From de51add609bc74b7247ec4776bd694abbea24a45 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Sat, 9 May 2020 14:17:17 -0700
Subject: Try to detect incomplete locking of v1-encrypted directory

'fscrypt lock' on a v1-encrypted directory doesn't warn about in-use files, as the kernel doesn't provide a way to easily detect it. Instead, implement a heuristic where we check whether a subdirectory can be created. If yes, then the directory must not be fully locked. Make both 'fscrypt lock' and 'fscrypt status' use this heuristic. Resolves https://github.com/google/fscrypt/issues/215
---
 cli-tests/t_v1_policy.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'cli-tests/t_v1_policy.sh')

diff --git a/cli-tests/t_v1_policy.sh b/cli-tests/t_v1_policy.sh
index 1ebfae5..e9f3acf 100755
--- a/cli-tests/t_v1_policy.sh
+++ b/cli-tests/t_v1_policy.sh
@@ -54,3 +54,18 @@ _print_header "Lock v1-encrypted directory"
 fscrypt lock "$dir" --user="$TEST_USER"
 _user_do "fscrypt status '$dir'"
 _expect_failure "cat '$dir/file'"
+
+# 'fscrypt lock' and 'fscrypt status' implement a heuristic that should detect
+# the "files busy" case with v1.
+_print_header "Testing incompletely locking v1-encrypted directory"
+_user_do "echo hunter2 | fscrypt unlock '$dir'"
+exec 3<"$dir/file"
+_expect_failure "fscrypt lock '$dir' --user='$TEST_USER'"
+_user_do "fscrypt status '$dir'"
+# ... except in this case, because we can't detect it without a directory path.
+_user_do "fscrypt status '$MNT'"
+exec 3<&-
+_print_header "Finishing locking v1-encrypted directory"
+fscrypt lock "$dir" --user="$TEST_USER"
+_user_do "fscrypt status '$dir'"
+_expect_failure "cat '$dir/file'"
--
cgit v1.2.3
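Review bot: The comment above `_user_do "fscrypt status '$MNT'"` is too terse for the one case where the heuristic is known not to apply, and it leaves the security consequence unstated. While fd 3 is still open, the mountpoint-level status cannot reveal the incomplete lock, so that output must not be read as proof that the directory's contents are inaccessible. I would spell that out, for example `# 'fscrypt status' on the mountpoint has no encrypted directory path to probe, so the` / `# heuristic cannot run and the incomplete lock is NOT reported here; only the` / `# per-directory status above reflects the "files busy" state.` Separately, `_expect_failure "fscrypt lock ..."` only shows that the command exits non-zero; confirming that it fails for the in-use-files reason presumably relies on the expected-output file, which this view of the patch does not include.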