
Commit 552f0f5

committed
Refactored offline tests support code.
1 parent c987667 commit 552f0f5


3 files changed

+50
-10
lines changed


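--- a/docs/developer/developer.adoc
+++ b/docs/developer/developer.adoc
@@ -174,9 +174,9 @@ Some of those probes use the chroot syscall, which an unprivileged process is no
 This is not a problem during the scanning itself, as oscap is usually scanning as root.
 However, we don't want to run oscap as root during tests, as the whole test suite would have to use root privileges to clean up.
 
-Instead, build the `oscap-chrootable` target as superuser.
-This target creates the chroot-enabled binary that the test suite will use for some of those offline tests.
-Internally, the binary is stored under `OSCAP_CHROOTABLE_EXEC` variable, and the invocation suitable for tests can be done using by unquoted expansion of the `OSCAP_CHROOTABLE` variable.
+Instead, build the `oscap-chrootable` target as superuser, or build `oscap-chrootable-nocap` first and then grant the capability manually.
+This target creates the binary that the test suite will use for some of those offline tests.
+In offline tests, use the `set_offline_test_mode [chroot directory]` and `unset_offline_test_mode` functions from the common test module - those will set variables in such way that the unquoted `$OSCAP` invocation will use the chroot-capable binary, or it will exit with an error code, aborting the test.
 Therefore, it is recommended to run
 
 ----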

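--- a/tests/probes/symlink/test_offline_mode_symlink.sh
+++ b/tests/probes/symlink/test_offline_mode_symlink.sh
@@ -44,13 +44,12 @@ function test_offline_mode_symlink {
 
 
 bash ${srcdir}/test_offline_mode_symlink.xml.sh "" > "$DF"
-export OSCAP_PROBE_ROOT="$tmpdir"
-if test -x "$OSCAP_CHROOTABLE_EXEC"; then
-$OSCAP_CHROOTABLE oval eval --results $RF $DF
-else
-echo "Skipping test '${FUNCNAME[0]}' as '$OSCAP_CHROOTABLE_EXEC' oscap with chroot capability doesn't exist."
-return
-fi
+
+set_chroot_offline_test_mode "$tmpdir"
+
+$OSCAP oval eval --results $RF $DF
+
+unset_chroot_offline_test_mode
 
 result=$RF
 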
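Review bot: The status of `set_chroot_offline_test_mode "$tmpdir"` is not checked, so when the helper returns 255 (binary missing or without the capability) the next line still runs `$OSCAP oval eval` with the ordinary oscap and no `OSCAP_PROBE_ROOT`, which would evaluate the host rather than the chroot tree. Unless the test harness runs under `set -e` (not visible here), the call should propagate the skip, for example `set_chroot_offline_test_mode "$tmpdir" || return 255`. The body of `test_offline_mode_symlink` starts and ends outside the hunk, so any later status handling cannot be seen from here.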

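--- a/tests/test_common.sh.in
+++ b/tests/test_common.sh.in
@@ -184,4 +184,45 @@ assert_exists() {
 return 1
 fi
 }
+
+# $1: The chroot directory
+set_chroot_offline_test_mode() {
+if test -n "$_OSCAP_BEFORE"; then
+echo "Already in offline test mode!" >&2
+return
+fi
+if test -x "$OSCAP_CHROOTABLE_EXEC"; then
+if ! getcap "$OSCAP_CHROOTABLE_EXEC" | grep -q 'cap_sys_chroot+ep'; then
+echo "Skipping test '${FUNCNAME[1]}' as '$OSCAP_CHROOTABLE_EXEC' doesn't have the chroot capability." >&2
+return 255
+fi
+else
+echo "Skipping test '${FUNCNAME[1]}' as '$OSCAP_CHROOTABLE_EXEC' oscap which is supposed to have chroot capability doesn't exist." >&2
+return 255
+fi
+_OSCAP_BEFORE="$OSCAP"
+OSCAP="$OSCAP_CHROOTABLE"
+set_offline_chroot_dir "$1"
+return 0
+}
+
+# $1: The chroot directory. If empty, unset the OSCAP_PROBE_ROOT variable
+set_offline_chroot_dir() {
+if test -n "$1"; then
+export OSCAP_PROBE_ROOT="$1"
+else
+unset OSCAP_PROBE_ROOT
+fi
+}
+
+unset_chroot_offline_test_mode() {
+if ! test -n "$_OSCAP_BEFORE"; then
+echo "Not in the offline test mode!" >&2
+return
+fi
+OSCAP="$_OSCAP_BEFORE"
+set_offline_chroot_dir ""
+_OSCAP_BEFORE=
+}
+
 export -f assert_exists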
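Review bot: The capability check in `set_chroot_offline_test_mode` matches the literal text `cap_sys_chroot+ep`, which ties it to one getcap output format; newer libcap releases appear to print `cap_sys_chroot=ep`, in which case a correctly prepared binary would be reported as lacking the capability and every offline test silently skipped. A more tolerant match such as `grep -Eq 'cap_sys_chroot[+=]ep'` avoids that. The bare `return` in the "Already in offline test mode!" branch yields status 0, so a caller cannot tell that its chroot directory was ignored; `return 1` would make the misuse visible. The developer.adoc text in this commit also names the helpers `set_offline_test_mode` and `unset_offline_test_mode`, while the functions defined here are `set_chroot_offline_test_mode` and `unset_chroot_offline_test_mode`, so one side needs renaming.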
