Modified test suite to make use of setcap-blessed oscap binary.

Some offline-mode tests require chroot syscalls during execution.
The build system and test suite are now aware of this and support build/usage
of oscap buddy binary that is oscap with setcap chroot blessing.

Author: matejak

docs/developer/developer.adoc

@@ -169,7 +169,21 @@ It's also possible to use `ctest` to test any other oscap binary present in the
 $ export CUSTOM_OSCAP=/usr/bin/oscap; ctest
 ----
 
-Not every check tests the oscap tool, however, when the CUSTOM_OSCAP variable is set, only the checks which do are executed.
+Some tests that use the so-called offline mode of probes need to chroot during the test execution.
+Some of those probes use the chroot syscall, which an unprivileged process is not allowed to do.
+This is not a problem during the scanning itself, as oscap is usually scanning as root.
+However, we don't want to run oscap as root during tests, as the whole test suite would have to use root privileges to clean up.
+
+Instead, build the `oscap-chrootable` target as superuser.
+This target creates the chroot-enabled binary that the test suite will use for some of those offline tests.
+Internally, the binary is stored under `OSCAP_CHROOTABLE_EXEC` variable, and the invocation suitable for tests can be done using by unquoted expansion of the `OSCAP_CHROOTABLE` variable.
+Therefore, it is recommended to run
+
+----
+$ sudo make oscap-chrootable
+----
+
+Not every check tests the oscap tool, however, when the `CUSTOM_OSCAP` variable is set, only the checks which do are executed.
 
 To enable the MITRE tests, use the `ENABLE_MITRE` flag:
 

tests/probes/symlink/test_offline_mode_symlink.sh

@@ -45,7 +45,12 @@ function test_offline_mode_symlink {
 
     bash ${srcdir}/test_offline_mode_symlink.xml.sh "" > "$DF"
     export OSCAP_PROBE_ROOT="$tmpdir"
-    $OSCAP oval eval --results $RF $DF
+    if test -x "$OSCAP_CHROOTABLE_EXEC"; then
+	    $OSCAP_CHROOTABLE oval eval --results $RF $DF
+    else
+	    echo "Skipping test '${FUNCNAME[0]}' as '$OSCAP_CHROOTABLE_EXEC' oscap with chroot capability doesn't exist."
+	    return
+    fi
 
     result=$RF
 

tests/test_common.sh.in

@@ -29,6 +29,8 @@ if [ -z ${CUSTOM_OSCAP+x} ] ; then
     else
         [ -z "@CMAKE_BINARY_DIR@" ] || export OSCAP="bash @CMAKE_BINARY_DIR@/run @CMAKE_BINARY_DIR@/utils/oscap"
     fi
+    [ -z "@CMAKE_BINARY_DIR@" ] || export OSCAP_CHROOTABLE_EXEC="@CMAKE_BINARY_DIR@/utils/oscap-chrootable"
+    [ -z "@CMAKE_BINARY_DIR@" ] || export OSCAP_CHROOTABLE="bash @CMAKE_BINARY_DIR@/run $OSCAP_CHROOTABLE_EXEC"
 else
     export OSCAP=${CUSTOM_OSCAP}
 fi

utils/CMakeLists.txt

@@ -33,6 +33,18 @@ if(ENABLE_OSCAP_UTIL)
 			DESTINATION "${CMAKE_INSTALL_MANDIR}/man8"
 		)
 	endif()
+
+	add_custom_target(oscap-chrootable-nocap
+		COMMAND cp oscap oscap-chrootable
+		COMMENT "Copying oscap binary to a buddy binary that awaits chroot blessing by setcap"
+		DEPENDS oscap
+	)
+
+	add_custom_target(oscap-chrootable
+		COMMAND setcap cap_sys_chroot+ep oscap-chrootable
+		COMMENT "Generating chroot-capable oscap buddy"
+		DEPENDS oscap-chrootable
+	)
 endif()
 if(ENABLE_OSCAP_UTIL_CHROOT)
 	install(PROGRAMS "oscap-chroot"
@@ -49,15 +61,15 @@ if(ENABLE_OSCAP_UTIL_DOCKER)
 		DESTINATION ${CMAKE_CURRENT_BINARY_DIR}
 		FILE_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
 	)
-	
+
 	if(NOT PYTHON_SITE_PACKAGES_INSTALL_DIR)
 	execute_process(COMMAND
 		${OSCAP_DOCKER_PYTHON} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(False, False, prefix='${CMAKE_INSTALL_PREFIX}'))"
 		OUTPUT_VARIABLE PYTHON_SITE_PACKAGES_INSTALL_DIR
 		OUTPUT_STRIP_TRAILING_WHITESPACE
 	)
 	endif()
-	
+
 	install(DIRECTORY oscap_docker_python
 		DESTINATION ${PYTHON_SITE_PACKAGES_INSTALL_DIR}
 	)