92, 0x92, 0x28, 0xa2, 0x11, 0x93, 0xb1, 0x57, 0x33, 0x93, 0x55, 0xc9, 0xff, 0x0a, 0xdd,
-	0xcf, 0x29, 0x11, 0x82, 0x86, 0xc7, 0x34, 0x3b, 0x24, 0x8a, 0xa0, 0x2e, 0xd8, 0xef, 0xcf, 0x3c,
-	0xab, 0x67, 0xed, 0xb4, 0xb1, 0xcd, 0xce, 0xd0, 0x03, 0xe8, 0xd0, 0x24, 0x48, 0x33, 0xa1, 0x68,
-	0x38, 0xbe, 0xa2, 0x99, 0x31, 0x6e, 0xe3, 0x76, 0x29, 0x1e, 0xd3, 0x4c, 0x17, 0x35, 0x89, 0x49,
-	0x60, 0xec, 0xdb, 0xd8, 0xc4, 0xfe, 0x0f, 0x1b, 0x3a, 0xa7, 0x29, 0x57, 0x34, 0x50, 0x3c, 0x35,
-	0xa9, 0xf7, 0x61, 0x4b, 0x14, 0xc2, 0x38, 0xa4, 0x32, 0x48, 0x99, 0x50, 0x3c, 0x35, 0x66, 0x4d,
-	0xbc, 0x59, 0xce, 0x1d, 0x96, 0x53, 0x68, 0x17, 0xea, 0x92, 0x4f, 0xd3, 0x20, 0x3f, 0x6f, 0xb7,
-	0xbf, 0xb5, 0x57, 0x82, 0x1a, 0x1a, 0x7d, 0x94, 0x09, 0x8a, 0xe7, 0x6b, 0x74, 0x19, 0x09, 0x89,
-	0xa9, 0x29, 0xa3, 0x89, 0x4d, 0x8c, 0x76, 0x61, 0x2d, 0xd0, 0xe0, 0xcc, 0xe9, 0x5b, 0xfd, 0xed,
-	0x45, 0x82, 0x2a, 0x56, 0x9c, 0x2f, 0xd2, 0x19, 0x24, 0x89, 0x94, 0xb7, 0x96, 0x1f, 0x44, 0xc7,
-	0xc8, 0x05, 0x67, 0xca, 0x42, 0xaf, 0x6e, 0xe8, 0xe9, 0x10, 0xbd, 0x80, 0xd6, 0x2c, 0xa7, 0x66,
-	0x88, 0x34, 0x4c, 0x66, 0x6f, 0x91, 0x79, 0x19, 0x29, 0x86, 0x59, 0x39, 0xf6, 0x7f, 0xda, 0xb0,
-	0x71, 0x94, 0xa3, 0x63, 0x3c, 0xf9, 0x68, 0xbe, 0x12, 0x79, 0xd0, 0x10, 0x24, 0x0c, 0x59, 0x72,
-	0x69, 0x60, 0x38, 0xb8, 0x18, 0xa2, 0x97, 0xb0, 0x1e, 0xf0, 0x44, 0xd1, 0x44, 0xc9, 0x39, 0x82,
-	0xde, 0xc2, 0xe7, 0x46, 0xa2, 0xbd, 0x13, 0x1e, 0x52, 0x5c, 0xee, 0x40, 0xaf, 0xa0, 0x79, 0xc1,
-	0x22, 0xaa, 0x41, 0x48, 0x43, 0x65, 0x95, 0xed, 0x8b, 0x2d, 0x7e, 0x06, 0x35, 0x2d, 0xa1, 0x16,
-	0x34, 0x42, 0x7a, 0x41, 0xa6, 0x91, 0x72, 0xff, 0x43, 0xff, 0x43, 0xeb, 0xf5, 0xd1, 0x70, 0xdc,
-	0x3f, 0x78, 0x36, 0xfe, 0x32, 0x1a, 0xba, 0x56, 0x55, 0x78, 0x3b, 0x38, 0x71, 0xed, 0xaa, 0x30,
-	0x78, 0x33, 0x70, 0x9d, 0x25, 0x61, 0x34, 0x74, 0x6b, 0x85, 0xb0, 0xdf, 0x7f, 0x6e, 0x56, 0xac,
-	0x2d, 0x09, 0xa3, 0xa1, 0x5b, 0xf7, 0xbf, 0x5b, 0xe0, 0xce, 0x39, 0x9e, 0xf2, 0x88, 0x05, 0x99,
-	0x7e, 0x67, 0xff, 0xf0, 0x82, 0xae, 0xdd, 0x95, 0xfd, 0x17, 0x77, 0xf5, 0xcb, 0x02, 0xc8, 0xbd,
-	0xcd, 0xf3, 0x7d, 0x04, 0xdd, 0x2b, 0x9a, 0xdd, 0xb4, 0xed, 0x5c, 0xd1, 0xac, 0x62, 0x78, 0x00,
-	0x0d, 0x9e, 0xe3, 0x9c, 0x9b, 0xdd, 0xbf, 0x85, 0x38, 0x2e, 0xd6, 0xa2, 0x0f, 0xb0, 0x59, 0xd4,
-	0x29, 0x8c, 0xa7, 0x2e, 0x57, 0x5f, 0x9a, 0xb3, 0xd3, 0xea, 0xdf, 0xbb, 0x51, 0x6f, 0xc9, 0x04,
-	0x6f, 0xcc, 0xae, 0x29, 0xd2, 0xff, 0x6d, 0x41, 0x7d, 0xc0, 0x93, 0x0b, 0x76, 0x59, 0x69, 0x20,
-	0x6b, 0x85, 0x06, 0x3a, 0x00, 0x98, 0x10, 0x39, 0x19, 0xe7, 0x1d, 0x63, 0xdf, 0xda, 0x31, 0x4d,
-	0xbd, 0x32, 0xff, 0x27, 0x3d, 0x84, 0x4e, 0xc0, 0x63, 0x41, 0x14, 0x3b, 0x67, 0x11, 0x53, 0xd9,
-	0xbc, 0x01, 0x97, 0xc5, 0x2a, 0x98, 0xda, 0xea, 0x60, 0x1e, 0x7f, 0x02, 0x58, 0x54, 0xba, 0xfc,
-	0x12, 0x11, 0x74, 0x05, 0x89, 0xc7, 0x82, 0x48, 0x29, 0x26, 0x29, 0x91, 0xd4, 0xb5, 0xd0, 0x1d,
-	0xd8, 0x08, 0xa6, 0x52, 0xf1, 0x25, 0xd9, 0xd6, 0xfb, 0x52, 0x32, 0xd3, 0x4c, 0x5d, 0xe7, 0xbc,
-	0x6e, 0x7e, 0xb2, 0x4f, 0xff, 0x04, 0x00, 0x00, 0xff, 0xff, 0x99, 0x65, 0x0d, 0x45, 0x7f, 0x05,
-	0x00, 0x00,
+	// 651 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x94, 0xdd, 0x6a, 0xdb, 0x30,
+	0x14, 0xc7, 0x6b, 0x27, 0x4d, 0x9a, 0x93, 0x8f, 0xb9, 0x6a, 0xd7, 0x99, 0xee, 0x26, 0x78, 0x1b,
+	0x94, 0x51, 0x3a, 0x9a, 0xd1, 0xb1, 0xc1, 0x18, 0x6c, 0x69, 0xd9, 0x47, 0x29, 0x2b, 0x4a, 0xe8,
+	0x36, 0x18, 0x18, 0xd5, 0x56, 0x1b, 0x51, 0xdb, 0x12, 0x96, 0x42, 0xf0, 0xdd, 0xde, 0x61, 0xef,
+	0xb0, 0x47, 0xd8, 0x43, 0xec, 0xa9, 0x86, 0xe4, 0xd8, 0x71, 0x5a, 0x28, 0xdd, 0x6e, 0xcc, 0xd1,
+	0x5f, 0xd2, 0xf9, 0x1f, 0xfd, 0xa4, 0x63, 0x78, 0x10, 0x53, 0x45, 0x42, 0xa2, 0xc8, 0xb3, 0x22,
+	0xd8, 0x13, 0x29, 0x57, 0x1c, 0xad, 0x15, 0x63, 0xef, 0x3b, 0x74, 0x3e, 0x10, 0x39, 0x61, 0xc9,
+	0xe5, 0x90, 0x4b, 0x25, 0x11, 0x82, 0xba, 0x62, 0x31, 0x75, 0xed, 0xbe, 0xb5, 0x53, 0xc3, 0x26,
+	0x46, 0x5b, 0xd0, 0x88, 0x69, 0xcc, 0xd3, 0xcc, 0xad, 0x19, 0x75, 0x3e, 0x42, 0x7d, 0x68, 0x0b,
+	0x92, 0x92, 0x28, 0xa2, 0x11, 0x93, 0xb1, 0x5b, 0x37, 0x93, 0x55, 0xc9, 0xfb, 0x06, 0xbd, 0x2f,
+	0x29, 0x11, 0x82, 0x86, 0xc7, 0x34, 0x3b, 0x24, 0x8a, 0xa0, 0x1e, 0xd8, 0x1f, 0xcf, 0x5c, 0xab,
+	0x6f, 0xed, 0x74, 0xb0, 0xcd, 0xce, 0xd0, 0x23, 0xe8, 0xd2, 0x24, 0x48, 0x33, 0xa1, 0x68, 0xe8,
+	0x5f, 0xd1, 0xcc, 0x18, 0x77, 0x70, 0xa7, 0x14, 0x8f, 0x69, 0xa6, 0x8b, 0x9a, 0xc4, 0x24, 0x30,
+	0xf6, 0x1d, 0x6c, 0x62, 0xef, 0xa7, 0x0d, 0xdd, 0xd3, 0x94, 0x2b, 0x1a, 0x28, 0x9e, 0x9a, 0xd4,
+	0xfb, 0xb0, 0x29, 0x0a, 0xc1, 0x0f, 0xa9, 0x0c, 0x52, 0x26, 0x14, 0x4f, 0x8d, 0x59, 0x0b, 0x6f,
+	0x94, 0x73, 0x87, 0xe5, 0x14, 0xda, 0x85, 0x86, 0xe4, 0xd3, 0x34, 0xc8, 0xcf, 0xdb, 0x1b, 0x6c,
+	0xee, 0x95, 0xa0, 0x46, 0x46, 0x1f, 0x67, 0x82, 0xe2, 0xf9, 0x1a, 0x5d, 0x46, 0x42, 0x62, 0x6a,
+	0xca, 0x68, 0x61, 0x13, 0xa3, 0x5d, 0x58, 0x0d, 0x34, 0x38, 0x73, 0xfa, 0xf6, 0x60, 0x6b, 0x91,
+	0xa0, 0x8a, 0x15, 0xe7, 0x8b, 0x74, 0x06, 0x49, 0x22, 0xe5, 0xae, 0xe6, 0x07, 0xd1, 0x31, 0x72,
+	0xa0, 0x36, 0x65, 0xa1, 0xdb, 0x30, 0xf4, 0x74, 0x88, 0x5e, 0x41, 0x7b, 0x96, 0x53, 0x33, 0x44,
+	0x9a, 0x26, 0xb3, 0xbb, 0xc8, 0xbc, 0x8c, 0x14, 0xc3, 0xac, 0x1c, 0x7b, 0xbf, 0x6c, 0x58, 0x3f,
+	0xca, 0xd1, 0x31, 0x9e, 0x7c, 0x36, 0x5f, 0x89, 0x5c, 0x68, 0x0a, 0x12, 0x86, 0x2c, 0xb9, 0x34,
+	0x30, 0x6a, 0xb8, 0x18, 0xa2, 0xd7, 0xb0, 0x16, 0xf0, 0x44, 0xd1, 0x44, 0xc9, 0x39, 0x82, 0xfe,
+	0xc2, 0xe7, 0x46, 0xa2, 0xbd, 0x13, 0x1e, 0x52, 0x5c, 0xee, 0x40, 0x6f, 0xa0, 0x75, 0xc1, 0x22,
+	0xaa, 0x41, 0x48, 0x43, 0xe5, 0x2e, 0xdb, 0x17, 0x5b, 0xbc, 0x0c, 0xea, 0x5a, 0x42, 0x6d, 0x68,
+	0x86, 0xf4, 0x82, 0x4c, 0x23, 0xe5, 0xac, 0xa0, 0x7b, 0xd0, 0x7e, 0x7b, 0x34, 0xf2, 0x07, 0x07,
+	0x2f, 0xfc, 0xaf, 0xe3, 0x91, 0x63, 0x55, 0x85, 0xf7, 0xc3, 0x13, 0xc7, 0xae, 0x0a, 0xc3, 0x77,
+	0x43, 0xa7, 0xb6, 0x24, 0x8c, 0x47, 0x4e, 0xbd, 0x10, 0xf6, 0x07, 0x2f, 0xcd, 0x8a, 0xd5, 0x25,
+	0x61, 0x3c, 0x72, 0x1a, 0xde, 0x0f, 0x0b, 0x9c, 0x39, 0xc7, 0x53, 0x1e, 0xb1, 0x20, 0xd3, 0xef,
+	0xec, 0x3f, 0x5e, 0xd0, 0xb5, 0xbb, 0xb2, 0xff, 0xe1, 0xae, 0x7e, 0x5b, 0x00, 0xb9, 0xb7, 0x79,
+	0xbe, 0x4f, 0xa0, 0x77, 0x45, 0xb3, 0x9b, 0xb6, 0xdd, 0x2b, 0x9a, 0x55, 0x0c, 0x0f, 0xa0, 0xc9,
+	0x73, 0x9c, 0x73, 0xb3, 0x87, 0xb7, 0x10, 0xc7, 0xc5, 0x5a, 0xf4, 0x09, 0x36, 0x8a, 0x3a, 0x85,
+	0xf1, 0xd4, 0xe5, 0xea, 0x4b, 0xab, 0xed, 0xb4, 0x07, 0xdb, 0x37, 0xea, 0x2d, 0x99, 0xe0, 0xf5,
+	0xd9, 0x35, 0x45, 0x7a, 0x7f, 0x2c, 0x68, 0x0c, 0x79, 0x72, 0xc1, 0x2e, 0x2b, 0x0d, 0x64, 0xdd,
+	0xa1, 0x81, 0x0e, 0x00, 0x26, 0x44, 0x4e, 0xfc, 0xbc, 0x63, 0xec, 0x5b, 0x3b, 0xa6, 0xa5, 0x57,
+	0xe6, 0xff, 0xa4, 0xc7, 0xd0, 0x0d, 0x78, 0x2c, 0x88, 0x62, 0xe7, 0x2c, 0x62, 0x2a, 0x9b, 0x37,
+	0xe0, 0xb2, 0x58, 0x05, 0x53, 0xbf, 0x3b, 0x98, 0xa7, 0x3e, 0xc0, 0xa2, 0x52, 0xb4, 0x06, 0xf5,
+	0x84, 0x27, 0xd4, 0x59, 0x59, 0x7e, 0x93, 0x08, 0x7a, 0x82, 0xc4, 0xbe, 0x20, 0x52, 0x8a, 0x49,
+	0x4a, 0x24, 0x75, 0x2c, 0x74, 0x1f, 0xd6, 0x83, 0xa9, 0x54, 0x7c, 0x49, 0xb6, 0xf5, 0xbe, 0x94,
+	0xcc, 0x34, 0x5d, 0xa7, 0xb6, 0x6d, 0x3b, 0xd6, 0x79, 0xc3, 0xfc, 0x72, 0x9f, 0xff, 0x0d, 0x00,
+	0x00, 0xff, 0xff, 0xf8, 0xd5, 0x1e, 0x01, 0x8d, 0x05, 0x00, 0x00,
 }
diff --git a/metadata/metadata.proto b/metadata/metadata.proto
index 5e1b9dd..af7c646 100644
--- a/metadata/metadata.proto
+++ b/metadata/metadata.proto
@@ -39,7 +39,7 @@ message WrappedKeyData {
 
 // Specifies the method in which an outside secret is obtained for a Protector
 enum SourceType {
-  default = 0;
+  none = 0;
   pam_passphrase = 1;
   custom_passphrase = 2;
   raw_key = 3;
diff --git a/security/cache.go b/security/cache.go
index d0c60b1..2713ddd 100644
--- a/security/cache.go
+++ b/security/cache.go
@@ -1,3 +1,5 @@
+// +build linux
+
 /*
  * cache.go - Handles cache clearing and management.
  *
@@ -30,7 +32,7 @@ import (
 // dentries. This has the effect of making encrypted directories whose keys are
 // not present no longer accessible. Requires root privileges.
 func DropFilesystemCache() error {
-	// Dirty reclaimible inodes must be synced so that they will be freed.
+	// Dirty reclaimable inodes must be synced so that they will be freed.
 	log.Print("syncing changes to filesystem")
 	unix.Sync()
 
@@ -43,7 +45,7 @@ func DropFilesystemCache() error {
 	defer file.Close()
 	// "2" just frees the reclaimable inodes and dentries, the associated
 	// pages to these inodes will be freed. We do not need to free the
-	// entire pagecache (as this will severly impact performance).
+	// entire pagecache (as this will servery impact performance).
 	_, err = file.WriteString("2")
 	return err
 }
diff --git a/security/keyring.go b/security/keyring.go
index 7ce163e..492e0f4 100644
--- a/security/keyring.go
+++ b/security/keyring.go
@@ -1,3 +1,5 @@
+// +build linux
+
 /*
  * privileges.go - Handles inserting/removing into user keyrings.
  *
diff --git a/security/policy.go b/security/policy.go
new file mode 100644
index 0000000..77707ca
--- /dev/null
+++ b/security/policy.go
@@ -0,0 +1,24 @@
+// +build linux

+

+/*

+ * policy.go - Handles kernel encryption policies.

+ *

+ * Copyright 2017 Google Inc.

+ * Author: Joe Richey (joerichey@google.com)

+ *

+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not

+ * use this file except in compliance with the License. You may obtain a copy of

+ * the License at

+ *

+ *     http://www.apache.org/licenses/LICENSE-2.0

+ *

+ * Unless required by applicable law or agreed to in writing, software

+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT

+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the

+ * License for the specific language governing permissions and limitations under

+ * the License.

+ */

+

+type Policy struct {

+	

+}
\ No newline at end of file
diff --git a/security/privileges.go b/security/privileges.go
index 7d69da9..24f4daf 100644
--- a/security/privileges.go
+++ b/security/privileges.go
@@ -1,3 +1,5 @@
+// +build linux
+
 /*
  * privileges.go - Functions for managing users and privileges.
  *
diff --git a/util/errors.go b/util/errors.go
index f10569e..f0b9403 100644
--- a/util/errors.go
+++ b/util/errors.go
@@ -28,6 +28,28 @@ import (
 	"github.com/pkg/errors"
 )
 
+var (
+	// ErrNotRoot indicates the action is restricted to the superuser.
+	ErrNotRoot = errors.New("only root can perform this action")
+	// ErrSkipIntegration indicates integration tests shouldn't be run.
+	ErrSkipIntegration = errors.New("skipping integration test")
+)
+
+// testEnvVarName is the name on an environment variable that should be set to
+// an empty mountpoint. This is only used for integration tests. If not set,
+// integration tests are skipped.
+var testEnvVarName = "TEST_FILESYSTEM_ROOT"
+
+// TestRoot returns a the root of a filesystem specified by testEnvVarName. This
+// function is only used for integration tests.
+func TestRoot() (string, error) {
+	path := os.Getenv(testEnvVarName)
+	if path == "" {
+		return "", ErrSkipIntegration
+	}
+	return path, nil
+}
+
 // ErrReader wraps an io.Reader, passing along calls to Read() until a read
 // fails. Then, the error is stored, and all subsequent calls to Read() do
 // nothing. This allows you to write code which has many subsequent reads and
@@ -114,22 +136,3 @@ func NeverError(err error) {
 		log.Panicf("NeverError() check failed: %v", err)
 	}
 }
-
-var (
-	// testEnvVarName is the name on an environment variable that should be
-	// set to an empty mountpoint. This is only used for integration tests.
-	// If not set, integration tests are skipped.
-	testEnvVarName = "TEST_FILESYSTEM_ROOT"
-	// ErrSkipIntegration indicates integration tests shouldn't be run.
-	ErrSkipIntegration = errors.New("skipping integration test")
-)
-
-// TestRoot returns a the root of a filesystem specified by testEnvVarName. This
-// function is only used for integration tests.
-func TestRoot() (string, error) {
-	path := os.Getenv(testEnvVarName)
-	if path == "" {
-		return "", ErrSkipIntegration
-	}
-	return path, nil
-}
diff --git a/util/users.go b/util/users.go
index 92affa8..49abd32 100644
--- a/util/users.go
+++ b/util/users.go
@@ -48,3 +48,11 @@ func GetUser(uid int) *user.User {
 func CurrentUser() *user.User {
 	return GetUser(CurrentUserID())
 }
+
+// CheckIfRoot returns ErrNotRoot if the current user is not the root user.
+func CheckIfRoot() error {
+	if id := CurrentUserID(); id != 0 {
+		return ErrNotRoot
+	}
+	return nil
+}