debugging recursion
@@ -447,6 +447,99 @@ run_auth_file_mount() {
|
||||
teardown_stub_env
|
||||
}
|
||||
|
||||
run_codex_home_override() {
|
||||
local scenario_dir codex_root
|
||||
scenario_dir=$(cd "$TEST_ROOT/resume_target" && pwd -P)
|
||||
printf '==> codex_home_override\n'
|
||||
setup_stub_env
|
||||
codex_root="$STUB_HOME/codex-root"
|
||||
mkdir -p "$codex_root"
|
||||
printf '{"access_token":"test"}\n' >"$codex_root/auth.json"
|
||||
if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" CODEX_HOME="$codex_root" SLOPTRAP_PREFER_CODEX_HOME=1 \
|
||||
FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
|
||||
"$SLOPTRAP_BIN" "$scenario_dir" </dev/null >/dev/null 2>&1; then
|
||||
record_failure "codex_home_override: sloptrap exited non-zero"
|
||||
teardown_stub_env
|
||||
return
|
||||
fi
|
||||
if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
|
||||
record_failure "codex_home_override: missing CODEX_HOME auth file mount"
|
||||
fi
|
||||
if ! grep -q -- "-v ${codex_root}/sloptrap/state/" "$STUB_LOG"; then
|
||||
record_failure "codex_home_override: missing CODEX_HOME project state bind mount"
|
||||
fi
|
||||
if grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
|
||||
record_failure "codex_home_override: should not fall back to HOME/.codex when CODEX_HOME is set"
|
||||
fi
|
||||
local first_run
|
||||
first_run=$(grep "FAKE PODMAN: run " "$STUB_LOG" | head -n 1 || true)
|
||||
if [[ -z $first_run || $first_run == *" login" ]]; then
|
||||
record_failure "codex_home_override: existing CODEX_HOME auth should avoid login target"
|
||||
fi
|
||||
teardown_stub_env
|
||||
}
|
||||
|
||||
run_recursive_slopsloptrap() {
|
||||
local scenario_dir temp_root codex_root
|
||||
printf '==> recursive_slopsloptrap\n'
|
||||
setup_stub_env
|
||||
temp_root=$(mktemp -d)
|
||||
scenario_dir="$temp_root/slopsloptrap"
|
||||
codex_root="$temp_root/codex-root"
|
||||
mkdir -p "$scenario_dir" "$codex_root"
|
||||
cat >"$scenario_dir/.sloptrap" <<'EOF'
|
||||
name=slopsloptrap
|
||||
capabilities=nested-podman
|
||||
allow_host_network=false
|
||||
EOF
|
||||
printf '{"access_token":"test"}\n' >"$codex_root/auth.json"
|
||||
if ! PATH="$STUB_BIN:$PATH" HOME="$codex_root" CODEX_HOME="$codex_root" \
|
||||
FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
|
||||
"$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" shell </dev/null >/dev/null 2>&1; then
|
||||
record_failure "recursive_slopsloptrap: sloptrap exited non-zero"
|
||||
teardown_stub_env
|
||||
rm -rf "$temp_root"
|
||||
return
|
||||
fi
|
||||
if ! grep -q -- "slopsloptrap-sloptrap-image" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: child image name missing"
|
||||
fi
|
||||
if ! grep -q -- "slopsloptrap-sloptrap-container" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: child container name missing"
|
||||
fi
|
||||
if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: missing recursive auth bind mount"
|
||||
fi
|
||||
if ! grep -q -- "-v ${codex_root}/sloptrap/state/" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: missing recursive state bind mount"
|
||||
fi
|
||||
if grep -q -- "-v ${codex_root}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: should not fall back to CODEX_HOME/.codex in recursive mode"
|
||||
fi
|
||||
if grep -q -- "/etc/subuid" "$STUB_LOG" || grep -q -- "/etc/subgid" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: launcher should not mount subid helper files"
|
||||
fi
|
||||
if grep -q -- "--read-only" "$STUB_LOG"; then
|
||||
record_failure "recursive_slopsloptrap: nested podman should disable read-only rootfs"
|
||||
fi
|
||||
local first_run
|
||||
first_run=$(grep "FAKE PODMAN: run " "$STUB_LOG" | head -n 1 || true)
|
||||
if [[ -z $first_run || $first_run == *" login" ]]; then
|
||||
record_failure "recursive_slopsloptrap: recursive auth should avoid login target"
|
||||
fi
|
||||
if [[ $first_run != *"/bin/bash"* ]]; then
|
||||
record_failure "recursive_slopsloptrap: shell target did not reach child container run"
|
||||
fi
|
||||
if [[ $first_run == *"--user "* ]]; then
|
||||
record_failure "recursive_slopsloptrap: nested podman shell should not force --user"
|
||||
fi
|
||||
if [[ $first_run != *"--cap-add SETUID"* || $first_run != *"--cap-add SETGID"* ]]; then
|
||||
record_failure "recursive_slopsloptrap: nested podman shell missing privilege bootstrap capabilities"
|
||||
fi
|
||||
teardown_stub_env
|
||||
rm -rf "$temp_root"
|
||||
}
|
||||
|
||||
run_project_state_isolation() {
|
||||
local scenario_a scenario_b
|
||||
scenario_a=$(cd "$TEST_ROOT/resume_target" && pwd -P)
|
||||
@@ -735,6 +828,9 @@ run_capability_profiles() {
|
||||
if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump podman uidmap fuse-overlayfs slirp4netns" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: build arg for capability packages missing"
|
||||
fi
|
||||
if ! grep -q -- "FAKE PODMAN: build --quiet -t capability-repo-sloptrap-image -f .* --network host " "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: build should inherit host networking"
|
||||
fi
|
||||
if ! grep -q -- "--cap-add NET_RAW" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: NET_RAW capability missing"
|
||||
fi
|
||||
@@ -744,6 +840,12 @@ run_capability_profiles() {
|
||||
if ! grep -q -- "--device /dev/fuse" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: /dev/fuse device missing"
|
||||
fi
|
||||
if ! grep -q -- "--cap-add SYS_CHROOT" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: SYS_CHROOT capability missing"
|
||||
fi
|
||||
if ! grep -q -- "--cap-add MKNOD" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: MKNOD capability missing"
|
||||
fi
|
||||
if ! grep -q -- "--cap-add SETUID" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: SETUID capability missing"
|
||||
fi
|
||||
@@ -759,6 +861,12 @@ run_capability_profiles() {
|
||||
if ! grep -q -- "--cap-add FOWNER" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: FOWNER capability missing"
|
||||
fi
|
||||
if ! grep -q -- "--security-opt seccomp=unconfined" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: nested podman seccomp override missing"
|
||||
fi
|
||||
if grep -q -- "--security-opt no-new-privileges" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: nested podman should not force no-new-privileges"
|
||||
fi
|
||||
if grep -q -- "--read-only" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: apt profile should disable read-only rootfs"
|
||||
fi
|
||||
@@ -780,6 +888,9 @@ run_capability_profiles() {
|
||||
if ! grep -q -- "SLOPTRAP_INNER_PODMAN_HOST_NETWORK=1" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: inner podman host-network mirror flag missing"
|
||||
fi
|
||||
if grep -q -- "/etc/subuid" "$STUB_LOG" || grep -q -- "/etc/subgid" "$STUB_LOG"; then
|
||||
record_failure "capability_profiles: launcher should not mount subid helper files"
|
||||
fi
|
||||
local state_root capability_dir
|
||||
state_root="$STUB_HOME/.codex/sloptrap/state"
|
||||
capability_dir=$(find "$state_root" -mindepth 2 -maxdepth 2 -type d -name capabilities | head -n 1 || true)
|
||||
@@ -830,6 +941,8 @@ run_embedded_capability_helpers() {
|
||||
cat >"$helper_bin/podman" <<'EOF'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
printf 'podman-env BUILDAH_ISOLATION=%s CONTAINERS_STORAGE_CONF=%s CONTAINERS_CONF=%s\n' \
|
||||
"${BUILDAH_ISOLATION:-}" "${CONTAINERS_STORAGE_CONF:-}" "${CONTAINERS_CONF:-}" >>"$TEST_TOOL_LOG"
|
||||
printf 'podman %s\n' "$*" >>"$TEST_TOOL_LOG"
|
||||
exit 0
|
||||
EOF
|
||||
@@ -861,6 +974,7 @@ EOF
|
||||
cat >"$helper_bin/setpriv" <<'EOF'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
printf 'setpriv %s\n' "$*" >>"$TEST_TOOL_LOG"
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "$1" in
|
||||
--reuid|--regid)
|
||||
@@ -883,7 +997,7 @@ EOF
|
||||
chmod +x "$helper_bin/podman" "$helper_bin/apt-get" "$helper_bin/tcpdump" "$helper_bin/setpriv"
|
||||
|
||||
if ! grep -q "chmod 711 \"\\\$helper_dir\"" "$helper_bin/sloptrap-entrypoint" \
|
||||
|| ! grep -q "chown \"\\\$target_uid:\\\$target_gid\" \"\\\$queue_dir\"" "$helper_bin/sloptrap-entrypoint"; then
|
||||
|| ! grep -q "chmod 1733 \"\\\$queue_dir\"" "$helper_bin/sloptrap-entrypoint"; then
|
||||
record_failure "embedded_capability_helpers: entrypoint did not expose helper queue to the dropped user"
|
||||
fi
|
||||
|
||||
@@ -950,6 +1064,86 @@ EOF
|
||||
if ! grep -q -- 'podman --root ' "$tool_log" || ! grep -q -- '-v ./data:/data' "$tool_log"; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not invoke podman with the validated run arguments"
|
||||
fi
|
||||
if ! grep -q -- 'setpriv --reuid 0 --regid 0 --clear-groups -- env ' "$tool_log"; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not re-enter root before invoking podman"
|
||||
fi
|
||||
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
|
||||
SLOPTRAP_WORKDIR="$workspace_dir" \
|
||||
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
|
||||
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
|
||||
XDG_RUNTIME_DIR="$inner_runtime_dir" \
|
||||
"$helper_bin/sloppodman" image inspect example/image >/dev/null 2>&1; then
|
||||
record_failure "embedded_capability_helpers: sloppodman rejected image inspect"
|
||||
fi
|
||||
if ! grep -q -- 'podman --root .* image inspect example/image' "$tool_log"; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not forward image inspect"
|
||||
fi
|
||||
if ! grep -q -- '--storage-driver vfs' "$tool_log" \
|
||||
|| ! grep -q -- '--cgroup-manager cgroupfs' "$tool_log" \
|
||||
|| ! grep -q -- '--events-backend file' "$tool_log"; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not apply the nested podman runtime defaults"
|
||||
fi
|
||||
if ! grep -q -- 'podman-env BUILDAH_ISOLATION=chroot ' "$tool_log"; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not set BUILDAH_ISOLATION=chroot"
|
||||
fi
|
||||
if [[ ! -f $inner_runtime_dir/config/containers/storage.conf ]] \
|
||||
|| [[ ! -f $inner_runtime_dir/config/containers/containers.conf ]]; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not materialize its container config files"
|
||||
elif ! grep -q -- 'ignore_chown_errors = "true"' "$inner_runtime_dir/config/containers/storage.conf"; then
|
||||
record_failure "embedded_capability_helpers: storage.conf did not enable ignore_chown_errors"
|
||||
fi
|
||||
|
||||
local caller_uid caller_gid caller_user
|
||||
caller_uid=$(id -u)
|
||||
caller_gid=$(id -g)
|
||||
caller_user=$(id -un)
|
||||
cat >"$helper_bin/id" <<'EOF'
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
case "${1-}" in
|
||||
-u)
|
||||
printf '0\n'
|
||||
;;
|
||||
-g)
|
||||
printf '0\n'
|
||||
;;
|
||||
-un)
|
||||
printf 'root\n'
|
||||
;;
|
||||
*)
|
||||
printf 'uid=0(root) gid=0(root) groups=0(root)\n'
|
||||
;;
|
||||
esac
|
||||
EOF
|
||||
chmod +x "$helper_bin/id"
|
||||
local caller_subuid root_subuid caller_subgid root_subgid
|
||||
local helper_subuid_file helper_subgid_file
|
||||
helper_subuid_file="$temp_root/helper-subuid"
|
||||
helper_subgid_file="$temp_root/helper-subgid"
|
||||
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
|
||||
SLOPTRAP_WORKDIR="$workspace_dir" \
|
||||
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
|
||||
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
|
||||
XDG_RUNTIME_DIR="$inner_runtime_dir" \
|
||||
SLOPTRAP_PODMAN_ESCALATED=1 \
|
||||
SLOPTRAP_PODMAN_CALLER_UID="$caller_uid" \
|
||||
SLOPTRAP_PODMAN_CALLER_GID="$caller_gid" \
|
||||
SLOPTRAP_PODMAN_CALLER_USER="$caller_user" \
|
||||
SLOPTRAP_PODMAN_SUBUID_FILE="$helper_subuid_file" \
|
||||
SLOPTRAP_PODMAN_SUBGID_FILE="$helper_subgid_file" \
|
||||
"$helper_bin/sloppodman" image inspect example/image >/dev/null 2>&1; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not synthesize caller and root subid files"
|
||||
fi
|
||||
caller_subuid=$(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$helper_subuid_file" 2>/dev/null || true)
|
||||
root_subuid=$(awk -F: '$1 == "root" { print $2 ":" $3 }' "$helper_subuid_file" 2>/dev/null || true)
|
||||
caller_subgid=$(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$helper_subgid_file" 2>/dev/null || true)
|
||||
root_subgid=$(awk -F: '$1 == "root" { print $2 ":" $3 }' "$helper_subgid_file" 2>/dev/null || true)
|
||||
if [[ -z $caller_subuid || $caller_subuid != "$root_subuid" ]]; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not mirror caller subuid data onto root"
|
||||
fi
|
||||
if [[ -z $caller_subgid || $caller_subgid != "$root_subgid" ]]; then
|
||||
record_failure "embedded_capability_helpers: sloppodman did not mirror caller subgid data onto root"
|
||||
fi
|
||||
|
||||
TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
|
||||
SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \
|
||||
@@ -1074,6 +1268,8 @@ run_runtime_context_prompt
|
||||
run_sh_reexec
|
||||
run_resume_omits_runtime_context
|
||||
run_auth_file_mount
|
||||
run_codex_home_override
|
||||
run_recursive_slopsloptrap
|
||||
run_project_state_isolation
|
||||
run_auto_login_empty_auth
|
||||
run_codex_symlink_home
|
||||
|
||||
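Review bot: No visible hunk asserts that a project without `capabilities=nested-podman` keeps the hardened flags, while the checks in run_capability_profiles and run_recursive_slopsloptrap pin the relaxed ones (`--security-opt seccomp=unconfined` present, `--security-opt no-new-privileges` and `--read-only` absent, SETUID/SETGID/SYS_CHROOT/MKNOD added). Scenarios outside these hunks may already cover this; if not, a default-profile scenario should check `grep -q -- "--security-opt no-new-privileges" "$STUB_LOG" || record_failure "default_profile: no-new-privileges missing"` and the absence of `seccomp=unconfined`, so that the relaxation cannot reach ordinary runs unnoticed. In run_recursive_slopsloptrap the `mktemp -d` path is interpolated into grep patterns such as `"-v ${codex_root}/auth.json:/codex/auth.json:Z"`, where any `.` in the path acts as a regex wildcard; `grep -qF --` would match it literally. The fake `id` written to `$helper_bin/id` in run_embedded_capability_helpers also stays on PATH for the later `apt-install packet-capture` invocation, which then sees uid 0; this is worth confirming as intended, since that function continues outside the hunk.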