Auto-enable trusted sloptrap capabilities and harden bash launcher

2026-03-09 19:06:36 +01:00
parent da001da48f
commit 0ad137c6dc
9 changed files with 118 additions and 87 deletions
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@@ -335,7 +335,10 @@ run_runtime_context_prompt() {
  if [[ -z $run_line || $run_line != *"You are running inside sloptrap"* ]]; then
    record_failure "runtime_context_prompt: startup prompt missing from fresh run"
  fi
-  if ! grep -q -- "manifest_present=true" "$STUB_LOG" || ! grep -q -- "requested_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG"; then
+  if ! grep -q -- "manifest_present=true" "$STUB_LOG" \
+    || ! grep -q -- "manifest_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG" \
+    || ! grep -q -- "trusted_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG" \
+    || ! grep -q -- "enabled_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG"; then
    record_failure "runtime_context_prompt: runtime summary missing manifest or capability state"
  fi
  if [[ -n $login_line && $login_line == *"You are running inside sloptrap"* ]]; then
@@ -344,6 +347,22 @@ run_runtime_context_prompt() {
  teardown_stub_env
 }

+run_sh_reexec() {
+  local scenario_dir="$TEST_ROOT/capability_repo"
+  printf '==> sh_reexec\n'
+  setup_stub_env
+  if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
+    sh "$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" </dev/null >/dev/null 2>&1; then
+    record_failure "sh_reexec: sloptrap exited non-zero when launched via sh"
+    teardown_stub_env
+    return
+  fi
+  if ! grep -q -- "You are running inside sloptrap" "$STUB_LOG"; then
+    record_failure "sh_reexec: startup prompt missing after sh re-exec"
+  fi
+  teardown_stub_env
+}
+
 run_resume_omits_runtime_context() {
  local scenario_dir="$TEST_ROOT/capability_repo"
  local session_id="019a81b7-32d2-7622-8639-6698c6579625"
@@ -569,77 +588,83 @@ run_invalid_allow_host_network() {
  fi
 }

-run_wizzard_create_manifest() {
-  local scenario_dir="$TEST_ROOT/wizzard_empty"
-  printf '==> wizzard_create_manifest\n'
+run_wizard_create_manifest() {
+  local scenario_dir="$TEST_ROOT/wizard_empty"
+  printf '==> wizard_create_manifest\n'
  if ! can_run_script_pty; then
-    printf 'skipping wizzard_create_manifest: script PTY support not available\n'
+    printf 'skipping wizard_create_manifest: script PTY support not available\n'
    return
  fi
  rm -f "$scenario_dir/.sloptrap"
-  local input=$'\n\n\n\n\n'
-  if ! printf '%s' "$input" | script -q -c "$SLOPTRAP_BIN \"$scenario_dir\" wizzard" /dev/null >/dev/null 2>&1; then
-    record_failure "wizzard_create_manifest: wizzard failed"
+  local input=$'\n\n\n\n'
+  if ! printf '%s' "$input" | script -q -c "$SLOPTRAP_BIN \"$scenario_dir\" wizard" /dev/null >/dev/null 2>&1; then
+    record_failure "wizard_create_manifest: wizard failed"
    return
  fi
  if [[ ! -f $scenario_dir/.sloptrap ]]; then
-    record_failure "wizzard_create_manifest: manifest not created"
+    record_failure "wizard_create_manifest: manifest not created"
    return
  fi
-  if ! grep -qx "name=wizzard_empty" "$scenario_dir/.sloptrap"; then
-    record_failure "wizzard_create_manifest: name default mismatch"
+  if ! grep -qx "name=wizard_empty" "$scenario_dir/.sloptrap"; then
+    record_failure "wizard_create_manifest: name default mismatch"
  fi
  if ! grep -qx "packages_extra=" "$scenario_dir/.sloptrap"; then
-    record_failure "wizzard_create_manifest: packages_extra mismatch"
+    record_failure "wizard_create_manifest: packages_extra mismatch"
+  fi
+  if ! grep -qx "capabilities=" "$scenario_dir/.sloptrap"; then
+    record_failure "wizard_create_manifest: capabilities mismatch"
  fi
  if ! grep -qx "allow_host_network=false" "$scenario_dir/.sloptrap"; then
-    record_failure "wizzard_create_manifest: allow_host_network mismatch"
+    record_failure "wizard_create_manifest: allow_host_network mismatch"
  fi
 }

-run_wizzard_existing_defaults() {
-  local scenario_dir="$TEST_ROOT/wizzard_existing"
-  printf '==> wizzard_existing_defaults\n'
+run_wizard_existing_defaults() {
+  local scenario_dir="$TEST_ROOT/wizard_existing"
+  printf '==> wizard_existing_defaults\n'
  if ! can_run_script_pty; then
-    printf 'skipping wizzard_existing_defaults: script PTY support not available\n'
+    printf 'skipping wizard_existing_defaults: script PTY support not available\n'
    return
  fi
-  local input=$'\n\n\n\n\n'
-  if ! printf '%s' "$input" | script -q -c "$SLOPTRAP_BIN \"$scenario_dir\" wizzard" /dev/null >/dev/null 2>&1; then
-    record_failure "wizzard_existing_defaults: wizzard failed"
+  local input=$'\n\n\n\n'
+  if ! printf '%s' "$input" | script -q -c "$SLOPTRAP_BIN \"$scenario_dir\" wizard" /dev/null >/dev/null 2>&1; then
+    record_failure "wizard_existing_defaults: wizard failed"
    return
  fi
-  if ! grep -qx "name=custom-wizzard" "$scenario_dir/.sloptrap"; then
-    record_failure "wizzard_existing_defaults: name not preserved"
+  if ! grep -qx "name=custom-wizard" "$scenario_dir/.sloptrap"; then
+    record_failure "wizard_existing_defaults: name not preserved"
  fi
  if ! grep -qx "packages_extra=make git" "$scenario_dir/.sloptrap"; then
-    record_failure "wizzard_existing_defaults: packages_extra not preserved"
+    record_failure "wizard_existing_defaults: packages_extra not preserved"
+  fi
+  if ! grep -qx "capabilities=apt-install packet-capture" "$scenario_dir/.sloptrap"; then
+    record_failure "wizard_existing_defaults: capabilities not preserved"
  fi
  if ! grep -qx "allow_host_network=true" "$scenario_dir/.sloptrap"; then
-    record_failure "wizzard_existing_defaults: allow_host_network not preserved"
+    record_failure "wizard_existing_defaults: allow_host_network not preserved"
  fi
 }

-run_wizzard_build_trigger() {
-  local scenario_dir="$TEST_ROOT/wizzard_build"
-  printf '==> wizzard_build_trigger\n'
+run_wizard_build_trigger() {
+  local scenario_dir="$TEST_ROOT/wizard_build"
+  printf '==> wizard_build_trigger\n'
  if ! can_run_script_pty; then
-    printf 'skipping wizzard_build_trigger: script PTY support not available\n'
+    printf 'skipping wizard_build_trigger: script PTY support not available\n'
    return
  fi
  setup_stub_env
  rm -f "$scenario_dir/.sloptrap"
-  local input=$'\n\n\n\n\n'
+  local input=$'\n\n\n\n'
  if ! printf '%s' "$input" | script -q -c "env PATH=\"$STUB_BIN:$PATH\" HOME=\"$STUB_HOME\" FAKE_PODMAN_LOG=\"$STUB_LOG\" FAKE_PODMAN_INSPECT_FAIL=1 \"$SLOPTRAP_BIN\" \"$scenario_dir\"" /dev/null >/dev/null 2>&1; then
-    record_failure "wizzard_build_trigger: sloptrap failed"
+    record_failure "wizard_build_trigger: sloptrap failed"
    teardown_stub_env
    return
  fi
  if [[ ! -f $scenario_dir/.sloptrap ]]; then
-    record_failure "wizzard_build_trigger: manifest not created"
+    record_failure "wizard_build_trigger: manifest not created"
  fi
  if ! grep -q -- "FAKE PODMAN: build " "$STUB_LOG"; then
-    record_failure "wizzard_build_trigger: build not invoked after wizard"
+    record_failure "wizard_build_trigger: build not invoked after wizard"
  fi
  teardown_stub_env
 }
@@ -649,7 +674,7 @@ run_capability_trust_required() {
  printf '==> capability_trust_required\n'
  setup_stub_env
  if PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
-    "$SLOPTRAP_BIN" --enable-capability apt-install "$scenario_dir" </dev/null >/dev/null 2>&1; then
+    "$SLOPTRAP_BIN" "$scenario_dir" </dev/null >/dev/null 2>&1; then
    record_failure "capability_trust_required: expected failure without trusted capabilities"
  fi
  teardown_stub_env
@@ -660,9 +685,7 @@ run_capability_profiles() {
  printf '==> capability_profiles\n'
  setup_stub_env
  if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
-    "$SLOPTRAP_BIN" --trust-capabilities --enable-capability apt-install \
-    --enable-capability packet-capture --enable-capability nested-podman \
-    "$scenario_dir" </dev/null >/dev/null 2>&1; then
+    "$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" </dev/null >/dev/null 2>&1; then
    record_failure "capability_profiles: sloptrap exited non-zero"
    teardown_stub_env
    return
@@ -703,6 +726,7 @@ run_helper_symlink
 run_secret_mask
 run_resume_target
 run_runtime_context_prompt
+run_sh_reexec
 run_resume_omits_runtime_context
 run_auth_file_mount
 run_project_state_isolation
@@ -718,9 +742,9 @@ run_invalid_manifest_sandbox
 run_invalid_manifest_packages
 run_invalid_manifest_capabilities
 run_invalid_allow_host_network
-run_wizzard_create_manifest
-run_wizzard_existing_defaults
-run_wizzard_build_trigger
+run_wizard_create_manifest
+run_wizard_existing_defaults
+run_wizard_build_trigger
 run_capability_trust_required
 run_capability_profiles

--- a/tests/wizzard_build/.sloptrap
+++ b/tests/wizzard_build/.sloptrap
@@ -1,3 +1,4 @@
-name=wizzard_build
+name=wizard_build
 packages_extra=
+capabilities=
 allow_host_network=false
--- a/tests/wizzard_empty/.sloptrap
+++ b/tests/wizzard_empty/.sloptrap
@@ -1,3 +1,4 @@
-name=wizzard_empty
+name=wizard_empty
 packages_extra=
+capabilities=
 allow_host_network=false
--- a/tests/wizard_existing/.sloptrap
+++ b/tests/wizard_existing/.sloptrap
@@ -0,0 +1,4 @@
+name=custom-wizard
+packages_extra=make git
+capabilities=apt-install packet-capture
+allow_host_network=true
--- a/tests/wizzard_existing/.sloptrap
+++ b/tests/wizzard_existing/.sloptrap
@@ -1,3 +0,0 @@
-name=custom-wizzard
-packages_extra=make git
-allow_host_network=true