If a session is opened for a user twice and the second doesn't have the AUTHTOK data, pam_fscrypt prints an error message that says it failed to unlock a protector because AUTHTOK data is missing. This is misleading because the protector and its associated policies were already unlocked by the first session.
To avoid this, move the check for whether the policy is provisioned or not into policiesUsingProtector(). Also do the same for CloseSession.
If a session is opened for a user twice and the second doesn't have the AUTHTOK data, pam_fscrypt prints an error message that says it failed to unlock a protector because AUTHTOK data is missing. This is misleading because the protector and its associated policies were already unlocked by the first session.
To avoid this, move the check for whether the policy is provisioned or not into policiesUsingProtector(). Also do the same for CloseSession.