2 files changed, 22 insertions, 16 deletions

diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index bd6b04d..2daff89 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -193,7 +193,7 @@ func OpenSession(handle *pam.Handle, _ map[string]bool) error {
 		log.Printf("no protector to unlock: %s", err)
 		return nil
 	}
-	policies := policiesUsingProtector(protector)
+	policies := policiesUsingProtector(protector, false)
 	if len(policies) == 0 {
 		log.Print("no policies to unlock")
 		return nil
@@ -234,11 +234,6 @@ func OpenSession(handle *pam.Handle, _ map[string]bool) error {
 
 	// We don't stop provisioning polices on error, we try all of them.
 	for _, policy := range policies {
-		if policy.IsProvisionedByTargetUser() {
-			log.Printf("policy %s already provisioned by %v",
-				policy.Descriptor(), handle.PamUser.Username)
-			continue
-		}
 		if err := policy.UnlockWithProtector(protector); err != nil {
 			log.Printf("unlocking policy %s: %s", policy.Descriptor(), err)
 			continue
@@ -316,7 +311,7 @@ func lockLoginPolicies(handle *pam.Handle) (bool, error) {
 		log.Printf("nothing to lock: %s", err)
 		return needDropCaches, nil
 	}
-	policies := policiesUsingProtector(protector)
+	policies := policiesUsingProtector(protector, true)
 	if len(policies) == 0 {
 		log.Print("no policies to lock")
 		return needDropCaches, nil
@@ -328,11 +323,6 @@ func lockLoginPolicies(handle *pam.Handle) (bool, error) {
 
 	// We will try to deprovision all of the policies.
 	for _, policy := range policies {
-		if !policy.IsProvisionedByTargetUser() {
-			log.Printf("policy %s not provisioned by %v",
-				policy.Descriptor(), handle.PamUser.Username)
-			continue
-		}
 		if policy.NeedsUserKeyring() {
 			needDropCaches = true
 		}
diff --git a/pam_fscrypt/run_fscrypt.go b/pam_fscrypt/run_fscrypt.go
index 6b40854..db86d01 100644
--- a/pam_fscrypt/run_fscrypt.go
+++ b/pam_fscrypt/run_fscrypt.go
@@ -179,8 +179,10 @@ func loginProtector(handle *pam.Handle) (*actions.Protector, error) {
 }
 
 // policiesUsingProtector searches all the mountpoints for any policies
-// protected with the specified protector.
-func policiesUsingProtector(protector *actions.Protector) []*actions.Policy {
+// protected with the specified protector.  If provisioned is true, then only
+// policies provisioned by the target user are returned; otherwise only policies
+// *not* provisioned by the target user are returned.
+func policiesUsingProtector(protector *actions.Protector, provisioned bool) []*actions.Policy {
 	mounts, err := filesystem.AllFilesystems()
 	if err != nil {
 		log.Print(err)
@@ -213,9 +215,23 @@ func policiesUsingProtector(protector *actions.Protector) []*actions.Policy {
 				continue
 			}
 
-			if policy.UsesProtector(protector) {
-				policies = append(policies, policy)
+			if !policy.UsesProtector(protector) {
+				continue
+			}
+			if provisioned {
+				if !policy.IsProvisionedByTargetUser() {
+					log.Printf("policy %s not provisioned by %v",
+						policy.Descriptor(), ctx.TargetUser.Username)
+					continue
+				}
+			} else {
+				if policy.IsProvisionedByTargetUser() {
+					log.Printf("policy %s already provisioned by %v",
+						policy.Descriptor(), ctx.TargetUser.Username)
+					continue
+				}
 			}
+			policies = append(policies, policy)
 		}
 	}
 	return policies