CI Gating: Add tests for debuginfod and yama

tests/Sanity/elfutils-debuginfod/body.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+
+set -xeo pipefail
+
+
+export DEBUGINFOD_VERBOSE=1
+export DEBUGINFOD_CACHE_PATH=$HOME/.debuginfod_client_cache/
+
+# Initial cleanup
+systemctl stop debuginfod
+rm -rf ~/.cache/debuginfod_client
+rm -rf /usr/src/my_extra_rpms $DEBUGINFOD_CACHE_PATH
+mkdir $DEBUGINFOD_CACHE_PATH
+journalctl -g debuginfod -f &
+logger=$!
+
+# Set up a delay.  A delay of 3 worked for me reliably for manual testing.
+DELAY=120
+
+# Clean up after possible previous failed (=> unfinished) run of this testcase
+rm -rf /usr/src/my_extra_rpms $HOME/.debuginfod_client_cache
+
+# Check the config file is there
+cat /etc/sysconfig/debuginfod
+
+# Make sure the config file doesn't contain unwanted relicts
+# from possible previous failed run of this testcase
+fgrep DEBUGINFOD_PATHS /etc/sysconfig/debuginfod | (! fgrep /usr/src/my_extra_rpms)
+
+# Add some directory to the DEBUGINFOD_PATH and configure it
+# within /etc/sysconfig/debuginfod
+mkdir -p /usr/src/my_extra_rpms
+sed -i 's/DEBUGINFOD_PATHS="[^"]*/\0\ \/usr\/src\/my_extra_rpms/' /etc/sysconfig/debuginfod
+fgrep DEBUGINFOD_PATHS /etc/sysconfig/debuginfod | fgrep /usr/src/my_extra_rpms
+
+# Note the DEBUGINFOD_PORT in the sysconfig file
+# and use it to export the server URL for the client to use
+source /etc/sysconfig/debuginfod
+export DEBUGINFOD_URLS="localhost:$DEBUGINFOD_PORT"
+
+# Get the build-id from some installed binary and make sure
+# it isn't found
+buildid=$(eu-unstrip -n -e /usr/bin/true | cut -f2 -d\ | cut -f1 -d@)
+! debuginfod-find executable $buildid
+
+# Start the service
+systemctl start debuginfod
+
+# Give it some time to index
+sleep $DELAY
+
+# Now the binary should be found
+debuginfod-find executable $buildid
+
+# Take a small debuginfo rpm and make sure you know the buildid of
+# some .debug file in to the directory you created and added to
+# the DEBUGINFO_PATH in the config file.
+cp sshpass-debuginfo-1.09-2.fc35.x86_64.rpm /usr/src/my_extra_rpms
+
+# Make sure the denuginfo can't be found yet
+# Related:
+# - https://bugzilla.redhat.com/show_bug.cgi?id=2023454
+# - https://sourceware.org/bugzilla/show_bug.cgi?id=28240
+! debuginfod-find debuginfo 73952ed43c6edc82cc92186a581ec27f009c529c
+echo 0 > $DEBUGINFOD_CACHE_PATH/cache_miss_s
+
+# Tell debuginfod to start indexing immediately
+debuginfod_pid=$(systemctl status debuginfod | fgrep PID | grep -Po '\d+')
+kill -SIGUSR1 $debuginfod_pid
+
+# Give it some time to index
+sleep $DELAY
+
+# Try to find the debug file with the known buildid
+debuginfod-find debuginfo 73952ed43c6edc82cc92186a581ec27f009c529c
+
+# Clean up
+rm -rf /usr/src/my_extra_rpms $HOME/.debuginfod_client_cache
+
+# Kill the logger
+kill $logger

tests/Sanity/elfutils-debuginfod/main.fmf

@@ -0,0 +1,14 @@
+summary: elfutils-debuginfod
+description: ''
+contact: Martin Cermak <mcermak@redhat.com>
+component:
+- elfutils
+test: ./runtest.sh
+framework: beakerlib
+recommend:
+- elfutils
+- elfutils-debuginfod
+- elfutils-debuginfod-client
+duration: 48h
+extra-summary: /tools/elfutils/Sanity/elfutils-debuginfod
+extra-task: /tools/elfutils/Sanity/elfutils-debuginfod

tests/Sanity/elfutils-debuginfod/runtest.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /tools/elfutils/Sanity/elfutils-debuginfod
+#   Description: elfutils-debuginfod
+#   Author: Martin Cermak <mcermak@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2019 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="elfutils"
+
+rlJournalStart
+    rlPhaseStartSetup
+        for p in elfutils-debuginfod elfutils-debuginfod-client; do
+            rlAssertRpm $p
+        done
+        rlRun "TMPD=$(mktemp -d)"
+        rlRun "cp body.sh sshpass-debuginfo-1.09-2.fc35.x86_64.rpm $TMPD"
+        rlRun "pushd $TMPD"
+        rlFileBackup /etc/sysconfig/debuginfod
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "./body.sh"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlFileRestore
+        rlRun "popd"
+        rlRun "rm -r $TMPD"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/Sanity/yama-scope/main.fmf

@@ -0,0 +1,16 @@
+summary: yama-scope
+description: |
+    Bug summary: Enable provide_yama_scope for rhel >= 7.4
+    Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1455514
+contact: Martin Cermak <mcermak@redhat.com>
+component:
+- elfutils
+test: ./runtest.sh
+framework: beakerlib
+recommend:
+- elfutils
+duration: 48h
+link:
+-   relates: https://bugzilla.redhat.com/show_bug.cgi?id=1455514
+extra-summary: /tools/elfutils/Sanity/yama-scope
+extra-task: /tools/elfutils/Sanity/yama-scope

tests/Sanity/yama-scope/ptrace-scope-test.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+RETVAL=0
+OUT=$(mktemp)
+eu-stack -p $$ |& tee $OUT
+grep -i 'operation not permitted' $OUT && RETVAL=1
+rm $OUT
+exit $RETVAL

tests/Sanity/yama-scope/runtest.sh

@@ -0,0 +1,108 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /tools/elfutils/Sanity/yama-scope
+#   Description: yama-scope
+#   Author: Martin Cermak <mcermak@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="elfutils"
+MY_USER="ptrace_scope_testuser"
+TESTCASE="/tmp/ptrace-scope-test.sh"
+PROCFILE='/proc/sys/kernel/yama/ptrace_scope'
+
+test_root()
+{
+    $TESTCASE
+}
+
+test_user()
+{
+    su - $MY_USER -c $TESTCASE
+}
+
+rlJournalStart
+    rlPhaseStartTest
+
+# This can easily be tested with strace. Just cycle through the settings:
+
+# 0 - Default attach security permissions.
+# 1 - Restricted attach. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+
+# echo 0 > /proc/sys/kernel/yama/ptrace_scope
+
+# With 0, strace works against any process with your uid. For example, strace -p 2190.
+# With 1, strace errors when doing the same as in 0: strace: attach: ptrace(PTRACE_SEIZE, 3180): Operation not permitted. However, you can strace any program you run from strace, "strace /bin/ls" or example.
+# With 2, you can only strace from the root account. You can no longer strace commands run from strace.
+# With 3, even root cannot strace.
+
+# ---
+
+# possible related AVCs tracked as https://bugzilla.redhat.com/show_bug.cgi?id=1458999
+
+# ---
+
+            rlRun "useradd $MY_USER" 0,9
+
+            rlRun "cp ptrace-scope-test.sh /tmp/"
+            rlRun "chmod a+rx /tmp/ptrace-scope-test.sh"
+
+            rlRun "ORIGVAL=$( cat $PROCFILE )"
+
+            # First, test the default behaviour, which is "no restriction"
+            # from the ptrace perspective. Here we assume that
+            # elfutils-default-yama-scope.rpm is installed and so the default
+            # yama policy is set to 0 instead of 1 which would otherwise be set
+            # as a kernel default (security/yama/yama_lsm.c ---> YAMA_SCOPE_RELATIONAL)
+            rlRun test_root
+            rlRun test_user
+
+            rlRun "echo 0 > $PROCFILE"
+            rlRun test_root
+            rlRun test_user
+            rlRun "echo 1 > $PROCFILE"
+            rlRun test_root
+            rlRun test_user 1
+            rlRun "echo 2 > $PROCFILE"
+            rlRun test_root
+            rlRun test_user 1
+            # Following subtest would be irrevertible (till next reboot)
+            # rlRun "echo 3 > $PROCFILE"
+            # rlRun test_root 1
+            # rlRun test_user 1
+
+            rlRun "userdel -f $MY_USER"
+
+# This testcase could be more complex - using child and non-child processes and
+# performing reboots.  But let's keep this simple, since we are not testing the
+# kernel facility, but merely an elfutils "plugin" for it, whose purpose is to
+# set the default yama policy as such.
+
+            rlRun "echo $ORIGVAL > $PROCFILE"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd