buildroot/support/testing/tests/package/test_acl.py

import os

import infra.basetest


class TestAcl(infra.basetest.BRTest):
    # Note: this test requires a Kernel with a filesystem on /tmp
    # supporting ACLs. This is the case for the basetest reference
    # config. Kernel has CONFIG_TMPFS_POSIX_ACL=y, and /tmp is tmpfs
    # in the default Buildroot config.
    config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
        """
        BR2_PACKAGE_ACL=y
        BR2_TARGET_ROOTFS_CPIO=y
        # BR2_TARGET_ROOTFS_TAR is not set
        """

    def test_run(self):
        cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
        self.emulator.boot(arch="armv5",
                           kernel="builtin",
                           options=["-initrd", cpio_file])
        self.emulator.login()

        # Check the programs can execute.
        self.assertRunOk("getfacl --version")
        self.assertRunOk("setfacl --version")

        # Constants used in this test.
        test_user = "acltest"
        test_data = "Hello Buildroot!"
        test_file = "/tmp/file.txt"

        # Create a test user:
        # -D    don't set a password
        # -h    set home directory
        # -H    don't create home directory
        # -s    set shell to /bin/sh
        self.assertRunOk(f"adduser -D -h /tmp -H -s /bin/sh {test_user}")

        # Create a test file, and make sure the owner is "root" with
        # standard Unix permissions to read/write only for the owner.
        self.assertRunOk(f"echo '{test_data}' > {test_file}")
        self.assertRunOk(f"chown root:root {test_file}")
        self.assertRunOk(f"chmod 0600 {test_file}")

        # Check we have no ACL for the test user.
        getacl_cmd = f"getfacl -c -p {test_file}"
        out, ret = self.emulator.run(getacl_cmd)
        self.assertEqual(ret, 0)
        self.assertNotIn(f"user:{test_user}:", "\n".join(out))

        # Reading the file as the test user is expected to fail.
        test_read_cmd = f"su - {test_user} -c 'cat {test_file}'"
        _, ret = self.emulator.run(test_read_cmd)
        self.assertNotEqual(ret, 0)

        # We add a special read ACL for the test user.
        cmd = f"setfacl -m u:{test_user}:r {test_file}"
        self.assertRunOk(cmd)

        # Check we now have an ACL entry for the test user.
        out, ret = self.emulator.run(getacl_cmd)
        self.assertEqual(ret, 0)
        self.assertIn(f"user:{test_user}:", "\n".join(out))

        # Reading the file as the test user is now expected to
        # succeed.
        out, ret = self.emulator.run(test_read_cmd)
        self.assertEqual(ret, 0)
        self.assertEqual(out[0], test_data)

        # Attempting to write to the file as the test user is expected
        # to fail (since we put an ACL only for reading).
        cmd = f"su - {test_user} -c 'echo WriteTest > {test_file}'"
        _, ret = self.emulator.run(cmd)
        self.assertNotEqual(ret, 0)

        # Remove all ACLs. This could have been done with the command
        # "setfacl -b". Instead, we use the "chacl -B" command which
        # is doing the same. The reason is to slightly improve the
        # coverage of this test, by including an execution of "chacl".
        self.assertRunOk(f"chacl -B {test_file}")

        # Reading the file as the test user is expected to fail again.
        _, ret = self.emulator.run(test_read_cmd)
        self.assertNotEqual(ret, 0)