This change takes capsicum-test from upstream and applies some local changes to make the
tests work on FreeBSD when executed via Kyua.
The local modifications are as follows:
- Make OpenatTest.WithFlag pass with the new dot-dot lookup behavior in FreeBSD 12.x+.
- capsicum-test references a set of helper binaries: mini-me, mini-me.noexec, and mini-me.setuid, as part of the execve/fexecve tests, via execve, fexecve, and open. It achieves this upstream by assuming mini-me* is in the current directory, however, in order for Kyua to execute capsicum-test, it needs to provide a full path to mini-me*. In order to achieve this, I made capsicum-test cache the executable's path from argv in main(..) and use the cached value to compute the path to mini-me* as part of the execve/fexecve testcases.
- The capsicum-test test suite assumes that it's always being run on CAPABILITIES enabled kernels. However, there's a chance that the test will be run on a host without a CAPABILITIES enabled kernel, so we must check for the support before running the tests. The way to achieve this is to add the relevant feature_present("security_capabilities") check to SetupEnvironment::SetUp() and skip the tests when the support is not available. While here, add a check for kern.trap_enotcap being enabled. As noted by markj@ in https://github.com/google/capsicum-test/issues/23, this sysctl being enabled can trigger non-deterministic failures. Therefore, the tests should be skipped if this sysctl is enabled.
All local changes have been submitted to the capsicum-test project
(https://github.com/google/capsicum-test) and are in various stages of review.
Please see the following pull requests for more details:
MFC after: 1 month