cmd/fscrypt: add FSCRYPT_ROOT_MNT environmental variable

Allow overriding the mountpoint where login protectors are stored by
setting the FSCRYPT_ROOT_MNT environmental variable.  The CLI tests need
this to avoid touching the real "/".

3 files changed, 14 insertions, 8 deletions

diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index f84102e..ec75584 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -73,12 +73,13 @@ func setupAction(c *cli.Context) error {
 		if err := createGlobalConfig(c.App.Writer, actions.ConfigFileLocation); err != nil {
 			return newExitError(c, err)
 		}
-		if err := setupFilesystem(c.App.Writer, "/"); err != nil {
+		if err := setupFilesystem(c.App.Writer, actions.LoginProtectorMountpoint); err != nil {
 			if errors.Cause(err) != filesystem.ErrAlreadySetup {
 				return newExitError(c, err)
 			}
 			fmt.Fprintf(c.App.Writer,
-				"Skipping creating /.fscrypt because it already exists.\n")
+				"Skipping creating %s because it already exists.\n",
+				filepath.Join(actions.LoginProtectorMountpoint, ".fscrypt"))
 		}
 	case 1:
 		// Case (2) - filesystem setup
diff --git a/cmd/fscrypt/fscrypt.go b/cmd/fscrypt/fscrypt.go
index 069cc96..bbe16bb 100644
--- a/cmd/fscrypt/fscrypt.go
+++ b/cmd/fscrypt/fscrypt.go
@@ -46,6 +46,9 @@ func main() {
 	if conffile := os.Getenv("FSCRYPT_CONF"); conffile != "" {
 		actions.ConfigFileLocation = conffile
 	}
+	if rootmnt := os.Getenv("FSCRYPT_ROOT_MNT"); rootmnt != "" {
+		actions.LoginProtectorMountpoint = rootmnt
+	}
 
 	// Create our command line application
 	app := cli.NewApp()
diff --git a/cmd/fscrypt/protector.go b/cmd/fscrypt/protector.go
index 25f1984..6d35d9e 100644
--- a/cmd/fscrypt/protector.go
+++ b/cmd/fscrypt/protector.go
@@ -51,8 +51,10 @@ func createProtectorFromContext(ctx *actions.Context) (*actions.Protector, error
 
 	// We only want to create new login protectors on the root filesystem.
 	// So we make a new context if necessary.
-	if ctx.Config.Source == metadata.SourceType_pam_passphrase && ctx.Mount.Path != "/" {
-		log.Printf("creating login protector on %q instead of %q", "/", ctx.Mount.Path)
+	if ctx.Config.Source == metadata.SourceType_pam_passphrase &&
+		ctx.Mount.Path != actions.LoginProtectorMountpoint {
+		log.Printf("creating login protector on %q instead of %q",
+			actions.LoginProtectorMountpoint, ctx.Mount.Path)
 		if ctx, err = modifiedContext(ctx); err != nil {
 			return nil, err
 		}
@@ -84,7 +86,7 @@ func expandedProtectorOptions(ctx *actions.Context) ([]*actions.ProtectorOption,
 	}
 
 	// Do nothing different if we are at the root, or cannot load the root.
-	if ctx.Mount.Path == "/" {
+	if ctx.Mount.Path == actions.LoginProtectorMountpoint {
 		return options, nil
 	}
 	if ctx, err = modifiedContext(ctx); err != nil {
@@ -117,10 +119,10 @@ func expandedProtectorOptions(ctx *actions.Context) ([]*actions.ProtectorOption,
 	return options, nil
 }
 
-// modifiedContext returns a copy of ctx with the mountpoint replaced by that of
-// the root filesystem.
+// modifiedContext returns a copy of ctx with the mountpoint replaced by
+// LoginProtectorMountpoint.
 func modifiedContext(ctx *actions.Context) (*actions.Context, error) {
-	mnt, err := filesystem.GetMount("/")
+	mnt, err := filesystem.GetMount(actions.LoginProtectorMountpoint)
 	if err != nil {
 		return nil, err
 	}