Message ID | 20191015181643.6519-7-ebiggers@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | xfstests: add tests for fscrypt key management improvements | expand |
Hi Eric, On Tue, Oct 15, 2019 at 11:16:40AM -0700, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Test non-root use of the fscrypt filesystem-level encryption keyring and > v2 encryption policies. This testcase now fails on latest Linus tree with latest e2fsprogs on ext4: FSTYP -- ext4 PLATFORM -- Linux/x86_64 dell-pesc430-01 5.4.0+ #1 SMP Mon Nov 25 16:40:55 EST 2019 MKFS_OPTIONS -- /dev/sda3 MOUNT_OPTIONS -- -o acl,user_xattr -o context=system_u:object_r:nfs_t:s0 /dev/sda3 /mnt/xfstests/mnt2 generic/581 - output mismatch (see /var/lib/xfstests/results//generic/581.out.bad) --- tests/generic/581.out 2019-11-25 20:30:04.536051638 -0500 +++ /var/lib/xfstests/results//generic/581.out.bad 2019-11-26 01:04:17.318332220 -0500 @@ -33,7 +33,7 @@ Added encryption key Added encryption key Added encryption key -Error adding encryption key: Disk quota exceeded +Added encryption key # Adding key as root ... A rough looking back shows that this probably started since your fscrypt update for 5.5, added support for IV_INO_LBLK_64 encryption policies. I guess you are aware of this :-) Thanks, Murphy > > Signed-off-by: Eric Biggers <ebiggers@google.com> > --- > tests/generic/801 | 144 ++++++++++++++++++++++++++++++++++++++++++ > tests/generic/801.out | 62 ++++++++++++++++++ > tests/generic/group | 1 + > 3 files changed, 207 insertions(+) > create mode 100755 tests/generic/801 > create mode 100644 tests/generic/801.out > > diff --git a/tests/generic/801 b/tests/generic/801 > new file mode 100755 > index 00000000..c759ec94 > --- /dev/null > +++ b/tests/generic/801 > @@ -0,0 +1,144 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright 2019 Google LLC > +# > +# FS QA Test generic/801 > +# > +# Test non-root use of the fscrypt filesystem-level encryption keyring > +# and v2 encryption policies. > +# > + > +seq=`basename $0` > +seqres=$RESULT_DIR/$seq > +echo "QA output created by $seq" > +echo > + > +here=`pwd` > +tmp=/tmp/$$ > +status=1 # failure is the default! > +trap "_cleanup; exit \$status" 0 1 2 3 15 > +orig_maxkeys= > + > +_cleanup() > +{ > + cd / > + rm -f $tmp.* > + if [ -n "$orig_maxkeys" ]; then > + echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys > + fi > +} > + > +# get standard environment, filters and checks > +. ./common/rc > +. ./common/filter > +. ./common/encrypt > + > +# remove previous $seqres.full before test > +rm -f $seqres.full > + > +# real QA test starts here > +_supported_fs generic > +_supported_os Linux > +_require_user > +_require_scratch_encryption -v 2 > + > +_scratch_mkfs_encrypted &>> $seqres.full > +_scratch_mount > + > +# Set the fsgqa user's key quota to their current number of keys plus 5. > +orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") > +: ${orig_keys:=0} > +echo "orig_keys=$orig_keys" >> $seqres.full > +orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys) > +keys_to_add=5 > +echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys > + > +dir=$SCRATCH_MNT/dir > + > +raw_key="" > +for i in `seq 64`; do > + raw_key+="\\x$(printf "%02x" $i)" > +done > +keydesc="0000111122223333" > +keyid="69b2f6edeee720cce0577937eb8a6751" > +chmod 777 $SCRATCH_MNT > + > +_user_do "mkdir $dir" > + > +echo "# Setting v1 policy as regular user (should succeed)" > +_user_do_set_encpolicy $dir $keydesc > + > +echo "# Getting v1 policy as regular user (should succeed)" > +_user_do_get_encpolicy $dir | _filter_scratch > + > +echo "# Adding v1 policy key as regular user (should fail with EACCES)" > +_user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc > + > +rm -rf $dir > +echo > +_user_do "mkdir $dir" > + > +echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" > +_user_do_set_encpolicy $dir $keyid |& _filter_scratch > + > +echo "# Adding v2 policy key as regular user (should succeed)" > +_user_do_add_enckey $SCRATCH_MNT "$raw_key" > + > +echo "# Setting v2 policy as regular user with key added (should succeed)" > +_user_do_set_encpolicy $dir $keyid > + > +echo "# Getting v2 policy as regular user (should succeed)" > +_user_do_get_encpolicy $dir | _filter_scratch > + > +echo "# Creating encrypted file as regular user (should succeed)" > +_user_do "echo contents > $dir/file" > + > +echo "# Removing v2 policy key as regular user (should succeed)" > +_user_do_rm_enckey $SCRATCH_MNT $keyid > + > +_scratch_cycle_mount # Clear all keys > + > +echo > +echo "# Testing user key quota" > +for i in `seq $((keys_to_add + 1))`; do > + rand_raw_key=$(_generate_raw_encryption_key) > + _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ > + | sed 's/ with identifier .*$//' > +done > + > +rm -rf $dir > +echo > +_user_do "mkdir $dir" > +_scratch_cycle_mount # Clear all keys > + > +# Test multiple users adding the same key. > +echo "# Adding key as root" > +_add_enckey $SCRATCH_MNT "$raw_key" > +echo "# Getting key status as regular user" > +_user_do_enckey_status $SCRATCH_MNT $keyid > +echo "# Removing key only added by another user (should fail with ENOKEY)" > +_user_do_rm_enckey $SCRATCH_MNT $keyid > +echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" > +_user_do_set_encpolicy $dir $keyid |& _filter_scratch > +echo "# Adding second user of key" > +_user_do_add_enckey $SCRATCH_MNT "$raw_key" > +echo "# Getting key status as regular user" > +_user_do_enckey_status $SCRATCH_MNT $keyid > +echo "# Setting v2 encryption policy as regular user" > +_user_do_set_encpolicy $dir $keyid > +echo "# Removing this user's claim to the key" > +_user_do_rm_enckey $SCRATCH_MNT $keyid > +echo "# Getting key status as regular user" > +_user_do_enckey_status $SCRATCH_MNT $keyid > +echo "# Adding back second user of key" > +_user_do_add_enckey $SCRATCH_MNT "$raw_key" > +echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" > +_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch > +_enckey_status $SCRATCH_MNT $keyid > +echo "# Remove key for \"all users\", as root" > +_rm_enckey $SCRATCH_MNT $keyid -a > +_enckey_status $SCRATCH_MNT $keyid > + > +# success, all done > +status=0 > +exit > diff --git a/tests/generic/801.out b/tests/generic/801.out > new file mode 100644 > index 00000000..b5b6cec8 > --- /dev/null > +++ b/tests/generic/801.out > @@ -0,0 +1,62 @@ > +QA output created by 801 > + > +# Setting v1 policy as regular user (should succeed) > +# Getting v1 policy as regular user (should succeed) > +Encryption policy for SCRATCH_MNT/dir: > + Policy version: 0 > + Master key descriptor: 0000111122223333 > + Contents encryption mode: 1 (AES-256-XTS) > + Filenames encryption mode: 4 (AES-256-CTS) > + Flags: 0x02 > +# Adding v1 policy key as regular user (should fail with EACCES) > +Permission denied > + > +# Setting v2 policy as regular user without key already added (should fail with ENOKEY) > +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available > +# Adding v2 policy key as regular user (should succeed) > +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 > +# Setting v2 policy as regular user with key added (should succeed) > +# Getting v2 policy as regular user (should succeed) > +Encryption policy for SCRATCH_MNT/dir: > + Policy version: 2 > + Master key identifier: 69b2f6edeee720cce0577937eb8a6751 > + Contents encryption mode: 1 (AES-256-XTS) > + Filenames encryption mode: 4 (AES-256-CTS) > + Flags: 0x02 > +# Creating encrypted file as regular user (should succeed) > +# Removing v2 policy key as regular user (should succeed) > +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 > + > +# Testing user key quota > +Added encryption key > +Added encryption key > +Added encryption key > +Added encryption key > +Added encryption key > +Error adding encryption key: Disk quota exceeded > + > +# Adding key as root > +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 > +# Getting key status as regular user > +Present (user_count=1) > +# Removing key only added by another user (should fail with ENOKEY) > +Error removing encryption key: Required key not available > +# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) > +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available > +# Adding second user of key > +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 > +# Getting key status as regular user > +Present (user_count=2, added_by_self) > +# Setting v2 encryption policy as regular user > +# Removing this user's claim to the key > +Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 > +# Getting key status as regular user > +Present (user_count=1) > +# Adding back second user of key > +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 > +# Remove key for "all users", as regular user (should fail with EACCES) > +Permission denied > +Present (user_count=2, added_by_self) > +# Remove key for "all users", as root > +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 > +Absent > diff --git a/tests/generic/group b/tests/generic/group > index cf2240ec..6d1ecf5a 100644 > --- a/tests/generic/group > +++ b/tests/generic/group > @@ -582,3 +582,4 @@ > 577 auto quick verity > 578 auto quick rw clone > 800 auto quick encrypt > +801 auto quick encrypt > -- > 2.23.0.700.g56cf767bdb-goog >
On Sun, Jan 19, 2020 at 01:45:15PM +0800, Murphy Zhou wrote: > Hi Eric, > > On Tue, Oct 15, 2019 at 11:16:40AM -0700, Eric Biggers wrote: > > From: Eric Biggers <ebiggers@google.com> > > > > Test non-root use of the fscrypt filesystem-level encryption keyring and > > v2 encryption policies. > > This testcase now fails on latest Linus tree with latest e2fsprogs > on ext4: > > FSTYP -- ext4 > PLATFORM -- Linux/x86_64 dell-pesc430-01 5.4.0+ #1 SMP Mon Nov 25 16:40:55 EST 2019 > MKFS_OPTIONS -- /dev/sda3 > MOUNT_OPTIONS -- -o acl,user_xattr -o context=system_u:object_r:nfs_t:s0 /dev/sda3 /mnt/xfstests/mnt2 > generic/581 - output mismatch (see /var/lib/xfstests/results//generic/581.out.bad) > --- tests/generic/581.out 2019-11-25 20:30:04.536051638 -0500 > +++ /var/lib/xfstests/results//generic/581.out.bad 2019-11-26 01:04:17.318332220 -0500 > @@ -33,7 +33,7 @@ > Added encryption key > Added encryption key > Added encryption key > -Error adding encryption key: Disk quota exceeded > +Added encryption key > > # Adding key as root > ... > > A rough looking back shows that this probably started since your fscrypt > update for 5.5, added support for IV_INO_LBLK_64 encryption policies. > > I guess you are aware of this :-) > Nope, this has been passing for me. I don't see how this can have anything to do with the fscrypt update for 5.5. I'm guessing this is a race condition in the test caused by the kernel's keyrings subsystem reclaiming the keys quota asynchronously. I'll see if I can find a way to reproduce it and make the test more reliable. - Eric
On Sun, Jan 19, 2020 at 10:25:42AM -0800, Eric Biggers wrote: > On Sun, Jan 19, 2020 at 01:45:15PM +0800, Murphy Zhou wrote: > > Hi Eric, > > > > On Tue, Oct 15, 2019 at 11:16:40AM -0700, Eric Biggers wrote: > > > From: Eric Biggers <ebiggers@google.com> > > > > > > Test non-root use of the fscrypt filesystem-level encryption keyring and > > > v2 encryption policies. > > > > This testcase now fails on latest Linus tree with latest e2fsprogs > > on ext4: > > > > FSTYP -- ext4 > > PLATFORM -- Linux/x86_64 dell-pesc430-01 5.4.0+ #1 SMP Mon Nov 25 16:40:55 EST 2019 > > MKFS_OPTIONS -- /dev/sda3 > > MOUNT_OPTIONS -- -o acl,user_xattr -o context=system_u:object_r:nfs_t:s0 /dev/sda3 /mnt/xfstests/mnt2 > > generic/581 - output mismatch (see /var/lib/xfstests/results//generic/581.out.bad) > > --- tests/generic/581.out 2019-11-25 20:30:04.536051638 -0500 > > +++ /var/lib/xfstests/results//generic/581.out.bad 2019-11-26 01:04:17.318332220 -0500 > > @@ -33,7 +33,7 @@ > > Added encryption key > > Added encryption key > > Added encryption key > > -Error adding encryption key: Disk quota exceeded > > +Added encryption key > > > > # Adding key as root > > ... > > > > A rough looking back shows that this probably started since your fscrypt > > update for 5.5, added support for IV_INO_LBLK_64 encryption policies. > > > > I guess you are aware of this :-) > > > > Nope, this has been passing for me. I don't see how this can have anything to > do with the fscrypt update for 5.5. I'm guessing this is a race condition in > the test caused by the kernel's keyrings subsystem reclaiming the keys quota > asynchronously. I'll see if I can find a way to reproduce it and make the test > more reliable. OK, Thanks for the info. I'll try to bisect. > > - Eric >
On Mon, Jan 20, 2020 at 10:20:57AM +0800, Murphy Zhou wrote: > On Sun, Jan 19, 2020 at 10:25:42AM -0800, Eric Biggers wrote: > > On Sun, Jan 19, 2020 at 01:45:15PM +0800, Murphy Zhou wrote: > > > Hi Eric, > > > > > > On Tue, Oct 15, 2019 at 11:16:40AM -0700, Eric Biggers wrote: > > > > From: Eric Biggers <ebiggers@google.com> > > > > > > > > Test non-root use of the fscrypt filesystem-level encryption keyring and > > > > v2 encryption policies. > > > > > > This testcase now fails on latest Linus tree with latest e2fsprogs > > > on ext4: > > > > > > FSTYP -- ext4 > > > PLATFORM -- Linux/x86_64 dell-pesc430-01 5.4.0+ #1 SMP Mon Nov 25 16:40:55 EST 2019 > > > MKFS_OPTIONS -- /dev/sda3 > > > MOUNT_OPTIONS -- -o acl,user_xattr -o context=system_u:object_r:nfs_t:s0 /dev/sda3 /mnt/xfstests/mnt2 > > > generic/581 - output mismatch (see /var/lib/xfstests/results//generic/581.out.bad) > > > --- tests/generic/581.out 2019-11-25 20:30:04.536051638 -0500 > > > +++ /var/lib/xfstests/results//generic/581.out.bad 2019-11-26 01:04:17.318332220 -0500 > > > @@ -33,7 +33,7 @@ > > > Added encryption key > > > Added encryption key > > > Added encryption key > > > -Error adding encryption key: Disk quota exceeded > > > +Added encryption key > > > > > > # Adding key as root > > > ... > > > > > > A rough looking back shows that this probably started since your fscrypt > > > update for 5.5, added support for IV_INO_LBLK_64 encryption policies. > > > > > > I guess you are aware of this :-) > > > > > > > Nope, this has been passing for me. I don't see how this can have anything to > > do with the fscrypt update for 5.5. I'm guessing this is a race condition in > > the test caused by the kernel's keyrings subsystem reclaiming the keys quota > > asynchronously. I'll see if I can find a way to reproduce it and make the test > > more reliable. > > OK, Thanks for the info. I'll try to bisect. > Can you check whether the test passes reliably for you if you apply https://lkml.kernel.org/fstests/20200129004251.133747-1-ebiggers@kernel.org/? Thanks, - Eric
diff --git a/tests/generic/801 b/tests/generic/801 new file mode 100755 index 00000000..c759ec94 --- /dev/null +++ b/tests/generic/801 @@ -0,0 +1,144 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright 2019 Google LLC +# +# FS QA Test generic/801 +# +# Test non-root use of the fscrypt filesystem-level encryption keyring +# and v2 encryption policies. +# + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" +echo + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 +orig_maxkeys= + +_cleanup() +{ + cd / + rm -f $tmp.* + if [ -n "$orig_maxkeys" ]; then + echo "$orig_maxkeys" > /proc/sys/kernel/keys/maxkeys + fi +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. ./common/encrypt + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_user +_require_scratch_encryption -v 2 + +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount + +# Set the fsgqa user's key quota to their current number of keys plus 5. +orig_keys=$(_user_do "awk '/^[[:space:]]*$(id -u fsgqa):/{print \$4}' /proc/key-users | cut -d/ -f1") +: ${orig_keys:=0} +echo "orig_keys=$orig_keys" >> $seqres.full +orig_maxkeys=$(</proc/sys/kernel/keys/maxkeys) +keys_to_add=5 +echo $((orig_keys + keys_to_add)) > /proc/sys/kernel/keys/maxkeys + +dir=$SCRATCH_MNT/dir + +raw_key="" +for i in `seq 64`; do + raw_key+="\\x$(printf "%02x" $i)" +done +keydesc="0000111122223333" +keyid="69b2f6edeee720cce0577937eb8a6751" +chmod 777 $SCRATCH_MNT + +_user_do "mkdir $dir" + +echo "# Setting v1 policy as regular user (should succeed)" +_user_do_set_encpolicy $dir $keydesc + +echo "# Getting v1 policy as regular user (should succeed)" +_user_do_get_encpolicy $dir | _filter_scratch + +echo "# Adding v1 policy key as regular user (should fail with EACCES)" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" -d $keydesc + +rm -rf $dir +echo +_user_do "mkdir $dir" + +echo "# Setting v2 policy as regular user without key already added (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch + +echo "# Adding v2 policy key as regular user (should succeed)" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" + +echo "# Setting v2 policy as regular user with key added (should succeed)" +_user_do_set_encpolicy $dir $keyid + +echo "# Getting v2 policy as regular user (should succeed)" +_user_do_get_encpolicy $dir | _filter_scratch + +echo "# Creating encrypted file as regular user (should succeed)" +_user_do "echo contents > $dir/file" + +echo "# Removing v2 policy key as regular user (should succeed)" +_user_do_rm_enckey $SCRATCH_MNT $keyid + +_scratch_cycle_mount # Clear all keys + +echo +echo "# Testing user key quota" +for i in `seq $((keys_to_add + 1))`; do + rand_raw_key=$(_generate_raw_encryption_key) + _user_do_add_enckey $SCRATCH_MNT "$rand_raw_key" \ + | sed 's/ with identifier .*$//' +done + +rm -rf $dir +echo +_user_do "mkdir $dir" +_scratch_cycle_mount # Clear all keys + +# Test multiple users adding the same key. +echo "# Adding key as root" +_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Removing key only added by another user (should fail with ENOKEY)" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY)" +_user_do_set_encpolicy $dir $keyid |& _filter_scratch +echo "# Adding second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Setting v2 encryption policy as regular user" +_user_do_set_encpolicy $dir $keyid +echo "# Removing this user's claim to the key" +_user_do_rm_enckey $SCRATCH_MNT $keyid +echo "# Getting key status as regular user" +_user_do_enckey_status $SCRATCH_MNT $keyid +echo "# Adding back second user of key" +_user_do_add_enckey $SCRATCH_MNT "$raw_key" +echo "# Remove key for \"all users\", as regular user (should fail with EACCES)" +_user_do_rm_enckey $SCRATCH_MNT $keyid -a |& _filter_scratch +_enckey_status $SCRATCH_MNT $keyid +echo "# Remove key for \"all users\", as root" +_rm_enckey $SCRATCH_MNT $keyid -a +_enckey_status $SCRATCH_MNT $keyid + +# success, all done +status=0 +exit diff --git a/tests/generic/801.out b/tests/generic/801.out new file mode 100644 index 00000000..b5b6cec8 --- /dev/null +++ b/tests/generic/801.out @@ -0,0 +1,62 @@ +QA output created by 801 + +# Setting v1 policy as regular user (should succeed) +# Getting v1 policy as regular user (should succeed) +Encryption policy for SCRATCH_MNT/dir: + Policy version: 0 + Master key descriptor: 0000111122223333 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 +# Adding v1 policy key as regular user (should fail with EACCES) +Permission denied + +# Setting v2 policy as regular user without key already added (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding v2 policy key as regular user (should succeed) +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Setting v2 policy as regular user with key added (should succeed) +# Getting v2 policy as regular user (should succeed) +Encryption policy for SCRATCH_MNT/dir: + Policy version: 2 + Master key identifier: 69b2f6edeee720cce0577937eb8a6751 + Contents encryption mode: 1 (AES-256-XTS) + Filenames encryption mode: 4 (AES-256-CTS) + Flags: 0x02 +# Creating encrypted file as regular user (should succeed) +# Removing v2 policy key as regular user (should succeed) +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 + +# Testing user key quota +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Added encryption key +Error adding encryption key: Disk quota exceeded + +# Adding key as root +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Removing key only added by another user (should fail with ENOKEY) +Error removing encryption key: Required key not available +# Setting v2 encryption policy with key only added by another user (should fail with ENOKEY) +SCRATCH_MNT/dir: failed to set encryption policy: Required key not available +# Adding second user of key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=2, added_by_self) +# Setting v2 encryption policy as regular user +# Removing this user's claim to the key +Removed user's claim to encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Getting key status as regular user +Present (user_count=1) +# Adding back second user of key +Added encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +# Remove key for "all users", as regular user (should fail with EACCES) +Permission denied +Present (user_count=2, added_by_self) +# Remove key for "all users", as root +Removed encryption key with identifier 69b2f6edeee720cce0577937eb8a6751 +Absent diff --git a/tests/generic/group b/tests/generic/group index cf2240ec..6d1ecf5a 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -582,3 +582,4 @@ 577 auto quick verity 578 auto quick rw clone 800 auto quick encrypt +801 auto quick encrypt