1 files changed, 17 insertions, 12 deletions

diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 04ca13c..bd6b04d 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -55,9 +55,12 @@ const (
 	debugFlag = "debug"
 
 	// This option is accepted for compatibility with existing config files,
-	// but now we lock policies unconditionally and this option is a no-op.
+	// but now we lock policies by default and this option is a no-op.
 	lockPoliciesFlag = "lock_policies"
 
+	// Only unlock directories, don't lock them.
+	unlockOnlyFlag = "unlock_only"
+
 	// This option is accepted for compatibility with existing config files,
 	// but it no longer does anything.  pam_fscrypt now drops caches if and
 	// only if it is needed.  (Usually it is not needed anymore, as the
@@ -279,19 +282,21 @@ func CloseSession(handle *pam.Handle, args map[string]bool) error {
 	// Don't automatically drop privileges, since we may need them to
 	// deprovision policies or to drop caches.
 
-	log.Print("locking policies protected with login protector")
-	needDropCaches, errLock := lockLoginPolicies(handle)
-
-	var errCache error
-	if needDropCaches {
-		log.Print("dropping appropriate filesystem caches at session close")
-		errCache = security.DropFilesystemCache()
-	}
+	if !args[unlockOnlyFlag] {
+		log.Print("locking policies protected with login protector")
+		needDropCaches, errLock := lockLoginPolicies(handle)
 
-	if errLock != nil {
-		return errLock
+		var errCache error
+		if needDropCaches {
+			log.Print("dropping appropriate filesystem caches at session close")
+			errCache = security.DropFilesystemCache()
+		}
+		if errLock != nil {
+			return errLock
+		}
+		return errCache
 	}
-	return errCache
+	return nil
 }
 
 // lockLoginPolicies deprovisions all policy keys that are protected by the