author | netblue30 <netblue30@yahoo.com> | 2016-11-11 07:47:46 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-11-11 07:47:46 -0500 |
commit | a8b23c83998c7964f8898c39784ac186a0216c3f (patch) | |
tree | eeccf98bab92b5b3818f0b30af688d736a92a599 | |
parent | testing (diff) | |
download | firejail-a8b23c83998c7964f8898c39784ac186a0216c3f.tar.gz firejail-a8b23c83998c7964f8898c39784ac186a0216c3f.tar.zst firejail-a8b23c83998c7964f8898c39784ac186a0216c3f.zip |
testing
-rw-r--r-- | Makefile.in | 45 | ||||
-rw-r--r-- | src/firejail/fs.c | 6 | ||||
-rw-r--r-- | src/fnet/interface.c | 76 | ||||
-rwxr-xr-x | test/overlay/firefox-x11-xorg.exp | 90 | ||||
-rwxr-xr-x | test/overlay/firefox-x11.exp | 90 | ||||
-rwxr-xr-x | test/overlay/firefox.exp | 99 | ||||
-rwxr-xr-x | test/overlay/fs.exp (renamed from test/fs_overlay.exp) | 42 | ||||
-rwxr-xr-x | test/overlay/overlay.sh | 57 |
8 files changed, 408 insertions, 97 deletions
diff --git a/Makefile.in b/Makefile.in index 64970d4a5..03b6befbe 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -161,6 +161,8 @@ dist: | |||
161 | tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION) | 161 | tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION) |
162 | rm -fr $(NAME)-$(VERSION) | 162 | rm -fr $(NAME)-$(VERSION) |
163 | 163 | ||
164 | asc:; ./mkasc.sh $(VERSION) | ||
165 | |||
164 | deb: dist | 166 | deb: dist |
165 | ./mkdeb.sh $(NAME) $(VERSION) | 167 | ./mkdeb.sh $(NAME) $(VERSION) |
166 | 168 | ||
@@ -173,9 +175,6 @@ install-snap: snap | |||
173 | test-compile: dist | 175 | test-compile: dist |
174 | cd test/compile; ./compile.sh $(NAME)-$(VERSION) | 176 | cd test/compile; ./compile.sh $(NAME)-$(VERSION) |
175 | 177 | ||
176 | test-root: | ||
177 | cd test/root; su -c ./root.sh | grep TESTING | ||
178 | |||
179 | .PHONY: rpms | 178 | .PHONY: rpms |
180 | rpms: | 179 | rpms: |
181 | ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) | 180 | ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) |
@@ -189,7 +188,19 @@ cppcheck: clean | |||
189 | scan-build: clean | 188 | scan-build: clean |
190 | scan-build make | 189 | scan-build make |
191 | 190 | ||
192 | asc:; ./mkasc.sh $(VERSION) | 191 | gcov-test-initialized: |
192 | ./gcov-test-init.sh | ||
193 | |||
194 | gcov: gcov-test-initialized | ||
195 | lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file | ||
196 | rm -fr gcov-dir | ||
197 | genhtml gcov-file --output-directory gcov-dir | ||
198 | |||
199 | |||
200 | # | ||
201 | # make test | ||
202 | # | ||
203 | |||
193 | 204 | ||
194 | test-profiles: | 205 | test-profiles: |
195 | cd test/profiles; ./profiles.sh | grep TESTING | 206 | cd test/profiles; ./profiles.sh | grep TESTING |
@@ -218,21 +229,25 @@ test-filters: | |||
218 | test-arguments: | 229 | test-arguments: |
219 | cd test/arguments; ./arguments.sh | grep TESTING | 230 | cd test/arguments; ./arguments.sh | grep TESTING |
220 | 231 | ||
221 | test-network: | ||
222 | cd test/network; ./network.sh | grep TESTING | ||
223 | |||
224 | test-fs: | 232 | test-fs: |
225 | cd test/fs; ./fs.sh | grep TESTING | 233 | cd test/fs; ./fs.sh | grep TESTING |
226 | 234 | ||
227 | test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments | 235 | test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments |
228 | echo "TEST COMPLETE" | 236 | echo "TEST COMPLETE" |
229 | 237 | ||
230 | gcov-test-initialized: | 238 | # |
231 | ./gcov-test-init.sh | 239 | # individual tests, some of them requiring root access |
232 | 240 | # | |
233 | gcov: gcov-test-initialized | 241 | |
234 | lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file | 242 | # root access, network devices are created before the test |
235 | rm -fr gcov-dir | 243 | test-network: |
236 | genhtml gcov-file --output-directory gcov-dir | 244 | cd test/network; ./network.sh | grep TESTING |
245 | |||
246 | # all the tests are run as root | ||
247 | test-root: | ||
248 | cd test/root; su -c ./root.sh | grep TESTING | ||
237 | 249 | ||
238 | \ No newline at end of file | 250 | # runs as regular user |
251 | test-overlay: | ||
252 | cd test/overlay; ./overlay.sh | grep TESTING | ||
253 | |||
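Review bot: `test-overlay` is filed under the "individual tests, some of them requiring root access" heading while its own comment says it runs as a regular user, and it is not added to the `test` aggregate on line 235, so `make test` never exercises the overlay tests; either append `test-overlay` to the `test:` prerequisite list or reword the comment to say why it is kept apart (presumably the firefox expect scripts need a display and network access, which the fs case does not). The `test-root` target moved here runs `su -c ./root.sh` with a relative path from the source checkout, so root executes whatever the unprivileged build user has placed in test/root; a comment such as `# runs test/root/root.sh as root via su - only run from a checkout you trust` would make that explicit. The `asc:` target moved in the first hunk is unchanged.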
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4556f0a82..65b0773ca 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -919,6 +919,9 @@ void fs_overlayfs(void) { | |||
919 | } | 919 | } |
920 | 920 | ||
921 | // chroot in the new filesystem | 921 | // chroot in the new filesystem |
922 | #ifdef HAVE_GCOV | ||
923 | __gcov_flush(); | ||
924 | #endif | ||
922 | if (chroot(oroot) == -1) | 925 | if (chroot(oroot) == -1) |
923 | errExit("chroot"); | 926 | errExit("chroot"); |
924 | 927 | ||
@@ -1102,6 +1105,9 @@ void fs_chroot(const char *rootdir) { | |||
1102 | } | 1105 | } |
1103 | 1106 | ||
1104 | // chroot into the new directory | 1107 | // chroot into the new directory |
1108 | #ifdef HAVE_GCOV | ||
1109 | __gcov_flush(); | ||
1110 | #endif | ||
1105 | if (arg_debug) | 1111 | if (arg_debug) |
1106 | printf("Chrooting into %s\n", rootdir); | 1112 | printf("Chrooting into %s\n", rootdir); |
1107 | if (chroot(rootdir) < 0) | 1113 | if (chroot(rootdir) < 0) |
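Review bot: The `__gcov_flush()` call added before `chroot(oroot)` carries no comment saying why it must sit exactly there, and neither hunk shows a declaration for it; unless a header outside this view provides one, add `extern void __gcov_flush(void);` under the same `#ifdef HAVE_GCOV` guard and annotate the call with `// flush coverage counters now: the .gcda paths compiled into the binary are presumably unreachable once chroot() succeeds`. The same applies to the second hunk in fs_chroot. The flush writes .gcda files with whatever privileges the process holds at this point, which the hunk does not show, so a HAVE_GCOV build should be treated as test-only and never installed setuid-root; a one-line note near the guard would prevent that mistake. Both fs_overlayfs and fs_chroot begin and end outside the hunks.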
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 046b2c972..3958efddd 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
@@ -29,13 +29,18 @@ | |||
29 | #include <net/route.h> | 29 | #include <net/route.h> |
30 | #include <linux/if_bridge.h> | 30 | #include <linux/if_bridge.h> |
31 | 31 | ||
32 | // add a veth device to a bridge | 32 | static void check_if_name(const char *ifname) { |
33 | void net_bridge_add_interface(const char *bridge, const char *dev) { | 33 | if (strlen(ifname) > IFNAMSIZ) { |
34 | if (strlen(bridge) > IFNAMSIZ) { | 34 | fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); |
35 | fprintf(stderr, "Error fnet: invalid network device name %s\n", bridge); | ||
36 | exit(1); | 35 | exit(1); |
37 | } | 36 | } |
37 | } | ||
38 | 38 | ||
39 | // add a veth device to a bridge | ||
40 | void net_bridge_add_interface(const char *bridge, const char *dev) { | ||
41 | check_if_name(bridge); | ||
42 | check_if_name(dev); | ||
43 | |||
39 | // somehow adding the interface to the bridge resets MTU on bridge device!!! | 44 | // somehow adding the interface to the bridge resets MTU on bridge device!!! |
40 | // workaround: restore MTU on the bridge device | 45 | // workaround: restore MTU on the bridge device |
41 | // todo: put a real fix in | 46 | // todo: put a real fix in |
@@ -69,18 +74,14 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { | |||
69 | close(sock); | 74 | close(sock); |
70 | 75 | ||
71 | int mtu2 = net_get_mtu(bridge); | 76 | int mtu2 = net_get_mtu(bridge); |
72 | if (mtu1 != mtu2) { | 77 | if (mtu1 != mtu2) |
73 | net_set_mtu(bridge, mtu1); | 78 | net_set_mtu(bridge, mtu1); |
74 | } | ||
75 | } | 79 | } |
76 | 80 | ||
77 | 81 | ||
78 | // bring interface up | 82 | // bring interface up |
79 | void net_if_up(const char *ifname) { | 83 | void net_if_up(const char *ifname) { |
80 | if (strlen(ifname) > IFNAMSIZ) { | 84 | check_if_name(ifname); |
81 | fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); | ||
82 | exit(1); | ||
83 | } | ||
84 | 85 | ||
85 | int sock = socket(AF_INET,SOCK_DGRAM,0); | 86 | int sock = socket(AF_INET,SOCK_DGRAM,0); |
86 | if (sock < 0) | 87 | if (sock < 0) |
@@ -93,28 +94,19 @@ void net_if_up(const char *ifname) { | |||
93 | ifr.ifr_addr.sa_family = AF_INET; | 94 | ifr.ifr_addr.sa_family = AF_INET; |
94 | 95 | ||
95 | // read the existing flags | 96 | // read the existing flags |
96 | if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { | 97 | if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) |
97 | close(sock); | ||
98 | printf("Error fnet: cannot bring up interface %s\n", ifname); | ||
99 | errExit("ioctl"); | 98 | errExit("ioctl"); |
100 | } | ||
101 | 99 | ||
102 | ifr.ifr_flags |= IFF_UP; | 100 | ifr.ifr_flags |= IFF_UP; |
103 | 101 | ||
104 | // set the new flags | 102 | // set the new flags |
105 | if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) { | 103 | if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) |
106 | close(sock); | ||
107 | printf("Error fnet: cannot bring up interface %s\n", ifname); | ||
108 | errExit("ioctl"); | 104 | errExit("ioctl"); |
109 | } | ||
110 | 105 | ||
111 | // checking | 106 | // checking |
112 | // read the existing flags | 107 | // read the existing flags |
113 | if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { | 108 | if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) |
114 | close(sock); | ||
115 | printf("Error fnet: cannot bring up interface %s\n", ifname); | ||
116 | errExit("ioctl"); | 109 | errExit("ioctl"); |
117 | } | ||
118 | 110 | ||
119 | // wait not more than 500ms for the interface to come up | 111 | // wait not more than 500ms for the interface to come up |
120 | int cnt = 0; | 112 | int cnt = 0; |
@@ -122,11 +114,8 @@ void net_if_up(const char *ifname) { | |||
122 | usleep(10000); // sleep 10ms | 114 | usleep(10000); // sleep 10ms |
123 | 115 | ||
124 | // read the existing flags | 116 | // read the existing flags |
125 | if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { | 117 | if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) |
126 | close(sock); | ||
127 | printf("Error fnet: cannot bring up interface %s\n", ifname); | ||
128 | errExit("ioctl"); | 118 | errExit("ioctl"); |
129 | } | ||
130 | if (ifr.ifr_flags & IFF_RUNNING) | 119 | if (ifr.ifr_flags & IFF_RUNNING) |
131 | break; | 120 | break; |
132 | cnt++; | 121 | cnt++; |
@@ -136,12 +125,8 @@ void net_if_up(const char *ifname) { | |||
136 | } | 125 | } |
137 | 126 | ||
138 | int net_get_mtu(const char *ifname) { | 127 | int net_get_mtu(const char *ifname) { |
128 | check_if_name(ifname); | ||
139 | int mtu = 0; | 129 | int mtu = 0; |
140 | if (strlen(ifname) > IFNAMSIZ) { | ||
141 | fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); | ||
142 | exit(1); | ||
143 | } | ||
144 | |||
145 | int s; | 130 | int s; |
146 | struct ifreq ifr; | 131 | struct ifreq ifr; |
147 | 132 | ||
@@ -160,11 +145,7 @@ int net_get_mtu(const char *ifname) { | |||
160 | } | 145 | } |
161 | 146 | ||
162 | void net_set_mtu(const char *ifname, int mtu) { | 147 | void net_set_mtu(const char *ifname, int mtu) { |
163 | if (strlen(ifname) > IFNAMSIZ) { | 148 | check_if_name(ifname); |
164 | fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); | ||
165 | exit(1); | ||
166 | } | ||
167 | |||
168 | int s; | 149 | int s; |
169 | struct ifreq ifr; | 150 | struct ifreq ifr; |
170 | 151 | ||
@@ -246,6 +227,7 @@ void net_ifprint(int scan) { | |||
246 | } | 227 | } |
247 | 228 | ||
248 | int net_get_mac(const char *ifname, unsigned char mac[6]) { | 229 | int net_get_mac(const char *ifname, unsigned char mac[6]) { |
230 | check_if_name(ifname); | ||
249 | 231 | ||
250 | struct ifreq ifr; | 232 | struct ifreq ifr; |
251 | int sock; | 233 | int sock; |
@@ -267,11 +249,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
267 | 249 | ||
268 | // configure interface ipv4 address | 250 | // configure interface ipv4 address |
269 | void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { | 251 | void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { |
270 | if (strlen(ifname) > IFNAMSIZ) { | 252 | check_if_name(ifname); |
271 | fprintf(stderr, "Error: invalid network device name %s\n", ifname); | ||
272 | exit(1); | ||
273 | } | ||
274 | |||
275 | int sock = socket(AF_INET,SOCK_DGRAM,0); | 253 | int sock = socket(AF_INET,SOCK_DGRAM,0); |
276 | if (sock < 0) | 254 | if (sock < 0) |
277 | errExit("socket"); | 255 | errExit("socket"); |
@@ -282,34 +260,29 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { | |||
282 | ifr.ifr_addr.sa_family = AF_INET; | 260 | ifr.ifr_addr.sa_family = AF_INET; |
283 | 261 | ||
284 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); | 262 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); |
285 | if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) { | 263 | if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) |
286 | close(sock); | ||
287 | fprintf(stderr, "Error fnet: cannot find interface %s\n", ifname); | ||
288 | errExit("ioctl"); | 264 | errExit("ioctl"); |
289 | } | ||
290 | 265 | ||
291 | if (ip != 0) { | 266 | if (ip != 0) { |
292 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(mask); | 267 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(mask); |
293 | if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) { | 268 | if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) |
294 | close(sock); | ||
295 | errExit("ioctl"); | 269 | errExit("ioctl"); |
296 | } | ||
297 | } | 270 | } |
298 | 271 | ||
299 | // configure mtu | 272 | // configure mtu |
300 | if (mtu > 0) { | 273 | if (mtu > 0) { |
301 | ifr.ifr_mtu = mtu; | 274 | ifr.ifr_mtu = mtu; |
302 | if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) { | 275 | if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) |
303 | close(sock); | ||
304 | errExit("ioctl"); | 276 | errExit("ioctl"); |
305 | } | ||
306 | } | 277 | } |
307 | 278 | ||
308 | close(sock); | 279 | close(sock); |
309 | usleep(10000); // sleep 10ms | 280 | usleep(10000); // sleep 10ms |
281 | return; | ||
310 | } | 282 | } |
311 | 283 | ||
312 | int net_if_mac(const char *ifname, const unsigned char mac[6]) { | 284 | int net_if_mac(const char *ifname, const unsigned char mac[6]) { |
285 | check_if_name(ifname); | ||
313 | struct ifreq ifr; | 286 | struct ifreq ifr; |
314 | int sock; | 287 | int sock; |
315 | 288 | ||
@@ -335,6 +308,7 @@ struct ifreq6 { | |||
335 | unsigned int ifr6_ifindex; | 308 | unsigned int ifr6_ifindex; |
336 | }; | 309 | }; |
337 | void net_if_ip6(const char *ifname, const char *addr6) { | 310 | void net_if_ip6(const char *ifname, const char *addr6) { |
311 | check_if_name(ifname); | ||
338 | if (strchr(addr6, ':') == NULL) { | 312 | if (strchr(addr6, ':') == NULL) { |
339 | fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6); | 313 | fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6); |
340 | exit(1); | 314 | exit(1); |
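Review bot: `check_if_name` (new lines 32-37) rejects only names longer than IFNAMSIZ, but `ifr.ifr_name` is a `char[IFNAMSIZ]` that must also hold the terminator, so a name of exactly IFNAMSIZ characters passes the check and cannot be stored NUL-terminated; the condition should be `if (strlen(ifname) >= IFNAMSIZ) {`. The copies into `ifr_name` are outside the hunks, so whether they bound the copy or leave the field unterminated cannot be confirmed from here, but this helper is now the single choke point for every interface name and should be strict. In net_if_up and net_if_ip the dropped `printf("Error fnet: cannot bring up interface %s\n", ifname)` lines mean a failure now reports only `ioctl` from errExit with no interface name, so consider `errExit("ioctl SIOCSIFFLAGS")` style messages or one fprintf to stderr before errExit. The removed `close(sock)` calls are harmless since errExit terminates the process, and the bare `return;` added at the end of net_if_ip is redundant.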
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp new file mode 100755 index 000000000..76c0e55fc --- /dev/null +++ b/test/overlay/firefox-x11-xorg.exp | |||
@@ -0,0 +1,90 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --overlay --name=test --x11=xorg firefox -no-remote www.gentoo.org\r" | ||
11 | sleep 10 | ||
12 | |||
13 | spawn $env(SHELL) | ||
14 | send -- "firejail --list\r" | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 3\n";exit} | ||
17 | ":firejail" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
21 | "firefox" {puts "firefox detected\n";} | ||
22 | "iceweasel" {puts "iceweasel detected\n";} | ||
23 | } | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 3.2\n";exit} | ||
26 | "no-remote" | ||
27 | } | ||
28 | sleep 1 | ||
29 | # grsecurity exit | ||
30 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
33 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
34 | "cannot open" {puts "grsecurity not present\n"} | ||
35 | } | ||
36 | send -- "firejail --overlay --name=blablabla\r" | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 4\n";exit} | ||
39 | "Child process initialized" | ||
40 | } | ||
41 | sleep 2 | ||
42 | |||
43 | spawn $env(SHELL) | ||
44 | send -- "firemon --seccomp\r" | ||
45 | expect { | ||
46 | timeout {puts "TESTING ERROR 5\n";exit} | ||
47 | " firefox" {puts "firefox detected\n";} | ||
48 | " iceweasel" {puts "iceweasel detected\n";} | ||
49 | } | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 5.0\n";exit} | ||
52 | "no-remote" | ||
53 | } | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | ||
56 | "Seccomp: 2" | ||
57 | } | ||
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
60 | "name=blablabla" | ||
61 | } | ||
62 | sleep 1 | ||
63 | send -- "firemon --caps\r" | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 6\n";exit} | ||
66 | " firefox" {puts "firefox detected\n";} | ||
67 | " iceweasel" {puts "iceweasel detected\n";} | ||
68 | } | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 6.0\n";exit} | ||
71 | "no-remote" | ||
72 | } | ||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
75 | "CapBnd:" | ||
76 | } | ||
77 | expect { | ||
78 | timeout {puts "TESTING ERROR 6.2\n";exit} | ||
79 | "0000000000000000" | ||
80 | } | ||
81 | expect { | ||
82 | timeout {puts "TESTING ERROR 6.3\n";exit} | ||
83 | "name=blablabla" | ||
84 | } | ||
85 | sleep 1 | ||
86 | send -- "firejail --shutdown=test\r" | ||
87 | sleep 3 | ||
88 | |||
89 | puts "\nall done\n" | ||
90 | |||
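Review bot: The sandbox launch on line 10 is never checked: unlike firefox.exp, this script does not `expect` "Child process initialized" after the send, so a failed start (no Xorg server, missing xauth, unsupported overlay) only surfaces ten seconds later as "TESTING ERROR 3.1" from the `firejail --list` check, which points at the wrong cause. Add after the send: `expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" }` before the `sleep 10`. The CapBnd check on lines 73-80 passes as long as sixteen zeros appear anywhere after "CapBnd:", which is what the test intends but is looser than needed; `expect -re "CapBnd:\[ \t\]+0000000000000000"` would tie the value to the line. The test also loads www.gentoo.org, so it depends on network access.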
diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp new file mode 100755 index 000000000..aa248f328 --- /dev/null +++ b/test/overlay/firefox-x11.exp | |||
@@ -0,0 +1,90 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --overlay --name=test --x11 firefox -no-remote www.gentoo.org\r" | ||
11 | sleep 10 | ||
12 | |||
13 | spawn $env(SHELL) | ||
14 | send -- "firejail --list\r" | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 3\n";exit} | ||
17 | ":firejail" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
21 | "firefox" {puts "firefox detected\n";} | ||
22 | "iceweasel" {puts "iceweasel detected\n";} | ||
23 | } | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 3.2\n";exit} | ||
26 | "no-remote" | ||
27 | } | ||
28 | sleep 1 | ||
29 | # grsecurity exit | ||
30 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
33 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
34 | "cannot open" {puts "grsecurity not present\n"} | ||
35 | } | ||
36 | send -- "firejail --name=blablabla --overlay\r" | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 4\n";exit} | ||
39 | "Child process initialized" | ||
40 | } | ||
41 | sleep 2 | ||
42 | |||
43 | spawn $env(SHELL) | ||
44 | send -- "firemon --seccomp\r" | ||
45 | expect { | ||
46 | timeout {puts "TESTING ERROR 5\n";exit} | ||
47 | " firefox" {puts "firefox detected\n";} | ||
48 | " iceweasel" {puts "iceweasel detected\n";} | ||
49 | } | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 5.0\n";exit} | ||
52 | "no-remote" | ||
53 | } | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | ||
56 | "Seccomp: 2" | ||
57 | } | ||
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
60 | "name=blablabla" | ||
61 | } | ||
62 | sleep 1 | ||
63 | send -- "firemon --caps\r" | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 6\n";exit} | ||
66 | " firefox" {puts "firefox detected\n";} | ||
67 | " iceweasel" {puts "iceweasel detected\n";} | ||
68 | } | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 6.0\n";exit} | ||
71 | "no-remote" | ||
72 | } | ||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
75 | "CapBnd:" | ||
76 | } | ||
77 | expect { | ||
78 | timeout {puts "TESTING ERROR 6.2\n";exit} | ||
79 | "0000000000000000" | ||
80 | } | ||
81 | expect { | ||
82 | timeout {puts "TESTING ERROR 6.3\n";exit} | ||
83 | "name=blablabla" | ||
84 | } | ||
85 | sleep 1 | ||
86 | send -- "firejail --shutdown=test\r" | ||
87 | sleep 3 | ||
88 | |||
89 | puts "\nall done\n" | ||
90 | |||
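Review bot: As in the xorg variant, the launch on line 10 has no `expect` for "Child process initialized", so a sandbox that fails to start under `--x11` is reported as "TESTING ERROR 3.1" from the `firejail --list` step rather than at the point of failure; add `expect { timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" }` directly after the send. Lines 55 and 59 both use the label "TESTING ERROR 5.1" (one with a "(seccomp)" suffix); giving the second one its own number, e.g. `TESTING ERROR 5.2`, keeps the failure output unambiguous.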
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp new file mode 100755 index 000000000..6ef23558d --- /dev/null +++ b/test/overlay/firefox.exp | |||
@@ -0,0 +1,99 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --overlay firefox -no-remote www.gentoo.org\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Reading profile /etc/firejail/firefox.profile" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "Child process initialized" | ||
18 | } | ||
19 | sleep 10 | ||
20 | |||
21 | spawn $env(SHELL) | ||
22 | send -- "firejail --list\r" | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
25 | ":firejail" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
29 | "firefox" {puts "firefox detected\n";} | ||
30 | "iceweasel" {puts "iceweasel detected\n";} | ||
31 | } | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 3.2\n";exit} | ||
34 | "no-remote" | ||
35 | } | ||
36 | after 100 | ||
37 | |||
38 | # grsecurity exit | ||
39 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
42 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
43 | "cannot open" {puts "grsecurity not present\n"} | ||
44 | } | ||
45 | |||
46 | |||
47 | send -- "firejail --name=blablabla --overlay\r" | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 4\n";exit} | ||
50 | "Child process initialized" | ||
51 | } | ||
52 | sleep 2 | ||
53 | |||
54 | spawn $env(SHELL) | ||
55 | send -- "firemon --seccomp\r" | ||
56 | expect { | ||
57 | timeout {puts "TESTING ERROR 5\n";exit} | ||
58 | " firefox" {puts "firefox detected\n";} | ||
59 | " iceweasel" {puts "iceweasel detected\n";} | ||
60 | } | ||
61 | expect { | ||
62 | timeout {puts "TESTING ERROR 5.0\n";exit} | ||
63 | "no-remote" | ||
64 | } | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | ||
67 | "Seccomp: 2" | ||
68 | } | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
71 | "name=blablabla" | ||
72 | } | ||
73 | after 100 | ||
74 | send -- "firemon --caps\r" | ||
75 | expect { | ||
76 | timeout {puts "TESTING ERROR 6\n";exit} | ||
77 | " firefox" {puts "firefox detected\n";} | ||
78 | " iceweasel" {puts "iceweasel detected\n";} | ||
79 | } | ||
80 | expect { | ||
81 | timeout {puts "TESTING ERROR 6.0\n";exit} | ||
82 | "no-remote" | ||
83 | } | ||
84 | expect { | ||
85 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
86 | "CapBnd:" | ||
87 | } | ||
88 | expect { | ||
89 | timeout {puts "TESTING ERROR 6.2\n";exit} | ||
90 | "0000000000000000" | ||
91 | } | ||
92 | expect { | ||
93 | timeout {puts "TESTING ERROR 6.3\n";exit} | ||
94 | "name=blablabla" | ||
95 | } | ||
96 | after 100 | ||
97 | |||
98 | puts "\nall done\n" | ||
99 | |||
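Review bot: The sandbox started on line 10 is never shut down: unlike the x11 variants this script has no `--name=test` on the launch line and no `firejail --shutdown=test` at the end, so firefox is still running after "all done" and the next script in overlay.sh starts a second `firefox -no-remote` beside a live instance. Change line 10 to `send -- "firejail --overlay --name=test firefox -no-remote www.gentoo.org\r"` and add `send -- "firejail --shutdown=test\r"` followed by `sleep 3` before the final puts. The `--name=blablabla` sandbox from line 47 is likewise left behind, though it is only a shell and presumably ends with the spawned terminal when expect exits.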
diff --git a/test/fs_overlay.exp b/test/overlay/fs.exp index b7eeba80f..15ada9203 100755 --- a/test/fs_overlay.exp +++ b/test/overlay/fs.exp | |||
@@ -4,19 +4,7 @@ set timeout 10 | |||
4 | spawn $env(SHELL) | 4 | spawn $env(SHELL) |
5 | match_max 100000 | 5 | match_max 100000 |
6 | 6 | ||
7 | send -- "rm -f /tmp/firejail-overlay-test;pwd\r" | 7 | send -- "firejail --overlay\r" |
8 | expect { | ||
9 | timeout {puts "TESTING ERROR 0\n";exit} | ||
10 | "home" | ||
11 | } | ||
12 | |||
13 | send -- "ls > /tmp/firejail-overlay-test;pwd\r" | ||
14 | expect { | ||
15 | timeout {puts "TESTING ERROR 1\n";exit} | ||
16 | "home" | ||
17 | } | ||
18 | |||
19 | send -- "firejail --noprofile --overlay\r" | ||
20 | expect { | 8 | expect { |
21 | timeout {puts "TESTING ERROR 2\n";exit} | 9 | timeout {puts "TESTING ERROR 2\n";exit} |
22 | "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} | 10 | "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} |
@@ -25,42 +13,34 @@ expect { | |||
25 | } | 13 | } |
26 | sleep 1 | 14 | sleep 1 |
27 | 15 | ||
28 | send -- "echo xyzxyzxyz > /tmp/firejail-overlay-test;pwd\r" | 16 | send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r" |
29 | expect { | 17 | expect { |
30 | timeout {puts "TESTING ERROR 3\n";exit} | 18 | timeout {puts "TESTING ERROR 3\n";exit} |
31 | "home" | 19 | "done" |
32 | } | 20 | } |
33 | sleep 1 | 21 | after 100 |
34 | 22 | ||
35 | send -- "cat /tmp/firejail-overlay-test;pwd\r" | 23 | send -- "cat ~/_firejail_test_file; echo done\r" |
36 | expect { | 24 | expect { |
37 | timeout {puts "TESTING ERROR 4\n";exit} | 25 | timeout {puts "TESTING ERROR 4\n";exit} |
38 | "xyzxyzxyz" | 26 | "xyzxyzxyz" |
39 | } | 27 | } |
40 | expect { | 28 | expect { |
41 | timeout {puts "TESTING ERROR 4.1\n";exit} | 29 | timeout {puts "TESTING ERROR 4.1\n";exit} |
42 | "home" | 30 | "done" |
43 | } | 31 | } |
44 | sleep 1 | 32 | after 100 |
45 | 33 | ||
46 | send -- "exit\r" | 34 | send -- "exit\r" |
47 | sleep 2 | 35 | sleep 2 |
48 | 36 | ||
49 | send -- "cat /tmp/firejail-overlay-test;pwd\r" | 37 | send -- "cat ~/_firejail_test_file; echo done\r" |
50 | expect { | 38 | expect { |
51 | timeout {puts "TESTING ERROR 5\n";exit} | 39 | timeout {puts "TESTING ERROR 5\n";exit} |
52 | "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit} | 40 | "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit} |
53 | "home" | 41 | "done" |
54 | } | 42 | } |
55 | 43 | ||
56 | sleep 1 | 44 | after 100 |
57 | send -- "rm -f /tmp/firejail-overlay-test;pwd\r" | 45 | puts "\nall done\n" |
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 0\n";exit} | ||
60 | "home" | ||
61 | } | ||
62 | |||
63 | |||
64 | sleep 1 | ||
65 | puts "all done \n" | ||
66 | 46 | ||
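Review bot: After `send -- "exit\r"` on line 34 the script only sleeps two seconds and then runs the host-side `cat` on line 37 without confirming that the sandboxed shell actually exited; if the exit is slow the cat runs inside the overlay, the file is found, and the run is reported as "TESTING ERROR 5.1", i.e. a false overlay leak. Check the shell is back on the host before the negative test, for example `send -- "firejail --list; echo done\r"` and expect "done" with no sandbox entry ahead of it. Dropping `--noprofile` from line 7 means whatever profile firejail picks for the spawned shell now also applies; that does not change the host-side assertion, but it makes the in-sandbox write depend on the installed profiles, which is worth a comment if intended.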
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh new file mode 100755 index 000000000..971adddfe --- /dev/null +++ b/test/overlay/overlay.sh | |||
@@ -0,0 +1,57 @@ | |||
1 | #!/bin/bash | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | export MALLOC_CHECK_=3 | ||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
8 | |||
9 | echo "TESTING: overlay fs (test/overlay/fs.exp)" | ||
10 | rm -fr ~/_firejail_test_* | ||
11 | ./fs.exp | ||
12 | rm -fr ~/_firejail_test_* | ||
13 | |||
14 | which firefox | ||
15 | if [ "$?" -eq 0 ]; | ||
16 | then | ||
17 | echo "TESTING: overlay firefox" | ||
18 | ./firefox.exp | ||
19 | else | ||
20 | echo "TESTING SKIP: firefox not found" | ||
21 | fi | ||
22 | |||
23 | which firefox | ||
24 | if [ "$?" -eq 0 ]; | ||
25 | then | ||
26 | echo "TESTING: overlay firefox x11 xorg" | ||
27 | ./firefox.exp | ||
28 | else | ||
29 | echo "TESTING SKIP: firefox not found" | ||
30 | fi | ||
31 | |||
32 | |||
33 | # check xpra/xephyr | ||
34 | which xpra | ||
35 | if [ "$?" -eq 0 ]; | ||
36 | then | ||
37 | echo "xpra found" | ||
38 | else | ||
39 | echo "xpra not found" | ||
40 | which Xephyr | ||
41 | if [ "$?" -eq 0 ]; | ||
42 | then | ||
43 | echo "Xephyr found" | ||
44 | else | ||
45 | echo "TESTING SKIP: xpra and/or Xephyr not found" | ||
46 | exit | ||
47 | fi | ||
48 | fi | ||
49 | |||
50 | which firefox | ||
51 | if [ "$?" -eq 0 ]; | ||
52 | then | ||
53 | echo "TESTING: overlay firefox x11" | ||
54 | ./firefox.exp | ||
55 | else | ||
56 | echo "TESTING SKIP: firefox not found" | ||
57 | fi | ||
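Review bot: The two x11 test cases never run: lines 27 and 54 invoke `./firefox.exp` again instead of the scripts added in this commit, so `firefox-x11-xorg.exp` and `firefox-x11.exp` are dead files and the "overlay firefox x11 xorg" / "overlay firefox x11" banners are printed for a plain overlay run. Change line 27 to `./firefox-x11-xorg.exp` and line 54 to `./firefox-x11.exp`. The xpra/Xephyr probe on lines 33-48 sits between the xorg and x11 cases, so the xorg run proceeds without checking for the Xorg server it needs, and the `exit` on line 46 skips only the trailing x11 case; each precondition reads more clearly as a guard placed directly before its own case. The three `which firefox` checks could be computed once into a variable.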