Fix chmod test suite issue on older systems#902
Merged
Conversation
The t_stub.c shim defined max_alloc = 0 as a placeholder to satisfy the link against util2.o. This was harmless when the test helpers made no allocations, but the secure_relative_open() implementation in 3.4.0+ calls my_strdup() in its per-component O_NOFOLLOW fallback (syscall.c around line 1857), and the 3.4.3 do_*_at() hardening series added more such calls. With max_alloc=0, every allocation in that path trips the 'exceeded --max-alloc=0' check in util2.c's my_alloc(), and t_chmod_secure (which exercises do_chmod_at via secure_relative_open) fails on the very first my_strdup. The failure is invisible on Linux 5.6+ / FreeBSD 13+ / macOS 15+ / recent Cygwin because those platforms take the kernel-enforced openat2(RESOLVE_BENEATH) or openat(O_RESOLVE_BENEATH) branch and never reach the per-component fallback. It also goes unobserved on the SunOS/OpenBSD/NetBSD/CYGWIN* CI runners because the chmod-symlink-race.test script case-skips on those platforms (the legitimate dir-symlink scenario the test exercises can't pass on the per-component fallback). HPE NonStop is the first platform that lacks RESOLVE_BENEATH support AND isn't in the skip list AND has someone actually running the test suite, so it surfaced the latent bug. Raise max_alloc to SIZE_MAX so the helpers can allocate freely. A follow-up patch makes t_chmod_secure adapt at runtime so the skip list can be removed and the per-component fallback gets real CI coverage.
The chmod-symlink-race test was previously a no-op on Solaris,
OpenBSD, NetBSD, and Cygwin via a case 'uname -s' skip. The skip
was too broad: of the four scenarios the helper exercises, only
the 'legitimate within-tree dir-symlink' one actually needs
RESOLVE_BENEATH-equivalent kernel support. The other three
(attack rejection, plain relative path, top-level file) behave
identically on the per-component O_NOFOLLOW fallback and would
have caught the t_stub.c max_alloc=0 bug fixed in the previous
commit if the test had been allowed to run.
Make the helper probe the running kernel for either
openat2(RESOLVE_BENEATH) on Linux 5.6+ or openat(O_RESOLVE_BENEATH)
on FreeBSD 13+ / macOS 15+ by opening '.' under the requested
confinement. Honour the result:
- If RESOLVE_BENEATH-equivalent confinement is available, the
within-tree symlink scenario must succeed (status quo).
- If not, the per-component O_NOFOLLOW fallback rejects every
symlink including legitimate ones; expect the within-tree
symlink scenario to be rejected (rc != 0) and the file mode
to remain unchanged.
The attack-rejection, plain-path and top-level scenarios are
unchanged: they expect the same outcome on both code paths.
Drop the case-based skip from chmod-symlink-race.test so the test
runs everywhere and the per-component fallback gets the CI
coverage that the SunOS/OpenBSD/NetBSD/Cygwin runners can
provide. HPE NonStop -- which lacks RESOLVE_BENEATH but isn't in
the existing skip list -- is also covered by this change.
…endency
symlink-dirlink-basis.test and chdir-symlink-race.test both
require a multi-kilobyte non-trivial-content source file for the
rsync delta algorithm to exercise. Both used dd / head against
/dev/urandom directly, which fails on platforms that don't ship
/dev/urandom (e.g. HPE NonStop). The dd error gets swallowed by
'2>/dev/null' and the test then fails with a misleading 'failed
to create test file' that hides the real cause.
Add make_data_file <path> <size> to testsuite/rsync.fns. Prefers
/dev/urandom when readable (kernel-provided randomness, fast),
falling back to a deterministic awk LCG seeded from PID and a
POSIX cksum of the destination path. Output is constrained to
printable ASCII (33..126) so the helper survives two awk-portability
quirks:
- printf '%c', 0 terminates the string in some awks, emitting
fewer than sz bytes;
- gawk in UTF-8 locales encodes printf '%c', N for N > 127 as
a 2-byte UTF-8 sequence, emitting more than sz bytes.
The tests don't need 8-bit binary entropy -- they just need
non-trivial bytes for rsync's block-matching algorithm.
Update both call sites to use the helper. Linux/FreeBSD/macOS
still take the /dev/urandom fast path; NonStop and any other
platform missing the device get the awk fallback transparently.
Both paths verified locally with the symlink-dirlink-basis test.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On systems without O_RESOLVE_BENEATH or openat2/RESOLVE_BENEATH the test suite would fail unless the system was specifically skipped in the chmod-symlink-race test. This fixes the issue and broadens the test coverage to all systems.
This fixes a testsuite issue reported on HPE NonStop