mainline merge: test caps join, testing seccomp/join

author: netblue30 <netblue30@yahoo.com> 2019-01-09 09:46:48 -0500
committer: netblue30 <netblue30@yahoo.com> 2019-01-09 09:46:48 -0500
commit: 2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b (patch)
tree: 24728cf8ac3c919dba72af93f9f688f336d33f6e
parent: mainline merge: fix join/seccomp #2296 (diff)
download: firejail-2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b.tar.gz
firejail-2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b.tar.zst
firejail-2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b.zip
3 files changed, 266 insertions, 2 deletions
diff --git a/test/filters/caps-join.exp b/test/filters/caps-join.exp
new file mode 100755
index 000000000..2e29ef763
--- /dev/null
+++ b/test/filters/caps-join.exp
@@ -0,0 +1,96 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+set timeout 10
+match_max 100000
+spawn $env(SHELL)
+set id1 $spawn_id
+spawn $env(SHELL)
+set id2 $spawn_id
+send -- "stty -echo\r"
+after 100
+#
+# regular run
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "CapBnd:        0000000000000000"
+}
+sleep 1
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# no caps
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "fffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "CapAmb:"
+}
+sleep 1
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# no caps
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
+expect {
+        timeout {puts "TESTING ERROR20\n";exit}
+        "Child process initialized"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "CapBnd:        0000000000000009"
+}
+sleep 1
+set spawn_id $id1
+send -- "exit\r"
+after 100
+puts "all done\n"
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 3d1211b8e..33f205e05 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -12,7 +12,6 @@ if [ -f /etc/debian_version ]; then
 fi
 export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 if [ -f /sys/kernel/security/apparmor/profiles ]; then
        echo "TESTING: apparmor (test/filters/apparmor.exp)"
        ./apparmor.exp
@@ -42,7 +41,7 @@ echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
 echo "TESTING: noroot (test/filters/noroot.exp)"
 ./noroot.exp
-echo "TESTING: capabilities (test/filters/caps.exp)"
 if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
        echo "TESTING: capabilities (test/filters/caps.exp)"
        ./caps.exp
@@ -53,6 +52,9 @@ fi
 echo "TESTING: capabilities print (test/filters/caps-print.exp)"
 ./caps-print.exp
+echo "TESTING: capabilities join (test/filters/caps-join.exp)"
+./caps-join.exp
 rm -f seccomp-test-file
 if [ "$(uname -m)" = "x86_64" ]; then
       echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
@@ -114,3 +116,10 @@ if [ "$(uname -m)" = "x86_64" ]; then
 else
        echo "TESTING SKIP: seccomp dual, not running on x86_64"
 fi
+if [ "$(uname -m)" = "x86_64" ]; then
+       echo "TESTING: seccomp join (test/filters/seccomp-join.exp)"
+        ./seccomp-join.exp
+else
+        echo "TESTING SKIP: seccomp join test implemented only for x86_64"
+fi
diff --git a/test/filters/seccomp-join.exp b/test/filters/seccomp-join.exp
new file mode 100755
index 000000000..7a869b85f
--- /dev/null
+++ b/test/filters/seccomp-join.exp
@@ -0,0 +1,159 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+set timeout 10
+match_max 100000
+spawn $env(SHELL)
+set id1 $spawn_id
+spawn $env(SHELL)
+set id2 $spawn_id
+send -- "stty -echo\r"
+after 100
+#
+# regular run
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --debug --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# block secondary
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --seccomp.block-secondary --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+        "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --debug --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# protocol
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile --protocol=inet --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --debug --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit}
+        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# memory deny write execute
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 32\n";exit}
+        "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --debug --join=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 33\n";exit}
+        "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit}
+        "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+        "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit}
+        "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+}
+sleep 1
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+puts "all done\n"
author	netblue30 <netblue30@yahoo.com>	2019-01-09 09:46:48 -0500
committer	netblue30 <netblue30@yahoo.com>	2019-01-09 09:46:48 -0500
commit	2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b (patch)
tree	24728cf8ac3c919dba72af93f9f688f336d33f6e
parent	mainline merge: fix join/seccomp #2296 (diff)
download	firejail-2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b.tar.gz firejail-2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b.tar.zst firejail-2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b.zip

diff --git a/test/filters/caps-join.exp b/test/filters/caps-join.exp new file mode 100755 index 000000000..2e29ef763 --- /dev/null +++ b/test/filters/caps-join.exp
@@ -0,0 +1,96 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2018 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	match_max 100000
		8	spawn $env(SHELL)
		9	set id1 $spawn_id
		10	spawn $env(SHELL)
		11	set id2 $spawn_id
		12
		13	send -- "stty -echo\r"
		14	after 100
		15
		16	#
		17	# regular run
		18	#
		19	set spawn_id $id1
		20	send -- "firejail --name=jointesting\r"
		21	expect {
		22	timeout {puts "TESTING ERROR 0\n";exit}
		23	"Child process initialized"
		24	}
		25	sleep 1
		26
		27	set spawn_id $id2
		28
		29	send -- "firejail --join=jointesting cat /proc/self/status\r"
		30	expect {
		31	timeout {puts "TESTING ERROR 1\n";exit}
		32	"CapBnd: 0000000000000000"
		33	}
		34	sleep 1
		35
		36	set spawn_id $id1
		37	send -- "exit\r"
		38	after 100
		39
		40	#
		41	# no caps
		42	#
		43	set spawn_id $id1
		44	send -- "firejail --name=jointesting --noprofile\r"
		45	expect {
		46	timeout {puts "TESTING ERROR 10\n";exit}
		47	"Child process initialized"
		48	}
		49	sleep 1
		50
		51	set spawn_id $id2
		52
		53	send -- "firejail --join=jointesting cat /proc/self/status\r"
		54	expect {
		55	timeout {puts "TESTING ERROR 11\n";exit}
		56	"CapBnd:"
		57	}
		58	expect {
		59	timeout {puts "TESTING ERROR 12\n";exit}
		60	"fffffffff"
		61	}
		62	expect {
		63	timeout {puts "TESTING ERROR 13\n";exit}
		64	"CapAmb:"
		65	}
		66	sleep 1
		67
		68	set spawn_id $id1
		69	send -- "exit\r"
		70	after 100
		71
		72	#
		73	# no caps
		74	#
		75	set spawn_id $id1
		76	send -- "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
		77	expect {
		78	timeout {puts "TESTING ERROR20\n";exit}
		79	"Child process initialized"
		80	}
		81	sleep 1
		82
		83	set spawn_id $id2
		84
		85	send -- "firejail --join=jointesting cat /proc/self/status\r"
		86	expect {
		87	timeout {puts "TESTING ERROR 21\n";exit}
		88	"CapBnd: 0000000000000009"
		89	}
		90	sleep 1
		91
		92	set spawn_id $id1
		93	send -- "exit\r"
		94	after 100
		95
		96	puts "all done\n"


diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 3d1211b8e..33f205e05 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh
@@ -12,7 +12,6 @@ if [ -f /etc/debian_version ]; then
12	fi	12	fi
13	export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"	13	export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
14		14
15
16	if [ -f /sys/kernel/security/apparmor/profiles ]; then	15	if [ -f /sys/kernel/security/apparmor/profiles ]; then
17	echo "TESTING: apparmor (test/filters/apparmor.exp)"	16	echo "TESTING: apparmor (test/filters/apparmor.exp)"
18	./apparmor.exp	17	./apparmor.exp
@@ -42,7 +41,7 @@ echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
42	echo "TESTING: noroot (test/filters/noroot.exp)"	41	echo "TESTING: noroot (test/filters/noroot.exp)"
43	./noroot.exp	42	./noroot.exp
44		43
45	echo "TESTING: capabilities (test/filters/caps.exp)"	44
46	if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then	45	if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
47	echo "TESTING: capabilities (test/filters/caps.exp)"	46	echo "TESTING: capabilities (test/filters/caps.exp)"
48	./caps.exp	47	./caps.exp
@@ -53,6 +52,9 @@ fi
53	echo "TESTING: capabilities print (test/filters/caps-print.exp)"	52	echo "TESTING: capabilities print (test/filters/caps-print.exp)"
54	./caps-print.exp	53	./caps-print.exp
55		54
		55	echo "TESTING: capabilities join (test/filters/caps-join.exp)"
		56	./caps-join.exp
		57
56	rm -f seccomp-test-file	58	rm -f seccomp-test-file
57	if [ "$(uname -m)" = "x86_64" ]; then	59	if [ "$(uname -m)" = "x86_64" ]; then
58	echo "TESTING: fseccomp (test/filters/fseccomp.exp)"	60	echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
@@ -114,3 +116,10 @@ if [ "$(uname -m)" = "x86_64" ]; then
114	else	116	else
115	echo "TESTING SKIP: seccomp dual, not running on x86_64"	117	echo "TESTING SKIP: seccomp dual, not running on x86_64"
116	fi	118	fi
		119
		120	if [ "$(uname -m)" = "x86_64" ]; then
		121	echo "TESTING: seccomp join (test/filters/seccomp-join.exp)"
		122	./seccomp-join.exp
		123	else
		124	echo "TESTING SKIP: seccomp join test implemented only for x86_64"
		125	fi


diff --git a/test/filters/seccomp-join.exp b/test/filters/seccomp-join.exp new file mode 100755 index 000000000..7a869b85f --- /dev/null +++ b/test/filters/seccomp-join.exp
@@ -0,0 +1,159 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2018 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	match_max 100000
		8	spawn $env(SHELL)
		9	set id1 $spawn_id
		10	spawn $env(SHELL)
		11	set id2 $spawn_id
		12
		13	send -- "stty -echo\r"
		14	after 100
		15
		16	#
		17	# regular run
		18	#
		19	set spawn_id $id1
		20	send -- "firejail --name=jointesting --debug\r"
		21	expect {
		22	timeout {puts "TESTING ERROR 0\n";exit}
		23	"Installing /run/firejail/mnt/seccomp seccomp filter"
		24	}
		25	expect {
		26	timeout {puts "TESTING ERROR 1\n";exit}
		27	"Installing /run/firejail/mnt/seccomp.32 seccomp filter"
		28	}
		29	expect {
		30	timeout {puts "TESTING ERROR 2\n";exit}
		31	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		32	}
		33	sleep 1
		34
		35	set spawn_id $id2
		36
		37	send -- "firejail --debug --join=jointesting\r"
		38	expect {
		39	timeout {puts "TESTING ERROR 3\n";exit}
		40	"Installing /run/firejail/mnt/seccomp seccomp filter"
		41	}
		42	expect {
		43	timeout {puts "TESTING ERROR 4\n";exit}
		44	"Installing /run/firejail/mnt/seccomp.32 seccomp filter"
		45	}
		46	expect {
		47	timeout {puts "TESTING ERROR 5\n";exit}
		48	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		49	}
		50	sleep 1
		51
		52	send -- "exit\r"
		53	after 100
		54	set spawn_id $id1
		55	send -- "exit\r"
		56	after 100
		57
		58
		59
		60	#
		61	# block secondary
		62	#
		63	set spawn_id $id1
		64	send -- "firejail --name=jointesting --seccomp.block-secondary --debug\r"
		65	expect {
		66	timeout {puts "TESTING ERROR 10\n";exit}
		67	"Installing /run/firejail/mnt/seccomp seccomp filter"
		68	}
		69	expect {
		70	timeout {puts "TESTING ERROR 11\n";exit}
		71	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
		72	"Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter"
		73	}
		74	expect {
		75	timeout {puts "TESTING ERROR 13\n";exit}
		76	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		77	}
		78	sleep 1
		79
		80	set spawn_id $id2
		81	send -- "firejail --debug --join=jointesting\r"
		82	expect {
		83	timeout {puts "TESTING ERROR 14\n";exit}
		84	"Installing /run/firejail/mnt/seccomp seccomp filter"
		85	}
		86	expect {
		87	timeout {puts "TESTING ERROR 15\n";exit}
		88	"Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter"
		89	}
		90	expect {
		91	timeout {puts "TESTING ERROR 16\n";exit}
		92	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		93	}
		94	sleep 1
		95
		96	send -- "exit\r"
		97	after 100
		98	set spawn_id $id1
		99	send -- "exit\r"
		100	after 100
		101
		102	#
		103	# protocol
		104	#
		105	set spawn_id $id1
		106	send -- "firejail --name=jointesting --noprofile --protocol=inet --debug\r"
		107	expect {
		108	timeout {puts "TESTING ERROR 22\n";exit}
		109	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		110	}
		111	sleep 1
		112
		113	set spawn_id $id2
		114
		115	send -- "firejail --debug --join=jointesting\r"
		116	expect {
		117	timeout {puts "TESTING ERROR 23\n";exit}
		118	"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit}
		119	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit}
		120	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
		121	}
		122	sleep 1
		123
		124	send -- "exit\r"
		125	after 100
		126	set spawn_id $id1
		127	send -- "exit\r"
		128	after 100
		129
		130	#
		131	# memory deny write execute
		132	#
		133	set spawn_id $id1
		134	send -- "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r"
		135	expect {
		136	timeout {puts "TESTING ERROR 32\n";exit}
		137	"Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
		138	}
		139	sleep 1
		140
		141	set spawn_id $id2
		142
		143	send -- "firejail --debug --join=jointesting\r"
		144	expect {
		145	timeout {puts "TESTING ERROR 33\n";exit}
		146	"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit}
		147	"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
		148	"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit}
		149	"Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
		150	}
		151	sleep 1
		152
		153	send -- "exit\r"
		154	after 100
		155	set spawn_id $id1
		156	send -- "exit\r"
		157	after 100
		158
		159	puts "all done\n"