testing

7 files changed, 364 insertions, 0 deletions

diff --git a/test/capabilities/capabilities.sh b/test/capabilities/capabilities.sh
new file mode 100755
index 000000000..50279cd4f
--- /dev/null
+++ b/test/capabilities/capabilities.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+
+#if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
+        echo "TESTING: capabilities (test/filters/caps.exp)"
+        ./caps.exp
+#else
+#       echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)"
+#fi
+
+echo "TESTING: capabilities print (test/filters/caps-print.exp)"
+./caps-print.exp
+
+echo "TESTING: capabilities join (test/filters/caps-join.exp)"
+./caps-join.exp
+
diff --git a/test/capabilities/caps-join.exp b/test/capabilities/caps-join.exp
new file mode 100755
index 000000000..1830143fb
--- /dev/null
+++ b/test/capabilities/caps-join.exp
@@ -0,0 +1,96 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+match_max 100000
+spawn $env(SHELL)
+set id1 $spawn_id
+spawn $env(SHELL)
+set id2 $spawn_id
+
+send -- "stty -echo\r"
+after 100
+
+#
+# regular run
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+set spawn_id $id2
+
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "CapBnd:        0000000000000000"
+}
+sleep 1
+
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+#
+# no caps
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+set spawn_id $id2
+
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "fffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "CapAmb:"
+}
+sleep 1
+
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+#
+# no caps
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
+expect {
+        timeout {puts "TESTING ERROR20\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+set spawn_id $id2
+
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "CapBnd:        0000000000000009"
+}
+sleep 1
+
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+puts "all done\n"
diff --git a/test/capabilities/caps-print.exp b/test/capabilities/caps-print.exp
new file mode 100755
index 000000000..b403f9ffe
--- /dev/null
+++ b/test/capabilities/caps-print.exp
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --noprofile --caps --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Drop CAP_SYS_MODULE"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Drop CAP_SYS_RAWIO"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Drop CAP_SYS_BOOT"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Drop CAP_SYS_NICE"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Drop CAP_SYS_TTY_CONFIG"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Drop CAP_SYSLOG"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Drop CAP_MKNOD"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Drop CAP_SYS_ADMIN"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "chown               - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "setgid              - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "setuid              - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "mknod               - disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "syslog              - disabled"
+}
+after 100
+
+send -- "firejail --debug-caps\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "21     - sys_admin"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "22     - sys_boot"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "23     - sys_nice"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "24     - sys_resource"
+}
+after 100
+
+send -- "firejail --caps.keep=\"bla bla bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "capability"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "not found"
+}
+
+after 100
+puts "\nall done\n"
diff --git a/test/capabilities/caps.exp b/test/capabilities/caps.exp
new file mode 100755
index 000000000..dbd63efda
--- /dev/null
+++ b/test/capabilities/caps.exp
@@ -0,0 +1,139 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "CapBnd:        0000000000000009"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --profile=caps1.profile --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Drop CAP_SYS_MODULE"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "Drop CAP_SYS_ADMIN"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+## tofix: possible problem with caps.keep in profile files
+##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+#send -- "firejail --profile=caps2.profile\r"
+#expect {
+#       timeout {puts "TESTING ERROR 15\n";exit}
+#       -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+#}
+#after 100
+#
+#send -- "cat /proc/self/status\r"
+#expect {
+#       timeout {puts "TESTING ERROR 16\n";exit}
+#       "CapBnd:        0000000000000009"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 17\n";exit}
+#       "Seccomp:"
+#}
+#send -- "exit\r"
+#sleep 1
+
+#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+send -- "firejail --profile=caps3.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+
+after 100
+puts "\nall done\n"
diff --git a/test/capabilities/caps1.profile b/test/capabilities/caps1.profile
new file mode 100644
index 000000000..8b0c3b340
--- /dev/null
+++ b/test/capabilities/caps1.profile
@@ -0,0 +1 @@
+caps
diff --git a/test/capabilities/caps2.profile b/test/capabilities/caps2.profile
new file mode 100644
index 000000000..ad49719f1
--- /dev/null
+++ b/test/capabilities/caps2.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
diff --git a/test/capabilities/caps3.profile b/test/capabilities/caps3.profile
new file mode 100644
index 000000000..ad49719f1
--- /dev/null
+++ b/test/capabilities/caps3.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner