From patchwork Mon Dec 5 19:21:08 2016
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9461393
From: Eric Biggers
To: fstests@vger.kernel.org
Cc: Theodore Ts'o, Jaegeuk Kim, Richard Weinberger, David Gstir, Michael Halcrow, Eric Biggers
Subject: [PATCH v3 5/6] generic: test enforcement of one encryption policy per tree
Date: Mon, 5 Dec 2016 11:21:08 -0800
Message-Id: <1480965669-39714-6-git-send-email-ebiggers@google.com>
X-Mailer: git-send-email 2.8.0.rc3.226.g39d4020
In-Reply-To: <1480965669-39714-1-git-send-email-ebiggers@google.com>
References: <1480965669-39714-1-git-send-email-ebiggers@google.com>
Sender: fstests-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: fstests@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Add an xfstest which partially verifies that the filesystem enforces that all files in an encrypted directory tree use the same encryption policy.

Signed-off-by: Eric Biggers
--- tests/generic/403 | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++ tests/generic/403.out | 34 +++++++++++++ tests/generic/group | 1 + 3 files changed, 165 insertions(+) create mode 100644 tests/generic/403 create mode 100644 tests/generic/403.out diff --git a/tests/generic/403 b/tests/generic/403 new file mode 100644 index 0000000..77427b8 --- /dev/null +++ b/tests/generic/403 
@@ -0,0 +1,130 @@ +#! /bin/bash +# FS QA Test generic/403 +# +# Filesystem encryption is designed to enforce that a consistent encryption +# policy is used within a given encrypted directory tree and that an encrypted +# directory tree does not contain any unencrypted files. This test verifies +# that filesystem operations that would violate this constraint fail with EPERM. +# This does not yet test enforcement of this constraint on lookup, which is +# needed to detect offline changes. +# +#----------------------------------------------------------------------- +# Copyright (c) 2016 Google, Inc. All Rights Reserved. +# +# Author: Eric Biggers +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- +# + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/encrypt +. 
./common/renameat2 + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs ext4 f2fs +_supported_os Linux +_require_xfs_io_command "set_encpolicy" +_require_scratch +_require_encryption +_requires_renameat2 + +_new_session_keyring +_scratch_mkfs_encrypted >> $seqres.full +_scratch_mount + +# Set up two encrypted directories, with different encryption policies, +# and one unencrypted directory. +edir1=$SCRATCH_MNT/edir1 +edir2=$SCRATCH_MNT/edir2 +udir=$SCRATCH_MNT/udir +mkdir $edir1 $edir2 $udir +keydesc1=$(_generate_encryption_key) +keydesc2=$(_generate_encryption_key) +$XFS_IO_PROG -c "set_encpolicy $keydesc1" $edir1 +$XFS_IO_PROG -c "set_encpolicy $keydesc2" $edir2 +touch $edir1/efile1 +touch $edir2/efile2 +touch $udir/ufile + +echo -e "\n*** Link encrypted <= encrypted ***" +ln $edir1/efile1 $edir2/efile1 |& _filter_scratch + +echo -e "\n*** Rename encrypted => encrypted ***" +mv $edir1/efile1 $edir2/efile1 |& _filter_scratch + +echo -e "\n*** Exchange encrypted <=> encrypted ***" +src/renameat2 -x $edir1/efile1 $edir2/efile2 |& _filter_scratch + + +echo -e "\n\n*** Link unencrypted <= encrypted ***" +ln $udir/ufile $edir1/ufile |& _filter_scratch + +echo -e "\n*** Rename unencrypted => encrypted ***" +mv $udir/ufile $edir1/ufile |& _filter_scratch + +echo -e "\n*** Exchange unencrypted <=> encrypted ***" +src/renameat2 -x $udir/ufile $edir1/efile1 |& _filter_scratch + + +echo -e "\n\n*** Link encrypted <= unencrypted ***" +ln -v $edir1/efile1 $udir/efile1 |& _filter_scratch # should succeed +rm $udir/efile1 # undo + +echo -e "\n*** Rename encrypted => unencrypted ***" +mv -v $edir1/efile1 $udir/efile1 |& _filter_scratch # should succeed +mv $udir/efile1 $edir1/efile1 # undo + +echo -e "\n*** Exchange encrypted <=> unencrypted ***" +src/renameat2 -x $edir1/efile1 $udir/ufile |& _filter_scratch + +# Now test the cases where we don't have access to the encryption keys. 
+ +_unlink_encryption_key $keydesc1 +_unlink_encryption_key $keydesc2 +_scratch_cycle_mount +efile1=$(find $edir1 -type f) +efile2=$(find $edir2 -type f) +echo + +# TODO: this currently succeeds. It should fail. Fix this kernel-side. +#echo -e "\n*** Exchange encrypted <=> encrypted without key ***" +#src/renameat2 -x $efile1 $efile2 + +echo -e "\n*** Exchange encrypted <=> unencrypted without key ***" +src/renameat2 -x $efile1 $udir/ufile + +# success, all done +status=0 +exit diff --git a/tests/generic/403.out b/tests/generic/403.out new file mode 100644 index 0000000..27ed8cb --- /dev/null +++ b/tests/generic/403.out @@ -0,0 +1,34 @@ +QA output created by 403 + +*** Link encrypted <= encrypted *** +ln: failed to create hard link 'SCRATCH_MNT/edir2/efile1' => 'SCRATCH_MNT/edir1/efile1': Operation not permitted + +*** Rename encrypted => encrypted *** +mv: cannot move 'SCRATCH_MNT/edir1/efile1' to 'SCRATCH_MNT/edir2/efile1': Operation not permitted + +*** Exchange encrypted <=> encrypted *** +Operation not permitted + + +*** Link unencrypted <= encrypted *** +ln: failed to create hard link 'SCRATCH_MNT/edir1/ufile' => 'SCRATCH_MNT/udir/ufile': Operation not permitted + +*** Rename unencrypted => encrypted *** +mv: cannot move 'SCRATCH_MNT/udir/ufile' to 'SCRATCH_MNT/edir1/ufile': Operation not permitted + +*** Exchange unencrypted <=> encrypted *** +Operation not permitted + + +*** Link encrypted <= unencrypted *** +'SCRATCH_MNT/udir/efile1' => 'SCRATCH_MNT/edir1/efile1' + +*** Rename encrypted => unencrypted *** +'SCRATCH_MNT/edir1/efile1' -> 'SCRATCH_MNT/udir/efile1' + +*** Exchange encrypted <=> unencrypted *** +Operation not permitted + + +*** Exchange encrypted <=> unencrypted without key *** +Operation not permitted diff --git a/tests/generic/group b/tests/generic/group index e218380..a0d6e84 100644 --- a/tests/generic/group +++ b/tests/generic/group 
@@ -399,3 +399,4 @@ 400 auto quick encrypt 401 auto quick encrypt 402 auto quick encrypt +403 auto quick encrypt
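Review bot: In tests/generic/403, the no-key section leaves the "Exchange encrypted <=> encrypted without key" case commented out behind a TODO that says it "currently succeeds" and "should fail", so the one case the patch itself identifies as not enforced produces no output and cannot regress or be noticed from the test results. Consider naming this gap in the header comment next to the existing remark about lookup, so it is clear the test does not cover it. In the same section, efile2 is assigned but only used by the commented-out command, and $efile1 comes from an unquoted, unchecked find; if find returns no path or several, src/renameat2 -x $efile1 $udir/ufile runs with the wrong arguments. A check that exactly one regular file was found in each directory would make a setup problem distinguishable from the EPERM the test expects.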
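Review bot: In tests/generic/403.out, the expected lines for the link and rename cases are the full messages printed by ln and mv (for example "ln: failed to create hard link ... Operation not permitted" and the -v lines using '=>' and '->'), so the golden output depends on the wording and quoting style of the installed userspace tools as well as on the EPERM the kernel returns. The exchange cases already avoid this, since src/renameat2 prints only "Operation not permitted". Consider filtering the ln and mv output down to the error string, or performing the link and rename through a helper that prints only the errno text, so the comparison reflects the filesystem's behaviour alone.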