From 209a2d1419ea575fd316bd9975fb63e40cce7a77 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Sat, 9 May 2020 14:52:07 -0700 Subject: actions/policy: improve errors ErrMissingPolicyMetadata: Include the mount, directory path, and metadata path. Also move the explanation into actions/ since it doesn't refer to any CLI command. ErrPolicyMetadataMismatch: Include a lot more information. Also start checking for consistency of the policy key descriptors, not just the encryption options. Add a test for this. ErrDifferentFilesystem: Include the mountpoints. ErrOnlyProtector: Clarify the message and include the protector descriptor. ErrAlreadyProtected: ErrNotProtected: Include the policy and protector descriptors. ErrAccessDeniedPossiblyV2: Make it slightly clearer what failed. Also move the explanation into actions/ since it doesn't refer to any CLI command. --- cli-tests/t_unlock.out | 38 ++++++++++++++++++++++++++++---------- cli-tests/t_unlock.sh | 13 +++++++++++++ 2 files changed, 41 insertions(+), 10 deletions(-) (limited to 'cli-tests')
diff --git a/cli-tests/t_unlock.out b/cli-tests/t_unlock.out
index 29a10dd..710b063 100644
--- a/cli-tests/t_unlock.out
+++ b/cli-tests/t_unlock.out
@@ -81,21 +81,39 @@ contents desc1 Yes desc2
 # Try to unlock with corrupt policy metadata
-[ERROR] fscrypt unlock: MNT/dir: system error: missing
- policy metadata for encrypted directory
-
-This file or directory has either been encrypted with another tool (such as
-e4crypt) or the corresponding filesystem metadata has been deleted.
+[ERROR] fscrypt unlock: filesystem "MNT" does not contain
+ the policy metadata for "MNT/dir".
+ This directory has either been encrypted with another
+ tool (such as e4crypt), or the file
+ "MNT/.fscrypt/policies/desc1"
+ has been deleted.
 # Try to unlock with missing policy metadata
-[ERROR] fscrypt unlock: MNT/dir: system error: missing
- policy metadata for encrypted directory
-
-This file or directory has either been encrypted with another tool (such as
-e4crypt) or the corresponding filesystem metadata has been deleted.
+[ERROR] fscrypt unlock: filesystem "MNT" does not contain
+ the policy metadata for "MNT/dir".
+ This directory has either been encrypted with another
+ tool (such as e4crypt), or the file
+ "MNT/.fscrypt/policies/desc20"
+ has been deleted.
 # Try to unlock with missing protector metadata
 [ERROR] fscrypt unlock: could not load any protectors
 You may need to mount a linked filesystem. Run with --verbose for more information.
+
+# Try to unlock with wrong policy metadata
+[ERROR] fscrypt unlock: inconsistent metadata between encrypted directory
+ "MNT/dir1" and its corresponding
+ metadata file
+ "MNT/.fscrypt/policies/desc21".
+
+ Directory has
+ descriptor:desc21 padding:32
+ contents:AES_256_XTS filenames:AES_256_CTS
+ policy_version:2
+
+ Metadata file has
+ descriptor:desc23 padding:32
+ contents:AES_256_XTS filenames:AES_256_CTS
+ policy_version:2
diff --git a/cli-tests/t_unlock.sh b/cli-tests/t_unlock.sh
index 3dfba41..e32b0f7 100755
--- a/cli-tests/t_unlock.sh
+++ b/cli-tests/t_unlock.sh
@@ -67,3 +67,16 @@ mkdir "$dir"
 echo hunter2 | fscrypt encrypt --quiet --name=prot --skip-unlock "$dir"
 rm "$MNT"/.fscrypt/protectors/*
 _expect_failure "echo hunter2 | fscrypt unlock '$dir'"
+
+_print_header "Try to unlock with wrong policy metadata"
+_reset_filesystems
+mkdir "$MNT/dir1"
+mkdir "$MNT/dir2"
+echo hunter2 | fscrypt encrypt --quiet --name=dir1 --skip-unlock "$MNT/dir1"
+echo hunter2 | fscrypt encrypt --quiet --name=dir2 --skip-unlock "$MNT/dir2"
+policy1=$(find "$MNT/.fscrypt/policies/" -type f | head -1)
+policy2=$(find "$MNT/.fscrypt/policies/" -type f | tail -1)
+mv "$policy1" "$TMPDIR/policy"
+mv "$policy2" "$policy1"
+mv "$TMPDIR/policy" "$policy2"
+_expect_failure "echo hunter2 | fscrypt unlock '$MNT/dir1'"
-- cgit v1.2.3
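Review bot: The three `mv` lines at the end of the hunk swap the two policy files so that `dir1`'s metadata file ends up holding `dir2`'s policy, but nothing in the script says so, and the `find | head -1` / `find | tail -1` pairing only works because exactly two files exist and `find` lists them in an unspecified order; a comment would make the intent and the assumption explicit, e.g. `# Swap the two policy files so dir1's metadata file now describes dir2's policy (different key descriptor); unlock must detect the mismatch.` Piping `find` through `sort` before `head`/`tail` would make which file is called `policy1` deterministic, which matters only if the descriptor normalization in t_unlock.out depends on that order (not visible here). The `mv` to `$TMPDIR/policy` also assumes the harness exports `TMPDIR` (not visible in this hunk); under `set -u` an unset value aborts the test, otherwise the file would land at `/policy`, so a `: "${TMPDIR:?}"` guard before the first `mv` would be safer.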