diff options
author | netblue30 <netblue30@yahoo.com> | 2019-01-09 09:46:48 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2019-01-09 09:46:48 -0500 |
commit | 2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b (patch) | |
tree | 24728cf8ac3c919dba72af93f9f688f336d33f6e | |
parent | mainline merge: fix join/seccomp #2296 (diff) | |
download | firejail-2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b.tar.gz firejail-2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b.tar.zst firejail-2e8a13800a2ea3d2fa3760ba3bb2f984b6ce738b.zip |
mainline merge: test caps join, testing seccomp/join
-rwxr-xr-x | test/filters/caps-join.exp | 96 | ||||
-rwxr-xr-x | test/filters/filters.sh | 13 | ||||
-rwxr-xr-x | test/filters/seccomp-join.exp | 159 |
3 files changed, 266 insertions, 2 deletions
diff --git a/test/filters/caps-join.exp b/test/filters/caps-join.exp new file mode 100755 index 000000000..2e29ef763 --- /dev/null +++ b/test/filters/caps-join.exp | |||
@@ -0,0 +1,96 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | match_max 100000 | ||
8 | spawn $env(SHELL) | ||
9 | set id1 $spawn_id | ||
10 | spawn $env(SHELL) | ||
11 | set id2 $spawn_id | ||
12 | |||
13 | send -- "stty -echo\r" | ||
14 | after 100 | ||
15 | |||
16 | # | ||
17 | # regular run | ||
18 | # | ||
19 | set spawn_id $id1 | ||
20 | send -- "firejail --name=jointesting\r" | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 0\n";exit} | ||
23 | "Child process initialized" | ||
24 | } | ||
25 | sleep 1 | ||
26 | |||
27 | set spawn_id $id2 | ||
28 | |||
29 | send -- "firejail --join=jointesting cat /proc/self/status\r" | ||
30 | expect { | ||
31 | timeout {puts "TESTING ERROR 1\n";exit} | ||
32 | "CapBnd: 0000000000000000" | ||
33 | } | ||
34 | sleep 1 | ||
35 | |||
36 | set spawn_id $id1 | ||
37 | send -- "exit\r" | ||
38 | after 100 | ||
39 | |||
40 | # | ||
41 | # no caps | ||
42 | # | ||
43 | set spawn_id $id1 | ||
44 | send -- "firejail --name=jointesting --noprofile\r" | ||
45 | expect { | ||
46 | timeout {puts "TESTING ERROR 10\n";exit} | ||
47 | "Child process initialized" | ||
48 | } | ||
49 | sleep 1 | ||
50 | |||
51 | set spawn_id $id2 | ||
52 | |||
53 | send -- "firejail --join=jointesting cat /proc/self/status\r" | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 11\n";exit} | ||
56 | "CapBnd:" | ||
57 | } | ||
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 12\n";exit} | ||
60 | "fffffffff" | ||
61 | } | ||
62 | expect { | ||
63 | timeout {puts "TESTING ERROR 13\n";exit} | ||
64 | "CapAmb:" | ||
65 | } | ||
66 | sleep 1 | ||
67 | |||
68 | set spawn_id $id1 | ||
69 | send -- "exit\r" | ||
70 | after 100 | ||
71 | |||
72 | # | ||
73 | # no caps | ||
74 | # | ||
75 | set spawn_id $id1 | ||
76 | send -- "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r" | ||
77 | expect { | ||
78 | timeout {puts "TESTING ERROR20\n";exit} | ||
79 | "Child process initialized" | ||
80 | } | ||
81 | sleep 1 | ||
82 | |||
83 | set spawn_id $id2 | ||
84 | |||
85 | send -- "firejail --join=jointesting cat /proc/self/status\r" | ||
86 | expect { | ||
87 | timeout {puts "TESTING ERROR 21\n";exit} | ||
88 | "CapBnd: 0000000000000009" | ||
89 | } | ||
90 | sleep 1 | ||
91 | |||
92 | set spawn_id $id1 | ||
93 | send -- "exit\r" | ||
94 | after 100 | ||
95 | |||
96 | puts "all done\n" | ||
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 3d1211b8e..33f205e05 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -12,7 +12,6 @@ if [ -f /etc/debian_version ]; then | |||
12 | fi | 12 | fi |
13 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" | 13 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" |
14 | 14 | ||
15 | |||
16 | if [ -f /sys/kernel/security/apparmor/profiles ]; then | 15 | if [ -f /sys/kernel/security/apparmor/profiles ]; then |
17 | echo "TESTING: apparmor (test/filters/apparmor.exp)" | 16 | echo "TESTING: apparmor (test/filters/apparmor.exp)" |
18 | ./apparmor.exp | 17 | ./apparmor.exp |
@@ -42,7 +41,7 @@ echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)" | |||
42 | echo "TESTING: noroot (test/filters/noroot.exp)" | 41 | echo "TESTING: noroot (test/filters/noroot.exp)" |
43 | ./noroot.exp | 42 | ./noroot.exp |
44 | 43 | ||
45 | echo "TESTING: capabilities (test/filters/caps.exp)" | 44 | |
46 | if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then | 45 | if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then |
47 | echo "TESTING: capabilities (test/filters/caps.exp)" | 46 | echo "TESTING: capabilities (test/filters/caps.exp)" |
48 | ./caps.exp | 47 | ./caps.exp |
@@ -53,6 +52,9 @@ fi | |||
53 | echo "TESTING: capabilities print (test/filters/caps-print.exp)" | 52 | echo "TESTING: capabilities print (test/filters/caps-print.exp)" |
54 | ./caps-print.exp | 53 | ./caps-print.exp |
55 | 54 | ||
55 | echo "TESTING: capabilities join (test/filters/caps-join.exp)" | ||
56 | ./caps-join.exp | ||
57 | |||
56 | rm -f seccomp-test-file | 58 | rm -f seccomp-test-file |
57 | if [ "$(uname -m)" = "x86_64" ]; then | 59 | if [ "$(uname -m)" = "x86_64" ]; then |
58 | echo "TESTING: fseccomp (test/filters/fseccomp.exp)" | 60 | echo "TESTING: fseccomp (test/filters/fseccomp.exp)" |
@@ -114,3 +116,10 @@ if [ "$(uname -m)" = "x86_64" ]; then | |||
114 | else | 116 | else |
115 | echo "TESTING SKIP: seccomp dual, not running on x86_64" | 117 | echo "TESTING SKIP: seccomp dual, not running on x86_64" |
116 | fi | 118 | fi |
119 | |||
120 | if [ "$(uname -m)" = "x86_64" ]; then | ||
121 | echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" | ||
122 | ./seccomp-join.exp | ||
123 | else | ||
124 | echo "TESTING SKIP: seccomp join test implemented only for x86_64" | ||
125 | fi | ||
diff --git a/test/filters/seccomp-join.exp b/test/filters/seccomp-join.exp new file mode 100755 index 000000000..7a869b85f --- /dev/null +++ b/test/filters/seccomp-join.exp | |||
@@ -0,0 +1,159 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | match_max 100000 | ||
8 | spawn $env(SHELL) | ||
9 | set id1 $spawn_id | ||
10 | spawn $env(SHELL) | ||
11 | set id2 $spawn_id | ||
12 | |||
13 | send -- "stty -echo\r" | ||
14 | after 100 | ||
15 | |||
16 | # | ||
17 | # regular run | ||
18 | # | ||
19 | set spawn_id $id1 | ||
20 | send -- "firejail --name=jointesting --debug\r" | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 0\n";exit} | ||
23 | "Installing /run/firejail/mnt/seccomp seccomp filter" | ||
24 | } | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 1\n";exit} | ||
27 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 2\n";exit} | ||
31 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
32 | } | ||
33 | sleep 1 | ||
34 | |||
35 | set spawn_id $id2 | ||
36 | |||
37 | send -- "firejail --debug --join=jointesting\r" | ||
38 | expect { | ||
39 | timeout {puts "TESTING ERROR 3\n";exit} | ||
40 | "Installing /run/firejail/mnt/seccomp seccomp filter" | ||
41 | } | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 4\n";exit} | ||
44 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" | ||
45 | } | ||
46 | expect { | ||
47 | timeout {puts "TESTING ERROR 5\n";exit} | ||
48 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
49 | } | ||
50 | sleep 1 | ||
51 | |||
52 | send -- "exit\r" | ||
53 | after 100 | ||
54 | set spawn_id $id1 | ||
55 | send -- "exit\r" | ||
56 | after 100 | ||
57 | |||
58 | |||
59 | |||
60 | # | ||
61 | # block secondary | ||
62 | # | ||
63 | set spawn_id $id1 | ||
64 | send -- "firejail --name=jointesting --seccomp.block-secondary --debug\r" | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 10\n";exit} | ||
67 | "Installing /run/firejail/mnt/seccomp seccomp filter" | ||
68 | } | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 11\n";exit} | ||
71 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit} | ||
72 | "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter" | ||
73 | } | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 13\n";exit} | ||
76 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
77 | } | ||
78 | sleep 1 | ||
79 | |||
80 | set spawn_id $id2 | ||
81 | send -- "firejail --debug --join=jointesting\r" | ||
82 | expect { | ||
83 | timeout {puts "TESTING ERROR 14\n";exit} | ||
84 | "Installing /run/firejail/mnt/seccomp seccomp filter" | ||
85 | } | ||
86 | expect { | ||
87 | timeout {puts "TESTING ERROR 15\n";exit} | ||
88 | "Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter" | ||
89 | } | ||
90 | expect { | ||
91 | timeout {puts "TESTING ERROR 16\n";exit} | ||
92 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
93 | } | ||
94 | sleep 1 | ||
95 | |||
96 | send -- "exit\r" | ||
97 | after 100 | ||
98 | set spawn_id $id1 | ||
99 | send -- "exit\r" | ||
100 | after 100 | ||
101 | |||
102 | # | ||
103 | # protocol | ||
104 | # | ||
105 | set spawn_id $id1 | ||
106 | send -- "firejail --name=jointesting --noprofile --protocol=inet --debug\r" | ||
107 | expect { | ||
108 | timeout {puts "TESTING ERROR 22\n";exit} | ||
109 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
110 | } | ||
111 | sleep 1 | ||
112 | |||
113 | set spawn_id $id2 | ||
114 | |||
115 | send -- "firejail --debug --join=jointesting\r" | ||
116 | expect { | ||
117 | timeout {puts "TESTING ERROR 23\n";exit} | ||
118 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit} | ||
119 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit} | ||
120 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" | ||
121 | } | ||
122 | sleep 1 | ||
123 | |||
124 | send -- "exit\r" | ||
125 | after 100 | ||
126 | set spawn_id $id1 | ||
127 | send -- "exit\r" | ||
128 | after 100 | ||
129 | |||
130 | # | ||
131 | # memory deny write execute | ||
132 | # | ||
133 | set spawn_id $id1 | ||
134 | send -- "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r" | ||
135 | expect { | ||
136 | timeout {puts "TESTING ERROR 32\n";exit} | ||
137 | "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter" | ||
138 | } | ||
139 | sleep 1 | ||
140 | |||
141 | set spawn_id $id2 | ||
142 | |||
143 | send -- "firejail --debug --join=jointesting\r" | ||
144 | expect { | ||
145 | timeout {puts "TESTING ERROR 33\n";exit} | ||
146 | "Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit} | ||
147 | "Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit} | ||
148 | "Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit} | ||
149 | "Installing /run/firejail/mnt/seccomp.mdwx seccomp filter" | ||
150 | } | ||
151 | sleep 1 | ||
152 | |||
153 | send -- "exit\r" | ||
154 | after 100 | ||
155 | set spawn_id $id1 | ||
156 | send -- "exit\r" | ||
157 | after 100 | ||
158 | |||
159 | puts "all done\n" | ||