generic: test fs-verity access control

Signed-off-by: Eric Biggers <ebiggers@google.com>

3 files changed, 79 insertions, 0 deletions

diff --git a/tests/generic/901 b/tests/generic/901
new file mode 100755
index 0000000000..8a811fb78d
--- /dev/null
+++ b/tests/generic/901
@@ -0,0 +1,70 @@
+#! /bin/bash
+# FS QA Test generic/901
+#
+# Test fs-verity access control
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2018 Google, Inc.  All Rights Reserved.
+#
+# Author: Eric Biggers <ebiggers@google.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	cd /
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/verity
+
+# remove previous $seqres.full before test
+rm -f $seqres.full
+
+# real QA test starts here
+_supported_fs generic
+_supported_os Linux
+_require_scratch_verity
+_require_user
+
+_scratch_mkfs_verity &>> $seqres.full
+_scratch_mount
+fsv_file=$SCRATCH_MNT/file.fsv
+
+_fsv_begin_subtest "Enabling fs-verity as regular user fails with EACCES"
+_fsv_create_setup_file $fsv_file >> $seqres.full
+su $qa_user -c "$FSVERITY_PROG enable $fsv_file"
+$XFS_IO_PROG -c '' $fsv_file
+
+_fsv_begin_subtest "Setting measurement as regular user fails with EACCES"
+_fsv_create_enable_file $fsv_file >> $seqres.full
+su $qa_user -c "$FSVERITY_PROG set_measurement $fsv_file $(_fsv_randstring 64)"
+md5sum $fsv_file |& _filter_scratch
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/901.out b/tests/generic/901.out
new file mode 100644
index 0000000000..aa713b3039
--- /dev/null
+++ b/tests/generic/901.out
@@ -0,0 +1,8 @@
+QA output created by 901
+
+# Enabling fs-verity as regular user fails with EACCES
+FS_IOC_ENABLE_VERITY: Permission denied
+
+# Setting measurement as regular user fails with EACCES
+FS_IOC_SET_VERITY_MEASUREMENT: Permission denied
+md5sum: SCRATCH_MNT/file.fsv: Input/output error
diff --git a/tests/generic/group b/tests/generic/group
index 0485ecf6cc..69b3c46726 100644
--- a/tests/generic/group
+++ b/tests/generic/group
@@ -487,3 +487,4 @@
 482 auto metadata replay
 483 auto quick log metadata
 900 auto quick verity
+901 auto quick verity