author | netblue30 <netblue30@yahoo.com> | 2017-08-30 11:08:37 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-30 11:08:37 -0400 |
commit | 12d64e7151e633f50e86b283c24cf85db7f1db41 (patch) | |
tree | d41ca03cfc415abf85bf7057258307ee448dd158 | |
parent | fix seccomp secondary filter printing on i386 platform (diff) | |
removed zsh from travis test suite, fixed handling of /dev/shm whitelist for Debian wheezy and Ubuntu 14.04
-rw-r--r-- | .travis.yml | 2 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 19 | ||||
-rwxr-xr-x | test/fs/whitelist-dev.exp | 8 |
3 files changed, 18 insertions, 11 deletions
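--- a/.travis.yml
+++ b/.travis.yml
@@ -3,7 +3,7 @@ dist: trusty
 sudo: true
 
 script:
-- sudo apt-get -y install expect csh zsh
+- sudo apt-get -y install expect csh
 - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
 - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
 - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )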
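--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -368,12 +368,12 @@ void fs_whitelist(void) {
 // replace ~/ or ${HOME} into /home/username
 new_name = expand_home(dataptr, cfg.homedir);
 assert(new_name);
-if (arg_debug)
+if (arg_debug || arg_debug_whitelists)
 fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");
 
 // valid path referenced to filesystem root
 if (*new_name != '/') {
-if (arg_debug)
+if (arg_debug || arg_debug_whitelists)
 fprintf(stderr, "Debug %d: \n", __LINE__);
 goto errexit;
 }
@@ -417,6 +417,8 @@ void fs_whitelist(void) {
 entry->data = EMPTY_STRING;
 continue;
 }
+else if (arg_debug_whitelists)
+printf("real path %s\n", fname);
 
 if (nowhitelist_flag) {
 // store the path in nowhitelist array
@@ -501,9 +503,15 @@ void fs_whitelist(void) {
 else if (strncmp(new_name, "/dev/", 5) == 0) {
 entry->dev_dir = 1;
 dev_dir = 1;
-// both path and absolute path are under /dev
-if (strncmp(fname, "/dev/", 5) != 0) {
-goto errexit;
+
+// special handling for /dev/shm
+// on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm
+if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);
+else {
+// both path and absolute path are under /dev
+if (strncmp(fname, "/dev/", 5) != 0) {
+goto errexit;
+}
 }
 }
 else if (strncmp(new_name, "/opt/", 5) == 0) {
@@ -708,7 +716,6 @@ void fs_whitelist(void) {
 }
 
 
-
 // go through profile rules again, and interpret whitelist commands
 entry = cfg.profile;
 while (entry) {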
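Review bot: The empty statement in `if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);` followed by `else` (new lines 509-510) is the stray-semicolon shape that -Wempty-body flags and that a later reader is likely to "fix" by deleting the semicolon, which would invert the check and send every /dev whitelist to errexit. Fold the exception into the existing guard instead, e.g. `int shm_alias = strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0;` / `if (!shm_alias && strncmp(fname, "/dev/", 5) != 0)` / `goto errexit;`, which keeps the "resolved path must stay under /dev" invariant readable. The carve-out is an exact match, so only /dev/shm itself is accepted on those platforms; a whitelist of a path below /dev/shm that resolves under /run/shm would still hit errexit, which looks intended but deserves a one-line comment, and entry->dev_dir is still set to 1 for that entry, so any later dev_dir handling that assumes fname starts with /dev/ should be checked. The debug print added at new line 421 goes to stdout via printf while the surrounding debug output in this function goes to stderr via fprintf. fs_whitelist's body starts and ends outside the hunk.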
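--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -25,14 +25,14 @@ sleep 1
 
 send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "find /dev | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 0.1\n";exit}
+timeout {puts "TESTING ERROR 3\n";exit}
 "4"
 }
 after 100
@@ -41,14 +41,14 @@ sleep 1
 
 send -- "firejail --private-dev --debug\r"
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "ls -l /dev | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 5\n";exit}
 "12" {puts "OK\n"}
 "13" {puts "OK\n"}
 "14" {puts "OK\n"}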