Attempt to print some debugging information on Seccomp failures.

Try to search the audit log as well as recent core dumps.

* test/src/emacs-tests.el (emacs-tests--seccomp-debug): New helper
function.
(emacs-tests/seccomp/allows-stdout)
(emacs-tests/seccomp/forbids-subprocess)
(emacs-tests/bwrap/allows-stdout): Use it.
Philipp Stephani 2021-04-17 21:06:11 +02:00
parent 3430c12154
commit 568ce6826f


@ -144,12 +144,14 @@ to `make-temp-file', which see."
(should-not (file-remote-p filter))
(cl-callf file-name-unquote filter)
(with-temp-buffer
(let ((status (call-process
(let ((start-time (current-time))
(status (call-process
emacs nil t nil
"--quick" "--batch"
(concat "--seccomp=" filter)
(format "--eval=%S" '(message "Hi")))))
(ert-info ((format "Process output: %s" (buffer-string)))
(format "--eval=%S" '(message "Hi"))))
(end-time (current-time)))
(ert-info ((emacs-tests--seccomp-debug start-time end-time))
(should (eql status 0)))
(should (equal (string-trim (buffer-string)) "Hi"))))))
@ -167,14 +169,16 @@ to `make-temp-file', which see."
(should-not (file-remote-p filter))
(cl-callf file-name-unquote filter)
(with-temp-buffer
(let ((status
(let ((start-time (current-time))
(status
(call-process
emacs nil t nil
"--quick" "--batch"
(concat "--seccomp=" filter)
(format "--eval=%S" `(call-process ,emacs nil nil nil
"--version")))))
(ert-info ((format "Process output: %s" (buffer-string)))
"--version"))))
(end-time (current-time)))
(ert-info ((emacs-tests--seccomp-debug start-time end-time))
(should-not (eql status 0)))))))
(ert-deftest emacs-tests/bwrap/allows-stdout ()
@ -205,9 +209,49 @@ to `make-temp-file', which see."
" ")
" 20< "
(shell-quote-argument (file-name-unquote filter))))
(status (call-process bash nil t nil "-c" command)))
(ert-info ((format "Process output: %s" (buffer-string)))
(start-time (current-time))
(status (call-process bash nil t nil "-c" command))
(end-time (current-time)))
(ert-info ((emacs-tests--seccomp-debug start-time end-time))
(should (eql status 0)))
(should (equal (string-trim (buffer-string)) "Hi"))))))
(defun emacs-tests--seccomp-debug (start-time end-time)
"Return potentially useful debugging information for Seccomp.
Assume that the current buffer contains subprocess output for the
failing process. START-TIME and END-TIME are time values between
which the process was running."
;; Add a bit of slack for the timestamps.
(cl-callf time-subtract start-time 5)
(cl-callf time-add end-time 5)
(with-output-to-string
(princ "Process output:")
(terpri)
(princ (buffer-substring-no-properties (point-min) (point-max)))
;; Search audit logs for Seccomp messages.
(when-let ((ausearch (executable-find "ausearch")))
(terpri)
(princ "Potentially relevant Seccomp audit events:")
(terpri)
(let ((process-environment '("LC_TIME=C")))
(call-process ausearch nil standard-output nil
"--message" "SECCOMP"
"--start"
(format-time-string "%D" start-time)
(format-time-string "%T" start-time)
"--end"
(format-time-string "%D" end-time)
(format-time-string "%T" end-time)
"--interpret")))
;; Print coredump information if available.
(when-let ((coredumpctl (executable-find "coredumpctl")))
(terpri)
(princ "Potentially useful coredump information:")
(terpri)
(call-process coredumpctl nil standard-output nil
"info"
"--since" (format-time-string "%F %T" start-time)
"--until" (format-time-string "%F %T" end-time)
"--no-pager"))))
;;; emacs-tests.el ends here
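Review bot: In `emacs-tests--seccomp-debug` the `ausearch` and `coredumpctl info` queries are narrowed only by the start/end window (widened by 5 seconds each way), so SECCOMP audit records and core-dump metadata from unrelated processes on the same host can be copied into the test log. Consider giving the helper a third argument naming the program under test and matching on it, for example `"--executable" program` for ausearch and a trailing `program` match argument for `coredumpctl info`. Note also that `ert-info` evaluates its message form before the body runs, so both tools are spawned on every run of the three tests, not only on a failure. The exit statuses of both `call-process` calls are discarded; since reading the audit log typically needs elevated privileges, printing the status would let a reader tell "no events" from "could not read the log".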