test apparmor

author: netblue30 <netblue30@protonmail.com> 2023-03-04 11:48:00 -0500
committer: netblue30 <netblue30@protonmail.com> 2023-03-04 11:48:00 -0500
commit: 1bab42a72483b2addd1546240d93fdd135781892 (patch)
tree: 29323f45c3ce632394dd6b8b3f874033fff42c92 /test
parent: testing: moving apparmor out from filters group (diff)
download: firejail-1bab42a72483b2addd1546240d93fdd135781892.tar.gz
firejail-1bab42a72483b2addd1546240d93fdd135781892.tar.zst
firejail-1bab42a72483b2addd1546240d93fdd135781892.zip
5 files changed, 92 insertions, 1 deletions
diff --git a/test/apparmor/apparmor-norun.exp b/test/apparmor/apparmor-norun.exp
new file mode 100755
index 000000000..625d4b4e0
--- /dev/null
+++ b/test/apparmor/apparmor-norun.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# start a bash session
+send --  "firejail --apparmor\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+# ... and try to run a local program
+send --  "./a.out --help\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Usage: ./a.out" {puts "TESTING ERROR 2\n";exit}
+        "denied"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/apparmor/apparmor-run.exp b/test/apparmor/apparmor-run.exp
new file mode 100755
index 000000000..c11b50151
--- /dev/null
+++ b/test/apparmor/apparmor-run.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+# start a bash session
+send --  "firejail --apparmor=test-profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+# ... and try to run a local program
+send --  "./a.out --help\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "denied" {puts "TESTING ERROR 2\n";exit}
+        "Usage: ./a.out"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/apparmor/apparmor.exp b/test/apparmor/apparmor.exp
index a8f73c797..4498fadd9 100755
--- a/test/apparmor/apparmor.exp
+++ b/test/apparmor/apparmor.exp
@@ -54,6 +54,6 @@ expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "AppArmor: firejail-default//&unconfined enforce"
 }
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/apparmor/apparmor.sh b/test/apparmor/apparmor.sh
new file mode 100755
index 000000000..84076fc96
--- /dev/null
+++ b/test/apparmor/apparmor.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+#       sudo /usr/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default
+if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
+        # setup
+        cp test-profile /tmp/.
+        sudo /usr/sbin/apparmor_parser -r /tmp/test-profile
+        cp /usr/bin/pwd a.out
+        echo "TESTING: apparmor firemon (test/filters/apparmor.exp)"
+        ./apparmor.exp
+        echo "TESTING: apparmor norun test (test/filters/apparmor-norun.exp)"
+        ./apparmor-norun.exp
+        echo "TESTING: apparmor run test (test/filters/apparmor-run.exp)"
+        ./apparmor-run.exp
+        # cleanup
+        rm -f a.out
+        sudo /usr/sbin/apparmor_parser -R /tmp/test-profile
+else
+        echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)"
+fi
diff --git a/test/apparmor/test-profile b/test/apparmor/test-profile
new file mode 100644
index 000000000..082ec3dc0
--- /dev/null
+++ b/test/apparmor/test-profile
@@ -0,0 +1,3 @@
+profile test-profile flags=(attach_disconnected,mediate_deleted) {
+        /{,**} rklmwix,
+}
author	netblue30 <netblue30@protonmail.com>	2023-03-04 11:48:00 -0500
committer	netblue30 <netblue30@protonmail.com>	2023-03-04 11:48:00 -0500
commit	1bab42a72483b2addd1546240d93fdd135781892 (patch)
tree	29323f45c3ce632394dd6b8b3f874033fff42c92 /test
parent	testing: moving apparmor out from filters group (diff)
download	firejail-1bab42a72483b2addd1546240d93fdd135781892.tar.gz firejail-1bab42a72483b2addd1546240d93fdd135781892.tar.zst firejail-1bab42a72483b2addd1546240d93fdd135781892.zip

diff --git a/test/apparmor/apparmor-norun.exp b/test/apparmor/apparmor-norun.exp new file mode 100755 index 000000000..625d4b4e0 --- /dev/null +++ b/test/apparmor/apparmor-norun.exp
@@ -0,0 +1,26 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2023 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	# start a bash session
		11	send -- "firejail --apparmor\r"
		12	expect {
		13	timeout {puts "TESTING ERROR 0\n";exit}
		14	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		15	}
		16	sleep 1
		17
		18	# ... and try to run a local program
		19	send -- "./a.out --help\r"
		20	expect {
		21	timeout {puts "TESTING ERROR 1\n";exit}
		22	"Usage: ./a.out" {puts "TESTING ERROR 2\n";exit}
		23	"denied"
		24	}
		25	after 500
		26	puts "\nall done\n"


diff --git a/test/apparmor/apparmor-run.exp b/test/apparmor/apparmor-run.exp new file mode 100755 index 000000000..c11b50151 --- /dev/null +++ b/test/apparmor/apparmor-run.exp
@@ -0,0 +1,26 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2023 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	# start a bash session
		11	send -- "firejail --apparmor=test-profile\r"
		12	expect {
		13	timeout {puts "TESTING ERROR 0\n";exit}
		14	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		15	}
		16	sleep 1
		17
		18	# ... and try to run a local program
		19	send -- "./a.out --help\r"
		20	expect {
		21	timeout {puts "TESTING ERROR 1\n";exit}
		22	"denied" {puts "TESTING ERROR 2\n";exit}
		23	"Usage: ./a.out"
		24	}
		25	after 500
		26	puts "\nall done\n"


diff --git a/test/apparmor/apparmor.exp b/test/apparmor/apparmor.exp index a8f73c797..4498fadd9 100755 --- a/test/apparmor/apparmor.exp +++ b/test/apparmor/apparmor.exp
@@ -54,6 +54,6 @@ expect {
54	timeout {puts "TESTING ERROR 7\n";exit}	54	timeout {puts "TESTING ERROR 7\n";exit}
55	"AppArmor: firejail-default//&unconfined enforce"	55	"AppArmor: firejail-default//&unconfined enforce"
56	}	56	}
57	after 100	57	after 500
58		58
59	puts "\nall done\n"	59	puts "\nall done\n"


diff --git a/test/apparmor/apparmor.sh b/test/apparmor/apparmor.sh new file mode 100755 index 000000000..84076fc96 --- /dev/null +++ b/test/apparmor/apparmor.sh
@@ -0,0 +1,36 @@
		1	#!/bin/bash
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2023 Firejail Authors
		4	# License GPL v2
		5
		6	export MALLOC_CHECK_=3
		7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
		8	export LC_ALL=C
		9
		10
		11	# sudo /usr/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default
		12
		13
		14	if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
		15	# setup
		16	cp test-profile /tmp/.
		17	sudo /usr/sbin/apparmor_parser -r /tmp/test-profile
		18	cp /usr/bin/pwd a.out
		19
		20	echo "TESTING: apparmor firemon (test/filters/apparmor.exp)"
		21	./apparmor.exp
		22
		23	echo "TESTING: apparmor norun test (test/filters/apparmor-norun.exp)"
		24	./apparmor-norun.exp
		25
		26	echo "TESTING: apparmor run test (test/filters/apparmor-run.exp)"
		27	./apparmor-run.exp
		28
		29	# cleanup
		30	rm -f a.out
		31	sudo /usr/sbin/apparmor_parser -R /tmp/test-profile
		32
		33	else
		34	echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)"
		35	fi
		36


diff --git a/test/apparmor/test-profile b/test/apparmor/test-profile new file mode 100644 index 000000000..082ec3dc0 --- /dev/null +++ b/test/apparmor/test-profile
@@ -0,0 +1,3 @@
		1	profile test-profile flags=(attach_disconnected,mediate_deleted) {
		2	/{,**} rklmwix,
		3	}