kumquat-buildroot/support/testing/tests/package/test_acl.py
Julien Olivain 26b7e0f282 support/testing: new acl runtime test
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-06 22:49:08 +01:00

88 lines
3.3 KiB
Python

import os
import infra.basetest
class TestAcl(infra.basetest.BRTest):
# Note: this test requires a Kernel with a filesystem on /tmp
# supporting ACLs. This is the case for the basetest reference
# config. Kernel has CONFIG_TMPFS_POSIX_ACL=y, and /tmp is tmpfs
# in the default Buildroot config.
config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
"""
BR2_PACKAGE_ACL=y
BR2_TARGET_ROOTFS_CPIO=y
# BR2_TARGET_ROOTFS_TAR is not set
"""
def test_run(self):
cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
self.emulator.boot(arch="armv5",
kernel="builtin",
options=["-initrd", cpio_file])
self.emulator.login()
# Check the programs can execute.
self.assertRunOk("getfacl --version")
self.assertRunOk("setfacl --version")
# Constants used in this test.
test_user = "acltest"
test_data = "Hello Buildroot!"
test_file = "/tmp/file.txt"
# Create a test user:
# -D don't set a password
# -h set home directory
# -H don't create home directory
# -s set shell to /bin/sh
self.assertRunOk(f"adduser -D -h /tmp -H -s /bin/sh {test_user}")
# Create a test file, and make sure the owner is "root" with
# standard Unix permissions to read/write only for the owner.
self.assertRunOk(f"echo '{test_data}' > {test_file}")
self.assertRunOk(f"chown root:root {test_file}")
self.assertRunOk(f"chmod 0600 {test_file}")
# Check we have no ACL for the test user.
getacl_cmd = f"getfacl -c -p {test_file}"
out, ret = self.emulator.run(getacl_cmd)
self.assertEqual(ret, 0)
self.assertNotIn(f"user:{test_user}:", "\n".join(out))
# Reading the file as the test user is expected to fail.
test_read_cmd = f"su - {test_user} -c 'cat {test_file}'"
_, ret = self.emulator.run(test_read_cmd)
self.assertNotEqual(ret, 0)
# We add a special read ACL for the test user.
cmd = f"setfacl -m u:{test_user}:r {test_file}"
self.assertRunOk(cmd)
# Check we now have an ACL entry for the test user.
out, ret = self.emulator.run(getacl_cmd)
self.assertEqual(ret, 0)
self.assertIn(f"user:{test_user}:", "\n".join(out))
# Reading the file as the test user is now expected to
# succeed.
out, ret = self.emulator.run(test_read_cmd)
self.assertEqual(ret, 0)
self.assertEqual(out[0], test_data)
# Attempting to write to the file as the test user is expected
# to fail (since we put an ACL only for reading).
cmd = f"su - {test_user} -c 'echo WriteTest > {test_file}'"
_, ret = self.emulator.run(cmd)
self.assertNotEqual(ret, 0)
# Remove all ACLs. This could have been done with the command
# "setfacl -b". Instead, we use the "chacl -B" command which
# is doing the same. The reason is to slightly improve the
# coverage of this test, by including an execution of "chacl".
self.assertRunOk(f"chacl -B {test_file}")
# Reading the file as the test user is expected to fail again.
_, ret = self.emulator.run(test_read_cmd)
self.assertNotEqual(ret, 0)