runtime: add the checkPtraceScope to skip certain tests

When the kernel parameter ptrace_scope is set to 2 or 3,
certain test cases in runtime-gdb_test.go will fail.
We should skip these tests.

Fixes #69932

Change-Id: I685d1217f1521d7f8801680cf6b71d8e7a265188
GitHub-Last-Rev: 063759e04cfc5ea750ed1d381d8586134488a96b
GitHub-Pull-Request: golang/go#69933
Reviewed-on: https://go-review.googlesource.com/c/go/+/620857
Auto-Submit: Michael Knyszek <mknyszek@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>

diff --git a/src/runtime/runtime-gdb_test.go b/src/runtime/runtime-gdb_test.go
index d31db52234cc5d6060447f165cdf973b1a5c0a9b..ec878bb045d22dcd0c490450f6a5e75da5d4382a 100644 (file)
--- a/src/runtime/runtime-gdb_test.go
+++ b/src/runtime/runtime-gdb_test.go
@@ -112,6 +112,44 @@ func checkCleanBacktrace(t *testing.T, backtrace string) {
        // TODO(mundaym): check for unknown frames (e.g. "??").
 }
 
+// checkPtraceScope checks the value of the kernel parameter ptrace_scope,
+// skips the test when gdb cannot attach to the target process via ptrace.
+// See issue 69932
+//
+// 0 - Default attach security permissions.
+// 1 - Restricted attach. Only child processes plus normal permissions.
+// 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+// 3 - No attach. No process may call ptrace at all. Irrevocable.
+func checkPtraceScope(t *testing.T) {
+       if runtime.GOOS != "linux" {
+               return
+       }
+
+       // If the Linux kernel does not have the YAMA module enabled,
+       // there will be no ptrace_scope file, which does not affect the tests.
+       path := "/proc/sys/kernel/yama/ptrace_scope"
+       if _, err := os.Stat(path); os.IsNotExist(err) {
+               return
+       }
+
+       data, err := os.ReadFile(path)
+       if err != nil {
+               t.Fatalf("failed to read file: %v", err)
+       }
+       value, err := strconv.Atoi(strings.TrimSpace(string(data)))
+       if err != nil {
+               t.Fatalf("failed converting value to int: %v", err)
+       }
+       switch value {
+       case 3:
+               t.Skip("skipping ptrace: Operation not permitted")
+       case 2:
+               if os.Geteuid() != 0 {
+                       t.Skip("skipping ptrace: Operation not permitted with non-root user")
+               }
+       }
+}
+
 // NOTE: the maps below are allocated larger than abi.MapBucketCount
 // to ensure that they are not "optimized out".
 
@@ -194,6 +232,7 @@ func testGdbPython(t *testing.T, cgo bool) {
        t.Parallel()
        checkGdbVersion(t)
        checkGdbPython(t)
+       checkPtraceScope(t)
 
        dir := t.TempDir()
 
@@ -417,6 +456,7 @@ func TestGdbBacktrace(t *testing.T) {
        checkGdbEnvironment(t)
        t.Parallel()
        checkGdbVersion(t)
+       checkPtraceScope(t)
 
        dir := t.TempDir()
 
@@ -531,6 +571,7 @@ func TestGdbAutotmpTypes(t *testing.T) {
        checkGdbEnvironment(t)
        t.Parallel()
        checkGdbVersion(t)
+       checkPtraceScope(t)
 
        if runtime.GOOS == "aix" && testing.Short() {
                t.Skip("TestGdbAutotmpTypes is too slow on aix/ppc64")
@@ -616,6 +657,7 @@ func TestGdbConst(t *testing.T) {
        checkGdbEnvironment(t)
        t.Parallel()
        checkGdbVersion(t)
+       checkPtraceScope(t)
 
        dir := t.TempDir()
 
@@ -680,6 +722,7 @@ func TestGdbPanic(t *testing.T) {
        checkGdbEnvironment(t)
        t.Parallel()
        checkGdbVersion(t)
+       checkPtraceScope(t)
 
        if runtime.GOOS == "windows" {
                t.Skip("no signals on windows")
@@ -759,6 +802,7 @@ func TestGdbInfCallstack(t *testing.T) {
 
        t.Parallel()
        checkGdbVersion(t)
+       checkPtraceScope(t)
 
        dir := t.TempDir()