From: Eric Biggers
To: fstests@vger.kernel.org
Cc: Theodore Ts'o, Jaegeuk Kim, Richard Weinberger, David Gstir, Michael Halcrow, Eric Biggers
Subject: [PATCH v3 4/6] generic: test encrypted file access
Date: Mon, 5 Dec 2016 11:21:07 -0800
Message-Id: <1480965669-39714-5-git-send-email-ebiggers@google.com>
In-Reply-To: <1480965669-39714-1-git-send-email-ebiggers@google.com>
X-Patchwork-Id: 9461389

Test accessing encrypted files and directories, both with and without the encryption key.

Signed-off-by: Eric Biggers --- tests/generic/402 | 145 ++++++++++++++++++++++++++++++++++++++++++++++++++ tests/generic/402.out | 13 +++++ tests/generic/group | 1 + 3 files changed, 159 insertions(+) create mode 100755 tests/generic/402 create mode 100644 tests/generic/402.out diff --git a/tests/generic/402 b/tests/generic/402 new file mode 100755 index 0000000..f644196 --- /dev/null +++ b/tests/generic/402 
@@ -0,0 +1,145 @@ +#! /bin/bash +# FS QA Test generic/402 +# +# Test accessing encrypted files and directories, both with and without the +# encryption key. Access with the encryption key is more of a sanity check and +# is not intended to fully test all the encrypted I/O paths; to do that you'd +# need to run all the xfstests with encryption enabled. Access without the +# encryption key, on the other hand, should result in some particular behaviors. +# +#----------------------------------------------------------------------- +# Copyright (c) 2016 Google, Inc. All Rights Reserved. +# +# Author: Eric Biggers +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- +# + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. 
./common/encrypt + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs ext4 f2fs +_supported_os Linux +_require_xfs_io_command "set_encpolicy" +_require_scratch +_require_command "$KEYCTL_PROG" keyctl +_require_encryption + +_new_session_keyring + +_scratch_mkfs_encrypted >> $seqres.full +_scratch_mount + +mkdir $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir +keydesc=$(_generate_encryption_key) +$XFS_IO_PROG -c "set_encpolicy $keydesc" $SCRATCH_MNT/edir +for dir in $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir; do + touch $dir/empty > /dev/null + $XFS_IO_PROG -t -f -c "pwrite 0 4k" $dir/a > /dev/null + $XFS_IO_PROG -t -f -c "pwrite 0 33k" $dir/abcdefghijklmnopqrstuvwxyz > /dev/null + maxname=$(yes | head -255 | tr -d '\n') # 255 character filename + $XFS_IO_PROG -t -f -c "pwrite 0 1k" $dir/$maxname > /dev/null + ln -s a $dir/symlink + ln -s abcdefghijklmnopqrstuvwxyz $dir/symlink2 + ln -s $maxname $dir/symlink3 + mkdir $dir/subdir + mkdir $dir/subdir/subsubdir +done +# Diff encrypted directory with unencrypted reference directory +diff -r $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir +# Cycle mount and diff again +_scratch_cycle_mount +diff -r $SCRATCH_MNT/edir $SCRATCH_MNT/ref_dir + +# +# Now try accessing the files without the encryption key. It should still be +# possible to list the directory and remove files. But filenames should be +# encrypted, and it should not be possible to read regular files or to create +# new files or subdirectories. +# +# Note that we cannot simply use ls -R to verify the files because the encrypted +# filenames are unpredictable. By design, the key used to encrypt a directory's +# filenames is derived from the master key (the key in the keyring) and a nonce +# generated by the kernel. Hence, the encrypted filenames will be different +# every time this test is run, even if we were to put a fixed key into the +# keyring instead of a random one. The same applies to symlink targets. 
+# +# TODO: there are some inconsistencies in which error codes are returned on +# different kernel versions and filesystems when trying to create a file or +# subdirectory without access to the parent directory's encryption key. It's +# planned to consistently use ENOKEY, but for now make this test accept multiple +# error codes... +# + +filter_create_errors() +{ + sed -e 's/No such file or directory/Required key not available/' \ + -e 's/Permission denied/Required key not available/' \ + -e 's/Operation not permitted/Required key not available/' +} + +_unlink_encryption_key $keydesc +_scratch_cycle_mount + +# Check that unencrypted names aren't there +stat $SCRATCH_MNT/edir/empty |& _filter_scratch +stat $SCRATCH_MNT/edir/symlink |& _filter_scratch + +# Check that the correct numbers of files and subdirectories are there +ls $SCRATCH_MNT/edir | wc -l +find $SCRATCH_MNT/edir -mindepth 2 -maxdepth 2 -type d | wc -l + +# Try to read a nondirectory file (should fail with ENOKEY) +md5sum $(find $SCRATCH_MNT/edir -maxdepth 1 -type f | head -1) |& \ + cut -d ' ' -f3- + +# Try to create new files, directories, and symlinks in the encrypted directory, +# both with and without using correctly base-64 encoded filenames. These should +# all fail with ENOKEY. +$XFS_IO_PROG -f $SCRATCH_MNT/edir/newfile |& filter_create_errors | _filter_scratch +$XFS_IO_PROG -f $SCRATCH_MNT/edir/0123456789abcdef |& filter_create_errors | _filter_scratch +mkdir $SCRATCH_MNT/edir/newdir |& filter_create_errors | _filter_scratch +mkdir $SCRATCH_MNT/edir/0123456789abcdef |& filter_create_errors | _filter_scratch +ln -s foo $SCRATCH_MNT/edir/newlink |& filter_create_errors | _filter_scratch +ln -s foo $SCRATCH_MNT/edir/0123456789abcdef |& filter_create_errors | _filter_scratch + +# Delete the encrypted directory (should succeed) +rm -r $SCRATCH_MNT/edir +stat $SCRATCH_MNT/edir |& _filter_scratch + +# success, all done +status=0 +exit 
diff --git a/tests/generic/402.out b/tests/generic/402.out new file mode 100644 index 0000000..8573474 --- /dev/null +++ b/tests/generic/402.out @@ -0,0 +1,13 @@ +QA output created by 402 +stat: cannot stat 'SCRATCH_MNT/edir/empty': No such file or directory +stat: cannot stat 'SCRATCH_MNT/edir/symlink': No such file or directory +8 +1 +Required key not available +SCRATCH_MNT/edir/newfile: Required key not available +SCRATCH_MNT/edir/0123456789abcdef: Required key not available +mkdir: cannot create directory 'SCRATCH_MNT/edir/newdir': Required key not available +mkdir: cannot create directory 'SCRATCH_MNT/edir/0123456789abcdef': Required key not available +ln: failed to create symbolic link 'SCRATCH_MNT/edir/newlink': Required key not available +ln: failed to create symbolic link 'SCRATCH_MNT/edir/0123456789abcdef': Required key not available +stat: cannot stat 'SCRATCH_MNT/edir': No such file or directory diff --git a/tests/generic/group b/tests/generic/group index a455c29..e218380 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -398,3 +398,4 @@ 393 auto quick rw 400 auto quick encrypt 401 auto quick encrypt +402 auto quick encrypt
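
Review bot: In tests/generic/402, the section that runs after `_unlink_encryption_key $keydesc` never reads a symlink target, although the comment above it says the unpredictability of encrypted filenames "applies to symlink targets" too. The only symlink check without the key is `stat $SCRATCH_MNT/edir/symlink`, which covers the name, not the target. Consider adding a readlink on one entry found with `find $SCRATCH_MNT/edir -maxdepth 1 -type l | head -1` and checking that the result is none of the plaintext targets created earlier (`a`, `abcdefghijklmnopqrstuvwxyz`, the 255-character name), so a target exposed in plaintext would fail the test. Separately, `md5sum $(find ... -type f | head -1)` falls back to reading stdin when find returns nothing; storing the path in a variable and failing explicitly when it is empty would avoid a hang in that case.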
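
Review bot: In tests/generic/402.out, the sixth expected line is a bare `Required key not available`, and the `8` and `1` above it are equally unlabelled, so a mismatch in the golden output does not say which check failed. The bare error line comes from `cut -d ' ' -f3-` in the test, which drops the `md5sum:` prefix together with the encrypted filename and depends on the exact spacing of the error message. Replacing only the unpredictable filename with a fixed placeholder (a sed filter, in the style of `filter_create_errors`) would keep the command name in the expected output, and an `echo` label before each `wc -l` count would do the same for the two numbers.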