| author | Eric Biggers <ebiggers@google.com> | 2020-05-09 14:17:17 -0700 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2020-05-09 15:16:13 -0700 |
| commit | de51add609bc74b7247ec4776bd694abbea24a45 (patch) | |
| tree | b5f304a4ecc101a5410bb2274d129dbc7dad6441 /actions/policy.go | |
| parent | fb99b37a05696db4ceabb793e5f16727ec854ed1 (diff) | |
Try to detect incomplete locking of v1-encrypted directory
'fscrypt lock' on a v1-encrypted directory doesn't warn about in-use
files, as the kernel doesn't provide a way to easily detect it.
Instead, implement a heuristic: try to create a subdirectory. If that
succeeds, the key is evidently still usable, so the directory cannot be fully locked.
Make both 'fscrypt lock' and 'fscrypt status' use this heuristic.
Resolves https://github.com/google/fscrypt/issues/215
Diffstat (limited to 'actions/policy.go')
| -rw-r--r-- | actions/policy.go | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/actions/policy.go b/actions/policy.go
index 3baad72..6c2aa51 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -417,12 +417,6 @@ func (policy *Policy) IsProvisionedByTargetUser() bool {
 	return policy.GetProvisioningStatus() == keyring.KeyPresent
 }
 
-// IsFullyDeprovisioned returns true if the policy has been fully deprovisioned,
-// including by all users and with all files protected by it having been closed.
-func (policy *Policy) IsFullyDeprovisioned() bool {
-	return policy.GetProvisioningStatus() == keyring.KeyAbsent
-}
-
 // Provision inserts the Policy key into the kernel keyring. This allows reading
 // and writing of files encrypted with this directory. Requires unlocked Policy.
 func (policy *Policy) Provision() error {
@@ -435,14 +429,15 @@ func (policy *Policy) Provision() error {
 // Deprovision removes the Policy key from the kernel keyring. This prevents
 // reading and writing to the directory --- unless the target keyring is a user
-// keyring, in which case caches must be dropped too.
+// keyring, in which case caches must be dropped too. If the Policy key was
+// already removed, returns keyring.ErrKeyNotPresent.
 func (policy *Policy) Deprovision(allUsers bool) error {
 	return keyring.RemoveEncryptionKey(policy.Descriptor(),
 		policy.Context.getKeyringOptions(), allUsers)
 }
 
 // NeedsUserKeyring returns true if Provision and Deprovision for this policy
-// will use a user keyring, not a filesystem keyring.
+// will use a user keyring (deprecated), not a filesystem keyring.
 func (policy *Policy) NeedsUserKeyring() bool {
 	return policy.Version() == 1 &&
 		!policy.Context.Config.GetUseFsKeyringForV1Policies()
 }
|
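Review bot: The sentence added to Deprovision's doc comment invites callers to read keyring.ErrKeyNotPresent as "the directory is locked", but with allUsers=false on a user keyring (the deprecated v1 path that NeedsUserKeyring selects in the same hunk) it only says the calling user's keyring no longer holds the key; other users' keyrings and already-open files are not covered, which is exactly the gap the commit message's subdirectory-creation heuristic exists for. I would make that explicit so the error is not mistaken for proof of full deprovisioning, e.g. `// already removed (for a user keyring with allUsers=false: removed from the` / `// calling user's keyring only), returns keyring.ErrKeyNotPresent; that does not` / `// mean no other user or open file still holds the key.` Whether RemoveEncryptionKey surfaces keyring.ErrKeyNotPresent unwrapped, as the comment now promises, is not visible in this hunk and should be checked against any callers that compare it with `==` rather than errors.Is. The hunk's header function, Provision, starts outside the hunk; Deprovision and NeedsUserKeyring are shown in full.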