4 files changed, 25 insertions, 26 deletions
diff --git a/metadata/constants.go b/metadata/constants.go
index 344f955..8855ae3 100644
--- a/metadata/constants.go
+++ b/metadata/constants.go
@@ -28,7 +28,7 @@ import (
 // Lengths for our keys, buffers, and strings used in fscrypt.
 const (
 	// DescriptorLen is the length of all Protector and Policy descriptors.
-	DescriptorLen = 2 * unix.FS_KEY_DESCRIPTOR_SIZE
+	DescriptorLen = 2 * unix.FSCRYPT_KEY_DESCRIPTOR_SIZE
 	// We always use 256-bit keys internally (compared to 512-bit policy keys).
 	InternalKeyLen = 32
 	IVLen          = 16
@@ -36,7 +36,7 @@ const (
 	// We use SHA256 for the HMAC, and len(HMAC) == len(hash size).
 	HMACLen = sha256.Size
 	// PolicyKeyLen is the length of all keys passed directly to the Keyring
-	PolicyKeyLen = unix.FS_MAX_KEY_SIZE
+	PolicyKeyLen = unix.FSCRYPT_MAX_KEY_SIZE
 )
 
 var (
diff --git a/metadata/metadata.pb.go b/metadata/metadata.pb.go
index 2b62a91..bd3ee2a 100644
--- a/metadata/metadata.pb.go
+++ b/metadata/metadata.pb.go
@@ -45,10 +45,10 @@ func (x SourceType) String() string {
 	return proto.EnumName(SourceType_name, int32(x))
 }
 func (SourceType) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_metadata_5e732a616277e389, []int{0}
+	return fileDescriptor_metadata_fa046c95c3cd6aa1, []int{0}
 }
 
-// Type of encryption; should match declarations of unix.FS_ENCRYPTION_MODE
+// Type of encryption; should match declarations of unix.FSCRYPT_MODE
 type EncryptionOptions_Mode int32
 
 const (
@@ -87,7 +87,7 @@ func (x EncryptionOptions_Mode) String() string {
 	return proto.EnumName(EncryptionOptions_Mode_name, int32(x))
 }
 func (EncryptionOptions_Mode) EnumDescriptor() ([]byte, []int) {
-	return fileDescriptor_metadata_5e732a616277e389, []int{3, 0}
+	return fileDescriptor_metadata_fa046c95c3cd6aa1, []int{3, 0}
 }
 
 // Cost parameters to be used in our hashing functions.
@@ -104,7 +104,7 @@ func (m *HashingCosts) Reset()         { *m = HashingCosts{} }
 func (m *HashingCosts) String() string { return proto.CompactTextString(m) }
 func (*HashingCosts) ProtoMessage()    {}
 func (*HashingCosts) Descriptor() ([]byte, []int) {
-	return fileDescriptor_metadata_5e732a616277e389, []int{0}
+	return fileDescriptor_metadata_fa046c95c3cd6aa1, []int{0}
 }
 func (m *HashingCosts) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_HashingCosts.Unmarshal(m, b)
@@ -159,7 +159,7 @@ func (m *WrappedKeyData) Reset()         { *m = WrappedKeyData{} }
 func (m *WrappedKeyData) String() string { return proto.CompactTextString(m) }
 func (*WrappedKeyData) ProtoMessage()    {}
 func (*WrappedKeyData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_metadata_5e732a616277e389, []int{1}
+	return fileDescriptor_metadata_fa046c95c3cd6aa1, []int{1}
 }
 func (m *WrappedKeyData) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_WrappedKeyData.Unmarshal(m, b)
@@ -219,7 +219,7 @@ func (m *ProtectorData) Reset()         { *m = ProtectorData{} }
 func (m *ProtectorData) String() string { return proto.CompactTextString(m) }
 func (*ProtectorData) ProtoMessage()    {}
 func (*ProtectorData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_metadata_5e732a616277e389, []int{2}
+	return fileDescriptor_metadata_fa046c95c3cd6aa1, []int{2}
 }
 func (m *ProtectorData) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_ProtectorData.Unmarshal(m, b)
@@ -302,7 +302,7 @@ func (m *EncryptionOptions) Reset()         { *m = EncryptionOptions{} }
 func (m *EncryptionOptions) String() string { return proto.CompactTextString(m) }
 func (*EncryptionOptions) ProtoMessage()    {}
 func (*EncryptionOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptor_metadata_5e732a616277e389, []int{3}
+	return fileDescriptor_metadata_fa046c95c3cd6aa1, []int{3}
 }
 func (m *EncryptionOptions) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_EncryptionOptions.Unmarshal(m, b)
@@ -355,7 +355,7 @@ func (m *WrappedPolicyKey) Reset()         { *m = WrappedPolicyKey{} }
 func (m *WrappedPolicyKey) String() string { return proto.CompactTextString(m) }
 func (*WrappedPolicyKey) ProtoMessage()    {}
 func (*WrappedPolicyKey) Descriptor() ([]byte, []int) {
-	return fileDescriptor_metadata_5e732a616277e389, []int{4}
+	return fileDescriptor_metadata_fa046c95c3cd6aa1, []int{4}
 }
 func (m *WrappedPolicyKey) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_WrappedPolicyKey.Unmarshal(m, b)
@@ -403,7 +403,7 @@ func (m *PolicyData) Reset()         { *m = PolicyData{} }
 func (m *PolicyData) String() string { return proto.CompactTextString(m) }
 func (*PolicyData) ProtoMessage()    {}
 func (*PolicyData) Descriptor() ([]byte, []int) {
-	return fileDescriptor_metadata_5e732a616277e389, []int{5}
+	return fileDescriptor_metadata_fa046c95c3cd6aa1, []int{5}
 }
 func (m *PolicyData) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_PolicyData.Unmarshal(m, b)
@@ -459,7 +459,7 @@ func (m *Config) Reset()         { *m = Config{} }
 func (m *Config) String() string { return proto.CompactTextString(m) }
 func (*Config) ProtoMessage()    {}
 func (*Config) Descriptor() ([]byte, []int) {
-	return fileDescriptor_metadata_5e732a616277e389, []int{6}
+	return fileDescriptor_metadata_fa046c95c3cd6aa1, []int{6}
 }
 func (m *Config) XXX_Unmarshal(b []byte) error {
 	return xxx_messageInfo_Config.Unmarshal(m, b)
@@ -519,9 +519,9 @@ func init() {
 	proto.RegisterEnum("metadata.EncryptionOptions_Mode", EncryptionOptions_Mode_name, EncryptionOptions_Mode_value)
 }
 
-func init() { proto.RegisterFile("metadata/metadata.proto", fileDescriptor_metadata_5e732a616277e389) }
+func init() { proto.RegisterFile("metadata/metadata.proto", fileDescriptor_metadata_fa046c95c3cd6aa1) }
 
-var fileDescriptor_metadata_5e732a616277e389 = []byte{
+var fileDescriptor_metadata_fa046c95c3cd6aa1 = []byte{
 	// 656 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x94, 0xef, 0x6a, 0xdb, 0x3c,
 	0x14, 0xc6, 0x5f, 0xdb, 0x69, 0xd2, 0x9c, 0xfc, 0x79, 0x5d, 0xb5, 0x6f, 0x5f, 0xb3, 0x7d, 0x09,
diff --git a/metadata/metadata.proto b/metadata/metadata.proto
index 6fe0ad9..735181e 100644
--- a/metadata/metadata.proto
+++ b/metadata/metadata.proto
@@ -63,7 +63,7 @@ message ProtectorData {
 message EncryptionOptions {
   int64 padding = 1;
 
-  // Type of encryption; should match declarations of unix.FS_ENCRYPTION_MODE
+  // Type of encryption; should match declarations of unix.FSCRYPT_MODE
   enum Mode {
     default = 0;
     AES_256_XTS = 1;
diff --git a/metadata/policy.go b/metadata/policy.go
index 7926e9e..f9af44a 100644
--- a/metadata/policy.go
+++ b/metadata/policy.go
@@ -46,7 +46,7 @@ var (
 // pointers and file descriptors to the IOCTL syscall. This function also takes
 // some of the unclear errors returned by the syscall and translates then into
 // more specific error strings.
-func policyIoctl(file *os.File, request uintptr, policy *unix.FscryptPolicy) error {
+func policyIoctl(file *os.File, request uintptr, policy *unix.FscryptPolicyV1) error {
 	// The returned errno value can sometimes give strange errors, so we
 	// return encryption specific errors.
 	_, _, errno := unix.Syscall(unix.SYS_IOCTL, file.Fd(), request, uintptr(unsafe.Pointer(policy)))
@@ -68,11 +68,11 @@ func policyIoctl(file *os.File, request uintptr, policy *unix.FscryptPolicy) err
 	}
 }
 
-// Maps EncryptionOptions.Padding <-> FscryptPolicy.Flags
+// Maps EncryptionOptions.Padding <-> FSCRYPT_POLICY_FLAGS
 var (
 	paddingArray = []int64{4, 8, 16, 32}
-	flagsArray   = []int64{unix.FS_POLICY_FLAGS_PAD_4, unix.FS_POLICY_FLAGS_PAD_8,
-		unix.FS_POLICY_FLAGS_PAD_16, unix.FS_POLICY_FLAGS_PAD_32}
+	flagsArray   = []int64{unix.FSCRYPT_POLICY_FLAGS_PAD_4, unix.FSCRYPT_POLICY_FLAGS_PAD_8,
+		unix.FSCRYPT_POLICY_FLAGS_PAD_16, unix.FSCRYPT_POLICY_FLAGS_PAD_32}
 )
 
 // GetPolicy returns the Policy data for the given directory or file (includes
@@ -85,13 +85,13 @@ func GetPolicy(path string) (*PolicyData, error) {
 	}
 	defer file.Close()
 
-	var policy unix.FscryptPolicy
+	var policy unix.FscryptPolicyV1
 	if err = policyIoctl(file, unix.FS_IOC_GET_ENCRYPTION_POLICY, &policy); err != nil {
 		return nil, errors.Wrapf(err, "get encryption policy %s", path)
 	}
 
 	// Convert the padding flag into an amount of padding
-	paddingFlag := int64(policy.Flags & unix.FS_POLICY_FLAGS_PAD_MASK)
+	paddingFlag := int64(policy.Flags & unix.FSCRYPT_POLICY_FLAGS_PAD_MASK)
 
 	// This lookup should always succeed
 	padding, ok := util.Lookup(paddingFlag, flagsArray, paddingArray)
@@ -147,12 +147,11 @@ func SetPolicy(path string, data *PolicyData) error {
 	}
 
 	if shouldUseDirectKeyFlag(data.Options) {
-		// TODO: use unix.FS_POLICY_FLAG_DIRECT_KEY here once available
-		flags |= 0x4
+		flags |= unix.FSCRYPT_POLICY_FLAG_DIRECT_KEY
 	}
 
-	policy := unix.FscryptPolicy{
-		Version:                   0, // Version must always be zero
+	policy := unix.FscryptPolicyV1{
+		Version:                   unix.FSCRYPT_POLICY_V1,
 		Contents_encryption_mode:  uint8(data.Options.Contents),
 		Filenames_encryption_mode: uint8(data.Options.Filenames),
 		Flags:                     uint8(flags),
@@ -189,7 +188,7 @@ func CheckSupport(path string) error {
 	defer file.Close()
 
 	// On supported directories, giving a bad policy will return EINVAL
-	badPolicy := unix.FscryptPolicy{
+	badPolicy := unix.FscryptPolicyV1{
 		Version:                   math.MaxUint8,
 		Contents_encryption_mode:  math.MaxUint8,
 		Filenames_encryption_mode: math.MaxUint8,