diff options
author | netblue30 <netblue30@yahoo.com> | 2016-12-19 10:24:25 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-12-19 10:24:25 -0500 |
commit | 759dc6ade2bcb7408dbbf3dc31230fc7534ca29d (patch) | |
tree | dd7cf13f3002fd1c247e25ff53faa70240bc263c | |
parent | Merge pull request #988 from KOLANICH/symlink_fix (diff) | |
download | firejail-759dc6ade2bcb7408dbbf3dc31230fc7534ca29d.tar.gz firejail-759dc6ade2bcb7408dbbf3dc31230fc7534ca29d.tar.zst firejail-759dc6ade2bcb7408dbbf3dc31230fc7534ca29d.zip |
testing
-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | README.md | 9 | ||||
-rw-r--r-- | RELNOTES | 4 | ||||
-rw-r--r-- | contrib/fix_private-bin_for_symlinked_sh.py (renamed from etc/fix_private-bin_for_symlinked_sh.py) | 0 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 9 | ||||
-rwxr-xr-x | test/appimage/appimage-args.exp | 97 | ||||
-rwxr-xr-x | test/appimage/appimage.sh | 6 | ||||
-rwxr-xr-x | test/fs/private-home-dir.exp | 62 |
9 files changed, 191 insertions, 5 deletions
@@ -97,6 +97,10 @@ valoq (https://github.com/valoq) | |||
97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles | 97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles |
98 | - added wget profile | 98 | - added wget profile |
99 | - disable gnupg and systemd directories under /run/user | 99 | - disable gnupg and systemd directories under /run/user |
100 | thewisenerd (https://github.com/thewisenerd) | ||
101 | - appimage: pass commandline arguments | ||
102 | KOLANICH (https://github.com/KOLANICH) | ||
103 | - added symlink fixer | ||
100 | Jesse Smith (https://github.com/slicer69) | 104 | Jesse Smith (https://github.com/slicer69) |
101 | - added QupZilla profile | 105 | - added QupZilla profile |
102 | Lari Rauno (https://github.com/tuutti) | 106 | Lari Rauno (https://github.com/tuutti) |
@@ -317,6 +321,7 @@ Peter Millerchip (https://github.com/pmillerchip) | |||
317 | - support for files and directories starting with ~ in blacklist option | 321 | - support for files and directories starting with ~ in blacklist option |
318 | - support for files and directories with spaces in blacklist option | 322 | - support for files and directories with spaces in blacklist option |
319 | - lots of other fixes | 323 | - lots of other fixes |
324 | - implement the --allow-private-blacklist option | ||
320 | sarneaud (https://github.com/sarneaud) | 325 | sarneaud (https://github.com/sarneaud) |
321 | - rewrite globbing code to fix various minor issues | 326 | - rewrite globbing code to fix various minor issues |
322 | - added noblacklist command for profile files | 327 | - added noblacklist command for profile files |
@@ -81,6 +81,15 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is | |||
81 | 81 | ||
82 | Example: | 82 | Example: |
83 | $ firejail --machine-id | 83 | $ firejail --machine-id |
84 | |||
85 | --allow-private-blacklist | ||
86 | Allow blacklisting files in private home directory. By default | ||
87 | these blacklists are disabled. | ||
88 | |||
89 | Example: | ||
90 | $ firejail --allow-private-blacklist --private=~/priv-dir | ||
91 | --blacklist=~/.mozilla | ||
92 | |||
84 | ````` | 93 | ````` |
85 | ## New Profiles | 94 | ## New Profiles |
86 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, | 95 | xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, |
@@ -13,7 +13,9 @@ firejail (0.9.45) baseline; urgency=low | |||
13 | * feature: private /opt directory (--private-opt, profile support) | 13 | * feature: private /opt directory (--private-opt, profile support) |
14 | * feature: private /srv directory (--private-srv, profile support) | 14 | * feature: private /srv directory (--private-srv, profile support) |
15 | * feature: spoof machine-id | 15 | * feature: spoof machine-id |
16 | * feature: config support for firejail prompt in terminal | 16 | * feature: config support for firejail prompt in terminals |
17 | * feature: pass command line arguments to appimages | ||
18 | * feature: --allow-private-blacklist option | ||
17 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 19 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
18 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 20 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
19 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 21 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
diff --git a/etc/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py index 705e46e46..705e46e46 100644 --- a/etc/fix_private-bin_for_symlinked_sh.py +++ b/contrib/fix_private-bin_for_symlinked_sh.py | |||
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1131abe5f..9f4dfd44c 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -30,8 +30,8 @@ void usage(void) { | |||
30 | printf("Options:\n"); | 30 | printf("Options:\n"); |
31 | printf(" -- - signal the end of options and disables further option processing.\n"); | 31 | printf(" -- - signal the end of options and disables further option processing.\n"); |
32 | printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"); | 32 | printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"); |
33 | printf(" --allow-private-blacklist - allow blacklisting things in private\n"); | 33 | printf(" --allow-private-blacklist - allow blacklisting files in private\n"); |
34 | printf("\tdirectories.\n"); | 34 | printf("\thome directories.\n"); |
35 | printf(" --allusers - all user home directories are visible inside the sandbox.\n"); | 35 | printf(" --allusers - all user home directories are visible inside the sandbox.\n"); |
36 | printf(" --apparmor - enable AppArmor confinement.\n"); | 36 | printf(" --apparmor - enable AppArmor confinement.\n"); |
37 | printf(" --appimage - sandbox an AppImage application.\n"); | 37 | printf(" --appimage - sandbox an AppImage application.\n"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 5b43b1ca5..60c21cbc1 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -84,6 +84,15 @@ Example: | |||
84 | .br | 84 | .br |
85 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox | 85 | $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox |
86 | .TP | 86 | .TP |
87 | \fB\-\-allow-private-blacklist | ||
88 | Allow blacklisting files in private home directory. By default these blacklists are disabled. | ||
89 | .br | ||
90 | |||
91 | .br | ||
92 | Example: | ||
93 | .br | ||
94 | $ firejail --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla | ||
95 | .TP | ||
87 | \fB\-\-allusers | 96 | \fB\-\-allusers |
88 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. | 97 | All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. |
89 | .br | 98 | .br |
diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp new file mode 100755 index 000000000..93dba69ad --- /dev/null +++ b/test/appimage/appimage-args.exp | |||
@@ -0,0 +1,97 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1\n";exit} | ||
13 | "execvp argument 2" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 2\n";exit} | ||
17 | "AppRun" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 3\n";exit} | ||
21 | "testfile" | ||
22 | } | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 4\n";exit} | ||
25 | "Child process initialized" | ||
26 | } | ||
27 | sleep 2 | ||
28 | |||
29 | spawn $env(SHELL) | ||
30 | send -- "firejail --list\r" | ||
31 | expect { | ||
32 | timeout {puts "TESTING ERROR 5\n";exit} | ||
33 | ":firejail" | ||
34 | } | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR 6\n";exit} | ||
37 | "appimage Leafpad" | ||
38 | } | ||
39 | after 100 | ||
40 | |||
41 | # grsecurity exit | ||
42 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
45 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
46 | "cannot open" {puts "grsecurity not present\n"} | ||
47 | } | ||
48 | |||
49 | |||
50 | send -- "firejail --name=blablabla\r" | ||
51 | expect { | ||
52 | timeout {puts "TESTING ERROR 7\n";exit} | ||
53 | "Child process initialized" | ||
54 | } | ||
55 | sleep 2 | ||
56 | |||
57 | spawn $env(SHELL) | ||
58 | send -- "firemon --seccomp\r" | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 8\n";exit} | ||
61 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | ||
62 | "appimage Leafpad" | ||
63 | } | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 9 (seccomp)\n";exit} | ||
66 | "Seccomp: 2" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 10\n";exit} | ||
70 | "name=blablabla" | ||
71 | } | ||
72 | after 100 | ||
73 | send -- "firemon --caps\r" | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 11\n";exit} | ||
76 | "appimage Leafpad" | ||
77 | } | ||
78 | expect { | ||
79 | timeout {puts "TESTING ERROR 12\n";exit} | ||
80 | "CapBnd:" | ||
81 | } | ||
82 | expect { | ||
83 | timeout {puts "TESTING ERROR 13\n";exit} | ||
84 | "0000000000000000" | ||
85 | } | ||
86 | expect { | ||
87 | timeout {puts "TESTING ERROR 14\n";exit} | ||
88 | "name=blablabla" | ||
89 | } | ||
90 | after 100 | ||
91 | |||
92 | spawn $env(SHELL) | ||
93 | send -- "firejail --shutdown=appimage-test\r" | ||
94 | sleep 3 | ||
95 | |||
96 | puts "\nall done\n" | ||
97 | |||
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index db221ec8a..bb646e189 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh | |||
@@ -13,4 +13,8 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)" | |||
13 | ./appimage-v2.exp | 13 | ./appimage-v2.exp |
14 | 14 | ||
15 | echo "TESTING: AppImage file name (test/appimage/filename.exp)"; | 15 | echo "TESTING: AppImage file name (test/appimage/filename.exp)"; |
16 | ./filename.exp \ No newline at end of file | 16 | ./filename.exp |
17 | |||
18 | echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)" | ||
19 | ./appimage-args.exp | ||
20 | |||
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index 5491be834..f85a939b1 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp | |||
@@ -21,6 +21,8 @@ if {[file exists ~/.Xauthority]} { | |||
21 | send -- "touch ~/.Xauthority\r" | 21 | send -- "touch ~/.Xauthority\r" |
22 | } | 22 | } |
23 | after 100 | 23 | after 100 |
24 | send -- "rm -fr ~/_firejail_test_dir_\r" | ||
25 | after 100 | ||
24 | send -- "mkdir ~/_firejail_test_dir_\r" | 26 | send -- "mkdir ~/_firejail_test_dir_\r" |
25 | sleep 1 | 27 | sleep 1 |
26 | 28 | ||
@@ -65,6 +67,64 @@ expect { | |||
65 | "private directory should be owned by the current user" | 67 | "private directory should be owned by the current user" |
66 | } | 68 | } |
67 | sleep 1 | 69 | sleep 1 |
70 | send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r" | ||
71 | after 100 | ||
72 | send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r" | ||
73 | sleep 1 | ||
68 | 74 | ||
75 | send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" | ||
76 | expect { | ||
77 | timeout {puts "TESTING ERROR 6\n";exit} | ||
78 | "Not blacklist" | ||
79 | } | ||
80 | expect { | ||
81 | timeout {puts "TESTING ERROR 7\n";exit} | ||
82 | "test_dir_2" | ||
83 | } | ||
84 | expect { | ||
85 | timeout {puts "TESTING ERROR 8\n";exit} | ||
86 | "Child process initialized" | ||
87 | } | ||
88 | |||
89 | sleep 1 | ||
90 | |||
91 | send -- "find ~\r" | ||
92 | expect { | ||
93 | timeout {puts "TESTING ERROR 9\n";exit} | ||
94 | "testfile" | ||
95 | } | ||
96 | after 100 | ||
97 | |||
98 | send -- "exit\r" | ||
99 | sleep 1 | ||
100 | |||
101 | send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" | ||
102 | expect { | ||
103 | timeout {puts "TESTING ERROR 10\n";exit} | ||
104 | "Disable" | ||
105 | } | ||
106 | expect { | ||
107 | timeout {puts "TESTING ERROR 11\n";exit} | ||
108 | "test_dir_2" | ||
109 | } | ||
110 | expect { | ||
111 | timeout {puts "TESTING ERROR 12\n";exit} | ||
112 | "Child process initialized" | ||
113 | } | ||
114 | |||
115 | sleep 1 | ||
116 | |||
117 | send -- "ls ~/test_dir_2\r" | ||
118 | expect { | ||
119 | timeout {puts "TESTING ERROR 13\n";exit} | ||
120 | "cannot open directory" | ||
121 | } | ||
122 | after 100 | ||
123 | |||
124 | send "exit\r" | ||
125 | sleep 1 | ||
126 | |||
127 | send -- "rm -fr ~/_firejail_test_dir_\r" | ||
128 | after 100 | ||
69 | 129 | ||
70 | puts "all done\n" | 130 | puts "\nall done\n" |