#! /bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (c) 2016 Google, Inc.  All Rights Reserved.
#
# FS QA Test generic/398
#
# Filesystem encryption is designed to enforce that a consistent encryption
# policy is used within a given encrypted directory tree and that an encrypted
# directory tree does not contain any unencrypted files.  This test verifies
# that filesystem operations that would violate this constraint fail.  This does
# not test enforcement of this constraint on lookup, which is still needed to
# detect offline changes.
#
seq=`basename $0`
seqres=$RESULT_DIR/$seq
echo "QA output created by $seq"

here=`pwd`
tmp=/tmp/$$
status=1	# failure is the default!
trap "_cleanup; exit \$status" 0 1 2 3 15

_cleanup()
{
	cd /
	rm -f $tmp.*
}

# The error code for incompatible rename or link into an encrypted directory was
# changed from EPERM to EXDEV in Linux v5.1, to allow tools like 'mv' to work.
# See kernel commit f5e55e777cc9 ("fscrypt: return -EXDEV for incompatible
# rename or link into encrypted dir").  Accept both errors for now.
filter_eperm_to_exdev()
{
	sed -e 's/Operation not permitted/Invalid cross-device link/'
}

# The error code for incompatible cross-rename without the key has been ENOKEY
# on all filesystems since Linux v4.16.  Previously it was EPERM on some
# filesystems.  Accept both errors for now.
filter_eperm_to_enokey()
{
	sed -e 's/Operation not permitted/Required key not available/'
}

# get standard environment, filters and checks
. ./common/rc
. ./common/filter
. ./common/encrypt
. ./common/renameat2

# remove previous $seqres.full before test
rm -f $seqres.full

# real QA test starts here
_supported_fs generic
_supported_os Linux
_require_scratch_encryption
_require_renameat2 exchange

_new_session_keyring
_scratch_mkfs_encrypted &>> $seqres.full
_scratch_mount

# Set up two encrypted directories, with different encryption policies,
# and one unencrypted directory.
edir1=$SCRATCH_MNT/edir1
edir2=$SCRATCH_MNT/edir2
udir=$SCRATCH_MNT/udir
mkdir $edir1 $edir2 $udir
keydesc1=$(_generate_session_encryption_key)
keydesc2=$(_generate_session_encryption_key)
_set_encpolicy $edir1 $keydesc1
_set_encpolicy $edir2 $keydesc2
touch $edir1/efile1
touch $edir2/efile2
touch $udir/ufile


# Test linking and renaming an encrypted file into an encrypted directory with a
# different encryption policy.  Should fail with EXDEV.

echo -e "\n*** Link encrypted <= encrypted ***"
ln $edir1/efile1 $edir2/efile1 |& _filter_scratch | filter_eperm_to_exdev

echo -e "\n*** Rename encrypted => encrypted ***"
$here/src/renameat2 $edir1/efile1 $edir2/efile1 |& filter_eperm_to_exdev


# Test linking and renaming an unencrypted file into an encrypted directory.
# Should fail with EXDEV.

echo -e "\n\n*** Link unencrypted <= encrypted ***"
ln $udir/ufile $edir1/ufile |& _filter_scratch | filter_eperm_to_exdev

echo -e "\n*** Rename unencrypted => encrypted ***"
$here/src/renameat2 $udir/ufile $edir1/ufile |& filter_eperm_to_exdev


# Test linking and renaming an encrypted file into an unencrypted directory.
# Should succeed.

echo -e "\n\n*** Link encrypted <= unencrypted ***"
ln -v $edir1/efile1 $udir/efile1 |& _filter_scratch
rm $udir/efile1 # undo

echo -e "\n*** Rename encrypted => unencrypted ***"
$here/src/renameat2 $edir1/efile1 $udir/efile1
$here/src/renameat2 $udir/efile1 $edir1/efile1 # undo


# Test renaming a forbidden (unencrypted, or encrypted with a different
# encryption policy) file into an encrypted directory via an exchange (cross
# rename) operation.  Should fail with EXDEV.

echo -e "\n\n*** Exchange encrypted <=> encrypted ***"
$here/src/renameat2 -x $edir1/efile1 $edir2/efile2 |& filter_eperm_to_exdev

echo -e "\n*** Exchange unencrypted <=> encrypted ***"
$here/src/renameat2 -x $udir/ufile $edir1/efile1 |& filter_eperm_to_exdev

echo -e "\n*** Exchange encrypted <=> unencrypted ***"
$here/src/renameat2 -x $edir1/efile1 $udir/ufile |& filter_eperm_to_exdev


# Test a file with a special type, i.e. not regular, directory, or symlink.
# Since such files are not subject to encryption, there should be no
# restrictions on linking or renaming them into encrypted directories.

echo -e "\n\n*** Special file tests ***"
mkfifo $edir1/fifo
$here/src/renameat2 $edir1/fifo $edir2/fifo
$here/src/renameat2 $edir2/fifo $udir/fifo
$here/src/renameat2 $udir/fifo $edir1/fifo
mkfifo $udir/fifo
$here/src/renameat2 -x $udir/fifo $edir1/fifo
ln -v $edir1/fifo $edir2/fifo | _filter_scratch
rm $edir1/fifo $edir2/fifo $udir/fifo


# Now test that *without* access to the encrypted key, we cannot use an exchange
# (cross rename) operation to move a forbidden file into an encrypted directory.

_unlink_session_encryption_key $keydesc1
_unlink_session_encryption_key $keydesc2
_scratch_cycle_mount
efile1=$(find $edir1 -type f)
efile2=$(find $edir2 -type f)

echo -e "\n\n*** Exchange encrypted <=> encrypted without key ***"
$here/src/renameat2 -x $efile1 $efile2 |& filter_eperm_to_enokey
echo -e "\n*** Exchange encrypted <=> unencrypted without key ***"
$here/src/renameat2 -x $efile1 $udir/ufile |& filter_eperm_to_enokey

# success, all done
status=0
exit
