From b43a935caec0cc4ae1abef7851d67ba3d135411d Mon Sep 17 00:00:00 2001
From: Alan Somers <asomers@FreeBSD.org>
Date: Sat, 2 May 2020 20:14:59 +0000
Subject: [PATCH] Resolve conflict between the fusefs(5) and mac_bsdextended(4)
 tests

mac_bsdextended(4), when enabled, causes ordinary operations to send many
more VOP_GETATTRs to file system. The fusefs tests expectations aren't
written with those in mind. Optionally expecting them would greatly
obfuscate the fusefs tests. Worse, certain fusefs functionality (like
attribute caching) would be impossible to test if the tests couldn't expect
an exact number of GETATTR operations.

This commit resolves that conflict by making two changes:

1. The fusefs tests will now check for mac_bsdextended, and skip if it's
   enabled.
2. The mac_bsdextended tests will now check whether the module is enabled, not
   merely loaded. If it's loaded but disabled, the tests will automatically
   enable it for the duration of the tests.

With these changes, a CI system can achieve best coverage by loading both
fusefs and mac_bsdextended at boot, and setting
security.mac.bsdextended.enabled=0

PR:		244229
Reported by:	lwhsu
Reviewed by:	cem
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D24577
---
 tests/sys/fs/fusefs/utils.cc              | 16 +++++++++++++++-
 tests/sys/mac/bsdextended/matches_test.sh |  9 +++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/tests/sys/fs/fusefs/utils.cc b/tests/sys/fs/fusefs/utils.cc
index c07e7b177a2..ef638523d03 100644
--- a/tests/sys/fs/fusefs/utils.cc
+++ b/tests/sys/fs/fusefs/utils.cc
@@ -70,6 +70,10 @@ const uint32_t default_max_write = MIN(libfuse_max_write, MAXPHYS / 2);
 void check_environment()
 {
 	const char *devnode = "/dev/fuse";
+	const char *bsdextended_node = "security.mac.bsdextended.enabled";
+	int bsdextended_val = 0;
+	size_t bsdextended_size = sizeof(bsdextended_val);
+	int bsdextended_found;
 	const char *usermount_node = "vfs.usermount";
 	int usermount_val = 0;
 	size_t usermount_size = sizeof(usermount_val);
@@ -83,9 +87,19 @@ void check_environment()
 			GTEST_SKIP() << strerror(errno);
 		}
 	}
+	// mac_bsdextended(4), when enabled, generates many more GETATTR
+	// operations. The fusefs tests' expectations don't account for those,
+	// and adding extra code to handle them obfuscates the real purpose of
+	// the tests.  Better just to skip the fusefs tests if mac_bsdextended
+	// is enabled.
+	bsdextended_found = sysctlbyname(bsdextended_node, &bsdextended_val,
+					 &bsdextended_size, NULL, 0);
+	if (bsdextended_found == 0 && bsdextended_val != 0)
+		GTEST_SKIP() <<
+		    "The fusefs tests are incompatible with mac_bsdextended.";
 	ASSERT_EQ(sysctlbyname(usermount_node, &usermount_val, &usermount_size,
 			       NULL, 0),
-		  0);;
+		  0);
 	if (geteuid() != 0 && !usermount_val)
 		GTEST_SKIP() << "current user is not allowed to mount";
 }
diff --git a/tests/sys/mac/bsdextended/matches_test.sh b/tests/sys/mac/bsdextended/matches_test.sh
index 4cfbaeb130a..c799dd92f07 100644
--- a/tests/sys/mac/bsdextended/matches_test.sh
+++ b/tests/sys/mac/bsdextended/matches_test.sh
@@ -16,6 +16,12 @@ check_ko()
 	if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
 		atf_skip "mac_bsdextended(4) support isn't available"
 	fi
+	if [ $(sysctl -n security.mac.bsdextended.enabled) = "0" ]; then
+		# The kernel module is loaded but disabled.  Enable it for the
+		# duration of the test.
+		touch enabled_bsdextended
+		sysctl security.mac.bsdextended.enabled=1
+	fi
 }
 
 setup()
@@ -69,6 +75,9 @@ cleanup()
 	if [ -f md_device ]; then
 		mdconfig -d -u $( cat md_device )
 	fi
+	if [ -f enabled_bsdextended ]; then
+		sysctl security.mac.bsdextended.enabled=0
+	fi
 }
 
 atf_test_case no_rules cleanup