added make test-filters

12 files changed, 533 insertions, 0 deletions

diff --git a/test/filters/caps.exp b/test/filters/caps.exp
new file mode 100755
index 000000000..034d6a733
--- /dev/null
+++ b/test/filters/caps.exp
@@ -0,0 +1,72 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "CapBnd:        0000000000000009"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
new file mode 100755
index 000000000..a1f6ce88d
--- /dev/null
+++ b/test/filters/noroot.exp
@@ -0,0 +1,156 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "2"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+
+send -- "ping 0\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Operation not permitted"
+}
+send -- "whoami\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        $env(USER)
+}
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "3"
+}
+
+puts "\n"
+send -- "exit\r"
+sleep 2
+
+
+
+send -- "firejail --name=test --noroot --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "ffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "0"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+
+send -- "whoami\r"
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        $env(USER)
+}
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "ping 0\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "Operation not permitted"
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "3"
+}
+
+
+
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "User namespace detected"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Joining user namespace"
+}
+sleep 1
+
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        "3"
+}
+puts "\nall done\n"
diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp
new file mode 100755
index 000000000..cf552da56
--- /dev/null
+++ b/test/filters/protocol.exp
@@ -0,0 +1,180 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "socket AF_INET"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.2\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.3\n";exit}
+        "socket AF_INET6"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
+        "socket AF_NETLINK"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.7\n";exit}
+        "socket AF_UNIX"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.8\n";exit}
+        "socket AF_PACKETX"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.9\n";exit}
+        "Operation not supported"
+}
+sleep 1
+
+send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "socket AF_INET"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.2\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3\n";exit}
+        "socket AF_INET6"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4\n";exit}
+        "socket AF_NETLINK"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6\n";exit}
+        "socket AF_UNIX"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.7\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.8\n";exit}
+        "socket AF_PACKETX"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.9\n";exit}
+        "after socket"
+}
+sleep 1
+
+# profile testing
+send -- "firejail --profile=protocol1.profile ./syscall_test socket\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "socket AF_INET"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.3\n";exit}
+        "socket AF_INET6"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5\n";exit}
+        "socket AF_NETLINK"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.7\n";exit}
+        "socket AF_UNIX"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.8\n";exit}
+        "socket AF_PACKETX"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.9\n";exit}
+        "Operation not supported"
+}
+sleep 1
+
+send -- "firejail --profile=protocol2.profile ./syscall_test socket\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "socket AF_INET"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.2\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.3\n";exit}
+        "socket AF_INET6"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.4\n";exit}
+        "socket AF_NETLINK"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.5\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.6\n";exit}
+        "socket AF_UNIX"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.7\n";exit}
+        "Operation not supported"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.8\n";exit}
+        "socket AF_PACKETX"
+}
+expect {
+        timeout {puts "TESTING ERROR 4.9\n";exit}
+        "after socket"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/filters/protocol1.profile b/test/filters/protocol1.profile
new file mode 100644
index 000000000..3e1ea2a29
--- /dev/null
+++ b/test/filters/protocol1.profile
@@ -0,0 +1 @@
+protocol unix
diff --git a/test/filters/protocol2.profile b/test/filters/protocol2.profile
new file mode 100644
index 000000000..b7eb4ab91
--- /dev/null
+++ b/test/filters/protocol2.profile
@@ -0,0 +1 @@
+protocol inet6,packet
diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp
new file mode 100755
index 000000000..631d67743
--- /dev/null
+++ b/test/filters/seccomp-bad-empty.exp
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --seccomp=\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Error: empty syscall lists are not allowed"
+}
+
+send --  "firejail --seccomp.drop=\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Error: empty syscall lists are not allowed"
+}
+
+send --  "firejail --seccomp.keep=\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Error: empty syscall lists are not allowed"
+}
+
+send --  "firejail --profile=seccomp-bad-empty.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Error: line 1 in seccomp-bad-empty.profile is invalid"
+}
+
+send --  "firejail --profile=seccomp-bad-empty2.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Error: line 1 in seccomp-bad-empty2.profile is invalid"
+}
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/filters/seccomp-bad-empty.profile b/test/filters/seccomp-bad-empty.profile
new file mode 100644
index 000000000..2d4fcde7c
--- /dev/null
+++ b/test/filters/seccomp-bad-empty.profile
@@ -0,0 +1 @@
+seccomp.drop
diff --git a/test/filters/seccomp-bad-empty2.profile b/test/filters/seccomp-bad-empty2.profile
new file mode 100644
index 000000000..c4e6c9f74
--- /dev/null
+++ b/test/filters/seccomp-bad-empty2.profile
@@ -0,0 +1 @@
+seccomp.keep
diff --git a/test/filters/seccomp.profile b/test/filters/seccomp.profile
new file mode 100644
index 000000000..cb0b15aee
--- /dev/null
+++ b/test/filters/seccomp.profile
@@ -0,0 +1 @@
+seccomp chmod,fchmod,fchmodat
diff --git a/test/filters/syscall_test b/test/filters/syscall_test
new file mode 100755
index 000000000..bf29c5b99
--- /dev/null
+++ b/test/filters/syscall_test
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c
new file mode 100644
index 000000000..422af619d
--- /dev/null
+++ b/test/filters/syscall_test.c
@@ -0,0 +1,82 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2016 Firejail Authors
+// License GPL v2
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <net/ethernet.h>
+#include <sys/mount.h>
+
+int main(int argc, char **argv) {
+        if (argc != 2) {
+                printf("Usage: test [sleep|socket|mkdir|mount]\n");
+                return 1;
+        }
+
+        if (strcmp(argv[1], "sleep") == 0) {
+                printf("before sleep\n");
+                sleep(1);
+                printf("after sleep\n");
+        }
+        else if (strcmp(argv[1], "socket") == 0) {
+                int sock;
+
+                printf("testing socket AF_INET\n");
+                if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+                        perror("socket");
+                }
+                else
+                        close(sock);
+
+                printf("testing socket AF_INET6\n");
+                if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) {
+                        perror("socket");
+                }
+                else
+                        close(sock);
+
+                printf("testing socket AF_NETLINK\n");
+                if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
+                        perror("socket");
+                }
+                else
+                        close(sock);
+                        
+                printf("testing socket AF_UNIX\n");
+                if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
+                        perror("socket");
+                }
+                else
+                        close(sock);
+                        
+                // root needed to be able to handle this
+                printf("testing socket AF_PACKETX\n");
+                if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) {
+                        perror("socket");
+                }
+                else
+                        close(sock);
+                printf("after socket\n");
+        }
+        else if (strcmp(argv[1], "mkdir") == 0) {
+                printf("before mkdir\n");
+                mkdir("tmp", 0777);
+                printf("after mkdir\n");
+        }
+        else if (strcmp(argv[1], "mount") == 0) {
+                printf("before mount\n");
+                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0) {
+                        perror("mount");
+                }
+                printf("after mount\n");
+        }
+        else {
+                fprintf(stderr, "Error: invalid argument\n");
+                return 1;
+        }
+        return 0;
+}
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32
new file mode 100755
index 000000000..8d72f58c4
--- /dev/null
+++ b/test/filters/syscall_test32