#8 please, do not merge
Closed 2 years ago by mcermak. Opened 2 years ago by mcermak.
Unknown source rawhide  into  rawhide

@@ -0,0 +1,81 @@

+ #!/bin/bash

+ 

+ set -xeo pipefail

+ 

+ 

+ export DEBUGINFOD_VERBOSE=1

+ export DEBUGINFOD_CACHE_PATH=$HOME/.debuginfod_client_cache/

+ 

+ # Initial cleanup

+ systemctl stop debuginfod

+ rm -rf ~/.cache/debuginfod_client

+ rm -rf /usr/src/my_extra_rpms $DEBUGINFOD_CACHE_PATH

+ mkdir $DEBUGINFOD_CACHE_PATH

+ journalctl -g debuginfod -f &

+ logger=$!

+ 

+ # Set up a delay.  A delay of 3 worked for me reliably for manual testing.

+ DELAY=120

+ 

+ # Clean up after possible previous failed (=> unfinished) run of this testcase

+ rm -rf /usr/src/my_extra_rpms $HOME/.debuginfod_client_cache

+ 

+ # Check the config file is there

+ cat /etc/sysconfig/debuginfod

+ 

+ # Make sure the config file doesn't contain unwanted relicts

+ # from possible previous failed run of this testcase

+ fgrep DEBUGINFOD_PATHS /etc/sysconfig/debuginfod | (! fgrep /usr/src/my_extra_rpms)

+ 

+ # Add some directory to the DEBUGINFOD_PATH and configure it

+ # within /etc/sysconfig/debuginfod

+ mkdir -p /usr/src/my_extra_rpms

+ sed -i 's/DEBUGINFOD_PATHS="[^"]*/\0\ \/usr\/src\/my_extra_rpms/' /etc/sysconfig/debuginfod

+ fgrep DEBUGINFOD_PATHS /etc/sysconfig/debuginfod | fgrep /usr/src/my_extra_rpms

+ 

+ # Note the DEBUGINFOD_PORT in the sysconfig file

+ # and use it to export the server URL for the client to use

+ source /etc/sysconfig/debuginfod

+ export DEBUGINFOD_URLS="localhost:$DEBUGINFOD_PORT"

+ 

+ # Get the build-id from some installed binary and make sure

+ # it isn't found

+ buildid=$(eu-unstrip -n -e /usr/bin/true | cut -f2 -d\ | cut -f1 -d@)

+ ! debuginfod-find executable $buildid

+ 

+ # Start the service

+ systemctl start debuginfod

+ 

+ # Give it some time to index

+ sleep $DELAY

+ 

+ # Now the binary should be found

+ debuginfod-find executable $buildid

+ 

+ # Take a small debuginfo rpm and make sure you know the buildid of

+ # some .debug file in to the directory you created and added to

+ # the DEBUGINFO_PATH in the config file.

+ cp sshpass-debuginfo-1.09-2.fc35.x86_64.rpm /usr/src/my_extra_rpms

+ 

+ # Make sure the denuginfo can't be found yet

+ # Related:

+ # - https://bugzilla.redhat.com/show_bug.cgi?id=2023454

+ # - https://sourceware.org/bugzilla/show_bug.cgi?id=28240

+ ! debuginfod-find debuginfo 73952ed43c6edc82cc92186a581ec27f009c529c

+ echo 0 > $DEBUGINFOD_CACHE_PATH/cache_miss_s

+ 

+ # Tell debuginfod to start indexing immediately

+ debuginfod_pid=$(systemctl status debuginfod | fgrep PID | grep -Po '\d+')

+ kill -SIGUSR1 $debuginfod_pid

+ 

+ # Give it some time to index

+ sleep $DELAY

+ 

+ # Try to find the debug file with the known buildid

+ debuginfod-find debuginfo 73952ed43c6edc82cc92186a581ec27f009c529c

+ 

+ # Clean up

+ rm -rf /usr/src/my_extra_rpms $HOME/.debuginfod_client_cache

+ 

+ # Kill the logger

+ kill $logger
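Review bot: The two negative checks, `! debuginfod-find executable $buildid` and the later `! debuginfod-find debuginfo …`, can never fail the script, because bash exempts a command whose status is inverted with `!` from `set -e`. If the lookup unexpectedly succeeds, the run continues and the "not found yet" precondition goes unverified. An explicit form such as `if debuginfod-find executable "$buildid"; then exit 1; fi` makes it a real assertion. The `(! fgrep …)` subshell earlier in the file is unaffected, since there the inverted status becomes the status of the pipeline. Separately, `set -e` skips the final `rm -rf` and `kill $logger` on any failure; a `trap` on EXIT near the top would stop the background `journalctl` and remove `/usr/src/my_extra_rpms` on every exit path.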

@@ -0,0 +1,14 @@

+ summary: elfutils-debuginfod

+ description: ''

+ contact: Martin Cermak <mcermak@redhat.com>

+ component:

+ - elfutils

+ test: ./runtest.sh

+ framework: beakerlib

+ recommend:

+ - elfutils

+ - elfutils-debuginfod

+ - elfutils-debuginfod-client

+ duration: 48h

+ extra-summary: /tools/elfutils/Sanity/elfutils-debuginfod

+ extra-task: /tools/elfutils/Sanity/elfutils-debuginfod

@@ -0,0 +1,54 @@

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /tools/elfutils/Sanity/elfutils-debuginfod

+ #   Description: elfutils-debuginfod

+ #   Author: Martin Cermak <mcermak@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2019 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="elfutils"

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         for p in elfutils-debuginfod elfutils-debuginfod-client; do

+             rlAssertRpm $p

+         done

+         rlRun "TMPD=$(mktemp -d)"

+         rlRun "cp body.sh sshpass-debuginfo-1.09-2.fc35.x86_64.rpm $TMPD"

+         rlRun "pushd $TMPD"

+         rlFileBackup /etc/sysconfig/debuginfod

+     rlPhaseEnd

+ 

+     rlPhaseStartTest

+         rlRun "./body.sh"

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         rlFileRestore

+         rlRun "popd"

+         rlRun "rm -r $TMPD"

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd
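Review bot: The Cleanup phase restores `/etc/sysconfig/debuginfod` but never returns the debuginfod service to its previous state, so after the test the daemon keeps running with the test-time configuration and keeps listening on its port. Since body.sh runs under `set -e`, its own trailing cleanup is skipped on any failure, and `/usr/src/my_extra_rpms` can be left behind as well. Consider `rlServiceStop debuginfod` in Setup, paired with `rlServiceRestore debuginfod` and `rlRun "rm -rf /usr/src/my_extra_rpms"` in Cleanup. Also note that `rlRun "TMPD=$(mktemp -d)"` expands `mktemp` before `rlRun` sees it, so a failing `mktemp` is logged as a successful empty assignment; `TMPD=$(mktemp -d) || rlDie "mktemp failed"` would catch that.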

@@ -0,0 +1,16 @@

+ summary: yama-scope

+ description: |

+     Bug summary: Enable provide_yama_scope for rhel >= 7.4

+     Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1455514

+ contact: Martin Cermak <mcermak@redhat.com>

+ component:

+ - elfutils

+ test: ./runtest.sh

+ framework: beakerlib

+ recommend:

+ - elfutils

+ duration: 48h

+ link:

+ -   relates: https://bugzilla.redhat.com/show_bug.cgi?id=1455514

+ extra-summary: /tools/elfutils/Sanity/yama-scope

+ extra-task: /tools/elfutils/Sanity/yama-scope

@@ -0,0 +1,8 @@

+ #!/bin/bash

+ 

+ RETVAL=0

+ OUT=$(mktemp)

+ eu-stack -p $$ |& tee $OUT

+ grep -i 'operation not permitted' $OUT && RETVAL=1

+ rm $OUT

+ exit $RETVAL
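Review bot: The verdict rests only on grepping for the English string 'operation not permitted', and the exit status of `eu-stack` is discarded by the pipe into `tee`. A ptrace denial reported under another locale or with different wording, or `eu-stack` failing for an unrelated reason, would be reported as a pass, which matters because the caller runs this through `su -` with the test user's environment. Pin the locale with `LC_ALL=C eu-stack -p $$ |& tee "$OUT"`, and consider recording `${PIPESTATUS[0]}` so that an unexpected eu-stack failure is at least visible in the log. `$OUT` should be quoted in all three places where it is used.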

@@ -0,0 +1,108 @@

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /tools/elfutils/Sanity/yama-scope

+ #   Description: yama-scope

+ #   Author: Martin Cermak <mcermak@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2017 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="elfutils"

+ MY_USER="ptrace_scope_testuser"

+ TESTCASE="/tmp/ptrace-scope-test.sh"

+ PROCFILE='/proc/sys/kernel/yama/ptrace_scope'

+ 

+ test_root()

+ {

+     $TESTCASE

+ }

+ 

+ test_user()

+ {

+     su - $MY_USER -c $TESTCASE

+ }

+ 

+ rlJournalStart

+     rlPhaseStartTest

+ 

+ # This can easily be tested with strace. Just cycle through the settings:

+ 

+ # 0 - Default attach security permissions.

+ # 1 - Restricted attach. Only child processes plus normal permissions.

+ # 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.

+ # 3 - No attach. No process may call ptrace at all. Irrevocable.

+ 

+ # echo 0 > /proc/sys/kernel/yama/ptrace_scope

+ 

+ # With 0, strace works against any process with your uid. For example, strace -p 2190.

+ # With 1, strace errors when doing the same as in 0: strace: attach: ptrace(PTRACE_SEIZE, 3180): Operation not permitted. However, you can strace any program you run from strace, "strace /bin/ls" or example.

+ # With 2, you can only strace from the root account. You can no longer strace commands run from strace.

+ # With 3, even root cannot strace.

+ 

+ # ---

+ 

+ # possible related AVCs tracked as https://bugzilla.redhat.com/show_bug.cgi?id=1458999

+ 

+ # ---

+ 

+             rlRun "useradd $MY_USER" 0,9

+ 

+             rlRun "cp ptrace-scope-test.sh /tmp/"

+             rlRun "chmod a+rx /tmp/ptrace-scope-test.sh"

+ 

+             rlRun "ORIGVAL=$( cat $PROCFILE )"

+ 

+             # First, test the default behaviour, which is "no restriction"

+             # from the ptrace perspective. Here we assume that

+             # elfutils-default-yama-scope.rpm is installed and so the default

+             # yama policy is set to 0 instead of 1 which would otherwise be set

+             # as a kernel default (security/yama/yama_lsm.c ---> YAMA_SCOPE_RELATIONAL)

+             rlRun test_root

+             rlRun test_user

+ 

+             rlRun "echo 0 > $PROCFILE"

+             rlRun test_root

+             rlRun test_user

+             rlRun "echo 1 > $PROCFILE"

+             rlRun test_root

+             rlRun test_user 1

+             rlRun "echo 2 > $PROCFILE"

+             rlRun test_root

+             rlRun test_user 1

+             # Following subtest would be irrevertible (till next reboot)

+             # rlRun "echo 3 > $PROCFILE"

+             # rlRun test_root 1

+             # rlRun test_user 1

+ 

+             rlRun "userdel -f $MY_USER"

+ 

+ # This testcase could be more complex - using child and non-child processes and

+ # performing reboots.  But let's keep this simple, since we are not testing the

+ # kernel facility, but merely an elfutils "plugin" for it, whose purpose is to

+ # set the default yama policy as such.

+ 

+             rlRun "echo $ORIGVAL > $PROCFILE"

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd
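Review bot: `TESTCASE="/tmp/ptrace-scope-test.sh"` is a fixed name in a world-writable directory, and `test_root` then executes that file as root. If the path already exists and belongs to another local account, `cp` writes into that file without changing its owner, so its content can change again before root runs it. A private directory avoids this, e.g. `TESTDIR=$(mktemp -d) && chmod a+rx "$TESTDIR"` with `TESTCASE="$TESTDIR/ptrace-scope-test.sh"`, removed again at the end; the script is currently never deleted. The `echo $ORIGVAL > $PROCFILE` restore and the `userdel` would also be safer in an `rlPhaseStartCleanup` block, so that the original ptrace_scope value is restored as a distinct, always-reported step.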

no initial comment

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • Fix a thinko.
2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

Pull-Request has been closed by mcermak

2 years ago