author | smitsohu <smitsohu@gmail.com> | 2022-12-24 03:06:46 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-12-24 03:08:31 +0100 |
commit | 5116c1ceddf1966c852cbe2d81a2b2672dc3ba90 (patch) | |
tree | e906d805ab72e9de41328cfdd7089ee4c17c66a6 | |
parent | chroot: make search permission check explicit (diff) | |
testing
-rwxr-xr-x | test/filters/filters.sh | 10 | ||||
-rwxr-xr-x | test/filters/namespaces | bin | 0 -> 17392 bytes | |||
-rwxr-xr-x | test/filters/namespaces-32 | bin | 0 -> 16104 bytes | |||
-rwxr-xr-x | test/filters/namespaces-32.exp | 173 | ||||
-rw-r--r-- | test/filters/namespaces.c | 96 | ||||
-rwxr-xr-x | test/filters/namespaces.exp | 173 |
6 files changed, 452 insertions, 0 deletions
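--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -30,6 +30,16 @@ else
 echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686."
 fi
 
+if [[ $(uname -m) == "x86_64" ]]; then
+echo "TESTING: restrict-namespaces (test/filters/namespaces.exp)"
+./namespaces.exp
+elif [[ $(uname -m) == "i686" ]]; then
+echo "TESTING: restrict-namespaces (test/filters/namespaces-32.exp)"
+./namespaces-32.exp
+else
+echo "TESTING SKIP: namespaces binary only running on x86_64 and i686."
+fi
+
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
 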
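Review bot: Both new branches depend on the checked-in executables `namespaces` and `namespaces-32`, so the restrict-namespaces filter gets no coverage on any other architecture, and a reviewer cannot tie the binary that actually runs back to `namespaces.c`. Since the C source is added in the same commit, consider building it at test time (for example `cc -o namespaces namespaces.c` ahead of the `./namespaces.exp` call), which would also make the `else` skip branch unnecessary. The memwrexe test in the context lines follows the same prebuilt-binary pattern, so this may be an established project convention rather than an oversight. As a smaller style point, `uname -m` is evaluated twice; a single `arch=$(uname -m)` compared in both tests would do.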
diff --git a/test/filters/namespaces b/test/filters/namespaces new file mode 100755 index 000000000..721ba092e --- /dev/null +++ b/test/filters/namespaces | |||
Binary files differ | |||
diff --git a/test/filters/namespaces-32 b/test/filters/namespaces-32 new file mode 100755 index 000000000..4df674d1b --- /dev/null +++ b/test/filters/namespaces-32 | |||
Binary files differ | |||
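--- /dev/null
+++ b/test/filters/namespaces-32.exp
@@ -0,0 +1,173 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+# clone
+#
+
+send -- "firejail --noprofile ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"clone successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r"
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"clone successful"
+}
+after 100
+
+#
+# unshare
+#
+
+send -- "firejail --noprofile ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"unshare successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r"
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 17\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r"
+expect {
+timeout {puts "TESTING ERROR 18\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 19\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r"
+expect {
+timeout {puts "TESTING ERROR 22\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 23\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r"
+expect {
+timeout {puts "TESTING ERROR 24\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 25\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r"
+expect {
+timeout {puts "TESTING ERROR 26\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 27\n";exit}
+"unshare successful"
+}
+
+
+after 100
+puts "\nall done\n"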
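Review bot: The only restricted lists exercised here are the bare `--restrict-namespaces`, `=user` and `=cgroup,ipc`, so `mnt`, `net`, `pid`, `uts` and `time` never appear on the restricted side and a regression in the filter for any of them would pass unnoticed; test/filters/namespaces.exp has the same gap. `namespaces.c` already parses `time`, yet no case passes it. One denied case per remaining namespace would close this, e.g. `send -- "firejail --noprofile --restrict-namespaces=mnt,net,pid,uts ./namespaces-32 clone mnt\r"` followed by the `"Error: clone: Operation not permitted"` expectation. Separately, every `timeout` arm calls a bare `exit`, so the script exits with status 0 on failure and only the `TESTING ERROR` text signals it; `exit 1` would let a caller check the status as well.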
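--- /dev/null
+++ b/test/filters/namespaces.c
@@ -0,0 +1,96 @@
+#define _GNU_SOURCE
+#include <errno.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#ifndef CLONE_NEWTIME
+#define CLONE_NEWTIME 0x00000080
+#endif
+
+#define STACK_SIZE 1024 * 1024
+
+static int usage() {
+fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
+exit(1);
+}
+
+static void die(const char *msg) {
+fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno));
+exit(1);
+}
+
+static int ns_flags(const char *list) {
+int flags = 0;
+
+char *dup = strdup(list);
+if (!dup)
+die("cannot allocate memory");
+
+char *token = strtok(dup, ",");
+while (token) {
+if (strcmp(token, "cgroup") == 0)
+flags |= CLONE_NEWCGROUP;
+else if (strcmp(token, "ipc") == 0)
+flags |= CLONE_NEWIPC;
+else if (strcmp(token, "net") == 0)
+flags |= CLONE_NEWNET;
+else if (strcmp(token, "mnt") == 0)
+flags |= CLONE_NEWNS;
+else if (strcmp(token, "pid") == 0)
+flags |= CLONE_NEWPID;
+else if (strcmp(token, "time") == 0)
+flags |= CLONE_NEWTIME;
+else if (strcmp(token, "user") == 0)
+flags |= CLONE_NEWUSER;
+else if (strcmp(token, "uts") == 0)
+flags |= CLONE_NEWUTS;
+else
+usage();
+
+token = strtok(NULL, ",");
+}
+
+free(dup);
+return flags;
+}
+
+static int child(void *arg) {
+(void) arg;
+
+fprintf(stderr, "clone successful\n");
+return 0;
+}
+
+int main (int argc, char **argv) {
+if (argc != 3)
+usage();
+
+int flags = ns_flags(argv[2]);
+if (getuid() != 0)
+flags |= CLONE_NEWUSER;
+
+if (strcmp(argv[1], "clone") == 0) {
+void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
+MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+if (stack == MAP_FAILED)
+die("mmap");
+
+if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0)
+die("clone");
+}
+else if (strcmp(argv[1], "unshare") == 0) {
+if (unshare(flags))
+die("unshare");
+
+fprintf(stderr, "unshare successful\n");
+}
+else
+usage();
+
+return 0;
+}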
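Review bot: In the `clone` branch of `main` the parent returns as soon as `clone()` succeeds, so `child` may not have printed `clone successful` before the parent exits; whether the message still appears then depends on how fast the sandbox is torn down, which can make the expect scripts flaky. Keeping the pid and reaping it makes the ordering deterministic: `pid_t pid = clone(child, (char *)stack + STACK_SIZE, flags | SIGCHLD, NULL);`, then `if (pid < 0) die("clone");` and `waitpid(pid, NULL, 0);`, with `#include <sys/wait.h>` added. Two smaller points: `STACK_SIZE` should be parenthesised as `(1024 * 1024)`, and `CLONE_NEWTIME` (0x80) lies in the low byte that `clone()` reads as the exit signal, so as far as I can tell `clone time` would not request a time namespace and should probably be rejected in favour of `unshare time`. A one-line comment on `flags |= CLONE_NEWUSER` saying why non-root callers always get a user namespace would also help anyone reading the expected results in the tests.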
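--- /dev/null
+++ b/test/filters/namespaces.exp
@@ -0,0 +1,173 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+# clone
+#
+
+send -- "firejail --noprofile ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"clone successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r"
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"clone successful"
+}
+after 100
+
+#
+# unshare
+#
+
+send -- "firejail --noprofile ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"unshare successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r"
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 17\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r"
+expect {
+timeout {puts "TESTING ERROR 18\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 19\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r"
+expect {
+timeout {puts "TESTING ERROR 22\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 23\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r"
+expect {
+timeout {puts "TESTING ERROR 24\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 25\n";exit}
+"Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r"
+expect {
+timeout {puts "TESTING ERROR 26\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 27\n";exit}
+"unshare successful"
+}
+
+
+after 100
+puts "\nall done\n"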
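Review bot: This script is a line-for-line copy of test/filters/namespaces-32.exp with only the binary name changed, so every future case has to be added twice and a missed edit silently leaves one architecture under-tested. Reading the binary name from the command line would let one script serve both: `set bin [lindex $argv 0]` next to `set timeout 10`, and `./$bin` in each `send` string. filters.sh could then invoke it as `./namespaces.exp namespaces` or `./namespaces.exp namespaces-32`.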