| #! /bin/bash |
| # SPDX-License-Identifier: GPL-2.0 |
| # Copyright 2019 Google LLC |
| # |
| # FS QA Test No. generic/581 |
| # |
| # Test non-root use of the fscrypt filesystem-level encryption keyring |
| # and v2 encryption policies. |
| # |
| |
| . ./common/preamble |
| _begin_fstest auto quick encrypt |
| echo |
| |
| orig_maxkeys= |
| |
| # Override the default cleanup function. |
| _cleanup() |
| { |
| cd / |
| rm -f $tmp.* |
| if [ -n "$orig_maxkeys" ]; then |
| echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys |
| fi |
| } |
| |
| # Import common functions. |
| . ./common/filter |
| . ./common/encrypt |
| |
| # real QA test starts here |
| _supported_fs generic |
| _require_user |
| _require_scratch_encryption -v 2 |
| |
| _scratch_mkfs_encrypted &>> $seqres.full |
| _scratch_mount |
| |
| dir=$SCRATCH_MNT/dir |
| |
| raw_key="" |
| for i in `seq 64`; do |
| raw_key+="\\x$(printf "%02x" $i)" |
| done |
| keydesc="0000111122223333" |
| keyid="69b2f6edeee720cce0577937eb8a6751" |
| chmod 777 $SCRATCH_MNT |
| |
| _user_do "mkdir $dir" |
| |
| echo "# Setting v1 policy as regular user (should succeed)" |
| _user_do_set_encpolicy $dir $keydesc |
| |
| echo "# Getting v1 policy as regular user (should succeed)" |
| _user_do_get_encpolicy $dir | _filter_scratch |
| |
| echo "# Adding v1 policy key as regular user (should fail with EACCES)" |
| _user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc |
| |
| rm -rf $dir |
| echo |
| _user_do "mkdir $dir" |
| |
| echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" |
| _user_do_set_encpolicy $dir $keyid |& _filter_scratch |
| |
| echo "# Adding v2 policy key as regular user (should succeed)" |
| _user_do_add_enckey $SCRATCH_MNT "$raw_key" |
| |
| echo "# Setting v2 policy as regular user with key added (should succeed)" |
| _user_do_set_encpolicy $dir $keyid |
| |
| echo "# Getting v2 policy as regular user (should succeed)" |
| _user_do_get_encpolicy $dir | _filter_scratch |
| |
| echo "# Creating encrypted file as regular user (should succeed)" |
| _user_do "echo contents > $dir/file" |
| |
| echo "# Removing v2 policy key as regular user (should succeed)" |
| _user_do_rm_enckey $SCRATCH_MNT $keyid |
| |
| _scratch_cycle_mount # Clear all keys |
| |
| # Wait for any invalidated keys to be garbage-collected. |
| i=0 |
| while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do |
| if ((++i >= 20)); then |
| echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full |
| break |
| fi |
| sleep 0.5 |
| done |
| |
| # Set the user key quota to the fsgqa user's current number of keys plus 5. |
| orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") |
| : ${orig_keys:=0} |
| echo "orig_keys=$orig_keys" >> $seqres.full |
| orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys) |
| keys_to_add=5 |
| echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys |
| |
| echo |
| echo "# Testing user key quota" |
| for i in `seq $((keys_to_add + 1))`; do |
| rand_raw_key=$(_generate_raw_encryption_key) |
| _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ |
| | sed 's/ with identifier .*$//' |
| done |
| |
| # Restore the original key quota. |
| echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys |
| |
| rm -rf $dir |
| echo |
| _user_do "mkdir $dir" |
| _scratch_cycle_mount # Clear all keys |
| |
| # Test multiple users adding the same key. |
| echo "# Adding key as root" |
| _add_enckey $SCRATCH_MNT "$raw_key" |
| echo "# Getting key status as regular user" |
| _user_do_enckey_status $SCRATCH_MNT $keyid |
| echo "# Removing key only added by another user (should fail with ENOKEY)" |
| _user_do_rm_enckey $SCRATCH_MNT $keyid |
| echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" |
| _user_do_set_encpolicy $dir $keyid |& _filter_scratch |
| echo "# Adding second user of key" |
| _user_do_add_enckey $SCRATCH_MNT "$raw_key" |
| echo "# Getting key status as regular user" |
| _user_do_enckey_status $SCRATCH_MNT $keyid |
| echo "# Setting v2 encryption policy as regular user" |
| _user_do_set_encpolicy $dir $keyid |
| echo "# Removing this user's claim to the key" |
| _user_do_rm_enckey $SCRATCH_MNT $keyid |
| echo "# Getting key status as regular user" |
| _user_do_enckey_status $SCRATCH_MNT $keyid |
| echo "# Adding back second user of key" |
| _user_do_add_enckey $SCRATCH_MNT "$raw_key" |
| echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" |
| _user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch |
| _enckey_status $SCRATCH_MNT $keyid |
| echo "# Remove key for \"all users\", as root" |
| _rm_enckey $SCRATCH_MNT $keyid -a |
| _enckey_status $SCRATCH_MNT $keyid |
| |
| # success, all done |
| status=0 |
| exit |