diff options
author | obadz <obadz-git@obadz.com> | 2016-07-13 01:47:49 +0200 |
---|---|---|
committer | obadz <obadz-git@obadz.com> | 2016-07-13 01:48:41 +0200 |
commit | ab6fc297198b03b32eaa044bbc975bb701cd879b (patch) | |
tree | 77fcb1c578a4147c3474f2543996bbfdd49c70b8 /nixos/tests/ecryptfs.nix | |
parent | dde259dfb5a0787b28e260da7575079bbabad6c3 (diff) |
ecryptfs: add nixos/tests/ecryptfs.nix
Diffstat (limited to 'nixos/tests/ecryptfs.nix')
-rw-r--r-- | nixos/tests/ecryptfs.nix | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/nixos/tests/ecryptfs.nix b/nixos/tests/ecryptfs.nix new file mode 100644 index 0000000000000..f42ae1dac6271 --- /dev/null +++ b/nixos/tests/ecryptfs.nix @@ -0,0 +1,78 @@ +import ./make-test.nix ({ pkgs, ... }: +{ + name = "ecryptfs"; + + machine = { config, pkgs, ... }: { + imports = [ ./common/user-account.nix ]; + boot.kernelModules = [ "ecryptfs" ]; + security.pam.enableEcryptfs = true; + environment.systemPackages = with pkgs; [ keyutils ]; + }; + + testScript = '' + $machine->waitForUnit("default.target"); + + # Set alice up with a password and a home + $machine->succeed("(echo foobar; echo foobar) | passwd alice"); + $machine->succeed("chown -R alice.users ~alice"); + + # Migrate alice's home + my $out = $machine->succeed("echo foobar | ecryptfs-migrate-home -u alice"); + $machine->log("ecryptfs-migrate-home said: $out"); + + # Log alice in (ecryptfs passwhrase is wrapped during first login) + $machine->sleep(2); # urgh: wait for username prompt + $machine->sendChars("alice\n"); + $machine->sleep(1); + $machine->sendChars("foobar\n"); + $machine->sleep(2); + $machine->sendChars("logout\n"); + $machine->sleep(2); + + # Why do I need to do this?? + $machine->succeed("su alice -c ecryptfs-umount-private"); + $machine->sleep(1); + $machine->fail("mount | grep ecryptfs"); # check that encrypted home is not mounted + + # Show contents of the user keyring + my $out = $machine->succeed("su - alice -c 'keyctl list \@u'"); + $machine->log("keyctl unlink said: " . $out); + + # Log alice again + $machine->sendChars("alice\n"); + $machine->sleep(1); + $machine->sendChars("foobar\n"); + $machine->sleep(2); + + # Create some files in encrypted home + $machine->succeed("su alice -c 'touch ~alice/a'"); + $machine->succeed("su alice -c 'echo c > ~alice/b'"); + + # Logout + $machine->sendChars("logout\n"); + $machine->sleep(2); + + # Why do I need to do this?? + $machine->succeed("su alice -c ecryptfs-umount-private"); + $machine->sleep(1); + + # Check that the filesystem is not accessible + $machine->fail("mount | grep ecryptfs"); + $machine->succeed("su alice -c 'test \! -f ~alice/a'"); + $machine->succeed("su alice -c 'test \! -f ~alice/b'"); + + # Log alice once more + $machine->sendChars("alice\n"); + $machine->sleep(1); + $machine->sendChars("foobar\n"); + $machine->sleep(2); + + # Check that the files are there + $machine->sleep(1); + $machine->succeed("su alice -c 'test -f ~alice/a'"); + $machine->succeed("su alice -c 'test -f ~alice/b'"); + $machine->succeed(qq%test "\$(cat ~alice/b)" = "c"%); + + $machine->sendChars("logout\n"); + ''; +}) |