#! /bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright 2018 Google LLC
#
# FS QA Test generic/573
#
# Test access controls on the fs-verity ioctls.  FS_IOC_MEASURE_VERITY is
# allowed on any file, whereas FS_IOC_ENABLE_VERITY requires write access.
#
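# Test preamble: name the test after this script and print the banner that
# opens the test's output.  "$0" is quoted so a path containing whitespace is
# still passed to basename as a single operand.
seq=$(basename "$0")
seqres=$RESULT_DIR/$seq
echo "QA output created by $seq"

here=$(pwd)
# PID-derived prefix for temporary files.  The name is predictable; nothing in
# this file writes under it, and _cleanup only removes files matching "$tmp".*.
tmp=/tmp/$$
status=1	# failure is the default!
# Run _cleanup and exit with $status on normal exit (0) and on signals 1, 2, 3
# and 15 (HUP, INT, QUIT, TERM).  The single quotes defer the expansion of
# $status until the trap fires, so the value set at the end of the test is the
# one reported.
trap '_cleanup; exit $status' 0 1 2 3 15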
| |
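# Exit handler (installed by the trap at the top of the file).
# Globals:   tmp (read)
# Calls:     _restore_fsverity_signatures, presumably the counterpart of the
#            _disable_fsverity_signatures call made during setup -- confirm in
#            common/verity.
_cleanup()
{
	# Change to / before the rest of the teardown.
	cd /
	_restore_fsverity_signatures
	# The prefix is quoted so it is never word-split or globbed on its own;
	# only the trailing ".*" is a pattern.
	rm -f "$tmp".*
}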
| |
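# get standard environment, filters and checks
. ./common/rc
. ./common/filter
. ./common/verity

# remove previous $seqres.full before test
# (quoted: $seqres is built from $RESULT_DIR, and an unquoted path containing
# whitespace would make rm act on several unintended names)
rm -f "$seqres.full"

# real QA test starts here
_supported_fs generic
_require_scratch_verity
# The subtests below run commands as $qa_user and set the append-only (a) and
# immutable (i) attributes, hence these two requirements.
_require_user
_require_chattr ia
# NOTE(review): presumably turns off signature enforcement so that plain
# "enable" calls are judged on access control alone -- confirm in
# common/verity.  _cleanup calls the matching _restore_fsverity_signatures.
_disable_fsverity_signatures

# mkfs output (stdout and stderr) goes to the full log, not the test output.
_scratch_mkfs_verity >> "$seqres.full" 2>&1
_scratch_mount
fsv_file=$SCRATCH_MNT/file.fsv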
| |
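# Access-control subtests.  Each one recreates $fsv_file, puts it in the state
# named in the subtest title, and then issues the ioctl through $FSVERITY_PROG.
#
# The test file is written with a single redirection.  A second
# ">> $seqres.full" on the same echo would send "foo" to the log and leave the
# file itself empty.
#
# The commands handed to _user_do and su are expanded here and passed on as one
# string, so $FSVERITY_PROG and $fsv_file must not contain characters the
# target shell would reinterpret.  $fsv_file is built from $SCRATCH_MNT; neither
# value is taken from untrusted input in this file.

# World-writable file (mode 666), enable issued through _user_do (presumably as
# $qa_user, like the explicit su call in the last subtest).  Output is left
# unfiltered here.
_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY doesn't require root"
echo foo > "$fsv_file"
chmod 666 "$fsv_file"
_user_do "$FSVERITY_PROG enable $fsv_file"

# Read-only file (mode 444): per the subtest title the enable is expected to be
# refused.  "|&" sends stdout and stderr through _filter_scratch.
_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires write access"
echo foo > "$fsv_file"
chmod 444 "$fsv_file"
_user_do "$FSVERITY_PROG enable $fsv_file" |& _filter_scratch

# Append-only file.  The enable is issued directly, i.e. as the user running
# the test suite rather than through _user_do.  The attribute is cleared again
# afterwards.
_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !append-only"
echo foo > "$fsv_file"
$CHATTR_PROG +a "$fsv_file"
$FSVERITY_PROG enable "$fsv_file" |& _filter_scratch
$CHATTR_PROG -a "$fsv_file"

# Immutable file, same pattern as the append-only subtest.
_fsv_scratch_begin_subtest "FS_IOC_ENABLE_VERITY requires !immutable"
echo foo > "$fsv_file"
$CHATTR_PROG +i "$fsv_file"
$FSVERITY_PROG enable "$fsv_file" |& _filter_scratch
$CHATTR_PROG -i "$fsv_file"

# Measuring needs only read access: the file is mode 444 and the measurement is
# taken as $qa_user.  Only stdout goes to the full log, so an error message on
# stderr would still reach the test output.
_fsv_scratch_begin_subtest "FS_IOC_MEASURE_VERITY doesn't require root"
_fsv_create_enable_file "$fsv_file" >> "$seqres.full"
chmod 444 "$fsv_file"
su "$qa_user" -c "$FSVERITY_PROG measure $fsv_file" >> "$seqres.full"

# success, all done
# (a bare "exit" still triggers the exit trap, which exits with $status)
status=0
exit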