generic/581 is mostly a v2 policy test, but it does do some quick checks of v1 policies as a normal user. Split the v1 and v2 related parts into two different tests so that the v2 part can get properly tested for btrfs file systems, which only support v2 policies. Signed-off-by: Josef Bacik <josef@xxxxxxxxxxxxxx> --- tests/generic/581 | 89 +--------------------------- tests/generic/581.out | 50 ---------------- tests/generic/734 | 135 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/734.out | 51 ++++++++++++++++ 4 files changed, 188 insertions(+), 137 deletions(-) create mode 100644 tests/generic/734 create mode 100644 tests/generic/734.out diff --git a/tests/generic/581 b/tests/generic/581 index cabc7e1c..ab930ac6 100755 --- a/tests/generic/581 +++ b/tests/generic/581 @@ -4,8 +4,7 @@ # # FS QA Test No. generic/581 # -# Test non-root use of the fscrypt filesystem-level encryption keyring -# and v2 encryption policies. +# Test non-root use of the fscrypt filesystem-level encryption keyring policy. # . ./common/preamble @@ -31,7 +30,7 @@ _cleanup() # real QA test starts here _supported_fs generic _require_user -_require_scratch_encryption -v 2 +_require_scratch_encryption _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount @@ -58,90 +57,6 @@ echo "# Adding v1 policy key as regular user (should fail with EACCES)" _user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc rm -rf $dir -echo -_user_do "mkdir $dir" - -echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" -_user_do_set_encpolicy $dir $keyid |& _filter_scratch - -echo "# Adding v2 policy key as regular user (should succeed)" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" - -echo "# Setting v2 policy as regular user with key added (should succeed)" -_user_do_set_encpolicy $dir $keyid - -echo "# Getting v2 policy as regular user (should succeed)" -_user_do_get_encpolicy $dir | _filter_scratch - -echo "# Creating encrypted file as regular user (should succeed)" -_user_do "echo contents > $dir/file" - -echo "# Removing v2 policy key as regular user (should succeed)" -_user_do_rm_enckey $SCRATCH_MNT $keyid - -_scratch_cycle_mount # Clear all keys - -# Wait for any invalidated keys to be garbage-collected. -i=0 -while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do - if ((++i >= 20)); then - echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full - break - fi - sleep 0.5 -done - -# Set the user key quota to the fsgqa user's current number of keys plus 5. -orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") -: ${orig_keys:=0} -echo "orig_keys=$orig_keys" >> $seqres.full -orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys) -keys_to_add=5 -echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys - -echo -echo "# Testing user key quota" -for i in `seq $((keys_to_add + 1))`; do - rand_raw_key=$(_generate_raw_encryption_key) - _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ - | sed 's/ with identifier .*$//' -done - -# Restore the original key quota. -echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys - -rm -rf $dir -echo -_user_do "mkdir $dir" -_scratch_cycle_mount # Clear all keys - -# Test multiple users adding the same key. -echo "# Adding key as root" -_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Removing key only added by another user (should fail with ENOKEY)" -_user_do_rm_enckey $SCRATCH_MNT $keyid -echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" -_user_do_set_encpolicy $dir $keyid |& _filter_scratch -echo "# Adding second user of key" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Setting v2 encryption policy as regular user" -_user_do_set_encpolicy $dir $keyid -echo "# Removing this user's claim to the key" -_user_do_rm_enckey $SCRATCH_MNT $keyid -echo "# Getting key status as regular user" -_user_do_enckey_status $SCRATCH_MNT $keyid -echo "# Adding back second user of key" -_user_do_add_enckey $SCRATCH_MNT "$raw_key" -echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" -_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch -_enckey_status $SCRATCH_MNT $keyid -echo "# Remove key for \"all users\", as root" -_rm_enckey $SCRATCH_MNT $keyid -a -_enckey_status $SCRATCH_MNT $keyid # success, all done status=0 diff --git a/tests/generic/581.out b/tests/generic/581.out index b3f7d889..a8cb96a8 100644 --- a/tests/generic/581.out +++ b/tests/generic/581.out @@ -10,53 +10,3 @@ Encryption policy for SCRATCH_MNT/dir: Flags: 0x02 # Adding v1 policy key as regular user (should fail with EACCES) Permission denied - -# Setting v2 policy as regular user without key already added (should fail with ENOKEY) -SCRATCH_MNT/dir: failed to set encryption policy: Required key not available -# Adding v2 policy key as regular user (should succeed) -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Setting v2 policy as regular user with key added (should succeed) -# Getting v2 policy as regular user (should succeed) -Encryption policy for SCRATCH_MNT/dir: - Policy version: 2 - Master key identifier: 69b2f6edeee720cce0577937eb8a6751 - Contents encryption mode: 1 (AES-256-XTS) - Filenames encryption mode: 4 (AES-256-CTS) - Flags: 0x02 -# Creating encrypted file as regular user (should succeed) -# Removing v2 policy key as regular user (should succeed) -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 - -# Testing user key quota -Added encryption key -Added encryption key -Added encryption key -Added encryption key -Added encryption key -Error adding encryption key: Disk quota exceeded - -# Adding key as root -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=1) -# Removing key only added by another user (should fail with ENOKEY) -Error removing encryption key: Required key not available -# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) -SCRATCH_MNT/dir: failed to set encryption policy: Required key not available -# Adding second user of key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=2, added_by_self) -# Setting v2 encryption policy as regular user -# Removing this user's claim to the key -Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Getting key status as regular user -Present (user_count=1) -# Adding back second user of key -Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -# Remove key for "all users", as regular user (should fail with EACCES) -Permission denied -Present (user_count=2, added_by_self) -# Remove key for "all users", as root -Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 -Absent diff --git a/tests/generic/734 b/tests/generic/734 new file mode 100644 index 00000000..a6f46e7e --- /dev/null +++ b/tests/generic/734 @@ -0,0 +1,135 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2019 Google LLC +# +# FS QA Test No. generic/581 +# +# Test non-root use of the fscrypt filesystem-level encryption v2 policy. +# + +. ./common/preamble +_begin_fstest auto quick encrypt +echo + +orig_maxkeys= + +# Override the default cleanup function. +_cleanup() +{ + cd / + rm -f $tmp.* + if [ -n "$orig_maxkeys" ]; then + echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys + fi +} + +# Import common functions. +. ./common/filter +. ./common/encrypt + +# real QA test starts here +_supported_fs generic +_require_user +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +dir=$SCRATCH_MNT/dir + +raw_key="" +for i in `seq 64`; do + raw_key+="\\x$(printf "%02x" $i)" +done +keydesc="0000111122223333" +keyid="69b2f6edeee720cce0577937eb8a6751" +chmod 777 $SCRATCH_MNT + +_user_do "mkdir $dir" + +echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch + +echo "# Adding v2 policy key as regular user (should succeed)" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" + +echo "# Setting v2 policy as regular user with key added (should succeed)" +_user_do_set_encpolicy $dir $keyid + +echo "# Getting v2 policy as regular user (should succeed)" +_user_do_get_encpolicy $dir | _filter_scratch + +echo "# Creating encrypted file as regular user (should succeed)" +_user_do "echo contents > $dir/file" + +echo "# Removing v2 policy key as regular user (should succeed)" +_user_do_rm_enckey $SCRATCH_MNT $keyid + +_scratch_cycle_mount # Clear all keys + +# Wait for any invalidated keys to be garbage-collected. +i=0 +while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do + if ((++i >= 20)); then + echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full + break + fi + sleep 0.5 +done + +# Set the user key quota to the fsgqa user's current number of keys plus 5. +orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") +: ${orig_keys:=0} +echo "orig_keys=$orig_keys" >> $seqres.full +orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys) +keys_to_add=5 +echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys + +echo +echo "# Testing user key quota" +for i in `seq $((keys_to_add + 1))`; do + rand_raw_key=$(_generate_raw_encryption_key) + _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ + | sed 's/ with identifier .*$//' +done + +# Restore the original key quota. +echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys + +rm -rf $dir +echo +_user_do "mkdir $dir" +_scratch_cycle_mount # Clear all keys + +# Test multiple users adding the same key. +echo "# Adding key as root" +_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Removing key only added by another user (should fail with ENOKEY)" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch +echo "# Adding second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy as regular user" +_user_do_set_encpolicy $dir $keyid +echo "# Removing this user's claim to the key" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Adding back second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" +_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch +_enckey_status $SCRATCH_MNT $keyid +echo "# Remove key for \"all users\", as root" +_rm_enckey $SCRATCH_MNT $keyid -a +_enckey_status $SCRATCH_MNT $keyid + +# success, all done +status=0 +exit + diff --git a/tests/generic/734.out b/tests/generic/734.out new file mode 100644 index 00000000..85a8c973 --- /dev/null +++ b/tests/generic/734.out @@ -0,0 +1,51 @@ +QA output created by 734 + +# Setting v2 policy as regular user without key already added (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding v2 policy key as regular user (should succeed) +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Setting v2 policy as regular user with key added (should succeed) +# Getting v2 policy as regular user (should succeed) +Encryption policy for SCRATCH_MNT/dir: + Policy version: 2 + Master key identifier: 69b2f6edeee720cce0577937eb8a6751 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 +# Creating encrypted file as regular user (should succeed) +# Removing v2 policy key as regular user (should succeed) +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 + +# Testing user key quota +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Error adding encryption key: Disk quota exceeded + +# Adding key as root +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Removing key only added by another user (should fail with ENOKEY) +Error removing encryption key: Required key not available +# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding second user of key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=2, added_by_self) +# Setting v2 encryption policy as regular user +# Removing this user's claim to the key +Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Adding back second user of key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Remove key for "all users", as regular user (should fail with EACCES) +Permission denied +Present (user_count=2, added_by_self) +# Remove key for "all users", as root +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Absent -- 2.41.0