2 # FS QA Test generic/395
4 # Test setting and getting encryption policies.
6 #-----------------------------------------------------------------------
7 # Copyright (c) 2016 Google, Inc. All Rights Reserved.
9 # Author: Eric Biggers <ebiggers@google.com>
11 # This program is free software; you can redistribute it and/or
12 # modify it under the terms of the GNU General Public License as
13 # published by the Free Software Foundation.
15 # This program is distributed in the hope that it would be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program; if not, write the Free Software Foundation,
22 # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
23 #-----------------------------------------------------------------------
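# Test harness setup.
#
# NOTE(review): this listing skips its own lines 29-31, 34-40, 42-45, 47-48,
# 50-51 and 55-56 (some may be blank). The statements that define $seq and
# _cleanup, and the ones the two bare comments below introduce, are therefore
# not shown here.
seqres=$RESULT_DIR/$seq
echo "QA output created by $seq"

status=1	# failure is the default!
# Run _cleanup and exit with $status on normal exit (0) and on HUP, INT, QUIT
# and TERM (1 2 3 15). \$status is escaped so that it is expanded when the trap
# fires, not when the trap is installed.
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks

# remove previous $seqres.full before test

# real QA test starts here
# Preconditions. NOTE(review): judging by their names, these skip the test
# unless the scratch filesystem supports encryption and xfs_io provides both
# policy commands; the helpers themselves are not visible in this listing.
_require_scratch_encryption
_require_xfs_io_command "get_encpolicy"
_require_xfs_io_command "set_encpolicy"

# Append mkfs stdout and stderr to the full log. The redirect target is quoted
# so that a result path containing whitespace is not an ambiguous redirect.
_scratch_mkfs_encrypted &>> "$seqres.full"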
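# Query the encryption policy of a path that is expected to have none and
# print the result with the errno text normalised.
# Arguments: $1 - path to query
# Outputs:   xfs_io's stdout and stderr, merged, after the sed rewrite
#
# NOTE(review): the listing omits the lines that open and close this function
# (its numbering skips 58-61 and 67-68). The wrapper is restored from the call
# sites, which invoke check_no_policy with a single path argument; confirm
# against the upstream test.
check_no_policy()
{
	# When a file is unencrypted, FS_IOC_GET_ENCRYPTION_POLICY currently
	# fails with ENOENT on ext4 but with ENODATA on f2fs.  TODO: it's
	# planned to consistently use ENODATA.  For now this test accepts both.
	#
	# The rewrite applies to any "No such file or directory" text in the
	# output, so a failure to open a missing path is rewritten as well.
	# "$1" is quoted so that a path containing whitespace stays one argument.
	$XFS_IO_PROG -c "get_encpolicy" "$1" |&
		sed -e 's/No such file or directory/No data available/'
}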
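# Should be able to set an encryption policy on an empty directory.
# Sequence: confirm there is no policy yet, set one, then read it back.
# The 16 hex digits passed to set_encpolicy are an arbitrary test value for the
# policy's master key descriptor.
empty_dir=$SCRATCH_MNT/empty_dir
echo -e "\n*** Setting encryption policy on empty directory ***"
# NOTE(review): the listing skips its line 72 here; the directory has to exist
# by this point, so the omitted line presumably creates it. Confirm against
# the upstream test.
check_no_policy "$empty_dir" |& _filter_scratch
# $XFS_IO_PROG is left unquoted on purpose (it may carry options); path
# arguments are quoted so that they stay single words.
$XFS_IO_PROG -c "set_encpolicy 0000111122223333" "$empty_dir"
$XFS_IO_PROG -c "get_encpolicy" "$empty_dir" | _filter_scratch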
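# Should be able to set the same policy again, but not a different one.
# An existing policy must not be replaceable: setting the identical policy is
# accepted, setting any other one is refused.
# TODO: the error code for "already has a different policy" is planned to switch
# from EINVAL to EEXIST.  For now this test accepts both.
echo -e "\n*** Setting encryption policy again ***"
$XFS_IO_PROG -c "set_encpolicy 0000111122223333" "$empty_dir"
$XFS_IO_PROG -c "get_encpolicy" "$empty_dir" | _filter_scratch
# A different key descriptor: expected to fail. The sed folds the current
# EINVAL message into the planned EEXIST one so that either matches.
$XFS_IO_PROG -c "set_encpolicy 4444555566667777" "$empty_dir" |& \
	_filter_scratch | sed -e 's/Invalid argument/File exists/'
# Read back once more: the rejected attempt must not have changed the policy.
$XFS_IO_PROG -c "get_encpolicy" "$empty_dir" | _filter_scratch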
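# Should *not* be able to set an encryption policy on a nonempty directory.
# The set attempt is expected to fail, and check_no_policy then confirms that
# the failed attempt left no policy behind.
nonempty_dir=$SCRATCH_MNT/nonempty_dir
echo -e "\n*** Setting encryption policy on nonempty directory ***"
# NOTE(review): the listing skips its line 90 here; the directory has to exist
# before the touch below, so the omitted line presumably creates it. Confirm
# against the upstream test.
touch "$nonempty_dir/file"
$XFS_IO_PROG -c "set_encpolicy" "$nonempty_dir" |& _filter_scratch
check_no_policy "$nonempty_dir" |& _filter_scratch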
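# Should *not* be able to set an encryption policy on a nondirectory file, even
# an empty one.  Regression test for 002ced4be642: "fscrypto: only allow setting
# encryption policy on directories".
# TODO: the error code for "not a directory" is planned to switch from EINVAL to
# ENOTDIR.  For now this test accepts both.
nondirectory=$SCRATCH_MNT/nondirectory
echo -e "\n*** Setting encryption policy on nondirectory ***"
# NOTE(review): the listing skips its line 102 here; the file has to exist by
# this point, so the omitted line presumably creates it (empty). Confirm
# against the upstream test.
# The sed folds the current EINVAL message into the planned ENOTDIR one.
$XFS_IO_PROG -c "set_encpolicy" "$nondirectory" |& \
	_filter_scratch | sed -e 's/Invalid argument/Not a directory/'
# The rejected attempt must not have left a policy on the file.
check_no_policy "$nondirectory" |& _filter_scratch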
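# Should *not* be able to set an encryption policy on another user's directory.
# Regression test for 163ae1c6ad62: "fscrypto: add authorization check for
# setting encryption policy".
#
# The directory is created by the account running the test and the set attempt
# is made as $qa_user, so the caller can reach the directory but does not own
# it. The kernel is expected to refuse, and check_no_policy then confirms that
# no policy was applied.
unauthorized_dir=$SCRATCH_MNT/unauthorized_dir
echo -e "\n*** Setting encryption policy on another user's directory ***"
mkdir "$unauthorized_dir"
# "$qa_user" is quoted so that an unset value makes su fail visibly instead of
# turning the call into `su -c ...`, which would run the command as root and
# make this negative test meaningless.
# NOTE(review): the listing skips its line 114, the continuation of this
# pipeline. `_filter_scratch` is restored by analogy with the other failure
# checks in this test; confirm against the upstream test.
su "$qa_user" -c "$XFS_IO_PROG -c \"set_encpolicy\" $unauthorized_dir" |& \
	_filter_scratch
check_no_policy "$unauthorized_dir" |& _filter_scratch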
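# Should *not* be able to set an encryption policy on a directory on a
# filesystem mounted readonly.  Regression test for ba63f23d69a3: "fscrypto:
# require write access to mount to set encryption policy".  Test both a regular
# readonly filesystem and a readonly bind mount of a read-write filesystem.
#
# Setting a policy modifies the directory's metadata, so it needs write access
# to the mount. The bind-mount case matters because there only the mount is
# read-only while the underlying filesystem stays writable.
echo -e "\n*** Setting encryption policy on readonly filesystem ***"
mkdir "$SCRATCH_MNT/ro_dir" "$SCRATCH_MNT/ro_bind_mnt"
# NOTE(review): the listing skips its line 123 here, presumably the step that
# makes the scratch filesystem read-only. Confirm against the upstream test.
$XFS_IO_PROG -c "set_encpolicy" "$SCRATCH_MNT/ro_dir" |& _filter_scratch
check_no_policy "$SCRATCH_MNT/ro_dir" |& _filter_scratch
# NOTE(review): the listing skips its line 126 here, presumably the step that
# returns the scratch filesystem to read-write before the bind mount is set up.
# Bind the filesystem onto a directory inside itself, then make only that bind
# mount read-only with a second remount.
mount --bind "$SCRATCH_MNT" "$SCRATCH_MNT/ro_bind_mnt"
mount -o remount,ro,bind "$SCRATCH_MNT/ro_bind_mnt"
$XFS_IO_PROG -c "set_encpolicy" "$SCRATCH_MNT/ro_bind_mnt/ro_dir" |& _filter_scratch
check_no_policy "$SCRATCH_MNT/ro_bind_mnt/ro_dir" |& _filter_scratch
# NOTE(review): if the test is interrupted before this line, the bind mount
# stays in place unless _cleanup (not shown in this listing) removes it.
umount "$SCRATCH_MNT/ro_bind_mnt"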