From 26b7e0f2824e6df7d865ffae8ff2ec17fd58a9e8 Mon Sep 17 00:00:00 2001
From: Julien Olivain
Date: Tue, 6 Feb 2024 20:52:37 +0100
Subject: [PATCH] support/testing: new acl runtime test

Signed-off-by: Julien Olivain
Signed-off-by: Peter Korsgaard
---
 DEVELOPERS | 1 +
 support/testing/tests/package/test_acl.py | 87 +++++++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 support/testing/tests/package/test_acl.py

diff --git a/DEVELOPERS b/DEVELOPERS
index dffbbf4605..4d916ff6a1 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1762,6 +1762,7 @@ F: support/testing/tests/package/sample_python_midiutil.py
 F: support/testing/tests/package/sample_python_ml_dtypes.py
 F: support/testing/tests/package/sample_python_pyalsa.py
 F: support/testing/tests/package/sample_python_spake2.py
+F: support/testing/tests/package/test_acl.py
 F: support/testing/tests/package/test_acpica.py
 F: support/testing/tests/package/test_acpica/
 F: support/testing/tests/package/test_apache.py
diff --git a/support/testing/tests/package/test_acl.py b/support/testing/tests/package/test_acl.py
new file mode 100644
index 0000000000..e4827c7bec
--- /dev/null
+++ b/support/testing/tests/package/test_acl.py
@@ -0,0 +1,87 @@
+import os
+
+import infra.basetest
+
+
+class TestAcl(infra.basetest.BRTest):
+ # Note: this test requires a Kernel with a filesystem on /tmp
+ # supporting ACLs. This is the case for the basetest reference
+ # config. Kernel has CONFIG_TMPFS_POSIX_ACL=y, and /tmp is tmpfs
+ # in the default Buildroot config.
+ config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
+ """
+ BR2_PACKAGE_ACL=y
+ BR2_TARGET_ROOTFS_CPIO=y
+ # BR2_TARGET_ROOTFS_TAR is not set
+ """
+
+ def test_run(self):
+ cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
+ self.emulator.boot(arch="armv5",
+ kernel="builtin",
+ options=["-initrd", cpio_file])
+ self.emulator.login()
+
+ # Check the programs can execute.
+ self.assertRunOk("getfacl --version")
+ self.assertRunOk("setfacl --version")
+
+ # Constants used in this test.
+ test_user = "acltest"
+ test_data = "Hello Buildroot!"
+ test_file = "/tmp/file.txt"
+
+ # Create a test user:
+ # -D don't set a password
+ # -h set home directory
+ # -H don't create home directory
+ # -s set shell to /bin/sh
+ self.assertRunOk(f"adduser -D -h /tmp -H -s /bin/sh {test_user}")
+
+ # Create a test file, and make sure the owner is "root" with
+ # standard Unix permissions to read/write only for the owner.
+ self.assertRunOk(f"echo '{test_data}' > {test_file}")
+ self.assertRunOk(f"chown root:root {test_file}")
+ self.assertRunOk(f"chmod 0600 {test_file}")
+
+ # Check we have no ACL for the test user.
+ getacl_cmd = f"getfacl -c -p {test_file}"
+ out, ret = self.emulator.run(getacl_cmd)
+ self.assertEqual(ret, 0)
+ self.assertNotIn(f"user:{test_user}:", "\n".join(out))
+
+ # Reading the file as the test user is expected to fail.
+ test_read_cmd = f"su - {test_user} -c 'cat {test_file}'"
+ _, ret = self.emulator.run(test_read_cmd)
+ self.assertNotEqual(ret, 0)
+
+ # We add a special read ACL for the test user.
+ cmd = f"setfacl -m u:{test_user}:r {test_file}"
+ self.assertRunOk(cmd)
+
+ # Check we now have an ACL entry for the test user.
+ out, ret = self.emulator.run(getacl_cmd)
+ self.assertEqual(ret, 0)
+ self.assertIn(f"user:{test_user}:", "\n".join(out))
+
+ # Reading the file as the test user is now expected to
+ # succeed.
+ out, ret = self.emulator.run(test_read_cmd)
+ self.assertEqual(ret, 0)
+ self.assertEqual(out[0], test_data)
+
+ # Attempting to write to the file as the test user is expected
+ # to fail (since we put an ACL only for reading).
+ cmd = f"su - {test_user} -c 'echo WriteTest > {test_file}'"
+ _, ret = self.emulator.run(cmd)
+ self.assertNotEqual(ret, 0)
+
+ # Remove all ACLs. This could have been done with the command
+ # "setfacl -b". Instead, we use the "chacl -B" command which
+ # is doing the same. The reason is to slightly improve the
+ # coverage of this test, by including an execution of "chacl".
+ self.assertRunOk(f"chacl -B {test_file}")
+
+ # Reading the file as the test user is expected to fail again.
+ _, ret = self.emulator.run(test_read_cmd)
+ self.assertNotEqual(ret, 0)
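Review bot: The write-denial check near the end of `test_run` asserts only that the `su - {test_user} -c 'echo WriteTest > {test_file}'` command returns non-zero, so it never confirms that the file content was left untouched. A non-zero status can also come from `su` or the login shell failing for an unrelated reason. Reading the file back as root right after the attempt would pin the property the ACL is meant to enforce: `out, ret = self.emulator.run(f"cat {test_file}")` followed by `self.assertEqual(out[0], test_data)`. Similarly, the `assertIn(f"user:{test_user}:", ...)` check after `setfacl` matches any entry for the user; matching `f"user:{test_user}:r--"` (the usual getfacl rendering, to be confirmed on the target) would also catch an entry that grants more than read.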