author | netblue30 <netblue30@yahoo.com> | 2018-04-01 10:41:00 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-04-01 10:41:00 -0400 |
commit | 80d0d452d660f2c77af94fc35d2caaea7cfd1cae (patch) | |
tree | 6887b38cef478cf917cc99b56e1d622635e78e02 | |
parent | testing (diff) | |
testing
-rwxr-xr-x | gcov.sh | 2 | ||||
-rw-r--r-- | src/firecfg/desktop_files.c | 10 | ||||
-rw-r--r-- | src/firecfg/main.c | 63 | ||||
-rw-r--r-- | src/firejail/usage.c | 407 | ||||
-rw-r--r-- | src/firemon/usage.c | 111 | ||||
-rwxr-xr-x | test/root/firecfg.exp | 6 | ||||
-rwxr-xr-x | test/root/root.sh | 28 | ||||
-rwxr-xr-x | test/utils/build.exp | 33 | ||||
-rwxr-xr-x | test/utils/utils.sh | 4 |
9 files changed, 355 insertions, 309 deletions
@@ -34,7 +34,7 @@ generate() { | |||
34 | gcov_init | 34 | gcov_init |
35 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old | 35 | lcov -q --capture -d src/firejail -d src/firemon -d src/faudit -d src/fbuilder -d src/fcopy -d src/fnetfilter -d src/fsec-print -d src/fsec-optimize -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old |
36 | 36 | ||
37 | #make test-environment | 37 | #make test-utils |
38 | #generate | 38 | #generate |
39 | #sleep 2 | 39 | #sleep 2 |
40 | #exit | 40 | #exit |
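--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -136,15 +136,9 @@ void fix_desktop_files(char *homedir) {
 
 // source
 DIR *dir = opendir("/usr/share/applications");
-if (!dir) {
+if (!dir || chdir("/usr/share/applications")) {
 perror("opendir");
-fprintf(stderr, "Warning: cannot open /usr/share/applications directory, desktop files fixing skipped...\n");
-free(user_apps_dir);
-return;
-}
-if (chdir("/usr/share/applications")) {
-perror("chdir");
-fprintf(stderr, "Warning: cannot chdir to /usr/share/applications, desktop files fixing skipped...\n");
+fprintf(stderr, "Warning: cannot access /usr/share/applications directory, desktop files fixing skipped...\n");
 free(user_apps_dir);
 return;
 }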
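Review bot: The merged condition on new line 139 now reports a failed chdir() as an opendir() error, because the only perror() label left in the branch is "opendir", and in that path the successfully opened DIR handle is never closed (the handle was already leaked by the old chdir branch, but the old message at least named the right call). Since errno at that point belongs to whichever call failed, the label should follow the outcome, `perror(dir ? "chdir" : "opendir");`, and the branch should release the handle before returning, `if (dir) closedir(dir);` ahead of the free(user_apps_dir) line. The rest of fix_desktop_files, including whatever closes dir on the success path, lies outside this hunk.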
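--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -21,38 +21,41 @@
 #include "firecfg.h"
 int arg_debug = 0;
 
+static char *usage_str =
+"Firecfg is the desktop configuration utility for Firejail software. The utility\n"
+"creates several symbolic links to firejail executable. This allows the user to\n"
+"sandbox applications automatically, just by clicking on a regular desktop\n"
+"menus and icons.\n\n"
+"The symbolic links are placed in /usr/local/bin. For more information, see\n"
+"DESKTOP INTEGRATION section in man 1 firejail.\n\n"
+"Usage: firecfg [OPTIONS]\n\n"
+" --clean - remove all firejail symbolic links.\n\n"
+" --debug - print debug messages.\n\n"
+" --fix - fix .desktop files.\n\n"
+" --fix-sound - create ~/.config/pulse/client.conf file.\n\n"
+" --help, -? - this help screen.\n\n"
+" --list - list all firejail symbolic links.\n\n"
+" --version - print program version and exit.\n\n"
+"Example:\n\n"
+" $ sudo firecfg\n"
+" /usr/local/bin/firefox created\n"
+" /usr/local/bin/vlc created\n"
+" [...]\n"
+" $ firecfg --list\n"
+" /usr/local/bin/firefox\n"
+" /usr/local/bin/vlc\n"
+" [...]\n"
+" $ sudo firecfg --clean\n"
+" /usr/local/bin/firefox removed\n"
+" /usr/local/bin/vlc removed\n"
+" [...]\n"
+"\n"
+"License GPL version 2 or later\n"
+"Homepage: http://firejail.wordpress.com\n\n";
+
 static void usage(void) {
 printf("firecfg - version %s\n\n", VERSION);
-printf("Firecfg is the desktop configuration utility for Firejail software. The utility\n");
-printf("creates several symbolic links to firejail executable. This allows the user to\n");
-printf("sandbox applications automatically, just by clicking on a regular desktop\n");
-printf("menus and icons.\n\n");
-printf("The symbolic links are placed in /usr/local/bin. For more information, see\n");
-printf("DESKTOP INTEGRATION section in man 1 firejail.\n\n");
-printf("Usage: firecfg [OPTIONS]\n\n");
-printf(" --clean - remove all firejail symbolic links.\n\n");
-printf(" --debug - print debug messages.\n\n");
-printf(" --fix - fix .desktop files.\n\n");
-printf(" --fix-sound - create ~/.config/pulse/client.conf file.\n\n");
-printf(" --help, -? - this help screen.\n\n");
-printf(" --list - list all firejail symbolic links.\n\n");
-printf(" --version - print program version and exit.\n\n");
-printf("Example:\n\n");
-printf(" $ sudo firecfg\n");
-printf(" /usr/local/bin/firefox created\n");
-printf(" /usr/local/bin/vlc created\n");
-printf(" [...]\n");
-printf(" $ firecfg --list\n");
-printf(" /usr/local/bin/firefox\n");
-printf(" /usr/local/bin/vlc\n");
-printf(" [...]\n");
-printf(" $ sudo firecfg --clean\n");
-printf(" /usr/local/bin/firefox removed\n");
-printf(" /usr/local/bin/vlc removed\n");
-printf(" [...]\n");
-printf("\n");
-printf("License GPL version 2 or later\n");
-printf("Homepage: http://firejail.wordpress.com\n\n");
+puts(usage_str);
 }
 
 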
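Review bot: `usage_str` on new line 24 is a non-const `char *` pointing at a string literal, so any accidental write through it is undefined behavior and the compiler cannot catch it; declare it `static const char usage_str[] =` (or `static const char *usage_str =`) so the text lives in read-only data and modification is rejected at compile time. The same non-const declaration is introduced for `usage_str` in src/firejail/usage.c and `help_str` in src/firemon/usage.c in this commit. Separately, `puts(usage_str)` on new line 58 appends its own newline to a string that already ends in "\n\n", so the help output gains one blank line relative to the printf sequence it replaces; `fputs(usage_str, stdout);` reproduces the previous output exactly, and the same holds for the puts() calls in the other two files.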
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d0292f524..e35549398 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -19,242 +19,245 @@ | |||
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | 21 | ||
22 | void usage(void) { | 22 | static char *usage_str = |
23 | printf("firejail - version %s\n\n", VERSION); | 23 | "Firejail is a SUID sandbox program that reduces the risk of security breaches by\n" |
24 | printf("Firejail is a SUID sandbox program that reduces the risk of security breaches by\n"); | 24 | "restricting the running environment of untrusted applications using Linux\n" |
25 | printf("restricting the running environment of untrusted applications using Linux\n"); | 25 | "namespaces.\n" |
26 | printf("namespaces.\n"); | 26 | "\n" |
27 | printf("\n"); | 27 | "Usage: firejail [options] [program and arguments]\n" |
28 | printf("Usage: firejail [options] [program and arguments]\n"); | 28 | "\n" |
29 | printf("\n"); | 29 | "Options:\n" |
30 | printf("Options:\n"); | 30 | " -- - signal the end of options and disables further option processing.\n" |
31 | printf(" -- - signal the end of options and disables further option processing.\n"); | 31 | " --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n" |
32 | printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"); | 32 | " --allow-private-blacklist - allow blacklisting files in private\n" |
33 | printf(" --allow-private-blacklist - allow blacklisting files in private\n"); | 33 | "\thome directories.\n" |
34 | printf("\thome directories.\n"); | 34 | " --allusers - all user home directories are visible inside the sandbox.\n" |
35 | printf(" --allusers - all user home directories are visible inside the sandbox.\n"); | 35 | " --apparmor - enable AppArmor confinement.\n" |
36 | printf(" --apparmor - enable AppArmor confinement.\n"); | 36 | " --apparmor.print=name|pid - print apparmor status.\n" |
37 | printf(" --apparmor.print=name|pid - print apparmor status.\n"); | 37 | " --appimage - sandbox an AppImage application.\n" |
38 | printf(" --appimage - sandbox an AppImage application.\n"); | 38 | " --audit[=test-program] - audit the sandbox.\n" |
39 | printf(" --audit[=test-program] - audit the sandbox.\n"); | ||
40 | #ifdef HAVE_NETWORK | 39 | #ifdef HAVE_NETWORK |
41 | printf(" --bandwidth=name|pid - set bandwidth limits.\n"); | 40 | " --bandwidth=name|pid - set bandwidth limits.\n" |
42 | #endif | 41 | #endif |
43 | #ifdef HAVE_BIND | 42 | #ifdef HAVE_BIND |
44 | printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n"); | 43 | " --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n" |
45 | printf(" --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n"); | 44 | " --bind=filename1,filename2 - mount-bind filename1 on top of filename2.\n" |
46 | #endif | 45 | #endif |
47 | printf(" --blacklist=filename - blacklist directory or file.\n"); | 46 | " --blacklist=filename - blacklist directory or file.\n" |
48 | printf(" --build - build a whitelisted profile for the application.\n"); | 47 | " --build - build a whitelisted profile for the application.\n" |
49 | printf(" --build=filename - build a whitelisted profile for the application.\n"); | 48 | " --build=filename - build a whitelisted profile for the application.\n" |
50 | printf(" -c - execute command and exit.\n"); | 49 | " -c - execute command and exit.\n" |
51 | printf(" --caps - enable default Linux capabilities filter.\n"); | 50 | " --caps - enable default Linux capabilities filter.\n" |
52 | printf(" --caps.drop=all - drop all capabilities.\n"); | 51 | " --caps.drop=all - drop all capabilities.\n" |
53 | printf(" --caps.drop=capability,capability - blacklist capabilities filter.\n"); | 52 | " --caps.drop=capability,capability - blacklist capabilities filter.\n" |
54 | printf(" --caps.keep=capability,capability - whitelist capabilities filter.\n"); | 53 | " --caps.keep=capability,capability - whitelist capabilities filter.\n" |
55 | printf(" --caps.print=name|pid - print the caps filter.\n"); | 54 | " --caps.print=name|pid - print the caps filter.\n" |
56 | printf(" --cgroup=tasks-file - place the sandbox in the specified control group.\n"); | 55 | " --cgroup=tasks-file - place the sandbox in the specified control group.\n" |
57 | #ifdef HAVE_CHROOT | 56 | #ifdef HAVE_CHROOT |
58 | printf(" --chroot=dirname - chroot into directory.\n"); | 57 | " --chroot=dirname - chroot into directory.\n" |
59 | #endif | 58 | #endif |
60 | printf(" --cpu=cpu-number,cpu-number - set cpu affinity.\n"); | 59 | " --cpu=cpu-number,cpu-number - set cpu affinity.\n" |
61 | printf(" --cpu.print=name|pid - print the cpus in use.\n"); | 60 | " --cpu.print=name|pid - print the cpus in use.\n" |
62 | printf(" --csh - use /bin/csh as default shell.\n"); | 61 | " --csh - use /bin/csh as default shell.\n" |
63 | printf(" --debug - print sandbox debug messages.\n"); | 62 | " --debug - print sandbox debug messages.\n" |
64 | printf(" --debug-blacklists - debug blacklisting.\n"); | 63 | " --debug-blacklists - debug blacklisting.\n" |
65 | printf(" --debug-caps - print all recognized capabilities.\n"); | 64 | " --debug-caps - print all recognized capabilities.\n" |
66 | printf(" --debug-check-filename - debug filename checking.\n"); | 65 | " --debug-check-filename - debug filename checking.\n" |
67 | printf(" --debug-errnos - print all recognized error numbers.\n"); | 66 | " --debug-errnos - print all recognized error numbers.\n" |
68 | printf(" --debug-private-lib - debug for --private-lib option.\n"); | 67 | " --debug-private-lib - debug for --private-lib option.\n" |
69 | printf(" --debug-protocols - print all recognized protocols.\n"); | 68 | " --debug-protocols - print all recognized protocols.\n" |
70 | printf(" --debug-syscalls - print all recognized system calls.\n"); | 69 | " --debug-syscalls - print all recognized system calls.\n" |
71 | #ifdef HAVE_WHITELIST | 70 | #ifdef HAVE_WHITELIST |
72 | printf(" --debug-whitelists - debug whitelisting.\n"); | 71 | " --debug-whitelists - debug whitelisting.\n" |
73 | #endif | 72 | #endif |
74 | #ifdef HAVE_NETWORK | 73 | #ifdef HAVE_NETWORK |
75 | printf(" --defaultgw=address - configure default gateway.\n"); | 74 | " --defaultgw=address - configure default gateway.\n" |
76 | #endif | 75 | #endif |
77 | printf(" --dns=address - set DNS server.\n"); | 76 | " --dns=address - set DNS server.\n" |
78 | printf(" --dns.print=name|pid - print DNS configuration.\n"); | 77 | " --dns.print=name|pid - print DNS configuration.\n" |
79 | 78 | " --env=name=value - set environment variable.\n" | |
80 | printf(" --env=name=value - set environment variable.\n"); | 79 | " --force - attempt to start a new sandbox inside the existing sandbox.\n" |
81 | printf(" --force - attempt to start a new sandbox inside the existing sandbox.\n"); | 80 | " --fs.print=name|pid - print the filesystem log.\n" |
82 | printf(" --fs.print=name|pid - print the filesystem log.\n"); | 81 | " --get=name|pid filename - get a file from sandbox container.\n" |
83 | printf(" --get=name|pid filename - get a file from sandbox container.\n"); | ||
84 | #ifdef HAVE_GIT_INSTALL | 82 | #ifdef HAVE_GIT_INSTALL |
85 | printf(" --git-install - download, compile and install mainline git version\n"); | 83 | " --git-install - download, compile and install mainline git version\n" |
86 | printf("\tof Firejail.\n"); | 84 | "\tof Firejail.\n" |
87 | printf(" --git-uninstall - uninstall mainline git version of Firejail\n"); | 85 | " --git-uninstall - uninstall mainline git version of Firejail\n" |
88 | #endif | 86 | #endif |
89 | printf(" --help, -? - this help screen.\n"); | 87 | " --help, -? - this help screen.\n" |
90 | printf(" --hostname=name - set sandbox hostname.\n"); | 88 | " --hostname=name - set sandbox hostname.\n" |
91 | printf(" --hosts-file=file - use file as /etc/hosts.\n"); | 89 | " --hosts-file=file - use file as /etc/hosts.\n" |
92 | printf(" --ignore=command - ignore command in profile files.\n"); | 90 | " --ignore=command - ignore command in profile files.\n" |
93 | #ifdef HAVE_NETWORK | 91 | #ifdef HAVE_NETWORK |
94 | printf(" --interface=name - move interface in sandbox.\n"); | 92 | " --interface=name - move interface in sandbox.\n" |
95 | printf(" --ip=address - set interface IP address.\n"); | 93 | " --ip=address - set interface IP address.\n" |
96 | printf(" --ip=none - no IP address and no default gateway are configured.\n"); | 94 | " --ip=none - no IP address and no default gateway are configured.\n" |
97 | printf(" --ip6=address - set interface IPv6 address.\n"); | 95 | " --ip6=address - set interface IPv6 address.\n" |
98 | printf(" --iprange=address,address - configure an IP address in this range.\n"); | 96 | " --iprange=address,address - configure an IP address in this range.\n" |
99 | #endif | 97 | #endif |
100 | printf(" --ipc-namespace - enable a new IPC namespace.\n"); | 98 | " --ipc-namespace - enable a new IPC namespace.\n" |
101 | printf(" --join=name|pid - join the sandbox.\n"); | 99 | " --join=name|pid - join the sandbox.\n" |
102 | printf(" --join-filesystem=name|pid - join the mount namespace.\n"); | 100 | " --join-filesystem=name|pid - join the mount namespace.\n" |
103 | #ifdef HAVE_NETWORK | 101 | #ifdef HAVE_NETWORK |
104 | printf(" --join-network=name|pid - join the network namespace.\n"); | 102 | " --join-network=name|pid - join the network namespace.\n" |
105 | #endif | 103 | #endif |
106 | printf(" --join-or-start=name|pid - join the sandbox or start a new one.\n"); | 104 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" |
107 | printf(" --list - list all sandboxes.\n"); | 105 | " --list - list all sandboxes.\n" |
108 | printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n"); | 106 | " --ls=name|pid dir_or_filename - list files in sandbox container.\n" |
109 | #ifdef HAVE_NETWORK | 107 | #ifdef HAVE_NETWORK |
110 | printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); | 108 | " --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n" |
111 | #endif | 109 | #endif |
112 | printf(" --machine-id - preserve /etc/machine-id\n"); | 110 | " --machine-id - preserve /etc/machine-id\n" |
113 | #ifdef HAVE_SECCOMP | 111 | #ifdef HAVE_SECCOMP |
114 | printf(" --memory-deny-write-execute - seccomp filter to block attempts to create\n"); | 112 | " --memory-deny-write-execute - seccomp filter to block attempts to create\n" |
115 | printf("\tmemory mappings that are both writable and executable.\n"); | 113 | "\tmemory mappings that are both writable and executable.\n" |
116 | #endif | 114 | #endif |
117 | #ifdef HAVE_NETWORK | 115 | #ifdef HAVE_NETWORK |
118 | printf(" --mtu=number - set interface MTU.\n"); | 116 | " --mtu=number - set interface MTU.\n" |
119 | #endif | 117 | #endif |
120 | printf(" --name=name - set sandbox name.\n"); | 118 | " --name=name - set sandbox name.\n" |
121 | #ifdef HAVE_NETWORK | 119 | #ifdef HAVE_NETWORK |
122 | printf(" --net=bridgename - enable network namespaces and connect to this bridge.\n"); | 120 | " --net=bridgename - enable network namespaces and connect to this bridge.\n" |
123 | printf(" --net=ethernet_interface - enable network namespaces and connect to this\n"); | 121 | " --net=ethernet_interface - enable network namespaces and connect to this\n" |
124 | printf("\tEthernet interface.\n"); | 122 | "\tEthernet interface.\n" |
125 | printf(" --net=none - enable a new, unconnected network namespace.\n"); | 123 | " --net=none - enable a new, unconnected network namespace.\n" |
126 | printf(" --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"); | 124 | " --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n" |
127 | printf(" --netfilter.print=name|pid - print the firewall.\n"); | 125 | " --netfilter.print=name|pid - print the firewall.\n" |
128 | printf(" --netfilter6=filename - enable IPv6 firewall.\n"); | 126 | " --netfilter6=filename - enable IPv6 firewall.\n" |
129 | printf(" --netfilter6.print=name|pid - print the IPv6 firewall.\n"); | 127 | " --netfilter6.print=name|pid - print the IPv6 firewall.\n" |
130 | printf(" --netns=name - Run the program in a named, persistent network namespace.\n"); | 128 | " --netns=name - Run the program in a named, persistent network namespace.\n" |
131 | printf(" --netstats - monitor network statistics.\n"); | 129 | " --netstats - monitor network statistics.\n" |
132 | #endif | 130 | #endif |
133 | printf(" --nice=value - set nice value.\n"); | 131 | " --nice=value - set nice value.\n" |
134 | printf(" --no3d - disable 3D hardware acceleration.\n"); | 132 | " --no3d - disable 3D hardware acceleration.\n" |
135 | printf(" --noblacklist=filename - disable blacklist for file or directory.\n"); | 133 | " --noblacklist=filename - disable blacklist for file or directory.\n" |
136 | printf(" --nodbus - disable D-Bus access.\n"); | 134 | " --nodbus - disable D-Bus access.\n" |
137 | printf(" --nodvd - disable DVD and audio CD devices.\n"); | 135 | " --nodvd - disable DVD and audio CD devices.\n" |
138 | printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n"); | 136 | " --noexec=filename - remount the file or directory noexec nosuid and nodev.\n" |
139 | printf(" --nogroups - disable supplementary groups.\n"); | 137 | " --nogroups - disable supplementary groups.\n" |
140 | printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"); | 138 | " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" |
141 | printf(" --noprofile - do not use a security profile.\n"); | 139 | " --noprofile - do not use a security profile.\n" |
142 | #ifdef HAVE_USERNS | 140 | #ifdef HAVE_USERNS |
143 | printf(" --noroot - install a user namespace with only the current user.\n"); | 141 | " --noroot - install a user namespace with only the current user.\n" |
144 | #endif | 142 | #endif |
145 | printf(" --nosound - disable sound system.\n"); | 143 | " --nosound - disable sound system.\n" |
146 | printf(" --novideo - disable video devices.\n"); | 144 | " --novideo - disable video devices.\n" |
147 | printf(" --nowhitelist=filename - disable whitelist for file or directory .\n"); | 145 | " --nowhitelist=filename - disable whitelist for file or directory .\n" |
148 | printf(" --output=logfile - stdout logging and log rotation.\n"); | 146 | " --output=logfile - stdout logging and log rotation.\n" |
149 | printf(" --output-stderr=logfile - stdout and stderr logging and log rotation.\n"); | 147 | " --output-stderr=logfile - stdout and stderr logging and log rotation.\n" |
150 | printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n"); | 148 | " --overlay - mount a filesystem overlay on top of the current filesystem.\n" |
151 | printf(" --overlay-named=name - mount a filesystem overlay on top of the current\n"); | 149 | " --overlay-named=name - mount a filesystem overlay on top of the current\n" |
152 | printf("\tfilesystem, and store it in name directory.\n"); | 150 | "\tfilesystem, and store it in name directory.\n" |
153 | printf(" --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n"); | 151 | " --overlay-tmpfs - mount a temporary filesystem overlay on top of the\n" |
154 | printf("\tcurrent filesystem.\n"); | 152 | "\tcurrent filesystem.\n" |
155 | printf(" --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n"); | 153 | " --overlay-clean - clean all overlays stored in $HOME/.firejail directory.\n" |
156 | printf(" --private - temporary home directory.\n"); | 154 | " --private - temporary home directory.\n" |
157 | printf(" --private=directory - use directory as user home.\n"); | 155 | " --private=directory - use directory as user home.\n" |
158 | printf(" --private-home=file,directory - build a new user home in a temporary\n"); | 156 | " --private-home=file,directory - build a new user home in a temporary\n" |
159 | printf("\tfilesystem, and copy the files and directories in the list in\n"); | 157 | "\tfilesystem, and copy the files and directories in the list in\n" |
160 | printf("\tthe new home.\n"); | 158 | "\tthe new home.\n" |
161 | printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); | 159 | " --private-bin=file,file - build a new /bin in a temporary filesystem,\n" |
162 | printf("\tand copy the programs in the list.\n"); | 160 | "\tand copy the programs in the list.\n" |
163 | printf(" --private-dev - create a new /dev directory with a small number of\n"); | 161 | " --private-dev - create a new /dev directory with a small number of\n" |
164 | printf("\tcommon device files.\n"); | 162 | "\tcommon device files.\n" |
165 | printf(" --private-etc=file,directory - build a new /etc in a temporary\n"); | 163 | " --private-etc=file,directory - build a new /etc in a temporary\n" |
166 | printf("\tfilesystem, and copy the files and directories in the list.\n"); | 164 | "\tfilesystem, and copy the files and directories in the list.\n" |
167 | printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n"); | 165 | " --private-tmp - mount a tmpfs on top of /tmp directory.\n" |
168 | printf(" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"); | 166 | " --private-opt=file,directory - build a new /opt in a temporary filesystem.\n" |
169 | printf(" --profile=filename - use a custom profile.\n"); | 167 | " --profile=filename - use a custom profile.\n" |
170 | printf(" --profile.print=name|pid - print the name of profile file.\n"); | 168 | " --profile.print=name|pid - print the name of profile file.\n" |
171 | printf(" --profile-path=directory - use this directory to look for profile files.\n"); | 169 | " --profile-path=directory - use this directory to look for profile files.\n" |
172 | printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n"); | 170 | " --protocol=protocol,protocol,protocol - enable protocol filter.\n" |
173 | printf(" --protocol.print=name|pid - print the protocol filter.\n"); | 171 | " --protocol.print=name|pid - print the protocol filter.\n" |
174 | printf(" --put=name|pid src-filename dest-filename - put a file in sandbox\n"); | 172 | " --put=name|pid src-filename dest-filename - put a file in sandbox\n" |
175 | printf("\tcontainer.\n"); | 173 | "\tcontainer.\n" |
176 | printf(" --quiet - turn off Firejail's output.\n"); | 174 | " --quiet - turn off Firejail's output.\n" |
177 | printf(" --read-only=filename - set directory or file read-only..\n"); | 175 | " --read-only=filename - set directory or file read-only..\n" |
178 | printf(" --read-write=filename - set directory or file read-write.\n"); | 176 | " --read-write=filename - set directory or file read-write.\n" |
179 | printf(" --rlimit-as=number - set the maximum size of the process's virtual memory\n"); | 177 | " --rlimit-as=number - set the maximum size of the process's virtual memory\n" |
180 | printf("\t(address space) in bytes.\n"); | 178 | "\t(address space) in bytes.\n" |
181 | printf(" --rlimit-cpu=number - set the maximum CPU time in seconds.\n"); | 179 | " --rlimit-cpu=number - set the maximum CPU time in seconds.\n" |
182 | printf(" --rlimit-fsize=number - set the maximum file size that can be created\n"); | 180 | " --rlimit-fsize=number - set the maximum file size that can be created\n" |
183 | printf("\tby a process.\n"); | 181 | "\tby a process.\n" |
184 | printf(" --rlimit-nofile=number - set the maximum number of files that can be\n"); | 182 | " --rlimit-nofile=number - set the maximum number of files that can be\n" |
185 | printf("\topened by a process.\n"); | 183 | "\topened by a process.\n" |
186 | printf(" --rlimit-nproc=number - set the maximum number of processes that can be\n"); | 184 | " --rlimit-nproc=number - set the maximum number of processes that can be\n" |
187 | printf("\tcreated for the real user ID of the calling process.\n"); | 185 | "\tcreated for the real user ID of the calling process.\n" |
188 | printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n"); | 186 | " --rlimit-sigpending=number - set the maximum number of pending signals\n" |
189 | printf("\tfor a process.\n"); | 187 | "\tfor a process.\n" |
190 | printf(" --rmenv=name - remove environment variable in the new sandbox.\n"); | 188 | " --rmenv=name - remove environment variable in the new sandbox.\n" |
191 | #ifdef HAVE_NETWORK | 189 | #ifdef HAVE_NETWORK |
192 | printf(" --scan - ARP-scan all the networks from inside a network namespace.\n"); | 190 | " --scan - ARP-scan all the networks from inside a network namespace.\n" |
193 | #endif | 191 | #endif |
194 | #ifdef HAVE_SECCOMP | 192 | #ifdef HAVE_SECCOMP |
195 | printf(" --seccomp - enable seccomp filter and apply the default blacklist.\n"); | 193 | " --seccomp - enable seccomp filter and apply the default blacklist.\n" |
196 | printf(" --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"); | 194 | " --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n" |
197 | printf("\tdefault syscall list and the syscalls specified by the command.\n"); | 195 | "\tdefault syscall list and the syscalls specified by the command.\n" |
198 | printf(" --seccomp.block-secondary - build only the native architecture filters.\n"); | 196 | " --seccomp.block-secondary - build only the native architecture filters.\n" |
199 | printf(" --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n"); | 197 | " --seccomp.drop=syscall,syscall,syscall - enable seccomp filter, and\n" |
200 | printf("\tblacklist the syscalls specified by the command.\n"); | 198 | "\tblacklist the syscalls specified by the command.\n" |
201 | printf(" --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n"); | 199 | " --seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and\n" |
202 | printf("\twhitelist the syscalls specified by the command.\n"); | 200 | "\twhitelist the syscalls specified by the command.\n" |
203 | printf(" --seccomp.print=name|pid - print the seccomp filter for the sandbox\n"); | 201 | " --seccomp.print=name|pid - print the seccomp filter for the sandbox\n" |
204 | printf("\tidentified by name or PID.\n"); | 202 | "\tidentified by name or PID.\n" |
205 | #endif | 203 | #endif |
206 | printf(" --shell=none - run the program directly without a user shell.\n"); | 204 | " --shell=none - run the program directly without a user shell.\n" |
207 | printf(" --shell=program - set default user shell.\n"); | 205 | " --shell=program - set default user shell.\n" |
208 | printf(" --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"); | 206 | " --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n" |
209 | printf(" --timeout=hh:mm:ss - kill the sandbox automatically after the time\n"); | 207 | " --timeout=hh:mm:ss - kill the sandbox automatically after the time\n" |
210 | printf("\thas elapsed.\n"); | 208 | "\thas elapsed.\n" |
211 | printf(" --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n"); | 209 | " --tmpfs=dirname - mount a tmpfs filesystem on directory dirname.\n" |
212 | printf(" --top - monitor the most CPU-intensive sandboxes.\n"); | 210 | " --top - monitor the most CPU-intensive sandboxes.\n" |
213 | printf(" --trace - trace open, access and connect system calls.\n"); | 211 | " --trace - trace open, access and connect system calls.\n" |
214 | printf(" --tracelog - add a syslog message for every access to files or\n"); | 212 | " --tracelog - add a syslog message for every access to files or\n" |
215 | printf("\tdirectoires blacklisted by the security profile.\n"); | 213 | "\tdirectoires blacklisted by the security profile.\n" |
216 | printf(" --tree - print a tree of all sandboxed processes.\n"); | 214 | " --tree - print a tree of all sandboxed processes.\n" |
217 | printf(" --version - print program version and exit.\n"); | 215 | " --version - print program version and exit.\n" |
218 | #ifdef HAVE_NETWORK | 216 | #ifdef HAVE_NETWORK |
219 | printf(" --veth-name=name - use this name for the interface connected to the bridge.\n"); | 217 | " --veth-name=name - use this name for the interface connected to the bridge.\n" |
220 | #endif | 218 | #endif |
221 | #ifdef HAVE_WHITELIST | 219 | #ifdef HAVE_WHITELIST |
222 | printf(" --whitelist=filename - whitelist directory or file.\n"); | 220 | " --whitelist=filename - whitelist directory or file.\n" |
223 | #endif | 221 | #endif |
224 | printf(" --writable-etc - /etc directory is mounted read-write.\n"); | 222 | " --writable-etc - /etc directory is mounted read-write.\n" |
225 | printf(" --writable-run-user - allow access to /run/user/$UID/systemd and\n"); | 223 | " --writable-run-user - allow access to /run/user/$UID/systemd and\n" |
226 | printf("\t/run/user/$UID/gnupg.\n"); | 224 | "\t/run/user/$UID/gnupg.\n" |
227 | printf(" --writable-var - /var directory is mounted read-write.\n"); | 225 | " --writable-var - /var directory is mounted read-write.\n" |
228 | printf(" --writable-var-log - use the real /var/log directory, not a clone.\n"); | 226 | " --writable-var-log - use the real /var/log directory, not a clone.\n" |
229 | #ifdef HAVE_X11 | 227 | #ifdef HAVE_X11 |
230 | printf(" --x11 - enable X11 sandboxing. The software checks first if Xpra is\n"); | 228 | " --x11 - enable X11 sandboxing. The software checks first if Xpra is\n" |
231 | printf("\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n"); | 229 | "\tinstalled, then it checks if Xephyr is installed. If all fails, it will\n" |
232 | printf("\tattempt to use X11 security extension.\n"); | 230 | "\tattempt to use X11 security extension.\n" |
233 | printf(" --x11=none - disable access to X11 sockets.\n"); | 231 | " --x11=none - disable access to X11 sockets.\n" |
234 | printf(" --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n"); | 232 | " --x11=xephyr - enable Xephyr X11 server. The window size is 800x600.\n" |
235 | printf(" --x11=xorg - enable X11 security extension.\n"); | 233 | " --x11=xorg - enable X11 security extension.\n" |
236 | printf(" --x11=xpra - enable Xpra X11 server.\n"); | 234 | " --x11=xpra - enable Xpra X11 server.\n" |
237 | printf(" --x11=xvfb - enable Xvfb X11 server.\n"); | 235 | " --x11=xvfb - enable Xvfb X11 server.\n" |
238 | printf(" --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n"); | 236 | " --xephyr-screen=WIDTHxHEIGHT - set screen size for --x11=xephyr.\n" |
239 | #endif | 237 | #endif |
240 | printf(" --zsh - use /usr/bin/zsh as default shell.\n"); | 238 | " --zsh - use /usr/bin/zsh as default shell.\n" |
241 | printf("\n"); | 239 | "\n" |
242 | printf("Examples:\n"); | 240 | "Examples:\n" |
243 | printf(" $ firejail firefox\n"); | 241 | " $ firejail firefox\n" |
244 | printf("\tstart Mozilla Firefox\n"); | 242 | "\tstart Mozilla Firefox\n" |
245 | printf(" $ firejail --debug firefox\n"); | 243 | " $ firejail --debug firefox\n" |
246 | printf("\tdebug Firefox sandbox\n"); | 244 | "\tdebug Firefox sandbox\n" |
247 | printf(" $ firejail --private --dns=8.8.8.8 firefox\n"); | 245 | " $ firejail --private --dns=8.8.8.8 firefox\n" |
248 | printf("\tstart Firefox with a new, empty home directory, and a well-known DNS\n"); | 246 | "\tstart Firefox with a new, empty home directory, and a well-known DNS\n" |
249 | printf("\tserver setting.\n"); | 247 | "\tserver setting.\n" |
250 | printf(" $ firejail --net=eth0 firefox\n"); | 248 | " $ firejail --net=eth0 firefox\n" |
251 | printf("\tstart Firefox in a new network namespace\n"); | 249 | "\tstart Firefox in a new network namespace\n" |
252 | printf(" $ firejail --x11=xorg firefox\n"); | 250 | " $ firejail --x11=xorg firefox\n" |
253 | printf("\tstart Firefox and sandbox X11\n"); | 251 | "\tstart Firefox and sandbox X11\n" |
254 | printf(" $ firejail --list\n"); | 252 | " $ firejail --list\n" |
255 | printf("\tlist all running sandboxes\n"); | 253 | "\tlist all running sandboxes\n" |
256 | printf("\n"); | 254 | "\n" |
257 | printf("License GPL version 2 or later\n"); | 255 | "License GPL version 2 or later\n" |
258 | printf("Homepage: http://firejail.wordpress.com\n"); | 256 | "Homepage: http://firejail.wordpress.com\n" |
259 | printf("\n"); | 257 | "\n"; |
258 | |||
259 | |||
260 | void usage(void) { | ||
261 | printf("firejail - version %s\n\n", VERSION); | ||
262 | puts(usage_str); | ||
260 | } | 263 | } |
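Review bot: The concatenated literal assigned to `usage_str` on new lines 22-257 is far longer than the 4095-character minimum that C11 (5.2.4.1) guarantees a conforming translator supports for a string literal after concatenation; GCC and Clang accept it, but it is a portability caveat that deserves a comment at the declaration, e.g. `/* single literal well over the C11 4095-char minimum translation limit; relies on GCC/Clang */`. If that is a concern, the table can be split into a few `static const char` pieces printed in sequence without changing the output. The `#ifdef` blocks spliced between adjacent string pieces are legal, but a reviewer reading the block should know that an option line missing its trailing `\n` would silently merge with the next, which is easy to miss in a 240-line literal.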
diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 617f4dacd..37bd4e874 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c | |||
@@ -19,62 +19,65 @@ | |||
19 | */ | 19 | */ |
20 | #include "firemon.h" | 20 | #include "firemon.h" |
21 | 21 | ||
22 | void usage(void) { | 22 | static char *help_str = |
23 | printf("firemon - version %s\n", VERSION); | 23 | "Usage: firemon [OPTIONS] [PID]\n\n" |
24 | printf("Usage: firemon [OPTIONS] [PID]\n\n"); | 24 | "Monitor processes started in a Firejail sandbox. Without any PID specified,\n" |
25 | printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n"); | 25 | "all processes started by Firejail are monitored. Descendants of these processes\n" |
26 | printf("all processes started by Firejail are monitored. Descendants of these processes\n"); | 26 | "are also being monitored. On Grsecurity systems only root user\n" |
27 | printf("are also being monitored. On Grsecurity systems only root user\n"); | 27 | "can run this program.\n\n" |
28 | printf("can run this program.\n\n"); | 28 | "Options:\n" |
29 | printf("Options:\n"); | 29 | "\t--apparmor - print AppArmor confinement status for each sandbox.\n\n" |
30 | printf("\t--apparmor - print AppArmor confinement status for each sandbox.\n\n"); | 30 | "\t--arp - print ARP table for each sandbox.\n\n" |
31 | printf("\t--arp - print ARP table for each sandbox.\n\n"); | 31 | "\t--caps - print capabilities configuration for each sandbox.\n\n" |
32 | printf("\t--caps - print capabilities configuration for each sandbox.\n\n"); | 32 | "\t--cgroup - print control group information for each sandbox.\n\n" |
33 | printf("\t--cgroup - print control group information for each sandbox.\n\n"); | 33 | "\t--cpu - print CPU affinity for each sandbox.\n\n" |
34 | printf("\t--cpu - print CPU affinity for each sandbox.\n\n"); | 34 | "\t--help, -? - this help screen.\n\n" |
35 | printf("\t--help, -? - this help screen.\n\n"); | 35 | "\t--interface - print network interface information for each sandbox.\n\n" |
36 | printf("\t--interface - print network interface information for each sandbox.\n\n"); | 36 | "\t--list - list all sandboxes.\n\n" |
37 | printf("\t--list - list all sandboxes.\n\n"); | 37 | "\t--name=name - print information only about named sandbox.\n\n" |
38 | printf("\t--name=name - print information only about named sandbox.\n\n"); | 38 | "\t--netstats - monitor network statistics for sandboxes creating a new\n" |
39 | printf("\t--netstats - monitor network statistics for sandboxes creating a new\n"); | 39 | "\t\tnetwork namespace.\n\n" |
40 | printf("\t\tnetwork namespace.\n\n"); | 40 | "\t--nowrap - enable line wrapping in terminals.\n\n" |
41 | printf("\t--nowrap - enable line wrapping in terminals.\n\n"); | 41 | "\t--route - print route table for each sandbox.\n\n" |
42 | printf("\t--route - print route table for each sandbox.\n\n"); | 42 | "\t--seccomp - print seccomp configuration for each sandbox.\n\n" |
43 | printf("\t--seccomp - print seccomp configuration for each sandbox.\n\n"); | 43 | "\t--tree - print a tree of all sandboxed processes.\n\n" |
44 | printf("\t--tree - print a tree of all sandboxed processes.\n\n"); | 44 | "\t--top - monitor the most CPU-intensive sandboxes.\n\n" |
45 | printf("\t--top - monitor the most CPU-intensive sandboxes.\n\n"); | 45 | "\t--version - print program version and exit.\n\n" |
46 | printf("\t--version - print program version and exit.\n\n"); | 46 | |
47 | "Without any options, firemon monitors all fork, exec, id change, and exit\n" | ||
48 | "events in the sandbox. Monitoring a specific PID is also supported.\n\n" | ||
47 | 49 | ||
48 | printf("Without any options, firemon monitors all fork, exec, id change, and exit events\n"); | 50 | "Option --list prints a list of all sandboxes. The format for each entry is as\n" |
49 | printf("in the sandbox. Monitoring a specific PID is also supported.\n\n"); | 51 | "follows:\n\n" |
52 | "\tPID:USER:Command\n\n" | ||
50 | 53 | ||
51 | printf("Option --list prints a list of all sandboxes. The format for each entry is as\n"); | 54 | "Option --tree prints the tree of processes running in the sandbox. The format\n" |
52 | printf("follows:\n\n"); | 55 | "for each process entry is as follows:\n\n" |
53 | printf("\tPID:USER:Command\n\n"); | 56 | "\tPID:USER:Command\n\n" |
54 | 57 | ||
55 | printf("Option --tree prints the tree of processes running in the sandbox. The format\n"); | 58 | "Option --top is similar to the UNIX top command, however it applies only to\n" |
56 | printf("for each process entry is as follows:\n\n"); | 59 | "sandboxes. Listed below are the available fields (columns) in alphabetical\n" |
57 | printf("\tPID:USER:Command\n\n"); | 60 | "order:\n\n" |
61 | "\tCommand - command used to start the sandbox.\n" | ||
62 | "\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n" | ||
63 | "\t last screen update\n" | ||
64 | "\tPID - Unique process ID for the task controlling the sandbox.\n" | ||
65 | "\tPrcs - number of processes running in sandbox, including the\n" | ||
66 | "\t controlling process.\n" | ||
67 | "\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n" | ||
68 | "\t It is a sum of the RES values for all processes running in the\n" | ||
69 | "\t sandbox.\n" | ||
70 | "\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n" | ||
71 | "\t processes. It is a sum of the SHR values for all processes\n" | ||
72 | "\t running in the sandbox, including the controlling process.\n" | ||
73 | "\tUptime - sandbox running time in hours:minutes:seconds format.\n" | ||
74 | "\tUser - The owner of the sandbox.\n" | ||
75 | "\n" | ||
76 | "License GPL version 2 or later\n" | ||
77 | "Homepage: http://firejail.wordpress.com\n" | ||
78 | "\n"; | ||
58 | 79 | ||
59 | printf("Option --top is similar to the UNIX top command, however it applies only to\n"); | 80 | void usage(void) { |
60 | printf("sandboxes. Listed below are the available fields (columns) in alphabetical\n"); | 81 | printf("firemon - version %s\n", VERSION); |
61 | printf("order:\n\n"); | 82 | puts(help_str); |
62 | printf("\tCommand - command used to start the sandbox.\n"); | ||
63 | printf("\tCPU%% - CPU usage, the sandbox share of the elapsed CPU time since the\n"); | ||
64 | printf("\t last screen update\n"); | ||
65 | printf("\tPID - Unique process ID for the task controlling the sandbox.\n"); | ||
66 | printf("\tPrcs - number of processes running in sandbox, including the controlling\n"); | ||
67 | printf("\t process.\n"); | ||
68 | printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n"); | ||
69 | printf("\t It is a sum of the RES values for all processes running in the\n"); | ||
70 | printf("\t sandbox.\n"); | ||
71 | printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n"); | ||
72 | printf("\t processes. It is a sum of the SHR values for all processes running\n"); | ||
73 | printf("\t in the sandbox, including the controlling process.\n"); | ||
74 | printf("\tUptime - sandbox running time in hours:minutes:seconds format.\n"); | ||
75 | printf("\tUser - The owner of the sandbox.\n"); | ||
76 | printf("\n"); | ||
77 | printf("License GPL version 2 or later\n"); | ||
78 | printf("Homepage: http://firejail.wordpress.com\n"); | ||
79 | printf("\n"); | ||
80 | } | 83 | } |
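Review bot: `static char *help_str =` at new line 22 points a writable pointer at a string literal, so a write through it compiles silently and is undefined behaviour; declare it `static const char help_str[] =` (the array form also drops the separate pointer object and its relocation). Separately, `puts(help_str)` at new line 82 appends its own newline while the literal already ends in `"\n"`, so the help now ends in two blank lines where the old `printf("\n")` sequence produced one; either drop the final `"\n"` from the literal or use `fputs(help_str, stdout);`. The `usage_str` in src/firejail/usage.c is consumed the same way by `puts(usage_str)`; its declaration is outside this view, but if it is also declared `static char *`, the same `const` change applies there.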
diff --git a/test/root/firecfg.exp b/test/root/firecfg.exp index 656b8e215..b73167bd1 100755 --- a/test/root/firecfg.exp +++ b/test/root/firecfg.exp | |||
@@ -7,10 +7,10 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firecfg\r" | 10 | send -- "firecfg --debug\r" |
11 | sleep 1 | 11 | sleep 1 |
12 | 12 | ||
13 | send -- "firecfg --clean\r" | 13 | send -- "firecfg --debug --clean\r" |
14 | expect { | 14 | expect { |
15 | timeout {puts "TESTING ERROR 0\n";exit} | 15 | timeout {puts "TESTING ERROR 0\n";exit} |
16 | "less removed" | 16 | "less removed" |
@@ -27,7 +27,7 @@ expect { | |||
27 | } | 27 | } |
28 | sleep 1 | 28 | sleep 1 |
29 | 29 | ||
30 | send -- "firecfg\r" | 30 | send -- "firecfg --debug\r" |
31 | expect { | 31 | expect { |
32 | timeout {puts "TESTING ERROR 3\n";exit} | 32 | timeout {puts "TESTING ERROR 3\n";exit} |
33 | "less created" | 33 | "less created" |
diff --git a/test/root/root.sh b/test/root/root.sh index 22b12cf86..d77982993 100755 --- a/test/root/root.sh +++ b/test/root/root.sh | |||
@@ -3,6 +3,23 @@ | |||
3 | # set a new firejail config file | 3 | # set a new firejail config file |
4 | #cp firejail.config /etc/firejail/firejail.config | 4 | #cp firejail.config /etc/firejail/firejail.config |
5 | 5 | ||
6 | |||
7 | #******************************** | ||
8 | # firecfg | ||
9 | #******************************** | ||
10 | which less | ||
11 | if [ "$?" -eq 0 ]; | ||
12 | then | ||
13 | echo "TESTING: firecfg (test/root/firecfg.exp)" | ||
14 | rm -fr /home/netblue/.local/share/applications-store | ||
15 | mv /home/netblue/.local/share/applications /home/netblue/.local/share/applications-store | ||
16 | ./firecfg.exp | ||
17 | rm -fr /home/netblue/.local/share/applications | ||
18 | mv /home/netblue/.local/share/applications-store /home/netblue/.local/share/applications | ||
19 | else | ||
20 | echo "TESTING SKIP: firecfg, less not found" | ||
21 | fi | ||
22 | |||
6 | #******************************** | 23 | #******************************** |
7 | # servers | 24 | # servers |
8 | #******************************** | 25 | #******************************** |
@@ -107,17 +124,6 @@ rm -f tmpfile | |||
107 | echo "TESTING: firemon events (test/root/firemon-events.exp)" | 124 | echo "TESTING: firemon events (test/root/firemon-events.exp)" |
108 | ./firemon-events.exp | 125 | ./firemon-events.exp |
109 | 126 | ||
110 | #******************************** | ||
111 | # firecfg | ||
112 | #******************************** | ||
113 | which less | ||
114 | if [ "$?" -eq 0 ]; | ||
115 | then | ||
116 | echo "TESTING: firecfg (test/root/firecfg.exp)" | ||
117 | ./firecfg.exp | ||
118 | else | ||
119 | echo "TESTING SKIP: firecfg, less not found" | ||
120 | fi | ||
121 | 127 | ||
122 | # restore the default config file | 128 | # restore the default config file |
123 | #cp ../../etc/firejail.config /etc/firejail/firejail.config | 129 | #cp ../../etc/firejail.config /etc/firejail/firejail.config |
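Review bot: The backup `mv` at new line 15 is unchecked, and the `rm -fr` at new line 17 then deletes whatever is at `/home/netblue/.local/share/applications`; if the backup step failed for a reason other than the directory being absent (permissions, a file in the way), the run removes the user's real directory and the restore at line 18 fails silently. Guard the backup so the test stops instead: `mv /home/netblue/.local/share/applications /home/netblue/.local/share/applications-store || { echo "TESTING ERROR: firecfg backup failed"; exit 1; }`. The path is also hard-coded to one account's home; a variable such as `TEST_HOME=${TEST_HOME:-/home/netblue}` near the top of the script would keep the block usable on other machines without changing its behaviour here.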
diff --git a/test/utils/build.exp b/test/utils/build.exp index de2a9b6ae..5e883e4ba 100755 --- a/test/utils/build.exp +++ b/test/utils/build.exp | |||
@@ -54,5 +54,38 @@ expect { | |||
54 | } | 54 | } |
55 | after 100 | 55 | after 100 |
56 | 56 | ||
57 | send -- "firejail --build cat /etc/passwd\r" | ||
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 10\n";exit} | ||
60 | "private-etc passwd," | ||
61 | } | ||
62 | after 100 | ||
63 | |||
64 | send -- "firejail --build cat /var/tmp/firejail-test-file-7699\r" | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 11\n";exit} | ||
67 | "whitelist /var/tmp/firejail-test-file-7699" | ||
68 | } | ||
69 | after 100 | ||
70 | |||
71 | send -- "firejail --build man firejail\r" | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 12\n";exit} | ||
74 | "whitelist /usr/share/man" | ||
75 | } | ||
76 | after 100 | ||
77 | |||
78 | send -- "firejail --build wget blablabla\r" | ||
79 | expect { | ||
80 | timeout {puts "TESTING ERROR 13\n";exit} | ||
81 | "protocol inet" | ||
82 | } | ||
83 | after 100 | ||
84 | |||
85 | |||
86 | send -- "firejail --build cat /tmp/firejail-test-file-7699\r" | ||
87 | #todo - bug: it comes back with private-tmp | ||
88 | sleep 1 | ||
89 | |||
57 | 90 | ||
58 | puts "all done\n" | 91 | puts "all done\n" |
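Review bot: The final `send -- "firejail --build cat /tmp/firejail-test-file-7699\r"` at new line 86 has no matching `expect`, so that case can neither pass nor fail and the `sleep 1` after it only papers over the private-tmp issue named in the `#todo` comment. Either drop the case until the bug is fixed or make the expectation explicit so the script fails while the behaviour is wrong, e.g. an `expect` block with a `timeout {puts "TESTING ERROR 14\n";exit}` arm and the intended `"whitelist /tmp/firejail-test-file-7699"` pattern, keeping the todo comment next to it. The `wget blablabla` case at new lines 78–82 presumably depends on wget being installed; on a host without it the branch would surface as a timeout error rather than a skip, which is worth a comment.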
diff --git a/test/utils/utils.sh b/test/utils/utils.sh index 9259ee33a..5438e11a8 100755 --- a/test/utils/utils.sh +++ b/test/utils/utils.sh | |||
@@ -13,9 +13,13 @@ fi | |||
13 | export PATH="$PATH:/usr/lib/firejail" | 13 | export PATH="$PATH:/usr/lib/firejail" |
14 | 14 | ||
15 | echo "testing" > ~/firejail-test-file-7699 | 15 | echo "testing" > ~/firejail-test-file-7699 |
16 | echo "testing" > /tmp/firejail-test-file-7699 | ||
17 | echo "testing" > /var/tmp/firejail-test-file-7699 | ||
16 | echo "TESTING: build (test/utils/build.exp)" | 18 | echo "TESTING: build (test/utils/build.exp)" |
17 | ./build.exp | 19 | ./build.exp |
18 | rm -f ~/firejail-test-file-7699 | 20 | rm -f ~/firejail-test-file-7699 |
21 | rm -f /tmp/firejail-test-file-7699 | ||
22 | rm -f /var/tmp/firejail-test-file-7699 | ||
19 | 23 | ||
20 | echo "TESTING: audit (test/utils/audit.exp)" | 24 | echo "TESTING: audit (test/utils/audit.exp)" |
21 | ./audit.exp | 25 | ./audit.exp |
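Review bot: New lines 16–17 create `/tmp/firejail-test-file-7699` and `/var/tmp/firejail-test-file-7699` by redirecting into a fixed, predictable name in world-writable directories; if that path already exists (for instance as a symlink left by another account), the redirect follows it instead of creating a fresh test file. Because build.exp at new line 67 matches the literal name, the file cannot simply be made random; at minimum `rm -f` both paths before the redirects (the cleanup at new lines 21–22 already removes them afterwards), e.g. `rm -f /tmp/firejail-test-file-7699 /var/tmp/firejail-test-file-7699` placed before line 16. Once build.exp reads the name from an environment variable rather than a literal, `mktemp` would remove the predictable-name problem entirely.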