authorJakob Unterwurzacher2021-05-08 17:17:08 +0200
committerJakob Unterwurzacher2021-05-15 17:58:37 +0200
commit86d8336b43418c028c34c37f06fcbd43ab0d44a1 (patch)
tree571dfa970a43938587496ac63b95a17060c8df80 /tests
parenta91ad29d362e8cb5348766da637202ac8905b9f2 (diff)
Add -acl flag to enable ACL enforcement
With test to verify that it actually works this time: Run "make root_test". Depends-on: https://github.com/rfjakob/gocryptfs/issues/536 Fixes: https://github.com/rfjakob/gocryptfs/issues/536
Diffstat (limited to 'tests')
-rw-r--r--tests/root_test/root_test.go82
1 files changed, 82 insertions, 0 deletions
diff --git a/tests/root_test/root_test.go b/tests/root_test/root_test.go
index 9a22add..8547e4e 100644
--- a/tests/root_test/root_test.go
+++ b/tests/root_test/root_test.go
@@ -137,6 +137,7 @@ func writeTillFull(t *testing.T, path string) (int, syscall.Errno) {
return sz, 0
}
+// TestDiskFull needs root permissions because it creates a loop disk
func TestDiskFull(t *testing.T) {
if os.Getuid() != 0 {
t.Skip("must run as root")
@@ -229,3 +230,84 @@ func TestDiskFull(t *testing.T) {
t.Fail()
}
}
+
+func TestAcl(t *testing.T) {
+ if os.Getuid() != 0 {
+ t.Skip("must run as root")
+ }
+ cDir := test_helpers.InitFS(t)
+ os.Chmod(cDir, 0755)
+ pDir := cDir + ".mnt"
+ test_helpers.MountOrFatal(t, cDir, pDir, "-allow_other", "-acl", "-extpass=echo test")
+ defer test_helpers.UnmountPanic(pDir)
+
+ f1 := pDir + "/f1"
+ if err := ioutil.WriteFile(f1, []byte("hello world\n"), 000); err != nil {
+ t.Fatal(err)
+ }
+
+ openUser1234 := func(rwMode int) error {
+ return asUser(1234, 1234, nil, func() error {
+ fd, err := syscall.Open(f1, rwMode, 0)
+ if err != nil {
+ return err
+ }
+ defer syscall.Close(fd)
+ buf := make([]byte, 100)
+ if rwMode == syscall.O_RDONLY || rwMode == syscall.O_RDWR {
+ _, err = syscall.Read(fd, buf)
+ if err != nil {
+ return err
+ }
+ }
+ if rwMode == syscall.O_WRONLY || rwMode == syscall.O_RDWR {
+ _, err = syscall.Write(fd, buf)
+ if err != nil {
+ return err
+ }
+ }
+ return err
+ })
+ }
+
+ dumpAcl := func() {
+ out, err := exec.Command("getfacl", f1).CombinedOutput()
+ if err != nil {
+ t.Fatal(err)
+ }
+ t.Log(string(out))
+ }
+
+ if err := openUser1234(syscall.O_RDONLY); err == nil {
+ t.Error("this should have failed")
+ dumpAcl()
+ }
+
+ // Allow read
+ out, err := exec.Command("setfacl", "-m", "u:1234:r", f1).CombinedOutput()
+ if err != nil {
+ t.Fatal(string(out))
+ }
+ if err := openUser1234(syscall.O_RDONLY); err != nil {
+ t.Errorf("O_RDONLY should have worked, but got error: %v", err)
+ dumpAcl()
+ }
+ if err := openUser1234(syscall.O_WRONLY); err == nil {
+ t.Error("O_WRONLY should have failed")
+ dumpAcl()
+ }
+
+ // Allow write
+ out, err = exec.Command("setfacl", "-m", "u:1234:w", f1).CombinedOutput()
+ if err != nil {
+ t.Fatal(string(out))
+ }
+ if err := openUser1234(syscall.O_WRONLY); err != nil {
+ t.Errorf("O_WRONLY should have worked, but got error: %v", err)
+ dumpAcl()
+ }
+ if err := openUser1234(syscall.O_RDONLY); err == nil {
+ t.Error("O_RDONLY should have failed")
+ dumpAcl()
+ }
+}
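Review bot: The `syscall.O_RDWR` branches inside `openUser1234` are never exercised, so `TestAcl` does not check that a grant of only `r` or only `w` still denies a combined read-write open. After each `setfacl` step, `if err := openUser1234(syscall.O_RDWR); err == nil { t.Error("O_RDWR should have failed") }` would cover that deny case. Separately, both `t.Fatal(string(out))` calls drop `err`, so a missing `setfacl` binary would fail with an empty message; `t.Fatalf("setfacl failed: %v: %s", err, out)` keeps the cause. The return value of `os.Chmod(cDir, 0755)` is also ignored, and if that call fails the later results may reflect broken setup rather than ACL enforcement.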