4 files changed, 43 insertions, 12 deletions
diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index 621651e..0bf0a4c 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -139,6 +139,18 @@ func encryptAction(c *cli.Context) error {
 // of the key for the given encryption policy (if policy != nil) or for the
 // current default encryption policy (if policy == nil).
 func validateKeyringPrereqs(ctx *actions.Context, policy *actions.Policy) error {
+	var policyVersion int64
+	if policy == nil {
+		policyVersion = ctx.Config.Options.PolicyVersion
+	} else {
+		policyVersion = policy.Version()
+	}
+	// If it's a v2 policy, we're good to go, since non-root users can
+	// add/remove v2 policy keys directly to/from the filesystem, where they
+	// are usable by the filesystem on behalf of any process.
+	if policyVersion != 1 {
+		return nil
+	}
 	if ctx.Config.GetUseFsKeyringForV1Policies() {
 		// We'll be using the filesystem keyring, but it's a v1
 		// encryption policy so root is required.
@@ -225,14 +237,19 @@ func encryptPath(path string) (err error) {
 		}
 	}()
 
-	// Unlock() first, so if the Unlock() fails the directory isn't changed.
-	if !skipUnlockFlag.Value {
+	// Unlock() and Provision() first, so if that if these fail the
+	// directory isn't changed, and also because v2 policies can't be
+	// applied while deprovisioned unless the process is running as root.
+	if !skipUnlockFlag.Value || !policy.CanBeAppliedWithoutProvisioning() {
 		if err = policy.Unlock(optionFn, existingKeyFn); err != nil {
 			return
 		}
 		if err = policy.Provision(); err != nil {
 			return
 		}
+		if skipUnlockFlag.Value {
+			defer policy.Deprovision()
+		}
 	}
 	if err = policy.Apply(path); os.IsPermission(errors.Cause(err)) {
 		// EACCES at this point indicates ownership issues.
@@ -352,8 +369,9 @@ func unlockAction(c *cli.Context) error {
 		return newExitError(c, err)
 	}
 	// Check if directory is already unlocked
-	if policy.IsProvisioned() {
-		log.Printf("policy %s is already provisioned", policy.Descriptor())
+	if policy.IsProvisionedByTargetUser() {
+		log.Printf("policy %s is already provisioned by %v",
+			policy.Descriptor(), ctx.TargetUser.Username)
 		return newExitError(c, errors.Wrapf(ErrPolicyUnlocked, path))
 	}
 
@@ -395,8 +413,13 @@ var Lock = cli.Command{
 		For this to be effective, all files in the directory must first
 		be closed.
 
-		The %s=true option may be needed to properly lock the directory.
-		Root is required for this.
+		If the directory uses a v1 encryption policy, then the %s=true
+		option may be needed to properly lock it. Root is required for
+		this.
+
+		If the directory uses a v2 encryption policy, then a non-root
+		user can lock it, but only if it's the same user who unlocked it
+		originally and if no other users have unlocked it too.
 
 		WARNING: even after the key has been removed, decrypted data may
 		still be present in freed memory, where it may still be
diff --git a/cmd/fscrypt/errors.go b/cmd/fscrypt/errors.go
index ac969f6..ba9ec7a 100644
--- a/cmd/fscrypt/errors.go
+++ b/cmd/fscrypt/errors.go
@@ -101,6 +101,9 @@ func getErrorSuggestions(err error) string {
 			still open. These files remain accessible. Try killing
 			any processes using files in the directory, then
 			re-running 'fscrypt lock'.`
+	case keyring.ErrKeyAddedByOtherUsers:
+		return `Directory couldn't be fully locked because other user(s)
+			have unlocked it.`
 	case keyring.ErrSessionUserKeying:
 		return `This is usually the result of a bad PAM configuration.
 			Either correct the problem in your PAM stack, enable
@@ -145,7 +148,10 @@ func getErrorSuggestions(err error) string {
 	case ErrFsKeyringPerm:
 		return `Either this command should be run as root, or you should
 			set '"use_fs_keyring_for_v1_policies": false' in
-			/etc/fscrypt.conf.`
+			/etc/fscrypt.conf, or you should re-create your
+			encrypted directories using v2 encryption policies
+			rather than v1 (this requires setting '"policy_version":
+			"2"' in the "options" section of /etc/fscrypt.conf).`
 	case ErrSpecifyUser:
 		return fmt.Sprintf(`When running this command as root, you
 			usually still want to provision/remove keys for a normal
diff --git a/cmd/fscrypt/flags.go b/cmd/fscrypt/flags.go
index 361732c..a22ec05 100644
--- a/cmd/fscrypt/flags.go
+++ b/cmd/fscrypt/flags.go
@@ -162,10 +162,12 @@ var (
 	}
 	dropCachesFlag = &boolFlag{
 		Name: "drop-caches",
-		Usage: `After purging the keys from the keyring, drop the
-			associated caches for the purge to take effect. Without
-			this flag, cached encrypted files may still have their
-			plaintext visible. Requires root privileges.`,
+		Usage: `After removing the key(s) from the keyring, drop the
+			kernel's filesystem caches if needed. Without this flag,
+			files encrypted with v1 encryption policies may still be
+			accessible. This flag is not needed for v2 encryption
+			policies. This flag, if actually needed, requires root
+			privileges.`,
 		Default: true,
 	}
 )
diff --git a/cmd/fscrypt/status.go b/cmd/fscrypt/status.go
index 3f7f577..bf11495 100644
--- a/cmd/fscrypt/status.go
+++ b/cmd/fscrypt/status.go
@@ -68,7 +68,7 @@ func yesNoString(b bool) string {
 
 func policyUnlockedStatus(policy *actions.Policy) string {
 	switch policy.GetProvisioningStatus() {
-	case keyring.KeyPresent:
+	case keyring.KeyPresent, keyring.KeyPresentButOnlyOtherUsers:
 		return "Yes"
 	case keyring.KeyAbsent:
 		return "No"