Fix FreeBSD CI: use nobody user, improve smoke test error reporting

renaudallard · renaudallard · commit 6d11750b69eb · 2026-03-20T11:55:12.000+01:00
diff --git a/.github/workflows/freebsd.yml b/.github/workflows/freebsd.yml
@@ -69,9 +69,10 @@ jobs:
             # Verify rc.d script is distributed
             test -f scripts/sniproxy.rc
 
-            # Smoke test: start sniproxy briefly with a test config
+            # Smoke test: start sniproxy with a test config
+            echo "Running as: $(whoami) (uid=$(id -u))"
             printf '%s\n' \
-              'user daemon' \
+              'user nobody' \
               'error_log { syslog daemon }' \
               'listener 127.0.0.1:18443 {' \
               '    protocol tls' \
@@ -82,38 +83,44 @@ jobs:
               '}' > /tmp/sniproxy-test.conf
             chmod 600 /tmp/sniproxy-test.conf
 
-            timeout 3 src/sniproxy -f -c /tmp/sniproxy-test.conf || test $? -eq 124
+            # Test config parsing
+            src/sniproxy -t -c /tmp/sniproxy-test.conf
 
-            # Verify Capsicum is active: start as daemon and check
+            # Start as daemon and verify Capsicum
             src/sniproxy -c /tmp/sniproxy-test.conf
-            sleep 1
+            sleep 2
+
+            ps aux | grep sniproxy | grep -v grep
 
             # Check process flags for capability mode (0x100 bit)
+            set +e
             mainpid=$(ps ax -o pid,flags,args | grep 'sniproxy-mainloop' | grep -v grep | awk '{print $1}')
             binderpid=$(ps ax -o pid,flags,args | grep 'sniproxy-binder' | grep -v grep | awk '{print $1}')
-            if [ -n "$mainpid" ]; then
-              mainflags=$(ps -o flags= -p "$mainpid" | tr -d ' ')
-              binderflags=$(ps -o flags= -p "$binderpid" | tr -d ' ')
-              echo "mainloop flags=$mainflags binder flags=$binderflags"
-
-              # Mainloop must be in capability mode (flag 0x100 set)
-              if [ $(( 0x$mainflags & 0x100 )) -eq 0 ]; then
-                echo "::error::Main process is NOT in Capsicum capability mode"
-                pkill sniproxy || true
-                exit 1
-              fi
-
-              # Binder must NOT be in capability mode
-              if [ $(( 0x$binderflags & 0x100 )) -ne 0 ]; then
-                echo "::error::Binder process should NOT be in capability mode"
-                pkill sniproxy || true
-                exit 1
-              fi
-
-              echo "Capsicum verified: mainloop in cap mode, binder not"
-            else
+
+            if [ -z "$mainpid" ]; then
               echo "::error::sniproxy-mainloop process not found"
               pkill sniproxy || true
               exit 1
             fi
+
+            mainflags=$(ps -o flags= -p "$mainpid" | tr -d ' ')
+            binderflags=$(ps -o flags= -p "$binderpid" | tr -d ' ')
+            echo "mainloop pid=$mainpid flags=$mainflags"
+            echo "binder pid=$binderpid flags=$binderflags"
+
+            # Mainloop must be in capability mode (flag 0x100 set)
+            if [ $(( 0x$mainflags & 0x100 )) -eq 0 ]; then
+              echo "::error::Main process is NOT in Capsicum capability mode"
+              pkill sniproxy || true
+              exit 1
+            fi
+
+            # Binder must NOT be in capability mode
+            if [ $(( 0x$binderflags & 0x100 )) -ne 0 ]; then
+              echo "::error::Binder process should NOT be in capability mode"
+              pkill sniproxy || true
+              exit 1
+            fi
+
+            echo "Capsicum verified: mainloop in cap mode, binder not"
             pkill sniproxy || true
