| author | Eric Biggers <ebiggers@google.com> | 2020-05-09 15:21:07 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-05-09 15:21:07 -0700 |
| commit | 1cdefc21b8b07aad7aafeefd05d3124cf93b9216 (patch) | |
| tree | b5f304a4ecc101a5410bb2274d129dbc7dad6441 /cli-tests | |
| parent | 338347ac4766f899fdc471d57f293798ff0e6c29 (diff) | |
| parent | de51add609bc74b7247ec4776bd694abbea24a45 (diff) | |
Merge pull request #217 from ebiggers/detect-incomplete-v1-locking
Try to detect incomplete locking of v1-encrypted directory
Diffstat (limited to 'cli-tests')
| -rw-r--r-- | cli-tests/t_v1_policy.out | 39 | ||||
| -rwxr-xr-x | cli-tests/t_v1_policy.sh | 15 |
2 files changed, 54 insertions, 0 deletions
diff --git a/cli-tests/t_v1_policy.out b/cli-tests/t_v1_policy.out index 747cf81..0ff5219 100644 --- a/cli-tests/t_v1_policy.out +++ b/cli-tests/t_v1_policy.out @@ -96,3 +96,42 @@ Protected with 1 protector: PROTECTOR LINKED DESCRIPTION desc2 No custom protector "prot" cat: MNT/dir/file: No such file or directory + +# Testing incompletely locking v1-encrypted directory +Enter custom passphrase for protector "prot": "MNT/dir" is now unlocked and ready for use. +Encrypted data removed from filesystem cache. +[ERROR] fscrypt lock: some files using the key are still open + +Directory was incompletely locked because some files are still open. These files +remain accessible. Try killing any processes using files in the directory, then +re-running 'fscrypt lock'. +"MNT/dir" is encrypted with fscrypt. + +Policy: desc1 +Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 +Unlocked: Partially (incompletely locked) + +Protected with 1 protector: +PROTECTOR LINKED DESCRIPTION +desc2 No custom protector "prot" +ext4 filesystem "MNT" has 1 protector and 1 policy + +PROTECTOR LINKED DESCRIPTION +desc2 No custom protector "prot" + +POLICY UNLOCKED PROTECTORS +desc1 No desc2 + +# Finishing locking v1-encrypted directory +Encrypted data removed from filesystem cache. +"MNT/dir" is now locked. +"MNT/dir" is encrypted with fscrypt. + +Policy: desc1 +Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1 +Unlocked: No + +Protected with 1 protector: +PROTECTOR LINKED DESCRIPTION +desc2 No custom protector "prot" +cat: MNT/dir/file: No such file or directory diff --git a/cli-tests/t_v1_policy.sh b/cli-tests/t_v1_policy.sh index 1ebfae5..e9f3acf 100755 --- a/cli-tests/t_v1_policy.sh +++ b/cli-tests/t_v1_policy.sh 
@@ -54,3 +54,18 @@ _print_header "Lock v1-encrypted directory" fscrypt lock "$dir" --user="$TEST_USER" _user_do "fscrypt status '$dir'" _expect_failure "cat '$dir/file'" + +# 'fscrypt lock' and 'fscrypt status' implement a heuristic that should detect +# the "files busy" case with v1. +_print_header "Testing incompletely locking v1-encrypted directory" +_user_do "echo hunter2 | fscrypt unlock '$dir'" +exec 3<"$dir/file" +_expect_failure "fscrypt lock '$dir' --user='$TEST_USER'" +_user_do "fscrypt status '$dir'" +# ... except in this case, because we can't detect it without a directory path. +_user_do "fscrypt status '$MNT'" +exec 3<&- +_print_header "Finishing locking v1-encrypted directory" +fscrypt lock "$dir" --user="$TEST_USER" +_user_do "fscrypt status '$dir'" +_expect_failure "cat '$dir/file'" |
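Review bot: In the cli-tests/t_v1_policy.out hunk, the expected output for `fscrypt status '$MNT'` pins the policy row `desc1 No desc2`, directly after the directory-level status reports `Unlocked: Partially (incompletely locked)` and the error text says the open files remain accessible. A user who checks only the filesystem summary would conclude the key is gone. The only explanation is the comment in the test script ("we can't detect it without a directory path"), so consider stating this limitation where users will see it, or having the summary show something other than a plain `No` for a v1 policy whose state cannot be determined from the mountpoint alone.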
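Review bot: In the cli-tests/t_v1_policy.sh hunk, nothing reads from fd 3 between `exec 3<"$dir/file"` and `exec 3<&-`, so the test checks the error message and the status text but not the claim in the expected output that the open file "remain[s] accessible" after the failed lock. Consider reading from the descriptor in the test shell after the `_expect_failure` line so the golden file records that the data is still readable while the directory is incompletely locked. The comment `# ... except in this case` also depends on the header comment several lines above it. It would read better as a self-contained sentence saying that status on the mountpoint cannot detect the incomplete lock and reports the policy as not unlocked.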