cmd/fscrypt, keyring: add --all-users option to 'fscrypt lock'

Allow root to provide the --all-users option to 'fscrypt lock' to force an encryption key to be removed from the filesystem (i.e., force an encrypted directory to be locked), even if other users have added it. To implement this option, we just need to use the FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl rather than FS_IOC_REMOVE_ENCRYPTION_KEY. In theory this option could be implemented for the user keyrings case too, but it would be difficult and the user keyrings are being deprecated for fscrypt, so don't bother.
author: Eric Biggers <ebiggers@google.com> 2019-12-15 19:31:39 -0800
committer: Eric Biggers <ebiggers@google.com> 2020-01-05 10:02:13 -0800
commit: 068879664efd8a0f983cbc3e8115571047fe9edd (patch)
tree: 51019d4d215c2c61b848b2aeaf7b2027952e65e8 /cmd/fscrypt/errors.go
parent: 42e0dfe85ec7a75a2fa30c417d57eae60b5a881d (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/cmd/fscrypt/errors.go b/cmd/fscrypt/errors.go
index ba9ec7a..5239155 100644
--- a/cmd/fscrypt/errors.go
+++ b/cmd/fscrypt/errors.go
@@ -103,7 +103,8 @@ func getErrorSuggestions(err error) string {
 			re-running 'fscrypt lock'.`
 	case keyring.ErrKeyAddedByOtherUsers:
 		return `Directory couldn't be fully locked because other user(s)
-			have unlocked it.`
+			have unlocked it. If you want to force the directory to
+			be locked, use 'sudo fscrypt lock --all-users DIR'.`
 	case keyring.ErrSessionUserKeying:
 		return `This is usually the result of a bad PAM configuration.
 			Either correct the problem in your PAM stack, enable
author	Eric Biggers <ebiggers@google.com>	2019-12-15 19:31:39 -0800
committer	Eric Biggers <ebiggers@google.com>	2020-01-05 10:02:13 -0800
commit	068879664efd8a0f983cbc3e8115571047fe9edd (patch)
tree	51019d4d215c2c61b848b2aeaf7b2027952e65e8 /cmd/fscrypt/errors.go
parent	42e0dfe85ec7a75a2fa30c417d57eae60b5a881d (diff)