From b66c700964fb59e84c077d6b6d48cccc2a3c0689 Mon Sep 17 00:00:00 2001
From: Marcel Lauhoff <marcel.lauhoff@suse.com>
Date: Fri, 12 Aug 2022 15:05:02 +0200
Subject: [PATCH] fscrypt: fsync encrypted dir after setting policy
 [workaround]

Revert once our google/fscrypt dependency is upgraded to a version
that includes https://github.com/google/fscrypt/pull/359 gets accepted

Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
---
 internal/util/fscrypt/fscrypt.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/internal/util/fscrypt/fscrypt.go b/internal/util/fscrypt/fscrypt.go
index 3bc78fcf1aa6..5f843cf82ccd 100644
--- a/internal/util/fscrypt/fscrypt.go
+++ b/internal/util/fscrypt/fscrypt.go
@@ -111,6 +111,21 @@ func createKeyFuncFromVolumeEncryption(
 	return keyFunc, nil
 }
 
+func fsyncEncryptedDirectory(dirPath string) error {
+	dir, err := os.Open(dirPath)
+	if err != nil {
+		return err
+	}
+	defer dir.Close()
+
+	err = dir.Sync()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // unlockExisting tries to unlock an already set up fscrypt directory using keys from Ceph CSI.
 func unlockExisting(
 	ctx context.Context,
@@ -225,6 +240,12 @@ func initializeAndUnlock(
 		return err
 	}
 
+	if err = fsyncEncryptedDirectory(encryptedPath); err != nil {
+		log.ErrorLog(ctx, "fscrypt: fsync encrypted dir - to flush kernel policy to disk failed %v", err)
+
+		return err
+	}
+
 	return nil
 }