From a6c5029cd114cd27cc59024e968feb4765e5323d Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Sat, 9 Dec 2023 14:36:03 -0800
Subject: Provide better error message when given a locked regular file
Since opening an encrypted regular file that is locked fails with ENOKEY, getting the encryption policy of such a file is not possible. As a result, 'fscrypt status' and 'fscrypt lock' fail on such files. Provide a better error message that tries to explain what is going on. Resolves https://github.com/google/fscrypt/issues/393
---
 metadata/policy.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'metadata')
diff --git a/metadata/policy.go b/metadata/policy.go
index 7831e53..fe6c38f 100644
--- a/metadata/policy.go
+++ b/metadata/policy.go
@@ -28,6 +28,7 @@ import (
 "os"
 "os/user"
 "strconv"
+ "syscall"
 "unsafe"
 "github.com/pkg/errors"
@@ -85,6 +86,15 @@ func (err *ErrDirectoryNotOwned) Error() string {
 write access to the directory.`, err.Path, owner)
 }
+// ErrLockedRegularFile indicates that the path is a locked regular file.
+type ErrLockedRegularFile struct {
+ Path string
+}
+
+func (err *ErrLockedRegularFile) Error() string {
+ return fmt.Sprintf("cannot operate on locked regular file %q", err.Path)
+}
+
 // ErrNotEncrypted indicates that the path is not encrypted.
 type ErrNotEncrypted struct {
 Path string
@@ -164,6 +174,9 @@ func buildV2PolicyData(policy *unix.FscryptPolicyV2) *PolicyData {
 func GetPolicy(path string) (*PolicyData, error) {
 file, err := os.Open(path)
 if err != nil {
+ if err.(*os.PathError).Err == syscall.ENOKEY {
+ return nil, &ErrLockedRegularFile{path}
+ }
 return nil, err
 }
 defer file.Close()
--
cgit v1.2.3
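Review bot: The type assertion `err.(*os.PathError)` in the new branch of GetPolicy is unchecked, so if os.Open ever returned an error of another type (for example a wrapped one) the function would panic instead of returning the error. os.Open documents *PathError today, so this is a defensive point, but the comma-ok form costs nothing: `if pe, ok := err.(*os.PathError); ok && pe.Err == syscall.ENOKEY {`. The branch would also benefit from a one-line comment such as `// Opening a locked encrypted regular file fails with ENOKEY.`, since the mapping from an errno to ErrLockedRegularFile is explained only in the commit message. GetPolicy's body continues outside the hunk.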