Attempt to print some debugging information on Seccomp failures.

Try to search the audit log as well as recent core dumps.

* test/src/emacs-tests.el (emacs-tests--seccomp-debug): New helper
function.
(emacs-tests/seccomp/allows-stdout)
(emacs-tests/seccomp/forbids-subprocess)
(emacs-tests/bwrap/allows-stdout): Use it.

diff --git a/test/src/emacs-tests.el b/test/src/emacs-tests.el
index 09f9a248efb1482969d48de2437c0b17e63c9a3e..87c3e84cdd28e6b2e5e23551b241a0af95185413 100644 (file)
--- a/test/src/emacs-tests.el
+++ b/test/src/emacs-tests.el
@@ -144,12 +144,14 @@ to `make-temp-file', which see."
     (should-not (file-remote-p filter))
     (cl-callf file-name-unquote filter)
     (with-temp-buffer
-      (let ((status (call-process
+      (let ((start-time (current-time))
+            (status (call-process
                      emacs nil t nil
                      "--quick" "--batch"
                      (concat "--seccomp=" filter)
-                     (format "--eval=%S" '(message "Hi")))))
-        (ert-info ((format "Process output: %s" (buffer-string)))
+                     (format "--eval=%S" '(message "Hi"))))
+            (end-time (current-time)))
+        (ert-info ((emacs-tests--seccomp-debug start-time end-time))
           (should (eql status 0)))
         (should (equal (string-trim (buffer-string)) "Hi"))))))
 
@@ -167,14 +169,16 @@ to `make-temp-file', which see."
     (should-not (file-remote-p filter))
     (cl-callf file-name-unquote filter)
     (with-temp-buffer
-      (let ((status
+      (let ((start-time (current-time))
+            (status
              (call-process
               emacs nil t nil
               "--quick" "--batch"
               (concat "--seccomp=" filter)
               (format "--eval=%S" `(call-process ,emacs nil nil nil
-                                                 "--version")))))
-        (ert-info ((format "Process output: %s" (buffer-string)))
+                                                 "--version"))))
+            (end-time (current-time)))
+        (ert-info ((emacs-tests--seccomp-debug start-time end-time))
           (should-not (eql status 0)))))))
 
 (ert-deftest emacs-tests/bwrap/allows-stdout ()
@@ -205,9 +209,49 @@ to `make-temp-file', which see."
                           " ")
                " 20< "
                (shell-quote-argument (file-name-unquote filter))))
-             (status (call-process bash nil t nil "-c" command)))
-        (ert-info ((format "Process output: %s" (buffer-string)))
+             (start-time (current-time))
+             (status (call-process bash nil t nil "-c" command))
+             (end-time (current-time)))
+        (ert-info ((emacs-tests--seccomp-debug start-time end-time))
           (should (eql status 0)))
         (should (equal (string-trim (buffer-string)) "Hi"))))))
 
+(defun emacs-tests--seccomp-debug (start-time end-time)
+  "Return potentially useful debugging information for Seccomp.
+Assume that the current buffer contains subprocess output for the
+failing process.  START-TIME and END-TIME are time values between
+which the process was running."
+  ;; Add a bit of slack for the timestamps.
+  (cl-callf time-subtract start-time 5)
+  (cl-callf time-add end-time 5)
+  (with-output-to-string
+    (princ "Process output:")
+    (terpri)
+    (princ (buffer-substring-no-properties (point-min) (point-max)))
+    ;; Search audit logs for Seccomp messages.
+    (when-let ((ausearch (executable-find "ausearch")))
+      (terpri)
+      (princ "Potentially relevant Seccomp audit events:")
+      (terpri)
+      (let ((process-environment '("LC_TIME=C")))
+        (call-process ausearch nil standard-output nil
+                      "--message" "SECCOMP"
+                      "--start"
+                      (format-time-string "%D" start-time)
+                      (format-time-string "%T" start-time)
+                      "--end"
+                      (format-time-string "%D" end-time)
+                      (format-time-string "%T" end-time)
+                      "--interpret")))
+    ;; Print coredump information if available.
+    (when-let ((coredumpctl (executable-find "coredumpctl")))
+      (terpri)
+      (princ "Potentially useful coredump information:")
+      (terpri)
+      (call-process coredumpctl nil standard-output nil
+                    "info"
+                    "--since" (format-time-string "%F %T" start-time)
+                    "--until" (format-time-string "%F %T" end-time)
+                    "--no-pager"))))
+
 ;;; emacs-tests.el ends here