[v3,6/9] generic: add test for non-root use of fscrypt API additions

Message ID 20191015181643.6519-7-ebiggers@kernel.org (mailing list archive)
State New, archived
Series: xfstests: add tests for fscrypt key management improvements

Commit Message

Eric Biggers Oct. 15, 2019, 6:16 p.m. UTC
From: Eric Biggers <ebiggers@google.com>

Test non-root use of the fscrypt filesystem-level encryption keyring and
v2 encryption policies.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 tests/generic/801     | 144 ++++++++++++++++++++++++++++++++++++++++++
 tests/generic/801.out |  62 ++++++++++++++++++
 tests/generic/group   |   1 +
 3 files changed, 207 insertions(+)
 create mode 100755 tests/generic/801
 create mode 100644 tests/generic/801.out

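The test below hard-codes `keyid` (69b2f6edeee720cce0577937eb8a6751) for a raw key consisting of the 64 bytes 0x01..0x40. As an added illustration that is not code from xfstests or from the kernel, the following Python derives a v2 key identifier from a raw master key the way the kernel's fscrypt documentation describes it: HKDF-SHA512 with an all-zero salt and an info string of "fscrypt\0" followed by the context byte 1, truncated to 16 bytes. The function and constant names are this script's own; the size limits mirror the kernel's 16..64 byte raw key range.

```python
import hashlib
import hmac

# Added example (not xfstests or kernel code). HKDF parameters follow the
# kernel's fs/crypto/hkdf.c: SHA-512, a zero salt of HASHLEN bytes, and an
# info prefix of "fscrypt\0" plus one context byte. Context 1 is the key
# identifier; other contexts derive per-file and per-mode keys.
HKDF_HASH = "sha512"
HKDF_HASHLEN = hashlib.sha512().digest_size          # 64
FSCRYPT_HKDF_PREFIX = b"fscrypt\0"
HKDF_CONTEXT_KEY_IDENTIFIER = 1
FSCRYPT_KEY_IDENTIFIER_SIZE = 16
FSCRYPT_MIN_KEY_SIZE = 16
FSCRYPT_MAX_KEY_SIZE = 64


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-SHA512(salt, IKM)."""
    return hmac.new(salt, ikm, HKDF_HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HKDF_HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def fscrypt_hkdf_expand(master_key: bytes, context: int, info: bytes, length: int) -> bytes:
    """HKDF-SHA512 as fscrypt applies it: zero salt, info = "fscrypt\\0" || context || info."""
    if not FSCRYPT_MIN_KEY_SIZE <= len(master_key) <= FSCRYPT_MAX_KEY_SIZE:
        raise ValueError("raw key must be %d..%d bytes" % (FSCRYPT_MIN_KEY_SIZE, FSCRYPT_MAX_KEY_SIZE))
    prk = hkdf_extract(bytes(HKDF_HASHLEN), master_key)
    return hkdf_expand(prk, FSCRYPT_HKDF_PREFIX + bytes([context]) + info, length)


def fscrypt_key_identifier(master_key: bytes) -> str:
    """Hex identifier that FS_IOC_ADD_ENCRYPTION_KEY reports for a v2 key."""
    return fscrypt_hkdf_expand(master_key, HKDF_CONTEXT_KEY_IDENTIFIER, b"",
                               FSCRYPT_KEY_IDENTIFIER_SIZE).hex()


# The test's raw key: bytes 0x01..0x40, as built by its `raw_key` loop.
TEST_RAW_KEY = bytes(range(1, 65))

if __name__ == "__main__":
    print(fscrypt_key_identifier(TEST_RAW_KEY))
```

The identifier is a one-way fingerprint of the key, which is why the policy containing it can be read back by anyone with access to the directory without leaking the key, and why the v2 test expects ENOKEY when a regular user tries to set a policy before adding the key: knowing the identifier proves nothing, so the kernel requires the user to have added the key itself.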
Comments

Murphy Zhou Jan. 19, 2020, 5:45 a.m. UTC | #1
Hi Eric,

On Tue, Oct 15, 2019 at 11:16:40AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Test non-root use of the fscrypt filesystem-level encryption keyring and
> v2 encryption policies.

This testcase now fails on latest Linus tree with latest e2fsprogs
on ext4:

FSTYP         -- ext4
PLATFORM      -- Linux/x86_64 dell-pesc430-01 5.4.0+ #1 SMP Mon Nov 25 16:40:55 EST 2019
MKFS_OPTIONS  -- /dev/sda3
MOUNT_OPTIONS -- -o acl,user_xattr -o context=system_u:object_r:nfs_t:s0 /dev/sda3 /mnt/xfstests/mnt2
generic/581	- output mismatch (see /var/lib/xfstests/results//generic/581.out.bad)
    --- tests/generic/581.out	2019-11-25 20:30:04.536051638 -0500
    +++ /var/lib/xfstests/results//generic/581.out.bad	2019-11-26 01:04:17.318332220 -0500
    @@ -33,7 +33,7 @@
     Added encryption key
     Added encryption key
     Added encryption key
    -Error adding encryption key: Disk quota exceeded
    +Added encryption key
     
     # Adding key as root
...

A rough look back shows that this probably started with your fscrypt
update for 5.5, which added support for IV_INO_LBLK_64 encryption policies.

I guess you are aware of this :-)

Thanks,
Murphy
Eric Biggers Jan. 19, 2020, 6:25 p.m. UTC | #2
On Sun, Jan 19, 2020 at 01:45:15PM +0800, Murphy Zhou wrote:
> Hi Eric,
> 
> On Tue, Oct 15, 2019 at 11:16:40AM -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > Test non-root use of the fscrypt filesystem-level encryption keyring and
> > v2 encryption policies.
> 
> This testcase now fails on latest Linus tree with latest e2fsprogs
> on ext4:
> 
> FSTYP         -- ext4
> PLATFORM      -- Linux/x86_64 dell-pesc430-01 5.4.0+ #1 SMP Mon Nov 25 16:40:55 EST 2019
> MKFS_OPTIONS  -- /dev/sda3
> MOUNT_OPTIONS -- -o acl,user_xattr -o context=system_u:object_r:nfs_t:s0 /dev/sda3 /mnt/xfstests/mnt2
> generic/581	- output mismatch (see /var/lib/xfstests/results//generic/581.out.bad)
>     --- tests/generic/581.out	2019-11-25 20:30:04.536051638 -0500
>     +++ /var/lib/xfstests/results//generic/581.out.bad	2019-11-26 01:04:17.318332220 -0500
>     @@ -33,7 +33,7 @@
>      Added encryption key
>      Added encryption key
>      Added encryption key
>     -Error adding encryption key: Disk quota exceeded
>     +Added encryption key
>      
>      # Adding key as root
> ...
> 
> A rough look back shows that this probably started with your fscrypt
> update for 5.5, which added support for IV_INO_LBLK_64 encryption policies.
> 
> I guess you are aware of this :-)
> 

Nope, this has been passing for me.  I don't see how this can have anything to
do with the fscrypt update for 5.5.  I'm guessing this is a race condition in
the test caused by the kernel's keyrings subsystem reclaiming the keys quota
asynchronously.  I'll see if I can find a way to reproduce it and make the test
more reliable.

- Eric
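The race described above comes down to when the user's quota count is read. As an added example, not part of the xfstests patch or of the kernel, the shell functions below read the number of keys charged against a user's quota from /proc/key-users (the same field the test's awk extracts) and wait for that number to stop changing before it is used as a baseline. The function names are this example's own; the /proc/key-users sample is constructed, not captured from a real system.

```shell
# Added example, not part of the xfstests patch or the kernel. The kernel
# returns key quota to a user only when its key garbage collector frees the
# key, which happens asynchronously after removal or keyring teardown, so a
# count taken once can still drop afterwards.
#
# /proc/key-users lines have the layout
#   UID:  usage  nkeys/nikeys  qnkeys/maxkeys  qnbytes/maxbytes
# The quota-relevant count is qnkeys, the left half of field 4.

# key_quota_used UID [FILE]
# Print qnkeys for UID (0 if the user has no entry). FILE defaults to
# /proc/key-users; a constructed copy may be passed for offline use.
key_quota_used() {
	uid=$1
	file=${2:-/proc/key-users}
	n=$(awk -v uid="$uid" '$1 == (uid ":") { split($4, q, "/"); print q[1] }' "$file")
	echo "${n:-0}"
}

# wait_key_quota_settle UID [FILE] [ROUNDS] [INTERVAL]
# Poll key_quota_used until two consecutive reads agree. Prints the settled
# count; returns 1 if it was still changing after ROUNDS polls (default 10)
# spaced INTERVAL seconds apart (default 1).
wait_key_quota_settle() {
	uid=$1
	file=${2:-/proc/key-users}
	rounds=${3:-10}
	interval=${4:-1}
	prev=$(key_quota_used "$uid" "$file")
	i=0
	while [ "$i" -lt "$rounds" ]; do
		sleep "$interval"
		cur=$(key_quota_used "$uid" "$file")
		if [ "$cur" = "$prev" ]; then
			echo "$cur"
			return 0
		fi
		prev=$cur
		i=$((i + 1))
	done
	echo "$prev"
	return 1
}

# Constructed sample in /proc/key-users layout (not output from any real
# system), so the functions can be exercised without root or a live kernel.
SAMPLE_KEY_USERS=$(mktemp)
trap 'rm -f "$SAMPLE_KEY_USERS"' EXIT
cat > "$SAMPLE_KEY_USERS" <<'EOF'
    0:    57 56/56 51/1000000 1140/25000000
 1000:     8 7/7 7/200 560/20000
EOF

# In a test the baseline would be taken right before the quota loop, e.g.
#   baseline=$(wait_key_quota_settle "$(id -u fsgqa)") || echo "quota still changing"
#   echo $((baseline + 5)) > /proc/sys/kernel/keys/maxkeys
key_quota_used 1000 "$SAMPLE_KEY_USERS"
```

Reading the baseline after the last key removal and cycle mount, and only once it has settled, removes the window in which keys freed by the garbage collector hand the user more headroom than the test budgeted for.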
Murphy Zhou Jan. 20, 2020, 2:20 a.m. UTC | #3
On Sun, Jan 19, 2020 at 10:25:42AM -0800, Eric Biggers wrote:
> On Sun, Jan 19, 2020 at 01:45:15PM +0800, Murphy Zhou wrote:
> > Hi Eric,
> > 
> > On Tue, Oct 15, 2019 at 11:16:40AM -0700, Eric Biggers wrote:
> > > From: Eric Biggers <ebiggers@google.com>
> > > 
> > > Test non-root use of the fscrypt filesystem-level encryption keyring and
> > > v2 encryption policies.
> > 
> > This testcase now fails on latest Linus tree with latest e2fsprogs
> > on ext4:
> > 
> > FSTYP         -- ext4
> > PLATFORM      -- Linux/x86_64 dell-pesc430-01 5.4.0+ #1 SMP Mon Nov 25 16:40:55 EST 2019
> > MKFS_OPTIONS  -- /dev/sda3
> > MOUNT_OPTIONS -- -o acl,user_xattr -o context=system_u:object_r:nfs_t:s0 /dev/sda3 /mnt/xfstests/mnt2
> > generic/581	- output mismatch (see /var/lib/xfstests/results//generic/581.out.bad)
> >     --- tests/generic/581.out	2019-11-25 20:30:04.536051638 -0500
> >     +++ /var/lib/xfstests/results//generic/581.out.bad	2019-11-26 01:04:17.318332220 -0500
> >     @@ -33,7 +33,7 @@
> >      Added encryption key
> >      Added encryption key
> >      Added encryption key
> >     -Error adding encryption key: Disk quota exceeded
> >     +Added encryption key
> >      
> >      # Adding key as root
> > ...
> > 
> > A rough look back shows that this probably started with your fscrypt
> > update for 5.5, which added support for IV_INO_LBLK_64 encryption policies.
> > 
> > I guess you are aware of this :-)
> > 
> 
> Nope, this has been passing for me.  I don't see how this can have anything to
> do with the fscrypt update for 5.5.  I'm guessing this is a race condition in
> the test caused by the kernel's keyrings subsystem reclaiming the keys quota
> asynchronously.  I'll see if I can find a way to reproduce it and make the test
> more reliable.

OK, thanks for the info. I'll try to bisect.

> 
> - Eric
>
Eric Biggers Jan. 29, 2020, 12:45 a.m. UTC | #4
On Mon, Jan 20, 2020 at 10:20:57AM +0800, Murphy Zhou wrote:
> On Sun, Jan 19, 2020 at 10:25:42AM -0800, Eric Biggers wrote:
> > On Sun, Jan 19, 2020 at 01:45:15PM +0800, Murphy Zhou wrote:
> > > Hi Eric,
> > > 
> > > On Tue, Oct 15, 2019 at 11:16:40AM -0700, Eric Biggers wrote:
> > > > From: Eric Biggers <ebiggers@google.com>
> > > > 
> > > > Test non-root use of the fscrypt filesystem-level encryption keyring and
> > > > v2 encryption policies.
> > > 
> > > This testcase now fails on latest Linus tree with latest e2fsprogs
> > > on ext4:
> > > 
> > > FSTYP         -- ext4
> > > PLATFORM      -- Linux/x86_64 dell-pesc430-01 5.4.0+ #1 SMP Mon Nov 25 16:40:55 EST 2019
> > > MKFS_OPTIONS  -- /dev/sda3
> > > MOUNT_OPTIONS -- -o acl,user_xattr -o context=system_u:object_r:nfs_t:s0 /dev/sda3 /mnt/xfstests/mnt2
> > > generic/581	- output mismatch (see /var/lib/xfstests/results//generic/581.out.bad)
> > >     --- tests/generic/581.out	2019-11-25 20:30:04.536051638 -0500
> > >     +++ /var/lib/xfstests/results//generic/581.out.bad	2019-11-26 01:04:17.318332220 -0500
> > >     @@ -33,7 +33,7 @@
> > >      Added encryption key
> > >      Added encryption key
> > >      Added encryption key
> > >     -Error adding encryption key: Disk quota exceeded
> > >     +Added encryption key
> > >      
> > >      # Adding key as root
> > > ...
> > > 
> > > A rough look back shows that this probably started with your fscrypt
> > > update for 5.5, which added support for IV_INO_LBLK_64 encryption policies.
> > > 
> > > I guess you are aware of this :-)
> > > 
> > 
> > Nope, this has been passing for me.  I don't see how this can have anything to
> > do with the fscrypt update for 5.5.  I'm guessing this is a race condition in
> > the test caused by the kernel's keyrings subsystem reclaiming the keys quota
> > asynchronously.  I'll see if I can find a way to reproduce it and make the test
> > more reliable.
> 
> OK, thanks for the info. I'll try to bisect.
> 

Can you check whether the test passes reliably for you if you apply
https://lkml.kernel.org/fstests/20200129004251.133747-1-ebiggers@kernel.org/?

Thanks,

- Eric
Patch

diff --git a/tests/generic/801 b/tests/generic/801
new file mode 100755
index 00000000..c759ec94
--- /dev/null
+++ b/tests/generic/801
@@ -0,0 +1,144 @@ 
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2019 Google LLC
+#
+# FS QA Test generic/801
+#
+# Test non-root use of the fscrypt filesystem-level encryption keyring
+# and v2 encryption policies.
+#
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+echo
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+orig_maxkeys=
+
+_cleanup()
+{
+	cd /
+	rm -f $tmp.*
+	if [ -n "$orig_maxkeys" ]; then
+		echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys
+	fi
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/encrypt
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+_require_user
+_require_scratch_encryption -v 2
+
+_scratch_mkfs_encrypted &>> $seqres.full
+_scratch_mount
+
+# Set the fsgqa user's key quota to their current number of keys plus 5.
+orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1")
+: ${orig_keys:=0}
+echo "orig_keys=$orig_keys" >> $seqres.full
+orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys)
+keys_to_add=5
+echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys
+
+dir=$SCRATCH_MNT/dir
+
+raw_key=""
+for i in `seq 64`; do
+	raw_key+="\\x$(printf "%02x" $i)"
+done
+keydesc="0000111122223333"
+keyid="69b2f6edeee720cce0577937eb8a6751"
+chmod 777 $SCRATCH_MNT
+
+_user_do "mkdir $dir"
+
+echo "# Setting v1 policy as regular user (should succeed)"
+_user_do_set_encpolicy $dir $keydesc
+
+echo "# Getting v1 policy as regular user (should succeed)"
+_user_do_get_encpolicy $dir | _filter_scratch
+
+echo "# Adding v1 policy key as regular user (should fail with EACCES)"
+_user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc
+
+rm -rf $dir
+echo
+_user_do "mkdir $dir"
+
+echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)"
+_user_do_set_encpolicy $dir $keyid |& _filter_scratch
+
+echo "# Adding v2 policy key as regular user (should succeed)"
+_user_do_add_enckey $SCRATCH_MNT "$raw_key"
+
+echo "# Setting v2 policy as regular user with key added (should succeed)"
+_user_do_set_encpolicy $dir $keyid
+
+echo "# Getting v2 policy as regular user (should succeed)"
+_user_do_get_encpolicy $dir | _filter_scratch
+
+echo "# Creating encrypted file as regular user (should succeed)"
+_user_do "echo contents > $dir/file"
+
+echo "# Removing v2 policy key as regular user (should succeed)"
+_user_do_rm_enckey $SCRATCH_MNT $keyid
+
+_scratch_cycle_mount	# Clear all keys
+
+echo
+echo "# Testing user key quota"
+for i in `seq $((keys_to_add + 1))`; do
+	rand_raw_key=$(_generate_raw_encryption_key)
+	_user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \
+	    | sed 's/ with identifier .*$//'
+done
+
+rm -rf $dir
+echo
+_user_do "mkdir $dir"
+_scratch_cycle_mount	# Clear all keys
+
+# Test multiple users adding the same key.
+echo "# Adding key as root"
+_add_enckey $SCRATCH_MNT "$raw_key"
+echo "# Getting key status as regular user"
+_user_do_enckey_status $SCRATCH_MNT $keyid
+echo "# Removing key only added by another user (should fail with ENOKEY)"
+_user_do_rm_enckey $SCRATCH_MNT $keyid
+echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)"
+_user_do_set_encpolicy $dir $keyid |& _filter_scratch
+echo "# Adding second user of key"
+_user_do_add_enckey $SCRATCH_MNT "$raw_key"
+echo "# Getting key status as regular user"
+_user_do_enckey_status $SCRATCH_MNT $keyid
+echo "# Setting v2 encryption policy as regular user"
+_user_do_set_encpolicy $dir $keyid
+echo "# Removing this user's claim to the key"
+_user_do_rm_enckey $SCRATCH_MNT $keyid
+echo "# Getting key status as regular user"
+_user_do_enckey_status $SCRATCH_MNT $keyid
+echo "# Adding back second user of key"
+_user_do_add_enckey $SCRATCH_MNT "$raw_key"
+echo "# Remove key for \"all users\", as regular user (should fail with EACCES)"
+_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch
+_enckey_status $SCRATCH_MNT $keyid
+echo "# Remove key for \"all users\", as root"
+_rm_enckey $SCRATCH_MNT $keyid -a
+_enckey_status $SCRATCH_MNT $keyid
+
+# success, all done
+status=0
+exit
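Review bot: the quota baseline `orig_keys` is read from /proc/key-users once, before the v1/v2 policy section, but that section adds and removes fsgqa's keys (`_user_do_add_enckey`, `_user_do_rm_enckey`, then `_scratch_cycle_mount`), and the keyrings subsystem only returns quota when its garbage collector frees a key, so by the time the `# Testing user key quota` loop runs the user's charged count may be lower than `orig_keys`; if it is, all `keys_to_add + 1` adds succeed and the expected "Disk quota exceeded" line never appears, which matches the `.out.bad` diff reported in this thread. Read the baseline immediately before the loop, after the `_scratch_cycle_mount` that clears keys, and wait for the /proc/key-users count to stop changing before writing `maxkeys`. Separately, the awk pattern hard-codes `fsgqa` while `_require_user` and `_user_do` work with `$qa_user`; `$(id -u $qa_user)` keeps the two in step.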
diff --git a/tests/generic/801.out b/tests/generic/801.out
new file mode 100644
index 00000000..b5b6cec8
--- /dev/null
+++ b/tests/generic/801.out
@@ -0,0 +1,62 @@ 
+QA output created by 801
+
+# Setting v1 policy as regular user (should succeed)
+# Getting v1 policy as regular user (should succeed)
+Encryption policy for SCRATCH_MNT/dir:
+	Policy version: 0
+	Master key descriptor: 0000111122223333
+	Contents encryption mode: 1 (AES-256-XTS)
+	Filenames encryption mode: 4 (AES-256-CTS)
+	Flags: 0x02
+# Adding v1 policy key as regular user (should fail with EACCES)
+Permission denied
+
+# Setting v2 policy as regular user without key already added (should fail with ENOKEY)
+SCRATCH_MNT/dir: failed to set encryption policy: Required key not available
+# Adding v2 policy key as regular user (should succeed)
+Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
+# Setting v2 policy as regular user with key added (should succeed)
+# Getting v2 policy as regular user (should succeed)
+Encryption policy for SCRATCH_MNT/dir:
+	Policy version: 2
+	Master key identifier: 69b2f6edeee720cce0577937eb8a6751
+	Contents encryption mode: 1 (AES-256-XTS)
+	Filenames encryption mode: 4 (AES-256-CTS)
+	Flags: 0x02
+# Creating encrypted file as regular user (should succeed)
+# Removing v2 policy key as regular user (should succeed)
+Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
+
+# Testing user key quota
+Added encryption key
+Added encryption key
+Added encryption key
+Added encryption key
+Added encryption key
+Error adding encryption key: Disk quota exceeded
+
+# Adding key as root
+Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
+# Getting key status as regular user
+Present (user_count=1)
+# Removing key only added by another user (should fail with ENOKEY)
+Error removing encryption key: Required key not available
+# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)
+SCRATCH_MNT/dir: failed to set encryption policy: Required key not available
+# Adding second user of key
+Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
+# Getting key status as regular user
+Present (user_count=2, added_by_self)
+# Setting v2 encryption policy as regular user
+# Removing this user's claim to the key
+Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
+# Getting key status as regular user
+Present (user_count=1)
+# Adding back second user of key
+Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
+# Remove key for "all users", as regular user (should fail with EACCES)
+Permission denied
+Present (user_count=2, added_by_self)
+# Remove key for "all users", as root
+Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751
+Absent
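Review bot: the expected v1 output reads `Policy version: 0` under a heading that calls it a "v1 policy"; that is correct, since the v1 policy struct carries version number 0, but it is surprising enough that a one-line comment next to the v1 `_user_do_set_encpolicy` call in the test should say so. Also, every line of the `# Testing user key quota` section except the last is the identical `Added encryption key`, so a failure there gives no indication of which add unexpectedly succeeded; since the identifier is already stripped by the `sed` in the test, prefixing each line with the loop counter would make a `.out.bad` diff like the one posted in this thread show exactly where the quota stopped applying.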
diff --git a/tests/generic/group b/tests/generic/group
index cf2240ec..6d1ecf5a 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -582,3 +582,4 @@ 
 577 auto quick verity
 578 auto quick rw clone
 800 auto quick encrypt
+801 auto quick encrypt
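Review bot: `801` is a placeholder number (the failure report in this thread refers to the same test as generic/581), so when the test is assigned its final number this group entry, the `FS QA Test generic/801` header in the script and the `QA output created by 801` line in the `.out` file must all change together; the script prints `QA output created by $seq` from its own basename, so a stale `.out` header alone is enough to make the test fail its output comparison.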