This test case was skipped before because it was not running with root. https://ci.freebsd.org/job/FreeBSD-head-amd64-test/16739/testReport/junit/sys.capsicum/functional/Capability__NoBypassDAC/ /usr/src/contrib/capsicum-test/procdesc.cc:538: Failure Expected equality of these values: -1 kill(pid, 9) Which is: 0 /usr/src/contrib/capsicum-test/procdesc.cc:539: Failure Expected equality of these values: 1 (* __error()) Which is: 2 /usr/src/contrib/capsicum-test/procdesc.cc:540: Failure Value of: state == 'R' || state == 'S' Actual: false Expected: true pid 22844 in state Z /usr/src/contrib/capsicum-test/procdesc.cc:522: Failure Expected equality of these values: 0 rc Which is: 1
(In reply to Li-Wen Hsu from comment #0) The stderr in comment #0 is wrong, this is the correct one: /usr/src/contrib/capsicum-test/capability-fd.cc:1296: Failure Expected equality of these values: -1 rc Which is: 0 /usr/src/contrib/capsicum-test/capability-fd.cc:1297: Failure Expected equality of these values: 1 (* __error()) Which is: 2 /usr/src/contrib/capsicum-test/capability-fd.cc:1303: Failure Expected equality of these values: 0 ((status) >> 8) Which is: 1 /usr/src/contrib/capsicum-test/capability-fd.cc:1306: Failure Expected equality of these values: (mode_t)(0100000|0644) Which is: 33188 info.st_mode Which is: 33206
A commit references this bug: Author: lwhsu Date: Wed Oct 7 09:53:25 UTC 2020 New revision: 366512 URL: https://svnweb.freebsd.org/changeset/base/366512 Log: Temporarily skip failing test cases in CI: sys.capsicum.functional.Capability__NoBypassDAC sys.capsicum.functional.Pdfork__OtherUserForked PR: 250178, 250179 Sponsored by: The FreeBSD Foundation Changes: head/tests/sys/capsicum/functional.sh
1281 TEST(Capability, NoBypassDAC) { 1282 REQUIRE_ROOT(); 1283 int fd = open(TmpFile("cap_root_owned"), O_RDONLY|O_CREAT, 0644); 1284 EXPECT_OK(fd); 1285 cap_rights_t rights; 1286 cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FCHMOD, CAP_FSTAT); 1287 EXPECT_OK(cap_rights_limit(fd, &rights)); 1288 1289 pid_t child = fork(); 1290 if (child == 0) { 1291 // Child: change uid to a lesser being 1292 setuid(other_uid); 1293 // Attempt to fchmod the file, and fail. 1294 // Having CAP_FCHMOD doesn't bypass the need to comply with DAC policy. 1295 int rc = fchmod(fd, 0666); 1296 EXPECT_EQ(-1, rc); 1297 EXPECT_EQ(EPERM, errno); 1298 exit(HasFailure()); 1299 } 1300 int status; 1301 EXPECT_EQ(child, waitpid(child, &status, 0)); 1302 EXPECT_TRUE(WIFEXITED(status)) << "0x" << std::hex << status; 1303 EXPECT_EQ(0, WEXITSTATUS(status)); 1304 struct stat info; 1305 EXPECT_OK(fstat(fd, &info)); 1306 EXPECT_EQ((mode_t)(S_IFREG|0644), info.st_mode); 1307 close(fd); 1308 unlink(TmpFile("cap_root_owned")); 1309 }
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=53a535c1d80a2e5ea33a4e8807647e600402b1d8 commit 53a535c1d80a2e5ea33a4e8807647e600402b1d8 Author: Alex Richardson <arichardson@FreeBSD.org> AuthorDate: 2021-03-02 18:27:34 +0000 Commit: Alex Richardson <arichardson@FreeBSD.org> CommitDate: 2021-03-02 18:27:36 +0000 Simplify the capsicum-test wrapper script Instead of running tests one-by-one with the shell wrapper we now run the full gtest testsuite twice (once as root, once as non root). This significantly speeds up running tests despite running them twice. This change also passes the missing -u flag to capsicum-test that caused test failures (https://bugs.freebsd.org/250178) Previously, running the testsuite with the wrapper script took ~3s per test on aarch64 QEMU, i.e. a total of almost 5 minutes. Now it takes 6 seconds to run all tests twice. Before: root@freebsd-aarch64:/usr/tests/sys/capsicum # /usr/bin/time kyua test functional 94/96 passed (2 failed) 309.97 real 58.46 user 244.31 sys After: root@freebsd-aarch64:/usr/tests/sys/capsicum # /usr/bin/time kyua test functional functional:test_root -> passed [2.659s] functional:test_unprivileged -> passed [2.391s] 2/2 passed (0 failed) 5.48 real 1.06 user 2.52 sys This overhead is caused by kyua + atf-sh spawning lots of additional processes and can be avoided by just running the googletest test binary. syscall seconds calls errors fork 39.810229456 1275 0 sigprocmask 13.546928736 572 0 i.e. 1275 processes spawned to run a single test. Test Plan: All tests pass with D28907. PR: 250178 Reviewed By: lwhsu Differential Revision: https://reviews.freebsd.org/D29014 tests/sys/capsicum/functional.sh | 70 ++++++++++------------------------------ 1 file changed, 17 insertions(+), 53 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=cad3bfa094e6135b939a948f45c4dee2df9d64f3 commit cad3bfa094e6135b939a948f45c4dee2df9d64f3 Author: Alex Richardson <arichardson@FreeBSD.org> AuthorDate: 2021-03-02 18:27:34 +0000 Commit: Alex Richardson <arichardson@FreeBSD.org> CommitDate: 2021-03-17 22:22:49 +0000 Simplify the capsicum-test wrapper script Instead of running tests one-by-one with the shell wrapper we now run the full gtest testsuite twice (once as root, once as non root). This significantly speeds up running tests despite running them twice. This change also passes the missing -u flag to capsicum-test that caused test failures (https://bugs.freebsd.org/250178) Previously, running the testsuite with the wrapper script took ~3s per test on aarch64 QEMU, i.e. a total of almost 5 minutes. Now it takes 6 seconds to run all tests twice. Before: root@freebsd-aarch64:/usr/tests/sys/capsicum # /usr/bin/time kyua test functional 94/96 passed (2 failed) 309.97 real 58.46 user 244.31 sys After: root@freebsd-aarch64:/usr/tests/sys/capsicum # /usr/bin/time kyua test functional functional:test_root -> passed [2.659s] functional:test_unprivileged -> passed [2.391s] 2/2 passed (0 failed) 5.48 real 1.06 user 2.52 sys This overhead is caused by kyua + atf-sh spawning lots of additional processes and can be avoided by just running the googletest test binary. syscall seconds calls errors fork 39.810229456 1275 0 sigprocmask 13.546928736 572 0 i.e. 1275 processes spawned to run a single test. Test Plan: All tests pass with D28907. PR: 250178 Reviewed By: lwhsu Differential Revision: https://reviews.freebsd.org/D29014 (cherry picked from commit 53a535c1d80a2e5ea33a4e8807647e600402b1d8) tests/sys/capsicum/functional.sh | 70 ++++++++++------------------------------ 1 file changed, 17 insertions(+), 53 deletions(-)