authorEric Biggers <ebiggers@google.com>2019-12-15 19:31:39 -0800
committerEric Biggers <ebiggers@google.com>2020-01-05 10:02:13 -0800
commit068879664efd8a0f983cbc3e8115571047fe9edd (patch)
tree51019d4d215c2c61b848b2aeaf7b2027952e65e8 /actions/policy.go
parent42e0dfe85ec7a75a2fa30c417d57eae60b5a881d (diff)
cmd/fscrypt, keyring: add --all-users option to 'fscrypt lock'
Allow root to provide the --all-users option to 'fscrypt lock' to force an encryption key to be removed from the filesystem (i.e., force an encrypted directory to be locked), even if other users have added it. To implement this option, we just need to use the FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl rather than FS_IOC_REMOVE_ENCRYPTION_KEY. In theory this option could be implemented for the user keyrings case too, but it would be difficult and the user keyrings are being deprecated for fscrypt, so don't bother.
Diffstat (limited to 'actions/policy.go')
-rw-r--r--actions/policy.go6
1 files changed, 3 insertions, 3 deletions
diff --git a/actions/policy.go b/actions/policy.go
index f448620..41e108e 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -56,7 +56,7 @@ func PurgeAllPolicies(ctx *Context) error {
}
for _, policyDescriptor := range policies {
- err = keyring.RemoveEncryptionKey(policyDescriptor, ctx.getKeyringOptions())
+ err = keyring.RemoveEncryptionKey(policyDescriptor, ctx.getKeyringOptions(), false)
switch errors.Cause(err) {
case nil, keyring.ErrKeyNotPresent:
// We don't care if the key has already been removed
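Review bot: The `false` appended to the RemoveEncryptionKey call on the changed line is a bare positional boolean, so a reader has to open the keyring package to learn that it means "do not remove other users' claims"; annotate it inline, `err = keyring.RemoveEncryptionKey(policyDescriptor, ctx.getKeyringOptions(), false /* allUsers */)`. Because purge now explicitly keeps single-user removal, a key that another user has also added may remain in the filesystem keyring after this loop; whether RemoveEncryptionKey reports that case as an error, and so whether it reaches the non-nil branch of the switch below, is not visible in this hunk, but the intended outcome for PurgeAllPolicies deserves a comment either way. PurgeAllPolicies starts before and continues after this hunk.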
@@ -416,9 +416,9 @@ func (policy *Policy) Provision() error {
// Deprovision removes the Policy key from the kernel keyring. This prevents
// reading and writing to the directory --- unless the target keyring is a user
// keyring, in which case caches must be dropped too.
-func (policy *Policy) Deprovision() error {
+func (policy *Policy) Deprovision(allUsers bool) error {
return keyring.RemoveEncryptionKey(policy.Descriptor(),
- policy.Context.getKeyringOptions())
+ policy.Context.getKeyringOptions(), allUsers)
}
// NeedsUserKeyring returns true if Provision and Deprovision for this policy
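Review bot: Deprovision's doc comment is not updated for the new allUsers parameter even though the method is exported and the parameter changes who can still read the directory afterwards. Add a sentence such as `// If allUsers is true, the key is removed even if other users have also added it; the commit introducing this option describes it as root-only and as supported only for the filesystem keyring.` The existing comment notes that user keyrings additionally need caches dropped, and the commit message states all-users removal is not implemented for user keyrings, so what Deprovision does when allUsers is true and NeedsUserKeyring applies cannot be determined from this hunk; the doc comment (or an explicit error return) should state it.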