88 lines
3.3 KiB
Python
88 lines
3.3 KiB
Python
import os
|
|
|
|
import infra.basetest
|
|
|
|
|
|
class TestAcl(infra.basetest.BRTest):
|
|
# Note: this test requires a Kernel with a filesystem on /tmp
|
|
# supporting ACLs. This is the case for the basetest reference
|
|
# config. Kernel has CONFIG_TMPFS_POSIX_ACL=y, and /tmp is tmpfs
|
|
# in the default Buildroot config.
|
|
config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
|
|
"""
|
|
BR2_PACKAGE_ACL=y
|
|
BR2_TARGET_ROOTFS_CPIO=y
|
|
# BR2_TARGET_ROOTFS_TAR is not set
|
|
"""
|
|
|
|
def test_run(self):
|
|
cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
|
|
self.emulator.boot(arch="armv5",
|
|
kernel="builtin",
|
|
options=["-initrd", cpio_file])
|
|
self.emulator.login()
|
|
|
|
# Check the programs can execute.
|
|
self.assertRunOk("getfacl --version")
|
|
self.assertRunOk("setfacl --version")
|
|
|
|
# Constants used in this test.
|
|
test_user = "acltest"
|
|
test_data = "Hello Buildroot!"
|
|
test_file = "/tmp/file.txt"
|
|
|
|
# Create a test user:
|
|
# -D don't set a password
|
|
# -h set home directory
|
|
# -H don't create home directory
|
|
# -s set shell to /bin/sh
|
|
self.assertRunOk(f"adduser -D -h /tmp -H -s /bin/sh {test_user}")
|
|
|
|
# Create a test file, and make sure the owner is "root" with
|
|
# standard Unix permissions to read/write only for the owner.
|
|
self.assertRunOk(f"echo '{test_data}' > {test_file}")
|
|
self.assertRunOk(f"chown root:root {test_file}")
|
|
self.assertRunOk(f"chmod 0600 {test_file}")
|
|
|
|
# Check we have no ACL for the test user.
|
|
getacl_cmd = f"getfacl -c -p {test_file}"
|
|
out, ret = self.emulator.run(getacl_cmd)
|
|
self.assertEqual(ret, 0)
|
|
self.assertNotIn(f"user:{test_user}:", "\n".join(out))
|
|
|
|
# Reading the file as the test user is expected to fail.
|
|
test_read_cmd = f"su - {test_user} -c 'cat {test_file}'"
|
|
_, ret = self.emulator.run(test_read_cmd)
|
|
self.assertNotEqual(ret, 0)
|
|
|
|
# We add a special read ACL for the test user.
|
|
cmd = f"setfacl -m u:{test_user}:r {test_file}"
|
|
self.assertRunOk(cmd)
|
|
|
|
# Check we now have an ACL entry for the test user.
|
|
out, ret = self.emulator.run(getacl_cmd)
|
|
self.assertEqual(ret, 0)
|
|
self.assertIn(f"user:{test_user}:", "\n".join(out))
|
|
|
|
# Reading the file as the test user is now expected to
|
|
# succeed.
|
|
out, ret = self.emulator.run(test_read_cmd)
|
|
self.assertEqual(ret, 0)
|
|
self.assertEqual(out[0], test_data)
|
|
|
|
# Attempting to write to the file as the test user is expected
|
|
# to fail (since we put an ACL only for reading).
|
|
cmd = f"su - {test_user} -c 'echo WriteTest > {test_file}'"
|
|
_, ret = self.emulator.run(cmd)
|
|
self.assertNotEqual(ret, 0)
|
|
|
|
# Remove all ACLs. This could have been done with the command
|
|
# "setfacl -b". Instead, we use the "chacl -B" command which
|
|
# is doing the same. The reason is to slightly improve the
|
|
# coverage of this test, by including an execution of "chacl".
|
|
self.assertRunOk(f"chacl -B {test_file}")
|
|
|
|
# Reading the file as the test user is expected to fail again.
|
|
_, ret = self.emulator.run(test_read_cmd)
|
|
self.assertNotEqual(ret, 0)
|