added make test-filters

12 files changed, 600 insertions, 0 deletions

diff --git a/test/filters/filters.sh b/test/filters/filters.sh
new file mode 100755
index 000000000..c21243a0f
--- /dev/null
+++ b/test/filters/filters.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: noroot (test/filters/noroot.exp)"
+./noroot.exp
+
+echo "TESTING: capabilities (test/filters/caps.exp)"
+./caps.exp
+
+echo "TESTING: protocol (test/filters/protocol.exp)"
+./protocol.exp
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+echo "TESTING: seccomp debug  (test/filters/seccomp-debug.exp)"
+./seccomp-debug.exp
+
+echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
+./seccomp-errno.exp
+
+echo "TESTING: seccomp su (test/filters/seccomp-su.exp)"
+./seccomp-su.exp
+
+echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)"
+./seccomp-ptrace.exp
+
+echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)"
+./seccomp-chmod.exp
+
+echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)"
+./seccomp-chmod-profile.exp
+
+echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
+./seccomp-empty.exp
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
+./seccomp-dualfilter.exp
+
+
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp
new file mode 100755
index 000000000..9683fad90
--- /dev/null
+++ b/test/filters/seccomp-chmod-profile.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --profile=seccomp.profile --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "touch testfile;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/root" {puts "running as root"}
+        "/home"
+}
+
+send -- "ls -l testfile;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "testfile"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/root" {puts "running as root"}
+        "/home"
+}
+
+send -- "chmod +x testfile;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Bad system call"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/root" {puts "running as root"}
+        "/home"
+}
+
+
+send -- "exit\r"
+sleep 1
+puts "\n"
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp
new file mode 100755
index 000000000..0d52122d3
--- /dev/null
+++ b/test/filters/seccomp-chmod.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "touch testfile;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/root" {puts "running as root"}
+        "/home"
+}
+
+send -- "ls -l testfile;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "testfile"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/root" {puts "running as root"}
+        "/home"
+}
+
+send -- "chmod +x testfile;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Bad system call"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/root" {puts "running as root"}
+        "/home"
+}
+
+
+send -- "exit\r"
+sleep 1
+puts "\n"
diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp
new file mode 100755
index 000000000..4e393fea2
--- /dev/null
+++ b/test/filters/seccomp-chown.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "touch testfile;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/root" {puts "running as root"}
+        "/home"
+}
+
+send -- "ls -l testfile;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "testfile"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/root" {puts "running as root"}
+        "/home"
+}
+
+send -- "chown netblue:netblue testfile;pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Bad system call"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "/root" {puts "running as root"}
+        "/home"
+}
+
+
+send -- "exit\r"
+sleep 1
+puts "\n"
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
new file mode 100755
index 000000000..dbc0d37a9
--- /dev/null
+++ b/test/filters/seccomp-debug.exp
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --seccomp --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "SECCOMP Filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "BLACKLIST"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "open_by_handle_at"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "exit\r"
+after 100
+puts "all done\n"
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
new file mode 100755
index 000000000..26b36236a
--- /dev/null
+++ b/test/filters/seccomp-dualfilter.exp
@@ -0,0 +1,41 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail ./syscall_test mount\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "before mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "after mount" {puts "TESTING ERROR 2.1\n";exit}
+        "Parent is shutting down"
+}
+sleep 1
+
+send -- "firejail ./syscall_test32 mount\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Child process initialized"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "before mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "after mount" {puts "TESTING ERROR 5.1\n";exit}
+        "Parent is shutting down"
+}
+
+puts "\nall done\n"
diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp
new file mode 100755
index 000000000..11b275c7d
--- /dev/null
+++ b/test/filters/seccomp-empty.exp
@@ -0,0 +1,148 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --debug --seccomp=chmod,fchmod,fchmodat --private\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "VALIDATE_ARCHITECTURE"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.1\n";exit}
+        "mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.2\n";exit}
+        "ptrace"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.3\n";exit}
+        "chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.4\n";exit}
+        "fchmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.5\n";exit}
+        "fchmodat"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.6\n";exit}
+        "RETURN_ALLOW"
+}
+expect {
+        timeout {puts "TESTING ERROR 0.7\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "exit\r"
+sleep 3
+puts "\n"
+
+send --  "firejail --debug --seccomp.drop=chmod,fchmod,fchmodat --private\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "VALIDATE_ARCHITECTURE"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.1\n";exit}
+        "mount" {puts "TESTING ERROR 1.2\n";exit}
+        "ptrace" {puts "TESTING ERROR 1.3\n";exit}
+        "chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.4\n";exit}
+        "fchmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.5\n";exit}
+        "fchmodat"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.6\n";exit}
+        "RETURN_ALLOW"
+}
+expect {
+        timeout {puts "TESTING ERROR 1.7\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "exit\r"
+puts "\n"
+
+sleep 2
+send --  "firejail --debug --profile=seccomp.profile --private\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "VALIDATE_ARCHITECTURE"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.1\n";exit}
+        "mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.2\n";exit}
+        "ptrace"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.3\n";exit}
+        "chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.4\n";exit}
+        "fchmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.5\n";exit}
+        "fchmodat"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.6\n";exit}
+        "RETURN_ALLOW"
+}
+expect {
+        timeout {puts "TESTING ERROR 2.7\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "exit\r"
+sleep 3
+puts "\n"
+
+send --  "firejail --debug --profile=seccomp-empty.profile --private\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "VALIDATE_ARCHITECTURE"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "mount" {puts "TESTING ERROR 3.2\n";exit}
+        "ptrace" {puts "TESTING ERROR 3.3\n";exit}
+        "chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.4\n";exit}
+        "fchmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.5\n";exit}
+        "fchmodat"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.6\n";exit}
+        "RETURN_ALLOW"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.7\n";exit}
+        "Child process initialized"
+}
+sleep 2
+send -- "exit\r"
+puts "\n"
+
diff --git a/test/filters/seccomp-empty.profile b/test/filters/seccomp-empty.profile
new file mode 100644
index 000000000..8f71f55a5
--- /dev/null
+++ b/test/filters/seccomp-empty.profile
@@ -0,0 +1 @@
+seccomp.drop chmod,fchmod,fchmodat
diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp
new file mode 100755
index 000000000..aefe816e1
--- /dev/null
+++ b/test/filters/seccomp-errno.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch seccomp-test-file\r"
+sleep 1
+
+send --  "firejail --seccomp.enoent=unlinkat rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "No such file or directory"
+}
+sleep 1
+
+send --  "firejail --seccomp.enoent=unlinkat --debug rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "unlinkat 2 ENOENT"
+}
+sleep 1
+
+send --  "firejail --seccomp.enoent=unlinkat,mkdir\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "No such file or directory"
+}
+after 100
+puts "\n"
+
+send -- "mkdir seccomp-test-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
+}
+after 100
+puts "\n"
+
+send -- "exit\r"
+sleep 1
+
+
+send --  "firejail --seccomp.enoent=unlinkat --seccomp.enoent=mkdir\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "errno enoent already configured"
+}
+sleep 1
+
+send --  "firejail --seccomp.enoent=unlinkat --seccomp.eperm=mkdir\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "rm seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "No such file or directory"
+}
+after 100
+puts "\n"
+
+send -- "mkdir seccomp-test-dir\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "Operation not permitted"
+}
+after 100
+puts "\n"
+
+send -- "exit\r"
+sleep 1
+
+
+
+
+send -- "rm seccomp-test-file\r"
+sleep 1
+puts "all done\n"
diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp
new file mode 100755
index 000000000..fba9ea92f
--- /dev/null
+++ b/test/filters/seccomp-ptrace.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --noprofile --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "strace ls\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Bad system call" {puts "version 1\n";}
+        " unexpected signal 31" {puts "version 2\n"}
+}
+
+send -- "exit\r"
+sleep 1
+puts "all done\n"
diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp
new file mode 100755
index 000000000..003f3df99
--- /dev/null
+++ b/test/filters/seccomp-su.exp
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --noprofile --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "sudo su -\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "effective uid is not 0"
+}
+
+send -- "sudo ls\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "effective uid is not 0"
+}
+
+send -- "ping google.com\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Operation not permitted"
+}
+
+send -- "exit\r"
+sleep 1
+puts "all done\n"
diff --git a/test/filters/seccomp-umount.exp b/test/filters/seccomp-umount.exp
new file mode 100755
index 000000000..6e2f8c6c2
--- /dev/null
+++ b/test/filters/seccomp-umount.exp
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "sudo ls; sudo whoami; sudo pwd\r"
+expect {
+        timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
+        "root"
+}
+
+send --  "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+
+send -- "umount /proc\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Bad system call"
+}
+
+send -- "exit\r"
+sleep 1
+puts "\n"