
master 568ce68: Attempt to print some debugging information on Seccomp f


From: Philipp Stephani
Subject: master 568ce68: Attempt to print some debugging information on Seccomp failures.
Date: Sat, 17 Apr 2021 15:08:38 -0400 (EDT)

branch: master
commit 568ce6826fa0aaa4d5dc95880cbdc0965dc07521
Author: Philipp Stephani <phst@google.com>
Commit: Philipp Stephani <phst@google.com>

    Attempt to print some debugging information on Seccomp failures.
    
    Try to search the audit log as well as recent core dumps.
    
    * test/src/emacs-tests.el (emacs-tests--seccomp-debug): New helper
    function.
    (emacs-tests/seccomp/allows-stdout)
    (emacs-tests/seccomp/forbids-subprocess)
    (emacs-tests/bwrap/allows-stdout): Use it.
---
 test/src/emacs-tests.el | 60 ++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 52 insertions(+), 8 deletions(-)

diff --git a/test/src/emacs-tests.el b/test/src/emacs-tests.el
index 09f9a24..87c3e84 100644
--- a/test/src/emacs-tests.el
+++ b/test/src/emacs-tests.el
@@ -144,12 +144,14 @@ to `make-temp-file', which see."
     (should-not (file-remote-p filter))
     (cl-callf file-name-unquote filter)
     (with-temp-buffer
-      (let ((status (call-process
+      (let ((start-time (current-time))
+            (status (call-process
                      emacs nil t nil
                      "--quick" "--batch"
                      (concat "--seccomp=" filter)
-                     (format "--eval=%S" '(message "Hi")))))
-        (ert-info ((format "Process output: %s" (buffer-string)))
+                     (format "--eval=%S" '(message "Hi"))))
+            (end-time (current-time)))
+        (ert-info ((emacs-tests--seccomp-debug start-time end-time))
           (should (eql status 0)))
         (should (equal (string-trim (buffer-string)) "Hi"))))))
 
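Review bot: The message form passed to `ert-info` is evaluated before the body runs, so `emacs-tests--seccomp-debug` spawns ausearch and coredumpctl on every run of this test, including runs that pass. The same applies to the `ert-info` calls in emacs-tests/seccomp/forbids-subprocess and emacs-tests/bwrap/allows-stdout. Each passing run therefore starts two external processes and reads host audit and core dump data, only to discard the output. Gating the helper on the status would avoid that, e.g. `(ert-info ((if (eql status 0) "" (emacs-tests--seccomp-debug start-time end-time)))` here and in the bwrap test, with the condition inverted in forbids-subprocess. The test's definition starts above this hunk.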
@@ -167,14 +169,16 @@ to `make-temp-file', which see."
     (should-not (file-remote-p filter))
     (cl-callf file-name-unquote filter)
     (with-temp-buffer
-      (let ((status
+      (let ((start-time (current-time))
+            (status
              (call-process
               emacs nil t nil
               "--quick" "--batch"
               (concat "--seccomp=" filter)
               (format "--eval=%S" `(call-process ,emacs nil nil nil
-                                                 "--version")))))
-        (ert-info ((format "Process output: %s" (buffer-string)))
+                                                 "--version"))))
+            (end-time (current-time)))
+        (ert-info ((emacs-tests--seccomp-debug start-time end-time))
           (should-not (eql status 0)))))))
 
 (ert-deftest emacs-tests/bwrap/allows-stdout ()
@@ -205,9 +209,49 @@ to `make-temp-file', which see."
                           " ")
                " 20< "
                (shell-quote-argument (file-name-unquote filter))))
-             (status (call-process bash nil t nil "-c" command)))
-        (ert-info ((format "Process output: %s" (buffer-string)))
+             (start-time (current-time))
+             (status (call-process bash nil t nil "-c" command))
+             (end-time (current-time)))
+        (ert-info ((emacs-tests--seccomp-debug start-time end-time))
           (should (eql status 0)))
         (should (equal (string-trim (buffer-string)) "Hi"))))))
 
+(defun emacs-tests--seccomp-debug (start-time end-time)
+  "Return potentially useful debugging information for Seccomp.
+Assume that the current buffer contains subprocess output for the
+failing process.  START-TIME and END-TIME are time values between
+which the process was running."
+  ;; Add a bit of slack for the timestamps.
+  (cl-callf time-subtract start-time 5)
+  (cl-callf time-add end-time 5)
+  (with-output-to-string
+    (princ "Process output:")
+    (terpri)
+    (princ (buffer-substring-no-properties (point-min) (point-max)))
+    ;; Search audit logs for Seccomp messages.
+    (when-let ((ausearch (executable-find "ausearch")))
+      (terpri)
+      (princ "Potentially relevant Seccomp audit events:")
+      (terpri)
+      (let ((process-environment '("LC_TIME=C")))
+        (call-process ausearch nil standard-output nil
+                      "--message" "SECCOMP"
+                      "--start"
+                      (format-time-string "%D" start-time)
+                      (format-time-string "%T" start-time)
+                      "--end"
+                      (format-time-string "%D" end-time)
+                      (format-time-string "%T" end-time)
+                      "--interpret")))
+    ;; Print coredump information if available.
+    (when-let ((coredumpctl (executable-find "coredumpctl")))
+      (terpri)
+      (princ "Potentially useful coredump information:")
+      (terpri)
+      (call-process coredumpctl nil standard-output nil
+                    "info"
+                    "--since" (format-time-string "%F %T" start-time)
+                    "--until" (format-time-string "%F %T" end-time)
+                    "--no-pager"))))
+
 ;;; emacs-tests.el ends here
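Review bot: The ausearch and coredumpctl queries in `emacs-tests--seccomp-debug` select only by a time window, widened by 5 seconds on each side, so audit events and core dump details from unrelated processes on the same host can be copied into the test output. `coredumpctl info` can print command lines and stack traces of whatever crashed in that window, which matters when test logs are published from a shared build machine. Consider giving the helper the path of the program under test and narrowing both queries with it, for example `"--executable" emacs` on the ausearch call and the same path as a trailing match argument to `coredumpctl info`. The bwrap test may need to match a different executable. If the broad window is kept on purpose, a comment such as `;; Not filtered by process: output may include events from unrelated programs.` above the ausearch call would make that explicit.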


