Refactored offline tests support code.

Author: matejak

docs/developer/developer.adoc

@@ -174,9 +174,9 @@ Some of those probes use the chroot syscall, which an unprivileged process is no
 This is not a problem during the scanning itself, as oscap is usually scanning as root.
 However, we don't want to run oscap as root during tests, as the whole test suite would have to use root privileges to clean up.
 
-Instead, build the `oscap-chrootable` target as superuser.
-This target creates the chroot-enabled binary that the test suite will use for some of those offline tests.
-Internally, the binary is stored under `OSCAP_CHROOTABLE_EXEC` variable, and the invocation suitable for tests can be done using by unquoted expansion of the `OSCAP_CHROOTABLE` variable.
+Instead, build the `oscap-chrootable` target as superuser, or build `oscap-chrootable-nocap` first and then grant the capability manually.
+This target creates the binary that the test suite will use for some of those offline tests.
+In offline tests, use the `set_offline_test_mode [chroot directory]` and `unset_offline_test_mode` functions from the common test module - those will set variables in such way that the unquoted `$OSCAP` invocation will use the chroot-capable binary, or it will exit with an error code, aborting the test.
 Therefore, it is recommended to run
 
 ----

tests/probes/symlink/test_offline_mode_symlink.sh

@@ -44,13 +44,12 @@ function test_offline_mode_symlink {
 
 
     bash ${srcdir}/test_offline_mode_symlink.xml.sh "" > "$DF"
-    export OSCAP_PROBE_ROOT="$tmpdir"
-    if test -x "$OSCAP_CHROOTABLE_EXEC"; then
-	    $OSCAP_CHROOTABLE oval eval --results $RF $DF
-    else
-	    echo "Skipping test '${FUNCNAME[0]}' as '$OSCAP_CHROOTABLE_EXEC' oscap with chroot capability doesn't exist."
-	    return
-    fi
+
+    set_chroot_offline_test_mode "$tmpdir"
+
+    $OSCAP oval eval --results $RF $DF
+
+    unset_chroot_offline_test_mode
 
     result=$RF
 

tests/test_common.sh.in

@@ -184,4 +184,45 @@ assert_exists() {
                 return 1
         fi
 }
+
+# $1: The chroot directory
+set_chroot_offline_test_mode() {
+	if test -n "$_OSCAP_BEFORE"; then
+		echo "Already in offline test mode!" >&2
+		return
+	fi
+	if test -x "$OSCAP_CHROOTABLE_EXEC"; then
+		if ! getcap "$OSCAP_CHROOTABLE_EXEC" | grep -q 'cap_sys_chroot+ep'; then
+			echo "Skipping test '${FUNCNAME[1]}' as '$OSCAP_CHROOTABLE_EXEC' doesn't have the chroot capability." >&2
+			return 255
+		fi
+	else
+		echo "Skipping test '${FUNCNAME[1]}' as '$OSCAP_CHROOTABLE_EXEC' oscap which is supposed to have chroot capability doesn't exist." >&2
+		return 255
+	fi
+	_OSCAP_BEFORE="$OSCAP"
+	OSCAP="$OSCAP_CHROOTABLE"
+	set_offline_chroot_dir "$1"
+	return 0
+}
+
+# $1: The chroot directory. If empty, unset the OSCAP_PROBE_ROOT variable
+set_offline_chroot_dir() {
+	if test -n "$1"; then
+		export OSCAP_PROBE_ROOT="$1"
+	else
+		unset OSCAP_PROBE_ROOT
+	fi
+}
+
+unset_chroot_offline_test_mode() {
+	if ! test -n "$_OSCAP_BEFORE"; then
+		echo "Not in the offline test mode!" >&2
+		return
+	fi
+	OSCAP="$_OSCAP_BEFORE"
+	set_offline_chroot_dir ""
+	_OSCAP_BEFORE=
+}
+
 export -f assert_exists