Attempt to print some debugging information on Seccomp failures.

Try to search the audit log as well as recent core dumps. * test/src/emacs-tests.el (emacs-tests--seccomp-debug): New helper function. (emacs-tests/seccomp/allows-stdout) (emacs-tests/seccomp/forbids-subprocess) (emacs-tests/bwrap/allows-stdout): Use it.
author: Philipp Stephani 2021-04-17 21:06:11 +0200
committer: Philipp Stephani 2021-04-17 21:08:17 +0200
commit: 568ce6826fa0aaa4d5dc95880cbdc0965dc07521 (patch)
tree: 806b8a6d0a42f0b8fd6e34f1d449a48617fb764d /test/src
parent: 3430c12154579103c3de991bcda4558ed46a485e (diff)
download: emacs-568ce6826fa0aaa4d5dc95880cbdc0965dc07521.tar.gz
emacs-568ce6826fa0aaa4d5dc95880cbdc0965dc07521.zip
1 files changed, 52 insertions, 8 deletions
diff --git a/test/src/emacs-tests.el b/test/src/emacs-tests.el
index 09f9a248efb..87c3e84cdd2 100644
--- a/test/src/emacs-tests.el
+++ b/test/src/emacs-tests.el
@@ -144,12 +144,14 @@ to `make-temp-file', which see."
    (should-not (file-remote-p filter))
    (cl-callf file-name-unquote filter)
    (with-temp-buffer
-      (let ((status (call-process
+      (let ((start-time (current-time))
+            (status (call-process
                     emacs nil t nil
                     "--quick" "--batch"
                     (concat "--seccomp=" filter)
-                     (format "--eval=%S" '(message "Hi")))))
+                     (format "--eval=%S" '(message "Hi"))))
-        (ert-info ((format "Process output: %s" (buffer-string)))
+            (end-time (current-time)))
+        (ert-info ((emacs-tests--seccomp-debug start-time end-time))
          (should (eql status 0)))
        (should (equal (string-trim (buffer-string)) "Hi"))))))
@@ -167,14 +169,16 @@ to `make-temp-file', which see."
    (should-not (file-remote-p filter))
    (cl-callf file-name-unquote filter)
    (with-temp-buffer
-      (let ((status
+      (let ((start-time (current-time))
+            (status
             (call-process
              emacs nil t nil
              "--quick" "--batch"
              (concat "--seccomp=" filter)
              (format "--eval=%S" `(call-process ,emacs nil nil nil
-                                                 "--version")))))
+                                                 "--version"))))
-        (ert-info ((format "Process output: %s" (buffer-string)))
+            (end-time (current-time)))
+        (ert-info ((emacs-tests--seccomp-debug start-time end-time))
          (should-not (eql status 0)))))))
 (ert-deftest emacs-tests/bwrap/allows-stdout ()
@@ -205,9 +209,49 @@ to `make-temp-file', which see."
                          " ")
               " 20< "
               (shell-quote-argument (file-name-unquote filter))))
-             (status (call-process bash nil t nil "-c" command)))
+             (start-time (current-time))
-        (ert-info ((format "Process output: %s" (buffer-string)))
+             (status (call-process bash nil t nil "-c" command))
+             (end-time (current-time)))
+        (ert-info ((emacs-tests--seccomp-debug start-time end-time))
          (should (eql status 0)))
        (should (equal (string-trim (buffer-string)) "Hi"))))))
+(defun emacs-tests--seccomp-debug (start-time end-time)
+  "Return potentially useful debugging information for Seccomp.
+Assume that the current buffer contains subprocess output for the
+failing process.  START-TIME and END-TIME are time values between
+which the process was running."
+  ;; Add a bit of slack for the timestamps.
+  (cl-callf time-subtract start-time 5)
+  (cl-callf time-add end-time 5)
+  (with-output-to-string
+    (princ "Process output:")
+    (terpri)
+    (princ (buffer-substring-no-properties (point-min) (point-max)))
+    ;; Search audit logs for Seccomp messages.
+    (when-let ((ausearch (executable-find "ausearch")))
+      (terpri)
+      (princ "Potentially relevant Seccomp audit events:")
+      (terpri)
+      (let ((process-environment '("LC_TIME=C")))
+        (call-process ausearch nil standard-output nil
+                      "--message" "SECCOMP"
+                      "--start"
+                      (format-time-string "%D" start-time)
+                      (format-time-string "%T" start-time)
+                      "--end"
+                      (format-time-string "%D" end-time)
+                      (format-time-string "%T" end-time)
+                      "--interpret")))
+    ;; Print coredump information if available.
+    (when-let ((coredumpctl (executable-find "coredumpctl")))
+      (terpri)
+      (princ "Potentially useful coredump information:")
+      (terpri)
+      (call-process coredumpctl nil standard-output nil
+                    "info"
+                    "--since" (format-time-string "%F %T" start-time)
+                    "--until" (format-time-string "%F %T" end-time)
+                    "--no-pager"))))
 ;;; emacs-tests.el ends here
author	Philipp Stephani	2021-04-17 21:06:11 +0200
committer	Philipp Stephani	2021-04-17 21:08:17 +0200
commit	568ce6826fa0aaa4d5dc95880cbdc0965dc07521 (patch)
tree	806b8a6d0a42f0b8fd6e34f1d449a48617fb764d /test/src
parent	3430c12154579103c3de991bcda4558ed46a485e (diff)
download	emacs-568ce6826fa0aaa4d5dc95880cbdc0965dc07521.tar.gz emacs-568ce6826fa0aaa4d5dc95880cbdc0965dc07521.zip

diff --git a/test/src/emacs-tests.el b/test/src/emacs-tests.el index 09f9a248efb..87c3e84cdd2 100644 --- a/test/src/emacs-tests.el +++ b/test/src/emacs-tests.el
@@ -144,12 +144,14 @@ to `make-temp-file', which see."
144	(should-not (file-remote-p filter))	144	(should-not (file-remote-p filter))
145	(cl-callf file-name-unquote filter)	145	(cl-callf file-name-unquote filter)
146	(with-temp-buffer	146	(with-temp-buffer
147	(let ((status (call-process	147	(let ((start-time (current-time))
		148	(status (call-process
148	emacs nil t nil	149	emacs nil t nil
149	"--quick" "--batch"	150	"--quick" "--batch"
150	(concat "--seccomp=" filter)	151	(concat "--seccomp=" filter)
151	(format "--eval=%S" '(message "Hi")))))	152	(format "--eval=%S" '(message "Hi"))))
152	(ert-info ((format "Process output: %s" (buffer-string)))	153	(end-time (current-time)))
		154	(ert-info ((emacs-tests--seccomp-debug start-time end-time))
153	(should (eql status 0)))	155	(should (eql status 0)))
154	(should (equal (string-trim (buffer-string)) "Hi"))))))	156	(should (equal (string-trim (buffer-string)) "Hi"))))))
155		157
@@ -167,14 +169,16 @@ to `make-temp-file', which see."
167	(should-not (file-remote-p filter))	169	(should-not (file-remote-p filter))
168	(cl-callf file-name-unquote filter)	170	(cl-callf file-name-unquote filter)
169	(with-temp-buffer	171	(with-temp-buffer
170	(let ((status	172	(let ((start-time (current-time))
		173	(status
171	(call-process	174	(call-process
172	emacs nil t nil	175	emacs nil t nil
173	"--quick" "--batch"	176	"--quick" "--batch"
174	(concat "--seccomp=" filter)	177	(concat "--seccomp=" filter)
175	(format "--eval=%S" `(call-process ,emacs nil nil nil	178	(format "--eval=%S" `(call-process ,emacs nil nil nil
176	"--version")))))	179	"--version"))))
177	(ert-info ((format "Process output: %s" (buffer-string)))	180	(end-time (current-time)))
		181	(ert-info ((emacs-tests--seccomp-debug start-time end-time))
178	(should-not (eql status 0)))))))	182	(should-not (eql status 0)))))))
179		183
180	(ert-deftest emacs-tests/bwrap/allows-stdout ()	184	(ert-deftest emacs-tests/bwrap/allows-stdout ()
@@ -205,9 +209,49 @@ to `make-temp-file', which see."
205	" ")	209	" ")
206	" 20< "	210	" 20< "
207	(shell-quote-argument (file-name-unquote filter))))	211	(shell-quote-argument (file-name-unquote filter))))
208	(status (call-process bash nil t nil "-c" command)))	212	(start-time (current-time))
209	(ert-info ((format "Process output: %s" (buffer-string)))	213	(status (call-process bash nil t nil "-c" command))
		214	(end-time (current-time)))
		215	(ert-info ((emacs-tests--seccomp-debug start-time end-time))
210	(should (eql status 0)))	216	(should (eql status 0)))
211	(should (equal (string-trim (buffer-string)) "Hi"))))))	217	(should (equal (string-trim (buffer-string)) "Hi"))))))
212		218
		219	(defun emacs-tests--seccomp-debug (start-time end-time)
		220	"Return potentially useful debugging information for Seccomp.
		221	Assume that the current buffer contains subprocess output for the
		222	failing process. START-TIME and END-TIME are time values between
		223	which the process was running."
		224	;; Add a bit of slack for the timestamps.
		225	(cl-callf time-subtract start-time 5)
		226	(cl-callf time-add end-time 5)
		227	(with-output-to-string
		228	(princ "Process output:")
		229	(terpri)
		230	(princ (buffer-substring-no-properties (point-min) (point-max)))
		231	;; Search audit logs for Seccomp messages.
		232	(when-let ((ausearch (executable-find "ausearch")))
		233	(terpri)
		234	(princ "Potentially relevant Seccomp audit events:")
		235	(terpri)
		236	(let ((process-environment '("LC_TIME=C")))
		237	(call-process ausearch nil standard-output nil
		238	"--message" "SECCOMP"
		239	"--start"
		240	(format-time-string "%D" start-time)
		241	(format-time-string "%T" start-time)
		242	"--end"
		243	(format-time-string "%D" end-time)
		244	(format-time-string "%T" end-time)
		245	"--interpret")))
		246	;; Print coredump information if available.
		247	(when-let ((coredumpctl (executable-find "coredumpctl")))
		248	(terpri)
		249	(princ "Potentially useful coredump information:")
		250	(terpri)
		251	(call-process coredumpctl nil standard-output nil
		252	"info"
		253	"--since" (format-time-string "%F %T" start-time)
		254	"--until" (format-time-string "%F %T" end-time)
		255	"--no-pager"))))
		256
213	;;; emacs-tests.el ends here	257	;;; emacs-tests.el ends here