mirror of
https://github.com/linux-apfs/apfstests.git
synced 2026-05-01 15:01:44 -07:00
Eric Biggers
881eccda82
For conciseness in tests, add helper functions that wrap the xfs_io commands 'set_encpolicy' and 'get_encpolicy'. Then update all encryption tests to use them. Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Eryu Guan <guaneryu@gmail.com> Signed-off-by: Eryu Guan <guaneryu@gmail.com>
117 lines
4.0 KiB
Bash
Executable File
117 lines
4.0 KiB
Bash
Executable File
#! /bin/bash
|
|
# SPDX-License-Identifier: GPL-2.0
|
|
# Copyright (c) 2016 Google, Inc. All Rights Reserved.
|
|
#
|
|
# FS QA Test generic/395
|
|
#
|
|
# Test setting and getting encryption policies.
|
|
#
|
|
seq=`basename $0`
|
|
seqres=$RESULT_DIR/$seq
|
|
echo "QA output created by $seq"
|
|
|
|
here=`pwd`
|
|
tmp=/tmp/$$
|
|
status=1 # failure is the default!
|
|
trap "_cleanup; exit \$status" 0 1 2 3 15
|
|
|
|
_cleanup()
|
|
{
|
|
cd /
|
|
rm -f $tmp.*
|
|
}
|
|
|
|
# get standard environment, filters and checks
|
|
. ./common/rc
|
|
. ./common/filter
|
|
. ./common/encrypt
|
|
|
|
# remove previous $seqres.full before test
|
|
rm -f $seqres.full
|
|
|
|
# real QA test starts here
|
|
_supported_fs generic
|
|
_supported_os Linux
|
|
_require_scratch_encryption
|
|
_require_xfs_io_command "get_encpolicy"
|
|
_require_user
|
|
|
|
_scratch_mkfs_encrypted &>> $seqres.full
|
|
_scratch_mount
|
|
|
|
check_no_policy()
|
|
{
|
|
# When a file is unencrypted, FS_IOC_GET_ENCRYPTION_POLICY currently
|
|
# fails with ENOENT on ext4 but with ENODATA on f2fs. TODO: it's
|
|
# planned to consistently use ENODATA. For now this test accepts both.
|
|
_get_encpolicy $1 |&
|
|
sed -e 's/No such file or directory/No data available/'
|
|
}
|
|
|
|
# Should be able to set an encryption policy on an empty directory
|
|
empty_dir=$SCRATCH_MNT/empty_dir
|
|
echo -e "\n*** Setting encryption policy on empty directory ***"
|
|
mkdir $empty_dir
|
|
check_no_policy $empty_dir |& _filter_scratch
|
|
_set_encpolicy $empty_dir 0000111122223333
|
|
_get_encpolicy $empty_dir | _filter_scratch
|
|
|
|
# Should be able to set the same policy again, but not a different one.
|
|
# TODO: the error code for "already has a different policy" is planned to switch
|
|
# from EINVAL to EEXIST. For now this test accepts both.
|
|
echo -e "\n*** Setting encryption policy again ***"
|
|
_set_encpolicy $empty_dir 0000111122223333
|
|
_get_encpolicy $empty_dir | _filter_scratch
|
|
_set_encpolicy $empty_dir 4444555566667777 |& \
|
|
_filter_scratch | sed -e 's/Invalid argument/File exists/'
|
|
_get_encpolicy $empty_dir | _filter_scratch
|
|
|
|
# Should *not* be able to set an encryption policy on a nonempty directory
|
|
nonempty_dir=$SCRATCH_MNT/nonempty_dir
|
|
echo -e "\n*** Setting encryption policy on nonempty directory ***"
|
|
mkdir $nonempty_dir
|
|
touch $nonempty_dir/file
|
|
_set_encpolicy $nonempty_dir |& _filter_scratch
|
|
check_no_policy $nonempty_dir |& _filter_scratch
|
|
|
|
# Should *not* be able to set an encryption policy on a nondirectory file, even
|
|
# an empty one. Regression test for 002ced4be642: "fscrypto: only allow setting
|
|
# encryption policy on directories".
|
|
# TODO: the error code for "not a directory" is planned to switch from EINVAL to
|
|
# ENOTDIR. For now this test accepts both.
|
|
nondirectory=$SCRATCH_MNT/nondirectory
|
|
echo -e "\n*** Setting encryption policy on nondirectory ***"
|
|
touch $nondirectory
|
|
_set_encpolicy $nondirectory |& \
|
|
_filter_scratch | sed -e 's/Invalid argument/Not a directory/'
|
|
check_no_policy $nondirectory |& _filter_scratch
|
|
|
|
# Should *not* be able to set an encryption policy on another user's directory.
|
|
# Regression test for 163ae1c6ad62: "fscrypto: add authorization check for
|
|
# setting encryption policy".
|
|
unauthorized_dir=$SCRATCH_MNT/unauthorized_dir
|
|
echo -e "\n*** Setting encryption policy on another user's directory ***"
|
|
mkdir $unauthorized_dir
|
|
_user_do_set_encpolicy $unauthorized_dir |& _filter_scratch
|
|
check_no_policy $unauthorized_dir |& _filter_scratch
|
|
|
|
# Should *not* be able to set an encryption policy on a directory on a
|
|
# filesystem mounted readonly. Regression test for ba63f23d69a3: "fscrypto:
|
|
# require write access to mount to set encryption policy". Test both a regular
|
|
# readonly filesystem and a readonly bind mount of a read-write filesystem.
|
|
echo -e "\n*** Setting encryption policy on readonly filesystem ***"
|
|
mkdir $SCRATCH_MNT/ro_dir $SCRATCH_MNT/ro_bind_mnt
|
|
_scratch_remount ro
|
|
_set_encpolicy $SCRATCH_MNT/ro_dir |& _filter_scratch
|
|
check_no_policy $SCRATCH_MNT/ro_dir |& _filter_scratch
|
|
_scratch_remount rw
|
|
mount --bind $SCRATCH_MNT $SCRATCH_MNT/ro_bind_mnt
|
|
mount -o remount,ro,bind $SCRATCH_MNT/ro_bind_mnt
|
|
_set_encpolicy $SCRATCH_MNT/ro_bind_mnt/ro_dir |& _filter_scratch
|
|
check_no_policy $SCRATCH_MNT/ro_bind_mnt/ro_dir |& _filter_scratch
|
|
umount $SCRATCH_MNT/ro_bind_mnt
|
|
|
|
# success, all done
|
|
status=0
|
|
exit
|