diff options
| author | Eric Biggers <ebiggers@google.com> | 2020-05-09 14:17:17 -0700 |
|---|---|---|
| committer | Eric Biggers <ebiggers@google.com> | 2020-05-09 15:16:13 -0700 |
| commit | de51add609bc74b7247ec4776bd694abbea24a45 (patch) | |
| tree | b5f304a4ecc101a5410bb2274d129dbc7dad6441 /cli-tests/t_v1_policy.out | |
| parent | fb99b37a05696db4ceabb793e5f16727ec854ed1 (diff) | |
Try to detect incomplete locking of v1-encrypted directory
'fscrypt lock' on a v1-encrypted directory doesn't warn about in-use
files, as the kernel doesn't provide a way to easily detect it.
Instead, implement a heuristic where we check whether a subdirectory can
be created. If yes, then the directory must not be fully locked.
Make both 'fscrypt lock' and 'fscrypt status' use this heuristic.
Resolves https://github.com/google/fscrypt/issues/215
Diffstat (limited to 'cli-tests/t_v1_policy.out')
| -rw-r--r-- | cli-tests/t_v1_policy.out | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/cli-tests/t_v1_policy.out b/cli-tests/t_v1_policy.out index 747cf81..0ff5219 100644 --- a/cli-tests/t_v1_policy.out +++ b/cli-tests/t_v1_policy.out @@ -96,3 +96,42 @@ Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" cat: MNT/dir/file: No such file or directory + +# Testing incompletely locking v1-encrypted directory +Enter custom passphrase for protector "prot": "MNT/dir" is now unlocked and ready for use. +Encrypted data removed from filesystem cache. +[ERROR] fscrypt lock: some files using the key are still open + +Directory was incompletely locked because some files are still open. These files +remain accessible. Try killing any processes using files in the directory, then +re-running 'fscrypt lock'. +"MNT/dir" is encrypted with fscrypt. + +Policy: desc1 +Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 +Unlocked: Partially (incompletely locked) + +Protected with 1 protector: +PROTECTOR LINKED DESCRIPTION +desc2 No custom protector "prot" +ext4 filesystem "MNT" has 1 protector and 1 policy + +PROTECTOR LINKED DESCRIPTION +desc2 No custom protector "prot" + +POLICY UNLOCKED PROTECTORS +desc1 No desc2 + +# Finishing locking v1-encrypted directory +Encrypted data removed from filesystem cache. +"MNT/dir" is now locked. +"MNT/dir" is encrypted with fscrypt. + +Policy: desc1 +Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 +Unlocked: No + +Protected with 1 protector: +PROTECTOR LINKED DESCRIPTION +desc2 No custom protector "prot" +cat: MNT/dir/file: No such file or directory |