Skip Menu |
 

Subject: OS X SIP breaks some tests in "make check"
By default, OS X 10.11 enables a hardening feature called System
Integrity Protection. One of the consequences of SIP is that each
/bin/sh process unsets the DYLD_LIBRARY_PATH variable.

We have a few tests in make check which are implemented as shell
scripts, including (but probably not limited to) lib/krb5/krb/transit-
tests and lib/krb5/krb/walktree-tests. These test scripts will not
correctly find libraries in the build tree with SIP turned on. A
workaround is to run "make install" before "make check", but we should
try to work around the SIP protections, either by setting
DYLD_LIBRARY_PATH from within testing shell scripts or by avoiding the
use of shell scripts in make check.
Running "make install" before "make check" does not fully work around
this issue, because we don't install libdb2, but do build a shared
libdb2 and test it via a shell script
(plugins/kdb/db2/libdb2/test/run.test).
t_iprop.py also hangs in this version of macOS with SIP enabled, right
after starting the first kpropd process and waiting for sync:

*** [20] Started with pid 32658
*** Waiting for sync from kpropd
kpropd: Incremental propagation enabled
kpropd: waiting for a kprop connection
kpropd: Initializing kadm5 as client kiprop/localhost@KRBTEST.COM
kpropd: kadm5 initialization succeeded
kpropd: Calling iprop_get_updates_1 (sno=1 sec=1502837269 usec=765479)
kpropd: Full resync needed
kpropd: Full resync request granted
kpropd: Waiting for 600 seconds before checking for updates again

A possible theory is that the listener child is unable to signal its
parent that the dump completed. Most likely we will need to find a
way to detect this restriction and skip t_iprop.py if it is in force,
since rearchitecting kpropd and its tests not to use signals would be
a tall order.