tests/generic/398

#! /bin/bash
# FS QA Test generic/398
#
# Filesystem encryption is designed to enforce that a consistent encryption
# policy is used within a given encrypted directory tree and that an encrypted
# directory tree does not contain any unencrypted files.  This test verifies
# that filesystem operations that would violate this constraint fail with EPERM.
# This does not test enforcement of this constraint on lookup, which is still
# needed to detect offline changes.
#
#-----------------------------------------------------------------------
# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
#
# Author: Eric Biggers <ebiggers@google.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write the Free Software Foundation,
# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#-----------------------------------------------------------------------
#

seq=`basename $0`
seqres=$RESULT_DIR/$seq
echo "QA output created by $seq"

here=`pwd`
tmp=/tmp/$$
status=1	# failure is the default!
trap "_cleanup; exit \$status" 0 1 2 3 15

_cleanup()
{
	cd /
	rm -f $tmp.*
}

filter_enokey()
{
	# rename without key can also fail with EPERM instead of ENOKEY
	sed -e "s/Required key not available/Operation not permitted/g"
}

# get standard environment, filters and checks
. ./common/rc
. ./common/filter
. ./common/encrypt
. ./common/renameat2

# remove previous $seqres.full before test
rm -f $seqres.full

# real QA test starts here
_supported_fs generic
_supported_os Linux
_require_scratch_encryption
_require_xfs_io_command "set_encpolicy"
_requires_renameat2

_new_session_keyring
_scratch_mkfs_encrypted &>> $seqres.full
_scratch_mount

# Set up two encrypted directories, with different encryption policies,
# and one unencrypted directory.
edir1=$SCRATCH_MNT/edir1
edir2=$SCRATCH_MNT/edir2
udir=$SCRATCH_MNT/udir
mkdir $edir1 $edir2 $udir
keydesc1=$(_generate_encryption_key)
keydesc2=$(_generate_encryption_key)
$XFS_IO_PROG -c "set_encpolicy $keydesc1" $edir1
$XFS_IO_PROG -c "set_encpolicy $keydesc2" $edir2
touch $edir1/efile1
touch $edir2/efile2
touch $udir/ufile


# Test linking and moving an encrypted file into an encrypted directory with a
# different encryption policy.  Should fail with EPERM.

echo -e "\n*** Link encrypted <= encrypted ***"
ln $edir1/efile1 $edir2/efile1 |& _filter_scratch

echo -e "\n*** Rename encrypted => encrypted ***"
mv $edir1/efile1 $edir2/efile1 |& _filter_scratch


# Test linking and moving an unencrypted file into an encrypted directory.
# Should fail with EPERM.

echo -e "\n\n*** Link unencrypted <= encrypted ***"
ln $udir/ufile $edir1/ufile |& _filter_scratch

echo -e "\n*** Rename unencrypted => encrypted ***"
mv $udir/ufile $edir1/ufile |& _filter_scratch


# Test linking and moving an encrypted file into an unencrypted directory.
# Should succeed.

echo -e "\n\n*** Link encrypted <= unencrypted ***"
ln -v $edir1/efile1 $udir/efile1 |& _filter_scratch
rm $udir/efile1 # undo

echo -e "\n*** Rename encrypted => unencrypted ***"
mv -v $edir1/efile1 $udir/efile1 |& _filter_scratch
mv $udir/efile1 $edir1/efile1 # undo


# Test moving a forbidden (unencrypted, or encrypted with a different encryption
# policy) file into an encrypted directory via an exchange (cross rename)
# operation.  Should fail with EPERM.

echo -e "\n\n*** Exchange encrypted <=> encrypted ***"
src/renameat2 -x $edir1/efile1 $edir2/efile2 |& _filter_scratch

echo -e "\n*** Exchange unencrypted <=> encrypted ***"
src/renameat2 -x $udir/ufile $edir1/efile1 |& _filter_scratch

echo -e "\n*** Exchange encrypted <=> unencrypted ***"
src/renameat2 -x $edir1/efile1 $udir/ufile |& _filter_scratch


# Test a file with a special type, i.e. not regular, directory, or symlink.
# Since such files are not subject to encryption, there should be no
# restrictions on linking or moving them into encrypted directories.

echo -e "\n\n*** Special file tests ***"
mkfifo $edir1/fifo
mv -v $edir1/fifo $edir2/fifo | _filter_scratch
mv -v $edir2/fifo $udir/fifo | _filter_scratch
mv -v $udir/fifo $edir1/fifo | _filter_scratch
mkfifo $udir/fifo
src/renameat2 -x $udir/fifo $edir1/fifo
ln -v $edir1/fifo $edir2/fifo | _filter_scratch
rm $edir1/fifo $edir2/fifo $udir/fifo


# Now test that *without* access to the encrypted key, we cannot use an exchange
# (cross rename) operation to move a forbidden file into an encrypted directory.

_unlink_encryption_key $keydesc1
_unlink_encryption_key $keydesc2
_scratch_cycle_mount
efile1=$(find $edir1 -type f)
efile2=$(find $edir2 -type f)

echo -e "\n\n*** Exchange encrypted <=> encrypted without key ***"
src/renameat2 -x $efile1 $efile2 |& filter_enokey
echo -e "\n*** Exchange encrypted <=> unencrypted without key ***"
src/renameat2 -x $efile1 $udir/ufile |& filter_enokey

# success, all done
status=0
exit
generic: test enforcement of one encryption policy per tree 2016-12-15 12:26:24 -08:00			`#! /bin/bash`
			`# FS QA Test generic/398`
			`#`
			`# Filesystem encryption is designed to enforce that a consistent encryption`
			`# policy is used within a given encrypted directory tree and that an encrypted`
			`# directory tree does not contain any unencrypted files. This test verifies`
			`# that filesystem operations that would violate this constraint fail with EPERM.`
			`# This does not test enforcement of this constraint on lookup, which is still`
			`# needed to detect offline changes.`
			`#`
			`#-----------------------------------------------------------------------`
			`# Copyright (c) 2016 Google, Inc. All Rights Reserved.`
			`#`
			`# Author: Eric Biggers <ebiggers@google.com>`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU General Public License as`
			`# published by the Free Software Foundation.`
			`#`
			`# This program is distributed in the hope that it would be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program; if not, write the Free Software Foundation,`
			`# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA`
			`#-----------------------------------------------------------------------`
			`#`

			seq=`basename $0`
			`seqres=$RESULT_DIR/$seq`
			`echo "QA output created by $seq"`

			here=`pwd`
			`tmp=/tmp/$$`
			`status=1 # failure is the default!`
			`trap "_cleanup; exit \$status" 0 1 2 3 15`

			`_cleanup()`
			`{`
			`cd /`
			`rm -f $tmp.*`
			`}`

generic/398: Accept failing with EPERM in addition to ENOKEY for rename without key 2017-06-07 10:20:46 +02:00			`filter_enokey()`
			`{`
			`# rename without key can also fail with EPERM instead of ENOKEY`
			`sed -e "s/Required key not available/Operation not permitted/g"`
			`}`

generic: test enforcement of one encryption policy per tree 2016-12-15 12:26:24 -08:00			`# get standard environment, filters and checks`
			`. ./common/rc`
			`. ./common/filter`
			`. ./common/encrypt`
			`. ./common/renameat2`

			`# remove previous $seqres.full before test`
			`rm -f $seqres.full`

			`# real QA test starts here`
			`_supported_fs generic`
			`_supported_os Linux`
			`_require_scratch_encryption`
			`_require_xfs_io_command "set_encpolicy"`
			`_requires_renameat2`

			`_new_session_keyring`
			`_scratch_mkfs_encrypted &>> $seqres.full`
			`_scratch_mount`

			`# Set up two encrypted directories, with different encryption policies,`
			`# and one unencrypted directory.`
			`edir1=$SCRATCH_MNT/edir1`
			`edir2=$SCRATCH_MNT/edir2`
			`udir=$SCRATCH_MNT/udir`
			`mkdir $edir1 $edir2 $udir`
			`keydesc1=$(_generate_encryption_key)`
			`keydesc2=$(_generate_encryption_key)`
			`$XFS_IO_PROG -c "set_encpolicy $keydesc1" $edir1`
			`$XFS_IO_PROG -c "set_encpolicy $keydesc2" $edir2`
			`touch $edir1/efile1`
			`touch $edir2/efile2`
			`touch $udir/ufile`


			`# Test linking and moving an encrypted file into an encrypted directory with a`
			`# different encryption policy. Should fail with EPERM.`

			`echo -e "\n* Link encrypted <= encrypted *"`
			`ln $edir1/efile1 $edir2/efile1 \|& _filter_scratch`

			`echo -e "\n* Rename encrypted => encrypted *"`
			`mv $edir1/efile1 $edir2/efile1 \|& _filter_scratch`


			`# Test linking and moving an unencrypted file into an encrypted directory.`
			`# Should fail with EPERM.`

			`echo -e "\n\n* Link unencrypted <= encrypted *"`
			`ln $udir/ufile $edir1/ufile \|& _filter_scratch`

			`echo -e "\n* Rename unencrypted => encrypted *"`
			`mv $udir/ufile $edir1/ufile \|& _filter_scratch`


			`# Test linking and moving an encrypted file into an unencrypted directory.`
			`# Should succeed.`

			`echo -e "\n\n* Link encrypted <= unencrypted *"`
			`ln -v $edir1/efile1 $udir/efile1 \|& _filter_scratch`
			`rm $udir/efile1 # undo`

			`echo -e "\n* Rename encrypted => unencrypted *"`
			`mv -v $edir1/efile1 $udir/efile1 \|& _filter_scratch`
			`mv $udir/efile1 $edir1/efile1 # undo`


			`# Test moving a forbidden (unencrypted, or encrypted with a different encryption`
			`# policy) file into an encrypted directory via an exchange (cross rename)`
			`# operation. Should fail with EPERM.`

			`echo -e "\n\n* Exchange encrypted <=> encrypted *"`
			`src/renameat2 -x $edir1/efile1 $edir2/efile2 \|& _filter_scratch`

			`echo -e "\n* Exchange unencrypted <=> encrypted *"`
			`src/renameat2 -x $udir/ufile $edir1/efile1 \|& _filter_scratch`

			`echo -e "\n* Exchange encrypted <=> unencrypted *"`
			`src/renameat2 -x $edir1/efile1 $udir/ufile \|& _filter_scratch`


			`# Test a file with a special type, i.e. not regular, directory, or symlink.`
			`# Since such files are not subject to encryption, there should be no`
			`# restrictions on linking or moving them into encrypted directories.`

			`echo -e "\n\n* Special file tests *"`
			`mkfifo $edir1/fifo`
			`mv -v $edir1/fifo $edir2/fifo \| _filter_scratch`
			`mv -v $edir2/fifo $udir/fifo \| _filter_scratch`
			`mv -v $udir/fifo $edir1/fifo \| _filter_scratch`
			`mkfifo $udir/fifo`
			`src/renameat2 -x $udir/fifo $edir1/fifo`
			`ln -v $edir1/fifo $edir2/fifo \| _filter_scratch`
			`rm $edir1/fifo $edir2/fifo $udir/fifo`


			`# Now test that without access to the encrypted key, we cannot use an exchange`
			`# (cross rename) operation to move a forbidden file into an encrypted directory.`

			`_unlink_encryption_key $keydesc1`
			`_unlink_encryption_key $keydesc2`
			`_scratch_cycle_mount`
			`efile1=$(find $edir1 -type f)`
			`efile2=$(find $edir2 -type f)`

			`echo -e "\n\n* Exchange encrypted <=> encrypted without key *"`
generic/398: Accept failing with EPERM in addition to ENOKEY for rename without key 2017-06-07 10:20:46 +02:00			`src/renameat2 -x $efile1 $efile2 \|& filter_enokey`
generic: test enforcement of one encryption policy per tree 2016-12-15 12:26:24 -08:00			`echo -e "\n* Exchange encrypted <=> unencrypted without key *"`
generic/398: Accept failing with EPERM in addition to ENOKEY for rename without key 2017-06-07 10:20:46 +02:00			`src/renameat2 -x $efile1 $udir/ufile \|& filter_enokey`
generic: test enforcement of one encryption policy per tree 2016-12-15 12:26:24 -08:00
			`# success, all done`
			`status=0`
			`exit`