From a6c5029cd114cd27cc59024e968feb4765e5323d Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Sat, 9 Dec 2023 14:36:03 -0800
Subject: Provide better error message when given a locked regular file

Since opening an encrypted regular file that is locked fails with
ENOKEY, getting the encryption policy of such a file is not possible.
As a result, 'fscrypt status' and 'fscrypt lock' fail on such files.
Provide a better error message that tries to explain what is going on.

Resolves https://github.com/google/fscrypt/issues/393
---
 cmd/fscrypt/errors.go | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'cmd')

diff --git a/cmd/fscrypt/errors.go b/cmd/fscrypt/errors.go
index 1ccf544..c4814f4 100644
--- a/cmd/fscrypt/errors.go
+++ b/cmd/fscrypt/errors.go
@@ -251,6 +251,11 @@ func getErrorSuggestions(err error) string {
 		return `This is usually the result of a bad PAM configuration.
 			Either correct the problem in your PAM stack, enable
 			pam_keyinit.so, or run "keyctl link @u @s".`
+	case *metadata.ErrLockedRegularFile:
+		return `It is not possible to operate directly on a locked
+			regular file, since the kernel does not support this.
+			Specify the parent directory instead. (For loose files,
+			any directory with the file's policy works.)`
 	}
 	switch errors.Cause(err) {
 	case crypto.ErrMlockUlimit:
-- 
cgit v1.2.3