From f1f50e021887658d1bb9cf3245c9cfed6f52a00a Mon Sep 17 00:00:00 2001
From: Marcel Lauhoff
Date: Wed, 7 Sep 2022 17:32:10 +0200
Subject: [PATCH] fscrypt: fix metadata directory permissions

Call Mount.Setup with SingleUserWritable constant instead of 0o755, which is silently ignored and causes the /.fscrypt/{policy,protector}/ directories to have mode 000.

Signed-off-by: Marcel Lauhoff
---
 internal/util/fscrypt/fscrypt.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/util/fscrypt/fscrypt.go b/internal/util/fscrypt/fscrypt.go
index 3d35b142c..6f87b69d6 100644
--- a/internal/util/fscrypt/fscrypt.go
+++ b/internal/util/fscrypt/fscrypt.go
@@ -379,7 +379,7 @@ func Unlock(

 // 1. Do we have a metadata directory (.fscrypt) set up?
 metadataDirExists := false
- if err = fscryptContext.Mount.Setup(0o755); err != nil {
+ if err = fscryptContext.Mount.Setup(fscryptfilesystem.SingleUserWritable); err != nil {
 alreadySetupErr := &fscryptfilesystem.ErrAlreadySetup{}
 if errors.As(err, &alreadySetupErr) {
 log.DebugLog(ctx, "fscrypt: metadata directory in %q already set up", alreadySetupErr.Mount.Path)
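Review bot: The `ErrAlreadySetup` branch after the corrected `Mount.Setup` call only logs and moves on in the lines shown, so volumes whose `.fscrypt` directories were created with mode 000 by the old call would presumably keep those permissions after this fix. The rest of `Unlock` is outside the hunk, so please confirm whether anything re-checks the mode of the policy and protector directories on an already-set-up mount. Because the bug came from an octal literal being accepted where a setup-mode constant is expected, a comment above the call would help the next reader, e.g. `// Setup takes a fscryptfilesystem setup mode, not an os.FileMode; a literal such as 0o755 compiles but is silently ignored`. A regression test asserting the resulting directory modes after first setup would catch a repeat.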