File: 0012-Skip-keyring-tests-if-keyring-blocked-by-seccomp.patch

krb5 1.22.1-2
From: Sam Hartman <hartmans@debian.org>
Date: Fri, 14 Jun 2024 16:36:25 -0600
Subject: Skip keyring tests if keyring blocked by seccomp

Skip keyring tests if we cannot successfully add a key because add_key
returns ENOSYS, presumably because it is blocked by seccomp policy in
a container environment.

* Move keyring support detection code duplicated between t_cccol.py
  and t_ccache.py to k5test.py

* Expand that code to call keyctl and confirm it works to add a key.
---
 src/lib/krb5/ccache/t_cccol.py |  4 +---
 src/tests/t_ccache.py          |  4 +---
 src/util/k5test.py             | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/src/lib/krb5/ccache/t_cccol.py b/src/lib/krb5/ccache/t_cccol.py
index 7dfe05b..7c5e448 100755
--- a/src/lib/krb5/ccache/t_cccol.py
+++ b/src/lib/krb5/ccache/t_cccol.py
@@ -3,9 +3,7 @@ from k5test import *
 realm = K5Realm(create_kdb=False)
 
 keyctl = which('keyctl')
-out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
-test_keyring = (keyctl is not None and
-                'Unknown credential cache type' not in out)
+test_keyring = realm.is_keyring_available()
 if not test_keyring:
     skipped('keyring collection tests', 'keyring support not built')
 
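Review bot: The skip reason in the unchanged `skipped('keyring collection tests', 'keyring support not built')` line is no longer accurate. `is_keyring_available()` also returns False when keyctl is missing or when add_key is blocked by a seccomp filter, so a sandboxed run would be logged as a build without keyring support. A reason such as `'keyring support not built or add_key blocked'` would keep the skip log truthful. The same applies to the `skipped('keyring ccache tests', ...)` call in the t_ccache.py hunk. Since a skip silently drops coverage of the keyring credential cache code, the logged reason is what lets someone auditing containerized builds see why it did not run.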
diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py
index 11c9497..e382bbd 100755
--- a/src/tests/t_ccache.py
+++ b/src/tests/t_ccache.py
@@ -35,9 +35,7 @@ realm.run(['./conccache', realm.ccache + '.contest', 'contest',
            realm.host_princ])
 
 keyctl = which('keyctl')
-out = realm.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
-test_keyring = (keyctl is not None and
-                'Unknown credential cache type' not in out)
+test_keyring = realm.is_keyring_available()
 if not test_keyring:
     skipped('keyring ccache tests', 'keyring support not built')
 
diff --git a/src/util/k5test.py b/src/util/k5test.py
index d22cb5c..bea28e3 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1229,6 +1229,24 @@ class K5Realm(object):
     def run_kadmin(self, args, **keywords):
         return self.run([kadmin, '-c', self.kadmin_ccache] + args, **keywords)
 
+    def is_keyring_available(self):
+        '''
+        Confirm that keyctl is available, keyring caches are built in, and adding keys is not masked by seccomp filters.
+        '''
+        keyctl = which('keyctl')
+        out = self.run([klist, '-c', 'KEYRING:process:abcd'], expected_code=1)
+        if (keyctl is None or
+            'Unknown credential cache type' in out):
+            return False
+        try: subprocess.check_output(['keyctl', 'add', 'user', 'some_key', 'data', '@p'], stderr=subprocess.STDOUT)
+        except subprocess.CalledProcessError as e:
+            out = str(e.output, 'utf-8')
+            if 'Function not implemented' in out and e.returncode == 1:
+                return False # masked by seccomp
+            fail('Unexpected output from keyctl: '+e.output)
+            raise
+        return True
+    
     def special_env(self, name, has_kdc_conf, krb5_conf=None, kdc_conf=None):
         krb5_conf_path = os.path.join(self.testdir, 'krb5.conf.%s' % name)
         krb5_conf = _cfg_merge(self._krb5_conf, krb5_conf)
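Review bot: In the error path of `is_keyring_available`, `fail('Unexpected output from keyctl: '+e.output)` concatenates a str with `e.output`, which is bytes because `check_output` is called without text mode. An unexpected keyctl failure would therefore raise TypeError instead of reporting the output; use the already decoded value, `fail('Unexpected output from keyctl: ' + out)`. The seccomp check matches the strerror text `'Function not implemented'`, which depends on the locale of the inherited environment. Unless the harness already forces the locale, passing `env=dict(os.environ, LC_ALL='C')` to `check_output` would make the match stable. The probe also runs the literal `'keyctl'` rather than the path returned by `which('keyctl')` a few lines earlier, so the binary checked and the binary executed could differ.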