diff options
author | netblue30 <netblue30@protonmail.com> | 2021-12-19 13:05:16 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-12-19 13:05:16 -0500 |
commit | 96cec210f8bd86667722b09beb5a3a67b21ec50f (patch) | |
tree | aa3df5777eb784bec3f8535b92ee4eba00bdbef9 | |
parent | testing (diff) | |
download | firejail-96cec210f8bd86667722b09beb5a3a67b21ec50f.tar.gz firejail-96cec210f8bd86667722b09beb5a3a67b21ec50f.tar.zst firejail-96cec210f8bd86667722b09beb5a3a67b21ec50f.zip |
fix make test-filter
-rwxr-xr-x | test/filters/filters.sh | 7 | ||||
-rwxr-xr-x | test/filters/fseccomp.exp | 2 | ||||
-rwxr-xr-x | test/filters/noroot.exp | 4 | ||||
-rwxr-xr-x | test/filters/protocol.exp | 171 | ||||
-rwxr-xr-x | test/filters/seccomp-dualfilter.exp | 55 | ||||
-rwxr-xr-x | test/filters/seccomp-postexec.exp | 19 | ||||
-rwxr-xr-x | test/filters/seccomp-ptrace.exp | 3 | ||||
-rwxr-xr-x | test/filters/syscall_test | bin | 9552 -> 0 bytes | |||
-rw-r--r-- | test/filters/syscall_test.c | 82 | ||||
-rwxr-xr-x | test/filters/syscall_test32 | bin | 6868 -> 0 bytes |
10 files changed, 27 insertions, 316 deletions
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index a9f06b60a..eb4e4702c 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -115,13 +115,6 @@ echo "TESTING: seccomp numeric (test/filters/seccomp-numeric.exp)" | |||
115 | ./seccomp-numeric.exp | 115 | ./seccomp-numeric.exp |
116 | 116 | ||
117 | if [ "$(uname -m)" = "x86_64" ]; then | 117 | if [ "$(uname -m)" = "x86_64" ]; then |
118 | echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)" | ||
119 | ./seccomp-dualfilter.exp | ||
120 | else | ||
121 | echo "TESTING SKIP: seccomp dual, not running on x86_64" | ||
122 | fi | ||
123 | |||
124 | if [ "$(uname -m)" = "x86_64" ]; then | ||
125 | echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" | 118 | echo "TESTING: seccomp join (test/filters/seccomp-join.exp)" |
126 | ./seccomp-join.exp | 119 | ./seccomp-join.exp |
127 | else | 120 | else |
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp index 59f812d6d..6becbff22 100755 --- a/test/filters/fseccomp.exp +++ b/test/filters/fseccomp.exp | |||
@@ -111,7 +111,7 @@ expect { | |||
111 | } | 111 | } |
112 | expect { | 112 | expect { |
113 | timeout {puts "TESTING ERROR 9.3\n";exit} | 113 | timeout {puts "TESTING ERROR 9.3\n";exit} |
114 | "ret KILL" | 114 | "ret ERRNO" |
115 | } | 115 | } |
116 | 116 | ||
117 | 117 | ||
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 64f72f610..5fc16c47f 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp | |||
@@ -72,7 +72,7 @@ expect { | |||
72 | send -- "cat /proc/self/gid_map | wc -l\r" | 72 | send -- "cat /proc/self/gid_map | wc -l\r" |
73 | expect { | 73 | expect { |
74 | timeout {puts "TESTING ERROR 12\n";exit} | 74 | timeout {puts "TESTING ERROR 12\n";exit} |
75 | "5" | 75 | "9" |
76 | } | 76 | } |
77 | 77 | ||
78 | 78 | ||
@@ -104,7 +104,7 @@ expect { | |||
104 | send -- "cat /proc/self/gid_map | wc -l\r" | 104 | send -- "cat /proc/self/gid_map | wc -l\r" |
105 | expect { | 105 | expect { |
106 | timeout {puts "TESTING ERROR 17\n";exit} | 106 | timeout {puts "TESTING ERROR 17\n";exit} |
107 | "5" | 107 | "9" |
108 | } | 108 | } |
109 | 109 | ||
110 | # check seccomp disabled and all caps enabled | 110 | # check seccomp disabled and all caps enabled |
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index 071460e4c..09c742378 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp | |||
@@ -7,179 +7,38 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r" | 10 | send -- "firejail --noprofile --protocol=unix --debug\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
13 | "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} | 13 | "0009: 20 00 00 00000000 ld data.syscall-number" |
14 | "Child process initialized" | ||
15 | } | 14 | } |
16 | expect { | 15 | expect { |
17 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
18 | "Permission denied" {puts "TESTING SKIP: permission denied\n"; exit} | ||
19 | "socket AF_INET" | ||
20 | } | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 1.2\n";exit} | ||
23 | "Operation not supported" | ||
24 | } | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 1.3\n";exit} | ||
27 | "socket AF_INET6" | ||
28 | } | ||
29 | expect { | ||
30 | timeout {puts "TESTING ERROR 1.4\n";exit} | ||
31 | "Operation not supported" | ||
32 | } | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 1.5\n";exit} | ||
35 | "socket AF_NETLINK" | ||
36 | } | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 1.6\n";exit} | ||
39 | "Operation not supported" | ||
40 | } | ||
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 1.7\n";exit} | ||
43 | "socket AF_UNIX" | ||
44 | } | ||
45 | expect { | ||
46 | timeout {puts "TESTING ERROR 1.8\n";exit} | ||
47 | "socket AF_PACKETX" | ||
48 | } | ||
49 | expect { | ||
50 | timeout {puts "TESTING ERROR 1.9\n";exit} | ||
51 | "Operation not supported" | ||
52 | } | ||
53 | sleep 1 | ||
54 | |||
55 | send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r" | ||
56 | expect { | ||
57 | timeout {puts "TESTING ERROR 2\n";exit} | 16 | timeout {puts "TESTING ERROR 2\n";exit} |
58 | "Child process initialized" | 17 | "000a: 15 01 00 00000029 jeq socket 000c (false 000b)" |
59 | } | ||
60 | expect { | ||
61 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
62 | "socket AF_INET" | ||
63 | } | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 2.2\n";exit} | ||
66 | "Operation not supported" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 2.3\n";exit} | ||
70 | "socket AF_INET6" | ||
71 | } | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 2.4\n";exit} | ||
74 | "socket AF_NETLINK" | ||
75 | } | ||
76 | expect { | ||
77 | timeout {puts "TESTING ERROR 2.5\n";exit} | ||
78 | "Operation not supported" | ||
79 | } | ||
80 | expect { | ||
81 | timeout {puts "TESTING ERROR 2.6\n";exit} | ||
82 | "socket AF_UNIX" | ||
83 | } | ||
84 | expect { | ||
85 | timeout {puts "TESTING ERROR 2.7\n";exit} | ||
86 | "Operation not supported" | ||
87 | } | ||
88 | expect { | ||
89 | timeout {puts "TESTING ERROR 2.8\n";exit} | ||
90 | "socket AF_PACKETX" | ||
91 | } | ||
92 | expect { | ||
93 | timeout {puts "TESTING ERROR 2.9\n";exit} | ||
94 | "after socket" | ||
95 | } | 18 | } |
96 | sleep 1 | ||
97 | |||
98 | # profile testing | ||
99 | send -- "firejail --profile=protocol1.profile ./syscall_test socket\r" | ||
100 | expect { | 19 | expect { |
101 | timeout {puts "TESTING ERROR 3\n";exit} | 20 | timeout {puts "TESTING ERROR 3\n";exit} |
102 | "Child process initialized" | 21 | "000b: 06 00 00 7fff0000 ret ALLOW" |
103 | } | ||
104 | expect { | ||
105 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
106 | "socket AF_INET" | ||
107 | } | ||
108 | expect { | ||
109 | timeout {puts "TESTING ERROR 3.2\n";exit} | ||
110 | "Operation not supported" | ||
111 | } | ||
112 | expect { | ||
113 | timeout {puts "TESTING ERROR 3.3\n";exit} | ||
114 | "socket AF_INET6" | ||
115 | } | ||
116 | expect { | ||
117 | timeout {puts "TESTING ERROR 3.4\n";exit} | ||
118 | "Operation not supported" | ||
119 | } | ||
120 | expect { | ||
121 | timeout {puts "TESTING ERROR 3.5\n";exit} | ||
122 | "socket AF_NETLINK" | ||
123 | } | ||
124 | expect { | ||
125 | timeout {puts "TESTING ERROR 3.6\n";exit} | ||
126 | "Operation not supported" | ||
127 | } | ||
128 | expect { | ||
129 | timeout {puts "TESTING ERROR 3.7\n";exit} | ||
130 | "socket AF_UNIX" | ||
131 | } | ||
132 | expect { | ||
133 | timeout {puts "TESTING ERROR 3.8\n";exit} | ||
134 | "socket AF_PACKETX" | ||
135 | } | 22 | } |
136 | expect { | 23 | expect { |
137 | timeout {puts "TESTING ERROR 3.9\n";exit} | ||
138 | "Operation not supported" | ||
139 | } | ||
140 | sleep 1 | ||
141 | |||
142 | send -- "firejail --profile=protocol2.profile ./syscall_test socket\r" | ||
143 | expect { | ||
144 | timeout {puts "TESTING ERROR 4\n";exit} | 24 | timeout {puts "TESTING ERROR 4\n";exit} |
145 | "Child process initialized" | 25 | "000c: 20 00 00 00000010 ld data.args" |
146 | } | ||
147 | expect { | ||
148 | timeout {puts "TESTING ERROR 4.1\n";exit} | ||
149 | "socket AF_INET" | ||
150 | } | ||
151 | expect { | ||
152 | timeout {puts "TESTING ERROR 4.2\n";exit} | ||
153 | "Operation not supported" | ||
154 | } | ||
155 | expect { | ||
156 | timeout {puts "TESTING ERROR 4.3\n";exit} | ||
157 | "socket AF_INET6" | ||
158 | } | 26 | } |
159 | expect { | 27 | expect { |
160 | timeout {puts "TESTING ERROR 4.4\n";exit} | 28 | timeout {puts "TESTING ERROR 5\n";exit} |
161 | "socket AF_NETLINK" | 29 | "000d: 15 00 01 00000001 jeq 1 000e (false 000f)" |
162 | } | 30 | } |
163 | expect { | 31 | expect { |
164 | timeout {puts "TESTING ERROR 4.5\n";exit} | 32 | timeout {puts "TESTING ERROR 6\n";exit} |
165 | "Operation not supported" | 33 | "000e: 06 00 00 7fff0000 ret ALLOW" |
34 | "" | ||
166 | } | 35 | } |
167 | expect { | 36 | expect { |
168 | timeout {puts "TESTING ERROR 4.6\n";exit} | 37 | timeout {puts "TESTING ERROR 7\n";exit} |
169 | "socket AF_UNIX" | 38 | "000f: 06 00 00 0005005f ret ERRNO(95)" |
170 | } | 39 | } |
171 | expect { | ||
172 | timeout {puts "TESTING ERROR 4.7\n";exit} | ||
173 | "Operation not supported" | ||
174 | } | ||
175 | expect { | ||
176 | timeout {puts "TESTING ERROR 4.8\n";exit} | ||
177 | "socket AF_PACKETX" | ||
178 | } | ||
179 | expect { | ||
180 | timeout {puts "TESTING ERROR 4.9\n";exit} | ||
181 | "after socket" | ||
182 | } | ||
183 | after 100 | ||
184 | 40 | ||
41 | after 100 | ||
42 | send -- "exit\r" | ||
43 | after 100 | ||
185 | puts "\nall done\n" | 44 | puts "\nall done\n" |
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp deleted file mode 100755 index e655be848..000000000 --- a/test/filters/seccomp-dualfilter.exp +++ /dev/null | |||
@@ -1,55 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2021 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 1 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "./syscall_test\r" | ||
11 | expect { | ||
12 | timeout {puts "\nTESTING SKIP: 64-bit support missing\n";exit} | ||
13 | "Usage" | ||
14 | } | ||
15 | |||
16 | send -- "./syscall_test32\r" | ||
17 | expect { | ||
18 | timeout {puts "\nTESTING SKIP: 32-bit support missing\n";exit} | ||
19 | "Usage" | ||
20 | } | ||
21 | |||
22 | set timeout 10 | ||
23 | send -- "firejail ./syscall_test mount\r" | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 0\n";exit} | ||
26 | "Child process initialized" | ||
27 | } | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 1\n";exit} | ||
30 | "before mount" | ||
31 | } | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 2\n";exit} | ||
34 | "after mount" {puts "TESTING ERROR 3\n";exit} | ||
35 | "Parent is shutting down" | ||
36 | } | ||
37 | sleep 1 | ||
38 | |||
39 | send -- "firejail ./syscall_test32 mount\r" | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 4\n";exit} | ||
42 | "Child process initialized" | ||
43 | } | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 5\n";exit} | ||
46 | "before mount" | ||
47 | } | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 6\n";exit} | ||
50 | "after mount" {puts "TESTING ERROR 7\n";exit} | ||
51 | "Parent is shutting down" | ||
52 | } | ||
53 | |||
54 | after 100 | ||
55 | puts "\nall done\n" | ||
diff --git a/test/filters/seccomp-postexec.exp b/test/filters/seccomp-postexec.exp index 18263520a..fe0e40e60 100755 --- a/test/filters/seccomp-postexec.exp +++ b/test/filters/seccomp-postexec.exp | |||
@@ -14,20 +14,17 @@ expect { | |||
14 | } | 14 | } |
15 | expect { | 15 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
17 | "data.architecture" | ||
18 | } | ||
19 | expect { | ||
20 | timeout {puts "TESTING ERROR 2\n";exit} | ||
21 | "monitoring pid" | 17 | "monitoring pid" |
22 | } | 18 | } |
19 | sleep 1 | ||
20 | |||
21 | send -- "ls\r" | ||
23 | expect { | 22 | expect { |
24 | timeout {puts "TESTING ERROR 3\n";exit} | 23 | timeout {puts "TESTING ERROR 2\n";exit} |
25 | "Sandbox monitor: waitpid" | 24 | "not permitted" |
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 4\n";exit} | ||
29 | "Parent is shutting down" | ||
30 | } | 25 | } |
31 | sleep 1 | ||
32 | 26 | ||
27 | |||
28 | send -- "exit\r" | ||
29 | after 100 | ||
33 | puts "all done\n" | 30 | puts "all done\n" |
diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp index ec8ab615c..05fd6eabb 100755 --- a/test/filters/seccomp-ptrace.exp +++ b/test/filters/seccomp-ptrace.exp | |||
@@ -17,8 +17,7 @@ sleep 2 | |||
17 | send -- "strace ls\r" | 17 | send -- "strace ls\r" |
18 | expect { | 18 | expect { |
19 | timeout {puts "TESTING ERROR 1\n";exit} | 19 | timeout {puts "TESTING ERROR 1\n";exit} |
20 | "Bad system call" {puts "version 1\n";} | 20 | "not permitted" |
21 | " unexpected signal 31" {puts "version 2\n"} | ||
22 | } | 21 | } |
23 | 22 | ||
24 | send -- "exit\r" | 23 | send -- "exit\r" |
diff --git a/test/filters/syscall_test b/test/filters/syscall_test deleted file mode 100755 index bf29c5b99..000000000 --- a/test/filters/syscall_test +++ /dev/null | |||
Binary files differ | |||
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c deleted file mode 100644 index 55ee31afb..000000000 --- a/test/filters/syscall_test.c +++ /dev/null | |||
@@ -1,82 +0,0 @@ | |||
1 | // This file is part of Firejail project | ||
2 | // Copyright (C) 2014-2021 Firejail Authors | ||
3 | // License GPL v2 | ||
4 | |||
5 | #include <stdlib.h> | ||
6 | #include <stdio.h> | ||
7 | #include <unistd.h> | ||
8 | #include <sys/types.h> | ||
9 | #include <sys/socket.h> | ||
10 | #include <linux/netlink.h> | ||
11 | #include <net/ethernet.h> | ||
12 | #include <sys/mount.h> | ||
13 | |||
14 | int main(int argc, char **argv) { | ||
15 | if (argc != 2) { | ||
16 | printf("Usage: test [sleep|socket|mkdir|mount]\n"); | ||
17 | return 1; | ||
18 | } | ||
19 | |||
20 | if (strcmp(argv[1], "sleep") == 0) { | ||
21 | printf("before sleep\n"); | ||
22 | sleep(1); | ||
23 | printf("after sleep\n"); | ||
24 | } | ||
25 | else if (strcmp(argv[1], "socket") == 0) { | ||
26 | int sock; | ||
27 | |||
28 | printf("testing socket AF_INET\n"); | ||
29 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { | ||
30 | perror("socket"); | ||
31 | } | ||
32 | else | ||
33 | close(sock); | ||
34 | |||
35 | printf("testing socket AF_INET6\n"); | ||
36 | if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) { | ||
37 | perror("socket"); | ||
38 | } | ||
39 | else | ||
40 | close(sock); | ||
41 | |||
42 | printf("testing socket AF_NETLINK\n"); | ||
43 | if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) { | ||
44 | perror("socket"); | ||
45 | } | ||
46 | else | ||
47 | close(sock); | ||
48 | |||
49 | printf("testing socket AF_UNIX\n"); | ||
50 | if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { | ||
51 | perror("socket"); | ||
52 | } | ||
53 | else | ||
54 | close(sock); | ||
55 | |||
56 | // root needed to be able to handle this | ||
57 | printf("testing socket AF_PACKETX\n"); | ||
58 | if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) { | ||
59 | perror("socket"); | ||
60 | } | ||
61 | else | ||
62 | close(sock); | ||
63 | printf("after socket\n"); | ||
64 | } | ||
65 | else if (strcmp(argv[1], "mkdir") == 0) { | ||
66 | printf("before mkdir\n"); | ||
67 | mkdir("tmp", 0777); | ||
68 | printf("after mkdir\n"); | ||
69 | } | ||
70 | else if (strcmp(argv[1], "mount") == 0) { | ||
71 | printf("before mount\n"); | ||
72 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) { | ||
73 | perror("mount"); | ||
74 | } | ||
75 | printf("after mount\n"); | ||
76 | } | ||
77 | else { | ||
78 | fprintf(stderr, "Error: invalid argument\n"); | ||
79 | return 1; | ||
80 | } | ||
81 | return 0; | ||
82 | } | ||
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32 deleted file mode 100755 index 8d72f58c4..000000000 --- a/test/filters/syscall_test32 +++ /dev/null | |||
Binary files differ | |||