cmd/fscrypt, keyring: add --all-users option to 'fscrypt lock'

Allow root to provide the --all-users option to 'fscrypt lock' to force
an encryption key to be removed from the filesystem (i.e., force an
encrypted directory to be locked), even if other users have added it.

To implement this option, we just need to use the
FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl rather than
FS_IOC_REMOVE_ENCRYPTION_KEY.

In theory this option could be implemented for the user keyrings case
too, but it would be difficult and the user keyrings are being
deprecated for fscrypt, so don't bother.

3 files changed, 15 insertions, 6 deletions

diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index 0bf0a4c..41009b0 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -232,7 +232,7 @@ func encryptPath(path string) (err error) {
 	defer func() {
 		policy.Lock()
 		if err != nil {
-			policy.Deprovision()
+			policy.Deprovision(false)
 			policy.Revert()
 		}
 	}()
@@ -248,7 +248,7 @@ func encryptPath(path string) (err error) {
 			return
 		}
 		if skipUnlockFlag.Value {
-			defer policy.Deprovision()
+			defer policy.Deprovision(false)
 		}
 	}
 	if err = policy.Apply(path); os.IsPermission(errors.Cause(err)) {
@@ -426,7 +426,7 @@ var Lock = cli.Command{
 		recoverable by an attacker who compromises system memory. To be
 		fully safe, you must reboot with a power cycle.`,
 		directoryArg, shortDisplay(dropCachesFlag)),
-	Flags:  []cli.Flag{dropCachesFlag, userFlag},
+	Flags:  []cli.Flag{dropCachesFlag, userFlag, allUsersFlag},
 	Action: lockAction,
 }
 
@@ -465,7 +465,7 @@ func lockAction(c *cli.Context) error {
 		return newExitError(c, ErrDropCachesPerm)
 	}
 
-	if err = policy.Deprovision(); err != nil {
+	if err = policy.Deprovision(allUsersFlag.Value); err != nil {
 		return newExitError(c, err)
 	}
 
diff --git a/cmd/fscrypt/errors.go b/cmd/fscrypt/errors.go
index ba9ec7a..5239155 100644
--- a/cmd/fscrypt/errors.go
+++ b/cmd/fscrypt/errors.go
@@ -103,7 +103,8 @@ func getErrorSuggestions(err error) string {
 			re-running 'fscrypt lock'.`
 	case keyring.ErrKeyAddedByOtherUsers:
 		return `Directory couldn't be fully locked because other user(s)
-			have unlocked it.`
+			have unlocked it. If you want to force the directory to
+			be locked, use 'sudo fscrypt lock --all-users DIR'.`
 	case keyring.ErrSessionUserKeying:
 		return `This is usually the result of a bad PAM configuration.
 			Either correct the problem in your PAM stack, enable
diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go
index a22ec05..b7933c9 100644
--- a/cmd/fscrypt/flags.go
+++ b/cmd/fscrypt/flags.go
@@ -116,7 +116,7 @@ var (
 	allFlags = []prettyFlag{helpFlag, versionFlag, verboseFlag, quietFlag,
 		forceFlag, legacyFlag, skipUnlockFlag, timeTargetFlag,
 		sourceFlag, nameFlag, keyFileFlag, protectorFlag,
-		unlockWithFlag, policyFlag}
+		unlockWithFlag, policyFlag, allUsersFlag}
 	// universalFlags contains flags that should be on every command
 	universalFlags = []cli.Flag{verboseFlag, quietFlag, helpFlag}
 )
@@ -170,6 +170,14 @@ var (
 			privileges.`,
 		Default: true,
 	}
+	allUsersFlag = &boolFlag{
+		Name: "all-users",
+		Usage: `Lock the directory no matter which user(s) have unlocked
+			it. Requires root privileges. This flag is only
+			necessary if the directory was unlocked by a user
+			different from the one you're locking it as. This flag
+			is only implemented for v2 encryption policies.`,
+	}
 )
 
 // Option flags: used to specify options instead of being prompted for them