author | netblue30 <netblue30@protonmail.com> | 2023-02-28 09:51:26 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2023-02-28 09:51:26 -0500 |
commit | 27c4d069f322fbeca07c88e0e96208233103a5db (patch) | |
tree | fb4b4fdc75eb5e633ab55b8228a60f54176446a0 /test/chroot | |
parent | fix cppcheck/scan-build problems (diff) | |
chroot testing
Diffstat (limited to 'test/chroot')
-rwxr-xr-x | test/chroot/chroot.sh | 5 | ||||
-rwxr-xr-x | test/chroot/configure | 2 | ||||
-rwxr-xr-x | test/chroot/fs_chroot.exp | 48 | ||||
-rwxr-xr-x | test/chroot/fs_chroot_disabled.exp | 17 | ||||
-rwxr-xr-x | test/chroot/unchroot-as-root.exp | 2 |
5 files changed, 51 insertions, 23 deletions
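--- a/test/chroot/chroot.sh
+++ b/test/chroot/chroot.sh
@@ -11,6 +11,11 @@ rm -f unchroot
 gcc -o unchroot unchroot.c
 sudo ./configure
 
+echo "TESTING: chroot disabled (test/chroot/fs_chroot_disabled.exp)"
+./fs_chroot_disabled.exp
+
+sudo sed -i s/"# chroot no"/"chroot yes"/g /etc/firejail/firejail.config
+
 echo "TESTING: chroot (test/chroot/fs_chroot.exp)"
 ./fs_chroot.exp
 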
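Review bot: The added `sudo sed -i s/"# chroot no"/"chroot yes"/g /etc/firejail/firejail.config` permanently re-enables chroot in the system-wide firejail config and nothing in this script restores it, so one test run leaves the machine with a non-default, less restrictive sandbox setting and makes the next run's fs_chroot_disabled.exp fail. Save and restore the file around the tests, e.g. `sudo cp /etc/firejail/firejail.config /etc/firejail/firejail.config.orig` before the sed and `trap 'sudo mv /etc/firejail/firejail.config.orig /etc/firejail/firejail.config' EXIT` so it is reverted even when a test aborts. The substitution also matches only the commented-out default; if the line is already an uncommented `chroot no`, sed is a silent no-op and fs_chroot.exp then runs against a disabled feature, so verify the edit took effect, e.g. `grep -q '^chroot yes' /etc/firejail/firejail.config || exit 1`.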
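--- a/test/chroot/configure
+++ b/test/chroot/configure
@@ -8,7 +8,7 @@ ROOTDIR="/tmp/chroot" # default chroot directory
 DEFAULT_FILES="/bin/bash /bin/sh " # basic chroot files
 DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
 DEFAULT_FILES+=`find /lib -name libnss*` # files required by glibc
-DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
+DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /usr/bin/touch /bin/grep"
 
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc,sys}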
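--- a/test/chroot/fs_chroot.exp
+++ b/test/chroot/fs_chroot.exp
@@ -10,55 +10,61 @@ match_max 100000
 send -- "firejail --chroot=/tmp/chroot\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
-"Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "chroot available\n"};
 }
 sleep 1
 
-send -- "cd /home;pwd\r"
+send -- "pwd\r"
 expect {
-timeout {puts "TESTING ERROR 0.1\n";exit}
-"home"
+timeout {puts "TESTING ERROR 1\n";exit}
+"/home"
 }
-sleep 1
-send -- "bash\r"
-sleep 1
+after 100
 send -- "ls /\r"
 expect {
-timeout {puts "TESTING ERROR 0.2\n";exit}
+timeout {puts "TESTING ERROR 2\n";exit}
 "this-is-my-chroot"
 }
 after 100
 
 send -- "ps aux\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
+timeout {puts "TESTING ERROR 3\n";exit}
 "/bin/bash"
 }
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"bash"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 4\n";exit}
 "ps aux"
 }
 after 100
 
-send -- "ps aux | wc -l; pwd\r"
+# check /sys directory
+send -- "ls /sys\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
-"6"
+"block"
 }
-after 100
-
-# check /sys directory
-send -- "ls /sys\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
-"block"
+"class"
+}
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"dev"
 }
 after 100
 
+# check /bin directory
+send -- "ls /bin/find\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"No such file or directory"
+}
+after 100
+send -- "/bin/ping 1.1.1.1\r"
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"Operation not permitted"
+}
 
 puts "all done\n"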
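Review bot: The new `/bin/ping 1.1.1.1` check can only fail by timeout when ping actually succeeds, which is precisely the outcome the check exists to catch (raw-socket ability leaking into the chroot), and a successful ping then keeps running in the sandbox after the script exits. Add a fast-fail branch to that expect block ahead of the success pattern, e.g. `"bytes from" {puts "TESTING ERROR 9: ping succeeded inside chroot\n";exit}`, so a regression is reported immediately and explicitly. "Operation not permitted" is also generic EPERM text, so a ping binary failing for an unrelated reason would pass the test; matching the ping-specific prefix, e.g. `-re "ping: .*Operation not permitted"`, would pin the cause, though the exact wording depends on which ping implementation was copied into the chroot.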
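--- /dev/null
+++ b/test/chroot/fs_chroot_disabled.exp
@@ -0,0 +1,17 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --chroot=/tmp/chroot\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"feature is disabled"
+}
+sleep 1
+
+puts "all done\n"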
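Review bot: The expect block around `firejail --chroot=/tmp/chroot` has no branch for the case where chroot is in fact enabled; firejail then drops into a sandboxed shell and the test only fails after the 10 s timeout, leaving that sandbox shell running. Because chroot.sh in this same commit flips the system config to `chroot yes` with sed and nothing restores it, a second run on the same machine will hit exactly that case. Add a fast-fail pattern next to the expected one, e.g. `-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "TESTING ERROR 1: chroot is enabled\n";exit}`, mirroring the pattern fs_chroot.exp already matches on.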
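--- a/test/chroot/unchroot-as-root.exp
+++ b/test/chroot/unchroot-as-root.exp
@@ -22,7 +22,7 @@ after 100
 send -- "./unchroot\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"Bad system call"
+"Operation not permitted"
 }
 after 100
 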
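Review bot: The changed assertion verifies only that `./unchroot` printed some "Operation not permitted" text, not that the escape failed; any EPERM from the helper, for instance from a failed mkdir or chdir inside it, satisfies the match. Since the expected failure mode has moved from a seccomp kill ("Bad system call") to an EPERM return, it is worth asserting the actual security property afterwards, namely that the shell is still confined to the chroot. fs_chroot.exp does this with the `this-is-my-chroot` marker from `ls /`, and the same check can follow the `after 100` here. The rest of unchroot-as-root.exp is outside this hunk, so it may already do something equivalent.
```tcl
# … unchanged: ./unchroot invocation and "Operation not permitted" expect …
after 100
send -- "ls /\r"
expect {
timeout {puts "TESTING ERROR 2: escaped chroot?\n";exit}
"this-is-my-chroot"
}
```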