author | netblue30 <netblue30@yahoo.com> | 2015-11-22 15:12:47 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-11-22 15:13:26 -0500 |
commit | d8bcb4583cdffeefb052dbacb2441cd545ccf9eb (patch) | |
tree | 69096f63d0a8ac3adf6c7a442fa625cb3d4c7c18 | |
parent | feature testing (diff) | |
feature testing
-rw-r--r-- | src/firejail/fs.c | 10 | ||||
-rwxr-xr-x | test/configure | 2 | ||||
-rwxr-xr-x | test/features/1.1.exp | 14 | ||||
-rw-r--r-- | test/features/features.txt | 6 | ||||
-rwxr-xr-x | test/features/test.sh | 5 |
5 files changed, 22 insertions, 15 deletions
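--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -533,17 +533,15 @@ void fs_proc_sys_dev_boot(void) {
 	// disable /boot
 	if (stat("/boot", &s) == 0) {
 		if (arg_debug)
-			printf("Mounting a new /boot directory\n");
-		if (mount("tmpfs", "/boot", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
-			errExit("mounting /boot directory");
+			printf("Disable /boot directory\n");
+		disable_file(BLACKLIST_FILE, "/boot");
 	}
 
 	// disable /selinux
 	if (stat("/selinux", &s) == 0) {
 		if (arg_debug)
-			printf("Mounting a new /selinux directory\n");
-		if (mount("tmpfs", "/selinux", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
-			errExit("mounting /selinux directory");
+			printf("Disable /selinux directory\n");
+		disable_file(BLACKLIST_FILE, "/selinux");
 	}
 
 	// disable /dev/port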
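Review bot: The fail-closed path is gone from this hunk: the removed code aborted the sandbox with errExit when the tmpfs mount over /boot or /selinux failed, while the new `disable_file(BLACKLIST_FILE, "/boot")` and `disable_file(BLACKLIST_FILE, "/selinux")` calls have no visible error check. If disable_file reports failure through its return value rather than exiting internally (its definition is not in this diff), a failed blacklist would leave the real /boot or /selinux reachable and the jail would start anyway, which is a silent fail-open for the exact paths this function is meant to hide. If it does return a status, `if (disable_file(BLACKLIST_FILE, "/boot") < 0) errExit("disabling /boot");` (and the same for /selinux) restores the previous guarantee; if it is void and aborts on its own, a one-line comment saying so at the call site would stop the next reader from asking the same question. fs_proc_sys_dev_boot begins before and continues after this hunk.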
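--- a/test/configure
+++ b/test/configure
@@ -29,6 +29,8 @@ mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,v
 mkdir -p $ROOTDIR/etc/firejail
 mkdir -p $ROOTDIR/home/netblue/.config/firejail
 mkdir $ROOTDIR/home/someotheruser
+mkdir $ROOTDIR/boot
+mkdir $ROOTDIR/selinux
 cp /etc/passwd $ROOTDIR/etc/.
 cp /etc/group $ROOTDIR/etc/.
 touch $ROOTDIR/var/log/syslog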
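Review bot: The two added lines use bare `mkdir` while the lines just above use `mkdir -p`, so re-running configure against an existing $ROOTDIR prints "File exists" for /boot and /selinux and, if the script runs under `set -e` (not visible in this hunk), stops before the passwd/group copies. Since these directories only exist so the chroot variant of test 1.1 and 1.10 has something to blacklist, making the creation idempotent is the safer default: `mkdir -p $ROOTDIR/boot $ROOTDIR/selinux`.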
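--- a/test/features/1.1.exp
+++ b/test/features/1.1.exp
@@ -1,6 +1,6 @@
 #!/usr/bin/expect -f
 #
-# new /boot
+# disable /boot
 #
 
 set timeout 10
@@ -17,10 +17,10 @@ expect {
 }
 sleep 1
 
-send -- "ls -l /boot | wc -l\r"
+send -- "ls -l /boot\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
-	"1"
+	"Permission denied"
 }
 after 100
 send -- "exit\r"
@@ -37,10 +37,10 @@ expect {
 }
 sleep 1
 
-send -- "ls -l /boot | wc -l\r"
+send -- "ls -l /boot\r"
 expect {
 	timeout {puts "TESTING ERROR 3\n";exit}
-	"1"
+	"Permission denied"
 }
 after 100
 send -- "exit\r"
@@ -56,10 +56,10 @@ expect {
 }
 sleep 1
 
-send -- "ls -l /boot | wc -l\r"
+send -- "ls -l /boot\r"
 expect {
 	timeout {puts "TESTING ERROR 5\n";exit}
-	"1"
+	"Permission denied"
 }
 after 100
 send -- "exit\r"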
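Review bot: Each of the three expect blocks now accepts only `"Permission denied"`, so the two most likely ways the check can go wrong both surface as a bare 10-second timeout labelled TESTING ERROR 1/3/5: /boot being absent from the sandbox instead of blacklisted (ls prints "No such file or directory", which would mean the directory was not hidden but simply missing, a different result from the one the test claims to verify), or the spawned shell running under a non-English locale that translates the message. Adding an explicit failure branch next to the timeout branch, e.g. `"No such file" {puts "TESTING ERROR 1: /boot absent, not blacklisted\n";exit}`, makes the distinction visible in the output, and forcing `LC_ALL=C` where the shell is spawned (outside these hunks) would make the English match reliable. The shell spawn and the surrounding expect blocks begin outside the hunks shown.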
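--- a/test/features/features.txt
+++ b/test/features/features.txt
@@ -8,7 +8,7 @@ C - chroot filesystem
 
 1. Default features (tesing with --noprofile)
 
-1.1 new /boot
+1.1 disable /boot
 - N, O, C
 
 1.2 new /proc
@@ -36,6 +36,10 @@ C - chroot filesystem
 
 1.9 mount namespace
 
+1.10 disable /selinux
+- N, O, C
+
+
 
 2. Networking features
 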
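--- a/test/features/test.sh
+++ b/test/features/test.sh
@@ -4,7 +4,7 @@
 # Feature testing
 #
 
-echo "TESTING: 1.1 new /boot"
+echo "TESTING: 1.1 disable /boot"
 ./1.1.exp
 
 echo "TESTING: 1.2 new /proc"
@@ -25,3 +25,6 @@ echo "TESTING: 1.7 new /var/tmp"
 echo "TESTING: 1.8 disable /etc/firejail and ~/.config/firejail"
 ./1.8.exp
 
+echo "TESTING: 1.10 disable /selinux"
+./1.10.exp
+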
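Review bot: The new step runs `./1.10.exp`, but this commit's diffstat lists only 1.1.exp under test/features, so unless 1.10.exp already exists in the tree the "TESTING: 1.10 disable /selinux" line is followed by a shell "No such file or directory" and the suite moves on, because nothing in this script checks exit statuses. Either the expect script for /selinux belongs in this commit, or the call should fail loudly, e.g. `[ -x ./1.10.exp ] || { echo "TESTING ERROR: 1.10.exp missing"; exit 1; }` before the invocation. The jump from 1.8 to 1.10 with no 1.9 step mirrors features.txt, where 1.9 has no N/O/C line, so that gap looks intentional but a one-line comment saying so would help.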