-
Notifications
You must be signed in to change notification settings - Fork 97
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
cli-tests: add t_v1_policy_fs_keyring
Test using v1 encryption policies (deprecated) with use_fs_keyring_for_v1_policies = true.
- Loading branch information
Showing
2 changed files
with
129 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
|
|
||
| # Enabling v1 policies with fs keyring | ||
|
|
||
| # Trying to encrypt directory as user | ||
| [ERROR] fscrypt encrypt: root is required to add/remove v1 encryption policy | ||
| keys to/from filesystem | ||
|
|
||
| Either this command should be run as root, or you should set | ||
| '"use_fs_keyring_for_v1_policies": false' in /etc/fscrypt.conf, or you should | ||
| re-create your encrypted directories using v2 encryption policies rather than v1 | ||
| (this requires setting '"policy_version": "2"' in the "options" section of | ||
| /etc/fscrypt.conf). | ||
| [ERROR] fscrypt status: get encryption policy MNT/dir: file | ||
| or directory not encrypted | ||
|
|
||
| # Encrypt directory as user with --skip-unlock | ||
| "MNT/dir" is encrypted with fscrypt. | ||
|
|
||
| Policy: desc1 | ||
| Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 | ||
| Unlocked: No | ||
|
|
||
| Protected with 1 protector: | ||
| PROTECTOR LINKED DESCRIPTION | ||
| desc2 No custom protector "aoeu" | ||
| mkdir: cannot create directory ‘MNT/dir/subdir’: Required key not available | ||
|
|
||
| # Try to unlock directory as user | ||
| [ERROR] fscrypt unlock: root is required to add/remove v1 encryption policy keys | ||
| to/from filesystem | ||
|
|
||
| Either this command should be run as root, or you should set | ||
| '"use_fs_keyring_for_v1_policies": false' in /etc/fscrypt.conf, or you should | ||
| re-create your encrypted directories using v2 encryption policies rather than v1 | ||
| (this requires setting '"policy_version": "2"' in the "options" section of | ||
| /etc/fscrypt.conf). | ||
|
|
||
| # Unlock directory as root | ||
| Enter custom passphrase for protector "aoeu": "MNT/dir" is now unlocked and ready for use. | ||
| "MNT/dir" is encrypted with fscrypt. | ||
|
|
||
| Policy: desc1 | ||
| Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 | ||
| Unlocked: Yes | ||
|
|
||
| Protected with 1 protector: | ||
| PROTECTOR LINKED DESCRIPTION | ||
| desc2 No custom protector "aoeu" | ||
|
|
||
| # Try to lock directory as user | ||
| [ERROR] fscrypt lock: root is required to add/remove v1 encryption policy keys | ||
| to/from filesystem | ||
|
|
||
| Either this command should be run as root, or you should set | ||
| '"use_fs_keyring_for_v1_policies": false' in /etc/fscrypt.conf, or you should | ||
| re-create your encrypted directories using v2 encryption policies rather than v1 | ||
| (this requires setting '"policy_version": "2"' in the "options" section of | ||
| /etc/fscrypt.conf). | ||
|
|
||
| # Lock directory as root | ||
| "MNT/dir" is now locked. | ||
| cat: MNT/dir/file: No such file or directory | ||
| "MNT/dir" is encrypted with fscrypt. | ||
|
|
||
| Policy: desc1 | ||
| Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 | ||
| Unlocked: No | ||
|
|
||
| Protected with 1 protector: | ||
| PROTECTOR LINKED DESCRIPTION | ||
| desc2 No custom protector "aoeu" | ||
|
|
||
| # User can access file when directory is unlocked by root | ||
| Enter custom passphrase for protector "aoeu": "MNT/dir" is now unlocked and ready for use. | ||
| contents |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| #!/bin/bash | ||
|
|
||
| # Test using v1 encryption policies (deprecated) with | ||
| # use_fs_keyring_for_v1_policies = true. | ||
|
|
||
| # This works similar to v2 policies, except locking and unlocking (including | ||
| # 'fscrypt encrypt' without --skip-unlock) will only work as root. | ||
|
|
||
| cd "$(dirname "$0")" | ||
| . common.sh | ||
|
|
||
| # Ensure that the session keyring is not used. | ||
| _setup_session_keyring | ||
| keyctl clear @s | ||
| keyctl setperm @s 0x08000000 # KEY_POS_SEARCH only | ||
|
|
||
| _print_header "Enabling v1 policies with fs keyring" | ||
| sed -e 's/"use_fs_keyring_for_v1_policies": false/"use_fs_keyring_for_v1_policies": true/' \ | ||
| -e 's/"policy_version": "2"/"policy_version": "1"/' \ | ||
| -i "$FSCRYPT_CONF" | ||
|
|
||
| dir="$MNT/dir" | ||
| mkdir "$dir" | ||
| chown "$TEST_USER" "$dir" | ||
|
|
||
| _print_header "Trying to encrypt directory as user" | ||
| _user_do_and_expect_failure "echo hunter2 | fscrypt encrypt --quiet --name=aoeu '$dir'" | ||
| _expect_failure "fscrypt status '$dir'" | ||
|
|
||
| _print_header "Encrypt directory as user with --skip-unlock" | ||
| _user_do "echo hunter2 | fscrypt encrypt --quiet --name=aoeu --skip-unlock '$dir'" | ||
| fscrypt status "$dir" | ||
| _expect_failure "mkdir '$dir/subdir'" | ||
|
|
||
| _print_header "Try to unlock directory as user" | ||
| _user_do_and_expect_failure "echo hunter2 | fscrypt unlock '$dir'" | ||
|
|
||
| _print_header "Unlock directory as root" | ||
| echo hunter2 | fscrypt unlock "$dir" | ||
| mkdir "$dir/subdir" | ||
| echo contents > "$dir/file" | ||
| fscrypt status "$dir" | ||
|
|
||
| _print_header "Try to lock directory as user" | ||
| _user_do_and_expect_failure "fscrypt lock '$dir'" | ||
|
|
||
| _print_header "Lock directory as root" | ||
| fscrypt lock "$dir" | ||
| _expect_failure "cat '$dir/file'" | ||
| fscrypt status "$dir" | ||
|
|
||
| _print_header "User can access file when directory is unlocked by root" | ||
| echo hunter2 | fscrypt unlock "$dir" | ||
| _user_do "cat '$dir/file'" |