| -rw-r--r-- | cli-tests/common.sh | 12 | ||||
| -rw-r--r-- | cli-tests/t_v1_policy.out | 4 | ||||
| -rwxr-xr-x | cli-tests/t_v1_policy.sh | 1 | ||||
| -rw-r--r-- | cmd/fscrypt/status.go | 9 |
4 files changed, 19 insertions, 7 deletions
diff --git a/cli-tests/common.sh b/cli-tests/common.sh index fcebfd6..79b42ae 100644 --- a/cli-tests/common.sh +++ b/cli-tests/common.sh @@ -128,6 +128,18 @@ _user_do_and_expect_failure() _expect_failure "_user_do '$1'" } +# Clear the test user's user keyring and unlink it from root's user keyring, if +# it is linked into it. +_cleanup_user_keyrings() +{ + local ringid + + ringid=$(_user_do "keyctl show @u" | awk '/keyring: _uid/{print $1}') + + _user_do "keyctl clear $ringid" + keyctl unlink "$ringid" @u &> /dev/null || true +} + # Gives the test a new session keyring which contains the test user's keyring # but not root's keyring. Also clears the test user's keyring. This must be # called at the beginning of the test script as it may re-execute the script. diff --git a/cli-tests/t_v1_policy.out b/cli-tests/t_v1_policy.out index b47bcca..9adb00a 100644 --- a/cli-tests/t_v1_policy.out +++ b/cli-tests/t_v1_policy.out @@ -42,7 +42,7 @@ desc2 No custom protector "prot" Policy: desc1 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 -Unlocked: Yes +Unlocked: Partially (incompletely locked, or unlocked by another user) Protected with 1 protector: PROTECTOR LINKED DESCRIPTION @@ -115,7 +115,7 @@ Then re-run: Policy: desc1 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 -Unlocked: Partially (incompletely locked) +Unlocked: Partially (incompletely locked, or unlocked by another user) Protected with 1 protector: PROTECTOR LINKED DESCRIPTION diff --git a/cli-tests/t_v1_policy.sh b/cli-tests/t_v1_policy.sh index e9f3acf..e883dcd 100755 --- a/cli-tests/t_v1_policy.sh +++ b/cli-tests/t_v1_policy.sh @@ -6,6 +6,7 @@ cd "$(dirname "$0")" . common.sh _setup_session_keyring +trap _cleanup_user_keyrings EXIT dir="$MNT/dir" mkdir "$dir" diff --git a/cmd/fscrypt/status.go b/cmd/fscrypt/status.go index 02fdc74..255bb2b 100644 --- a/cmd/fscrypt/status.go +++ b/cmd/fscrypt/status.go 
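Review bot: `_cleanup_user_keyrings` in cli-tests/common.sh uses `$ringid` without checking that the awk filter produced exactly one ID. If `keyctl show @u` prints no matching line, `keyctl clear` runs with an empty argument inside the EXIT trap, and its failure is not suppressed the way the following `unlink` is. The pattern `/keyring: _uid/` would also match a `_uid_ses` entry if one were listed, which would put two IDs into the variable. I would add `[ -n "$ringid" ] || return 0` after the assignment and tighten the pattern to `/keyring: _uid\./`. Keys left in a keyring that is linked into root's user keyring can leak into later tests, so this cleanup is worth making robust.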
@@ -68,13 +68,12 @@ func policyUnlockedStatus(policy *actions.Policy, path string) string { status := policy.GetProvisioningStatus() // Due to a limitation in the old kernel API for fscrypt, for v1 - // policies using the user keyring that are incompletely locked we'll - // get KeyAbsent, not KeyAbsentButFilesBusy as expected. If we have a - // directory path, use a heuristic to try to detect whether it is still - // usable and thus the policy is actually incompletely locked. + // policies using the user keyring that are incompletely locked or are + // unlocked by another user, we'll get KeyAbsent. If we have a + // directory path, use a heuristic to try to detect these cases. if status == keyring.KeyAbsent && policy.NeedsUserKeyring() && path != "" && isDirUnlockedHeuristic(path) { - status = keyring.KeyAbsentButFilesBusy + return "Partially (incompletely locked, or unlocked by another user)" } switch status { |
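Review bot: The new early `return "Partially (incompletely locked, or unlocked by another user)"` makes the heuristic case the only status that bypasses the `switch status` below it, and it hard-codes a user-facing string that the expected-output file in this commit also pins. Any later change to how statuses are rendered in the switch (its cases are outside this hunk) will silently miss this path. I would either keep a distinct status value and let the switch map it to text, or at least hoist the literal into a named constant next to the other status strings. Since users read this line to judge whether a v1 directory is still accessible, the doc comment on `policyUnlockedStatus` should also say the result is a heuristic and cannot tell the two cases apart, e.g. `// For v1 policies on the user keyring the "Partially" result is a heuristic; it cannot distinguish an incomplete lock from another user's unlock.`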