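#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (c) 2016 Google, Inc. All Rights Reserved.
#
# FS QA Test generic/395
#
# Test setting and getting encryption policies.
#
# Most cases below are negative tests: the set operation is expected to be
# refused, and the following _get_encpolicy shows that no policy (or the
# original policy) is in force. Output, including stderr via `|&`, is printed
# rather than checked in-line, so this script must not run under `set -e`.
# Presumably the harness compares the output with a recorded expectation.
#
# NOTE(review): this listing was captured with viewer line numbers fused into
# each line and with gaps in that numbering. The numbers are removed here and
# expansions are quoted. Where a skipped line evidently carried a command, the
# gap is flagged below instead of guessed at; restore those lines from the
# upstream test before running.

# NOTE(review): _begin_fstest is not defined in this listing; the line that
# would source it appears to be one of the skipped lines.
_begin_fstest auto quick encrypt

# Import common functions.
# NOTE(review): the source lines that belong under this heading are absent.
# _filter_scratch, _set_encpolicy, _get_encpolicy and _user_do_set_encpolicy
# are used below but defined elsewhere.

# real QA test starts here
_require_scratch_encryption
_require_xfs_io_command "get_encpolicy"

_scratch_mkfs_encrypted &>> "${seqres}.full"
# NOTE(review): no mount of the scratch filesystem is visible between the mkfs
# above and the first use of $SCRATCH_MNT; the listing skips a line here.

# Should be able to set an encryption policy on an empty directory
empty_dir="$SCRATCH_MNT/empty_dir"
echo -e "\n*** Setting encryption policy on empty directory ***"
# NOTE(review): the listing skips a line here and nothing visible creates
# $empty_dir before it is queried; confirm against upstream.
# First query runs before any policy exists, so stderr is captured too.
_get_encpolicy "$empty_dir" |& _filter_scratch
# The second argument is presumably the key descriptor naming the policy's
# master key; confirm against the helper's definition.
_set_encpolicy "$empty_dir" 0000111122223333
_get_encpolicy "$empty_dir" | _filter_scratch

# Should be able to set the same policy again, but not a different one.
# An existing policy has to be immutable: re-applying the identical policy is
# accepted, a different one must be refused, and the final query shows that
# the original policy is still the one in force.
echo -e "\n*** Setting encryption policy again ***"
_set_encpolicy "$empty_dir" 0000111122223333
_get_encpolicy "$empty_dir" | _filter_scratch
_set_encpolicy "$empty_dir" 4444555566667777 |& _filter_scratch
_get_encpolicy "$empty_dir" | _filter_scratch

# Should *not* be able to set an encryption policy on a nonempty directory
# (otherwise a directory could hold entries created before the policy
# alongside entries created under it).
nonempty_dir="$SCRATCH_MNT/nonempty_dir"
echo -e "\n*** Setting encryption policy on nonempty directory ***"
# NOTE(review): the listing skips a line here; the touch below needs
# $nonempty_dir to exist already. Confirm against upstream.
touch "$nonempty_dir/file"
_set_encpolicy "$nonempty_dir" |& _filter_scratch
_get_encpolicy "$nonempty_dir" |& _filter_scratch

# Should *not* be able to set an encryption policy on a nondirectory file, even
# an empty one. Regression test for 002ced4be642: "fscrypto: only allow setting
# encryption policy on directories".
nondirectory="$SCRATCH_MNT/nondirectory"
echo -e "\n*** Setting encryption policy on nondirectory ***"
# NOTE(review): the listing skips a line here and nothing visible creates
# $nondirectory; as shown, the calls below would hit a missing path rather
# than an existing regular file. Confirm against upstream.
_set_encpolicy "$nondirectory" |& _filter_scratch
_get_encpolicy "$nondirectory" |& _filter_scratch

# Should *not* be able to set an encryption policy on another user's directory.
# Regression test for 163ae1c6ad62: "fscrypto: add authorization check for
# setting encryption policy".
# The policy decides how everything later created in the directory is
# encrypted, so a user who does not own the directory must be refused.
unauthorized_dir="$SCRATCH_MNT/unauthorized_dir"
echo -e "\n*** Setting encryption policy on another user's directory ***"
# Created by the user running the test; the set attempt below goes through
# _user_do_set_encpolicy, which presumably runs as a different, unprivileged
# test user. NOTE(review): no requirement check for such a user is visible in
# this listing; confirm.
mkdir "$unauthorized_dir"
_user_do_set_encpolicy "$unauthorized_dir" |& _filter_scratch
_get_encpolicy "$unauthorized_dir" |& _filter_scratch

# Should *not* be able to set an encryption policy on a directory on a
# filesystem mounted readonly. Regression test for ba63f23d69a3: "fscrypto:
# require write access to mount to set encryption policy". Test both a regular
# readonly filesystem and a readonly bind mount of a read-write filesystem.
echo -e "\n*** Setting encryption policy on readonly filesystem ***"
mkdir "$SCRATCH_MNT/ro_dir" "$SCRATCH_MNT/ro_bind_mnt"
# NOTE(review): the listing skips a line here and nothing visible makes the
# filesystem read-only before the next two commands; as shown they would run
# against a read-write mount and the case would not test what the comment
# above describes. Confirm against upstream.
_set_encpolicy "$SCRATCH_MNT/ro_dir" |& _filter_scratch
_get_encpolicy "$SCRATCH_MNT/ro_dir" |& _filter_scratch
# NOTE(review): another line is skipped here; the bind-mount case below
# assumes the underlying filesystem is read-write again at this point.
# Bind the scratch mount onto a subdirectory, then remount only that bind
# mount read-only, so the same directory is reached through a read-only
# mount of a read-write filesystem.
mount --bind "$SCRATCH_MNT" "$SCRATCH_MNT/ro_bind_mnt"
mount -o remount,ro,bind "$SCRATCH_MNT/ro_bind_mnt"
_set_encpolicy "$SCRATCH_MNT/ro_bind_mnt/ro_dir" |& _filter_scratch
_get_encpolicy "$SCRATCH_MNT/ro_bind_mnt/ro_dir" |& _filter_scratch
# Drop the bind mount again. NOTE(review): if the run is interrupted before
# this point the bind mount stays in place; confirm the harness cleanup
# handles that.
umount "$SCRATCH_MNT/ro_bind_mnt"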