So usually for this kind of side-effect sysctl, you would do a sysctl_handle_int() somewhere early in the function with a bogus zero output, then if (error != 0 || req->newptr == NULL) return (error);

That way simply "get"ing the value from the sysctl does not cause the side effect. (This would impact sysctl -a too, except we're using SKIP already.)

Instead, you "set" a value explicitly to run the test: sysctl debug.test_foo=1.

Test pass/failure can be indicated by returning zero (success) or an errno value, rather than in-band 0/1 SYSCTL_OUT.

Does that make sense?

CTLFLAG_MPSAFE, too.

This file is missing?

Does CTLFLAG_SKIP sufficiently avoid the sysctl -a case and other inadvertent execution? I can also #ifdef INVARIANTS to make this debug only.

If the sysctl returns an errno, the 'sysctl' commandline utility still exits with a 0 exitcode and outputs nothing to stdout. For a simple atf-sh testcase I'd like either the exitcode to be non-zero for the failure case or for the output to give me the info I need. Since sysctl(1) seems to insist on returning 0 regardless of error return, it seems like I'm forced to use stdout.

I'm on board with the proposal to rely on SKIP and INVARIANTS to prevent accidental misuse.

If the sysctl returns an errno, the 'sysctl' commandline utility still exits with a 0 exitcode and outputs nothing to stdout.

This may be true of "get" operations, but I don't believe it is true of "set" operations. We can easily prove this. (Note that 10% below is actually fairly high as there are quite a few sysctl syscalls involved in name2oiding, plus separate sysctls for IN/OUT operations; 5% may be more appropriate.)

# 5 == EIO
$ sysctl debug.fail_point.sysctl_running='10%return(5)'

# After this point, repeated trials may be necessary to overcome EIOs from name2oid or oid2fmt.  When the EIO hits the actual syscall value handler, though, the result is below:
$ sysctl kern.timecounter.alloweddeviation=5
kern.timecounter.alloweddeviation: 5
sysctl: kern.timecounter.alloweddeviation=5: Input/output error

$ echo $?
1

The syscall raised error 5; libc wrapped that in -1/errno=5; and sysctl(8) invokes warn(3) (stderr output on the 2nd line printed above) and increments warnings, which results in non-zero exit.