sysutils

14 files changed, 235 insertions, 21 deletions

diff --git a/Makefile.in b/Makefile.in
index cb166aa33..5204fc34a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -53,6 +53,7 @@ clean:
         rm -f test/environment/wget-log*
         rm -fr test/environment/-testdir
         rm -f test/environment/logfile*
+        rm -f test/sysutils/firejail_t*
         cd test/compile; ./compile.sh --clean; cd ../..
         cd test/dist-compile; ./compile.sh --clean; cd ../..
 
@@ -213,6 +214,7 @@ realinstall:
         install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+        install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/.
         sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
         install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.
         rm -fr .etc
@@ -327,6 +329,9 @@ test-apps:
 test-apps-x11:
         cd test/apps-x11; ./apps-x11.sh | grep TESTING
 
+test-sysutils:
+        cd test/sysutils; ./sysutils.sh | grep TESTING
+        
 test-utils:
         cd test/utils; ./utils.sh | grep TESTING
 
@@ -342,5 +347,5 @@ test-network:
 test-fs:
         cd test/fs; ./fs.sh | grep TESTING
 
-test: test-profiles test-fs test-utils  test-environment test-apps test-apps-x11 test-filters
+test: test-profiles test-fs test-utils  test-environment test-sysutils test-apps test-apps-x11 test-filters
         echo "TEST COMPLETE"
diff --git a/etc/cpio.profile b/etc/cpio.profile
index f10b82962..b0e59c106 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,10 +1,21 @@
 # cpio profile
-# testing: find . -print -depth | cpio -ov > tree.cpio
-include /etc/firejail/default.profile
-tracelog
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified 
+
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+private-tmp
+seccomp
+caps.drop all
 net none
 shell none
-private-bin cpio
-private-dev
+tracelog
+net none
+
 
 
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 3c9e8a9bf..8d35c9f66 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -4,3 +4,4 @@ tracelog
 net none
 shell none
 private-dev
+private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index 8be9a5719..9bc67cfb8 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,3 +4,4 @@ tracelog
 net none
 shell none
 private-dev
+private-tmp
diff --git a/etc/xz.profile b/etc/xz.profile
new file mode 100644
index 000000000..709585acd
--- /dev/null
+++ b/etc/xz.profile
@@ -0,0 +1,2 @@
+# xz profile
+include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index ade46dddd..1bff66965 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,7 +1,7 @@
-# XZ decompressor profile
+# xzdec profile
 include /etc/firejail/default.profile
 tracelog
 net none
 shell none
 private-dev
-
+private-tmp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index a09df0c29..34ab8cd81 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -123,4 +123,5 @@
 /etc/firejail/gzip.profile
 /etc/firejail/xzdec.profile
 /etc/firejail/strings.profile
+/etc/firejail/xz.profile
 
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c6fbd584e..f149dd376 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -693,6 +693,52 @@ static void delete_x11_file(pid_t pid) {
         free(fname);
 }
 
+static void detect_quiet(int argc, char **argv) {
+        int i;
+        char *progs[] = {
+                "cpio",
+                "strings",
+                "gzip",
+                "xz",
+                "xzdec",
+                NULL
+        };
+        
+        // detect --quiet
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--quiet") == 0) {
+                        arg_quiet = 1;
+                        break;
+                }
+                
+                // detect end of firejail params
+                if (strcmp(argv[i], "--") == 0)
+                        break;
+                if (strncmp(argv[i], "--", 2) != 0)
+                        break;
+        }
+
+        // argv[i] is the program name if --quiet was not already detected
+        if (arg_quiet || i == argc)
+                return;
+
+        // extract the name of the program without the leading path
+        char *ptr = strrchr(argv[i], '/');
+        char *name = (ptr)? (ptr + 1): argv[i];
+        if (*name == '\0')
+                return;
+
+        // look for the program in the list     
+        int j = 0;
+        while (progs[j] != NULL) {
+                if (strcmp(name, progs[j]) == 0) {
+                        arg_quiet = 1;
+                        return;
+                }
+                j++;
+        }
+}
+
 //*******************************************
 // Main program
 //*******************************************
@@ -709,6 +755,8 @@ int main(int argc, char **argv) {
         int highest_errno = errno_highest_nr();
 #endif
 
+        detect_quiet(argc, argv);
+
         // drop permissions by default and rise them when required
         EUID_INIT();
         EUID_USER();
@@ -717,19 +765,6 @@ int main(int argc, char **argv) {
         if (*argv[0] != '-')
                 run_symlink(argc, argv);
 
-        // detect --quiet
-        for (i = 1; i < argc; i++) {
-                if (strcmp(argv[i], "--quiet") == 0) {
-                        arg_quiet = 1;
-                        break;
-                }
-                
-                // detect end of firejail params
-                if (strcmp(argv[i], "--") == 0)
-                        break;
-                if (strncmp(argv[i], "--", 2) != 0)
-                        break;
-        }
 
         // check if we already have a sandbox running
         // If LXC is detected, start firejail sandbox
diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp
new file mode 100755
index 000000000..9755d8737
--- /dev/null
+++ b/test/sysutils/cpio.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "find /usr/share/doc/firejail | /bin/cpio -ov > firejail_t1\r"
+sleep 1
+
+send -- "find /usr/share/doc/firejail | firejail /bin/cpio -ov > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp
new file mode 100755
index 000000000..ab0e727de
--- /dev/null
+++ b/test/sysutils/gzip.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp
new file mode 100755
index 000000000..1fd0f5dc0
--- /dev/null
+++ b/test/sysutils/strings.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/strings /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
new file mode 100755
index 000000000..f230c9a6b
--- /dev/null
+++ b/test/sysutils/sysutils.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+which cpio
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: cpio"
+        ./cpio.exp
+else
+        echo "TESTING SKIP: cpio not found"
+fi
+
+which strings
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: strings"
+        ./strings.exp
+else
+        echo "TESTING SKIP: strings not found"
+fi
+
+which gzip
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: gzip"
+        ./gzip.exp
+else
+        echo "TESTING SKIP: gzip not found"
+fi
+
+which xzdec
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xzdec"
+        ./xzdec.exp
+else
+        echo "TESTING SKIP: xzdec not found"
+fi
+
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
new file mode 100755
index 000000000..0ea6f5fb0
--- /dev/null
+++ b/test/sysutils/xzdec.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
+sleep 1
+
+send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "firejail_t1 and firejail_t2 are identical"
+} 
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/todo b/todo
index cd36b5f11..a5c311562 100644
--- a/todo
+++ b/todo
@@ -101,3 +101,10 @@ firejail.src: E: no-changelogname-tag
 firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
 1 packages and 0 specfiles checked; 1 errors, 1 warnings.
 
+15. Testing:
+find /usr/share/doc/firejail | cpio -ov > t1
+strings /usr/bin/firejail > t1
+gzip -c /usr/bin/firejail > t1
+
+use diff -s to compare the files
+