2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright (c) 2016 Google, Inc. All Rights Reserved.
5 # FS QA Test generic/398
7 # Filesystem encryption is designed to enforce that a consistent encryption
8 # policy is used within a given encrypted directory tree and that an encrypted
9 # directory tree does not contain any unencrypted files. This test verifies
10 # that filesystem operations that would violate this constraint fail. This does
11 # not test enforcement of this constraint on lookup, which is still needed to
12 # detect offline changes.
15 seqres=$RESULT_DIR/$seq
16 echo "QA output created by $seq"
20 status=1 # failure is the default!
21 trap "_cleanup; exit \$status" 0 1 2 3 15
29 # The error code for incompatible rename or link into an encrypted directory was
30 # changed from EPERM to EXDEV in Linux v5.1, to allow tools like 'mv' to work.
31 # See kernel commit f5e55e777cc9 ("fscrypt: return -EXDEV for incompatible
32 # rename or link into encrypted dir"). Accept both errors for now.
33 filter_eperm_to_exdev()
35 sed -e 's/Operation not permitted/Invalid cross-device link/'
38 # The error code for incompatible cross-rename without the key has been ENOKEY
39 # on all filesystems since Linux v4.16. Previously it was EPERM on some
40 # filesystems. Accept both errors for now.
41 filter_eperm_to_enokey()
43 sed -e 's/Operation not permitted/Required key not available/'
46 # get standard environment, filters and checks
52 # remove previous $seqres.full before test
55 # real QA test starts here
58 _require_scratch_encryption
59 _require_xfs_io_command "set_encpolicy"
63 _scratch_mkfs_encrypted &>> $seqres.full
66 # Set up two encrypted directories, with different encryption policies,
67 # and one unencrypted directory.
68 edir1=$SCRATCH_MNT/edir1
69 edir2=$SCRATCH_MNT/edir2
70 udir=$SCRATCH_MNT/udir
71 mkdir $edir1 $edir2 $udir
72 keydesc1=$(_generate_encryption_key)
73 keydesc2=$(_generate_encryption_key)
74 $XFS_IO_PROG -c "set_encpolicy $keydesc1" $edir1
75 $XFS_IO_PROG -c "set_encpolicy $keydesc2" $edir2
81 # Test linking and renaming an encrypted file into an encrypted directory with a
82 # different encryption policy. Should fail with EXDEV.
84 echo -e "\n*** Link encrypted <= encrypted ***"
85 ln $edir1/efile1 $edir2/efile1 |& _filter_scratch | filter_eperm_to_exdev
87 echo -e "\n*** Rename encrypted => encrypted ***"
88 src/renameat2 $edir1/efile1 $edir2/efile1 |& filter_eperm_to_exdev
91 # Test linking and renaming an unencrypted file into an encrypted directory.
92 # Should fail with EXDEV.
94 echo -e "\n\n*** Link unencrypted <= encrypted ***"
95 ln $udir/ufile $edir1/ufile |& _filter_scratch | filter_eperm_to_exdev
97 echo -e "\n*** Rename unencrypted => encrypted ***"
98 src/renameat2 $udir/ufile $edir1/ufile |& filter_eperm_to_exdev
101 # Test linking and renaming an encrypted file into an unencrypted directory.
104 echo -e "\n\n*** Link encrypted <= unencrypted ***"
105 ln -v $edir1/efile1 $udir/efile1 |& _filter_scratch
106 rm $udir/efile1 # undo
108 echo -e "\n*** Rename encrypted => unencrypted ***"
109 src/renameat2 $edir1/efile1 $udir/efile1
110 src/renameat2 $udir/efile1 $edir1/efile1 # undo
113 # Test renaming a forbidden (unencrypted, or encrypted with a different
114 # encryption policy) file into an encrypted directory via an exchange (cross
115 # rename) operation. Should fail with EXDEV.
117 echo -e "\n\n*** Exchange encrypted <=> encrypted ***"
118 src/renameat2 -x $edir1/efile1 $edir2/efile2 |& filter_eperm_to_exdev
120 echo -e "\n*** Exchange unencrypted <=> encrypted ***"
121 src/renameat2 -x $udir/ufile $edir1/efile1 |& filter_eperm_to_exdev
123 echo -e "\n*** Exchange encrypted <=> unencrypted ***"
124 src/renameat2 -x $edir1/efile1 $udir/ufile |& filter_eperm_to_exdev
127 # Test a file with a special type, i.e. not regular, directory, or symlink.
128 # Since such files are not subject to encryption, there should be no
129 # restrictions on linking or renaming them into encrypted directories.
131 echo -e "\n\n*** Special file tests ***"
133 src/renameat2 $edir1/fifo $edir2/fifo
134 src/renameat2 $edir2/fifo $udir/fifo
135 src/renameat2 $udir/fifo $edir1/fifo
137 src/renameat2 -x $udir/fifo $edir1/fifo
138 ln -v $edir1/fifo $edir2/fifo | _filter_scratch
139 rm $edir1/fifo $edir2/fifo $udir/fifo
142 # Now test that *without* access to the encrypted key, we cannot use an exchange
143 # (cross rename) operation to move a forbidden file into an encrypted directory.
145 _unlink_encryption_key $keydesc1
146 _unlink_encryption_key $keydesc2
148 efile1=$(find $edir1 -type f)
149 efile2=$(find $edir2 -type f)
151 echo -e "\n\n*** Exchange encrypted <=> encrypted without key ***"
152 src/renameat2 -x $efile1 $efile2 |& filter_eperm_to_enokey
153 echo -e "\n*** Exchange encrypted <=> unencrypted without key ***"
154 src/renameat2 -x $efile1 $udir/ufile |& filter_eperm_to_enokey