#! /bin/bash # SPDX-License-Identifier: GPL-2.0 # Copyright 2019 Google LLC # # FS QA Test No. generic/581 # # Test non-root use of the fscrypt filesystem-level encryption keyring # and v2 encryption policies. # seq=`basename $0` seqres=$RESULT_DIR/$seq echo "QA output created by $seq" echo here=`pwd` tmp=/tmp/$$ status=1 # failure is the default! trap "_cleanup; exit \$status" 0 1 2 3 15 orig_maxkeys= _cleanup() { cd / rm -f $tmp.* if [ -n "$orig_maxkeys" ]; then echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys fi } # get standard environment, filters and checks . ./common/rc . ./common/filter . ./common/encrypt # remove previous $seqres.full before test rm -f $seqres.full # real QA test starts here _supported_fs generic _require_user _require_scratch_encryption -v 2 _scratch_mkfs_encrypted &>> $seqres.full _scratch_mount dir=$SCRATCH_MNT/dir raw_key="" for i in `seq 64`; do raw_key+="\\x$(printf "%02x" $i)" done keydesc="0000111122223333" keyid="69b2f6edeee720cce0577937eb8a6751" chmod 777 $SCRATCH_MNT _user_do "mkdir $dir" echo "# Setting v1 policy as regular user (should succeed)" _user_do_set_encpolicy $dir $keydesc echo "# Getting v1 policy as regular user (should succeed)" _user_do_get_encpolicy $dir | _filter_scratch echo "# Adding v1 policy key as regular user (should fail with EACCES)" _user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc rm -rf $dir echo _user_do "mkdir $dir" echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" _user_do_set_encpolicy $dir $keyid |& _filter_scratch echo "# Adding v2 policy key as regular user (should succeed)" _user_do_add_enckey $SCRATCH_MNT "$raw_key" echo "# Setting v2 policy as regular user with key added (should succeed)" _user_do_set_encpolicy $dir $keyid echo "# Getting v2 policy as regular user (should succeed)" _user_do_get_encpolicy $dir | _filter_scratch echo "# Creating encrypted file as regular user (should succeed)" _user_do "echo contents > $dir/file" echo "# Removing v2 policy key as regular user (should succeed)" _user_do_rm_enckey $SCRATCH_MNT $keyid _scratch_cycle_mount # Clear all keys # Wait for any invalidated keys to be garbage-collected. i=0 while grep -E -q '^[0-9a-f]+ [^ ]*i[^ ]*' /proc/keys; do if ((++i >= 20)); then echo "Timed out waiting for invalidated keys to be GC'ed" >> $seqres.full break fi sleep 0.5 done # Set the user key quota to the fsgqa user's current number of keys plus 5. orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") : ${orig_keys:=0} echo "orig_keys=$orig_keys" >> $seqres.full orig_maxkeys=$( /proc/sys/kernel/keys/maxkeys echo echo "# Testing user key quota" for i in `seq $((keys_to_add + 1))`; do rand_raw_key=$(_generate_raw_encryption_key) _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ | sed 's/ with identifier .*$//' done # Restore the original key quota. echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys rm -rf $dir echo _user_do "mkdir $dir" _scratch_cycle_mount # Clear all keys # Test multiple users adding the same key. echo "# Adding key as root" _add_enckey $SCRATCH_MNT "$raw_key" echo "# Getting key status as regular user" _user_do_enckey_status $SCRATCH_MNT $keyid echo "# Removing key only added by another user (should fail with ENOKEY)" _user_do_rm_enckey $SCRATCH_MNT $keyid echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" _user_do_set_encpolicy $dir $keyid |& _filter_scratch echo "# Adding second user of key" _user_do_add_enckey $SCRATCH_MNT "$raw_key" echo "# Getting key status as regular user" _user_do_enckey_status $SCRATCH_MNT $keyid echo "# Setting v2 encryption policy as regular user" _user_do_set_encpolicy $dir $keyid echo "# Removing this user's claim to the key" _user_do_rm_enckey $SCRATCH_MNT $keyid echo "# Getting key status as regular user" _user_do_enckey_status $SCRATCH_MNT $keyid echo "# Adding back second user of key" _user_do_add_enckey $SCRATCH_MNT "$raw_key" echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" _user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch _enckey_status $SCRATCH_MNT $keyid echo "# Remove key for \"all users\", as root" _rm_enckey $SCRATCH_MNT $keyid -a _enckey_status $SCRATCH_MNT $keyid # success, all done status=0 exit