author | vis <vis@mailbox.org> | 2016-11-03 15:06:57 +0100 |
---|---|---|
committer | vis <vis@mailbox.org> | 2016-11-03 15:06:57 +0100 |
commit | 2aafd9bd3a96b578bf423eb8faba0efe965c52d5 (patch) | |
tree | 6ab4d26a6daad1e3972a86dbdcbe67030d710883 /test | |
parent | Improvements for Zathura profile (diff) | |
parent | removed warning if --quiet is enabled (diff) | |
Merge remote-tracking branch 'upstream/master'
Diffstat (limited to 'test')
-rwxr-xr-x | test/apps-x11-xorg/apps-x11-xorg.sh | 35 | ||||
-rwxr-xr-x | test/apps-x11-xorg/firefox.exp | 90 | ||||
-rwxr-xr-x | test/apps-x11-xorg/icedove.exp | 85 | ||||
-rwxr-xr-x | test/apps-x11-xorg/transmission-gtk.exp | 85 | ||||
-rwxr-xr-x | test/environment/allow-debuggers.exp | 18 | ||||
-rwxr-xr-x | test/filters/filters.sh | 15 | ||||
-rwxr-xr-x | test/filters/fseccomp.exp | 138 | ||||
-rwxr-xr-x | test/filters/noroot.exp | 44 | ||||
-rwxr-xr-x | test/fs/fs.sh | 3 | ||||
-rwxr-xr-x | test/fs/sys_fs.exp | 44 |
10 files changed, 526 insertions, 31 deletions
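--- /dev/null
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+which firefox
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: firefox x11 xorg"
+./firefox.exp
+else
+echo "TESTING SKIP: firefox not found"
+fi
+
+which transmission-gtk
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: transmission-gtk x11 xorg"
+./transmission-gtk.exp
+else
+echo "TESTING SKIP: transmission-gtk not found"
+fi
+
+which icedove
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: icedove x11 xorg"
+./icedove.exp
+else
+echo "TESTING SKIP: icedove not found"
+fi
+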
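Review bot: The three availability checks run `which <app>` and then test `$?` on the following line, which prints the resolved path into the test log and silently breaks if a statement is ever inserted between the two lines; `if command -v firefox >/dev/null 2>&1; then` performs the same check in one step, and likewise for transmission-gtk and icedove. The script also never inspects the exit status of `./firefox.exp` and the other two, so a failure is visible only to something that scans the output for `TESTING ERROR`. A header comment stating that, and that a running X session is presumably required for `--x11=xorg`, would help whoever wires this into automation.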
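--- /dev/null
+++ b/test/apps-x11-xorg/firefox.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"firefox" {puts "firefox detected\n";}
+"iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+timeout {puts "TESTING ERROR 3.2\n";exit}
+"no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+" firefox" {puts "firefox detected\n";}
+" iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"no-remote"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+" firefox" {puts "firefox detected\n";}
+" iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"no-remote"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+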
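Review bot: Nothing in this script observes the effect of `--x11=xorg`: after launch it asserts only `Seccomp: 2` and an all-zero `CapBnd`, so the test would presumably still pass if the X11 restriction were silently not applied. Until such an assertion exists, a comment near line 10 such as `# only seccomp and capabilities are asserted below; the X11 isolation requested by --x11=xorg is not verified` would keep the coverage claim honest. The label `TESTING ERROR 5.1` is also printed by two different expects (lines 55 and 59), so the second should become `TESTING ERROR 5.2`. Both points apply unchanged to icedove.exp and transmission-gtk.exp in this commit.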
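--- /dev/null
+++ b/test/apps-x11-xorg/icedove.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xorg icedove\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"icedove"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"icedove"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"icedove"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+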
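--- /dev/null
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xorg transmission-gtk\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"transmission-gtk"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"transmission-gtk"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"transmission-gtk"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+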
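--- a/test/environment/allow-debuggers.exp
+++ b/test/environment/allow-debuggers.exp
@@ -11,19 +11,27 @@ expect {
 "Child process initialized"
 }
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"exited with 0"
+"ioctl"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"exit_group"
 }
 after 100
 
 send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"
 expect {
-timeout {puts "TESTING ERROR 2\n";exit}
+timeout {puts "TESTING ERROR 3\n";exit}
 "Child process initialized"
 }
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"exited with 0"
+timeout {puts "TESTING ERROR 4\n";exit}
+"ioctl"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"exit_group"
 }
 after 100
 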
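Review bot: The replacement patterns `"ioctl"` and `"exit_group"` confirm that strace produced a trace inside the sandbox, but they no longer check that the traced `ls` succeeded, which the removed `"exited with 0"` did. If the old pattern was dropped because not every strace build prints that line (an assumption; the commit message does not say), matching `"exit_group(0)"` in the expects labelled ERROR 2 and ERROR 5 would keep the success check using output the test already relies on. The script begins before this hunk, so the first command being traced is not visible here.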
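--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -12,11 +12,21 @@ echo "TESTING: noroot (test/filters/noroot.exp)"
 echo "TESTING: capabilities (test/filters/caps.exp)"
 ./caps.exp
 
+rm -f seccomp-test-file
+if [ "$(uname -m)" = "x86_64" ]; then
+echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
+./fseccomp.exp
+else
+echo "TESTING SKIP: fseccomp test implemented only for x86_64"
+fi
+rm -f seccomp-test-file
+
+
 if [ "$(uname -m)" = "x86_64" ]; then
 echo "TESTING: protocol (test/filters/protocol.exp)"
 ./protocol.exp
 else
-echo "TESTING SKIP: protocol, not running on x86_64"
+echo "TESTING SKIP: protocol, running only on x86_64"
 fi
 
 echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
@@ -50,9 +60,6 @@ echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod
 echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
 ./seccomp-empty.exp
 
-echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
-./seccomp-bad-empty.exp
-
 if [ "$(uname -m)" = "x86_64" ]; then
 echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
 ./seccomp-dualfilter.exp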
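--- /dev/null
+++ b/test/filters/fseccomp.exp
@@ -0,0 +1,138 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-syscalls\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"1 - write"
+}
+
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-errnos\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"1 - EPERM"
+}
+
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-protocols\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"unix, inet, inet6, netlink, packet,"
+}
+
+after 100
+send -- "/usr/lib/firejail/fseccomp protocol build unix,inet seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+timeout {puts "TESTING ERROR 4.1\n";exit}
+"WHITELIST 41 socket"
+}
+
+after 100
+send -- "/usr/lib/firejail/fseccomp secondary 64 seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"BLACKLIST 165 mount"
+}
+expect {
+timeout {puts "TESTING ERROR 5.2\n";exit}
+"BLACKLIST 166 umount2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.3\n";exit}
+"RETURN_ALLOW"
+}
+
+after 100
+send -- "/usr/lib/firejail/fseccomp default seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"BLACKLIST 165 mount"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"BLACKLIST 166 umount2"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"RETURN_ALLOW"
+}
+
+after 100
+send -- "/usr/lib/firejail/fseccomp drop seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+timeout {puts "TESTING ERROR 7.1\n";exit}
+"BLACKLIST 165 mount" {puts "TESTING ERROR 7.2\n";exit}
+"BLACKLIST 166 umount2" {puts "TESTING ERROR 7.3\n";exit}
+"BLACKLIST 90 chmod"
+}
+expect {
+timeout {puts "TESTING ERROR 7.4\n";exit}
+"BLACKLIST 92 chown"
+}
+expect {
+timeout {puts "TESTING ERROR 7.5\n";exit}
+"RETURN_ALLOW"
+}
+
+after 100
+send -- "/usr/lib/firejail/fseccomp default drop seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+timeout {puts "TESTING ERROR 8.1\n";exit}
+"BLACKLIST 165 mount"
+}
+expect {
+timeout {puts "TESTING ERROR 8.2\n";exit}
+"BLACKLIST 166 umount2"
+}
+expect {
+timeout {puts "TESTING ERROR 8.3\n";exit}
+"BLACKLIST 90 chmod"
+}
+expect {
+timeout {puts "TESTING ERROR 8.4\n";exit}
+"BLACKLIST 92 chown"
+}
+expect {
+timeout {puts "TESTING ERROR 8.5\n";exit}
+"RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp keep seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+timeout {puts "TESTING ERROR 9.1\n";exit}
+"WHITELIST 90 chmod"
+}
+expect {
+timeout {puts "TESTING ERROR 9.2\n";exit}
+"WHITELIST 92 chown"
+}
+expect {
+timeout {puts "TESTING ERROR 9.3\n";exit}
+"KILL_PROCESS"
+}
+
+
+
+after 100
+puts "\nall done\n"
+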
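Review bot: Each filter-building command is followed only by `after 100` and a `print` of the same `seccomp-test-file`, so a build step that fails to write the file is checked against whatever the previous step left behind. This matters most for the `default` step at line 58: its three expects (6.1 to 6.3) use the same patterns the preceding `secondary 64` step already satisfied, so they would pass on the stale file. Sending `send -- "rm -f seccomp-test-file\r"` before each build command would make every `print` reflect only the step under test. The syscall numbers in the patterns (41, 90, 92, 165, 166) are architecture-specific and the x86_64 guard lives only in filters.sh, so a comment at the top of this file saying it must not be run directly on other architectures would help.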
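--- a/test/filters/noroot.exp
+++ b/test/filters/noroot.exp
@@ -46,20 +46,20 @@ expect {
 }
 send -- "sudo -s\r"
 expect {
-timeout {puts "TESTING ERROR 8\n";exit}
+timeout {puts "TESTING ERROR 7\n";exit}
 "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
 "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 "Bad system call" { puts "OK\n";}
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 7\n";exit}
+timeout {puts "TESTING ERROR 8\n";exit}
 "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"3"
+timeout {puts "TESTING ERROR 9\n";exit}
+"5"
 }
 
 puts "\n"
@@ -70,59 +70,59 @@ sleep 2
 
 send -- "firejail --name=test --noroot --noprofile\r"
 expect {
-timeout {puts "TESTING ERROR 9\n";exit}
+timeout {puts "TESTING ERROR 10\n";exit}
 "Child process initialized"
 }
 sleep 1
 
 send -- "cat /proc/self/status\r"
 expect {
-timeout {puts "TESTING ERROR 10\n";exit}
+timeout {puts "TESTING ERROR 11\n";exit}
 "CapBnd:"
 }
 expect {
-timeout {puts "TESTING ERROR 11\n";exit}
+timeout {puts "TESTING ERROR 12\n";exit}
 "ffffffff"
 }
 expect {
-timeout {puts "TESTING ERROR 12\n";exit}
+timeout {puts "TESTING ERROR 13\n";exit}
 "Seccomp:"
 }
 expect {
-timeout {puts "TESTING ERROR 13\n";exit}
+timeout {puts "TESTING ERROR 14\n";exit}
 "0"
 }
 expect {
-timeout {puts "TESTING ERROR 14\n";exit}
+timeout {puts "TESTING ERROR 15\n";exit}
 "Cpus_allowed:"
 }
 puts "\n"
 
 send -- "whoami\r"
 expect {
-timeout {puts "TESTING ERROR 15\n";exit}
+timeout {puts "TESTING ERROR 16\n";exit}
 $env(USER)
 }
 send -- "sudo -s\r"
 expect {
-timeout {puts "TESTING ERROR 16\n";exit}
+timeout {puts "TESTING ERROR 17\n";exit}
 "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
 "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 }
 send -- "ping 0\r"
 expect {
-timeout {puts "TESTING ERROR 17\n";exit}
+timeout {puts "TESTING ERROR 18\n";exit}
 "Operation not permitted"
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 18\n";exit}
+timeout {puts "TESTING ERROR 19\n";exit}
 "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 19\n";exit}
-"3"
+timeout {puts "TESTING ERROR 20\n";exit}
+"5"
 }
 
 
@@ -130,31 +130,31 @@ expect {
 spawn $env(SHELL)
 send -- "firejail --debug --join=test\r"
 expect {
-timeout {puts "TESTING ERROR 20\n";exit}
+timeout {puts "TESTING ERROR 21\n";exit}
 "User namespace detected"
 }
 expect {
-timeout {puts "TESTING ERROR 21\n";exit}
+timeout {puts "TESTING ERROR 22\n";exit}
 "Joining user namespace"
 }
 sleep 1
 
 send -- "sudo -s\r"
 expect {
-timeout {puts "TESTING ERROR 22\n";exit}
+timeout {puts "TESTING ERROR 23\n";exit}
 "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
 "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 "Permission denied" { puts "OK\n";}
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 23\n";exit}
+timeout {puts "TESTING ERROR 24\n";exit}
 "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 24\n";exit}
-"3"
+timeout {puts "TESTING ERROR 25\n";exit}
+"5"
 }
 after 100
 puts "\nall done\n"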
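Review bot: The gid_map checks now expect the bare pattern `"5"` (new lines 62, 125 and 157), which matches any `5` in the terminal output that follows, not only a `wc -l` result of exactly 5; the neighbouring `"1"` checks for uid_map have the same weakness. An anchored form such as `-re {[\r\n]5[\r\n]}` would pin the match to a line holding only the count. The expected value presumably depends on which groups exist on the host, so a comment stating which mappings make up the five lines would make a future mismatch easier to diagnose. The script starts before the first hunk, so the sandbox options used for the first block are not visible here.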
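--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -6,6 +6,9 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 
+echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
+./sys_fs.exp
+
 echo "TESTING: kmsg access (test/fs/kmsg.exp)"
 ./kmsg.exp
 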
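--- /dev/null
+++ b/test/fs/sys_fs.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Permission denied"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --noblacklist=/sys/fs\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls /sys/fs\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"cgroup"
+}
+after 100
+send -- "exit\r"
+after 100
+
+puts "\nall done\n"
+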
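Review bot: The second half of the script reuses the labels `TESTING ERROR 1` and `TESTING ERROR 2` (lines 29 and 36) that the first half already prints at lines 12 and 19, so a failure message cannot tell the default-blacklist case from the `--noblacklist=/sys/fs` case; the later two should read `TESTING ERROR 3` and `TESTING ERROR 4`. The positive check also expects the literal `"cgroup"` in the `ls /sys/fs` output, which presumably holds only on hosts with a cgroup hierarchy mounted there, and a comment saying so would explain a failure in a minimal container or chroot. Between the two sandboxes the script sends `exit` and sleeps without expecting anything, so it does not confirm that the first sandbox has ended before the second one starts.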