From 23df78054433b7a18a512c649a76e426d275c05a Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki
Date: Thu, 23 Jan 2025 13:31:59 +0100
Subject: [PATCH 1/2] tests: add tool for observing the profile of a given command

Using gdb in batch mode, put a breakpoint on _start and spawn the process. Then using the built-in python interpreter print the confinement label on the process and terminate everything.

Signed-off-by: Zygmunt Krynicki
---
 .image-garden.mk | 3 +++
 tests/bin/actual-profile-of | 9 +++++++++
 2 files changed, 12 insertions(+)
 create mode 100755 tests/bin/actual-profile-of

diff --git a/.image-garden.mk b/.image-garden.mk
index e46488143..04d12ab3f 100644
--- a/.image-garden.mk
+++ b/.image-garden.mk
@@ -19,6 +19,7 @@ packages:
 - dosfstools
 - flake8
 - flex
+- gdb
 - gettext
 - libdbus-1-dev
 - libpam0g-dev
@@ -57,6 +58,7 @@ packages:
 - flex
 - gcc
 - gcc-c++
+- gdb
 - gettext
 - gobject-introspection
 - libtool
@@ -88,6 +90,7 @@ packages:
 - dejagnu
 - dosfstools
 - flex
+- gdb
 - gettext
 - libstdc++-static
 - libtool
diff --git a/tests/bin/actual-profile-of b/tests/bin/actual-profile-of
new file mode 100755
index 000000000..4c717072c
--- /dev/null
+++ b/tests/bin/actual-profile-of
@@ -0,0 +1,9 @@
+#!/bin/sh
+exec gdb \ --quiet \ --batch \ --eval-command='set breakpoint pending on' \ --eval-command='break _start' \ --eval-command='run' \ --eval-command='python import os; os.fdopen(3, "wt").write(open("/proc/{}/attr/current".format(gdb.selected_inferior().pid), "rt").read())' \ "$@" 3>/dev/stdout 1>/dev/null 2>/dev/null

From ffd38b7ac40b70f37a4e7dacf30a80fb496557f3 Mon Sep 17 00:00:00 2001
From: Zygmunt Krynicki
Date: Thu, 23 Jan 2025 13:34:15 +0100
Subject: [PATCH 2/2] tests: measure toybox with actual-profile-of

This should be a more readable example to follow in other tests. The toybox test was special given the fact that it is a shell itself, and is fairly programmable.
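Review bot: `break _start` in the new tests/bin/actual-profile-of relies on the target carrying that symbol; on a stripped binary the breakpoint stays pending, `run` lets the program execute to completion, and the python line then fails because `gdb.selected_inferior().pid` is 0, with stderr sent to /dev/null so nothing explains the empty output. `starti` stops at the first instruction without needing any symbol, and since the AppArmor transition happens at exec the label should read the same at that point, so the pending-breakpoint and run commands can go. Two smaller points on the last line: `"$@"` should follow `--args`, otherwise gdb treats a second positional argument as a core file or pid rather than an argument to the program, and `3>/dev/stdout` reopens stdout (truncating it when it is a regular file) where `3>&1` would duplicate it. The rewritten script follows; the hunk is the whole file.
```shell
#!/bin/sh
# Print the confinement label (/proc/PID/attr/current) of the process started
# from "$@", stopped at its first instruction. gdb's own output is discarded;
# the label is written on fd 3, which is a duplicate of the caller's stdout.
exec gdb \
    --quiet \
    --batch \
    --eval-command='starti' \
    --eval-command='python import os; pid = gdb.selected_inferior().pid; f = os.fdopen(3, "wt"); f.write(open("/proc/{}/attr/current".format(pid), "rt").read()); f.close()' \
    --args "$@" 3>&1 1>/dev/null 2>/dev/null
```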
Signed-off-by: Zygmunt Krynicki
---
 tests/profiles/toybox/task.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/tests/profiles/toybox/task.yaml b/tests/profiles/toybox/task.yaml
index 44e2f6ea1..6c8217c8b 100644
--- a/tests/profiles/toybox/task.yaml
+++ b/tests/profiles/toybox/task.yaml
@@ -5,7 +5,6 @@ systems:
 execute: |
 # Toybox works (this is a very basic test).
 test "$(toybox id -u)" -eq 0
- # The profile may be used explicitly.
- aa-exec -p toybox toybox cat /proc/self/attr/current | MATCH 'toybox \(unconfined\)'
- # The profile is attached implicitly based on path name.
- toybox cat /proc/self/attr/current | MATCH 'toybox \(unconfined\)'
+
+ # The profile is attached based on the program path.
+ "$SPREAD_PATH"/tests/bin/actual-profile-of toybox | MATCH 'toybox \(unconfined\)'
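Review bot: The removed `aa-exec -p toybox ...` line was the only check in this block that the profile can be selected explicitly by name; the new line exercises path-based attachment alone, so a profile that no longer loads under that name would not be caught here. If dropping that coverage is intended, the new comment should say so; otherwise keep `aa-exec -p toybox toybox cat /proc/self/attr/current | MATCH 'toybox \(unconfined\)'` next to the new check, since it does not depend on gdb. The new check is also a plain pipeline into MATCH, so a failure inside actual-profile-of (for instance gdb not being installed, or ptrace being refused) presumably shows up only as a generic mismatch with the tool's stderr already discarded; capturing the output into a variable first, or enabling `set -o pipefail` if the spread shell supports it, would make the cause visible. The `execute:` block may continue past the end of the hunk.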