author | netblue30 <netblue30@yahoo.com> | 2018-11-08 10:49:44 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-11-08 10:49:44 -0500 |
commit | 2acc910daf73c284965ca96bc70b4eb980c865cf (patch) | |
tree | 7b5733a8ccacba4089a7a9c067b12355372c8dc9 | |
parent | Merge pull request #2251 from glitsj16/sort (diff) | |
profile parser testing
-rw-r--r-- | README.md | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 12 | ||||
-rwxr-xr-x | test/profiles/profile_appname.exp | 25 | ||||
-rwxr-xr-x | test/profiles/profile_noperm.exp | 2 | ||||
-rwxr-xr-x | test/profiles/profile_recursivity.exp | 25 | ||||
-rwxr-xr-x | test/profiles/profile_syntax2.exp | 27 | ||||
-rwxr-xr-x | test/profiles/profiles.sh | 27 | ||||
-rw-r--r-- | test/profiles/test2.profile | 4 | ||||
-rw-r--r-- | test/profiles/test3.profile | 1 |
10 files changed, 99 insertions, 35 deletions
@@ -101,17 +101,15 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
101 | ````` | 101 | ````` |
102 | ## Current development version: 0.9.57 | 102 | ## Current development version: 0.9.57 |
103 | 103 | ||
104 | ## New Long Term Support (LTS) version | 104 | ## New Long Term Support (0.9.56-LTS) version released |
105 | 105 | ||
106 | We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old. | ||
107 | The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely | 106 | The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely |
108 | used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib), | 107 | used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib), |
109 | and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as | 108 | and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as |
110 | seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened. | 109 | seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened. |
111 | 110 | ||
112 | We have an rc1 release out, the final version will follow in the next few weeks: | ||
113 | ````` | 111 | ````` |
114 | firejail (0.9.56-LTS~rc1) baseline; urgency=low | 112 | firejail (0.9.56-LTS) baseline; urgency=low |
115 | * code based on Firejail version 0.9.56 | 113 | * code based on Firejail version 0.9.56 |
116 | * much smaller code base for SUID executable | 114 | * much smaller code base for SUID executable |
117 | * command line options removed: | 115 | * command line options removed: |
@@ -124,7 +122,7 @@ firejail (0.9.56-LTS~rc1) baseline; urgency=low | |||
124 | --disable-globalcfg, --disable-network, --disable-userns, | 122 | --disable-globalcfg, --disable-network, --disable-userns, |
125 | --disable-whitelist, --disable-suid, --enable-fatal-warnings, | 123 | --disable-whitelist, --disable-suid, --enable-fatal-warnings, |
126 | --enable-busybox-workaround | 124 | --enable-busybox-workaround |
127 | -- netblue30 <netblue30@yahoo.com> Wed, 3 Oct 2018 08:00:00 -0500 | 125 | -- netblue30 <netblue30@yahoo.com> Sun, 21 Oct 2018 08:00:00 -0500 |
128 | ````` | 126 | ````` |
129 | 127 | ||
130 | The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase | 128 | The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d996e1dac..46aea4bd4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -461,8 +461,7 @@ void fs_mnt(const int enforce); | |||
461 | 461 | ||
462 | // profile.c | 462 | // profile.c |
463 | // find and read the profile specified by name from dir directory | 463 | // find and read the profile specified by name from dir directory |
464 | int profile_find(const char *name, const char *dir, int add_ext); | 464 | //int profile_find_firejail(const char *name, int add_ext); |
465 | int profile_find_firejail(const char *name, int add_ext); | ||
466 | // read a profile file | 465 | // read a profile file |
467 | void profile_read(const char *fname); | 466 | void profile_read(const char *fname); |
468 | // check profile line; if line == 0, this was generated from a command line option | 467 | // check profile line; if line == 0, this was generated from a command line option |
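Review bot: As rendered, new line 464 leaves the prototype commented out (`//int profile_find_firejail(const char *name, int add_ext);`), while profile.c in this same commit still defines profile_find_firejail() with external linkage. Any caller in another translation unit would then compile against an implicit declaration, with no argument type checking in a SUID program. Either restore the live prototype `int profile_find_firejail(const char *name, int add_ext);`, or, if nothing outside profile.c calls it, mark the definition `static` and delete the commented-out line. The comment on line 463 still mentions "from dir directory", which described the removed profile_find() prototype and should be reworded to match.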
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a85c8f815..5f5d94ddf 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -25,7 +25,8 @@ extern char *xephyr_screen; | |||
25 | #define MAX_READ 8192 // line buffer for profile files | 25 | #define MAX_READ 8192 // line buffer for profile files |
26 | 26 | ||
27 | // find and read the profile specified by name from dir directory | 27 | // find and read the profile specified by name from dir directory |
28 | int profile_find(const char *name, const char *dir, int add_ext) { | 28 | // return 1 if a profile was found |
29 | static int profile_find(const char *name, const char *dir, int add_ext) { | ||
29 | EUID_ASSERT(); | 30 | EUID_ASSERT(); |
30 | assert(name); | 31 | assert(name); |
31 | assert(dir); | 32 | assert(dir); |
@@ -64,6 +65,7 @@ int profile_find(const char *name, const char *dir, int add_ext) { | |||
64 | } | 65 | } |
65 | 66 | ||
66 | // search and read the profile specified by name from firejail directories | 67 | // search and read the profile specified by name from firejail directories |
68 | // return 1 if a profile was found | ||
67 | int profile_find_firejail(const char *name, int add_ext) { | 69 | int profile_find_firejail(const char *name, int add_ext) { |
68 | // look for a profile in ~/.config/firejail directory | 70 | // look for a profile in ~/.config/firejail directory |
69 | char *usercfgdir; | 71 | char *usercfgdir; |
@@ -1438,7 +1440,13 @@ void profile_read(const char *fname) { | |||
1438 | ptr2++; | 1440 | ptr2++; |
1439 | // profile path contains no / chars, do a search | 1441 | // profile path contains no / chars, do a search |
1440 | if (*ptr2 == '\0') { | 1442 | if (*ptr2 == '\0') { |
1441 | profile_find_firejail(newprofile, 0); | 1443 | int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory |
1444 | if (!rv) { | ||
1445 | // maybe this is a file in the local working directory? | ||
1446 | // it will stop the sandbox if not! | ||
1447 | // Note: if the file ends in .local it will not stop the program | ||
1448 | profile_read(newprofile); | ||
1449 | } | ||
1442 | } | 1450 | } |
1443 | else { | 1451 | else { |
1444 | profile_read(newprofile); | 1452 | profile_read(newprofile); |
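Review bot: The fallback added at new lines 1443-1449 resolves a slash-less `include` name against the current working directory whenever profile_find_firejail() returns 0, so a file in whatever directory firejail is started from is parsed with the same trust as one from ~/.config/firejail or /etc/firejail. The added comment says a missing `.local` file does not stop the program, which suggests optional `.local` includes routinely reach this path; a sandbox started inside a directory that someone else can write to could then apply profile lines the user never installed. Consider limiting the fallback to names written with an explicit `./` prefix (these already take the `else` branch), or at least skipping it for `.local` names, e.g. `size_t n = strlen(newprofile);` followed by `if (!rv && !(n > 6 && strcmp(newprofile + n - 6, ".local") == 0))`. profile_read() starts and ends outside this hunk, so how it treats a relative path is inferred from the comment rather than seen.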
diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp new file mode 100755 index 000000000..c70e7ad57 --- /dev/null +++ b/test/profiles/profile_appname.exp | |||
@@ -0,0 +1,25 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --profile=firefox\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Reading profile /etc/firejail/firefox.profile" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "Reading profile /etc/firejail/firefox-common.profile" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 2\n";exit} | ||
21 | "shell=none configured, but no program specified" | ||
22 | } | ||
23 | |||
24 | after 100 | ||
25 | puts "\nall done\n" | ||
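Review bot: Each timeout branch ends in a bare `exit`, so the script returns status 0 even when an expected line never appears, and a failure is visible only as "TESTING ERROR n" in the output. Returning a non-zero status, e.g. `timeout {puts "TESTING ERROR 0\n";exit 1}`, lets a caller that checks exit codes catch the regression; the same applies to the new profile_recursivity.exp. The test also assumes /etc/firejail/firefox.profile and firefox-common.profile are installed on the host, which deserves a one-line comment at the top, such as `# requires the default firefox profiles installed in /etc/firejail`.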
diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp index b3b031cb2..9f8cb54e2 100755 --- a/test/profiles/profile_noperm.exp +++ b/test/profiles/profile_noperm.exp | |||
@@ -7,7 +7,7 @@ match_max 100000 | |||
7 | send -- "firejail --profile=/etc/shadow\r" | 7 | send -- "firejail --profile=/etc/shadow\r" |
8 | expect { | 8 | expect { |
9 | timeout {puts "TESTING ERROR 0\n";exit} | 9 | timeout {puts "TESTING ERROR 0\n";exit} |
10 | "cannot access profile" | 10 | "inaccessible profile file" |
11 | } | 11 | } |
12 | after 100 | 12 | after 100 |
13 | puts "\nall done\n" | 13 | puts "\nall done\n" |
diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp new file mode 100755 index 000000000..66e4510bf --- /dev/null +++ b/test/profiles/profile_recursivity.exp | |||
@@ -0,0 +1,25 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --profile=test3.profile\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Reading profile test3.profile" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "Reading profile test3.profile" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 2\n";exit} | ||
21 | "maximum profile include level was reached" | ||
22 | } | ||
23 | |||
24 | after 100 | ||
25 | puts "\nall done\n" | ||
diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index 4d621f3ec..da34b67e8 100755 --- a/test/profiles/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp | |||
@@ -7,7 +7,7 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --debug --profile=test2.profile\r" | 10 | send -- "firejail --profile=test2.profile\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "Reading profile test2.profile" | 13 | "Reading profile test2.profile" |
@@ -18,29 +18,8 @@ expect { | |||
18 | } | 18 | } |
19 | expect { | 19 | expect { |
20 | timeout {puts "TESTING ERROR 2\n";exit} | 20 | timeout {puts "TESTING ERROR 2\n";exit} |
21 | "Mounting a new /home directory" | 21 | "cannot access profile file" |
22 | } | 22 | } |
23 | expect { | 23 | |
24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
25 | "Disable /bin/rmdir" {puts "Most Linux platforms\n"} | ||
26 | "Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"} | ||
27 | } | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 4\n";exit} | ||
30 | "Drop CAP_SYS_MODULE" | ||
31 | } | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 5\n";exit} | ||
34 | "seccomp entries in /run/firejail/mnt/seccomp" | ||
35 | } | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 7\n";exit} | ||
38 | "jeq mount" | ||
39 | } | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 8\n";exit} | ||
42 | "Child process initialized" | ||
43 | } | ||
44 | send -- "exit\r" | ||
45 | after 100 | 24 | after 100 |
46 | puts "\nall done\n" | 25 | puts "\nall done\n" |
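Review bot: After this change the test asserts only that a missing include stops the sandbox (`"cannot access profile file"` at new line 21). The checks that the `caps`, `seccomp` and `private` lines of test2.profile actually take effect (`Drop CAP_SYS_MODULE`, `seccomp entries in /run/firejail/mnt/seccomp`, `Mounting a new /home directory`) are gone together with `--debug`. If no other test covers them (profile_syntax.exp is not visible here), keep a separate `--debug` run against a profile without the failing include, so a regression in applying these hardening options is still caught. A comment above the last expect, such as `# test25.profile does not exist: the include must abort the sandbox`, would also make the intent of the test clear.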
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index 7c3549aea..a3d24ac0c 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh | |||
@@ -6,6 +6,33 @@ | |||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | 8 | ||
9 | echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)" | ||
10 | ./profile_recursivity.exp | ||
11 | |||
12 | echo "TESTING: profile application name (test/profiles/profile_appname.exp)" | ||
13 | ./profile_appname.exp | ||
14 | |||
15 | echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)" | ||
16 | ./profile_syntax.exp | ||
17 | |||
18 | echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)" | ||
19 | ./profile_syntax2.exp | ||
20 | |||
21 | echo "TESTING: ignore command (test/profiles/ignore.exp)" | ||
22 | ./ignore.exp | ||
23 | |||
24 | echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)" | ||
25 | ./profile_readonly.exp | ||
26 | |||
27 | echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" | ||
28 | ./profile_followlnk.exp | ||
29 | |||
30 | echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" | ||
31 | ./profile_noperm.exp | ||
32 | |||
33 | |||
34 | |||
35 | |||
9 | echo "TESTING: default profiles installed in /etc" | 36 | echo "TESTING: default profiles installed in /etc" |
10 | PROFILES=`ls /etc/firejail/*.profile` | 37 | PROFILES=`ls /etc/firejail/*.profile` |
11 | for PROFILE in $PROFILES | 38 | for PROFILE in $PROFILES |
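Review bot: The label printed for the follow-link test names the wrong script: new line 27 echoes `(test/profiles/profile_readonly.exp)` but new line 28 runs `./profile_followlnk.exp`. It should read `echo "TESTING: profile read-only links (test/profiles/profile_followlnk.exp)"`, so a failure in the log points at the right file. None of the added invocations checks an exit status, so as far as this hunk shows, a failing test is detectable only by reading the output text.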
diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile index e219d800d..9fbd5219a 100644 --- a/test/profiles/test2.profile +++ b/test/profiles/test2.profile | |||
@@ -1,4 +1,6 @@ | |||
1 | caps | 1 | caps |
2 | seccomp | 2 | seccomp |
3 | private | 3 | private |
4 | include test.profile | 4 | include test.profile |
5 | include test.local | ||
6 | include test25.profile | ||
diff --git a/test/profiles/test3.profile b/test/profiles/test3.profile new file mode 100644 index 000000000..c28ddadb5 --- /dev/null +++ b/test/profiles/test3.profile | |||
@@ -0,0 +1 @@ | |||
include test3.profile \ No newline at end of file | |||