authorEric Biggers <ebiggers@google.com>2020-05-09 14:17:17 -0700
committerEric Biggers <ebiggers@google.com>2020-05-09 15:16:13 -0700
commitde51add609bc74b7247ec4776bd694abbea24a45 (patch)
treeb5f304a4ecc101a5410bb2274d129dbc7dad6441 /cmd/fscrypt/status.go
parentfb99b37a05696db4ceabb793e5f16727ec854ed1 (diff)
Try to detect incomplete locking of v1-encrypted directory
'fscrypt lock' on a v1-encrypted directory doesn't warn about in-use files, as the kernel doesn't provide a way to easily detect it. Instead, implement a heuristic where we check whether a subdirectory can be created. If yes, then the directory must not be fully locked. Make both 'fscrypt lock' and 'fscrypt status' use this heuristic. Resolves https://github.com/google/fscrypt/issues/215
Diffstat (limited to 'cmd/fscrypt/status.go')
-rw-r--r--cmd/fscrypt/status.go21
1 files changed, 17 insertions, 4 deletions
diff --git a/cmd/fscrypt/status.go b/cmd/fscrypt/status.go
index bf11495..40bb49e 100644
--- a/cmd/fscrypt/status.go
+++ b/cmd/fscrypt/status.go
@@ -66,8 +66,20 @@ func yesNoString(b bool) string {
return "No"
}
-func policyUnlockedStatus(policy *actions.Policy) string {
- switch policy.GetProvisioningStatus() {
+func policyUnlockedStatus(policy *actions.Policy, path string) string {
+ status := policy.GetProvisioningStatus()
+
+ // Due to a limitation in the old kernel API for fscrypt, for v1
+ // policies using the user keyring that are incompletely locked we'll
+ // get KeyAbsent, not KeyAbsentButFilesBusy as expected. If we have a
+ // directory path, use a heuristic to try to detect whether it is still
+ // usable and thus the policy is actually incompletely locked.
+ if status == keyring.KeyAbsent && policy.NeedsUserKeyring() &&
+ path != "" && isDirUnlockedHeuristic(path) {
+ status = keyring.KeyAbsentButFilesBusy
+ }
+
+ switch status {
case keyring.KeyPresent, keyring.KeyPresentButOnlyOtherUsers:
return "Yes"
case keyring.KeyAbsent:
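Review bot: The new `path` parameter and the heuristic it enables are undocumented at the signature on the `+func policyUnlockedStatus` line, and the heuristic has a side effect a reader of a status command would not expect: per the commit message it tries to create a subdirectory under `path`, so `fscrypt status` now writes to the inspected directory. A doc comment should say so, e.g. `// policyUnlockedStatus reports whether policy is unlocked. If path is a non-empty directory path using policy, it additionally runs the incomplete-lock heuristic, which attempts to create (and presumably remove) a subdirectory there.` It is also worth stating that any mkdir failure not caused by locking (permissions, read-only filesystem) keeps the status at KeyAbsent, so the heuristic can only upgrade to "files busy", never the reverse; isDirUnlockedHeuristic is not in this file, so that behaviour is inferred from the description and should be confirmed there. policyUnlockedStatus's switch continues past the end of the hunk.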
@@ -174,7 +186,8 @@ func writeFilesystemStatus(w io.Writer, ctx *actions.Context) error {
continue
}
- fmt.Fprintf(t, "%s\t%s\t%s\n", descriptor, policyUnlockedStatus(policy),
+ fmt.Fprintf(t, "%s\t%s\t%s\n", descriptor,
+ policyUnlockedStatus(policy, ""),
strings.Join(policy.ProtectorDescriptors(), ", "))
}
return t.Flush()
@@ -194,7 +207,7 @@ func writePathStatus(w io.Writer, path string) error {
fmt.Fprintln(w)
fmt.Fprintf(w, "Policy: %s\n", policy.Descriptor())
fmt.Fprintf(w, "Options: %s\n", policy.Options())
- fmt.Fprintf(w, "Unlocked: %s\n", policyUnlockedStatus(policy))
+ fmt.Fprintf(w, "Unlocked: %s\n", policyUnlockedStatus(policy, path))
fmt.Fprintln(w)
options := policy.ProtectorOptions()