From 568ce6826fa0aaa4d5dc95880cbdc0965dc07521 Mon Sep 17 00:00:00 2001 From: Philipp Stephani Date: Sat, 17 Apr 2021 21:06:11 +0200 Subject: [PATCH] Attempt to print some debugging information on Seccomp failures. Try to search the audit log as well as recent core dumps. * test/src/emacs-tests.el (emacs-tests--seccomp-debug): New helper function. (emacs-tests/seccomp/allows-stdout) (emacs-tests/seccomp/forbids-subprocess) (emacs-tests/bwrap/allows-stdout): Use it. --- test/src/emacs-tests.el | 60 +++++++++++++++++++++++++++++++++++------ 1 file changed, 52 insertions(+), 8 deletions(-) diff --git a/test/src/emacs-tests.el b/test/src/emacs-tests.el index 09f9a248efb..87c3e84cdd2 100644 --- a/test/src/emacs-tests.el +++ b/test/src/emacs-tests.el @@ -144,12 +144,14 @@ to `make-temp-file', which see." (should-not (file-remote-p filter)) (cl-callf file-name-unquote filter) (with-temp-buffer - (let ((status (call-process + (let ((start-time (current-time)) + (status (call-process emacs nil t nil "--quick" "--batch" (concat "--seccomp=" filter) - (format "--eval=%S" '(message "Hi"))))) - (ert-info ((format "Process output: %s" (buffer-string))) + (format "--eval=%S" '(message "Hi")))) + (end-time (current-time))) + (ert-info ((emacs-tests--seccomp-debug start-time end-time)) (should (eql status 0))) (should (equal (string-trim (buffer-string)) "Hi")))))) @@ -167,14 +169,16 @@ to `make-temp-file', which see." (should-not (file-remote-p filter)) (cl-callf file-name-unquote filter) (with-temp-buffer - (let ((status + (let ((start-time (current-time)) + (status (call-process emacs nil t nil "--quick" "--batch" (concat "--seccomp=" filter) (format "--eval=%S" `(call-process ,emacs nil nil nil - "--version"))))) - (ert-info ((format "Process output: %s" (buffer-string))) + "--version")))) + (end-time (current-time))) + (ert-info ((emacs-tests--seccomp-debug start-time end-time)) (should-not (eql status 0))))))) (ert-deftest emacs-tests/bwrap/allows-stdout () 
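Review bot: In `emacs-tests/seccomp/allows-stdout`, `(emacs-tests--seccomp-debug start-time end-time)` is the message form of `ert-info`, which as far as I can tell is evaluated before the body runs, so `ausearch` and `coredumpctl` are spawned on every run of the test, including passing ones. The same pattern is repeated in the `emacs-tests/seccomp/forbids-subprocess` hunk and in the `emacs-tests/bwrap/allows-stdout` hunk. Consider collecting the extra data only when the status is not the expected one, e.g. `(ert-info ((if (eql status 0) "" (emacs-tests--seccomp-debug start-time end-time))) ...)` for the two allows-stdout tests, with the inverse condition for forbids-subprocess. The enclosing `ert-deftest` forms start outside the hunks.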
@@ -205,9 +209,49 @@ to `make-temp-file', which see." " ") " 20< " (shell-quote-argument (file-name-unquote filter)))) - (status (call-process bash nil t nil "-c" command))) - (ert-info ((format "Process output: %s" (buffer-string))) + (start-time (current-time)) + (status (call-process bash nil t nil "-c" command)) + (end-time (current-time))) + (ert-info ((emacs-tests--seccomp-debug start-time end-time)) (should (eql status 0))) (should (equal (string-trim (buffer-string)) "Hi")))))) +(defun emacs-tests--seccomp-debug (start-time end-time) + "Return potentially useful debugging information for Seccomp. +Assume that the current buffer contains subprocess output for the +failing process. START-TIME and END-TIME are time values between +which the process was running." + ;; Add a bit of slack for the timestamps. + (cl-callf time-subtract start-time 5) + (cl-callf time-add end-time 5) + (with-output-to-string + (princ "Process output:") + (terpri) + (princ (buffer-substring-no-properties (point-min) (point-max))) + ;; Search audit logs for Seccomp messages. + (when-let ((ausearch (executable-find "ausearch"))) + (terpri) + (princ "Potentially relevant Seccomp audit events:") + (terpri) + (let ((process-environment '("LC_TIME=C"))) + (call-process ausearch nil standard-output nil + "--message" "SECCOMP" + "--start" + (format-time-string "%D" start-time) + (format-time-string "%T" start-time) + "--end" + (format-time-string "%D" end-time) + (format-time-string "%T" end-time) + "--interpret"))) + ;; Print coredump information if available. + (when-let ((coredumpctl (executable-find "coredumpctl"))) + (terpri) + (princ "Potentially useful coredump information:") + (terpri) + (call-process coredumpctl nil standard-output nil + "info" + "--since" (format-time-string "%F %T" start-time) + "--until" (format-time-string "%F %T" end-time) + "--no-pager")))) + ;;; emacs-tests.el ends here -- 2.39.5
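Review bot: Both queries in `emacs-tests--seccomp-debug` are scoped only by a time window (widened by 5 seconds on each side), so the text attached to a test failure can include Seccomp audit events and core-dump metadata from unrelated processes on the machine, which then end up in test or CI logs. Passing the Emacs executable into the helper and filtering on it would keep the output relevant, e.g. adding `"-x" emacs` to the `ausearch` call and the executable path as a match argument after `"info"` for `coredumpctl`; in the bwrap test the crashing process may be `bwrap` rather than Emacs, so that call may need both. The exit status of both `call-process` calls is discarded, and since `ausearch` usually needs elevated privileges to read the audit log, printing that status would make an empty section distinguishable from a failed query. The docstring could also state that the function runs `ausearch` and `coredumpctl` when they are found on the system.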