jailtest -> jailcheck (#4268)

10 files changed, 929 insertions, 0 deletions

diff --git a/src/jailcheck/Makefile.in b/src/jailcheck/Makefile.in
new file mode 100644
index 000000000..d218c1f90
--- /dev/null
+++ b/src/jailcheck/Makefile.in
@@ -0,0 +1,17 @@
+.PHONY: all
+all: jailcheck
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+jailcheck: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS)  ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
+
+.PHONY: clean
+clean:; rm -fr *.o jailcheck *.gcov *.gcda *.gcno *.plist
+
+.PHONY: distclean
+distclean: clean
+        rm -fr Makefile
diff --git a/src/jailcheck/access.c b/src/jailcheck/access.c
new file mode 100644
index 000000000..c18d64a82
--- /dev/null
+++ b/src/jailcheck/access.c
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+        char *tfile;
+        char *tdir;
+} TestDir;
+
+#define MAX_TEST_FILES 16
+TestDir td[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void access_setup(const char *directory) {
+        // I am root!
+        assert(directory);
+        assert(user_home_dir);
+
+        if (files_cnt >= MAX_TEST_FILES) {
+                fprintf(stderr, "Error: maximum number of test directories exceded\n");
+                exit(1);
+        }
+
+        char *fname = strdup(directory);
+        if (!fname)
+                errExit("strdup");
+        if (strncmp(fname, "~/", 2) == 0) {
+                free(fname);
+                if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1)
+                        errExit("asprintf");
+        }
+
+        char *path = realpath(fname, NULL);
+        free(fname);
+        if (path == NULL) {
+                fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory);
+                return;
+        }
+
+        // file in home directory
+        if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
+                fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory);
+                free(path);
+                return;
+        }
+
+        // try to open the dir as root
+        DIR *dir = opendir(path);
+        if (!dir) {
+                fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+                free(path);
+                return;
+        }
+        closedir(dir);
+
+        // create a test file
+        char *test_file;
+        if (asprintf(&test_file, "%s/jailcheck-access-%d", path, getpid()) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(test_file, "w");
+        if (!fp) {
+                printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                return;
+        }
+        fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+        fclose(fp);
+        int rv = chown(test_file, user_uid, user_gid);
+        if (rv)
+                errExit("chown");
+
+        char *dname = strdup(directory);
+        if (!dname)
+                errExit("strdup");
+        td[files_cnt].tdir = dname;
+        td[files_cnt].tfile = test_file;
+        files_cnt++;
+}
+
+void access_destroy(void) {
+        // remove test files
+        int i;
+
+        for (i = 0; i < files_cnt; i++) {
+                int rv = unlink(td[i].tfile);
+                (void) rv;
+        }
+        files_cnt = 0;
+}
+
+void access_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+
+                for (i = 0; i < files_cnt; i++) {
+                        assert(td[i].tfile);
+
+                        // try to open the file for reading
+                        FILE *fp = fopen(td[i].tfile, "r");
+                        if (fp) {
+
+                                printf("   Warning: I can read %s\n", td[i].tdir);
+                                fclose(fp);
+                        }
+                }
+                exit(0);
+        }
+
+        // wait for the child to finish
+        int status;
+        wait(&status);
+}
diff --git a/src/jailcheck/apparmor.c b/src/jailcheck/apparmor.c
new file mode 100644
index 000000000..64f278046
--- /dev/null
+++ b/src/jailcheck/apparmor.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+
+void apparmor_test(pid_t pid) {
+        char *label = NULL;
+        char *mode = NULL;
+        int rv = aa_gettaskcon(pid, &label, &mode);
+        if (rv == -1 || mode == NULL)
+                printf("   Warning: AppArmor not enabled\n");
+}
+
+
+#else
+void apparmor_test(pid_t pid) {
+        (void) pid;
+        return;
+}
+#endif
+
diff --git a/src/jailcheck/jailcheck.h b/src/jailcheck/jailcheck.h
new file mode 100644
index 000000000..32be1c978
--- /dev/null
+++ b/src/jailcheck/jailcheck.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef JAILCHECK_H
+#define JAILCHECK_H
+
+#include "../include/common.h"
+
+// main.c
+extern uid_t user_uid;
+extern gid_t user_gid;
+extern char *user_name;
+extern char *user_home_dir;
+extern char *user_run_dir;
+
+// access.c
+void access_setup(const char *directory);
+void access_test(void);
+void access_destroy(void);
+
+// noexec.c
+void noexec_setup(void);
+void noexec_test(const char *msg);
+
+// sysfiles.c
+void sysfiles_setup(const char *file);
+void sysfiles_test(void);
+
+// virtual.c
+void virtual_setup(const char *directory);
+void virtual_destroy(void);
+void virtual_test(void);
+
+// apparmor.c
+void apparmor_test(pid_t pid);
+
+// seccomp.c
+void seccomp_test(pid_t pid);
+
+// utils.c
+char *get_sudo_user(void);
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
+int find_child(pid_t pid);
+pid_t switch_to_child(pid_t pid);
+
+#endif
\ No newline at end of file
diff --git a/src/jailcheck/main.c b/src/jailcheck/main.c
new file mode 100644
index 000000000..4d642bf96
--- /dev/null
+++ b/src/jailcheck/main.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include "../include/firejail_user.h"
+#include "../include/pid.h"
+#include <sys/wait.h>
+
+uid_t user_uid = 0;
+gid_t user_gid = 0;
+char *user_name = NULL;
+char *user_home_dir = NULL;
+char *user_run_dir = NULL;
+int arg_debug = 0;
+
+static char *usage_str =
+        "Usage: jailcheck [options] directory [directory]\n\n"
+        "Options:\n"
+        "   --debug - print debug messages.\n"
+        "   --help, -? - this help screen.\n"
+        "   --version - print program version and exit.\n";
+
+
+static void usage(void) {
+        printf("firetest - version %s\n\n", VERSION);
+        puts(usage_str);
+}
+
+static void cleanup(void) {
+        // running only as root
+        if (getuid() == 0) {
+                if (arg_debug)
+                        printf("cleaning up!\n");
+                access_destroy();
+                virtual_destroy();
+        }
+}
+
+int main(int argc, char **argv) {
+        int i;
+        int findex = 0;
+
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--version") == 0) {
+                        printf("firetest version %s\n\n", VERSION);
+                        return 0;
+                }
+                else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test
+                        printf("   Warning: I can run programs in %s\n", argv[i] + 8);
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--debug") == 0)
+                        arg_debug = 1;
+                else if (strncmp(argv[i], "--", 2) == 0) {
+                        fprintf(stderr, "Error: invalid option\n");
+                        return 1;
+                }
+                else {
+                        findex = i;
+                        break;
+                }
+        }
+
+        // user setup
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n");
+                exit(1);
+        }
+        user_name = get_sudo_user();
+        assert(user_name);
+        user_home_dir = get_homedir(user_name, &user_uid, &user_gid);
+        if (user_uid == 0) {
+                fprintf(stderr, "Error: root user not supported\n");
+                exit(1);
+        }
+        if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
+                errExit("asprintf");
+
+        // test setup
+        atexit(cleanup);
+        access_setup("~/.ssh");
+        access_setup("~/.gnupg");
+        if (findex > 0) {
+                for (i = findex; i < argc; i++)
+                        access_setup(argv[i]);
+        }
+
+        noexec_setup();
+        virtual_setup(user_home_dir);
+        virtual_setup("/tmp");
+        virtual_setup("/var/tmp");
+        virtual_setup("/dev");
+        virtual_setup("/etc");
+        virtual_setup("/bin");
+        virtual_setup("/usr/share");
+        virtual_setup(user_run_dir);
+        // basic sysfiles
+        sysfiles_setup("/etc/shadow");
+        sysfiles_setup("/etc/gshadow");
+        sysfiles_setup("/usr/bin/mount");
+        sysfiles_setup("/usr/bin/su");
+        sysfiles_setup("/usr/bin/ksu");
+        sysfiles_setup("/usr/bin/sudo");
+        sysfiles_setup("/usr/bin/strace");
+        // X11
+        sysfiles_setup("/usr/bin/xev");
+        sysfiles_setup("/usr/bin/xinput");
+        // compilers
+        sysfiles_setup("/usr/bin/gcc");
+        sysfiles_setup("/usr/bin/clang");
+        // networking
+        sysfiles_setup("/usr/bin/dig");
+        sysfiles_setup("/usr/bin/nslookup");
+        sysfiles_setup("/usr/bin/resolvectl");
+        sysfiles_setup("/usr/bin/nc");
+        sysfiles_setup("/usr/bin/ncat");
+        sysfiles_setup("/usr/bin/nmap");
+        sysfiles_setup("/usr/sbin/tcpdump");
+        // terminals
+        sysfiles_setup("/usr/bin/gnome-terminal");
+        sysfiles_setup("/usr/bin/xfce4-terminal");
+        sysfiles_setup("/usr/bin/lxterminal");
+
+        // print processes
+        pid_read(0);
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 1) {
+                        uid_t uid = pid_get_uid(i);
+                        if (uid != user_uid) // not interested in other user sandboxes
+                                continue;
+
+                        // in case the pid is that of a firejail process, use the pid of the first child process
+                        uid_t pid = find_child(i);
+                        printf("\n");
+                        pid_print_list(i, 0); //  no wrapping
+                        apparmor_test(pid);
+                        seccomp_test(pid);
+                        fflush(0);
+
+                        pid_t child = fork();
+                        if (child == -1)
+                                errExit("fork");
+                        if (child == 0) {
+                                int rv = join_namespace(pid, "mnt");
+                                if (rv == 0) {
+                                        virtual_test();
+                                        noexec_test(user_home_dir);
+                                        noexec_test("/tmp");
+                                        noexec_test("/var/tmp");
+                                        noexec_test(user_run_dir);
+                                        access_test();
+                                        sysfiles_test();
+                                }
+                                else {
+                                        printf("   Error: I cannot join the process mount space\n");
+                                        exit(1);
+                                }
+
+                                // drop privileges in order not to trigger cleanup()
+                                if (setgid(user_gid) != 0)
+                                        errExit("setgid");
+                                if (setuid(user_uid) != 0)
+                                        errExit("setuid");
+                                return 0;
+                        }
+                        int status;
+                        wait(&status);
+                }
+        }
+
+        return 0;
+}
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
new file mode 100644
index 000000000..7f994d6a1
--- /dev/null
+++ b/src/jailcheck/noexec.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+static unsigned char *execfile = NULL;
+static int execfile_len = 0;
+
+void noexec_setup(void) {
+        // grab a copy of myself
+        char *self = realpath("/proc/self/exe", NULL);
+        if (self) {
+                struct stat s;
+                if (access(self, X_OK) == 0 && stat(self, &s) == 0) {
+                        assert(s.st_size);
+                        execfile = malloc(s.st_size);
+
+                        int fd = open(self, O_RDONLY);
+                        if (fd == -1)
+                                errExit("open");
+                        int len = 0;
+                        do {
+                                int rv = read(fd, execfile + len, s.st_size - len);
+                                if (rv == -1)
+                                        errExit("read");
+                                if (rv == 0) {
+                                        // something went wrong!
+                                        free(execfile);
+                                        execfile = NULL;
+                                        printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n");
+                                        break;
+                                }
+                                len += rv;
+                        }
+                        while (len < s.st_size);
+                        execfile_len = s.st_size;
+                        close(fd);
+                }
+        }
+}
+
+
+void noexec_test(const char *path) {
+        assert(user_uid);
+
+        // I am root in sandbox mount namespace
+        if (!execfile)
+                return;
+
+        char *fname;
+        if (asprintf(&fname, "%s/jailcheck-noexec-%d", path, getpid()) == -1)
+                errExit("asprintf");
+
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+                int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700);
+                if (fd == -1) {
+                        printf("   I cannot create files in %s, skipping noexec...\n", path);
+                        exit(1);
+                }
+
+                int len = 0;
+                while (len < execfile_len) {
+                        int rv = write(fd, execfile + len, execfile_len - len);
+                        if (rv == -1 || rv == 0) {
+                                printf("   I cannot create files in %s, skipping noexec....\n", path);
+                                exit(1);
+                        }
+                        len += rv;
+                }
+                fchmod(fd, 0700);
+                close(fd);
+
+                char *arg;
+                if (asprintf(&arg, "--hello=%s", path) == -1)
+                        errExit("asprintf");
+                int rv = execl(fname, fname, arg, NULL);
+                (void) rv; // if we get here execl failed
+                exit(0);
+        }
+
+        int status;
+        wait(&status);
+        int rv = unlink(fname);
+        (void) rv;
+}
\ No newline at end of file
diff --git a/src/jailcheck/seccomp.c b/src/jailcheck/seccomp.c
new file mode 100644
index 000000000..9345eb970
--- /dev/null
+++ b/src/jailcheck/seccomp.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#define MAXBUF 4096
+
+void seccomp_test(pid_t pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(file, "r");
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
+                return;
+        }
+
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:", 8) == 0) {
+                        int val = -1;
+                        int rv = sscanf(buf + 8, "\t%d", &val);
+                        if (rv != 1 || val == 0)
+                                printf("   Warning: seccomp not enabled\n");
+                        break;
+                }
+        }
+        fclose(fp);
+        free(file);
+}
diff --git a/src/jailcheck/sysfiles.c b/src/jailcheck/sysfiles.c
new file mode 100644
index 000000000..caeb580af
--- /dev/null
+++ b/src/jailcheck/sysfiles.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+        char *tfile;
+} TestFile;
+
+#define MAX_TEST_FILES 32
+TestFile tf[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void sysfiles_setup(const char *file) {
+        // I am root!
+        assert(file);
+
+        if (files_cnt >= MAX_TEST_FILES) {
+                fprintf(stderr, "Error: maximum number of system test files exceded\n");
+                exit(1);
+        }
+
+        if (access(file, F_OK)) {
+                // no such file
+                return;
+        }
+
+
+        char *fname = strdup(file);
+        if (!fname)
+                errExit("strdup");
+
+        tf[files_cnt].tfile = fname;
+        files_cnt++;
+}
+
+void sysfiles_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+
+                for (i = 0; i < files_cnt; i++) {
+                        assert(tf[i].tfile);
+
+                        // try to open the file for reading
+                        FILE *fp = fopen(tf[i].tfile, "r");
+                        if (fp) {
+
+                                printf("   Warning: I can access %s\n", tf[i].tfile);
+                                fclose(fp);
+                        }
+                }
+                exit(0);
+        }
+
+        // wait for the child to finish
+        int status;
+        wait(&status);
+}
diff --git a/src/jailcheck/utils.c b/src/jailcheck/utils.c
new file mode 100644
index 000000000..c3aaae298
--- /dev/null
+++ b/src/jailcheck/utils.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include "../include/pid.h"
+#include <errno.h>
+#include <pwd.h>
+#include <dirent.h>
+
+#define BUFLEN 4096
+
+char *get_sudo_user(void) {
+        char *user = getenv("SUDO_USER");
+        if (!user) {
+                user = getpwuid(getuid())->pw_name;
+                if (!user) {
+                        fprintf(stderr, "Error: cannot detect login user\n");
+                        exit(1);
+                }
+        }
+
+        return user;
+}
+
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid) {
+        // find home directory
+        struct passwd *pw = getpwnam(user);
+        if (!pw)
+                goto errexit;
+
+        char *home = pw->pw_dir;
+        if (!home)
+                goto errexit;
+
+        *uid = pw->pw_uid;
+        *gid = pw->pw_gid;
+
+        return home;
+
+errexit:
+        fprintf(stderr, "Error: cannot find home directory for user %s\n", user);
+        exit(1);
+}
+
+// find the second child process for the specified pid
+// return -1 if not found
+//
+// Example:
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//  14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//    14792:netblue:/usr/bin/transmission-qt
+// We need 14792, the first real sandboxed process
+// duplicate from src/firemon/main.c
+int find_child(int id) {
+        int i;
+        int first_child = -1;
+
+        // find the first child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 2 && pids[i].parent == id) {
+                        // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
+                        char *cmdline = pid_proc_cmdline(i);
+                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
+                                free(cmdline);
+                                continue;
+                        }
+                        free(cmdline);
+                        first_child = i;
+                        break;
+                }
+        }
+
+        if (first_child == -1)
+                return -1;
+
+        // find the second-level child
+        for (i = 0; i < max_pids; i++) {
+                if (pids[i].level == 3 && pids[i].parent == first_child)
+                        return i;
+        }
+
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
+}
+
diff --git a/src/jailcheck/virtual.c b/src/jailcheck/virtual.c
new file mode 100644
index 000000000..09092f9ce
--- /dev/null
+++ b/src/jailcheck/virtual.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+
+#define MAX_TEST_FILES 16
+static char *dirs[MAX_TEST_FILES];
+static char *files[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void virtual_setup(const char *directory) {
+        // I am root!
+        assert(directory);
+        assert(*directory == '/');
+        assert(files_cnt < MAX_TEST_FILES);
+
+        // try to open the dir as root
+        DIR *dir = opendir(directory);
+        if (!dir) {
+                fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+                return;
+        }
+        closedir(dir);
+
+        // create a test file
+        char *test_file;
+        if (asprintf(&test_file, "%s/jailcheck-private-%d", directory, getpid()) == -1)
+                errExit("asprintf");
+
+        FILE *fp = fopen(test_file, "w");
+        if (!fp) {
+                printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+                return;
+        }
+        fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+        fclose(fp);
+        if (strcmp(directory, user_home_dir) == 0) {
+                int rv = chown(test_file, user_uid, user_gid);
+                if (rv)
+                        errExit("chown");
+        }
+
+        char *dname = strdup(directory);
+        if (!dname)
+                errExit("strdup");
+        dirs[files_cnt] = dname;
+        files[files_cnt] = test_file;
+        files_cnt++;
+}
+
+void virtual_destroy(void) {
+        // remove test files
+        int i;
+
+        for (i = 0; i < files_cnt; i++) {
+                int rv = unlink(files[i]);
+                (void) rv;
+        }
+        files_cnt = 0;
+}
+
+void virtual_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+
+        int cnt = 0;
+        cnt += printf("   Virtual dirs: "); fflush(0);
+
+        for (i = 0; i < files_cnt; i++) {
+                assert(files[i]);
+
+                // I am root!
+                pid_t child = fork();
+                if (child == -1)
+                        errExit("fork");
+
+                if (child == 0) { // child
+                        // drop privileges
+                        if (setgid(user_gid) != 0)
+                                errExit("setgid");
+                        if (setuid(user_uid) != 0)
+                                errExit("setuid");
+
+                        // try to open the file for reading
+                        FILE *fp = fopen(files[i], "r");
+                        if (fp)
+                                fclose(fp);
+                        else {
+                                if (cnt == 0)
+                                        cnt += printf("\n                 ");
+                                cnt += printf("%s, ", dirs[i]);
+                                if (cnt > 60)
+                                        cnt = 0;
+                        }
+                        fflush(0);
+                        exit(cnt);
+                }
+
+                // wait for the child to finish
+                int status;
+                wait(&status);
+                cnt = WEXITSTATUS(status);
+        }
+        printf("\n");
+}