From fbc161a77962fe64e3caad80efb535d28d8c1f74 Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Sat, 9 May 2020 14:52:07 -0700
Subject: metadata: improve errors

ErrBadOwners:
	Rename to ErrDirectoryNotOwned for clarity, move it from
	cmd/fscrypt/ to metadata/ where it better belongs, and improve
	the message.

ErrEncrypted:
	Rename to ErrAlreadyEncrypted for clarity, and include the path.

ErrNotEncrypted:
	Include the path.

ErrBadEncryptionOptions:
	Include the path and bad options.

ErrEncryptionNotSupported:
ErrEncryptionNotEnabled:
	Don't wrap with "get encryption policy %s", in preparation for
	wrapping these with filesystem-level context instead.

Also avoid mixing together the error handling for the "get policy" and
"set policy" ioctls.  Make it very clear how we're handling the errors
from each ioctl.
---
 cmd/fscrypt/commands.go | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

(limited to 'cmd/fscrypt/commands.go')

diff --git a/cmd/fscrypt/commands.go b/cmd/fscrypt/commands.go
index 51cf136..86816ba 100644
--- a/cmd/fscrypt/commands.go
+++ b/cmd/fscrypt/commands.go
@@ -282,11 +282,7 @@ func encryptPath(path string) (err error) {
 			}
 		}()
 	}
-	if err = policy.Apply(path); os.IsPermission(errors.Cause(err)) {
-		// EACCES at this point indicates ownership issues.
-		err = errors.Wrap(ErrBadOwners, path)
-	}
-	if err != nil {
+	if err = policy.Apply(path); err != nil {
 		return
 	}
 	if recoveryPassphrase != nil {
@@ -320,14 +316,15 @@ func checkEncryptable(ctx *actions.Context, path string) error {
 
 	log.Printf("ensuring %s supports encryption and filesystem is using fscrypt", path)
 	switch _, err := actions.GetPolicyFromPath(ctx, path); errors.Cause(err) {
-	case metadata.ErrNotEncrypted:
-		// We are not encrypted. Finally, we check that the filesystem
-		// supports encryption
-		return ctx.Mount.CheckSupport()
 	case nil:
 		// We are encrypted
-		return errors.Wrap(metadata.ErrEncrypted, path)
+		return &metadata.ErrAlreadyEncrypted{path}
 	default:
+		if _, ok := err.(*metadata.ErrNotEncrypted); ok {
+			// We are not encrypted. Finally, we check that the filesystem
+			// supports encryption
+			return ctx.Mount.CheckSupport()
+		}
 		return err
 	}
 }
-- 
cgit v1.2.3