Diffstat (limited to 'actions')
-rw-r--r--actions/context.go13
-rw-r--r--actions/policy.go16
2 files changed, 21 insertions, 8 deletions
diff --git a/actions/context.go b/actions/context.go
index 7703db5..f7e98cf 100644
--- a/actions/context.go
+++ b/actions/context.go
@@ -58,10 +58,11 @@ type Context struct {
// modified after being loaded to customise parameters.
Config *metadata.Config
// Mount is the filesystem relative to which all Protectors and Policies
- // are added, edited, removed, and applied.
+ // are added, edited, removed, and applied, and to which policies using
+ // the filesystem keyring are provisioned.
Mount *filesystem.Mount
- // TargetUser is the user for which protectors are created and to whose
- // keyring policies are provisioned.
+ // TargetUser is the user for whom protectors are created, and to whose
+ // keyring policies using the user keyring are provisioned.
TargetUser *user.User
}
@@ -148,8 +149,10 @@ func (ctx *Context) getService() string {
func (ctx *Context) getKeyringOptions() *keyring.Options {
return &keyring.Options{
- User: ctx.TargetUser,
- Service: ctx.getService(),
+ Mount: ctx.Mount,
+ User: ctx.TargetUser,
+ Service: ctx.getService(),
+ UseFsKeyringForV1Policies: ctx.Config.GetUseFsKeyringForV1Policies(),
}
}
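Review bot: The new `UseFsKeyringForV1Policies: ctx.Config.GetUseFsKeyringForV1Policies()` line dereferences ctx.Config with no nil guard inside getKeyringOptions, whereas PurgeAllPolicies in the same commit calls `ctx.checkContext()` before touching the context; presumably every caller of getKeyringOptions is guarded the same way, but that dependency is now implicit in a helper that previously only read TargetUser. A short comment would make it explicit, e.g. `// getKeyringOptions assumes ctx.checkContext() has already succeeded; it reads Mount, TargetUser and Config.` Since this helper now decides which keyring a policy key is added to or removed from, a doc line such as `// getKeyringOptions returns the keyring.Options used to provision and deprovision this context's policy keys.` is also worth adding.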
diff --git a/actions/policy.go b/actions/policy.go
index 5bc2c5c..6ef83ce 100644
--- a/actions/policy.go
+++ b/actions/policy.go
@@ -44,8 +44,8 @@ var (
)
// PurgeAllPolicies removes all policy keys on the filesystem from the kernel
-// keyring. In order for this removal to have an effect, the filesystem should
-// also be unmounted.
+// keyring. In order for this to fully take effect, the filesystem may also need
+// to be unmounted or caches dropped.
func PurgeAllPolicies(ctx *Context) error {
if err := ctx.checkContext(); err != nil {
return err
@@ -60,6 +60,9 @@ func PurgeAllPolicies(ctx *Context) error {
switch errors.Cause(err) {
case nil, keyring.ErrKeyNotPresent:
// We don't care if the key has already been removed
+ case keyring.ErrKeyFilesOpen:
+ log.Printf("Key for policy %s couldn't be fully removed because some files are still in-use",
+ policyDescriptor)
default:
return err
}
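Review bot: The new `case keyring.ErrKeyFilesOpen:` branch turns an incomplete key removal into a log line and lets PurgeAllPolicies continue and, as far as this hunk shows, return nil, so a caller can no longer tell "all policy keys are gone" from "some keys remain usable by files still open" — a meaningful difference for anything that relies on the purge to revoke access. Consider recording that at least one key could not be fully removed and returning a distinguishable (or aggregated) error after the loop, keeping the best-effort continuation but letting callers that need the stronger guarantee check for it. At minimum the doc comment changed in the previous hunk should say so, e.g. `// Keys whose files are still open are only partially removed; this is logged rather than returned as an error.` PurgeAllPolicies begins in the preceding hunk and continues past this one.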
@@ -379,6 +382,12 @@ func (policy *Policy) IsProvisioned() bool {
return policy.GetProvisioningStatus() == keyring.KeyPresent
}
+// IsFullyDeprovisioned returns true if the policy has been fully deprovisioned,
+// including all files protected by it having been closed.
+func (policy *Policy) IsFullyDeprovisioned() bool {
+ return policy.GetProvisioningStatus() == keyring.KeyAbsent
+}
+
// Provision inserts the Policy key into the kernel keyring. This allows reading
// and writing of files encrypted with this directory. Requires unlocked Policy.
func (policy *Policy) Provision() error {
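Review bot: The doc comment on the new IsFullyDeprovisioned should say that it is not the negation of IsProvisioned: IsProvisioned tests for keyring.KeyPresent and the new method for keyring.KeyAbsent, so a policy whose key was removed while files were still open (the ErrKeyFilesOpen case handled in PurgeAllPolicies) presumably reports false from both. Suggest appending `// Note that a policy can be neither provisioned nor fully deprovisioned, e.g. after Deprovision while files protected by it remain open.` to the comment.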
@@ -390,7 +399,8 @@ func (policy *Policy) Provision() error {
}
// Deprovision removes the Policy key from the kernel keyring. This prevents
-// reading and writing to the directory once the caches are cleared.
+// reading and writing to the directory --- unless the target keyring is a user
+// keyring, in which case caches must be dropped too.
func (policy *Policy) Deprovision() error {
return keyring.RemoveEncryptionKey(policy.Descriptor(),
policy.Context.getKeyringOptions())