tests/generic/581 - external/git.kernel.org/fs/xfs/xfstests-dev - Git at Google

 #! /bin/bash
 # SPDX-License-Identifier: GPL-2.0
 # Copyright 2019 Google LLC
 #
 # FS QA Test No. generic/581
 #
 # Test non-root use of the fscrypt filesystem-level encryption keyring
 # and v2 encryption policies.
 #

 . ./common/preamble
 _begin_fstest auto quick encrypt
 echo

 orig_maxkeys=

 # Override the default cleanup function.
 _cleanup()
 {
 	cd /
 	rm -f $tmp.*
 	if [ -n "$orig_maxkeys" ]; then
 		echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys
 	fi
 }

 # Import common functions.
 . ./common/filter
 . ./common/encrypt

 # real QA test starts here
 _supported_fs generic
 _require_user
 _require_scratch_encryption -v 2

 _scratch_mkfs_encrypted &>> $seqres.full
 _scratch_mount

 dir=$SCRATCH_MNT/dir

 raw_key=""
 for i in `seq 64`; do
 	raw_key+="\\x$(printf "%02x" $i)"
 done
 keydesc="0000111122223333"
 keyid="69b2f6edeee720cce0577937eb8a6751"
 chmod 777 $SCRATCH_MNT

 _user_do "mkdir $dir"

 echo "# Setting v1 policy as regular user (should succeed)"
 _user_do_set_encpolicy $dir $keydesc

 echo "# Getting v1 policy as regular user (should succeed)"
 _user_do_get_encpolicy $dir | _filter_scratch

 echo "# Adding v1 policy key as regular user (should fail with EACCES)"
 _user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc

 rm -rf $dir
 echo
 _user_do "mkdir $dir"

 echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)"
 _user_do_set_encpolicy $dir $keyid |& _filter_scratch

 echo "# Adding v2 policy key as regular user (should succeed)"
 _user_do_add_enckey $SCRATCH_MNT "$raw_key"

 echo "# Setting v2 policy as regular user with key added (should succeed)"
 _user_do_set_encpolicy $dir $keyid

 echo "# Getting v2 policy as regular user (should succeed)"
 _user_do_get_encpolicy $dir | _filter_scratch

 echo "# Creating encrypted file as regular user (should succeed)"
 _user_do "echo contents > $dir/file"

 echo "# Removing v2 policy key as regular user (should succeed)"
 _user_do_rm_enckey $SCRATCH_MNT $keyid

 _scratch_cycle_mount	# Clear all keys

 # Wait for any invalidated keys to be garbage-collected.
 i=0
 while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do
 	if ((++i >= 20)); then
 		echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full
 		break
 	fi
 	sleep 0.5
 done

 # Set the user key quota to the fsgqa user's current number of keys plus 5.
 orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1")
 : ${orig_keys:=0}
 echo "orig_keys=$orig_keys" >> $seqres.full
 orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys)
 keys_to_add=5
 echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys

 echo
 echo "# Testing user key quota"
 for i in `seq $((keys_to_add + 1))`; do
 	rand_raw_key=$(_generate_raw_encryption_key)
 	_user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \
 	    | sed 's/ with identifier .*$//'
 done

 # Restore the original key quota.
 echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys

 rm -rf $dir
 echo
 _user_do "mkdir $dir"
 _scratch_cycle_mount	# Clear all keys

 # Test multiple users adding the same key.
 echo "# Adding key as root"
 _add_enckey $SCRATCH_MNT "$raw_key"
 echo "# Getting key status as regular user"
 _user_do_enckey_status $SCRATCH_MNT $keyid
 echo "# Removing key only added by another user (should fail with ENOKEY)"
 _user_do_rm_enckey $SCRATCH_MNT $keyid
 echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)"
 _user_do_set_encpolicy $dir $keyid |& _filter_scratch
 echo "# Adding second user of key"
 _user_do_add_enckey $SCRATCH_MNT "$raw_key"
 echo "# Getting key status as regular user"
 _user_do_enckey_status $SCRATCH_MNT $keyid
 echo "# Setting v2 encryption policy as regular user"
 _user_do_set_encpolicy $dir $keyid
 echo "# Removing this user's claim to the key"
 _user_do_rm_enckey $SCRATCH_MNT $keyid
 echo "# Getting key status as regular user"
 _user_do_enckey_status $SCRATCH_MNT $keyid
 echo "# Adding back second user of key"
 _user_do_add_enckey $SCRATCH_MNT "$raw_key"
 echo "# Remove key for \"all users\", as regular user (should fail with EACCES)"
 _user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch
 _enckey_status $SCRATCH_MNT $keyid
 echo "# Remove key for \"all users\", as root"
 _rm_enckey $SCRATCH_MNT $keyid -a
 _enckey_status $SCRATCH_MNT $keyid

 # success, all done
 status=0
 exit
	#! /bin/bash
	# SPDX-License-Identifier: GPL-2.0
	# Copyright 2019 Google LLC
	#
	# FS QA Test No. generic/581
	#
	# Test non-root use of the fscrypt filesystem-level encryption keyring
	# and v2 encryption policies.
	#

	. ./common/preamble
	_begin_fstest auto quick encrypt
	echo

	orig_maxkeys=

	# Override the default cleanup function.
	_cleanup()
	{
	cd /
	rm -f $tmp.*
	if [ -n "$orig_maxkeys" ]; then
	echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys
	fi
	}

	# Import common functions.
	. ./common/filter
	. ./common/encrypt

	# real QA test starts here
	_supported_fs generic
	_require_user
	_require_scratch_encryption -v 2

	_scratch_mkfs_encrypted &>> $seqres.full
	_scratch_mount

	dir=$SCRATCH_MNT/dir

	raw_key=""
	for i in `seq 64`; do
	raw_key+="\\x$(printf "%02x" $i)"
	done
	keydesc="0000111122223333"
	keyid="69b2f6edeee720cce0577937eb8a6751"
	chmod 777 $SCRATCH_MNT

	_user_do "mkdir $dir"

	echo "# Setting v1 policy as regular user (should succeed)"
	_user_do_set_encpolicy $dir $keydesc

	echo "# Getting v1 policy as regular user (should succeed)"
	_user_do_get_encpolicy $dir \| _filter_scratch

	echo "# Adding v1 policy key as regular user (should fail with EACCES)"
	_user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc

	rm -rf $dir
	echo
	_user_do "mkdir $dir"

	echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)"
	_user_do_set_encpolicy $dir $keyid \|& _filter_scratch

	echo "# Adding v2 policy key as regular user (should succeed)"
	_user_do_add_enckey $SCRATCH_MNT "$raw_key"

	echo "# Setting v2 policy as regular user with key added (should succeed)"
	_user_do_set_encpolicy $dir $keyid

	echo "# Getting v2 policy as regular user (should succeed)"
	_user_do_get_encpolicy $dir \| _filter_scratch

	echo "# Creating encrypted file as regular user (should succeed)"
	_user_do "echo contents > $dir/file"

	echo "# Removing v2 policy key as regular user (should succeed)"
	_user_do_rm_enckey $SCRATCH_MNT $keyid

	_scratch_cycle_mount # Clear all keys

	# Wait for any invalidated keys to be garbage-collected.
	i=0
	while grep -E -q '^[0-9a-f]+ [^ ]i[^ ]' /proc/keys; do
	if ((++i >= 20)); then
	echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full
	break
	fi
	sleep 0.5
	done

	# Set the user key quota to the fsgqa user's current number of keys plus 5.
	orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users \| cut -d/ -f1")
	: ${orig_keys:=0}
	echo "orig_keys=$orig_keys" >> $seqres.full
	orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys)
	keys_to_add=5
	echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys

	echo
	echo "# Testing user key quota"
	for i in `seq $((keys_to_add + 1))`; do
	rand_raw_key=$(_generate_raw_encryption_key)
	_user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \
	\| sed 's/ with identifier .*$//'
	done

	# Restore the original key quota.
	echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys

	rm -rf $dir
	echo
	_user_do "mkdir $dir"
	_scratch_cycle_mount # Clear all keys

	# Test multiple users adding the same key.
	echo "# Adding key as root"
	_add_enckey $SCRATCH_MNT "$raw_key"
	echo "# Getting key status as regular user"
	_user_do_enckey_status $SCRATCH_MNT $keyid
	echo "# Removing key only added by another user (should fail with ENOKEY)"
	_user_do_rm_enckey $SCRATCH_MNT $keyid
	echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)"
	_user_do_set_encpolicy $dir $keyid \|& _filter_scratch
	echo "# Adding second user of key"
	_user_do_add_enckey $SCRATCH_MNT "$raw_key"
	echo "# Getting key status as regular user"
	_user_do_enckey_status $SCRATCH_MNT $keyid
	echo "# Setting v2 encryption policy as regular user"
	_user_do_set_encpolicy $dir $keyid
	echo "# Removing this user's claim to the key"
	_user_do_rm_enckey $SCRATCH_MNT $keyid
	echo "# Getting key status as regular user"
	_user_do_enckey_status $SCRATCH_MNT $keyid
	echo "# Adding back second user of key"
	_user_do_add_enckey $SCRATCH_MNT "$raw_key"
	echo "# Remove key for \"all users\", as regular user (should fail with EACCES)"
	_user_do_rm_enckey $SCRATCH_MNT $keyid -a \|& _filter_scratch
	_enckey_status $SCRATCH_MNT $keyid
	echo "# Remove key for \"all users\", as root"
	_rm_enckey $SCRATCH_MNT $keyid -a
	_enckey_status $SCRATCH_MNT $keyid

	# success, all done
	status=0
	exit