testing

6 files changed, 452 insertions, 0 deletions

diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 3b4a6b492..c313b80ed 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -30,6 +30,16 @@ else
         echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686."
 fi
 
+if [[ $(uname -m) == "x86_64" ]]; then
+        echo "TESTING: restrict-namespaces (test/filters/namespaces.exp)"
+        ./namespaces.exp
+elif [[ $(uname -m) == "i686" ]]; then
+        echo "TESTING: restrict-namespaces (test/filters/namespaces-32.exp)"
+        ./namespaces-32.exp
+else
+        echo "TESTING SKIP: namespaces binary only running on x86_64 and i686."
+fi
+
 echo "TESTING: debug options (test/filters/debug.exp)"
 ./debug.exp
 
diff --git a/test/filters/namespaces b/test/filters/namespaces
new file mode 100755
index 000000000..721ba092e
--- /dev/null
+++ b/test/filters/namespaces
diff --git a/test/filters/namespaces-32 b/test/filters/namespaces-32
new file mode 100755
index 000000000..4df674d1b
--- /dev/null
+++ b/test/filters/namespaces-32
diff --git a/test/filters/namespaces-32.exp b/test/filters/namespaces-32.exp
new file mode 100755
index 000000000..b643a28d3
--- /dev/null
+++ b/test/filters/namespaces-32.exp
@@ -0,0 +1,173 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+# clone
+#
+
+send --  "firejail --noprofile ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "clone successful"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "clone successful"
+}
+after 100
+
+#
+# unshare
+#
+
+send --  "firejail --noprofile ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "unshare successful"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r"
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "unshare successful"
+}
+
+
+after 100
+puts "\nall done\n"
diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c
new file mode 100644
index 000000000..06dfa4edf
--- /dev/null
+++ b/test/filters/namespaces.c
@@ -0,0 +1,96 @@
+#define _GNU_SOURCE
+#include <errno.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#ifndef CLONE_NEWTIME
+#define CLONE_NEWTIME 0x00000080
+#endif
+
+#define STACK_SIZE 1024 * 1024
+
+static int usage() {
+    fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
+    exit(1);
+}
+
+static void die(const char *msg) {
+    fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno));
+    exit(1);
+}
+
+static int ns_flags(const char *list) {
+    int flags = 0;
+
+    char *dup = strdup(list);
+    if (!dup)
+        die("cannot allocate memory");
+
+    char *token = strtok(dup, ",");
+    while (token) {
+        if (strcmp(token, "cgroup") == 0)
+            flags |= CLONE_NEWCGROUP;
+        else if (strcmp(token, "ipc") == 0)
+            flags |= CLONE_NEWIPC;
+        else if (strcmp(token, "net") == 0)
+            flags |= CLONE_NEWNET;
+        else if (strcmp(token, "mnt") == 0)
+            flags |= CLONE_NEWNS;
+        else if (strcmp(token, "pid") == 0)
+            flags |= CLONE_NEWPID;
+        else if (strcmp(token, "time") == 0)
+            flags |= CLONE_NEWTIME;
+        else if (strcmp(token, "user") == 0)
+            flags |= CLONE_NEWUSER;
+        else if (strcmp(token, "uts") == 0)
+            flags |= CLONE_NEWUTS;
+        else
+            usage();
+
+        token = strtok(NULL, ",");
+    }
+
+    free(dup);
+    return flags;
+}
+
+static int child(void *arg) {
+    (void) arg;
+
+    fprintf(stderr, "clone successful\n");
+    return 0;
+}
+
+int main (int argc, char **argv) {
+    if (argc != 3)
+        usage();
+
+    int flags = ns_flags(argv[2]);
+    if (getuid() != 0)
+        flags |= CLONE_NEWUSER;
+
+    if (strcmp(argv[1], "clone") == 0) {
+        void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
+                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+        if (stack == MAP_FAILED)
+            die("mmap");
+
+        if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0)
+            die("clone");
+    }
+    else if (strcmp(argv[1], "unshare") == 0) {
+        if (unshare(flags))
+            die("unshare");
+
+        fprintf(stderr, "unshare successful\n");
+    }
+    else
+        usage();
+
+    return 0;
+}
diff --git a/test/filters/namespaces.exp b/test/filters/namespaces.exp
new file mode 100755
index 000000000..cfa92f0ba
--- /dev/null
+++ b/test/filters/namespaces.exp
@@ -0,0 +1,173 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+# clone
+#
+
+send --  "firejail --noprofile ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "clone successful"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces ./namespaces clone user\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Error: clone: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "clone successful"
+}
+after 100
+
+#
+# unshare
+#
+
+send --  "firejail --noprofile ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "unshare successful"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r"
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 23\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r"
+expect {
+        timeout {puts "TESTING ERROR 24\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 25\n";exit}
+        "Error: unshare: Operation not permitted"
+}
+after 100
+
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "unshare successful"
+}
+
+
+after 100
+puts "\nall done\n"