diff options
author | netblue30 <netblue30@protonmail.com> | 2021-02-20 10:06:58 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-02-20 10:06:58 -0500 |
commit | 42e2db1275e37bf669a074c023ea9f9a8b40db43 (patch) | |
tree | 59169acd88cbce9160b1657a7016c789559e0e20 /src/jailtest/main.c | |
parent | run sort.py (diff) | |
download | firejail-42e2db1275e37bf669a074c023ea9f9a8b40db43.tar.gz firejail-42e2db1275e37bf669a074c023ea9f9a8b40db43.tar.zst firejail-42e2db1275e37bf669a074c023ea9f9a8b40db43.zip |
jaitest - simple sandbox testing utility program
Diffstat (limited to 'src/jailtest/main.c')
-rw-r--r-- | src/jailtest/main.c | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/src/jailtest/main.c b/src/jailtest/main.c new file mode 100644 index 000000000..78f162706 --- /dev/null +++ b/src/jailtest/main.c | |||
@@ -0,0 +1,134 @@ | |||
1 | #include "jailtest.h" | ||
2 | #include "../include/firejail_user.h" | ||
3 | #include "../include/pid.h" | ||
4 | #include <sys/wait.h> | ||
5 | |||
6 | uid_t user_uid = 0; | ||
7 | gid_t user_gid = 0; | ||
8 | char *user_name = NULL; | ||
9 | char *user_home_dir = NULL; | ||
10 | int arg_debug = 0; | ||
11 | |||
12 | static char *usage_str = | ||
13 | "Usage: jailtest [options] directory [directory]\n\n" | ||
14 | "Options:\n" | ||
15 | " --debug - print debug messages.\n" | ||
16 | " --help, -? - this help screen.\n" | ||
17 | " --version - print program version and exit.\n"; | ||
18 | |||
19 | |||
20 | static void usage(void) { | ||
21 | printf("firetest - version %s\n\n", VERSION); | ||
22 | puts(usage_str); | ||
23 | } | ||
24 | |||
25 | static void cleanup(void) { | ||
26 | // running only as root | ||
27 | if (getuid() == 0) { | ||
28 | if (arg_debug) | ||
29 | printf("cleaning up!\n"); | ||
30 | access_destroy(); | ||
31 | virtual_destroy(); | ||
32 | } | ||
33 | } | ||
34 | |||
35 | int main(int argc, char **argv) { | ||
36 | int i; | ||
37 | int findex = 0; | ||
38 | |||
39 | for (i = 1; i < argc; i++) { | ||
40 | if (strcmp(argv[i], "-?") == 0 || strcmp(argv[i], "--help") == 0) { | ||
41 | usage(); | ||
42 | return 0; | ||
43 | } | ||
44 | else if (strcmp(argv[i], "--version") == 0) { | ||
45 | printf("firetest version %s\n\n", VERSION); | ||
46 | return 0; | ||
47 | } | ||
48 | else if (strncmp(argv[i], "--hello=", 8) == 0) { // used by noexec test | ||
49 | printf(" Warning: I can run programs in %s\n", argv[i] + 8); | ||
50 | return 0; | ||
51 | } | ||
52 | else if (strcmp(argv[i], "--debug") == 0) | ||
53 | arg_debug = 1; | ||
54 | else if (strncmp(argv[i], "--", 2) == 0) { | ||
55 | fprintf(stderr, "Error: invalid option\n"); | ||
56 | return 1; | ||
57 | } | ||
58 | else { | ||
59 | findex = i; | ||
60 | break; | ||
61 | } | ||
62 | } | ||
63 | |||
64 | // user setup | ||
65 | if (getuid() != 0) { | ||
66 | fprintf(stderr, "Error: you need to be root (via sudo) to run this program\n"); | ||
67 | exit(1); | ||
68 | } | ||
69 | user_name = get_sudo_user(); | ||
70 | assert(user_name); | ||
71 | user_home_dir = get_homedir(user_name, &user_uid, &user_gid); | ||
72 | if (user_uid == 0) { | ||
73 | fprintf(stderr, "Error: root user not supported\n"); | ||
74 | exit(1); | ||
75 | } | ||
76 | |||
77 | // test setup | ||
78 | atexit(cleanup); | ||
79 | if (findex > 0) { | ||
80 | for (i = findex; i < argc; i++) | ||
81 | access_setup(argv[i]); | ||
82 | } | ||
83 | |||
84 | noexec_setup(); | ||
85 | virtual_setup(user_home_dir); | ||
86 | virtual_setup("/tmp"); | ||
87 | virtual_setup("/var/tmp"); | ||
88 | virtual_setup("/dev"); | ||
89 | virtual_setup("/etc"); | ||
90 | virtual_setup("/bin"); | ||
91 | |||
92 | // print processes | ||
93 | pid_read(0); | ||
94 | for (i = 0; i < max_pids; i++) { | ||
95 | if (pids[i].level == 1) { | ||
96 | uid_t uid = pid_get_uid(i); | ||
97 | if (uid != user_uid) // not interested in other user sandboxes | ||
98 | continue; | ||
99 | |||
100 | // in case the pid is that of a firejail process, use the pid of the first child process | ||
101 | uid_t pid = switch_to_child(i); | ||
102 | pid_print_list(i, 0); // no wrapping | ||
103 | |||
104 | pid_t child = fork(); | ||
105 | if (child == -1) | ||
106 | errExit("fork"); | ||
107 | if (child == 0) { | ||
108 | int rv = join_namespace(pid, "mnt"); | ||
109 | if (rv == 0) { | ||
110 | virtual_test(); | ||
111 | noexec_test(user_home_dir); | ||
112 | noexec_test("/tmp"); | ||
113 | noexec_test("/var/tmp"); | ||
114 | access_test(); | ||
115 | } | ||
116 | else { | ||
117 | printf(" Error: I cannot join the process mount space\n"); | ||
118 | exit(1); | ||
119 | } | ||
120 | |||
121 | // drop privileges in order not to trigger cleanup() | ||
122 | if (setgid(user_gid) != 0) | ||
123 | errExit("setgid"); | ||
124 | if (setuid(user_uid) != 0) | ||
125 | errExit("setuid"); | ||
126 | return 0; | ||
127 | } | ||
128 | int status; | ||
129 | wait(&status); | ||
130 | } | ||
131 | } | ||
132 | |||
133 | return 0; | ||
134 | } | ||