From a6c5029cd114cd27cc59024e968feb4765e5323d Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Sat, 9 Dec 2023 14:36:03 -0800
Subject: Provide better error message when given a locked regular file

Since opening an encrypted regular file that is locked fails with
ENOKEY, getting the encryption policy of such a file is not possible.
As a result, 'fscrypt status' and 'fscrypt lock' fail on such files.
Provide a better error message that tries to explain what is going on.

Resolves https://github.com/google/fscrypt/issues/393
---
 cli-tests/t_lock.out | 15 +++++++++++++++
 cli-tests/t_lock.sh  | 11 +++++++++++
 2 files changed, 26 insertions(+)

(limited to 'cli-tests')

diff --git a/cli-tests/t_lock.out b/cli-tests/t_lock.out
index d630e74..ce27713 100644
--- a/cli-tests/t_lock.out
+++ b/cli-tests/t_lock.out
@@ -85,3 +85,18 @@ If you want to force the directory to be locked, use:
 contents
 "MNT/dir" is now locked.
 cat: MNT/dir/file: No such file or directory
+
+# Try to operate on locked regular file
+"MNT/dir" is now locked.
+[ERROR] fscrypt status: cannot operate on locked regular file
+                        "MNT/file"
+
+It is not possible to operate directly on a locked regular file, since the
+kernel does not support this. Specify the parent directory instead. (For loose
+files, any directory with the file's policy works.)
+[ERROR] fscrypt unlock: cannot operate on locked regular file
+                        "MNT/file"
+
+It is not possible to operate directly on a locked regular file, since the
+kernel does not support this. Specify the parent directory instead. (For loose
+files, any directory with the file's policy works.)
diff --git a/cli-tests/t_lock.sh b/cli-tests/t_lock.sh
index 9b193fd..e5df4df 100755
--- a/cli-tests/t_lock.sh
+++ b/cli-tests/t_lock.sh
@@ -52,3 +52,14 @@ _expect_failure "fscrypt lock '$dir'"
 cat "$dir/file"
 fscrypt lock --all-users "$dir"
 _expect_failure "cat '$dir/file'"
+
+_print_header "Try to operate on locked regular file"
+_reset_filesystems
+rm -rf "$dir"
+mkdir "$dir"
+echo hunter2 | fscrypt encrypt --quiet --name=prot "$dir"
+echo contents > "$dir/file"
+mv "$dir/file" "$MNT/file"  # Make it a loose encrypted file.
+fscrypt lock "$dir"
+_expect_failure "fscrypt status '$MNT/file'"
+_expect_failure "fscrypt unlock '$MNT/file'"
-- 
cgit v1.2.3