profile parser testing

author: netblue30 <netblue30@yahoo.com> 2018-11-08 10:49:44 -0500
committer: netblue30 <netblue30@yahoo.com> 2018-11-08 10:49:44 -0500
commit: 2acc910daf73c284965ca96bc70b4eb980c865cf (patch)
tree: 7b5733a8ccacba4089a7a9c067b12355372c8dc9
parent: Merge pull request #2251 from glitsj16/sort (diff)
download: firejail-2acc910daf73c284965ca96bc70b4eb980c865cf.tar.gz
firejail-2acc910daf73c284965ca96bc70b4eb980c865cf.tar.zst
firejail-2acc910daf73c284965ca96bc70b4eb980c865cf.zip
10 files changed, 99 insertions, 35 deletions
diff --git a/README.md b/README.md
index d6a7877ca..9e61e5633 100644
--- a/README.md
+++ b/README.md
@@ -101,17 +101,15 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 ## Current development version: 0.9.57
-## New Long Term Support (LTS) version
+## New Long Term Support (0.9.56-LTS) version released
-We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old.
 The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely
 used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib),
 and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as
 seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened.
-We have an rc1 release out, the final version will follow in the next few weeks:
 `````
-firejail (0.9.56-LTS~rc1) baseline; urgency=low
+firejail (0.9.56-LTS) baseline; urgency=low
  * code based on Firejail version 0.9.56
  * much smaller code base for SUID executable
  * command line options removed:
@@ -124,7 +122,7 @@ firejail (0.9.56-LTS~rc1) baseline; urgency=low
     --disable-globalcfg, --disable-network, --disable-userns,
     --disable-whitelist, --disable-suid, --enable-fatal-warnings,
     --enable-busybox-workaround
- -- netblue30 <netblue30@yahoo.com>  Wed, 3 Oct 2018 08:00:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sun, 21 Oct 2018 08:00:00 -0500
 `````
 The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d996e1dac..46aea4bd4 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -461,8 +461,7 @@ void fs_mnt(const int enforce);
 // profile.c
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir, int add_ext);
+//int profile_find_firejail(const char *name, int add_ext);
-int profile_find_firejail(const char *name, int add_ext);
 // read a profile file
 void profile_read(const char *fname);
 // check profile line; if line == 0, this was generated from a command line option
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a85c8f815..5f5d94ddf 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -25,7 +25,8 @@ extern char *xephyr_screen;
 #define MAX_READ 8192                             // line buffer for profile files
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir, int add_ext) {
+// return  1 if a profile was found
+static int profile_find(const char *name, const char *dir, int add_ext) {
        EUID_ASSERT();
        assert(name);
        assert(dir);
@@ -64,6 +65,7 @@ int profile_find(const char *name, const char *dir, int add_ext) {
 }
 // search and read the profile specified by name from firejail directories
+// return  1 if a profile was found
 int profile_find_firejail(const char *name, int add_ext) {
        // look for a profile in ~/.config/firejail directory
        char *usercfgdir;
@@ -1438,7 +1440,13 @@ void profile_read(const char *fname) {
                                ptr2++;
                        // profile path contains no / chars, do a search
                        if (*ptr2 == '\0') {
-                                profile_find_firejail(newprofile, 0);
+                                int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory
+                                if (!rv) {
+                                        // maybe this is a file in the local working directory?
+                                        // it will stop the sandbox if not!
+                                        // Note: if the file ends in .local it will not stop the program
+                                        profile_read(newprofile);
+                                }
                        }
                        else {
                                profile_read(newprofile);
diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp
new file mode 100755
index 000000000..c70e7ad57
--- /dev/null
+++ b/test/profiles/profile_appname.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=firefox\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile /etc/firejail/firefox.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Reading profile /etc/firejail/firefox-common.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "shell=none configured, but no program specified"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp
index b3b031cb2..9f8cb54e2 100755
--- a/test/profiles/profile_noperm.exp
+++ b/test/profiles/profile_noperm.exp
@@ -7,7 +7,7 @@ match_max 100000
 send -- "firejail --profile=/etc/shadow\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
-        "cannot access profile"
+        "inaccessible profile file"
 }
 after 100
 puts "\nall done\n"
diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp
new file mode 100755
index 000000000..66e4510bf
--- /dev/null
+++ b/test/profiles/profile_recursivity.exp
@@ -0,0 +1,25 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --profile=test3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Reading profile test3.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Reading profile test3.profile"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "maximum profile include level was reached"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp
index 4d621f3ec..da34b67e8 100755
--- a/test/profiles/profile_syntax2.exp
+++ b/test/profiles/profile_syntax2.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --debug --profile=test2.profile\r"
+send -- "firejail --profile=test2.profile\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Reading profile test2.profile"
@@ -18,29 +18,8 @@ expect {
 }
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
-        "Mounting a new /home directory"
+        "cannot access profile file"
 }
-expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
-        "Disable /bin/rmdir" {puts "Most Linux platforms\n"}
-        "Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"}
-}
-expect {
-        timeout {puts "TESTING ERROR 4\n";exit}
-        "Drop CAP_SYS_MODULE"
-}
-expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
-        "seccomp entries in /run/firejail/mnt/seccomp"
-}
-expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
-        "jeq mount"
-}
-expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
-        "Child process initialized"
-}
-send -- "exit\r"
 after 100
 puts "\nall done\n"
diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh
index 7c3549aea..a3d24ac0c 100755
--- a/test/profiles/profiles.sh
+++ b/test/profiles/profiles.sh
@@ -6,6 +6,33 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)"
+./profile_recursivity.exp
+echo "TESTING: profile application name (test/profiles/profile_appname.exp)"
+./profile_appname.exp
+echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
+./profile_syntax.exp
+echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)"
+./profile_syntax2.exp
+echo "TESTING: ignore command (test/profiles/ignore.exp)"
+./ignore.exp
+echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)"
+./profile_readonly.exp
+echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
+./profile_followlnk.exp
+echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
+./profile_noperm.exp
 echo "TESTING: default profiles installed in /etc"
 PROFILES=`ls /etc/firejail/*.profile`
 for PROFILE in $PROFILES
diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile
index e219d800d..9fbd5219a 100644
--- a/test/profiles/test2.profile
+++ b/test/profiles/test2.profile
@@ -1,4 +1,6 @@
-caps    
+caps
 seccomp
  private
  include test.profile
+  include test.local
+  include test25.profile
diff --git a/test/profiles/test3.profile b/test/profiles/test3.profile
new file mode 100644
index 000000000..c28ddadb5
--- /dev/null
+++ b/test/profiles/test3.profile
@@ -0,0 +1 @@
+include test3.profile
+\ No newline at end of file
author	netblue30 <netblue30@yahoo.com>	2018-11-08 10:49:44 -0500
committer	netblue30 <netblue30@yahoo.com>	2018-11-08 10:49:44 -0500
commit	2acc910daf73c284965ca96bc70b4eb980c865cf (patch)
tree	7b5733a8ccacba4089a7a9c067b12355372c8dc9
parent	Merge pull request #2251 from glitsj16/sort (diff)
download	firejail-2acc910daf73c284965ca96bc70b4eb980c865cf.tar.gz firejail-2acc910daf73c284965ca96bc70b4eb980c865cf.tar.zst firejail-2acc910daf73c284965ca96bc70b4eb980c865cf.zip

diff --git a/README.md b/README.md index d6a7877ca..9e61e5633 100644 --- a/README.md +++ b/README.md
@@ -101,17 +101,15 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
101	`````	101	`````
102	## Current development version: 0.9.57	102	## Current development version: 0.9.57
103		103
104	## New Long Term Support (LTS) version	104	## New Long Term Support (0.9.56-LTS) version released
105		105
106	We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old.
107	The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely	106	The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely
108	used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib),	107	used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib),
109	and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as	108	and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as
110	seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened.	109	seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened.
111		110
112	We have an rc1 release out, the final version will follow in the next few weeks:
113	`````	111	`````
114	firejail (0.9.56-LTS~rc1) baseline; urgency=low	112	firejail (0.9.56-LTS) baseline; urgency=low
115	* code based on Firejail version 0.9.56	113	* code based on Firejail version 0.9.56
116	* much smaller code base for SUID executable	114	* much smaller code base for SUID executable
117	* command line options removed:	115	* command line options removed:
@@ -124,7 +122,7 @@ firejail (0.9.56-LTS~rc1) baseline; urgency=low
124	--disable-globalcfg, --disable-network, --disable-userns,	122	--disable-globalcfg, --disable-network, --disable-userns,
125	--disable-whitelist, --disable-suid, --enable-fatal-warnings,	123	--disable-whitelist, --disable-suid, --enable-fatal-warnings,
126	--enable-busybox-workaround	124	--enable-busybox-workaround
127	-- netblue30 <netblue30@yahoo.com> Wed, 3 Oct 2018 08:00:00 -0500	125	-- netblue30 <netblue30@yahoo.com> Sun, 21 Oct 2018 08:00:00 -0500
128	`````	126	`````
129		127
130	The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase	128	The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d996e1dac..46aea4bd4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -461,8 +461,7 @@ void fs_mnt(const int enforce);
461		461
462	// profile.c	462	// profile.c
463	// find and read the profile specified by name from dir directory	463	// find and read the profile specified by name from dir directory
464	int profile_find(const char name, const char dir, int add_ext);	464	//int profile_find_firejail(const char *name, int add_ext);
465	int profile_find_firejail(const char *name, int add_ext);
466	// read a profile file	465	// read a profile file
467	void profile_read(const char *fname);	466	void profile_read(const char *fname);
468	// check profile line; if line == 0, this was generated from a command line option	467	// check profile line; if line == 0, this was generated from a command line option


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a85c8f815..5f5d94ddf 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -25,7 +25,8 @@ extern char *xephyr_screen;
25	#define MAX_READ 8192 // line buffer for profile files	25	#define MAX_READ 8192 // line buffer for profile files
26		26
27	// find and read the profile specified by name from dir directory	27	// find and read the profile specified by name from dir directory
28	int profile_find(const char name, const char dir, int add_ext) {	28	// return 1 if a profile was found
		29	static int profile_find(const char name, const char dir, int add_ext) {
29	EUID_ASSERT();	30	EUID_ASSERT();
30	assert(name);	31	assert(name);
31	assert(dir);	32	assert(dir);
@@ -64,6 +65,7 @@ int profile_find(const char name, const char dir, int add_ext) {
64	}	65	}
65		66
66	// search and read the profile specified by name from firejail directories	67	// search and read the profile specified by name from firejail directories
		68	// return 1 if a profile was found
67	int profile_find_firejail(const char *name, int add_ext) {	69	int profile_find_firejail(const char *name, int add_ext) {
68	// look for a profile in ~/.config/firejail directory	70	// look for a profile in ~/.config/firejail directory
69	char *usercfgdir;	71	char *usercfgdir;
@@ -1438,7 +1440,13 @@ void profile_read(const char *fname) {
1438	ptr2++;	1440	ptr2++;
1439	// profile path contains no / chars, do a search	1441	// profile path contains no / chars, do a search
1440	if (*ptr2 == '\0') {	1442	if (*ptr2 == '\0') {
1441	profile_find_firejail(newprofile, 0);	1443	int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory
		1444	if (!rv) {
		1445	// maybe this is a file in the local working directory?
		1446	// it will stop the sandbox if not!
		1447	// Note: if the file ends in .local it will not stop the program
		1448	profile_read(newprofile);
		1449	}
1442	}	1450	}
1443	else {	1451	else {
1444	profile_read(newprofile);	1452	profile_read(newprofile);


diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp new file mode 100755 index 000000000..c70e7ad57 --- /dev/null +++ b/test/profiles/profile_appname.exp
@@ -0,0 +1,25 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2018 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --profile=firefox\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Reading profile /etc/firejail/firefox.profile"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"Reading profile /etc/firejail/firefox-common.profile"
		18	}
		19	expect {
		20	timeout {puts "TESTING ERROR 2\n";exit}
		21	"shell=none configured, but no program specified"
		22	}
		23
		24	after 100
		25	puts "\nall done\n"


diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp index b3b031cb2..9f8cb54e2 100755 --- a/test/profiles/profile_noperm.exp +++ b/test/profiles/profile_noperm.exp
@@ -7,7 +7,7 @@ match_max 100000
7	send -- "firejail --profile=/etc/shadow\r"	7	send -- "firejail --profile=/etc/shadow\r"
8	expect {	8	expect {
9	timeout {puts "TESTING ERROR 0\n";exit}	9	timeout {puts "TESTING ERROR 0\n";exit}
10	"cannot access profile"	10	"inaccessible profile file"
11	}	11	}
12	after 100	12	after 100
13	puts "\nall done\n"	13	puts "\nall done\n"


diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp new file mode 100755 index 000000000..66e4510bf --- /dev/null +++ b/test/profiles/profile_recursivity.exp
@@ -0,0 +1,25 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2018 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --profile=test3.profile\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Reading profile test3.profile"
		14	}
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"Reading profile test3.profile"
		18	}
		19	expect {
		20	timeout {puts "TESTING ERROR 2\n";exit}
		21	"maximum profile include level was reached"
		22	}
		23
		24	after 100
		25	puts "\nall done\n"


diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index 4d621f3ec..da34b67e8 100755 --- a/test/profiles/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp
@@ -7,7 +7,7 @@ set timeout 10
7	spawn $env(SHELL)	7	spawn $env(SHELL)
8	match_max 100000	8	match_max 100000
9		9
10	send -- "firejail --debug --profile=test2.profile\r"	10	send -- "firejail --profile=test2.profile\r"
11	expect {	11	expect {
12	timeout {puts "TESTING ERROR 0\n";exit}	12	timeout {puts "TESTING ERROR 0\n";exit}
13	"Reading profile test2.profile"	13	"Reading profile test2.profile"
@@ -18,29 +18,8 @@ expect {
18	}	18	}
19	expect {	19	expect {
20	timeout {puts "TESTING ERROR 2\n";exit}	20	timeout {puts "TESTING ERROR 2\n";exit}
21	"Mounting a new /home directory"	21	"cannot access profile file"
22	}	22	}
23	expect {	23
24	timeout {puts "TESTING ERROR 3\n";exit}
25	"Disable /bin/rmdir" {puts "Most Linux platforms\n"}
26	"Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"}
27	}
28	expect {
29	timeout {puts "TESTING ERROR 4\n";exit}
30	"Drop CAP_SYS_MODULE"
31	}
32	expect {
33	timeout {puts "TESTING ERROR 5\n";exit}
34	"seccomp entries in /run/firejail/mnt/seccomp"
35	}
36	expect {
37	timeout {puts "TESTING ERROR 7\n";exit}
38	"jeq mount"
39	}
40	expect {
41	timeout {puts "TESTING ERROR 8\n";exit}
42	"Child process initialized"
43	}
44	send -- "exit\r"
45	after 100	24	after 100
46	puts "\nall done\n"	25	puts "\nall done\n"


diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index 7c3549aea..a3d24ac0c 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh
@@ -6,6 +6,33 @@
6	export MALLOC_CHECK_=3	6	export MALLOC_CHECK_=3
7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))	7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
8		8
		9	echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)"
		10	./profile_recursivity.exp
		11
		12	echo "TESTING: profile application name (test/profiles/profile_appname.exp)"
		13	./profile_appname.exp
		14
		15	echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
		16	./profile_syntax.exp
		17
		18	echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)"
		19	./profile_syntax2.exp
		20
		21	echo "TESTING: ignore command (test/profiles/ignore.exp)"
		22	./ignore.exp
		23
		24	echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)"
		25	./profile_readonly.exp
		26
		27	echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
		28	./profile_followlnk.exp
		29
		30	echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
		31	./profile_noperm.exp
		32
		33
		34
		35
9	echo "TESTING: default profiles installed in /etc"	36	echo "TESTING: default profiles installed in /etc"
10	PROFILES=`ls /etc/firejail/*.profile`	37	PROFILES=`ls /etc/firejail/*.profile`
11	for PROFILE in $PROFILES	38	for PROFILE in $PROFILES


diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile index e219d800d..9fbd5219a 100644 --- a/test/profiles/test2.profile +++ b/test/profiles/test2.profile
@@ -1,4 +1,6 @@
1	caps	1	caps
2	seccomp	2	seccomp
3	private	3	private
4	include test.profile	4	include test.profile
		5	include test.local
		6	include test25.profile


diff --git a/test/profiles/test3.profile b/test/profiles/test3.profile new file mode 100644 index 000000000..c28ddadb5 --- /dev/null +++ b/test/profiles/test3.profile
@@ -0,0 +1 @@
			include test3.profile \ No newline at end of file