#! /bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright 2018 Google LLC
#
# FS QA Test generic/573
#
# Test access controls on the fs-verity ioctls.  FS_IOC_MEASURE_VERITY is
# allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access.
#
. ./common/preamble
_begin_fstest auto quick verity

# Override the default cleanup function.
_cleanup()
{
	cd /
	_restore_fsverity_signatures
	rm -f $tmp.*
}

# Import common functions.
. ./common/filter
. ./common/verity

# real QA test starts here
_supported_fs generic
_require_scratch_verity
_require_user
_require_chattr ia
_disable_fsverity_signatures

_scratch_mkfs_verity &>> $seqres.full
_scratch_mount
fsv_file=$SCRATCH_MNT/file.fsv

_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY doesn't require root"
echo foo > $fsv_file
chmod 666 $fsv_file
_user_do "$FSVERITY_PROG enable --block-size=$FSV_BLOCK_SIZE $fsv_file"

_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires write access"
echo foo > $fsv_file >> $seqres.full
chmod 444 $fsv_file
_user_do "$FSVERITY_PROG enable --block-size=$FSV_BLOCK_SIZE $fsv_file" |& _filter_scratch

_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !append-only"
echo foo > $fsv_file >> $seqres.full
$CHATTR_PROG +a $fsv_file
_fsv_enable $fsv_file |& _filter_scratch
$CHATTR_PROG -a $fsv_file

_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !immutable"
echo foo > $fsv_file >> $seqres.full
$CHATTR_PROG +i $fsv_file
_fsv_enable $fsv_file |& _filter_scratch
$CHATTR_PROG -i $fsv_file

_fsv_scratch_begin_subtest "FS_IOC_MEASURE_VERITY doesn't require root"
_fsv_create_enable_file $fsv_file >> $seqres.full
chmod 444 $fsv_file
su $qa_user -c "$FSVERITY_PROG measure $fsv_file" >> $seqres.full

# success, all done
status=0
exit