blob: cabc7e1c69ab3753b09cf317675077d192ef4afa (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
#! /bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright 2019 Google LLC
#
# FS QA Test No. generic/581
#
# Test non-root use of the fscrypt filesystem-level encryption keyring
# and v2 encryption policies.
#
. ./common/preamble
_begin_fstest auto quick encrypt
echo
orig_maxkeys=
# Override the default cleanup function.
_cleanup()
{
cd /
rm -f $tmp.*
if [ -n "$orig_maxkeys" ]; then
echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys
fi
}
# Import common functions.
. ./common/filter
. ./common/encrypt
# real QA test starts here
_supported_fs generic
_require_user
_require_scratch_encryption -v 2
_scratch_mkfs_encrypted &>> $seqres.full
_scratch_mount
dir=$SCRATCH_MNT/dir
raw_key=""
for i in `seq 64`; do
raw_key+="\\x$(printf "%02x" $i)"
done
keydesc="0000111122223333"
keyid="69b2f6edeee720cce0577937eb8a6751"
chmod 777 $SCRATCH_MNT
_user_do "mkdir $dir"
echo "# Setting v1 policy as regular user (should succeed)"
_user_do_set_encpolicy $dir $keydesc
echo "# Getting v1 policy as regular user (should succeed)"
_user_do_get_encpolicy $dir | _filter_scratch
echo "# Adding v1 policy key as regular user (should fail with EACCES)"
_user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc
rm -rf $dir
echo
_user_do "mkdir $dir"
echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)"
_user_do_set_encpolicy $dir $keyid |& _filter_scratch
echo "# Adding v2 policy key as regular user (should succeed)"
_user_do_add_enckey $SCRATCH_MNT "$raw_key"
echo "# Setting v2 policy as regular user with key added (should succeed)"
_user_do_set_encpolicy $dir $keyid
echo "# Getting v2 policy as regular user (should succeed)"
_user_do_get_encpolicy $dir | _filter_scratch
echo "# Creating encrypted file as regular user (should succeed)"
_user_do "echo contents > $dir/file"
echo "# Removing v2 policy key as regular user (should succeed)"
_user_do_rm_enckey $SCRATCH_MNT $keyid
_scratch_cycle_mount # Clear all keys
# Wait for any invalidated keys to be garbage-collected.
i=0
while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do
if ((++i >= 20)); then
echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full
break
fi
sleep 0.5
done
# Set the user key quota to the fsgqa user's current number of keys plus 5.
orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1")
: ${orig_keys:=0}
echo "orig_keys=$orig_keys" >> $seqres.full
orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys)
keys_to_add=5
echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys
echo
echo "# Testing user key quota"
for i in `seq $((keys_to_add + 1))`; do
rand_raw_key=$(_generate_raw_encryption_key)
_user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \
| sed 's/ with identifier .*$//'
done
# Restore the original key quota.
echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys
rm -rf $dir
echo
_user_do "mkdir $dir"
_scratch_cycle_mount # Clear all keys
# Test multiple users adding the same key.
echo "# Adding key as root"
_add_enckey $SCRATCH_MNT "$raw_key"
echo "# Getting key status as regular user"
_user_do_enckey_status $SCRATCH_MNT $keyid
echo "# Removing key only added by another user (should fail with ENOKEY)"
_user_do_rm_enckey $SCRATCH_MNT $keyid
echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)"
_user_do_set_encpolicy $dir $keyid |& _filter_scratch
echo "# Adding second user of key"
_user_do_add_enckey $SCRATCH_MNT "$raw_key"
echo "# Getting key status as regular user"
_user_do_enckey_status $SCRATCH_MNT $keyid
echo "# Setting v2 encryption policy as regular user"
_user_do_set_encpolicy $dir $keyid
echo "# Removing this user's claim to the key"
_user_do_rm_enckey $SCRATCH_MNT $keyid
echo "# Getting key status as regular user"
_user_do_enckey_status $SCRATCH_MNT $keyid
echo "# Adding back second user of key"
_user_do_add_enckey $SCRATCH_MNT "$raw_key"
echo "# Remove key for \"all users\", as regular user (should fail with EACCES)"
_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch
_enckey_status $SCRATCH_MNT $keyid
echo "# Remove key for \"all users\", as root"
_rm_enckey $SCRATCH_MNT $keyid -a
_enckey_status $SCRATCH_MNT $keyid
# success, all done
status=0
exit
|
