From e0b8e76c5d6e93be0d8d61a8e0678ba67865e95b Mon Sep 17 00:00:00 2001 From: Alexander Larsson Date: Thu, 21 Sep 2023 15:25:08 +0200 Subject: [PATCH] Test that the -o digest=XXX mount option work correctly Signed-off-by: Alexander Larsson --- tests/test-lib.sh | 34 +++++++++++++++++++++++++++++++++- tests/test-units.sh | 27 ++++++++++++++++++++++++++- 2 files changed, 59 insertions(+), 2 deletions(-) diff --git a/tests/test-lib.sh b/tests/test-lib.sh index a373f666..1d630fe6 100644 --- a/tests/test-lib.sh +++ b/tests/test-lib.sh @@ -1,5 +1,28 @@ #!/usr/bin/bash +fatal() { + echo $@ 1>&2; exit 1 +} + +# Dump ls -al + file contents to stderr, then fatal() +_fatal_print_file() { + file="$1" + shift + ls -al "$file" >&2 + sed -e 's/^/# /' < "$file" >&2 + fatal "$@" +} + +assert_file_has_content () { + fpath=$1 + shift + for re in "$@"; do + if ! grep -q -e "$re" "$fpath"; then + _fatal_print_file "$fpath" "File '$fpath' doesn't match regexp '$re'" + fi + done +} + check_whiteout () { tmpfile=$(mktemp /tmp/lcfs-whiteout.XXXXXX) rm -f $tmpfile @@ -31,8 +54,17 @@ check_erofs_fsck () { fi } +check_fsverity () { + fsverity --version >/dev/null 2>&1 || return 1 + tmpfile=$(mktemp /var/tmp/lcfs-fsverity.XXXXXX) + echo foo > $tmpfile + fsverity enable $tmpfile fsverity --version >/dev/null 2>&1 || return 1 + return 0 +} + [[ -v can_whiteout ]] || can_whiteout=$(check_whiteout) [[ -v has_fuse ]] || has_fuse=$(if check_fuse; then echo y; else echo n; fi) [[ -v has_fsck ]] || has_fsck=$(check_erofs_fsck) +[[ -v has_fsverity ]] || has_fsverity=$(if check_fsverity; then echo y; else echo n; fi) -echo Test options: can_whiteout=$can_whiteout has_fuse=$has_fuse has_fsck=$has_fsck +echo Test options: can_whiteout=$can_whiteout has_fuse=$has_fuse has_fsck=$has_fsck has_fsverity=$has_fsverity diff --git a/tests/test-units.sh b/tests/test-units.sh index 2769ecf0..78c4a290 100755 --- a/tests/test-units.sh +++ b/tests/test-units.sh @@ -7,6 +7,8 @@ set -e workdir=$(mktemp -d /var/tmp/lcfs-test.XXXXXX) trap 'rm -rf -- "$workdir"' EXIT +. test-lib.sh + function makeimage () { local dir=$1 ${VALGRIND_PREFIX} $BINDIR/mkcomposefs --digest-store=$dir/objects $dir/root $dir/test.cfs @@ -44,7 +46,30 @@ function test_objects () { fi } -TESTS="test_inline test_objects" +function test_mount_digest () { + local dir=$1 + echo foo > $dir/root/a-file + makeimage $dir + + $BINDIR/mount.composefs -o basedir=$dir/objects,digest=3d248ca542a24fc62d1c43b916eae5016878e2533c88238480b26128a1f1af95 $dir/test.cfs $dir/mnt 2> $dir/stderr && fatal "non-fsverity mount should not succeed" + assert_file_has_content $dir/stderr "Image has no fs-verity" + + if [ has_fsverity = y ]; then + fsverity enable $dir/test.cfs + + local DIGEST=$(fsverity measure a | awk "{ print \$1 }" | sed s/sha256://) + echo "DIGEST=$DIGEST" + + $BINDIR/mount.composefs -o basedir=$dir/objects,digest=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa $dir/test.cfs $dir/mnt 2> $dir/stderr && fatal "wrong fsverity mount should not succeed" + assert_file_has_content $dir/stderr "Image has wrong fs-verity" + + $BINDIR/mount.composefs -o basedir=$dir/objects,digest=$DIGEST $dir/test.cfs $dir/mnt 2> $dir/stderr && fatal "Should not have been able to mount unprivileged" + cat $dir/stderr + return 1 + fi +} + +TESTS="test_inline test_objects test_mount_digest" res=0 for i in $TESTS; do testdir=$(mktemp -d $workdir/$i.XXXXXX)