#! /bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright 2018 Google LLC
#
# FS QA Test generic/573
#
# Test access controls on the fs-verity ioctls.  FS_IOC_MEASURE_VERITY is
# allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access.
#
seq=`basename $0`
seqres=$RESULT_DIR/$seq
echo "QA output created by $seq"

here=`pwd`
tmp=/tmp/$$
status=1	# failure is the default!
trap "_cleanup; exit \$status" 0 1 2 3 15

_cleanup()
{
	cd /
	_restore_fsverity_signatures
	rm -f $tmp.*
}

# get standard environment, filters and checks
. ./common/rc
. ./common/filter
. ./common/verity

# remove previous $seqres.full before test
rm -f $seqres.full

# real QA test starts here
_supported_fs generic
_supported_os Linux
_require_scratch_verity
_require_user
_require_chattr ia
_disable_fsverity_signatures

_scratch_mkfs_verity &>> $seqres.full
_scratch_mount
fsv_file=$SCRATCH_MNT/file.fsv

_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY doesn't require root"
echo foo > $fsv_file
chmod 666 $fsv_file
_user_do "$FSVERITY_PROG enable $fsv_file"

_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires write access"
echo foo > $fsv_file >> $seqres.full
chmod 444 $fsv_file
_user_do "$FSVERITY_PROG enable $fsv_file" |& _filter_scratch

_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !append-only"
echo foo > $fsv_file >> $seqres.full
$CHATTR_PROG +a $fsv_file
$FSVERITY_PROG enable $fsv_file |& _filter_scratch
$CHATTR_PROG -a $fsv_file

_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !immutable"
echo foo > $fsv_file >> $seqres.full
$CHATTR_PROG +i $fsv_file
$FSVERITY_PROG enable $fsv_file |& _filter_scratch
$CHATTR_PROG -i $fsv_file

_fsv_scratch_begin_subtest "FS_IOC_MEASURE_VERITY doesn't require root"
_fsv_create_enable_file $fsv_file >> $seqres.full
chmod 444 $fsv_file
su $qa_user -c "$FSVERITY_PROG measure $fsv_file" >> $seqres.full

# success, all done
status=0
exit