sk4nz/skz-sloptrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sk4nz:87a23e97725f2af24ed20c4e1d71afe4d6529ffc
Branches Tags
sk4nz:master
..
compare: sk4nz:438959ca03527a6a1775f7c95a8f2e3e1ddce2d2
Branches Tags
sk4nz:master

3 Commits
87a23e9772 ... 438959ca03

Author SHA1 Message Date
Samuel Aubertin
438959ca03 Try to inject the parent image in slopslopstrap 2026-03-10 01:22:58 +01:00
Samuel Aubertin
3731094f60 debugging recursion 2026-03-10 00:42:19 +01:00
Samuel Aubertin
1e97baa534 Fix capabilities 2026-03-09 21:34:06 +01:00
6 changed files with 1855 additions and 84 deletions
Expand all files Collapse all files

2
.sloptrap
View File

@@ -1,4 +1,4 @@
name=skz-sloptrap name=skz-sloptrap
packages_extra=bash make shellcheck jq podman packages_extra=bash make shellcheck jq podman iproute2 strace
capabilities=apt-install nested-podman packet-capture capabilities=apt-install nested-podman packet-capture
allow_host_network=false allow_host_network=false

42
AGENTS.md Normal file
View File

@@ -0,0 +1,42 @@
# skz-sloptrap
This workspace is the source code of `sloptrap`, eg. your own runtime.
Your author, 'sk4nz', has ran the command `sloptrap path/to/skz-sloptrap` and you are living in your own reflection.
# Recursive `slopsloptrap`
sloptrap can recurse.
If you need to prove it, spawn a child from this repo with sloptrap:
`./sloptrap /workspace ...`
This starts a child `slopsloptrap`. Use the child normally, as the end-user would.
# Keep Memory
Future sloptrap instances should add short, useful, durable notes they learn during their session to this file.
Only add high-signal information that is likely to help later runs.
Keep additions brief.
Do not remove existing instructions unless they are outdated or wrong.
---
# Session Memory
- When you make changes that affect how the runtime behaves and cannot test it with recursion, you can ask sk4nz to restart you.
- If recursion is blocked by the current session state and a restart is required, give sk4nz an exact prompt to paste into the next restarted session so it can continue from the current checkpoint.
- Useful checks in the skz-sloptrap repo:
`shellcheck sloptrap`
`bash tests/run_tests.sh` (you can also run them separately)
- Recursive nested-podman inside an already user-namespaced sloptrap needs subuid/subgid ranges derived from `/proc/self/uid_map` and `/proc/self/gid_map`; hardcoding `100000:65536` breaks `newuidmap`.
- When running tests from inside sloptrap, inherited `CODEX_HOME=/codex` plus `SLOPTRAP_PREFER_CODEX_HOME=1` can leak into host-style child launches; ignore that preference when `HOME` has been redirected elsewhere and the runtime hints still point into the inherited `/codex` tree.
- For real recursive `./sloptrap` launches, correct `/proc/self/uid_map` alone is not enough: if the current session still has stale read-only `/etc/subuid` and `/etc/subgid` mounts (for example `sk4nz:100000:65536`), the first nested podman launch still fails before child startup.
- Forcing `SLOPTRAP_CONTAINER_ENGINE=sloppodman` inside sloptrap also needs `TMPDIR` under `/workspace`; otherwise its build-context path guard rejects the staged Dockerfile under `/tmp` before you reach the real subuid/subgid problem.
- If a restarted session still inherits stale read-only `/etc/subuid` and `/etc/subgid` tmpfs mounts, an unprivileged agent cannot repair them in-place (`umount` says `must be superuser to unmount`); both podman and sloppodman stay blocked until the session starts without those mounts.
- Outer sloptrap launches no longer need `/etc/subuid` or `/etc/subgid` bind mounts: `nested-podman` now disables read-only rootfs and the container entrypoint synthesizes container-local subid files from `/proc/self/{uid,gid}_map` before dropping privileges.
- Even without stale `/etc/subuid` mounts, recursion still fails if the container-local subid files name `sloptrap` instead of the real dropped user (`sk4nz` here): `podman info --debug` warns `no subuid ranges found for user "sk4nz"` and the first inner build dies in `newuidmap ... write to uid_map failed: Operation not permitted`.
- In this Debian 13 / podman 5.4.2 environment, exporting `_CONTAINERS_USERNS_CONFIGURED=done` for nested podman moves the failure past `newuidmap`, but the next blockers are inside Buildah: with `BUILDAH_ISOLATION=chroot`, recursive builds fail `cannot set --network other than host with --isolation chroot`; without chroot, `podman build` can segfault in `network.defaultNetworkBackend`.
- Recursive preload now has a host-side path: the outer launcher saves `$SLOPTRAP_IMAGE_NAME` into capability state and mounts it into the container as `SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=/codex/capabilities/podman/preload/<image>.tar`, and child `build-if-missing` tries `sloppodman load -i` before any inner build. A pre-existing session must be restarted to test that path because it cannot add the new preload mount/env to itself after startup.
- With stale subid mounts gone, recursive `./sloptrap /workspace` can still fail earlier during the inner image build: `crun` tries to open `/proc/sys/net/ipv4/ping_group_range` and gets `Read-only file system` while creating the build container.
- In a fragile nested-podman session, `podman system migrate` can make things worse: a state that still answered `podman info` fell back to repeated `newuidmap ... write to uid_map failed: Operation not permitted` failures afterward.

8
README.md
View File

@@ -68,7 +68,7 @@ Supported keys when the manifest is present:
Values containing `$`, `` ` ``, or newlines are rejected to prevent command injection. Setting illegal keys or malformed values aborts the run before containers start. Values containing `$`, `` ` ``, or newlines are rejected to prevent command injection. Setting illegal keys or malformed values aborts the run before containers start.
sloptrap always runs Codex with `--sandbox danger-full-access --ask-for-approval never`. `codex_args` is deprecated and rejected if present. sloptrap always runs Codex with `--sandbox danger-full-access --ask-for-approval never`. `codex_args` is deprecated and rejected if present.
Capability trust is local state, not part of the repository. Builds for manifests that request capabilities require either an interactive trust confirmation or `--trust-capabilities`. Trusted capabilities can then be activated per run with `--enable-capability <name>`. Capability trust is local state, not part of the repository. Builds for manifests that request capabilities require either an interactive trust confirmation or `--trust-capabilities`. Once the current manifest is trusted, its requested capabilities are enabled automatically for that project configuration.
### `.sloptrapignore` ### `.sloptrapignore`
@@ -80,7 +80,7 @@ Capability trust is local state, not part of the repository. Builds for manifest
## CLI Reference ## CLI Reference
``` ```
./sloptrap [--dry-run] [--print-config] [--trust-capabilities] [--enable-capability <name> ...] <code-directory> [target ...] ./sloptrap [--dry-run] [--print-config] [--trust-capabilities] <code-directory> [target ...]
``` ```
Options: Options:
@@ -88,7 +88,6 @@ Options:
- `--dry-run` &mdash; print the container/engine commands that would run without executing them. - `--dry-run` &mdash; print the container/engine commands that would run without executing them.
- `--print-config` &mdash; output the resolved manifest values, defaults, and ignore list. - `--print-config` &mdash; output the resolved manifest values, defaults, and ignore list.
- `--trust-capabilities` &mdash; trust the manifest's requested capabilities for the current build flow. - `--trust-capabilities` &mdash; trust the manifest's requested capabilities for the current build flow.
- `--enable-capability <name>` &mdash; enable a trusted runtime capability for this invocation. Repeat for multiple capabilities.
- `-h, --help` &mdash; display usage. - `-h, --help` &mdash; display usage.
- `--` &mdash; stop option parsing; remaining arguments are treated as targets. - `--` &mdash; stop option parsing; remaining arguments are treated as targets.
@@ -128,11 +127,12 @@ The launcher executes targets sequentially, so `./sloptrap repo build run` perfo
### Capability Helpers ### Capability Helpers
When a trusted capability is enabled for a run, the container includes helper commands: When the current manifest's capabilities are trusted and enabled, the container includes helper commands:
- `slop-apt install <package...>` for session-scoped package installation. - `slop-apt install <package...>` for session-scoped package installation.
- `slopcap capture --interface <iface> [--filter <expr>] [--output <path>] [--stdout]` for packet capture. - `slopcap capture --interface <iface> [--filter <expr>] [--output <path>] [--stdout]` for packet capture.
- `sloppodman <pull|build|tag|run|ps|logs|stop|rm|inspect> ...` for nested Podman workflows. `build` contexts and Dockerfiles must remain inside `/workspace`, and pushes are not supported. - `sloppodman <pull|build|tag|run|ps|logs|stop|rm|inspect> ...` for nested Podman workflows. `build` contexts and Dockerfiles must remain inside `/workspace`, and pushes are not supported.
- When `nested-podman` is enabled, sloptrap makes the container root filesystem writable long enough to synthesize container-local `/etc/subuid` and `/etc/subgid` files from the live namespace maps, so rootless nested Podman does not depend on host subid files.
## Execution Environment ## Execution Environment

3
slopsloptrap/.sloptrap Normal file
View File

@@ -0,0 +1,3 @@
name=slopsloptrap
capabilities=nested-podman
allow_host_network=false

1235
sloptrap
View File

File diff suppressed because it is too large Load Diff

649
tests/run_tests.sh
View File

@@ -98,6 +98,10 @@ verify_secret_mounts() {
} }
if [[ ${1-} == "image" && ${2-} == "inspect" && ${FAKE_PODMAN_INSPECT_FAIL:-0} == 1 ]]; then if [[ ${1-} == "image" && ${2-} == "inspect" && ${FAKE_PODMAN_INSPECT_FAIL:-0} == 1 ]]; then
if [[ " $* " == *" --format "* ]]; then
printf 'fake-image-id\n'
exit 0
fi
echo "FAKE PODMAN (fail): $*" >>"$FAKE_PODMAN_LOG" echo "FAKE PODMAN (fail): $*" >>"$FAKE_PODMAN_LOG"
exit 1 exit 1
fi fi
@@ -211,6 +215,33 @@ teardown_stub_env() {
rm -f "${STUB_LOG:-}" rm -f "${STUB_LOG:-}"
} }
extract_embedded_helper() {
local helper=$1
local output=$2
if ! awk -v helper="$helper" '
$0 ~ "^[[:space:]]*" helper "\\)$" { state=1; next }
state == 1 && /cat <<'\''EOF'\''$/ { state=2; next }
state == 2 && /^EOF$/ { exit }
state == 2 { print }
' "$SLOPTRAP_BIN" >"$output"; then
return 1
fi
chmod +x "$output"
}
wait_for_path() {
local path=$1
local attempts=${2:-100}
while (( attempts > 0 )); do
if [[ -e $path ]]; then
return 0
fi
sleep 0.1
((attempts-=1))
done
return 1
}
record_failure() { record_failure() {
failures+=("$1") failures+=("$1")
} }
@@ -302,6 +333,22 @@ run_secret_mask() {
teardown_stub_env teardown_stub_env
} }
run_git_ignore_mask() {
local scenario_dir="$ROOT_DIR"
printf '==> git_ignore_mask\n'
setup_stub_env
if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
"$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" </dev/null >/dev/null 2>&1; then
record_failure "git_ignore_mask: sloptrap exited non-zero"
teardown_stub_env
return
fi
if ! grep -q -- "--mount type=tmpfs,target=/workspace/.git" "$STUB_LOG"; then
record_failure "git_ignore_mask: .git was not masked with tmpfs"
fi
teardown_stub_env
}
run_resume_target() { run_resume_target() {
local scenario_dir="$TEST_ROOT/resume_target" local scenario_dir="$TEST_ROOT/resume_target"
printf '==> resume_target\n' printf '==> resume_target\n'
@@ -335,10 +382,9 @@ run_runtime_context_prompt() {
if [[ -z $run_line || $run_line != *"You are running inside sloptrap"* ]]; then if [[ -z $run_line || $run_line != *"You are running inside sloptrap"* ]]; then
record_failure "runtime_context_prompt: startup prompt missing from fresh run" record_failure "runtime_context_prompt: startup prompt missing from fresh run"
fi fi
if ! grep -q -- "manifest_present=true" "$STUB_LOG" \ if ! grep -q -- "name=capability-repo" "$STUB_LOG" \
|| ! grep -q -- "manifest_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG" \ || ! grep -q -- "enabled_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG" \
|| ! grep -q -- "trusted_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG" \ || ! grep -q -- "network_mode=host" "$STUB_LOG"; then
|| ! grep -q -- "enabled_capabilities=apt-install nested-podman packet-capture" "$STUB_LOG"; then
record_failure "runtime_context_prompt: runtime summary missing manifest or capability state" record_failure "runtime_context_prompt: runtime summary missing manifest or capability state"
fi fi
if [[ -n $login_line && $login_line == *"You are running inside sloptrap"* ]]; then if [[ -n $login_line && $login_line == *"You are running inside sloptrap"* ]]; then
@@ -405,6 +451,204 @@ run_auth_file_mount() {
teardown_stub_env teardown_stub_env
} }
run_codex_home_override() {
local scenario_dir codex_root
scenario_dir=$(cd "$TEST_ROOT/resume_target" && pwd -P)
printf '==> codex_home_override\n'
setup_stub_env
codex_root="$STUB_HOME/codex-root"
mkdir -p "$codex_root"
printf '{"access_token":"test"}\n' >"$codex_root/auth.json"
if ! PATH="$STUB_BIN:$PATH" HOME="$STUB_HOME" CODEX_HOME="$codex_root" SLOPTRAP_PREFER_CODEX_HOME=1 \
FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
"$SLOPTRAP_BIN" "$scenario_dir" </dev/null >/dev/null 2>&1; then
record_failure "codex_home_override: sloptrap exited non-zero"
teardown_stub_env
return
fi
if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
record_failure "codex_home_override: missing CODEX_HOME auth file mount"
fi
if ! grep -q -- "-v ${codex_root}/sloptrap/state/" "$STUB_LOG"; then
record_failure "codex_home_override: missing CODEX_HOME project state bind mount"
fi
if grep -q -- "-v ${STUB_HOME}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
record_failure "codex_home_override: should not fall back to HOME/.codex when CODEX_HOME is set"
fi
local first_run
first_run=$(grep "FAKE PODMAN: run " "$STUB_LOG" | head -n 1 || true)
if [[ -z $first_run || $first_run == *" login" ]]; then
record_failure "codex_home_override: existing CODEX_HOME auth should avoid login target"
fi
teardown_stub_env
}
run_recursive_slopsloptrap() {
local scenario_dir temp_root codex_root
printf '==> recursive_slopsloptrap\n'
setup_stub_env
temp_root=$(mktemp -d)
scenario_dir="$temp_root/slopsloptrap"
codex_root="$temp_root/codex-root"
mkdir -p "$scenario_dir" "$codex_root"
cat >"$scenario_dir/.sloptrap" <<'EOF'
name=slopsloptrap
capabilities=nested-podman
allow_host_network=false
EOF
printf '{"access_token":"test"}\n' >"$codex_root/auth.json"
if ! PATH="$STUB_BIN:$PATH" HOME="$codex_root" CODEX_HOME="$codex_root" \
FAKE_PODMAN_LOG="$STUB_LOG" FAKE_PODMAN_INSPECT_FAIL=1 \
"$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" shell </dev/null >/dev/null 2>&1; then
record_failure "recursive_slopsloptrap: sloptrap exited non-zero"
teardown_stub_env
rm -rf "$temp_root"
return
fi
if ! grep -q -- "slopsloptrap-sloptrap-image" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: child image name missing"
fi
if ! grep -q -- "slopsloptrap-sloptrap-container" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: child container name missing"
fi
if ! grep -q -- "-v ${codex_root}/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: missing recursive auth bind mount"
fi
if ! grep -q -- "/capabilities/podman-preload:/codex/capabilities/podman/preload:Z" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: missing recursive preload bind mount"
fi
if ! grep -q -- "-v ${codex_root}/sloptrap/state/" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: missing recursive state bind mount"
fi
if ! grep -q -- "SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=/codex/capabilities/podman/preload/slopsloptrap-sloptrap-image.tar" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: missing recursive preload archive environment"
fi
if grep -q -- "-v ${codex_root}/.codex/auth.json:/codex/auth.json:Z" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: should not fall back to CODEX_HOME/.codex in recursive mode"
fi
if grep -q -- "/etc/subuid" "$STUB_LOG" || grep -q -- "/etc/subgid" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: launcher should not mount subid helper files"
fi
if grep -q -- "--read-only" "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: nested podman should disable read-only rootfs"
fi
local first_run
first_run=$(grep "FAKE PODMAN: run " "$STUB_LOG" | head -n 1 || true)
if [[ -z $first_run || $first_run == *" login" ]]; then
record_failure "recursive_slopsloptrap: recursive auth should avoid login target"
fi
if ! grep -q -- "FAKE PODMAN: save -o " "$STUB_LOG"; then
record_failure "recursive_slopsloptrap: should export the parent image for recursive preload"
fi
if [[ $first_run != *"/bin/bash"* ]]; then
record_failure "recursive_slopsloptrap: shell target did not reach child container run"
fi
if [[ $first_run == *"--user "* ]]; then
record_failure "recursive_slopsloptrap: nested podman shell should not force --user"
fi
if [[ $first_run != *"--cap-add SETUID"* || $first_run != *"--cap-add SETGID"* ]]; then
record_failure "recursive_slopsloptrap: nested podman shell missing privilege bootstrap capabilities"
fi
teardown_stub_env
rm -rf "$temp_root"
}
run_recursive_parent_image_fallback() {
printf '==> recursive_parent_image_fallback\n'
local temp_root helper_bin scenario_dir archive_path tool_log
local inner_podman_root inner_podman_runroot inner_runtime_dir
temp_root=$(mktemp -d)
helper_bin="$temp_root/bin"
scenario_dir="$temp_root/fallback-repo"
archive_path="$scenario_dir/parent-runtime.tar"
tool_log="$temp_root/tool.log"
inner_podman_root="$temp_root/podman-storage"
inner_podman_runroot="$temp_root/podman-run"
inner_runtime_dir="$temp_root/podman-runtime"
mkdir -p "$helper_bin" "$scenario_dir" "$inner_podman_root" "$inner_podman_runroot" "$inner_runtime_dir"
: >"$tool_log"
cat >"$scenario_dir/.sloptrap" <<'EOF'
name=fallback-repo
capabilities=nested-podman
EOF
printf 'archive\n' >"$archive_path"
if ! extract_embedded_helper "sloppodman" "$helper_bin/sloppodman"; then
record_failure "recursive_parent_image_fallback: failed to extract sloppodman helper"
rm -rf "$temp_root"
return
fi
cat >"$helper_bin/podman" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf 'podman %s\n' "$*" >>"$TEST_TOOL_LOG"
args=("$@")
idx=0
loaded_flag="${TEST_TOOL_LOG}.loaded"
while (( idx < ${#args[@]} )); do
if [[ ${args[$idx]} == "image" ]] && (( idx + 1 < ${#args[@]} )) && [[ ${args[$((idx + 1))]} == "inspect" ]]; then
if [[ -f $loaded_flag ]]; then
exit 0
fi
exit 1
fi
if [[ ${args[$idx]} == "load" ]]; then
: >"$loaded_flag"
exit 0
fi
((idx+=1))
done
exit 0
EOF
cat >"$helper_bin/setpriv" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
while [[ $# -gt 0 ]]; do
case "$1" in
--reuid|--regid)
shift 2
;;
--clear-groups)
shift
;;
--)
shift
break
;;
*)
break
;;
esac
done
exec "$@"
EOF
chmod +x "$helper_bin/sloppodman" "$helper_bin/podman" "$helper_bin/setpriv"
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" HOME="$temp_root/home" CODEX_HOME="$temp_root/home" \
SLOPTRAP_CONTAINER_ENGINE="sloppodman" \
SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$scenario_dir" \
SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE="$archive_path" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$SLOPTRAP_BIN" --trust-capabilities "$scenario_dir" build-if-missing >/dev/null 2>&1; then
record_failure "recursive_parent_image_fallback: build-if-missing exited non-zero"
rm -rf "$temp_root"
return
fi
if grep -q -- 'podman --root .* build ' "$tool_log"; then
record_failure "recursive_parent_image_fallback: fallback should avoid podman build"
fi
if ! grep -q -- "podman --root $inner_podman_root --runroot $inner_podman_runroot --storage-driver vfs --cgroup-manager cgroupfs --events-backend file load -i $archive_path" "$tool_log"; then
record_failure "recursive_parent_image_fallback: fallback did not load the parent archive into the nested store"
fi
rm -rf "$temp_root"
}
run_project_state_isolation() { run_project_state_isolation() {
local scenario_a scenario_b local scenario_a scenario_b
scenario_a=$(cd "$TEST_ROOT/resume_target" && pwd -P) scenario_a=$(cd "$TEST_ROOT/resume_target" && pwd -P)
@@ -690,9 +934,12 @@ run_capability_profiles() {
teardown_stub_env teardown_stub_env
return return
fi fi
if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump podman fuse-overlayfs slirp4netns" "$STUB_LOG"; then if ! grep -q -- "CAPABILITY_PACKAGES=tcpdump podman uidmap fuse-overlayfs slirp4netns" "$STUB_LOG"; then
record_failure "capability_profiles: build arg for capability packages missing" record_failure "capability_profiles: build arg for capability packages missing"
fi fi
if ! grep -q -- "FAKE PODMAN: build --quiet -t capability-repo-sloptrap-image -f .* --network host " "$STUB_LOG"; then
record_failure "capability_profiles: build should inherit host networking"
fi
if ! grep -q -- "--cap-add NET_RAW" "$STUB_LOG"; then if ! grep -q -- "--cap-add NET_RAW" "$STUB_LOG"; then
record_failure "capability_profiles: NET_RAW capability missing" record_failure "capability_profiles: NET_RAW capability missing"
fi fi
@@ -702,21 +949,408 @@ run_capability_profiles() {
if ! grep -q -- "--device /dev/fuse" "$STUB_LOG"; then if ! grep -q -- "--device /dev/fuse" "$STUB_LOG"; then
record_failure "capability_profiles: /dev/fuse device missing" record_failure "capability_profiles: /dev/fuse device missing"
fi fi
if ! grep -q -- "--cap-add SYS_CHROOT" "$STUB_LOG"; then
record_failure "capability_profiles: SYS_CHROOT capability missing"
fi
if ! grep -q -- "--cap-add MKNOD" "$STUB_LOG"; then
record_failure "capability_profiles: MKNOD capability missing"
fi
if ! grep -q -- "--cap-add SETUID" "$STUB_LOG"; then
record_failure "capability_profiles: SETUID capability missing"
fi
if ! grep -q -- "--cap-add SETGID" "$STUB_LOG"; then
record_failure "capability_profiles: SETGID capability missing"
fi
if ! grep -q -- "--cap-add CHOWN" "$STUB_LOG"; then
record_failure "capability_profiles: CHOWN capability missing"
fi
if ! grep -q -- "--cap-add DAC_OVERRIDE" "$STUB_LOG"; then
record_failure "capability_profiles: DAC_OVERRIDE capability missing"
fi
if ! grep -q -- "--cap-add FOWNER" "$STUB_LOG"; then
record_failure "capability_profiles: FOWNER capability missing"
fi
if ! grep -q -- "--security-opt seccomp=unconfined" "$STUB_LOG"; then
record_failure "capability_profiles: nested podman seccomp override missing"
fi
if grep -q -- "--security-opt no-new-privileges" "$STUB_LOG"; then
record_failure "capability_profiles: nested podman should not force no-new-privileges"
fi
if grep -q -- "--read-only" "$STUB_LOG"; then if grep -q -- "--read-only" "$STUB_LOG"; then
record_failure "capability_profiles: apt profile should disable read-only rootfs" record_failure "capability_profiles: apt profile should disable read-only rootfs"
fi fi
if grep -q -- "--user " "$STUB_LOG"; then if grep -q -- "--user " "$STUB_LOG"; then
record_failure "capability_profiles: capability-enabled run should not force --user" record_failure "capability_profiles: capability-enabled run should not force --user"
fi fi
if ! grep -q -- "--userns=keep-id:uid=$(id -u),gid=$(id -g)" "$STUB_LOG"; then
record_failure "capability_profiles: podman keep-id user namespace missing"
fi
if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install nested-podman packet-capture" "$STUB_LOG"; then if ! grep -q -- "SLOPTRAP_ACTIVE_CAPABILITIES=apt-install nested-podman packet-capture" "$STUB_LOG"; then
record_failure "capability_profiles: active capability environment missing" record_failure "capability_profiles: active capability environment missing"
fi fi
if ! grep -q -- "SLOPTRAP_HOST_UID=$(id -u)" "$STUB_LOG"; then
record_failure "capability_profiles: host uid environment missing"
fi
if ! grep -q -- "SLOPTRAP_HOST_GID=$(id -g)" "$STUB_LOG"; then
record_failure "capability_profiles: host gid environment missing"
fi
if ! grep -q -- "SLOPTRAP_HOST_USER=$(id -un)" "$STUB_LOG"; then
record_failure "capability_profiles: host user environment missing"
fi
if ! grep -q -- "SLOPTRAP_INNER_PODMAN_HOST_NETWORK=1" "$STUB_LOG"; then if ! grep -q -- "SLOPTRAP_INNER_PODMAN_HOST_NETWORK=1" "$STUB_LOG"; then
record_failure "capability_profiles: inner podman host-network mirror flag missing" record_failure "capability_profiles: inner podman host-network mirror flag missing"
fi fi
if grep -q -- "/etc/subuid" "$STUB_LOG" || grep -q -- "/etc/subgid" "$STUB_LOG"; then
record_failure "capability_profiles: launcher should not mount subid helper files"
fi
local state_root capability_dir
state_root="$STUB_HOME/.codex/sloptrap/state"
capability_dir=$(find "$state_root" -mindepth 2 -maxdepth 2 -type d -name capabilities | head -n 1 || true)
if [[ -z $capability_dir ]]; then
record_failure "capability_profiles: project capability state directory missing"
else
if [[ ! -d $capability_dir/podman-storage ]]; then
record_failure "capability_profiles: nested podman storage state missing"
fi
if [[ ! -d $capability_dir/podman-run ]]; then
record_failure "capability_profiles: nested podman runroot state missing"
fi
if [[ ! -d $capability_dir/podman-runtime ]]; then
record_failure "capability_profiles: nested podman runtime state missing"
fi
fi
teardown_stub_env teardown_stub_env
} }
run_embedded_capability_helpers() {
printf '==> embedded_capability_helpers\n'
local temp_root helper_bin helper_dir workspace_dir capture_dir tool_log helper_pid
local inner_podman_root inner_podman_runroot inner_runtime_dir
temp_root=$(mktemp -d)
helper_bin="$temp_root/bin"
helper_dir="$temp_root/helper"
workspace_dir="$temp_root/workspace"
capture_dir="$temp_root/captures"
tool_log="$temp_root/tool.log"
inner_podman_root="$temp_root/podman-storage"
inner_podman_runroot="$temp_root/podman-run"
inner_runtime_dir="$temp_root/podman-runtime"
helper_pid=""
mkdir -p "$helper_bin" "$helper_dir/queue" "$workspace_dir/data" "$capture_dir" \
"$inner_podman_root" "$inner_podman_runroot" "$inner_runtime_dir"
: >"$tool_log"
if ! extract_embedded_helper "sloptrap-entrypoint" "$helper_bin/sloptrap-entrypoint" \
|| ! extract_embedded_helper "sloptrap-helperd" "$helper_bin/sloptrap-helperd" \
|| ! extract_embedded_helper "slop-apt" "$helper_bin/slop-apt" \
|| ! extract_embedded_helper "slopcap" "$helper_bin/slopcap" \
|| ! extract_embedded_helper "sloppodman" "$helper_bin/sloppodman"; then
record_failure "embedded_capability_helpers: failed to extract embedded helper scripts"
rm -rf "$temp_root"
return
fi
cat >"$helper_bin/podman" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf 'podman-env BUILDAH_ISOLATION=%s _CONTAINERS_USERNS_CONFIGURED=%s CONTAINERS_STORAGE_CONF=%s CONTAINERS_CONF=%s\n' \
"${BUILDAH_ISOLATION:-}" "${_CONTAINERS_USERNS_CONFIGURED:-}" "${CONTAINERS_STORAGE_CONF:-}" "${CONTAINERS_CONF:-}" >>"$TEST_TOOL_LOG"
printf 'podman %s\n' "$*" >>"$TEST_TOOL_LOG"
exit 0
EOF
cat >"$helper_bin/apt-get" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf 'apt-get %s\n' "$*" >>"$TEST_TOOL_LOG"
exit 0
EOF
cat >"$helper_bin/tcpdump" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf 'tcpdump %s\n' "$*" >>"$TEST_TOOL_LOG"
output=""
prev=""
for arg in "$@"; do
if [[ $prev == "-w" ]]; then
output=$arg
break
fi
prev=$arg
done
if [[ -n $output ]]; then
mkdir -p "$(dirname "$output")"
: >"$output"
fi
exit 0
EOF
cat >"$helper_bin/setpriv" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
printf 'setpriv %s\n' "$*" >>"$TEST_TOOL_LOG"
while [[ $# -gt 0 ]]; do
case "$1" in
--reuid|--regid)
shift 2
;;
--clear-groups)
shift
;;
--)
shift
break
;;
*)
break
;;
esac
done
exec "$@"
EOF
chmod +x "$helper_bin/podman" "$helper_bin/apt-get" "$helper_bin/tcpdump" "$helper_bin/setpriv"
if ! grep -q "chmod 711 \"\\\$helper_dir\"" "$helper_bin/sloptrap-entrypoint" \
|| ! grep -q "chmod 1733 \"\\\$queue_dir\"" "$helper_bin/sloptrap-entrypoint"; then
record_failure "embedded_capability_helpers: entrypoint did not expose helper queue to the dropped user"
fi
local autostart_helper_dir
autostart_helper_dir="$temp_root/helper-autostart"
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$autostart_helper_dir" \
SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \
SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_AUDIT_LOG="$temp_root/autostart-audit.log" \
SLOPTRAP_HOST_UID="$(id -u)" SLOPTRAP_HOST_GID="$(id -g)" \
"$helper_bin/slop-apt" install jq >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: slop-apt did not self-bootstrap the helper daemon"
fi
if [[ ! -r $autostart_helper_dir/helperd.pid ]]; then
record_failure "embedded_capability_helpers: helper self-bootstrap did not create a pid file"
else
kill "$(cat "$autostart_helper_dir/helperd.pid")" >/dev/null 2>&1 || true
wait "$(cat "$autostart_helper_dir/helperd.pid")" >/dev/null 2>&1 || true
fi
local missing_cap_status=0
if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" ps >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman should reject runs without nested-podman"
else
missing_cap_status=$?
fi
if [[ $missing_cap_status -ne 126 ]]; then
record_failure "embedded_capability_helpers: sloppodman returned the wrong status when capability was absent"
fi
if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" run --privileged example/image >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman allowed --privileged"
fi
if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" run -v /tmp:/host example/image >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman allowed an out-of-workspace bind mount"
fi
if ! (
cd "$workspace_dir" && TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" \
SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" run -v ./data:/data example/image true >/dev/null 2>&1
); then
record_failure "embedded_capability_helpers: sloppodman rejected a workspace-local bind mount"
fi
if ! grep -q -- 'podman --root ' "$tool_log" || ! grep -q -- '-v ./data:/data' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not invoke podman with the validated run arguments"
fi
if ! grep -q -- 'setpriv --reuid 0 --regid 0 --clear-groups -- env ' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not re-enter root before invoking podman"
fi
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
"$helper_bin/sloppodman" image inspect example/image >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman rejected image inspect"
fi
if ! grep -q -- 'podman --root .* image inspect example/image' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not forward image inspect"
fi
if ! grep -q -- '--storage-driver vfs' "$tool_log" \
|| ! grep -q -- '--cgroup-manager cgroupfs' "$tool_log" \
|| ! grep -q -- '--events-backend file' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not apply the nested podman runtime defaults"
fi
if ! grep -q -- 'podman-env BUILDAH_ISOLATION=chroot ' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not set BUILDAH_ISOLATION=chroot"
fi
if ! grep -q -- '_CONTAINERS_USERNS_CONFIGURED=done ' "$tool_log"; then
record_failure "embedded_capability_helpers: sloppodman did not mark nested podman as already userns-configured"
fi
if [[ ! -f $inner_runtime_dir/config/containers/storage.conf ]] \
|| [[ ! -f $inner_runtime_dir/config/containers/containers.conf ]]; then
record_failure "embedded_capability_helpers: sloppodman did not materialize its container config files"
elif ! grep -q -- 'ignore_chown_errors = "true"' "$inner_runtime_dir/config/containers/storage.conf"; then
record_failure "embedded_capability_helpers: storage.conf did not enable ignore_chown_errors"
fi
local caller_uid caller_gid caller_user
caller_uid=$(id -u)
caller_gid=$(id -g)
caller_user=$(id -un)
cat >"$helper_bin/id" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
case "${1-}" in
-u)
printf '0\n'
;;
-g)
printf '0\n'
;;
-un)
printf 'root\n'
;;
*)
printf 'uid=0(root) gid=0(root) groups=0(root)\n'
;;
esac
EOF
cat >"$temp_root/entrypoint-helperd" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
exit 0
EOF
chmod +x "$helper_bin/id" "$temp_root/entrypoint-helperd"
local entry_subuid entry_subgid
entry_subuid="$temp_root/entry-subuid"
entry_subgid="$temp_root/entry-subgid"
printf 'sloptrap:100000:65536\n' >"$entry_subuid"
printf 'sloptrap:100000:65536\n' >"$entry_subgid"
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_HOST_UID="1337" SLOPTRAP_HOST_GID="1337" SLOPTRAP_HOST_USER="$caller_user" \
SLOPTRAP_PODMAN_SUBUID_FILE="$entry_subuid" SLOPTRAP_PODMAN_SUBGID_FILE="$entry_subgid" \
SLOPTRAP_PODMAN_SUBID_START="200000" SLOPTRAP_PODMAN_SUBID_COUNT="65536" \
SLOPTRAP_PODMAN_SUBGID_START="200000" SLOPTRAP_PODMAN_SUBGID_COUNT="65536" \
SLOPTRAP_HELPERD_BIN="$temp_root/entrypoint-helperd" \
"$helper_bin/sloptrap-entrypoint" true >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: entrypoint did not synthesize subid files for the host user"
fi
if [[ -z $(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$entry_subuid" 2>/dev/null || true) ]]; then
record_failure "embedded_capability_helpers: entrypoint did not prefer SLOPTRAP_HOST_USER for subuid synthesis"
fi
if [[ -z $(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$entry_subgid" 2>/dev/null || true) ]]; then
record_failure "embedded_capability_helpers: entrypoint did not prefer SLOPTRAP_HOST_USER for subgid synthesis"
fi
local caller_subuid root_subuid caller_subgid root_subgid
local helper_subuid_file helper_subgid_file
helper_subuid_file="$temp_root/helper-subuid"
helper_subgid_file="$temp_root/helper-subgid"
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_ACTIVE_CAPABILITIES="nested-podman" \
SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_INNER_PODMAN_ROOT="$inner_podman_root" \
SLOPTRAP_INNER_PODMAN_RUNROOT="$inner_podman_runroot" \
XDG_RUNTIME_DIR="$inner_runtime_dir" \
SLOPTRAP_PODMAN_ESCALATED=1 \
SLOPTRAP_PODMAN_CALLER_UID="$caller_uid" \
SLOPTRAP_PODMAN_CALLER_GID="$caller_gid" \
SLOPTRAP_PODMAN_CALLER_USER="$caller_user" \
SLOPTRAP_PODMAN_SUBUID_FILE="$helper_subuid_file" \
SLOPTRAP_PODMAN_SUBGID_FILE="$helper_subgid_file" \
"$helper_bin/sloppodman" image inspect example/image >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: sloppodman did not synthesize caller and root subid files"
fi
caller_subuid=$(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$helper_subuid_file" 2>/dev/null || true)
root_subuid=$(awk -F: '$1 == "root" { print $2 ":" $3 }' "$helper_subuid_file" 2>/dev/null || true)
caller_subgid=$(awk -F: -v account="$caller_user" '$1 == account { print $2 ":" $3 }' "$helper_subgid_file" 2>/dev/null || true)
root_subgid=$(awk -F: '$1 == "root" { print $2 ":" $3 }' "$helper_subgid_file" 2>/dev/null || true)
if [[ -z $caller_subuid || $caller_subuid != "$root_subuid" ]]; then
record_failure "embedded_capability_helpers: sloppodman did not mirror caller subuid data onto root"
fi
if [[ -z $caller_subgid || $caller_subgid != "$root_subgid" ]]; then
record_failure "embedded_capability_helpers: sloppodman did not mirror caller subgid data onto root"
fi
TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
SLOPTRAP_ACTIVE_CAPABILITIES="apt-install packet-capture" \
SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
SLOPTRAP_AUDIT_LOG="$temp_root/audit.log" "$helper_bin/sloptrap-helperd" >/dev/null 2>&1 &
helper_pid=$!
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
"$helper_bin/slop-apt" install jq >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: slop-apt failed against the embedded helper daemon"
fi
if ! grep -q -- 'apt-get install -y --no-install-recommends jq' "$tool_log"; then
record_failure "embedded_capability_helpers: slop-apt did not reach apt-get install"
fi
local bad_apt_request
bad_apt_request=$(mktemp -d "$helper_dir/queue/request.XXXXXX.req")
printf 'apt-install\n' >"$bad_apt_request/op"
printf '%s\n' '--allow-unauthenticated' >"$bad_apt_request/packages"
if ! wait_for_path "$bad_apt_request/status"; then
record_failure "embedded_capability_helpers: helper daemon did not answer the invalid apt request"
elif [[ $(<"$bad_apt_request/status") != "2" ]]; then
record_failure "embedded_capability_helpers: invalid apt request returned the wrong status"
fi
if [[ -s "$bad_apt_request/stderr" ]] && ! grep -q -- 'invalid package name' "$bad_apt_request/stderr"; then
record_failure "embedded_capability_helpers: invalid apt request did not explain the rejection"
fi
if TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
"$helper_bin/slopcap" capture --interface eth0 --output /tmp/escape.pcap >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: slopcap accepted an out-of-bounds output path"
fi
if ! TEST_TOOL_LOG="$tool_log" PATH="$helper_bin:$PATH" SLOPTRAP_HELPER_DIR="$helper_dir" \
SLOPTRAP_CAPTURE_DIR="$capture_dir" SLOPTRAP_WORKDIR="$workspace_dir" \
"$helper_bin/slopcap" capture --interface eth0 --filter 'tcp port 80' \
--output "$workspace_dir/capture.pcap" >/dev/null 2>&1; then
record_failure "embedded_capability_helpers: slopcap failed for a workspace-local capture file"
fi
if ! grep -q -- "tcpdump -i eth0 -w $workspace_dir/capture.pcap -- tcp port 80" "$tool_log"; then
record_failure "embedded_capability_helpers: slopcap did not invoke tcpdump with the expected guarded arguments"
fi
local bad_capture_request
bad_capture_request=$(mktemp -d "$helper_dir/queue/request.XXXXXX.req")
printf 'packet-capture\n' >"$bad_capture_request/op"
printf 'eth0\n' >"$bad_capture_request/interface"
printf '\n' >"$bad_capture_request/filter"
printf '/tmp/escape.pcap\n' >"$bad_capture_request/output"
printf '0\n' >"$bad_capture_request/stdout_mode"
if ! wait_for_path "$bad_capture_request/status"; then
record_failure "embedded_capability_helpers: helper daemon did not answer the invalid capture request"
elif [[ $(<"$bad_capture_request/status") != "2" ]]; then
record_failure "embedded_capability_helpers: invalid capture request returned the wrong status"
fi
if [[ -s "$bad_capture_request/stderr" ]] && ! grep -q -- 'output path must stay within' "$bad_capture_request/stderr"; then
record_failure "embedded_capability_helpers: invalid capture request did not explain the rejection"
fi
if [[ -n $helper_pid ]]; then
kill "$helper_pid" >/dev/null 2>&1 || true
wait "$helper_pid" >/dev/null 2>&1 || true
fi
rm -rf "$temp_root"
}
run_make_install_single_file() { run_make_install_single_file() {
local scenario_dir="$TEST_ROOT/resume_target" local scenario_dir="$TEST_ROOT/resume_target"
printf '==> make_install_single_file\n' printf '==> make_install_single_file\n'
@@ -768,11 +1402,15 @@ run_symlink_escape
run_manifest_injection run_manifest_injection
run_helper_symlink run_helper_symlink
run_secret_mask run_secret_mask
run_git_ignore_mask
run_resume_target run_resume_target
run_runtime_context_prompt run_runtime_context_prompt
run_sh_reexec run_sh_reexec
run_resume_omits_runtime_context run_resume_omits_runtime_context
run_auth_file_mount run_auth_file_mount
run_codex_home_override
run_recursive_slopsloptrap
run_recursive_parent_image_fallback
run_project_state_isolation run_project_state_isolation
run_auto_login_empty_auth run_auto_login_empty_auth
run_codex_symlink_home run_codex_symlink_home
@@ -791,6 +1429,7 @@ run_wizard_existing_defaults
run_wizard_build_trigger run_wizard_build_trigger
run_capability_trust_required run_capability_trust_required
run_capability_profiles run_capability_profiles
run_embedded_capability_helpers
run_make_install_single_file run_make_install_single_file
if [[ ${#failures[@]} -gt 0 ]]; then if [[ ${#failures[@]} -gt 0 ]]; then