tests/generic/573 - pub/scm/fs/xfs/xfstests-dev - Git at Google

 #! /bin/bash
 # SPDX-License-Identifier: GPL-2.0
 # Copyright 2018 Google LLC
 #
 # FS QA Test generic/573
 #
 # Test access controls on the fs-verity ioctls.  FS_IOC_MEASURE_VERITY is
 # allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access.
 #
 seq=`basename $0`
 seqres=$RESULT_DIR/$seq
 echo "QA output created by $seq"

 here=`pwd`
 tmp=/tmp/$$
 status=1	# failure is the default!
 trap "_cleanup; exit \$status" 0 1 2 3 15

 _cleanup()
 {
 	cd /
 	_restore_fsverity_signatures
 	rm -f $tmp.*
 }

 # get standard environment, filters and checks
 . ./common/rc
 . ./common/filter
 . ./common/verity

 # remove previous $seqres.full before test
 rm -f $seqres.full

 # real QA test starts here
 _supported_fs generic
 _require_scratch_verity
 _require_user
 _require_chattr ia
 _disable_fsverity_signatures

 _scratch_mkfs_verity &>> $seqres.full
 _scratch_mount
 fsv_file=$SCRATCH_MNT/file.fsv

 _fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY doesn't require root"
 echo foo > $fsv_file
 chmod 666 $fsv_file
 _user_do "$FSVERITY_PROG enable $fsv_file"

 _fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires write access"
 echo foo > $fsv_file >> $seqres.full
 chmod 444 $fsv_file
 _user_do "$FSVERITY_PROG enable $fsv_file" |& _filter_scratch

 _fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !append-only"
 echo foo > $fsv_file >> $seqres.full
 $CHATTR_PROG +a $fsv_file
 $FSVERITY_PROG enable $fsv_file |& _filter_scratch
 $CHATTR_PROG -a $fsv_file

 _fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !immutable"
 echo foo > $fsv_file >> $seqres.full
 $CHATTR_PROG +i $fsv_file
 $FSVERITY_PROG enable $fsv_file |& _filter_scratch
 $CHATTR_PROG -i $fsv_file

 _fsv_scratch_begin_subtest "FS_IOC_MEASURE_VERITY doesn't require root"
 _fsv_create_enable_file $fsv_file >> $seqres.full
 chmod 444 $fsv_file
 su $qa_user -c "$FSVERITY_PROG measure $fsv_file" >> $seqres.full

 # success, all done
 status=0
 exit
	#! /bin/bash
	# SPDX-License-Identifier: GPL-2.0
	# Copyright 2018 Google LLC
	#
	# FS QA Test generic/573
	#
	# Test access controls on the fs-verity ioctls. FS_IOC_MEASURE_VERITY is
	# allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access.
	#
	seq=`basename $0`
	seqres=$RESULT_DIR/$seq
	echo "QA output created by $seq"

	here=`pwd`
	tmp=/tmp/$$
	status=1 # failure is the default!
	trap "_cleanup; exit \$status" 0 1 2 3 15

	_cleanup()
	{
	cd /
	_restore_fsverity_signatures
	rm -f $tmp.*
	}

	# get standard environment, filters and checks
	. ./common/rc
	. ./common/filter
	. ./common/verity

	# remove previous $seqres.full before test
	rm -f $seqres.full

	# real QA test starts here
	_supported_fs generic
	_require_scratch_verity
	_require_user
	_require_chattr ia
	_disable_fsverity_signatures

	_scratch_mkfs_verity &>> $seqres.full
	_scratch_mount
	fsv_file=$SCRATCH_MNT/file.fsv

	_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY doesn't require root"
	echo foo > $fsv_file
	chmod 666 $fsv_file
	_user_do "$FSVERITY_PROG enable $fsv_file"

	_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires write access"
	echo foo > $fsv_file >> $seqres.full
	chmod 444 $fsv_file
	_user_do "$FSVERITY_PROG enable $fsv_file" \|& _filter_scratch

	_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !append-only"
	echo foo > $fsv_file >> $seqres.full
	$CHATTR_PROG +a $fsv_file
	$FSVERITY_PROG enable $fsv_file \|& _filter_scratch
	$CHATTR_PROG -a $fsv_file

	_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !immutable"
	echo foo > $fsv_file >> $seqres.full
	$CHATTR_PROG +i $fsv_file
	$FSVERITY_PROG enable $fsv_file \|& _filter_scratch
	$CHATTR_PROG -i $fsv_file

	_fsv_scratch_begin_subtest "FS_IOC_MEASURE_VERITY doesn't require root"
	_fsv_create_enable_file $fsv_file >> $seqres.full
	chmod 444 $fsv_file
	su $qa_user -c "$FSVERITY_PROG measure $fsv_file" >> $seqres.full

	# success, all done
	status=0
	exit