{"id":2229321,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229321/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-ext4/patch/645e504d5551d6e100b344998f34737f65797db8.1777357321.git.asj@kernel.org/","project":{"id":8,"url":"http://patchwork.ozlabs.org/api/1.1/projects/8/?format=json","name":"Linux ext4 filesystem development","link_name":"linux-ext4","list_id":"linux-ext4.vger.kernel.org","list_email":"linux-ext4@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<645e504d5551d6e100b344998f34737f65797db8.1777357321.git.asj@kernel.org>","date":"2026-04-28T06:42:57","name":"[v4,7/9] fstests: verify IMA isolation on cloned filesystems","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"3ad46224eebfc7c355190477581399fefda215b5","submitter":{"id":92722,"url":"http://patchwork.ozlabs.org/api/1.1/people/92722/?format=json","name":"Anand Jain","email":"asj@kernel.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-ext4/patch/645e504d5551d6e100b344998f34737f65797db8.1777357321.git.asj@kernel.org/mbox/","series":[{"id":501769,"url":"http://patchwork.ozlabs.org/api/1.1/series/501769/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-ext4/list/?series=501769","date":"2026-04-28T06:42:52","name":"fstests: add test coverage for cloned filesystem ids","version":4,"mbox":"http://patchwork.ozlabs.org/series/501769/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229321/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229321/checks/","tags":{},"headers":{"Return-Path":"\n <SRS0=1xAf=C3=vger.kernel.org=linux-ext4+bounces-16142-patchwork-incoming=ozlabs.org@ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-ext4@vger.kernel.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","patchwork-incoming@ozlabs.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=IF7EPLR7;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=ozlabs.org\n (client-ip=2404:9400:2221:ea00::3; helo=mail.ozlabs.org;\n envelope-from=srs0=1xaf=c3=vger.kernel.org=linux-ext4+bounces-16142-patchwork-incoming=ozlabs.org@ozlabs.org;\n receiver=patchwork.ozlabs.org)","gandalf.ozlabs.org;\n arc=pass smtp.remote-ip=172.232.135.74 arc.chain=subspace.kernel.org","gandalf.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=kernel.org","gandalf.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=IF7EPLR7;\n\tdkim-atps=neutral","gandalf.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=linux-ext4+bounces-16142-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"IF7EPLR7\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4W9d4fYMz1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 16:43:49 +1000 (AEST)","from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])\n\tby gandalf.ozlabs.org (Postfix) with ESMTP id 4g4W9d4B6Pz4wJP\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 16:43:49 +1000 (AEST)","by gandalf.ozlabs.org (Postfix)\n\tid 4g4W9d475bz4wK5; Tue, 28 Apr 2026 16:43:49 +1000 (AEST)","from sto.lore.kernel.org (sto.lore.kernel.org [172.232.135.74])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby gandalf.ozlabs.org (Postfix) with ESMTPS id 4g4W9Z0f2vz4wJP\n\tfor <patchwork-incoming@ozlabs.org>; Tue, 28 Apr 2026 16:43:46 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 378EE3013B95\n\tfor <patchwork-incoming@ozlabs.org>; Tue, 28 Apr 2026 06:43:30 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 45BE3351C13;\n\tTue, 28 Apr 2026 06:43:28 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 0611834D901;\n\tTue, 28 Apr 2026 06:43:27 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id E58C8C2BCAF;\n\tTue, 28 Apr 2026 06:43:25 +0000 (UTC)"],"ARC-Seal":["i=2; a=rsa-sha256; d=ozlabs.org; s=201707; t=1777358629; cv=pass;\n\tb=toRCHWzPpAXLHM8FZFKGG1SUJyDt/ugWH+njfSCuXDeqkrhzLDgrGnFwpWP9EOnoSFz954QRtstTKxpLzCTFX/2JDJ1XudrbJau52D7f2X7tInx4DGP53Odk55qeslSkRw6Z8Qr15UagvY68ZOiGgYzAp9VvTV883Nd+Uytvn9vScWzmBhTk2h/Ye6EvYn3tFYy9T9MgYf4Qn8SDWvRrZPawZucUBsRbvsOFq4WYq+w+rDxho97UcWVkfBlnVh146kzVcvtqEyq2e+fOvJKsmCvnJvUdPVo2LNNFfiquOTFx3mQIoxoCfe5QcYCQuBXN9ZlcFSzrKjh6UKmxJz9Qxg==","i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777358608; cv=none;\n b=PYuDnPsz6oGkV5OprS+3Ii5y8CVZhHo2lqtCszVR7cVIemSS5r0Ejz9VSvTEX4jU+mqUeRc353jMdjCcBJ83kxPv/nBsePJFs7EOrBaPNEmJbUF4CVgy3OzkAjVCOQCFxnGSkEEwADdyQoCKRXhdSnk1ZQkKJJNJNtoizoOnLcY="],"ARC-Message-Signature":["i=2; a=rsa-sha256; d=ozlabs.org; s=201707;\n\tt=1777358629; c=relaxed/relaxed;\n\tbh=dY4LyjHoGxaj9yFvm5X3/M1de93OcDCzufSUYzPXJkk=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=VEIpi8B+bbanUrVkrmzMTHjk6j05Kb/FZrfETCF6AFdD6D3rO8tYFoJVgrayoCeblRisbviSWWdgrjEDHjn7/QJuqZvFXcuDukq+/wrKjT3oRNSE046QNJVyLe368Iq0gcImc8zPBJIPA41S8x5BdlcooMiUKMHhsnQ/uA3m3JPH6RM8wwi4jAQ3DSQUGUkDk0vSQjQTs70p5ESW/maV9IV3DqyU2Yaxx4YW/yo/Sm7kHvRRl90kfbpvd/FAeSQkAYVT3heQziYTyEnceBN96KbfIhpdaC+34vvO8/28NUrpZNRK5dixXQ+9dMkSaK2eBDnovXHT2dwHDrzsmRO6oQ==","i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777358608; c=relaxed/simple;\n\tbh=e+dUxwRHiS/KXwaFoKmm2PRdWDcEVAE4PqqycqAupW8=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=Z7ugR5Nqm4ZSwFrqvLK0ybcmHTFpSNjfPhrjYVxQ9gUnKGthE7OnAtN69rgFtyelYPygX4d6u8EDOs3XuQ4pGuzWH4LwMssGRQCzo/K4mCL41UuN8ROL9UySHoNOZKQC2ffsf4/pFt8bQgXTLwa53nzvLhL5gdPrwpMDEF7z0E0="],"ARC-Authentication-Results":["i=2; gandalf.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=kernel.org;\n dkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=IF7EPLR7; dkim-atps=neutral;\n spf=pass (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=linux-ext4+bounces-16142-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org) smtp.mailfrom=vger.kernel.org","i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=IF7EPLR7; arc=none smtp.client-ip=10.30.226.201"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1777358607;\n\tbh=e+dUxwRHiS/KXwaFoKmm2PRdWDcEVAE4PqqycqAupW8=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=IF7EPLR7YLLHKz6YiL4soyZs+IEGi2JQqDj2/MAKU87ZQQi2ueBEvggnVf9C3+3Vc\n\t J9Xwib9+wYMtKk5qVxw32gwAmbqQ7/me3ILDZI58+awTC6QNyKV5CMvAJvcICOAjUE\n\t SVb1sECSZ5CDKGhOcdlLlyuYOE5iRr8mGKE48+mqGhX3VkxFZ4wfaMBi56ie1A1y83\n\t JezMZYmSRbaBmiIx7d7eWgRg1dwa1Aoh62CsMY2Epe04ecyImDgc0s6nHtEGmg2gmv\n\t rtYvghQ2AMCEHVJouczsu2jIINPFvjDktsa1LOTMyAGkt+MPq0LTWznnERGO4XiMRB\n\t AFeoKcUhiMdtQ==","From":"Anand Jain <asj@kernel.org>","To":"fstests@vger.kernel.org","Cc":"linux-btrfs@vger.kernel.org,\n\tlinux-ext4@vger.kernel.org,\n\tlinux-xfs@vger.kernel.org,\n\tlinux-f2fs@vger.kernel.org,\n\tamir73il@gmail.com,\n\tzlang@redhat.com,\n\thch@infradead.org","Subject":"[PATCH v4 7/9] fstests: verify IMA isolation on cloned filesystems","Date":"Tue, 28 Apr 2026 14:42:57 +0800","Message-ID":"\n <645e504d5551d6e100b344998f34737f65797db8.1777357321.git.asj@kernel.org>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<cover.1777357320.git.asj@kernel.org>","References":"<cover.1777357320.git.asj@kernel.org>","Precedence":"bulk","X-Mailing-List":"linux-ext4@vger.kernel.org","List-Id":"<linux-ext4.vger.kernel.org>","List-Subscribe":"<mailto:linux-ext4+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-ext4+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Spam-Status":"No, score=-1.2 required=5.0 tests=ARC_SIGNED,ARC_VALID,\n\tDKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,\n\tMAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=disabled\n\tversion=4.0.1","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on gandalf.ozlabs.org"},"content":"Add testcase to verify IMA measurement isolation when multiple devices\nshare the same FSUUID.\n\nSigned-off-by: Anand Jain <asj@kernel.org>\n---\n tests/generic/804     | 103 ++++++++++++++++++++++++++++++++++++++++++\n tests/generic/804.out |  10 ++++\n 2 files changed, 113 insertions(+)\n create mode 100644 tests/generic/804\n create mode 100644 tests/generic/804.out","diff":"diff --git a/tests/generic/804 b/tests/generic/804\nnew file mode 100644\nindex 000000000000..9f3459015422\n--- /dev/null\n+++ b/tests/generic/804\n@@ -0,0 +1,103 @@\n+#! /bin/bash\n+# SPDX-License-Identifier: GPL-2.0\n+# Copyright (c) 2026 Anand Jain <asj@kernel.org>.  All Rights Reserved.\n+#\n+# FS QA Test 804\n+# Verify IMA isolation on cloned filesystems:\n+# . Mount two devices sharing the same FSUUID (cloned).\n+# . Apply an IMA policy to measure files based on that FSUUID.\n+# . Create unique files on each mount point to trigger measurements.\n+# . Confirm the IMA log correctly attributes events to the respective mounts.\n+\n+. ./common/preamble\n+. ./common/filter\n+\n+_begin_fstest auto quick clone\n+\n+_require_test\n+_require_block_device $TEST_DEV\n+_require_loop\n+\n+[ \"$FSTYP\" = \"btrfs\" ] && _fixed_by_kernel_commit xxxxxxxxxxxx \\\n+\t\"btrfs: use on-disk uuid for s_uuid in temp_fsid mounts\"\n+[ \"$FSTYP\" = \"btrfs\" ] && _fixed_by_kernel_commit xxxxxxxxxxxx \\\n+\t\"btrfs: derive f_fsid from on-disk fsuuid and dev_t\"\n+\n+_cleanup()\n+{\n+\tcd /\n+\trm -r -f $tmp.*\n+\t_unmount $mnt1 2>/dev/null\n+\t_unmount $mnt2 2>/dev/null\n+\t_loop_image_destroy \"${devs[@]}\" 2> /dev/null\n+}\n+\n+filter_pool()\n+{\n+\tsed -e \"s|${devs[0]}|DEV1|g\" -e \"s|$mnt1|MNT1|g\" \\\n+\t    -e \"s|${devs[1]}|DEV2|g\" -e \"s|$mnt2|MNT2|g\" | _filter_spaces\n+}\n+\n+do_ima()\n+{\n+\tlocal ima_policy=\"/sys/kernel/security/ima/policy\"\n+\tlocal ima_log=\"/sys/kernel/security/ima/ascii_runtime_measurements\"\n+\tlocal fsuuid\n+\tlocal mnt=$1\n+\tlocal enable=$2\n+\n+\t# Since the in-memory IMA audit log is only cleared upon reboot,\n+\t# use unique random filenames to avoid log collisions.\n+\tlocal foofile=$(mktemp --dry-run foobar_XXXXX)\n+\n+\techo $mnt $enable | filter_pool\n+\n+\t[ -w \"$ima_policy\" ] || _notrun \"IMA policy not writable\"\n+\n+\tfsuuid=$(blkid -s UUID -o value ${devs[0]})\n+\n+\t# Load IMA policy to measure file access specifically for this\n+\t# filesystem UUID.\n+\tif [[ $enable -eq 1 ]]; then\n+\t\techo \"measure func=FILE_CHECK fsuuid=$fsuuid\" > \"$ima_policy\" || \\\n+\t\t\t_notrun \"Policy rejected\"\n+\tfi\n+\n+\t# Create a file to trigger measurement and verify its entry in\n+\t# the IMA log.\n+\techo \"test_data\" > $mnt/$foofile\n+\n+\t# For $ima_log column entry please ref to\n+\tgrep $foofile \"$ima_log\" | awk '{ print $5 }' | filter_pool | \\\n+\t\t\t\t\t\tsed \"s/$foofile/FOOBAR_FILE/\"\n+\n+\techo \"dbg: $mnt $fsuuid $foofile\" >> $seqres.full\n+\tcat $ima_log | tail -1 >> $seqres.full\n+\techo >> $seqres.full\n+}\n+\n+devs=()\n+_loop_image_create_clone devs\n+mnt1=$TEST_DIR/$seq/mnt1\n+mnt2=$TEST_DIR/$seq/mnt2\n+mkdir -p $mnt1\n+mkdir -p $mnt2\n+\n+_mount $(_common_dev_mount_options) $(_clone_mount_option) ${devs[0]} $mnt1 || \\\n+\t\t\t\t\t\t_fail \"Failed to mount dev1\"\n+_mount $(_common_dev_mount_options) $(_clone_mount_option) ${devs[1]} $mnt2 || \\\n+\t\t\t\t\t\t_fail \"Failed to mount dev2\"\n+\n+do_ima $mnt1 1\n+do_ima $mnt2 0\n+\n+# Btrfs uses in-memory dynamic temp_fsid\n+echo mount cycle\n+_unmount $mnt2\n+_mount $mount_opts ${devs[1]} $mnt2 || _fail \"Failed to mount dev2\"\n+\n+do_ima $mnt1 0\n+do_ima $mnt2 0\n+\n+status=0\n+exit\ndiff --git a/tests/generic/804.out b/tests/generic/804.out\nnew file mode 100644\nindex 000000000000..9804181d6c17\n--- /dev/null\n+++ b/tests/generic/804.out\n@@ -0,0 +1,10 @@\n+QA output created by 804\n+MNT1 1\n+MNT1/FOOBAR_FILE\n+MNT2 0\n+MNT2/FOOBAR_FILE\n+mount cycle\n+MNT1 0\n+MNT1/FOOBAR_FILE\n+MNT2 0\n+MNT2/FOOBAR_FILE\n","prefixes":["v4","7/9"]}