author | netblue30 <netblue30@yahoo.com> | 2015-08-27 12:37:57 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-08-27 12:37:57 -0400 |
commit | 746b6aa3b8bd5f8482078925901f09ed0f45c0b3 (patch) | |
tree | 51af66cf8652bdb895aa9346bd085ce95741e226 | |
parent | Merge pull request #46 from iiotx/master (diff) | |
testing
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/generic.profile | 38 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rwxr-xr-x | test/firemon-caps.exp | 61 | ||||
-rwxr-xr-x | test/firemon-seccomp.exp | 10 | ||||
-rwxr-xr-x | test/net_local.exp | 6 | ||||
-rwxr-xr-x | test/net_netfilter.exp | 10 | ||||
-rwxr-xr-x | test/net_noip.exp | 6 | ||||
-rwxr-xr-x | test/net_noip2.exp | 6 |
10 files changed, 57 insertions, 90 deletions
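--- a/README
+++ b/README
@@ -37,5 +37,7 @@ Michael Haas (https://github.com/mhaas)
 - bugfixes
 mjudtmann (https://github.com/mjudtmann)
 - lock firejail configuration in disable-mgmt.inc
+iiotx (https://github.com/iiotx)
+- use generci.profile by default
 
 Copyright (C) 2014, 2015 Firejail Authors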
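--- a/RELNOTES
+++ b/RELNOTES
@@ -9,6 +9,7 @@ firejail (0.9.29) baseline; urgency=low
 * support ~ and blanks in blacklist option
 * support "net none" command in profile files
 * added "net none" to Evince PDF viewer
+* using /etc/firejail/generic.profile by default
 * bugfixes
 -- netblue30 <netblue30@yahoo.com> Mon, 24 Aug 2015 20:25:00 -0500
 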
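--- a/etc/generic.profile
+++ b/etc/generic.profile
@@ -1,38 +1,10 @@
 ################################
-# Generic profile based on Firefox profile
+# Generic GUI application profile
 ################################
-#include /etc/firejail/disable-mgmt.inc
-# system directories
-blacklist /sbin
-blacklist /usr/sbin
-# system management
-blacklist ${PATH}/umount
-blacklist ${PATH}/mount
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/su
-blacklist ${PATH}/sudo
-blacklist ${PATH}/xinput
-blacklist ${PATH}/strace
-
-#include /etc/firejail/disable-secret.inc
-# HOME directory
-blacklist ${HOME}/.ssh
-tmpfs ${HOME}/.gnome2_private
-blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/kde4/share/apps/kwallet
-blacklist ${HOME}/kde/share/apps/kwallet
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.gnupg
-blacklist ${HOME}/.local/share/recently-used.xbel
-
-blacklist ${HOME}/.adobe
-blacklist ${HOME}/.macromedia
-blacklist ${HOME}/.mozilla
-blacklist ${HOME}/.icedove
-blacklist ${HOME}/.thunderbird
-blacklist ${HOME}/.config/opera
-blacklist ${HOME}/.config/chromium
-blacklist ${HOME}/.config/google-chrome
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-history.inc
 
 caps.drop all
 seccomp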
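Review bot: The four `include` lines that replace the inline blacklist make it unverifiable from this diff whether every entry the old profile carried — `${PATH}/su`, `${PATH}/sudo`, `${PATH}/strace`, `${HOME}/.ssh`, `${HOME}/.gnupg`, the kwallet and keyring paths, the browser and mail-client directories, and the `tmpfs ${HOME}/.gnome2_private` mount — is still covered, because disable-mgmt.inc, disable-secret.inc, disable-common.inc and disable-history.inc are not part of the commit. Two things raise the stakes: the old file had its two `#include` lines commented out, so none of these includes was active before, and per the RELNOTES hunk this profile now applies to every sandbox started without a custom profile, so any path the .inc files omit is newly exposed for all applications rather than one. I would diff the removed blacklist against the four .inc files before merging and record the result in the profile, e.g. a header comment `# the former inline blacklist (su/sudo/strace, .ssh, .gnupg, wallets, browser dirs) is now expected from the included .inc files` so the next editor knows where coverage lives. Note also that `tmpfs` and `blacklist` presumably differ in effect (a writable empty mount versus an inaccessible path), so a plain blacklist entry in an include would not reproduce the old `.gnome2_private` handling exactly.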
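--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1065,11 +1065,12 @@ int main(int argc, char **argv) {
 }
 }
 
+assert(cfg.command_name);
+if (arg_debug)
+printf("Command name #%s#\n", cfg.command_name);
+
 // load the profile
 if (!arg_noprofile) {
-assert(cfg.command_name);
-if (arg_debug)
-printf("Command name #%s#\n", cfg.command_name);
 if (!custom_profile) {
 // look for a profile in ~/.config/firejail directory
 char *usercfgdir;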
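Review bot: The relocated `assert(cfg.command_name)` is now the only guard in front of `printf("Command name #%s#\n", cfg.command_name)` and, by moving out of the `!arg_noprofile` branch, also the only check on the `--noprofile` path; with `NDEBUG` defined the assert compiles away and a NULL `command_name` reaches `%s`, which is undefined behaviour rather than a clean failure. Since `command_name` is presumably derived from the user-supplied argv earlier in `main` (outside this hunk), a runtime check that survives release builds would be safer, e.g. `if (!cfg.command_name) { fprintf(stderr, "Error: no command name\n"); exit(1); }` placed before the debug print (or the file's usual error-exit helper, which I cannot see from here), keeping the assert as documentation if desired. `main()` begins and ends outside this hunk, and whether the project's build ever defines `NDEBUG` is not visible on this page.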
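--- a/test/firemon-caps.exp
+++ b/test/firemon-caps.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=bingo1 --caps\r"
+send -- "firejail --name=bingo1 --noprofile --caps\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"
@@ -12,33 +12,33 @@ expect {
 sleep 1
 
 spawn $env(SHELL)
-send -- "firejail --name=bingo2\r"
+send -- "firejail --name=bingo2 --noprofile\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
+timeout {puts "TESTING ERROR 1\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 spawn $env(SHELL)
-send -- "firejail --name=bingo3 --caps.drop=all\r"
+send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 spawn $env(SHELL)
-send -- "firejail --name=bingo4 --caps.drop=chown,kill\r"
+send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
+timeout {puts "TESTING ERROR 3\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 spawn $env(SHELL)
-send -- "firejail --name=bingo5 --caps.keep=chown,kill\r"
+send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
 sleep 1
@@ -46,7 +46,7 @@ sleep 1
 spawn $env(SHELL)
 send -- "firejail --name=bingo6 --profile=caps1.profile\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
+timeout {puts "TESTING ERROR 5\n";exit}
 "Child process initialized"
 }
 sleep 1
@@ -59,77 +59,68 @@ expect {
 }
 sleep 1
 
-
-
-
 spawn $env(SHELL)
 send -- "firemon --caps\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 8.1\n";exit}
 "bingo1"
 }
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
+timeout {puts "TESTING ERROR 8.2\n";exit}
 "31cffff"
 }
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 8.3\n";exit}
 "bingo2"
 }
 expect {
-timeout {puts "TESTING ERROR 4\n";exit}
+timeout {puts "TESTING ERROR 8.4\n";exit}
 "fffffff"
 }
 expect {
-timeout {puts "TESTING ERROR 5\n";exit}
+timeout {puts "TESTING ERROR 8.5\n";exit}
 "bingo3"
 }
 expect {
-timeout {puts "TESTING ERROR 6\n";exit}
+timeout {puts "TESTING ERROR 8.6\n";exit}
 "000000000000"
 }
 
 expect {
-timeout {puts "TESTING ERROR 7\n";exit}
+timeout {puts "TESTING ERROR 8.7\n";exit}
 "bingo4"
 }
 expect {
-timeout {puts "TESTING ERROR 8\n";exit}
+timeout {puts "TESTING ERROR 8.8\n";exit}
 "ffffffde"
 }
 expect {
-timeout {puts "TESTING ERROR 7\n";exit}
+timeout {puts "TESTING ERROR 8.9\n";exit}
 "bingo5"
 }
 expect {
-timeout {puts "TESTING ERROR 9\n";exit}
+timeout {puts "TESTING ERROR 8.10\n";exit}
 "0000000000000021"
 }
 
 expect {
-timeout {puts "TESTING ERROR 10\n";exit}
+timeout {puts "TESTING ERROR 8.11\n";exit}
 "bingo6"
 }
 expect {
-timeout {puts "TESTING ERROR 11\n";exit}
+timeout {puts "TESTING ERROR 8.12\n";exit}
 "ffffffde"
 }
 expect {
-timeout {puts "TESTING ERROR 12\n";exit}
+timeout {puts "TESTING ERROR 8.13\n";exit}
 "bingo7"
 }
 expect {
-timeout {puts "TESTING ERROR 13\n";exit}
+timeout {puts "TESTING ERROR 8.14\n";exit}
 "0000000000000021"
 }
 
+after 100
 
-
-
-
-
-
-sleep 1
-
-puts "\n"
+puts "all done\n"
 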
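Review bot: Adding `--noprofile` to every bare `firejail` invocation here (and likewise in firemon-seccomp.exp, net_local.exp, net_netfilter.exp, net_noip.exp and net_noip2.exp) keeps these tests independent of the new default profile, but it leaves no test in this commit that checks a plain `firejail --name=X` with no flags now picks up `caps.drop all` and `seccomp` from generic.profile, which is exactly the behaviour change the RELNOTES hunk announces. One more sandbox started without `--noprofile` and without any caps option, then matched in the `firemon --caps` output against the all-dropped mask the bingo3 case already expects (`000000000000`), would pin the default-profile path; a matching check could go in firemon-seccomp.exp if firemon reports an enabled filter the way it reports `Seccomp: 0` (I can only see the disabled form in this diff). Minor: `--noprofile` lands after `--name` for bingo1–bingo3 and before it for bingo4–bingo5; consistent ordering makes the invocations easier to grep.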
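--- a/test/firemon-seccomp.exp
+++ b/test/firemon-seccomp.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=bingo1 --seccomp\r"
+send -- "firejail --noprofile --name=bingo1 --seccomp\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"
@@ -12,9 +12,9 @@ expect {
 sleep 1
 
 spawn $env(SHELL)
-send -- "firejail --name=bingo2\r"
+send -- "firejail --noprofile --name=bingo2\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
+timeout {puts "TESTING ERROR 0.1\n";exit}
 "Child process initialized"
 }
 sleep 1
@@ -40,6 +40,6 @@ expect {
 timeout {puts "TESTING ERROR 3\n";exit}
 "Seccomp: 0"
 }
-sleep 1
+after 100
 
-puts "\n"
+puts "all done\n"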
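--- a/test/net_local.exp
+++ b/test/net_local.exp
@@ -5,7 +5,7 @@ spawn $env(SHELL)
 match_max 100000
 
 # check ip address
-send -- "firejail --debug\r"
+send -- "firejail --noprofile --debug\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Using the local network stack"
@@ -19,7 +19,7 @@ send -- "exit\r"
 sleep 2
 
 # check loopback
-send -- "firejail\r"
+send -- "firejail --noprofile\r"
 expect {
 timeout {puts "TESTING ERROR 9\n";exit}
 "Child process initialized"
@@ -45,5 +45,5 @@ expect {
 "UP"
 }
 
-puts "\n"
+puts "all done\n"
 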
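--- a/test/net_netfilter.exp
+++ b/test/net_netfilter.exp
@@ -5,7 +5,7 @@ spawn $env(SHELL)
 match_max 100000
 
 # check default netfilter on br0
-send -- "firejail --debug --net=br0 --ip=10.10.20.5 --netfilter\r"
+send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Installing network filter"
@@ -31,7 +31,7 @@ send -- "exit\r"
 sleep 1
 
 # check default netfilter no new network
-send -- "firejail --debug --netfilter\r"
+send -- "firejail --debug --noprofile --netfilter\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "Installing network filter" {puts "TESTING ERROR 5.1\n";exit}
@@ -45,7 +45,7 @@ send -- "exit\r"
 sleep 1
 
 # check file filter netfilter on br0
-send -- "firejail --debug --net=br0 --ip=10.10.20.5 --netfilter=netfilter.filter\r"
+send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter=netfilter.filter\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
 "Installing network filter"
@@ -82,7 +82,7 @@ expect {
 }
 
 send -- "exit\r"
-sleep 1
+after 100
 
-puts "\n"
+puts "all done\n"
 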
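--- a/test/net_noip.exp
+++ b/test/net_noip.exp
@@ -5,7 +5,7 @@ spawn $env(SHELL)
 match_max 100000
 
 # check ip address
-send -- "firejail --net=br0 --ip=none\r"
+send -- "firejail --noprofile --net=br0 --ip=none\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "eth0" {puts "TESTING ERROR 1\n";exit}
@@ -35,7 +35,7 @@ expect {
 timeout {puts "TESTING ERROR 6\n";exit}
 "home"
 }
-sleep 1
+after 100
 
-puts "\n"
+puts "all done\n"
 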
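--- a/test/net_noip2.exp
+++ b/test/net_noip2.exp
@@ -5,7 +5,7 @@ spawn $env(SHELL)
 match_max 100000
 
 # check ip address
-send -- "firejail --net=br1 --ip=none --defaultgw=10.10.30.78\r"
+send -- "firejail --noprofile --net=br1 --ip=none --defaultgw=10.10.30.78\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "eth0" {puts "TESTING ERROR 1\n";exit}
@@ -35,7 +35,7 @@ expect {
 timeout {puts "TESTING ERROR 6\n";exit}
 "home"
 }
-sleep 1
+after 100
 
-puts "\n"
+puts "all done\n"
 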