Testing Capsicum

[Ben Laurie]

As previously mentioned, I'm (slowly) working on Capsicum support.

A problem I'm running into is that capsicum tests need to switch into capability mode (https://www.freebsd.org/cgi/man.cgi?query=cap_enter&sektion=2) and once in that mode, all sorts of syscalls no longer work - and it is impossible to get back out of it.

This means that the tests have to each run in their own executables, but that doesn't really seem to fit in very well.

I tried forking before calling cap_enter(), but of course that doesn't work, because the child tries to continue with the next test, which fails.

Any suggestions? I guess I could re-invoke go on a single-test executable, but that doesn't seem to easily fit with how go is built.

[Ian Lance Taylor]

One common technique that may work here is to write a special purpose
sub-test for each test that requires special capabilities. Make the
sub-test do nothing unless some environment variable is set. Have the
real test exec the test program itself with the environment variable
set and with -test.run pointing to the subtest and with whatever
special operation you need.

One example: TestFcntlFlock in syscall/syscall_unix_test.go (slightly
different from the above because it uses the same test). Another
example: TestStdPipe in os/pipe_test.go.

Ian

[minux]

The runtime also has this problem (because some of the test will either deadlock or panic), so it builds an executable with all tests and then execute one test at a time with a fresh process.

Please see runtime/testdata.