Command-line verbs for test_tool_info and check_cgroups #1053
PhilippWendler added a commit that referenced this issue Jun 13, 2024
On Ubuntu since 24.04, user namespaces are forbidden for regular users (cf. #1041 and #1042). There is a global sysctl switch to enable them again, but applications whose AppArmor profile allows this can also use it. (Typically, AppArmor only restricts applications, but in this case an AppArmor profile can actually provide a privilege that an unconfined application does not have.) More explanations are at https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

In order to make BenchExec usable out-of-the-box after installing the .deb package we want to ship such an AppArmor profile. This is made complicated by the fact that the AppArmor profile that is necessary on Ubuntu 24.04+ breaks AppArmor on previous Ubuntu versions. So we have to install this profile conditionally. I found a way to do so using ucf (a tool for handling config files) and this seems to work in my tests on Ubuntu 22.04 (old AppArmor), Ubuntu 24.04 (new AppArmor), and Debian 12 (old AppArmor), as well as installation without AppArmor present.

There are two known remaining problems:

- If one upgrades from Ubuntu 22.04 to Ubuntu 24.04 while having BenchExec installed, the AppArmor profile will not be installed, so BenchExec will not work. Upgrading or reinstalling the BenchExec package makes it work.
- The command "python3 -m benchexec.test_tool_info" will not work, because the AppArmor profile won't match it. One has to either disable container mode or temporarily allow the use of user namespaces for the whole system. If we implement #1053 this would just work.

Part of #1041.
Doing this would also make |
EshaanAgg pushed a commit to EshaanAgg/benchexec that referenced this issue Jun 28, 2024
Right now, to use our test_tool_info and check_cgroups functionality, users have to use commands like `python3 -m benchexec.test_tool_info ...`. This is documented, but not easy to remember. We could make this easier by providing a direct entry point.

One way would be to drop more executables in the user's `PATH`, like `test-benchexec-tool-info` or so. But this is also hard to discover and clutters the global namespace.

A common way to have one executable with several distinct personalities / modes is to use `tool verb args`. We could use this and have something like `benchexec test-tool-info ...`.

It is somewhat uncommon to have a tool with some modes that use such verbs and one mode that does not use a verb (the standard benchmarking mode), but we can live with that.

For `check_cgroups`, both `benchexec` and `runexec` could gain that verb.