Merge pull request #237 from ebiggers/t_v1_policy_fix
Adjust status message for v1 policies unlocked by another user and fix cli-tests/t_v1_policy
ebiggers authored Jun 13, 2020
2 parents 9649ed0 + 5c1f617 commit d4c6fc5
Showing 4 changed files with 19 additions and 7 deletions.
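--- a/cli-tests/common.sh
+++ b/cli-tests/common.sh
@@ -128,6 +128,18 @@ _user_do_and_expect_failure()
 _expect_failure "_user_do '$1'"
 }
 
+# Clear the test user's user keyring and unlink it from root's user keyring, if
+# it is linked into it.
+_cleanup_user_keyrings()
+{
+local ringid
+
+ringid=$(_user_do "keyctl show @u" | awk '/keyring: _uid/{print $1}')
+
+_user_do "keyctl clear $ringid"
+keyctl unlink "$ringid" @u &> /dev/null || true
+}
+
 # Gives the test a new session keyring which contains the test user's keyring
 # but not root's keyring. Also clears the test user's keyring. This must be
 # called at the beginning of the test script as it may re-execute the script.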
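Review bot: `_cleanup_user_keyrings` uses `$ringid` without checking that a keyring id was actually found. If `keyctl show @u` fails or the awk pattern matches nothing, `keyctl clear` runs with no keyring argument and the following unlink error is hidden by `&> /dev/null || true`, so the test user's keys can stay in place with no indication. Because this presumably exists to keep v1 policy keys from carrying over between tests, a guard right after the assignment would make that failure visible: `[ -n "$ringid" ] || { echo "test user keyring not found" >&2; return 1; }`. `_user_do` is defined outside the hunk, so how it handles the interpolated `$ringid` is not visible here.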
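--- a/cli-tests/t_v1_policy.out
+++ b/cli-tests/t_v1_policy.out
@@ -42,7 +42,7 @@ desc2 No custom protector "prot"
 
 Policy: desc1
 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
-Unlocked: Yes
+Unlocked: Partially (incompletely locked, or unlocked by another user)
 
 Protected with 1 protector:
 PROTECTOR LINKED DESCRIPTION
@@ -115,7 +115,7 @@ Then re-run:
 
 Policy: desc1
 Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1
-Unlocked: Partially (incompletely locked)
+Unlocked: Partially (incompletely locked, or unlocked by another user)
 
 Protected with 1 protector:
 PROTECTOR LINKED DESCRIPTION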
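--- a/cli-tests/t_v1_policy.sh
+++ b/cli-tests/t_v1_policy.sh
@@ -6,6 +6,7 @@ cd "$(dirname "$0")"
 . common.sh
 
 _setup_session_keyring
+trap _cleanup_user_keyrings EXIT
 
 dir="$MNT/dir"
 mkdir "$dir"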
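--- a/cmd/fscrypt/status.go
+++ b/cmd/fscrypt/status.go
@@ -68,13 +68,12 @@ func policyUnlockedStatus(policy *actions.Policy, path string) string {
 status := policy.GetProvisioningStatus()
 
 // Due to a limitation in the old kernel API for fscrypt, for v1
-// policies using the user keyring that are incompletely locked we'll
-// get KeyAbsent, not KeyAbsentButFilesBusy as expected. If we have a
-// directory path, use a heuristic to try to detect whether it is still
-// usable and thus the policy is actually incompletely locked.
+// policies using the user keyring that are incompletely locked or are
+// unlocked by another user, we'll get KeyAbsent. If we have a
+// directory path, use a heuristic to try to detect these cases.
 if status == keyring.KeyAbsent && policy.NeedsUserKeyring() &&
 path != "" && isDirUnlockedHeuristic(path) {
-status = keyring.KeyAbsentButFilesBusy
+return "Partially (incompletely locked, or unlocked by another user)"
 }
 
 switch status {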
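Review bot: The early `return` inside the `if` reports two different states under one string, and the rewritten comment no longer says that the directory is still usable when the heuristic fires, which is the fact a reader needs in order to treat this status as "not locked". I would add a line to the comment such as `// The v1 API cannot tell these cases apart; in both the directory may still be usable, so it must not be reported as locked.` The literal is also returned ahead of the `switch status` that follows, so the user-facing status strings now live in two places; a short comment at the return noting why this case bypasses the switch would help the next maintainer. The body of `policyUnlockedStatus` continues outside the hunk, and `isDirUnlockedHeuristic` is not visible here.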
