Baseline firejail 0.9.28

6 files changed, 445 insertions, 0 deletions

diff --git a/src/tools/check-caps.sh b/src/tools/check-caps.sh
new file mode 100755
index 000000000..13525677b
--- /dev/null
+++ b/src/tools/check-caps.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]
+then
+        echo "Usage: check-caps.sh program-and-arguments"
+        echo
+fi
+
+set -x
+
+firejail --caps.drop=chown "$1"
+firejail --caps.drop=dac_override "$1"
+firejail --caps.drop=dac_read_search "$1"
+firejail --caps.drop=fowner "$1"
+firejail --caps.drop=fsetid "$1"
+firejail --caps.drop=kill "$1"
+firejail --caps.drop=setgid "$1"
+firejail --caps.drop=setuid "$1"
+firejail --caps.drop=setpcap "$1"
+firejail --caps.drop=linux_immutable "$1"
+firejail --caps.drop=net_bind_service "$1"
+firejail --caps.drop=net_broadcast "$1"
+firejail --caps.drop=net_admin "$1"
+firejail --caps.drop=net_raw "$1"
+firejail --caps.drop=ipc_lock "$1"
+firejail --caps.drop=ipc_owner "$1"
+firejail --caps.drop=sys_module "$1"
+firejail --caps.drop=sys_rawio "$1"
+firejail --caps.drop=sys_chroot "$1"
+firejail --caps.drop=sys_ptrace "$1"
+firejail --caps.drop=sys_pacct "$1"
+firejail --caps.drop=sys_admin "$1"
+firejail --caps.drop=sys_boot "$1"
+firejail --caps.drop=sys_nice "$1"
+firejail --caps.drop=sys_resource "$1"
+firejail --caps.drop=sys_time "$1"
+firejail --caps.drop=sys_tty_config "$1"
+firejail --caps.drop=mknod "$1"
+firejail --caps.drop=lease "$1"
+firejail --caps.drop=audit_write "$1"
+firejail --caps.drop=audit_control "$1"
+firejail --caps.drop=setfcap "$1"
+firejail --caps.drop=mac_override "$1"
+firejail --caps.drop=mac_admin "$1"
+firejail --caps.drop=syslog "$1"
+firejail --caps.drop=wake_alarm "$1"
diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c
new file mode 100644
index 000000000..94a062ccb
--- /dev/null
+++ b/src/tools/extract_caps.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com)
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#define BUFMAX 4096
+
+int main(int argc, char **argv) {
+        if (argc != 2) {
+                printf("usage: %s /usr/include/linux/capability.h\n", argv[0]);
+                return 1;
+        }
+        
+        //open file
+        FILE *fp = fopen(argv[1], "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open file\n");
+                return 1;
+        }
+        
+        // read file
+        char buf[BUFMAX];
+        while (fgets(buf, BUFMAX, fp)) {
+                // cleanup
+                char *start = buf;
+                while (*start == ' ' || *start == '\t')
+                        start++;
+                char *end = strchr(start, '\n');
+                if (end)
+                        *end = '\0';
+                
+                // parsing
+                if (strncmp(start, "#define CAP_", 12) == 0) {
+                        if (strstr(start, "CAP_LAST_CAP"))
+                                break;
+                        
+                        char *ptr1 = start + 8;
+                        char *ptr2 = ptr1;
+                        while (*ptr2 == ' ' || *ptr2 == '\t')
+                                ptr2++;
+                        while (*ptr2 != ' ' && *ptr2 != '\t')
+                                ptr2++;
+                        *ptr2 = '\0';
+                        
+                        ptr2 = strdup(ptr1);
+                        assert(ptr2);
+                        ptr2 += 4;
+                        char *ptr3 = ptr2;
+                        while (*ptr3 != '\0') {
+                                *ptr3 = tolower(*ptr3);
+                                ptr3++;
+                        }
+                        
+                        
+                        printf("#ifdef %s\n", ptr1);
+                        printf("\t{\"%s\", %s },\n", ptr2, ptr1);
+                        printf("#endif\n");
+                        
+                }
+                
+        }
+        fclose(fp);
+        return 0;
+}
diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c
new file mode 100644
index 000000000..0e064a49e
--- /dev/null
+++ b/src/tools/extract_syscalls.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com)
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>6
+#include <string.h>
+
+#define BUFMAX 4096
+
+int main(int argc, char **argv) {
+        if (argc != 2) {
+                printf("usage: %s /media/ubuntu/usr/include/x86_64-linux-gnu/bits/syscall.h\n", argv[0]);
+                return 1;
+        }
+        
+        //open file
+        FILE *fp = fopen(argv[1], "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open file\n");
+                return 1;
+        }
+        
+        // read file
+        char buf[BUFMAX];
+        while (fgets(buf, BUFMAX, fp)) {
+                // cleanup
+                char *start = buf;
+                while (*start == ' ' || *start == '\t')
+                        start++;
+                char *end = strchr(start, '\n');
+                if (end)
+                        *end = '\0';
+                
+                // parsing
+                if (strncmp(start, "#endif", 6) == 0)
+                        printf("%s\n", start);
+                if (strncmp(start, "#endif", 6) == 0)
+                        printf("%s\n", start);
+                else if (strncmp(start, "#if", 3) == 0)
+                        printf("%s\n", start);
+                else if (strncmp(start, "#define", 7) == 0) {
+                        // extract data
+                        char *ptr1 = strstr(start, "SYS_");
+                        char *ptr2 = strstr(start, "__NR_");
+                        if (!ptr1 || !ptr2) {
+                                fprintf(stderr, "Error: cannot parse \"%s\"\n", start);
+                                fclose(fp);
+                                return 1;
+                        }
+                        *(ptr2 - 1) = '\0';
+                        
+                        char *ptr3 = ptr1;
+                        while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0')
+                                ptr3++;
+                        *ptr3 = '\0';
+                        ptr3 = ptr2;
+                        while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0')
+                                ptr3++;
+                        *ptr3 = '\0';
+                        
+                        ptr3 = ptr1;
+                        while (*ptr3 != '_')
+                                ptr3++;
+                        ptr3++;
+                        
+                        printf("#ifdef %s\n", ptr1);
+                        printf("#ifdef %s\n", ptr2);
+                        printf("\t{\"%s\", %s},\n", ptr3, ptr2);
+                        printf("#endif\n");                     
+                        printf("#endif\n");                     
+                }
+        }
+        fclose(fp);
+        return 0;
+}
diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh
new file mode 100755
index 000000000..4af84a7a1
--- /dev/null
+++ b/src/tools/mkcoverit.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# unpack firejail archive
+ARCFIREJAIL=`ls *.tar.bz2| grep firejail`
+if [ "$?" -eq 0 ];
+then
+        echo "preparing $ARCFIREJAIL"
+        DIRFIREJAIL=`basename $ARCFIREJAIL  .tar.bz2`
+        rm -fr $DIRFIREJAIL
+        tar -xjvf $ARCFIREJAIL
+        cd $DIRFIREJAIL
+        ./configure --prefix=/usr
+        cd ..
+else
+        echo "Error: firejail source archive missing"
+        exit 1
+fi
+
+
+# unpack firetools archive
+ARCFIRETOOLS=`ls *.tar.bz2 | grep firetools`
+if [ "$?" -eq 0 ];
+then
+        echo "preparing $ARCFIRETOOLS"
+        DIRFIRETOOLS=`basename $ARCFIRETOOLS .tar.bz2`
+        rm -fr $DIRFIRETOOLS
+        tar -xjvf $ARCFIRETOOLS
+        cd $DIRFIRETOOLS
+        pwd
+        ./configure --prefix=/usr
+        cd ..
+        
+else
+        echo "Error: firetools source archive missing"
+        exit 1
+fi
+
+# move firetools in firejail source tree
+mkdir -p $DIRFIREJAIL/extras
+mv $DIRFIRETOOLS $DIRFIREJAIL/extras/firetools
+
+# build
+cd $DIRFIREJAIL
+cov-build --dir cov-int make -j 4 extras
+tar czvf myproject.tgz cov-int
diff --git a/src/tools/rvtest.c b/src/tools/rvtest.c
new file mode 100644
index 000000000..95050e671
--- /dev/null
+++ b/src/tools/rvtest.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com)
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+// run it as "rvtest 2>/dev/null | grep TESTING"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>
+#include <signal.h>
+
+#define MAXBUF 1024     // line buffer
+#define TIMEOUT 30      // timeout time in seconds
+
+static pid_t pid;
+static void catch_alarm(int sig) {
+        kill(pid, SIGTERM);
+        sleep(1);
+        kill(pid, SIGKILL);
+        printf("TESTING ERROR: SIGALARM triggered\n");
+        exit(1);
+}
+
+static void usage(void) {
+        printf("Usage: rvtest testfile\n");
+        printf("\n");
+        printf("Testfile format:\n");
+        printf("\tretval command\n");
+        printf("\n");
+        printf("Testfile example:\n");
+        printf("\n");
+        printf("0 firejail --net=none exit\n");
+        printf("1 firejail --private=/etc sleep 1\n");
+        printf("1 firejail --blablabla\n");
+}
+
+int main(int argc, char **argv) {
+        if (argc != 2) {
+                fprintf(stderr, "Error: test file missing\n");
+                usage();
+                return 1;
+        }
+
+        signal (SIGALRM, catch_alarm);
+
+        // open test file
+        char *fname = argv[1];
+        FILE *fp = fopen(fname, "r");
+        
+        // read test file
+        char buf[MAXBUF];
+        int line = 0;
+        while (fgets(buf, MAXBUF, fp)) {
+                line++;
+                // skip blanks
+                char *start = buf;
+                while (*start == ' ' || *start == '\t')
+                        start++;
+                // remove '\n'
+                char *ptr = strchr(start, '\n');
+                if (ptr)
+                        *ptr ='\0';
+                if (*start == '\0')
+                        continue;
+                
+                // skip comments
+                if (*start == '#')
+                        continue;
+                ptr = strchr(start, '#');
+                if (ptr)
+                        *ptr = '\0';
+                                        
+                // extract exit status          
+                int status;
+                int rv = sscanf(start, "%d\n", &status);
+                if (rv != 1) {
+                        fprintf(stderr, "Error: invalid line %d in %s\n", line, fname);
+                        exit(1);
+                }
+                
+                // extract command
+                char *cmd = strchr(start, ' ');
+                if (!cmd) {
+                        fprintf(stderr, "Error: invalid line %d in %s\n", line, fname);
+                        exit(1);
+                }
+
+                // execute command
+                printf("TESTING %s\n", cmd);
+                fflush(0);
+                pid = fork();
+                if (pid == -1) {
+                        perror("fork");
+                        exit(1);
+                }
+
+                // child
+                if (pid == 0) {
+                        char *earg[50];
+                        earg[0] = "/bin/bash";
+                        earg[1] = "-c";
+                        earg[2] = cmd;
+                        earg[3] = NULL;
+                        execvp(earg[0], earg);
+                }
+                // parent
+                else {
+                        int exit_status;
+                        
+                        alarm(TIMEOUT);
+                        pid = waitpid(pid, &exit_status, 0);
+                        if (pid == -1) {
+                                perror("waitpid");
+                                exit(1);
+                        }
+                        
+                        if (WEXITSTATUS(exit_status) != status)
+                                printf("ERROR TESTING: %s\n", cmd);
+                }
+                
+                fflush(0);
+        }
+        fclose(fp);
+        
+        return 0;
+}
\ No newline at end of file
diff --git a/src/tools/ttytest.c b/src/tools/ttytest.c
new file mode 100644
index 000000000..a449bf9ba
--- /dev/null
+++ b/src/tools/ttytest.c
@@ -0,0 +1,36 @@
+#define _XOPEN_SOURCE 600
+#include <stdlib.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <errno.h>
+
+int main(void) {
+        int fdm;
+        int rc;
+
+        // initial
+        system("ls -l /dev/pts");
+
+        fdm = posix_openpt(O_RDWR);
+        if (fdm < 0) {
+                perror("posix_openpt");
+                return 1;
+        }
+
+        rc = grantpt(fdm);
+        if (rc != 0) {
+                perror("grantpt");
+                return 1;
+        }
+
+        rc = unlockpt(fdm);
+        if (rc != 0) {
+                perror("unlockpt");
+                return 1;
+        }
+
+        // final
+        system("ls -l /dev/pts");
+
+        return 0;
+}