diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-11-29 10:04:43 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-11-29 10:04:43 -0500 |
| commit | d3b6581db7fcd0fb0897ada9910140f0e43f4ed1 (patch) | |
| tree | 1c4409a84665834736370f89dcf915a12f173ef5 | |
| parent | Merge pull request #945 from Fred-Barclay/cryptocat (diff) | |
| download | firejail-d3b6581db7fcd0fb0897ada9910140f0e43f4ed1.tar.gz firejail-d3b6581db7fcd0fb0897ada9910140f0e43f4ed1.tar.zst firejail-d3b6581db7fcd0fb0897ada9910140f0e43f4ed1.zip | |
testing and cleanup
| -rw-r--r-- | src/firejail/fs_var.c | 9 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 98 | ||||
| -rw-r--r-- | src/firejail/netfilter.c | 12 | ||||
| -rwxr-xr-x | test/environment/dns.exp | 27 | ||||
| -rw-r--r-- | test/environment/dns.profile | 3 | ||||
| -rwxr-xr-x | test/fs/fs.sh | 3 | ||||
| -rwxr-xr-x | test/fs/whitelist-dev.exp | 47 | ||||
| -rwxr-xr-x | test/fs/whitelist.exp | 26 | ||||
| -rwxr-xr-x | test/network/ip6.exp | 40 | ||||
| -rw-r--r-- | test/network/ip6.profile | 3 | ||||
| -rwxr-xr-x | test/network/iprange.exp | 103 | ||||
| -rw-r--r-- | test/network/iprange.profile | 2 | ||||
| -rwxr-xr-x | test/network/network.sh | 6 | ||||
| -rwxr-xr-x | test/network/veth-name.exp | 77 | ||||
| -rw-r--r-- | test/network/veth-name.profile | 3 | ||||
| -rwxr-xr-x | test/root/root.sh | 3 | ||||
| -rwxr-xr-x | test/root/whitelist-mnt.exp | 86 |
17 files changed, 454 insertions, 94 deletions
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 2aa4a1b54..bdc5ecaf3 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
| @@ -65,10 +65,9 @@ static void build_list(const char *srcdir) { | |||
| 65 | struct stat s; | 65 | struct stat s; |
| 66 | char *name; | 66 | char *name; |
| 67 | if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1) | 67 | if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1) |
| 68 | continue; | 68 | errExit("asprintf"); |
| 69 | if (stat(name, &s) == -1) | 69 | if (stat(name, &s) == -1 || |
| 70 | continue; | 70 | S_ISLNK(s.st_mode)) { |
| 71 | if (S_ISLNK(s.st_mode)) { | ||
| 72 | free(name); | 71 | free(name); |
| 73 | continue; | 72 | continue; |
| 74 | } | 73 | } |
| @@ -143,7 +142,7 @@ void fs_var_log(void) { | |||
| 143 | fs_logger("touch /var/log/btmp"); | 142 | fs_logger("touch /var/log/btmp"); |
| 144 | } | 143 | } |
| 145 | else | 144 | else |
| 146 | fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n"); | 145 | fprintf(stderr, "Warning: cannot hide /var/log directory\n"); |
| 147 | } | 146 | } |
| 148 | 147 | ||
| 149 | void fs_var_lib(void) { | 148 | void fs_var_lib(void) { |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 7b32021be..b10858411 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -95,34 +95,29 @@ static char *resolve_downloads(void) { | |||
| 95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) | 95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) |
| 96 | errExit("asprintf"); | 96 | errExit("asprintf"); |
| 97 | 97 | ||
| 98 | if (stat(fname, &s) == -1) { | 98 | if (stat(fname, &s) == -1) |
| 99 | fprintf(stderr, "***\n"); | ||
| 100 | fprintf(stderr, "*** Error: directory %s not found.\n", fname); | ||
| 101 | fprintf(stderr, "*** \tThis directory is configured in ~/.config/user-dirs.dirs.\n"); | ||
| 102 | fprintf(stderr, "*** \tPlease create a Downloads directory.\n"); | ||
| 103 | fprintf(stderr, "***\n"); | ||
| 104 | free(fname); | 99 | free(fname); |
| 105 | return NULL; | 100 | goto errout; |
| 106 | } | ||
| 107 | 101 | ||
| 108 | char *rv; | 102 | char *rv; |
| 109 | if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) | 103 | if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) |
| 110 | errExit("asprintf"); | 104 | errExit("asprintf"); |
| 111 | return rv; | 105 | return rv; |
| 112 | } | 106 | } |
| 113 | else { | 107 | else |
| 114 | fprintf(stderr, "***\n"); | 108 | goto errout; |
| 115 | fprintf(stderr, "*** Error: invalid XDG_DOWNLOAD_DIR entry in ~/.config/user-dirs.dirs.\n"); | ||
| 116 | fprintf(stderr, "*** \tPlease specify a valid Downloads directory, example:\n"); | ||
| 117 | fprintf(stderr, "***\n"); | ||
| 118 | fprintf(stderr, "***\t\tXDG_DOWNLOAD_DIR=\"$HOME/Downloads\"\n"); | ||
| 119 | fprintf(stderr, "***\n"); | ||
| 120 | return NULL; | ||
| 121 | } | ||
| 122 | } | 109 | } |
| 123 | } | 110 | } |
| 124 | } | 111 | } |
| 112 | |||
| 125 | fclose(fp); | 113 | fclose(fp); |
| 114 | return NULL; | ||
| 115 | |||
| 116 | errout: | ||
| 117 | fprintf(stderr, "***\n"); | ||
| 118 | fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n"); | ||
| 119 | fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); | ||
| 120 | fprintf(stderr, "***\n"); | ||
| 126 | 121 | ||
| 127 | return NULL; | 122 | return NULL; |
| 128 | } | 123 | } |
| @@ -181,10 +176,8 @@ static void whitelist_path(ProfileEntry *entry) { | |||
| 181 | if (entry->home_dir) { | 176 | if (entry->home_dir) { |
| 182 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { | 177 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { |
| 183 | fname = path + strlen(cfg.homedir); | 178 | fname = path + strlen(cfg.homedir); |
| 184 | if (*fname == '\0') { | 179 | if (*fname == '\0') |
| 185 | fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); | 180 | goto errexit; |
| 186 | exit(1); | ||
| 187 | } | ||
| 188 | } | 181 | } |
| 189 | else | 182 | else |
| 190 | fname = path; | 183 | fname = path; |
| @@ -194,70 +187,56 @@ static void whitelist_path(ProfileEntry *entry) { | |||
| 194 | } | 187 | } |
| 195 | else if (entry->tmp_dir) { | 188 | else if (entry->tmp_dir) { |
| 196 | fname = path + 4; // strlen("/tmp") | 189 | fname = path + 4; // strlen("/tmp") |
| 197 | if (*fname == '\0') { | 190 | if (*fname == '\0') |
| 198 | fprintf(stderr, "Error: file %s is not in /tmp directory, exiting...\n", path); | 191 | goto errexit; |
| 199 | exit(1); | ||
| 200 | } | ||
| 201 | 192 | ||
| 202 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) | 193 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) |
| 203 | errExit("asprintf"); | 194 | errExit("asprintf"); |
| 204 | } | 195 | } |
| 205 | else if (entry->media_dir) { | 196 | else if (entry->media_dir) { |
| 206 | fname = path + 6; // strlen("/media") | 197 | fname = path + 6; // strlen("/media") |
| 207 | if (*fname == '\0') { | 198 | if (*fname == '\0') |
| 208 | fprintf(stderr, "Error: file %s is not in /media directory, exiting...\n", path); | 199 | goto errexit; |
| 209 | exit(1); | ||
| 210 | } | ||
| 211 | 200 | ||
| 212 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) | 201 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) |
| 213 | errExit("asprintf"); | 202 | errExit("asprintf"); |
| 214 | } | 203 | } |
| 215 | else if (entry->mnt_dir) { | 204 | else if (entry->mnt_dir) { |
| 216 | fname = path + 4; // strlen("/mnt") | 205 | fname = path + 4; // strlen("/mnt") |
| 217 | if (*fname == '\0') { | 206 | if (*fname == '\0') |
| 218 | fprintf(stderr, "Error: file %s is not in /mnt directory, exiting...\n", path); | 207 | goto errexit; |
| 219 | exit(1); | ||
| 220 | } | ||
| 221 | 208 | ||
| 222 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) | 209 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) |
| 223 | errExit("asprintf"); | 210 | errExit("asprintf"); |
| 224 | } | 211 | } |
| 225 | else if (entry->var_dir) { | 212 | else if (entry->var_dir) { |
| 226 | fname = path + 4; // strlen("/var") | 213 | fname = path + 4; // strlen("/var") |
| 227 | if (*fname == '\0') { | 214 | if (*fname == '\0') |
| 228 | fprintf(stderr, "Error: file %s is not in /var directory, exiting...\n", path); | 215 | goto errexit; |
| 229 | exit(1); | ||
| 230 | } | ||
| 231 | 216 | ||
| 232 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) | 217 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) |
| 233 | errExit("asprintf"); | 218 | errExit("asprintf"); |
| 234 | } | 219 | } |
| 235 | else if (entry->dev_dir) { | 220 | else if (entry->dev_dir) { |
| 236 | fname = path + 4; // strlen("/dev") | 221 | fname = path + 4; // strlen("/dev") |
| 237 | if (*fname == '\0') { | 222 | if (*fname == '\0') |
| 238 | fprintf(stderr, "Error: file %s is not in /dev directory, exiting...\n", path); | 223 | goto errexit; |
| 239 | exit(1); | ||
| 240 | } | ||
| 241 | 224 | ||
| 242 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) | 225 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) |
| 243 | errExit("asprintf"); | 226 | errExit("asprintf"); |
| 244 | } | 227 | } |
| 245 | else if (entry->opt_dir) { | 228 | else if (entry->opt_dir) { |
| 246 | fname = path + 4; // strlen("/opt") | 229 | fname = path + 4; // strlen("/opt") |
| 247 | if (*fname == '\0') { | 230 | if (*fname == '\0') |
| 248 | fprintf(stderr, "Error: file %s is not in /opt directory, exiting...\n", path); | 231 | goto errexit; |
| 249 | exit(1); | ||
| 250 | } | ||
| 251 | 232 | ||
| 252 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) | 233 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) |
| 253 | errExit("asprintf"); | 234 | errExit("asprintf"); |
| 254 | } | 235 | } |
| 255 | else if (entry->srv_dir) { | 236 | else if (entry->srv_dir) { |
| 256 | fname = path + 4; // strlen("/srv") | 237 | fname = path + 4; // strlen("/srv") |
| 257 | if (*fname == '\0') { | 238 | if (*fname == '\0') |
| 258 | fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path); | 239 | goto errexit; |
| 259 | exit(1); | ||
| 260 | } | ||
| 261 | 240 | ||
| 262 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) | 241 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) |
| 263 | errExit("asprintf"); | 242 | errExit("asprintf"); |
| @@ -305,6 +284,11 @@ static void whitelist_path(ProfileEntry *entry) { | |||
| 305 | errExit("mount bind"); | 284 | errExit("mount bind"); |
| 306 | 285 | ||
| 307 | free(wfile); | 286 | free(wfile); |
| 287 | return; | ||
| 288 | |||
| 289 | errexit: | ||
| 290 | fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path); | ||
| 291 | exit(1); | ||
| 308 | } | 292 | } |
| 309 | 293 | ||
| 310 | 294 | ||
| @@ -432,8 +416,6 @@ void fs_whitelist(void) { | |||
| 432 | tmp_dir = 1; | 416 | tmp_dir = 1; |
| 433 | // both path and absolute path are under /tmp | 417 | // both path and absolute path are under /tmp |
| 434 | if (strncmp(fname, "/tmp/", 5) != 0) { | 418 | if (strncmp(fname, "/tmp/", 5) != 0) { |
| 435 | if (arg_debug) | ||
| 436 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 437 | goto errexit; | 419 | goto errexit; |
| 438 | } | 420 | } |
| 439 | } | 421 | } |
| @@ -442,8 +424,6 @@ void fs_whitelist(void) { | |||
| 442 | media_dir = 1; | 424 | media_dir = 1; |
| 443 | // both path and absolute path are under /media | 425 | // both path and absolute path are under /media |
| 444 | if (strncmp(fname, "/media/", 7) != 0) { | 426 | if (strncmp(fname, "/media/", 7) != 0) { |
| 445 | if (arg_debug) | ||
| 446 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 447 | goto errexit; | 427 | goto errexit; |
| 448 | } | 428 | } |
| 449 | } | 429 | } |
| @@ -452,8 +432,6 @@ void fs_whitelist(void) { | |||
| 452 | mnt_dir = 1; | 432 | mnt_dir = 1; |
| 453 | // both path and absolute path are under /mnt | 433 | // both path and absolute path are under /mnt |
| 454 | if (strncmp(fname, "/mnt/", 5) != 0) { | 434 | if (strncmp(fname, "/mnt/", 5) != 0) { |
| 455 | if (arg_debug) | ||
| 456 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 457 | goto errexit; | 435 | goto errexit; |
| 458 | } | 436 | } |
| 459 | } | 437 | } |
| @@ -467,8 +445,6 @@ void fs_whitelist(void) { | |||
| 467 | else if (strcmp(new_name, "/var/lock")== 0) | 445 | else if (strcmp(new_name, "/var/lock")== 0) |
| 468 | ; | 446 | ; |
| 469 | else if (strncmp(fname, "/var/", 5) != 0) { | 447 | else if (strncmp(fname, "/var/", 5) != 0) { |
| 470 | if (arg_debug) | ||
| 471 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 472 | goto errexit; | 448 | goto errexit; |
| 473 | } | 449 | } |
| 474 | } | 450 | } |
| @@ -477,8 +453,6 @@ void fs_whitelist(void) { | |||
| 477 | dev_dir = 1; | 453 | dev_dir = 1; |
| 478 | // both path and absolute path are under /dev | 454 | // both path and absolute path are under /dev |
| 479 | if (strncmp(fname, "/dev/", 5) != 0) { | 455 | if (strncmp(fname, "/dev/", 5) != 0) { |
| 480 | if (arg_debug) | ||
| 481 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 482 | goto errexit; | 456 | goto errexit; |
| 483 | } | 457 | } |
| 484 | } | 458 | } |
| @@ -487,8 +461,6 @@ void fs_whitelist(void) { | |||
| 487 | opt_dir = 1; | 461 | opt_dir = 1; |
| 488 | // both path and absolute path are under /dev | 462 | // both path and absolute path are under /dev |
| 489 | if (strncmp(fname, "/opt/", 5) != 0) { | 463 | if (strncmp(fname, "/opt/", 5) != 0) { |
| 490 | if (arg_debug) | ||
| 491 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 492 | goto errexit; | 464 | goto errexit; |
| 493 | } | 465 | } |
| 494 | } | 466 | } |
| @@ -497,14 +469,10 @@ void fs_whitelist(void) { | |||
| 497 | srv_dir = 1; | 469 | srv_dir = 1; |
| 498 | // both path and absolute path are under /srv | 470 | // both path and absolute path are under /srv |
| 499 | if (strncmp(fname, "/srv/", 5) != 0) { | 471 | if (strncmp(fname, "/srv/", 5) != 0) { |
| 500 | if (arg_debug) | ||
| 501 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 502 | goto errexit; | 472 | goto errexit; |
| 503 | } | 473 | } |
| 504 | } | 474 | } |
| 505 | else { | 475 | else { |
| 506 | if (arg_debug) | ||
| 507 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
| 508 | goto errexit; | 476 | goto errexit; |
| 509 | } | 477 | } |
| 510 | 478 | ||
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index ef4915f15..ed411313a 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
| @@ -47,14 +47,8 @@ void check_netfilter_file(const char *fname) { | |||
| 47 | EUID_ASSERT(); | 47 | EUID_ASSERT(); |
| 48 | invalid_filename(fname); | 48 | invalid_filename(fname); |
| 49 | 49 | ||
| 50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) { | 50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { |
| 51 | fprintf(stderr, "Error: invalid network filter file\n"); | 51 | fprintf(stderr, "Error: invalid network filter file %s\n", fname); |
| 52 | exit(1); | ||
| 53 | } | ||
| 54 | |||
| 55 | // access call checks as real UID/GID, not as effective UID/GID | ||
| 56 | if (access(fname, R_OK)) { | ||
| 57 | fprintf(stderr, "Error: cannot access network filter file\n"); | ||
| 58 | exit(1); | 52 | exit(1); |
| 59 | } | 53 | } |
| 60 | } | 54 | } |
| @@ -138,7 +132,7 @@ void netfilter6(const char *fname) { | |||
| 138 | char *filter = read_text_file_or_exit(fname); | 132 | char *filter = read_text_file_or_exit(fname); |
| 139 | FILE *fp = fopen(SBOX_STDIN_FILE, "w"); | 133 | FILE *fp = fopen(SBOX_STDIN_FILE, "w"); |
| 140 | if (!fp) { | 134 | if (!fp) { |
| 141 | fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n"); | 135 | fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE); |
| 142 | exit(1); | 136 | exit(1); |
| 143 | } | 137 | } |
| 144 | fprintf(fp, "%s\n", filter); | 138 | fprintf(fp, "%s\n", filter); |
diff --git a/test/environment/dns.exp b/test/environment/dns.exp index 40403aade..d00e9fb94 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp | |||
| @@ -26,10 +26,33 @@ expect { | |||
| 26 | } | 26 | } |
| 27 | after 100 | 27 | after 100 |
| 28 | send -- "exit\r" | 28 | send -- "exit\r" |
| 29 | after 100 | 29 | sleep 1 |
| 30 | |||
| 30 | 31 | ||
| 32 | send -- "firejail --profile=dns.profile\r" | ||
| 33 | expect { | ||
| 34 | timeout {puts "TESTING ERROR 12.1\n";exit} | ||
| 35 | "Child process initialized" | ||
| 36 | } | ||
| 37 | sleep 1 | ||
| 38 | |||
| 39 | send -- "cat /etc/resolv.conf\r" | ||
| 40 | expect { | ||
| 41 | timeout {puts "TESTING ERROR 12.2\n";exit} | ||
| 42 | "nameserver 8.8.4.4" | ||
| 43 | } | ||
| 44 | expect { | ||
| 45 | timeout {puts "TESTING ERROR 12.3\n";exit} | ||
| 46 | "nameserver 8.8.8.8" | ||
| 47 | } | ||
| 48 | expect { | ||
| 49 | timeout {puts "TESTING ERROR 12.4\n";exit} | ||
| 50 | "nameserver 4.2.2.1" | ||
| 51 | } | ||
| 52 | after 100 | ||
| 53 | send -- "exit\r" | ||
| 54 | sleep 1 | ||
| 31 | 55 | ||
| 32 | # no chroot | ||
| 33 | send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" | 56 | send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" |
| 34 | expect { | 57 | expect { |
| 35 | timeout {puts "TESTING ERROR 1.1\n";exit} | 58 | timeout {puts "TESTING ERROR 1.1\n";exit} |
diff --git a/test/environment/dns.profile b/test/environment/dns.profile new file mode 100644 index 000000000..d1b842c86 --- /dev/null +++ b/test/environment/dns.profile | |||
| @@ -0,0 +1,3 @@ | |||
| 1 | dns 8.8.4.4 | ||
| 2 | dns 8.8.8.8 | ||
| 3 | dns 4.2.2.1 | ||
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d9a425661..611b62b09 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
| @@ -88,6 +88,9 @@ echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" | |||
| 88 | echo "TESTING: whitelist (test/fs/whitelist.exp)" | 88 | echo "TESTING: whitelist (test/fs/whitelist.exp)" |
| 89 | ./whitelist.exp | 89 | ./whitelist.exp |
| 90 | 90 | ||
| 91 | echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" | ||
| 92 | ./whitelist-dev.exp | ||
| 93 | |||
| 91 | echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" | 94 | echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" |
| 92 | ./fscheck-bindnoroot.exp | 95 | ./fscheck-bindnoroot.exp |
| 93 | 96 | ||
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp new file mode 100755 index 000000000..a19d5cedf --- /dev/null +++ b/test/fs/whitelist-dev.exp | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | #!/usr/bin/expect -f | ||
| 2 | # This file is part of Firejail project | ||
| 3 | # Copyright (C) 2014-2016 Firejail Authors | ||
| 4 | # License GPL v2 | ||
| 5 | |||
| 6 | set timeout 10 | ||
| 7 | spawn $env(SHELL) | ||
| 8 | match_max 100000 | ||
| 9 | |||
| 10 | send -- "firejail --whitelist=/dev/null --debug\r" | ||
| 11 | expect { | ||
| 12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 13 | "Child process initialized" | ||
| 14 | } | ||
| 15 | sleep 1 | ||
| 16 | |||
| 17 | send -- "ls -l /dev | find /dev | wc -l\r" | ||
| 18 | expect { | ||
| 19 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 20 | "2" | ||
| 21 | } | ||
| 22 | after 100 | ||
| 23 | send -- "exit\r" | ||
| 24 | sleep 1 | ||
| 25 | |||
| 26 | send -- "firejail --whitelist=/var/tmp --debug\r" | ||
| 27 | expect { | ||
| 28 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 29 | "Child process initialized" | ||
| 30 | } | ||
| 31 | sleep 1 | ||
| 32 | |||
| 33 | send -- "ls -l /dev | find /dev | wc -l\r" | ||
| 34 | expect { | ||
| 35 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 36 | "2" | ||
| 37 | } | ||
| 38 | after 100 | ||
| 39 | send -- "exit\r" | ||
| 40 | sleep 1 | ||
| 41 | |||
| 42 | |||
| 43 | |||
| 44 | |||
| 45 | after 100 | ||
| 46 | puts "\nall done\n" | ||
| 47 | |||
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp index 9a9a0f353..9b631b884 100755 --- a/test/fs/whitelist.exp +++ b/test/fs/whitelist.exp | |||
| @@ -36,7 +36,7 @@ after 200 | |||
| 36 | send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" | 36 | send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" |
| 37 | after 200 | 37 | after 200 |
| 38 | 38 | ||
| 39 | send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r" | 39 | send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r" |
| 40 | expect { | 40 | expect { |
| 41 | timeout {puts "TESTING ERROR 0\n";exit} | 41 | timeout {puts "TESTING ERROR 0\n";exit} |
| 42 | "Child process initialized" | 42 | "Child process initialized" |
| @@ -49,19 +49,19 @@ expect { | |||
| 49 | "2" | 49 | "2" |
| 50 | } | 50 | } |
| 51 | 51 | ||
| 52 | send -- "cat fjtest-file\r" | 52 | send -- "cat ~/fjtest-file\r" |
| 53 | expect { | 53 | expect { |
| 54 | timeout {puts "TESTING ERROR 2\n";exit} | 54 | timeout {puts "TESTING ERROR 2\n";exit} |
| 55 | "123" | 55 | "123" |
| 56 | } | 56 | } |
| 57 | 57 | ||
| 58 | send -- "cat fjtest-dir/fjtest-file\r" | 58 | send -- "cat ~/fjtest-dir/fjtest-file\r" |
| 59 | expect { | 59 | expect { |
| 60 | timeout {puts "TESTING ERROR 3\n";exit} | 60 | timeout {puts "TESTING ERROR 3\n";exit} |
| 61 | "123" | 61 | "123" |
| 62 | } | 62 | } |
| 63 | 63 | ||
| 64 | send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" | 64 | send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" |
| 65 | expect { | 65 | expect { |
| 66 | timeout {puts "TESTING ERROR 4\n";exit} | 66 | timeout {puts "TESTING ERROR 4\n";exit} |
| 67 | "123" | 67 | "123" |
| @@ -86,7 +86,7 @@ expect { | |||
| 86 | "1" | 86 | "1" |
| 87 | } | 87 | } |
| 88 | 88 | ||
| 89 | send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" | 89 | send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" |
| 90 | expect { | 90 | expect { |
| 91 | timeout {puts "TESTING ERROR 12\n";exit} | 91 | timeout {puts "TESTING ERROR 12\n";exit} |
| 92 | "123" | 92 | "123" |
| @@ -111,37 +111,37 @@ expect { | |||
| 111 | "4" | 111 | "4" |
| 112 | } | 112 | } |
| 113 | 113 | ||
| 114 | send -- "cat fjtest-file\r" | 114 | send -- "cat ~/fjtest-file\r" |
| 115 | expect { | 115 | expect { |
| 116 | timeout {puts "TESTING ERROR 22\n";exit} | 116 | timeout {puts "TESTING ERROR 22\n";exit} |
| 117 | "123" | 117 | "123" |
| 118 | } | 118 | } |
| 119 | 119 | ||
| 120 | send -- "cat fjtest-dir/fjtest-file\r" | 120 | send -- "cat ~/fjtest-dir/fjtest-file\r" |
| 121 | expect { | 121 | expect { |
| 122 | timeout {puts "TESTING ERROR 23\n";exit} | 122 | timeout {puts "TESTING ERROR 23\n";exit} |
| 123 | "123" | 123 | "123" |
| 124 | } | 124 | } |
| 125 | 125 | ||
| 126 | send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" | 126 | send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" |
| 127 | expect { | 127 | expect { |
| 128 | timeout {puts "TESTING ERROR 24\n";exit} | 128 | timeout {puts "TESTING ERROR 24\n";exit} |
| 129 | "123" | 129 | "123" |
| 130 | } | 130 | } |
| 131 | 131 | ||
| 132 | send -- "cat fjtest-file-lnk\r" | 132 | send -- "cat ~/fjtest-file-lnk\r" |
| 133 | expect { | 133 | expect { |
| 134 | timeout {puts "TESTING ERROR 25\n";exit} | 134 | timeout {puts "TESTING ERROR 25\n";exit} |
| 135 | "123" | 135 | "123" |
| 136 | } | 136 | } |
| 137 | 137 | ||
| 138 | send -- "cat fjtest-dir-lnk/fjtest-file\r" | 138 | send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" |
| 139 | expect { | 139 | expect { |
| 140 | timeout {puts "TESTING ERROR 26\n";exit} | 140 | timeout {puts "TESTING ERROR 26\n";exit} |
| 141 | "123" | 141 | "123" |
| 142 | } | 142 | } |
| 143 | 143 | ||
| 144 | send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r" | 144 | send -- "cat ~/fjtest-dir-lnk/fjtest-dir/fjtest-file\r" |
| 145 | expect { | 145 | expect { |
| 146 | timeout {puts "TESTING ERROR 27\n";exit} | 146 | timeout {puts "TESTING ERROR 27\n";exit} |
| 147 | "123" | 147 | "123" |
| @@ -193,13 +193,13 @@ expect { | |||
| 193 | "2" | 193 | "2" |
| 194 | } | 194 | } |
| 195 | 195 | ||
| 196 | send -- "cat fjtest-file-lnk\r" | 196 | send -- "cat ~/fjtest-file-lnk\r" |
| 197 | expect { | 197 | expect { |
| 198 | timeout {puts "TESTING ERROR 42\n";exit} | 198 | timeout {puts "TESTING ERROR 42\n";exit} |
| 199 | "123" | 199 | "123" |
| 200 | } | 200 | } |
| 201 | 201 | ||
| 202 | send -- "cat fjtest-dir-lnk/fjtest-file\r" | 202 | send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" |
| 203 | expect { | 203 | expect { |
| 204 | timeout {puts "TESTING ERROR 43\n";exit} | 204 | timeout {puts "TESTING ERROR 43\n";exit} |
| 205 | "123" | 205 | "123" |
diff --git a/test/network/ip6.exp b/test/network/ip6.exp index f0fcebcf8..1db16c28a 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp | |||
| @@ -43,6 +43,46 @@ expect { | |||
| 43 | } | 43 | } |
| 44 | 44 | ||
| 45 | send -- "exit\r" | 45 | send -- "exit\r" |
| 46 | sleep 2 | ||
| 47 | |||
| 48 | |||
| 49 | send -- "firejail --debug --profile=ip6.profile\r" | ||
| 50 | expect { | ||
| 51 | timeout {puts "TESTING ERROR 10\n";exit} | ||
| 52 | "Installing network filter" | ||
| 53 | } | ||
| 54 | expect { | ||
| 55 | timeout {puts "TESTING ERROR 11\n";exit} | ||
| 56 | "DROP" | ||
| 57 | } | ||
| 58 | expect { | ||
| 59 | timeout {puts "TESTING ERROR 12\n";exit} | ||
| 60 | "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit} | ||
| 61 | "2001:db8:1f0a:3ec::2" | ||
| 62 | } | ||
| 63 | expect { | ||
| 64 | timeout {puts "TESTING ERROR 13\n";exit} | ||
| 65 | "Child process initialized" | ||
| 66 | } | ||
| 67 | sleep 2 | ||
| 68 | |||
| 69 | send -- "/sbin/ifconfig\r" | ||
| 70 | expect { | ||
| 71 | timeout {puts "TESTING ERROR 14\n";exit} | ||
| 72 | "inet6" | ||
| 73 | } | ||
| 74 | expect { | ||
| 75 | timeout {puts "TESTING ERROR 15\n";exit} | ||
| 76 | "2001:db8:0:f101::1" | ||
| 77 | } | ||
| 78 | expect { | ||
| 79 | timeout {puts "TESTING ERROR 16\n";exit} | ||
| 80 | "Scope:Global" { puts "Debian\n"} | ||
| 81 | "scopeid 0x0<global>" { puts "Arch\n"} | ||
| 82 | } | ||
| 83 | |||
| 84 | send -- "exit\r" | ||
| 85 | |||
| 46 | after 100 | 86 | after 100 |
| 47 | 87 | ||
| 48 | puts "\nall done\n" | 88 | puts "\nall done\n" |
diff --git a/test/network/ip6.profile b/test/network/ip6.profile new file mode 100644 index 000000000..87afa3941 --- /dev/null +++ b/test/network/ip6.profile | |||
| @@ -0,0 +1,3 @@ | |||
| 1 | net br0 | ||
| 2 | ip6 2001:0db8:0:f101::1/64 | ||
| 3 | netfilter6 ipv6.net | ||
diff --git a/test/network/iprange.exp b/test/network/iprange.exp new file mode 100755 index 000000000..a1b2ccab4 --- /dev/null +++ b/test/network/iprange.exp | |||
| @@ -0,0 +1,103 @@ | |||
| 1 | #!/usr/bin/expect -f | ||
| 2 | # This file is part of Firejail project | ||
| 3 | # Copyright (C) 2014-2016 Firejail Authors | ||
| 4 | # License GPL v2 | ||
| 5 | |||
| 6 | set timeout 10 | ||
| 7 | spawn $env(SHELL) | ||
| 8 | match_max 100000 | ||
| 9 | |||
| 10 | send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55\r" | ||
| 11 | expect { | ||
| 12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 13 | "eth0" | ||
| 14 | } | ||
| 15 | expect { | ||
| 16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 17 | "10.10.30.50" {puts "10.10.30.50\n"} | ||
| 18 | "10.10.30.51" {puts "10.10.30.51\n"} | ||
| 19 | "10.10.30.52" {puts "10.10.30.52\n"} | ||
| 20 | "10.10.30.53" {puts "10.10.30.53\n"} | ||
| 21 | "10.10.30.54" {puts "10.10.30.54\n"} | ||
| 22 | "10.10.30.55" {puts "10.10.30.55\n"} | ||
| 23 | } | ||
| 24 | expect { | ||
| 25 | timeout {puts "TESTING ERROR 2\n";exit} | ||
| 26 | "255.255.255.0" | ||
| 27 | } | ||
| 28 | expect { | ||
| 29 | timeout {puts "TESTING ERROR 3\n";exit} | ||
| 30 | "Child process initialized" | ||
| 31 | } | ||
| 32 | sleep 1 | ||
| 33 | send -- "exit\r" | ||
| 34 | sleep 2 | ||
| 35 | |||
| 36 | send -- "firejail --profile=iprange.profile\r" | ||
| 37 | expect { | ||
| 38 | timeout {puts "TESTING ERROR 5\n";exit} | ||
| 39 | "eth0" | ||
| 40 | } | ||
| 41 | expect { | ||
| 42 | timeout {puts "TESTING ERROR 6\n";exit} | ||
| 43 | "10.10.30.50" {puts "10.10.30.50\n"} | ||
| 44 | "10.10.30.51" {puts "10.10.30.51\n"} | ||
| 45 | "10.10.30.52" {puts "10.10.30.52\n"} | ||
| 46 | "10.10.30.53" {puts "10.10.30.53\n"} | ||
| 47 | "10.10.30.54" {puts "10.10.30.54\n"} | ||
| 48 | "10.10.30.55" {puts "10.10.30.55\n"} | ||
| 49 | } | ||
| 50 | expect { | ||
| 51 | timeout {puts "TESTING ERROR 7\n";exit} | ||
| 52 | "255.255.255.0" | ||
| 53 | } | ||
| 54 | expect { | ||
| 55 | timeout {puts "TESTING ERROR 8\n";exit} | ||
| 56 | "Child process initialized" | ||
| 57 | } | ||
| 58 | sleep 1 | ||
| 59 | send -- "exit\r" | ||
| 60 | sleep 2 | ||
| 61 | |||
| 62 | |||
| 63 | |||
| 64 | send -- "firejail --iprange=10.10.30.50,10.10.30.55\r" | ||
| 65 | expect { | ||
| 66 | timeout {puts "TESTING ERROR 9\n";exit} | ||
| 67 | "no network device configured" | ||
| 68 | } | ||
| 69 | after 100 | ||
| 70 | |||
| 71 | send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55 --iprange=10.10.30.50,10.10.30.55\r" | ||
| 72 | expect { | ||
| 73 | timeout {puts "TESTING ERROR 10\n";exit} | ||
| 74 | "cannot configure the IP range twice for the same interface" | ||
| 75 | } | ||
| 76 | after 100 | ||
| 77 | |||
| 78 | send -- "firejail --net=br1 --iprange=10.10.30.50\r" | ||
| 79 | expect { | ||
| 80 | timeout {puts "TESTING ERROR 11\n";exit} | ||
| 81 | "invalid IP range" | ||
| 82 | } | ||
| 83 | after 100 | ||
| 84 | |||
| 85 | send -- "firejail --net=br0 --iprange=10.10.30.50,10.10.30.55\r" | ||
| 86 | expect { | ||
| 87 | timeout {puts "TESTING ERROR 12\n";exit} | ||
| 88 | "IP range addresses not in network range" | ||
| 89 | } | ||
| 90 | after 100 | ||
| 91 | |||
| 92 | send -- "firejail --net=br1 --iprange=10.10.30.55,10.10.30.50\r" | ||
| 93 | expect { | ||
| 94 | timeout {puts "TESTING ERROR 12\n";exit} | ||
| 95 | "invalid IP range" | ||
| 96 | } | ||
| 97 | after 100 | ||
| 98 | |||
| 99 | |||
| 100 | after 100 | ||
| 101 | |||
| 102 | puts "\nall done\n" | ||
| 103 | |||
diff --git a/test/network/iprange.profile b/test/network/iprange.profile new file mode 100644 index 000000000..ecc01cd93 --- /dev/null +++ b/test/network/iprange.profile | |||
| @@ -0,0 +1,2 @@ | |||
| 1 | net br1 | ||
| 2 | iprange 10.10.30.50,10.10.30.55 | ||
diff --git a/test/network/network.sh b/test/network/network.sh index e1646d64a..bea5dfb26 100755 --- a/test/network/network.sh +++ b/test/network/network.sh | |||
| @@ -78,6 +78,12 @@ echo "TESTING: veth (net_veth.exp)" | |||
| 78 | echo "TESTING: netfilter (net_netfilter.exp)" | 78 | echo "TESTING: netfilter (net_netfilter.exp)" |
| 79 | ./net_netfilter.exp | 79 | ./net_netfilter.exp |
| 80 | 80 | ||
| 81 | echo "TESTING: iprange (iprange.exp)" | ||
| 82 | ./iprange.exp | ||
| 83 | |||
| 84 | echo "TESTING: veth-name (veth-name.exp)" | ||
| 85 | ./veth-name.exp | ||
| 86 | |||
| 81 | echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" | 87 | echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" |
| 82 | ./4bridges_arp.exp | 88 | ./4bridges_arp.exp |
| 83 | 89 | ||
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp new file mode 100755 index 000000000..36ed41d92 --- /dev/null +++ b/test/network/veth-name.exp | |||
| @@ -0,0 +1,77 @@ | |||
| 1 | #!/usr/bin/expect -f | ||
| 2 | # This file is part of Firejail project | ||
| 3 | # Copyright (C) 2014-2016 Firejail Authors | ||
| 4 | # License GPL v2 | ||
| 5 | |||
| 6 | set timeout 10 | ||
| 7 | spawn $env(SHELL) | ||
| 8 | match_max 100000 | ||
| 9 | |||
| 10 | # | ||
| 11 | send -- "firejail --net=br1 --ip=10.10.30.50 --veth-name=blablabla\r" | ||
| 12 | expect { | ||
| 13 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 14 | "eth0" | ||
| 15 | } | ||
| 16 | expect { | ||
| 17 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 18 | "10.10.30.50" | ||
| 19 | } | ||
| 20 | expect { | ||
| 21 | timeout {puts "TESTING ERROR 2\n";exit} | ||
| 22 | "255.255.255.0" | ||
| 23 | } | ||
| 24 | expect { | ||
| 25 | timeout {puts "TESTING ERROR 3\n";exit} | ||
| 26 | "Child process initialized" | ||
| 27 | } | ||
| 28 | sleep 1 | ||
| 29 | |||
| 30 | spawn $env(SHELL) | ||
| 31 | send -- "ip link show\r" | ||
| 32 | expect { | ||
| 33 | timeout {puts "TESTING ERROR 4\n";exit} | ||
| 34 | "blablabla" | ||
| 35 | } | ||
| 36 | expect { | ||
| 37 | timeout {puts "TESTING ERROR 5\n";exit} | ||
| 38 | "master br1 state UP" | ||
| 39 | } | ||
| 40 | sleep 1 | ||
| 41 | |||
| 42 | |||
| 43 | send -- "firejail --profile=veth-name.profile\r" | ||
| 44 | expect { | ||
| 45 | timeout {puts "TESTING ERROR 6\n";exit} | ||
| 46 | "eth0" | ||
| 47 | } | ||
| 48 | expect { | ||
| 49 | timeout {puts "TESTING ERROR 7\n";exit} | ||
| 50 | "10.10.60.51" | ||
| 51 | } | ||
| 52 | expect { | ||
| 53 | timeout {puts "TESTING ERROR 8\n";exit} | ||
| 54 | "255.255.255.0" | ||
| 55 | } | ||
| 56 | expect { | ||
| 57 | timeout {puts "TESTING ERROR 9\n";exit} | ||
| 58 | "Child process initialized" | ||
| 59 | } | ||
| 60 | sleep 1 | ||
| 61 | |||
| 62 | spawn $env(SHELL) | ||
| 63 | send -- "ip link show\r" | ||
| 64 | expect { | ||
| 65 | timeout {puts "TESTING ERROR 10\n";exit} | ||
| 66 | "bingo" | ||
| 67 | } | ||
| 68 | expect { | ||
| 69 | timeout {puts "TESTING ERROR 11\n";exit} | ||
| 70 | "master br4 state UP" | ||
| 71 | } | ||
| 72 | sleep 1 | ||
| 73 | |||
| 74 | |||
| 75 | after 100 | ||
| 76 | puts "\nall done\n" | ||
| 77 | |||
diff --git a/test/network/veth-name.profile b/test/network/veth-name.profile new file mode 100644 index 000000000..f00a74d63 --- /dev/null +++ b/test/network/veth-name.profile | |||
| @@ -0,0 +1,3 @@ | |||
| 1 | net br4 | ||
| 2 | ip 10.10.60.51 | ||
| 3 | veth-name bingo | ||
diff --git a/test/root/root.sh b/test/root/root.sh index 494bd4fe7..01c372f68 100755 --- a/test/root/root.sh +++ b/test/root/root.sh | |||
| @@ -53,6 +53,9 @@ fi | |||
| 53 | echo "TESTING: fs private (test/root/private.exp)" | 53 | echo "TESTING: fs private (test/root/private.exp)" |
| 54 | ./private.exp | 54 | ./private.exp |
| 55 | 55 | ||
| 56 | echo "TESTING: fs whitelist mnt, opt, media(test/root/whitelist-mnt.exp)" | ||
| 57 | ./whitelist-mnt.exp | ||
| 58 | |||
| 56 | #******************************** | 59 | #******************************** |
| 57 | # seccomp | 60 | # seccomp |
| 58 | #******************************** | 61 | #******************************** |
diff --git a/test/root/whitelist-mnt.exp b/test/root/whitelist-mnt.exp new file mode 100755 index 000000000..58ae4fffc --- /dev/null +++ b/test/root/whitelist-mnt.exp | |||
| @@ -0,0 +1,86 @@ | |||
| 1 | #!/usr/bin/expect -f | ||
| 2 | # This file is part of Firejail project | ||
| 3 | # Copyright (C) 2014-2016 Firejail Authors | ||
| 4 | # License GPL v2 | ||
| 5 | |||
| 6 | set timeout 10 | ||
| 7 | spawn $env(SHELL) | ||
| 8 | match_max 100000 | ||
| 9 | |||
| 10 | send -- "touch /mnt/firejail-test-file\r" | ||
| 11 | after 100 | ||
| 12 | send -- "firejail --whitelist=/mnt/firejail-test-file --debug\r" | ||
| 13 | expect { | ||
| 14 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 15 | "Child process initialized" | ||
| 16 | } | ||
| 17 | sleep 1 | ||
| 18 | |||
| 19 | send -- "find /mnt | wc -l\r" | ||
| 20 | expect { | ||
| 21 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 22 | "2" | ||
| 23 | } | ||
| 24 | after 100 | ||
| 25 | send -- "exit\r" | ||
| 26 | sleep 1 | ||
| 27 | |||
| 28 | |||
| 29 | send -- "touch /opt/firejail-test-file\r" | ||
| 30 | after 100 | ||
| 31 | send -- "firejail --whitelist=/opt/firejail-test-file --debug\r" | ||
| 32 | expect { | ||
| 33 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 34 | "Child process initialized" | ||
| 35 | } | ||
| 36 | sleep 1 | ||
| 37 | |||
| 38 | send -- "find /opt | wc -l\r" | ||
| 39 | expect { | ||
| 40 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 41 | "2" | ||
| 42 | } | ||
| 43 | after 100 | ||
| 44 | send -- "exit\r" | ||
| 45 | sleep 1 | ||
| 46 | |||
| 47 | send -- "touch /media/firejail-test-file\r" | ||
| 48 | after 100 | ||
| 49 | send -- "firejail --whitelist=/media/firejail-test-file --debug\r" | ||
| 50 | expect { | ||
| 51 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 52 | "Child process initialized" | ||
| 53 | } | ||
| 54 | sleep 1 | ||
| 55 | |||
| 56 | send -- "find /media | wc -l\r" | ||
| 57 | expect { | ||
| 58 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 59 | "2" | ||
| 60 | } | ||
| 61 | after 100 | ||
| 62 | send -- "exit\r" | ||
| 63 | sleep 1 | ||
| 64 | |||
| 65 | |||
| 66 | send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r" | ||
| 67 | expect { | ||
| 68 | timeout {puts "TESTING ERROR 0\n";exit} | ||
| 69 | "Child process initialized" | ||
| 70 | } | ||
| 71 | sleep 1 | ||
| 72 | |||
| 73 | send -- "find /var | wc -l\r" | ||
| 74 | expect { | ||
| 75 | timeout {puts "TESTING ERROR 1\n";exit} | ||
| 76 | "" | ||
| 77 | } | ||
| 78 | after 100 | ||
| 79 | send -- "exit\r" | ||
| 80 | sleep 1 | ||
| 81 | |||
| 82 | |||
| 83 | |||
| 84 | after 100 | ||
| 85 | puts "\nall done\n" | ||
| 86 | |||