From 068879664efd8a0f983cbc3e8115571047fe9edd Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Sun, 15 Dec 2019 19:31:39 -0800
Subject: cmd/fscrypt, keyring: add --all-users option to 'fscrypt lock'

Allow root to provide the --all-users option to 'fscrypt lock' to force
an encryption key to be removed from the filesystem (i.e., force an
encrypted directory to be locked), even if other users have added it.

To implement this option, we just need to use the
FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl rather than
FS_IOC_REMOVE_ENCRYPTION_KEY.

In theory this option could be implemented for the user keyrings case
too, but it would be difficult and the user keyrings are being
deprecated for fscrypt, so don't bother.
---
 cmd/fscrypt/errors.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'cmd/fscrypt/errors.go')

diff --git a/cmd/fscrypt/errors.go b/cmd/fscrypt/errors.go
index ba9ec7a..5239155 100644
--- a/cmd/fscrypt/errors.go
+++ b/cmd/fscrypt/errors.go
@@ -103,7 +103,8 @@ func getErrorSuggestions(err error) string {
 			re-running 'fscrypt lock'.`
 	case keyring.ErrKeyAddedByOtherUsers:
 		return `Directory couldn't be fully locked because other user(s)
-			have unlocked it.`
+			have unlocked it. If you want to force the directory to
+			be locked, use 'sudo fscrypt lock --all-users DIR'.`
 	case keyring.ErrSessionUserKeying:
 		return `This is usually the result of a bad PAM configuration.
 			Either correct the problem in your PAM stack, enable
-- 
cgit v1.2.3