2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright 2019 Google LLC
5 # FS QA Test No. generic/581
7 # Test non-root use of the fscrypt filesystem-level encryption keyring
8 # and v2 encryption policies.
12 _begin_fstest auto quick encrypt
17 # Override the default cleanup function.
22 if [ -n "$orig_maxkeys" ]; then
23 echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys
27 # Import common functions.
31 # real QA test starts here
34 _require_scratch_encryption -v 2
36 _scratch_mkfs_encrypted &>> $seqres.full
43 raw_key+="\\x$(printf "%02x" $i)"
45 keydesc="0000111122223333"
46 keyid="69b2f6edeee720cce0577937eb8a6751"
47 chmod 777 $SCRATCH_MNT
51 echo "# Setting v1 policy as regular user (should succeed)"
52 _user_do_set_encpolicy $dir $keydesc
54 echo "# Getting v1 policy as regular user (should succeed)"
55 _user_do_get_encpolicy $dir | _filter_scratch
57 echo "# Adding v1 policy key as regular user (should fail with EACCES)"
58 _user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc
64 echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)"
65 _user_do_set_encpolicy $dir $keyid |& _filter_scratch
67 echo "# Adding v2 policy key as regular user (should succeed)"
68 _user_do_add_enckey $SCRATCH_MNT "$raw_key"
70 echo "# Setting v2 policy as regular user with key added (should succeed)"
71 _user_do_set_encpolicy $dir $keyid
73 echo "# Getting v2 policy as regular user (should succeed)"
74 _user_do_get_encpolicy $dir | _filter_scratch
76 echo "# Creating encrypted file as regular user (should succeed)"
77 _user_do "echo contents > $dir/file"
79 echo "# Removing v2 policy key as regular user (should succeed)"
80 _user_do_rm_enckey $SCRATCH_MNT $keyid
82 _scratch_cycle_mount # Clear all keys
84 # Wait for any invalidated keys to be garbage-collected.
86 while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do
87 if ((++i >= 20)); then
88 echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full
94 # Set the user key quota to the fsgqa user's current number of keys plus 5.
95 orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1")
97 echo "orig_keys=$orig_keys" >> $seqres.full
98 orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys)
100 echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys
103 echo "# Testing user key quota"
104 for i in `seq $((keys_to_add + 1))`; do
105 rand_raw_key=$(_generate_raw_encryption_key)
106 _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \
107 | sed 's/ with identifier .*$//'
110 # Restore the original key quota.
111 echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys
115 _user_do "mkdir $dir"
116 _scratch_cycle_mount # Clear all keys
118 # Test multiple users adding the same key.
119 echo "# Adding key as root"
120 _add_enckey $SCRATCH_MNT "$raw_key"
121 echo "# Getting key status as regular user"
122 _user_do_enckey_status $SCRATCH_MNT $keyid
123 echo "# Removing key only added by another user (should fail with ENOKEY)"
124 _user_do_rm_enckey $SCRATCH_MNT $keyid
125 echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)"
126 _user_do_set_encpolicy $dir $keyid |& _filter_scratch
127 echo "# Adding second user of key"
128 _user_do_add_enckey $SCRATCH_MNT "$raw_key"
129 echo "# Getting key status as regular user"
130 _user_do_enckey_status $SCRATCH_MNT $keyid
131 echo "# Setting v2 encryption policy as regular user"
132 _user_do_set_encpolicy $dir $keyid
133 echo "# Removing this user's claim to the key"
134 _user_do_rm_enckey $SCRATCH_MNT $keyid
135 echo "# Getting key status as regular user"
136 _user_do_enckey_status $SCRATCH_MNT $keyid
137 echo "# Adding back second user of key"
138 _user_do_add_enckey $SCRATCH_MNT "$raw_key"
139 echo "# Remove key for \"all users\", as regular user (should fail with EACCES)"
140 _user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch
141 _enckey_status $SCRATCH_MNT $keyid
142 echo "# Remove key for \"all users\", as root"
143 _rm_enckey $SCRATCH_MNT $keyid -a
144 _enckey_status $SCRATCH_MNT $keyid