restrict-namespaces testing

author: smitsohu <smitsohu@gmail.com> 2023-03-02 17:34:07 +0100
committer: smitsohu <smitsohu@gmail.com> 2023-03-02 17:34:07 +0100
commit: eb8dfc1284f29afa76697f1f3e87b6374d1706fa (patch)
tree: 7f0761dc76179d733c8fe2058e1ba16063c4d809 /test
parent: network testing; merges (diff)
download: firejail-eb8dfc1284f29afa76697f1f3e87b6374d1706fa.tar.gz
firejail-eb8dfc1284f29afa76697f1f3e87b6374d1706fa.tar.zst
firejail-eb8dfc1284f29afa76697f1f3e87b6374d1706fa.zip
5 files changed, 153 insertions, 45 deletions
diff --git a/test/filters/namespaces b/test/filters/namespaces
index 721ba092e..6d36ae8e9 100755
--- a/test/filters/namespaces
+++ b/test/filters/namespaces
Binary files differ
diff --git a/test/filters/namespaces-32 b/test/filters/namespaces-32
index 4df674d1b..a5ba488a4 100755
--- a/test/filters/namespaces-32
+++ b/test/filters/namespaces-32
Binary files differ
diff --git a/test/filters/namespaces-32.exp b/test/filters/namespaces-32.exp
index 3b618bd01..f2310db3b 100755
--- a/test/filters/namespaces-32.exp
+++ b/test/filters/namespaces-32.exp
@@ -20,7 +20,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "clone successful"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r"
 expect {
@@ -31,7 +31,7 @@ expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r"
 expect {
@@ -42,7 +42,7 @@ expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
 expect {
@@ -53,9 +53,9 @@ expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup,user\r"
 expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -64,9 +64,9 @@ expect {
        timeout {puts "TESTING ERROR 9\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc,user\r"
 expect {
        timeout {puts "TESTING ERROR 10\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -75,9 +75,9 @@ expect {
        timeout {puts "TESTING ERROR 11\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,user,uts\r"
 expect {
        timeout {puts "TESTING ERROR 12\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -86,7 +86,7 @@ expect {
        timeout {puts "TESTING ERROR 13\n";exit}
        "clone successful"
 }
-after 100
+after 200
 #
 # unshare
@@ -101,7 +101,7 @@ expect {
        timeout {puts "TESTING ERROR 15\n";exit}
        "unshare successful"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r"
 expect {
@@ -112,7 +112,7 @@ expect {
        timeout {puts "TESTING ERROR 17\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r"
 expect {
@@ -123,7 +123,7 @@ expect {
        timeout {puts "TESTING ERROR 19\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
 expect {
@@ -134,9 +134,9 @@ expect {
        timeout {puts "TESTING ERROR 21\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup,user\r"
 expect {
        timeout {puts "TESTING ERROR 22\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -145,9 +145,9 @@ expect {
        timeout {puts "TESTING ERROR 23\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc,user\r"
 expect {
        timeout {puts "TESTING ERROR 24\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -156,9 +156,9 @@ expect {
        timeout {puts "TESTING ERROR 25\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,user,uts\r"
 expect {
        timeout {puts "TESTING ERROR 26\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -167,7 +167,47 @@ expect {
        timeout {puts "TESTING ERROR 27\n";exit}
        "unshare successful"
 }
+after 200
-after 100
+#
+# clone3
+#
+send --  "firejail --noprofile ./namespaces-32 clone3 cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 28\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 29\n";exit}
+        "Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"}
+        "clone3 successful" {
+                after 200
+                send --  "firejail --noprofile --restrict-namespaces ./namespaces-32 clone3 user\r"
+                expect {
+                        timeout {puts "TESTING ERROR 30\n";exit}
+                        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+                }
+                expect {
+                        timeout {puts "TESTING ERROR 31\n";exit}
+                        "Error: clone3: Function not implemented"
+                }
+                after 200
+                # clone3 arguments are not checked
+                send --  "firejail --noprofile --restrict-namespaces=mnt ./namespaces-32 clone3 cgroup,ipc,net,pid,user,uts\r"
+                expect {
+                        timeout {puts "TESTING ERROR 32\n";exit}
+                        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+                }
+                expect {
+                        timeout {puts "TESTING ERROR 33\n";exit}
+                        "Error: clone3: Function not implemented"
+                }
+        }
+}
+after 200
 puts "\nall done\n"
diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c
index ecf0fdcd1..18ebc8faa 100644
--- a/test/filters/namespaces.c
+++ b/test/filters/namespaces.c
@@ -1,21 +1,29 @@
 #define _GNU_SOURCE
 #include <errno.h>
-#include <sched.h>
+#include <linux/sched.h>
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/mman.h>
+#include <sys/wait.h>
 #include <unistd.h>
+#include <sched.h>
 #ifndef CLONE_NEWTIME
 #define CLONE_NEWTIME 0x00000080
 #endif
+#include <sys/syscall.h>
+#ifndef __NR_clone3
+#define __NR_clone3 435
+#endif
 #define STACK_SIZE 1024 * 1024
 static int usage() {
-        fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
+        fprintf(stderr, "Usage: namespaces <system call>[clone,clone3,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
        exit(1);
 }
@@ -71,8 +79,11 @@ int main (int argc, char **argv) {
                usage();
        int flags = ns_flags(argv[2]);
-        if (getuid() != 0)
-                flags |= CLONE_NEWUSER;
+        if (getuid() != 0 && (flags & CLONE_NEWUSER) != CLONE_NEWUSER) {
+                fprintf(stderr, "Error: add \"user\" to namespaces list\n");
+                exit(1);
+        }
        if (strcmp(argv[1], "clone") == 0) {
                void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
@@ -80,8 +91,25 @@ int main (int argc, char **argv) {
                if (stack == MAP_FAILED)
                        die("mmap");
-                if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0)
+                pid_t pid = clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL);
+                if (pid < 0)
                        die("clone");
+                waitpid(pid, NULL, 0);
+        }
+        else if (strcmp(argv[1], "clone3") == 0) {
+                struct clone_args args = {
+                        .flags = flags,
+                        .exit_signal = SIGCHLD,
+                };
+                pid_t pid = syscall(__NR_clone3, &args, sizeof(struct clone_args));
+                if (pid < 0)
+                        die("clone3");
+                if (pid == 0) {
+                        fprintf(stderr, "clone3 successful\n");
+                        exit(0);
+                }
+                waitpid(pid, NULL, 0);
        }
        else if (strcmp(argv[1], "unshare") == 0) {
                if (unshare(flags))
diff --git a/test/filters/namespaces.exp b/test/filters/namespaces.exp
index 96e4a774a..394826de7 100755
--- a/test/filters/namespaces.exp
+++ b/test/filters/namespaces.exp
@@ -20,7 +20,7 @@ expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        "clone successful"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces ./namespaces clone user\r"
 expect {
@@ -31,7 +31,7 @@ expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r"
 expect {
@@ -42,7 +42,7 @@ expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
 expect {
@@ -53,9 +53,9 @@ expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup,user\r"
 expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -64,9 +64,9 @@ expect {
        timeout {puts "TESTING ERROR 9\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc,user\r"
 expect {
        timeout {puts "TESTING ERROR 10\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -75,9 +75,9 @@ expect {
        timeout {puts "TESTING ERROR 11\n";exit}
        "Error: clone: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,user,uts\r"
 expect {
        timeout {puts "TESTING ERROR 12\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -86,7 +86,7 @@ expect {
        timeout {puts "TESTING ERROR 13\n";exit}
        "clone successful"
 }
-after 100
+after 200
 #
 # unshare
@@ -101,7 +101,7 @@ expect {
        timeout {puts "TESTING ERROR 15\n";exit}
        "unshare successful"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r"
 expect {
@@ -112,7 +112,7 @@ expect {
        timeout {puts "TESTING ERROR 17\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r"
 expect {
@@ -123,7 +123,7 @@ expect {
        timeout {puts "TESTING ERROR 19\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
 send --  "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
 expect {
@@ -134,9 +134,9 @@ expect {
        timeout {puts "TESTING ERROR 21\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup,user\r"
 expect {
        timeout {puts "TESTING ERROR 22\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -145,9 +145,9 @@ expect {
        timeout {puts "TESTING ERROR 23\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc,user\r"
 expect {
        timeout {puts "TESTING ERROR 24\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -156,9 +156,9 @@ expect {
        timeout {puts "TESTING ERROR 25\n";exit}
        "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
-send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r"
+send --  "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,user,uts\r"
 expect {
        timeout {puts "TESTING ERROR 26\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -167,7 +167,47 @@ expect {
        timeout {puts "TESTING ERROR 27\n";exit}
        "unshare successful"
 }
+after 200
-after 100
+#
+# clone3
+#
+send --  "firejail --noprofile ./namespaces clone3 cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+        timeout {puts "TESTING ERROR 28\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 29\n";exit}
+        "Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"}
+        "clone3 successful" {
+                after 200
+                send --  "firejail --noprofile --restrict-namespaces ./namespaces clone3 user\r"
+                expect {
+                        timeout {puts "TESTING ERROR 30\n";exit}
+                        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+                }
+                expect {
+                        timeout {puts "TESTING ERROR 31\n";exit}
+                        "Error: clone3: Function not implemented"
+                }
+                after 200
+                # clone3 arguments are not checked
+                send --  "firejail --noprofile --restrict-namespaces=mnt ./namespaces clone3 cgroup,ipc,net,pid,user,uts\r"
+                expect {
+                        timeout {puts "TESTING ERROR 32\n";exit}
+                        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+                }
+                expect {
+                        timeout {puts "TESTING ERROR 33\n";exit}
+                        "Error: clone3: Function not implemented"
+                }
+        }
+}
+after 200
 puts "\nall done\n"
author	smitsohu <smitsohu@gmail.com>	2023-03-02 17:34:07 +0100
committer	smitsohu <smitsohu@gmail.com>	2023-03-02 17:34:07 +0100
commit	eb8dfc1284f29afa76697f1f3e87b6374d1706fa (patch)
tree	7f0761dc76179d733c8fe2058e1ba16063c4d809 /test
parent	network testing; merges (diff)
download	firejail-eb8dfc1284f29afa76697f1f3e87b6374d1706fa.tar.gz firejail-eb8dfc1284f29afa76697f1f3e87b6374d1706fa.tar.zst firejail-eb8dfc1284f29afa76697f1f3e87b6374d1706fa.zip

diff --git a/test/filters/namespaces b/test/filters/namespaces index 721ba092e..6d36ae8e9 100755 --- a/test/filters/namespaces +++ b/test/filters/namespaces
Binary files differ


diff --git a/test/filters/namespaces-32 b/test/filters/namespaces-32 index 4df674d1b..a5ba488a4 100755 --- a/test/filters/namespaces-32 +++ b/test/filters/namespaces-32
Binary files differ


diff --git a/test/filters/namespaces-32.exp b/test/filters/namespaces-32.exp index 3b618bd01..f2310db3b 100755 --- a/test/filters/namespaces-32.exp +++ b/test/filters/namespaces-32.exp
@@ -20,7 +20,7 @@ expect {
20	timeout {puts "TESTING ERROR 1\n";exit}	20	timeout {puts "TESTING ERROR 1\n";exit}
21	"clone successful"	21	"clone successful"
22	}	22	}
23	after 100	23	after 200
24		24
25	send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r"	25	send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r"
26	expect {	26	expect {
@@ -31,7 +31,7 @@ expect {
31	timeout {puts "TESTING ERROR 3\n";exit}	31	timeout {puts "TESTING ERROR 3\n";exit}
32	"Error: clone: Operation not permitted"	32	"Error: clone: Operation not permitted"
33	}	33	}
34	after 100	34	after 200
35		35
36	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r"	36	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r"
37	expect {	37	expect {
@@ -42,7 +42,7 @@ expect {
42	timeout {puts "TESTING ERROR 5\n";exit}	42	timeout {puts "TESTING ERROR 5\n";exit}
43	"Error: clone: Operation not permitted"	43	"Error: clone: Operation not permitted"
44	}	44	}
45	after 100	45	after 200
46		46
47	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"	47	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
48	expect {	48	expect {
@@ -53,9 +53,9 @@ expect {
53	timeout {puts "TESTING ERROR 7\n";exit}	53	timeout {puts "TESTING ERROR 7\n";exit}
54	"Error: clone: Operation not permitted"	54	"Error: clone: Operation not permitted"
55	}	55	}
56	after 100	56	after 200
57		57
58	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r"	58	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup,user\r"
59	expect {	59	expect {
60	timeout {puts "TESTING ERROR 8\n";exit}	60	timeout {puts "TESTING ERROR 8\n";exit}
61	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	61	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -64,9 +64,9 @@ expect {
64	timeout {puts "TESTING ERROR 9\n";exit}	64	timeout {puts "TESTING ERROR 9\n";exit}
65	"Error: clone: Operation not permitted"	65	"Error: clone: Operation not permitted"
66	}	66	}
67	after 100	67	after 200
68		68
69	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r"	69	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc,user\r"
70	expect {	70	expect {
71	timeout {puts "TESTING ERROR 10\n";exit}	71	timeout {puts "TESTING ERROR 10\n";exit}
72	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	72	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -75,9 +75,9 @@ expect {
75	timeout {puts "TESTING ERROR 11\n";exit}	75	timeout {puts "TESTING ERROR 11\n";exit}
76	"Error: clone: Operation not permitted"	76	"Error: clone: Operation not permitted"
77	}	77	}
78	after 100	78	after 200
79		79
80	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r"	80	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,user,uts\r"
81	expect {	81	expect {
82	timeout {puts "TESTING ERROR 12\n";exit}	82	timeout {puts "TESTING ERROR 12\n";exit}
83	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	83	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -86,7 +86,7 @@ expect {
86	timeout {puts "TESTING ERROR 13\n";exit}	86	timeout {puts "TESTING ERROR 13\n";exit}
87	"clone successful"	87	"clone successful"
88	}	88	}
89	after 100	89	after 200
90		90
91	#	91	#
92	# unshare	92	# unshare
@@ -101,7 +101,7 @@ expect {
101	timeout {puts "TESTING ERROR 15\n";exit}	101	timeout {puts "TESTING ERROR 15\n";exit}
102	"unshare successful"	102	"unshare successful"
103	}	103	}
104	after 100	104	after 200
105		105
106	send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r"	106	send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r"
107	expect {	107	expect {
@@ -112,7 +112,7 @@ expect {
112	timeout {puts "TESTING ERROR 17\n";exit}	112	timeout {puts "TESTING ERROR 17\n";exit}
113	"Error: unshare: Operation not permitted"	113	"Error: unshare: Operation not permitted"
114	}	114	}
115	after 100	115	after 200
116		116
117	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r"	117	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r"
118	expect {	118	expect {
@@ -123,7 +123,7 @@ expect {
123	timeout {puts "TESTING ERROR 19\n";exit}	123	timeout {puts "TESTING ERROR 19\n";exit}
124	"Error: unshare: Operation not permitted"	124	"Error: unshare: Operation not permitted"
125	}	125	}
126	after 100	126	after 200
127		127
128	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"	128	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
129	expect {	129	expect {
@@ -134,9 +134,9 @@ expect {
134	timeout {puts "TESTING ERROR 21\n";exit}	134	timeout {puts "TESTING ERROR 21\n";exit}
135	"Error: unshare: Operation not permitted"	135	"Error: unshare: Operation not permitted"
136	}	136	}
137	after 100	137	after 200
138		138
139	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r"	139	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup,user\r"
140	expect {	140	expect {
141	timeout {puts "TESTING ERROR 22\n";exit}	141	timeout {puts "TESTING ERROR 22\n";exit}
142	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	142	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -145,9 +145,9 @@ expect {
145	timeout {puts "TESTING ERROR 23\n";exit}	145	timeout {puts "TESTING ERROR 23\n";exit}
146	"Error: unshare: Operation not permitted"	146	"Error: unshare: Operation not permitted"
147	}	147	}
148	after 100	148	after 200
149		149
150	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r"	150	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc,user\r"
151	expect {	151	expect {
152	timeout {puts "TESTING ERROR 24\n";exit}	152	timeout {puts "TESTING ERROR 24\n";exit}
153	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	153	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -156,9 +156,9 @@ expect {
156	timeout {puts "TESTING ERROR 25\n";exit}	156	timeout {puts "TESTING ERROR 25\n";exit}
157	"Error: unshare: Operation not permitted"	157	"Error: unshare: Operation not permitted"
158	}	158	}
159	after 100	159	after 200
160		160
161	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r"	161	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,user,uts\r"
162	expect {	162	expect {
163	timeout {puts "TESTING ERROR 26\n";exit}	163	timeout {puts "TESTING ERROR 26\n";exit}
164	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	164	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -167,7 +167,47 @@ expect {
167	timeout {puts "TESTING ERROR 27\n";exit}	167	timeout {puts "TESTING ERROR 27\n";exit}
168	"unshare successful"	168	"unshare successful"
169	}	169	}
		170	after 200
170		171
171		172
172	after 100	173	#
		174	# clone3
		175	#
		176
		177	send -- "firejail --noprofile ./namespaces-32 clone3 cgroup,ipc,mnt,net,pid,user,uts\r"
		178	expect {
		179	timeout {puts "TESTING ERROR 28\n";exit}
		180	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		181	}
		182	expect {
		183	timeout {puts "TESTING ERROR 29\n";exit}
		184	"Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"}
		185	"clone3 successful" {
		186	after 200
		187
		188	send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone3 user\r"
		189	expect {
		190	timeout {puts "TESTING ERROR 30\n";exit}
		191	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		192	}
		193	expect {
		194	timeout {puts "TESTING ERROR 31\n";exit}
		195	"Error: clone3: Function not implemented"
		196	}
		197	after 200
		198
		199	# clone3 arguments are not checked
		200	send -- "firejail --noprofile --restrict-namespaces=mnt ./namespaces-32 clone3 cgroup,ipc,net,pid,user,uts\r"
		201	expect {
		202	timeout {puts "TESTING ERROR 32\n";exit}
		203	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		204	}
		205	expect {
		206	timeout {puts "TESTING ERROR 33\n";exit}
		207	"Error: clone3: Function not implemented"
		208	}
		209	}
		210	}
		211
		212	after 200
173	puts "\nall done\n"	213	puts "\nall done\n"


diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c index ecf0fdcd1..18ebc8faa 100644 --- a/test/filters/namespaces.c +++ b/test/filters/namespaces.c
@@ -1,21 +1,29 @@
1	#define _GNU_SOURCE	1	#define _GNU_SOURCE
2	#include <errno.h>	2	#include <errno.h>
3	#include <sched.h>	3	#include <linux/sched.h>
4	#include <signal.h>	4	#include <signal.h>
5	#include <stdio.h>	5	#include <stdio.h>
6	#include <stdlib.h>	6	#include <stdlib.h>
7	#include <string.h>	7	#include <string.h>
8	#include <sys/mman.h>	8	#include <sys/mman.h>
		9	#include <sys/wait.h>
9	#include <unistd.h>	10	#include <unistd.h>
10		11
		12	#include <sched.h>
11	#ifndef CLONE_NEWTIME	13	#ifndef CLONE_NEWTIME
12	#define CLONE_NEWTIME 0x00000080	14	#define CLONE_NEWTIME 0x00000080
13	#endif	15	#endif
14		16
		17	#include <sys/syscall.h>
		18	#ifndef __NR_clone3
		19	#define __NR_clone3 435
		20	#endif
		21
15	#define STACK_SIZE 1024 * 1024	22	#define STACK_SIZE 1024 * 1024
16		23
		24
17	static int usage() {	25	static int usage() {
18	fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");	26	fprintf(stderr, "Usage: namespaces <system call>[clone,clone3,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
19	exit(1);	27	exit(1);
20	}	28	}
21		29
@@ -71,8 +79,11 @@ int main (int argc, char **argv) {
71	usage();	79	usage();
72		80
73	int flags = ns_flags(argv[2]);	81	int flags = ns_flags(argv[2]);
74	if (getuid() != 0)	82
75	flags \|= CLONE_NEWUSER;	83	if (getuid() != 0 && (flags & CLONE_NEWUSER) != CLONE_NEWUSER) {
		84	fprintf(stderr, "Error: add \"user\" to namespaces list\n");
		85	exit(1);
		86	}
76		87
77	if (strcmp(argv[1], "clone") == 0) {	88	if (strcmp(argv[1], "clone") == 0) {
78	void *stack = mmap(NULL, STACK_SIZE, PROT_READ \| PROT_WRITE,	89	void *stack = mmap(NULL, STACK_SIZE, PROT_READ \| PROT_WRITE,
@@ -80,8 +91,25 @@ int main (int argc, char **argv) {
80	if (stack == MAP_FAILED)	91	if (stack == MAP_FAILED)
81	die("mmap");	92	die("mmap");
82		93
83	if (clone(child, stack + STACK_SIZE, flags \| SIGCHLD, NULL) < 0)	94	pid_t pid = clone(child, stack + STACK_SIZE, flags \| SIGCHLD, NULL);
		95	if (pid < 0)
84	die("clone");	96	die("clone");
		97	waitpid(pid, NULL, 0);
		98	}
		99	else if (strcmp(argv[1], "clone3") == 0) {
		100	struct clone_args args = {
		101	.flags = flags,
		102	.exit_signal = SIGCHLD,
		103	};
		104
		105	pid_t pid = syscall(__NR_clone3, &args, sizeof(struct clone_args));
		106	if (pid < 0)
		107	die("clone3");
		108	if (pid == 0) {
		109	fprintf(stderr, "clone3 successful\n");
		110	exit(0);
		111	}
		112	waitpid(pid, NULL, 0);
85	}	113	}
86	else if (strcmp(argv[1], "unshare") == 0) {	114	else if (strcmp(argv[1], "unshare") == 0) {
87	if (unshare(flags))	115	if (unshare(flags))


diff --git a/test/filters/namespaces.exp b/test/filters/namespaces.exp index 96e4a774a..394826de7 100755 --- a/test/filters/namespaces.exp +++ b/test/filters/namespaces.exp
@@ -20,7 +20,7 @@ expect {
20	timeout {puts "TESTING ERROR 1\n";exit}	20	timeout {puts "TESTING ERROR 1\n";exit}
21	"clone successful"	21	"clone successful"
22	}	22	}
23	after 100	23	after 200
24		24
25	send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r"	25	send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r"
26	expect {	26	expect {
@@ -31,7 +31,7 @@ expect {
31	timeout {puts "TESTING ERROR 3\n";exit}	31	timeout {puts "TESTING ERROR 3\n";exit}
32	"Error: clone: Operation not permitted"	32	"Error: clone: Operation not permitted"
33	}	33	}
34	after 100	34	after 200
35		35
36	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r"	36	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r"
37	expect {	37	expect {
@@ -42,7 +42,7 @@ expect {
42	timeout {puts "TESTING ERROR 5\n";exit}	42	timeout {puts "TESTING ERROR 5\n";exit}
43	"Error: clone: Operation not permitted"	43	"Error: clone: Operation not permitted"
44	}	44	}
45	after 100	45	after 200
46		46
47	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"	47	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
48	expect {	48	expect {
@@ -53,9 +53,9 @@ expect {
53	timeout {puts "TESTING ERROR 7\n";exit}	53	timeout {puts "TESTING ERROR 7\n";exit}
54	"Error: clone: Operation not permitted"	54	"Error: clone: Operation not permitted"
55	}	55	}
56	after 100	56	after 200
57		57
58	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r"	58	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup,user\r"
59	expect {	59	expect {
60	timeout {puts "TESTING ERROR 8\n";exit}	60	timeout {puts "TESTING ERROR 8\n";exit}
61	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	61	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -64,9 +64,9 @@ expect {
64	timeout {puts "TESTING ERROR 9\n";exit}	64	timeout {puts "TESTING ERROR 9\n";exit}
65	"Error: clone: Operation not permitted"	65	"Error: clone: Operation not permitted"
66	}	66	}
67	after 100	67	after 200
68		68
69	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r"	69	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc,user\r"
70	expect {	70	expect {
71	timeout {puts "TESTING ERROR 10\n";exit}	71	timeout {puts "TESTING ERROR 10\n";exit}
72	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	72	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -75,9 +75,9 @@ expect {
75	timeout {puts "TESTING ERROR 11\n";exit}	75	timeout {puts "TESTING ERROR 11\n";exit}
76	"Error: clone: Operation not permitted"	76	"Error: clone: Operation not permitted"
77	}	77	}
78	after 100	78	after 200
79		79
80	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r"	80	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,user,uts\r"
81	expect {	81	expect {
82	timeout {puts "TESTING ERROR 12\n";exit}	82	timeout {puts "TESTING ERROR 12\n";exit}
83	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	83	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -86,7 +86,7 @@ expect {
86	timeout {puts "TESTING ERROR 13\n";exit}	86	timeout {puts "TESTING ERROR 13\n";exit}
87	"clone successful"	87	"clone successful"
88	}	88	}
89	after 100	89	after 200
90		90
91	#	91	#
92	# unshare	92	# unshare
@@ -101,7 +101,7 @@ expect {
101	timeout {puts "TESTING ERROR 15\n";exit}	101	timeout {puts "TESTING ERROR 15\n";exit}
102	"unshare successful"	102	"unshare successful"
103	}	103	}
104	after 100	104	after 200
105		105
106	send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r"	106	send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r"
107	expect {	107	expect {
@@ -112,7 +112,7 @@ expect {
112	timeout {puts "TESTING ERROR 17\n";exit}	112	timeout {puts "TESTING ERROR 17\n";exit}
113	"Error: unshare: Operation not permitted"	113	"Error: unshare: Operation not permitted"
114	}	114	}
115	after 100	115	after 200
116		116
117	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r"	117	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r"
118	expect {	118	expect {
@@ -123,7 +123,7 @@ expect {
123	timeout {puts "TESTING ERROR 19\n";exit}	123	timeout {puts "TESTING ERROR 19\n";exit}
124	"Error: unshare: Operation not permitted"	124	"Error: unshare: Operation not permitted"
125	}	125	}
126	after 100	126	after 200
127		127
128	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"	128	send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
129	expect {	129	expect {
@@ -134,9 +134,9 @@ expect {
134	timeout {puts "TESTING ERROR 21\n";exit}	134	timeout {puts "TESTING ERROR 21\n";exit}
135	"Error: unshare: Operation not permitted"	135	"Error: unshare: Operation not permitted"
136	}	136	}
137	after 100	137	after 200
138		138
139	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r"	139	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup,user\r"
140	expect {	140	expect {
141	timeout {puts "TESTING ERROR 22\n";exit}	141	timeout {puts "TESTING ERROR 22\n";exit}
142	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	142	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -145,9 +145,9 @@ expect {
145	timeout {puts "TESTING ERROR 23\n";exit}	145	timeout {puts "TESTING ERROR 23\n";exit}
146	"Error: unshare: Operation not permitted"	146	"Error: unshare: Operation not permitted"
147	}	147	}
148	after 100	148	after 200
149		149
150	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r"	150	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc,user\r"
151	expect {	151	expect {
152	timeout {puts "TESTING ERROR 24\n";exit}	152	timeout {puts "TESTING ERROR 24\n";exit}
153	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	153	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -156,9 +156,9 @@ expect {
156	timeout {puts "TESTING ERROR 25\n";exit}	156	timeout {puts "TESTING ERROR 25\n";exit}
157	"Error: unshare: Operation not permitted"	157	"Error: unshare: Operation not permitted"
158	}	158	}
159	after 100	159	after 200
160		160
161	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r"	161	send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,user,uts\r"
162	expect {	162	expect {
163	timeout {puts "TESTING ERROR 26\n";exit}	163	timeout {puts "TESTING ERROR 26\n";exit}
164	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	164	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -167,7 +167,47 @@ expect {
167	timeout {puts "TESTING ERROR 27\n";exit}	167	timeout {puts "TESTING ERROR 27\n";exit}
168	"unshare successful"	168	"unshare successful"
169	}	169	}
		170	after 200
170		171
171		172
172	after 100	173	#
		174	# clone3
		175	#
		176
		177	send -- "firejail --noprofile ./namespaces clone3 cgroup,ipc,mnt,net,pid,user,uts\r"
		178	expect {
		179	timeout {puts "TESTING ERROR 28\n";exit}
		180	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		181	}
		182	expect {
		183	timeout {puts "TESTING ERROR 29\n";exit}
		184	"Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"}
		185	"clone3 successful" {
		186	after 200
		187
		188	send -- "firejail --noprofile --restrict-namespaces ./namespaces clone3 user\r"
		189	expect {
		190	timeout {puts "TESTING ERROR 30\n";exit}
		191	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		192	}
		193	expect {
		194	timeout {puts "TESTING ERROR 31\n";exit}
		195	"Error: clone3: Function not implemented"
		196	}
		197	after 200
		198
		199	# clone3 arguments are not checked
		200	send -- "firejail --noprofile --restrict-namespaces=mnt ./namespaces clone3 cgroup,ipc,net,pid,user,uts\r"
		201	expect {
		202	timeout {puts "TESTING ERROR 32\n";exit}
		203	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		204	}
		205	expect {
		206	timeout {puts "TESTING ERROR 33\n";exit}
		207	"Error: clone3: Function not implemented"
		208	}
		209	}
		210	}
		211
		212	after 200
173	puts "\nall done\n"	213	puts "\nall done\n"