Re: [PATCH v3 5/6] generic: test enforcement of one encryption policy per tree

[Eryu Guan <eguan@redhat.com>]

On Mon, Dec 05, 2016 at 11:21:08AM -0800, Eric Biggers wrote:
> Add an xfstest which partially verifies that the filesystem enforces
> that all files in an encrypted directory tree use the same encryption
> policy.
> 
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  tests/generic/403     | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++
>  tests/generic/403.out |  34 +++++++++++++
>  tests/generic/group   |   1 +
>  3 files changed, 165 insertions(+)
>  create mode 100644 tests/generic/403
>  create mode 100644 tests/generic/403.out
> 
> diff --git a/tests/generic/403 b/tests/generic/403
> new file mode 100644
> index 0000000..77427b8
> --- /dev/null
> +++ b/tests/generic/403
> @@ -0,0 +1,130 @@
> +#! /bin/bash
> +# FS QA Test generic/403
> +#
> +# Filesystem encryption is designed to enforce that a consistent encryption
> +# policy is used within a given encrypted directory tree and that an encrypted
> +# directory tree does not contain any unencrypted files.  This test verifies
> +# that filesystem operations that would violate this constraint fail with EPERM.
> +# This does not yet test enforcement of this constraint on lookup, which is
> +# needed to detect offline changes.
> +#
> +#-----------------------------------------------------------------------
> +# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
> +#
> +# Author: Eric Biggers <ebiggers@google.com>
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation.
> +#
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, write the Free Software Foundation,
> +# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
> +#-----------------------------------------------------------------------
> +#
> +
> +seq=`basename $0`
> +seqres=$RESULT_DIR/$seq
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1	# failure is the default!
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +_cleanup()
> +{
> +	cd /
> +	rm -f $tmp.*
> +}
> +
> +# get standard environment, filters and checks
> +. ./common/rc
> +. ./common/filter
> +. ./common/encrypt
> +. ./common/renameat2
> +
> +# remove previous $seqres.full before test
> +rm -f $seqres.full
> +
> +# real QA test starts here
> +_supported_fs ext4 f2fs
> +_supported_os Linux
> +_require_xfs_io_command "set_encpolicy"
> +_require_scratch
> +_require_encryption
> +_requires_renameat2
> +
> +_new_session_keyring
> +_scratch_mkfs_encrypted >> $seqres.full
> +_scratch_mount
> +
> +# Set up two encrypted directories, with different encryption policies,
> +# and one unencrypted directory.
> +edir1=$SCRATCH_MNT/edir1
> +edir2=$SCRATCH_MNT/edir2
> +udir=$SCRATCH_MNT/udir
> +mkdir $edir1 $edir2 $udir
> +keydesc1=$(_generate_encryption_key)
> +keydesc2=$(_generate_encryption_key)
> +$XFS_IO_PROG -c "set_encpolicy $keydesc1" $edir1
> +$XFS_IO_PROG -c "set_encpolicy $keydesc2" $edir2
> +touch $edir1/efile1
> +touch $edir2/efile2
> +touch $udir/ufile
> +
> +echo -e "\n*** Link encrypted <= encrypted ***"
> +ln $edir1/efile1 $edir2/efile1 |& _filter_scratch
> +
> +echo -e "\n*** Rename encrypted => encrypted ***"
> +mv $edir1/efile1 $edir2/efile1 |& _filter_scratch
> +
> +echo -e "\n*** Exchange encrypted <=> encrypted ***"
> +src/renameat2 -x $edir1/efile1 $edir2/efile2 |& _filter_scratch
> +
> +
> +echo -e "\n\n*** Link unencrypted <= encrypted ***"
> +ln $udir/ufile $edir1/ufile |& _filter_scratch
> +
> +echo -e "\n*** Rename unencrypted => encrypted ***"
> +mv $udir/ufile $edir1/ufile |& _filter_scratch
> +
> +echo -e "\n*** Exchange unencrypted <=> encrypted ***"
> +src/renameat2 -x $udir/ufile $edir1/efile1 |& _filter_scratch
> +
> +
> +echo -e "\n\n*** Link encrypted <= unencrypted ***"
> +ln -v $edir1/efile1 $udir/efile1 |& _filter_scratch # should succeed
> +rm $udir/efile1 # undo
> +
> +echo -e "\n*** Rename encrypted => unencrypted ***"
> +mv -v $edir1/efile1 $udir/efile1 |& _filter_scratch # should succeed
> +mv $udir/efile1 $edir1/efile1 # undo
> +
> +echo -e "\n*** Exchange encrypted <=> unencrypted ***"
> +src/renameat2 -x $edir1/efile1 $udir/ufile |& _filter_scratch
> +
> +# Now test the cases where we don't have access to the encryption keys.
> +
> +_unlink_encryption_key $keydesc1
> +_unlink_encryption_key $keydesc2
> +_scratch_cycle_mount
> +efile1=$(find $edir1 -type f)
> +efile2=$(find $edir2 -type f)
> +echo
> +
> +# TODO: this currently succeeds.  It should fail.  Fix this kernel-side.
> +#echo -e "\n*** Exchange encrypted <=> encrypted without key ***"
> +#src/renameat2 -x $efile1 $efile2

If it reveals a kernel bug, just uncomment it & update the .out file and
let it fail, as long as it's not a kernel crash, so it acts as a
reminder that there's an unfixed bug :)

For kernel-crashing tests, we tend to merge them after there's a known
fix, at least in maintainer's tree. But if it's a bug that won't be
fixed in the near future, we can merge such tests with "dangerous"
group, so they can be skipped by using "-x dangerous" option to check.

Thanks,
Eryu

> +
> +echo -e "\n*** Exchange encrypted <=> unencrypted without key ***"
> +src/renameat2 -x $efile1 $udir/ufile
> +
> +# success, all done
> +status=0
> +exit
> diff --git a/tests/generic/403.out b/tests/generic/403.out
> new file mode 100644
> index 0000000..27ed8cb
> --- /dev/null
> +++ b/tests/generic/403.out
> @@ -0,0 +1,34 @@
> +QA output created by 403
> +
> +*** Link encrypted <= encrypted ***
> +ln: failed to create hard link 'SCRATCH_MNT/edir2/efile1' => 'SCRATCH_MNT/edir1/efile1': Operation not permitted
> +
> +*** Rename encrypted => encrypted ***
> +mv: cannot move 'SCRATCH_MNT/edir1/efile1' to 'SCRATCH_MNT/edir2/efile1': Operation not permitted
> +
> +*** Exchange encrypted <=> encrypted ***
> +Operation not permitted
> +
> +
> +*** Link unencrypted <= encrypted ***
> +ln: failed to create hard link 'SCRATCH_MNT/edir1/ufile' => 'SCRATCH_MNT/udir/ufile': Operation not permitted
> +
> +*** Rename unencrypted => encrypted ***
> +mv: cannot move 'SCRATCH_MNT/udir/ufile' to 'SCRATCH_MNT/edir1/ufile': Operation not permitted
> +
> +*** Exchange unencrypted <=> encrypted ***
> +Operation not permitted
> +
> +
> +*** Link encrypted <= unencrypted ***
> +'SCRATCH_MNT/udir/efile1' => 'SCRATCH_MNT/edir1/efile1'
> +
> +*** Rename encrypted => unencrypted ***
> +'SCRATCH_MNT/edir1/efile1' -> 'SCRATCH_MNT/udir/efile1'
> +
> +*** Exchange encrypted <=> unencrypted ***
> +Operation not permitted
> +
> +
> +*** Exchange encrypted <=> unencrypted without key ***
> +Operation not permitted
> diff --git a/tests/generic/group b/tests/generic/group
> index e218380..a0d6e84 100644
> --- a/tests/generic/group
> +++ b/tests/generic/group
> @@ -399,3 +399,4 @@
>  400 auto quick encrypt
>  401 auto quick encrypt
>  402 auto quick encrypt
> +403 auto quick encrypt
> -- 
> 2.8.0.rc3.226.g39d4020
> 
> --
> To unsubscribe from this list: send the line "unsubscribe fstests" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html