more jailtest

3 files changed, 119 insertions, 2 deletions

diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h
index 10174cc9a..0c4883061 100644
--- a/src/jailtest/jailtest.h
+++ b/src/jailtest/jailtest.h
@@ -38,6 +38,10 @@ void access_destroy(void);
 void noexec_setup(void);
 void noexec_test(const char *msg);
 
+// sysfiles.c
+void sysfiles_setup(const char *file);
+void sysfiles_test(void);
+
 // virtual.c
 void virtual_setup(const char *directory);
 void virtual_destroy(void);
diff --git a/src/jailtest/main.c b/src/jailtest/main.c
index 850277bc5..3369dca39 100644
--- a/src/jailtest/main.c
+++ b/src/jailtest/main.c
@@ -114,8 +114,32 @@ int main(int argc, char **argv) {
         virtual_setup("/bin");
         virtual_setup("/usr/share");
         virtual_setup(user_run_dir);
-
-
+        // basic sysfiles
+        sysfiles_setup("/etc/shadow");
+        sysfiles_setup("/etc/gshadow");
+        sysfiles_setup("/usr/bin/mount");
+        sysfiles_setup("/usr/bin/su");
+        sysfiles_setup("/usr/bin/ksu");
+        sysfiles_setup("/usr/bin/sudo");
+        sysfiles_setup("/usr/bin/strace");
+        // X11
+        sysfiles_setup("/usr/bin/xev");
+        sysfiles_setup("/usr/bin/xinput");
+        // compilers
+        sysfiles_setup("/usr/bin/gcc");
+        sysfiles_setup("/usr/bin/clang");
+        // networking
+        sysfiles_setup("/usr/bin/dig");
+        sysfiles_setup("/usr/bin/nslookup");
+        sysfiles_setup("/usr/bin/resolvectl");
+        sysfiles_setup("/usr/bin/nc");
+        sysfiles_setup("/usr/bin/ncat");
+        sysfiles_setup("/usr/bin/nmap");
+        sysfiles_setup("/usr/sbin/tcpdump");
+        // terminals
+        sysfiles_setup("/usr/bin/gnome-terminal");
+        sysfiles_setup("/usr/bin/xfce4-terminal");
+        sysfiles_setup("/usr/bin/lxterminal");
 
         // print processes
         pid_read(0);
@@ -145,6 +169,7 @@ int main(int argc, char **argv) {
                                         noexec_test("/var/tmp");
                                         noexec_test(user_run_dir);
                                         access_test();
+                                        sysfiles_test();
                                 }
                                 else {
                                         printf("   Error: I cannot join the process mount space\n");
diff --git a/src/jailtest/sysfiles.c b/src/jailtest/sysfiles.c
new file mode 100644
index 000000000..7e4709453
--- /dev/null
+++ b/src/jailtest/sysfiles.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+        char *tfile;
+} TestFile;
+
+#define MAX_TEST_FILES 32
+TestFile tf[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void sysfiles_setup(const char *file) {
+        // I am root!
+        assert(file);
+
+        if (files_cnt >= MAX_TEST_FILES) {
+                fprintf(stderr, "Error: maximum number of system test files exceded\n");
+                exit(1);
+        }
+
+        if (access(file, F_OK)) {
+                // no such file
+                return;
+        }
+
+
+        char *fname = strdup(file);
+        if (!fname)
+                errExit("strdup");
+
+        tf[files_cnt].tfile = fname;
+        files_cnt++;
+}
+
+void sysfiles_test(void) {
+        // I am root in sandbox mount namespace
+        assert(user_uid);
+        int i;
+
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+
+                for (i = 0; i < files_cnt; i++) {
+                        assert(tf[i].tfile);
+
+                        // try to open the file for reading
+                        FILE *fp = fopen(tf[i].tfile, "r");
+                        if (fp) {
+
+                                printf("   Warning: I can access %s\n", tf[i].tfile);
+                                fclose(fp);
+                        }
+                }
+                exit(0);
+        }
+
+        // wait for the child to finish
+        int status;
+        wait(&status);
+}