From 068879664efd8a0f983cbc3e8115571047fe9edd Mon Sep 17 00:00:00 2001
From: Eric Biggers <ebiggers@google.com>
Date: Sun, 15 Dec 2019 19:31:39 -0800
Subject: cmd/fscrypt, keyring: add --all-users option to 'fscrypt lock'

Allow root to provide the --all-users option to 'fscrypt lock' to force
an encryption key to be removed from the filesystem (i.e., force an
encrypted directory to be locked), even if other users have added it.

To implement this option, we just need to use the
FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS ioctl rather than
FS_IOC_REMOVE_ENCRYPTION_KEY.

In theory this option could be implemented for the user keyrings case
too, but it would be difficult and the user keyrings are being
deprecated for fscrypt, so don't bother.
---
 pam_fscrypt/pam_fscrypt.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'pam_fscrypt')

diff --git a/pam_fscrypt/pam_fscrypt.go b/pam_fscrypt/pam_fscrypt.go
index 5f573e3..a7582cc 100644
--- a/pam_fscrypt/pam_fscrypt.go
+++ b/pam_fscrypt/pam_fscrypt.go
@@ -266,7 +266,7 @@ func lockLoginPolicies(handle *pam.Handle) error {
 		if err := beginProvisioningOp(handle, policy); err != nil {
 			return err
 		}
-		deprovisionErr := policy.Deprovision()
+		deprovisionErr := policy.Deprovision(false)
 		if err := endProvisioningOp(handle, policy); err != nil {
 			return err
 		}
-- 
cgit v1.2.3