x11 fixes

author: netblue30 <netblue30@yahoo.com> 2016-04-15 15:34:19 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-15 15:34:19 -0400
commit: 3ee0df541e284074662c7c916951fb37aac4abef (patch)
tree: b176830d33d229d83426314b639d55d72874ac68
parent: merged 0ad profile from Fred-Barclay (diff)
download: firejail-3ee0df541e284074662c7c916951fb37aac4abef.tar.gz
firejail-3ee0df541e284074662c7c916951fb37aac4abef.tar.zst
firejail-3ee0df541e284074662c7c916951fb37aac4abef.zip
4 files changed, 186 insertions, 4 deletions
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index ef1095a49..985ca9337 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -170,7 +170,7 @@ void x11_start_xephyr(int argc, char **argv) {
        // unfortunately, xephyr does a number of weird things when started by root user!!!
        if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
@@ -292,7 +292,7 @@ void x11_start_xpra(int argc, char **argv) {
        // unfortunately, xpra does a number of weird things when started by root user!!!
        if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
@@ -410,7 +410,7 @@ void x11_start(int argc, char **argv) {
        // unfortunately, xpra does a number of weird things when started by root user!!!
        if (getuid() == 0) {
-                fprintf(stderr, "Error: this feature is not available when running as root\n");
+                fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
                exit(1);
        }
diff --git a/test/icedove-x11.exp b/test/icedove-x11.exp
new file mode 100755
index 000000000..6f8eee90d
--- /dev/null
+++ b/test/icedove-x11.exp
@@ -0,0 +1,82 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --net=br0 --x11 icedove\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "icedove"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/test-apps-x11.sh b/test/test-apps-x11.sh
index 6521fa2b0..93d984501 100755
--- a/test/test-apps-x11.sh
+++ b/test/test-apps-x11.sh
@@ -1,5 +1,14 @@
 #!/bin/bash
+which xterm
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: xterm x11"
+        ./xterm-x11.exp
+else
+        echo "TESTING: xterm not found"
+fi
 which firefox
 if [ "$?" -eq 0 ];
 then
@@ -22,8 +31,17 @@ which transmission-gtk
 if [ "$?" -eq 0 ];
 then
        echo "TESTING: transmission-gtk x11"
-        ./transmission-gtk.exp
+        ./transmission-gtk-x11.exp
 else
        echo "TESTING: transmission-gtk not found"
 fi
+which icedove
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: icedove x11"
+        ./icedove-x11.exp
+else
+        echo "TESTING: chromium not found"
+fi
diff --git a/test/xterm-x11.exp b/test/xterm-x11.exp
new file mode 100755
index 000000000..592f77659
--- /dev/null
+++ b/test/xterm-x11.exp
@@ -0,0 +1,82 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --net=br0 --x11 xterm\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "xterm"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "xterm"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
author	netblue30 <netblue30@yahoo.com>	2016-04-15 15:34:19 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-15 15:34:19 -0400
commit	3ee0df541e284074662c7c916951fb37aac4abef (patch)
tree	b176830d33d229d83426314b639d55d72874ac68
parent	merged 0ad profile from Fred-Barclay (diff)
download	firejail-3ee0df541e284074662c7c916951fb37aac4abef.tar.gz firejail-3ee0df541e284074662c7c916951fb37aac4abef.tar.zst firejail-3ee0df541e284074662c7c916951fb37aac4abef.zip

diff --git a/src/firejail/x11.c b/src/firejail/x11.c index ef1095a49..985ca9337 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -170,7 +170,7 @@ void x11_start_xephyr(int argc, char **argv) {
170		170
171	// unfortunately, xephyr does a number of weird things when started by root user!!!	171	// unfortunately, xephyr does a number of weird things when started by root user!!!
172	if (getuid() == 0) {	172	if (getuid() == 0) {
173	fprintf(stderr, "Error: this feature is not available when running as root\n");	173	fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
174	exit(1);	174	exit(1);
175	}	175	}
176		176
@@ -292,7 +292,7 @@ void x11_start_xpra(int argc, char **argv) {
292		292
293	// unfortunately, xpra does a number of weird things when started by root user!!!	293	// unfortunately, xpra does a number of weird things when started by root user!!!
294	if (getuid() == 0) {	294	if (getuid() == 0) {
295	fprintf(stderr, "Error: this feature is not available when running as root\n");	295	fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
296	exit(1);	296	exit(1);
297	}	297	}
298		298
@@ -410,7 +410,7 @@ void x11_start(int argc, char **argv) {
410		410
411	// unfortunately, xpra does a number of weird things when started by root user!!!	411	// unfortunately, xpra does a number of weird things when started by root user!!!
412	if (getuid() == 0) {	412	if (getuid() == 0) {
413	fprintf(stderr, "Error: this feature is not available when running as root\n");	413	fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n");
414	exit(1);	414	exit(1);
415	}	415	}
416		416


diff --git a/test/icedove-x11.exp b/test/icedove-x11.exp new file mode 100755 index 000000000..6f8eee90d --- /dev/null +++ b/test/icedove-x11.exp
@@ -0,0 +1,82 @@
		1	#!/usr/bin/expect -f
		2
		3	set timeout 10
		4	spawn $env(SHELL)
		5	match_max 100000
		6
		7	send -- "firejail --name=test --net=br0 --x11 icedove\r"
		8	sleep 10
		9
		10	spawn $env(SHELL)
		11	send -- "firejail --list\r"
		12	expect {
		13	timeout {puts "TESTING ERROR 3\n";exit}
		14	":firejail"
		15	}
		16	expect {
		17	timeout {puts "TESTING ERROR 3.1\n";exit}
		18	"icedove"
		19	}
		20	sleep 1
		21
		22	# grsecurity exit
		23	send -- "file /proc/sys/kernel/grsecurity\r"
		24	expect {
		25	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		26	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		27	"cannot open" {puts "grsecurity not present\n"}
		28	}
		29
		30	send -- "firejail --name=blablabla\r"
		31	expect {
		32	timeout {puts "TESTING ERROR 4\n";exit}
		33	"Child process initialized"
		34	}
		35	sleep 2
		36
		37	spawn $env(SHELL)
		38	send -- "firemon --seccomp\r"
		39	expect {
		40	timeout {puts "TESTING ERROR 5\n";exit}
		41	":firejail"
		42	}
		43	expect {
		44	timeout {puts "TESTING ERROR 5.0\n";exit}
		45	"icedove"
		46	}
		47	expect {
		48	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		49	"Seccomp: 2"
		50	}
		51	expect {
		52	timeout {puts "TESTING ERROR 5.1\n";exit}
		53	"name=blablabla"
		54	}
		55	sleep 2
		56	send -- "firemon --caps\r"
		57	expect {
		58	timeout {puts "TESTING ERROR 6\n";exit}
		59	":firejail"
		60	}
		61	expect {
		62	timeout {puts "TESTING ERROR 6.0\n";exit}
		63	"icedove"
		64	}
		65	expect {
		66	timeout {puts "TESTING ERROR 6.1\n";exit}
		67	"CapBnd"
		68	}
		69	expect {
		70	timeout {puts "TESTING ERROR 6.2\n";exit}
		71	"0000000000000000"
		72	}
		73	expect {
		74	timeout {puts "TESTING ERROR 6.3\n";exit}
		75	"name=blablabla"
		76	}
		77	sleep 1
		78	send -- "firejail --shutdown=test\r"
		79	sleep 3
		80
		81	puts "\nall done\n"
		82


diff --git a/test/test-apps-x11.sh b/test/test-apps-x11.sh index 6521fa2b0..93d984501 100755 --- a/test/test-apps-x11.sh +++ b/test/test-apps-x11.sh
@@ -1,5 +1,14 @@
1	#!/bin/bash	1	#!/bin/bash
2		2
		3	which xterm
		4	if [ "$?" -eq 0 ];
		5	then
		6	echo "TESTING: xterm x11"
		7	./xterm-x11.exp
		8	else
		9	echo "TESTING: xterm not found"
		10	fi
		11
3	which firefox	12	which firefox
4	if [ "$?" -eq 0 ];	13	if [ "$?" -eq 0 ];
5	then	14	then
@@ -22,8 +31,17 @@ which transmission-gtk
22	if [ "$?" -eq 0 ];	31	if [ "$?" -eq 0 ];
23	then	32	then
24	echo "TESTING: transmission-gtk x11"	33	echo "TESTING: transmission-gtk x11"
25	./transmission-gtk.exp	34	./transmission-gtk-x11.exp
26	else	35	else
27	echo "TESTING: transmission-gtk not found"	36	echo "TESTING: transmission-gtk not found"
28	fi	37	fi
29		38
		39	which icedove
		40	if [ "$?" -eq 0 ];
		41	then
		42	echo "TESTING: icedove x11"
		43	./icedove-x11.exp
		44	else
		45	echo "TESTING: chromium not found"
		46	fi
		47


diff --git a/test/xterm-x11.exp b/test/xterm-x11.exp new file mode 100755 index 000000000..592f77659 --- /dev/null +++ b/test/xterm-x11.exp
@@ -0,0 +1,82 @@
		1	#!/usr/bin/expect -f
		2
		3	set timeout 10
		4	spawn $env(SHELL)
		5	match_max 100000
		6
		7	send -- "firejail --name=test --net=br0 --x11 xterm\r"
		8	sleep 10
		9
		10	spawn $env(SHELL)
		11	send -- "firejail --list\r"
		12	expect {
		13	timeout {puts "TESTING ERROR 3\n";exit}
		14	":firejail"
		15	}
		16	expect {
		17	timeout {puts "TESTING ERROR 3.1\n";exit}
		18	"xterm"
		19	}
		20	sleep 1
		21
		22	# grsecurity exit
		23	send -- "file /proc/sys/kernel/grsecurity\r"
		24	expect {
		25	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		26	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		27	"cannot open" {puts "grsecurity not present\n"}
		28	}
		29
		30	send -- "firejail --name=blablabla\r"
		31	expect {
		32	timeout {puts "TESTING ERROR 4\n";exit}
		33	"Child process initialized"
		34	}
		35	sleep 2
		36
		37	spawn $env(SHELL)
		38	send -- "firemon --seccomp\r"
		39	expect {
		40	timeout {puts "TESTING ERROR 5\n";exit}
		41	":firejail"
		42	}
		43	expect {
		44	timeout {puts "TESTING ERROR 5.0\n";exit}
		45	"xterm"
		46	}
		47	expect {
		48	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		49	"Seccomp: 2"
		50	}
		51	expect {
		52	timeout {puts "TESTING ERROR 5.1\n";exit}
		53	"name=blablabla"
		54	}
		55	sleep 1
		56	send -- "firemon --caps\r"
		57	expect {
		58	timeout {puts "TESTING ERROR 6\n";exit}
		59	":firejail"
		60	}
		61	expect {
		62	timeout {puts "TESTING ERROR 6.0\n";exit}
		63	"xterm"
		64	}
		65	expect {
		66	timeout {puts "TESTING ERROR 6.1\n";exit}
		67	"CapBnd"
		68	}
		69	expect {
		70	timeout {puts "TESTING ERROR 6.2\n";exit}
		71	"0000000000000000"
		72	}
		73	expect {
		74	timeout {puts "TESTING ERROR 6.3\n";exit}
		75	"name=blablabla"
		76	}
		77	sleep 1
		78	send -- "firejail --shutdown=test\r"
		79	sleep 3
		80
		81	puts "\nall done\n"
		82