author | netblue30 <netblue30@yahoo.com> | 2017-03-23 15:02:35 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-03-23 15:02:35 -0400 |
commit | ad14d091b2babc7a429f922844a8fc1d8523846f (patch) | |
tree | 72be213a8cb5dcda65ad0e144cfa828c5337a1af | |
parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
merge #1100 from zackw: xvfb support in /etc/firejail/firejail.config
-rw-r--r-- | etc/firejail.config | 10 | ||||
-rwxr-xr-x | test/root/checkcfg.exp | 67 | ||||
-rw-r--r-- | test/root/firejail.config | 1 | ||||
-rwxr-xr-x | test/root/root.sh | 1 |
4 files changed, 54 insertions, 25 deletions
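--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -103,3 +103,13 @@
 # Xephyr command extra parameters. None by default; these are examples.
 # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
 # xephyr-extra-params -grayscale
+
+# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
+# color depth; use 24 unless you know exactly what you're doing.
+# xvfb-screen 640x480x24
+# xvfb-screen 800x600x24
+# xvfb-screen 1024x768x24
+# xvfb-screen 1280x1024x24
+
+# Xvfb command extra parameters. None by default; this is an example.
+# xvfb-extra-params -pixdepths 8 24 32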
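--- a/test/root/checkcfg.exp
+++ b/test/root/checkcfg.exp
@@ -8,13 +8,6 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --noprofile --overlay\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-sleep 2
-
 send -- "rm /etc/firejail/firejail.config\r"
 after 100
 
@@ -27,18 +20,16 @@ expect {
 # seccomp
 send -- "echo \"seccomp no\" > /etc/firejail/firejail.config\r"
 after 100
-send -- "firejail --noprofile --seccomp --force\r"
+send -- "firejail --noprofile --seccomp\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "seccomp feature is disabled in Firejail configuration file\r"
 }
-send -- "exit\r"
-after 100
 
 # whitelist
 send -- "echo \"whitelist no\" > /etc/firejail/firejail.config\r"
 after 100
-send -- "firejail --noprofile --whitelist=~/.config --force\r"
+send -- "firejail --noprofile --whitelist=~/.config\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
 "whitelist feature is disabled in Firejail configuration file\r"
@@ -47,7 +38,7 @@ expect {
 # network
 send -- "echo \"network no\" > /etc/firejail/firejail.config\r"
 after 100
-send -- "firejail --noprofile --net=eth0 --force\r"
+send -- "firejail --noprofile --net=eth0\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "networking feature is disabled in Firejail configuration file\r"
@@ -56,7 +47,7 @@ expect {
 # bind
 send -- "echo \"bind no\" > /etc/firejail/firejail.config\r"
 after 100
-send -- "firejail --noprofile --bind=/tmp,/var/tmp --force\r"
+send -- "firejail --noprofile --bind=/tmp,/var/tmp\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "bind feature is disabled in Firejail configuration file\r"
@@ -65,7 +56,7 @@ expect {
 # overlay
 send -- "echo \"overlayfs no\" > /etc/firejail/firejail.config\r"
 after 100
-send -- "firejail --noprofile --overlay --force\r"
+send -- "firejail --noprofile --overlay\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
 "overlayfs feature is disabled in Firejail configuration file\r"
@@ -74,7 +65,7 @@ expect {
 # private-home
 send -- "echo \"private-home no\" > /etc/firejail/firejail.config\r"
 after 100
-send -- "firejail --noprofile --private-home=/tmp --force\r"
+send -- "firejail --noprofile --private-home=/tmp\r"
 expect {
 timeout {puts "TESTING ERROR 7\n";exit}
 "private-home feature is disabled in Firejail configuration file\r"
@@ -83,7 +74,7 @@ expect {
 # chroot
 send -- "echo \"chroot no\" > /etc/firejail/firejail.config\r"
 after 100
-send -- "firejail --noprofile --chroot=/tmp --force\r"
+send -- "firejail --noprofile --chroot=/tmp\r"
 expect {
 timeout {puts "TESTING ERROR 8\n";exit}
 "chroot feature is disabled in Firejail configuration file\r"
@@ -92,12 +83,37 @@ expect {
 # userns
 send -- "echo \"userns no\" > /etc/firejail/firejail.config\r"
 after 100
-send -- "firejail --noprofile --noroot --force\r"
+send -- "firejail --noprofile --noroot\r"
 expect {
 timeout {puts "TESTING ERROR 9\n";exit}
 "noroot feature is disabled in Firejail configuration file\r"
 }
 
+# netfilter-default
+send -- "echo \"netfilter-default blablabla\" > /etc/firejail/firejail.config\r"
+after 100
+send -- "firejail --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"netfilter-default file blablabla not available\r"
+}
+
+# strings
+send -- "echo \"xephyr-screen 800x600\" > /etc/firejail/firejail.config\r"
+after 100
+send -- "echo \"xvfb-screen 800x600x24\" >> /etc/firejail/firejail.config\r"
+after 100
+send -- "echo \"xvfb-extra-params blablabla\" >> /etc/firejail/firejail.config\r"
+after 100
+send -- "firejail --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"Child process initialized\r"
+}
+after 100
+send -- "exit\r"
+after 100
+
 # error exit
 send -- "echo \"join no\" > /etc/firejail/firejail.config\r"
 after 100
@@ -129,17 +145,18 @@ send -- "echo \"private-bin-no-local yes\" >> /etc/firejail/firejail.config\r"
 after 100
 send -- "echo \"disable-mnt yes\" >> /etc/firejail/firejail.config\r"
 after 100
+send -- "echo \"xephyr-window-title no\" >> /etc/firejail/firejail.config\r"
+after 100
+send -- "echo \"remount-proc-sys no\" >> /etc/firejail/firejail.config\r"
+after 100
+send -- "echo \"disable-mnt no\" >> /etc/firejail/firejail.config\r"
+after 100
 send -- "echo \"blablabla\" >> /etc/firejail/firejail.config\r"
 after 100
-send -- "firejail --noprofile --force\r"
+send -- "firejail --noprofile\r"
 expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"invalid line\r"
+timeout {puts "TESTING ERROR 12\n";exit}
+""
 }
-
-send -- "exit\r"
-after 100
-
-
 after 100
 puts "\nall done\n"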
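Review bot: The last `expect` block of the final hunk, as rendered here, has the empty string `""` as its only non-timeout pattern; an empty pattern matches immediately, so `TESTING ERROR 12` can never fire and the test no longer checks how the `blablabla` line is handled, which the old `"invalid line\r"` pattern did. If the parser's message changed, match the new text; if unknown lines are now tolerated, assert `"Child process initialized"` and send `exit`, as the `# strings` case does. Separately, the first hunk drops the `firejail --noprofile --overlay` wrapper that appears to have kept these writes off the host, so the `rm` and `echo >` commands now rewrite the real `/etc/firejail/firejail.config`. Every `timeout {...;exit}` branch then leaves that file in whatever state the failing case wrote, and a bare `exit` presumably returns status 0, so the caller cannot detect the failure; `exit 1` would surface it. The script continues outside the visible hunks.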
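--- a/test/root/firejail.config
+++ b/test/root/firejail.config
@@ -1,3 +1,4 @@
+
 bind yes
 chroot yes
 chroot-desktop yes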
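--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -82,6 +82,7 @@ echo "TESTING: seccomp chown (test/root/seccomp-chown.exp)"
 #********************************
 echo "TESTING: firejail configuration (test/root/checkcfg.exp)"
 ./checkcfg.exp
+cp ../../etc/firejail.config /etc/firejail/.
 
 echo "TESTING: tmpfs (test/root/option_tmpfs.exp)"
 ./option_tmpfs.exp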
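Review bot: The added `cp ../../etc/firejail.config /etc/firejail/.` replaces whatever `/etc/firejail/firejail.config` the machine had before the test with the repository default, so any local hardening an administrator set there (features switched to `no`) is silently discarded; it also depends on the current directory being `test/root`. Save the existing file before `./checkcfg.exp` and put that copy back afterwards, e.g. `cfg_bak=$(mktemp) && cp -p /etc/firejail/firejail.config "$cfg_bak"` before and `cp -p "$cfg_bak" /etc/firejail/firejail.config; rm -f -- "$cfg_bak"` after. Running the restore from a `trap ... EXIT` would also cover an aborted run, which otherwise leaves the test's last written config in place. The script continues outside the hunk.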