diff options
38 files changed, 661 insertions, 145 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index f18b0d396..bc2f6869d 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -24,7 +24,7 @@ blacklist ${HOME}/.config/openbox/autostart | |||
24 | blacklist ${HOME}/.config/openbox/environment | 24 | blacklist ${HOME}/.config/openbox/environment |
25 | blacklist ${HOME}/.gnomerc | 25 | blacklist ${HOME}/.gnomerc |
26 | blacklist /etc/X11/Xsession.d/ | 26 | blacklist /etc/X11/Xsession.d/ |
27 | blacklist ${HOME}/.xpra | 27 | # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs |
28 | 28 | ||
29 | # VirtualBox | 29 | # VirtualBox |
30 | blacklist ${HOME}/.VirtualBox | 30 | blacklist ${HOME}/.VirtualBox |
diff --git a/etc/file.profile b/etc/file.profile index f709e7f0c..d145fe12a 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # file profile | 1 | # file profile |
2 | quiet | ||
2 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
4 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
@@ -16,7 +17,6 @@ protocol unix | |||
16 | seccomp | 17 | seccomp |
17 | shell none | 18 | shell none |
18 | tracelog | 19 | tracelog |
19 | quiet | ||
20 | x11 none | 20 | x11 none |
21 | 21 | ||
22 | blacklist /tmp/.X11-unix | 22 | blacklist /tmp/.X11-unix |
diff --git a/etc/gajim.profile b/etc/gajim.profile index b030a68b4..eb60f858b 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
@@ -1,4 +1,8 @@ | |||
1 | # Firejail profile for Gajim | 1 | # Firejail profile for Gajim |
2 | noblacklist ${HOME}/.cache/gajim | ||
3 | noblacklist ${HOME}/.local/share/gajim | ||
4 | noblacklist ${HOME}/.config/gajim | ||
5 | |||
2 | mkdir ${HOME}/.cache/gajim | 6 | mkdir ${HOME}/.cache/gajim |
3 | mkdir ${HOME}/.local/share/gajim | 7 | mkdir ${HOME}/.local/share/gajim |
4 | mkdir ${HOME}/.config/gajim | 8 | mkdir ${HOME}/.config/gajim |
@@ -29,4 +33,6 @@ seccomp | |||
29 | shell none | 33 | shell none |
30 | 34 | ||
31 | #private-bin python2.7 gajim | 35 | #private-bin python2.7 gajim |
36 | #private-etc fonts | ||
32 | private-dev | 37 | private-dev |
38 | #private-tmp | ||
diff --git a/etc/git.profile b/etc/git.profile index edb59ce13..d60e58c03 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # git profile | 1 | # git profile |
2 | quiet | ||
2 | noblacklist ~/.gitconfig | 3 | noblacklist ~/.gitconfig |
3 | noblacklist ~/.ssh | 4 | noblacklist ~/.ssh |
4 | noblacklist ~/.gnupg | 5 | noblacklist ~/.gnupg |
@@ -19,7 +20,6 @@ nonewprivs | |||
19 | noroot | 20 | noroot |
20 | nosound | 21 | nosound |
21 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
22 | quiet | ||
23 | seccomp | 23 | seccomp |
24 | shell none | 24 | shell none |
25 | 25 | ||
diff --git a/etc/gzip.profile b/etc/gzip.profile index d51b9a951..feb27c150 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # gzip profile | 1 | # gzip profile |
2 | quiet | ||
2 | ignore noroot | 3 | ignore noroot |
3 | include /etc/firejail/default.profile | 4 | include /etc/firejail/default.profile |
4 | 5 | ||
@@ -7,7 +8,6 @@ blacklist /tmp/.X11-unix | |||
7 | net none | 8 | net none |
8 | no3d | 9 | no3d |
9 | nosound | 10 | nosound |
10 | quiet | ||
11 | shell none | 11 | shell none |
12 | tracelog | 12 | tracelog |
13 | 13 | ||
diff --git a/etc/strings.profile b/etc/strings.profile index 7c464bf88..2b7724b11 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -1,10 +1,10 @@ | |||
1 | # strings profile | 1 | # strings profile |
2 | quiet | ||
2 | ignore noroot | 3 | ignore noroot |
3 | include /etc/firejail/default.profile | 4 | include /etc/firejail/default.profile |
4 | 5 | ||
5 | net none | 6 | net none |
6 | nosound | 7 | nosound |
7 | quiet | ||
8 | shell none | 8 | shell none |
9 | tracelog | 9 | tracelog |
10 | 10 | ||
diff --git a/etc/tar.profile b/etc/tar.profile index 91fdaf48d..3addb02fb 100644 --- a/etc/tar.profile +++ b/etc/tar.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # tar profile | 1 | # tar profile |
2 | quiet | ||
2 | ignore noroot | 3 | ignore noroot |
3 | include /etc/firejail/default.profile | 4 | include /etc/firejail/default.profile |
4 | 5 | ||
@@ -8,7 +9,6 @@ hostname tar | |||
8 | net none | 9 | net none |
9 | no3d | 10 | no3d |
10 | nosound | 11 | nosound |
11 | quiet | ||
12 | shell none | 12 | shell none |
13 | tracelog | 13 | tracelog |
14 | 14 | ||
diff --git a/etc/unrar.profile b/etc/unrar.profile index 0700cafe9..bde6f4e22 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # unrar profile | 1 | # unrar profile |
2 | quiet | ||
2 | ignore noroot | 3 | ignore noroot |
3 | include /etc/firejail/default.profile | 4 | include /etc/firejail/default.profile |
4 | 5 | ||
@@ -8,7 +9,6 @@ hostname unrar | |||
8 | net none | 9 | net none |
9 | no3d | 10 | no3d |
10 | nosound | 11 | nosound |
11 | quiet | ||
12 | shell none | 12 | shell none |
13 | tracelog | 13 | tracelog |
14 | 14 | ||
diff --git a/etc/unzip.profile b/etc/unzip.profile index a43785795..8c10d11a0 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # unzip profile | 1 | # unzip profile |
2 | quiet | ||
2 | ignore noroot | 3 | ignore noroot |
3 | include /etc/firejail/default.profile | 4 | include /etc/firejail/default.profile |
4 | blacklist /tmp/.X11-unix | 5 | blacklist /tmp/.X11-unix |
@@ -7,7 +8,6 @@ hostname unzip | |||
7 | net none | 8 | net none |
8 | no3d | 9 | no3d |
9 | nosound | 10 | nosound |
10 | quiet | ||
11 | shell none | 11 | shell none |
12 | tracelog | 12 | tracelog |
13 | 13 | ||
diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 5ba0896ab..d5b750a13 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # uudeview profile | 1 | # uudeview profile |
2 | quiet | ||
2 | ignore noroot | 3 | ignore noroot |
3 | include /etc/firejail/default.profile | 4 | include /etc/firejail/default.profile |
4 | 5 | ||
@@ -7,7 +8,6 @@ blacklist /etc | |||
7 | hostname uudeview | 8 | hostname uudeview |
8 | net none | 9 | net none |
9 | nosound | 10 | nosound |
10 | quiet | ||
11 | shell none | 11 | shell none |
12 | tracelog | 12 | tracelog |
13 | 13 | ||
diff --git a/etc/wget.profile b/etc/wget.profile index ad2b03b33..d9bca2acc 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # wget profile | 1 | # wget profile |
2 | quiet | ||
2 | include /etc/firejail/disable-common.inc | 3 | include /etc/firejail/disable-common.inc |
3 | include /etc/firejail/disable-programs.inc | 4 | include /etc/firejail/disable-programs.inc |
4 | include /etc/firejail/disable-passwdmgr.inc | 5 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/xzdec.profile b/etc/xzdec.profile index 04f98cef6..6164e3200 100644 --- a/etc/xzdec.profile +++ b/etc/xzdec.profile | |||
@@ -1,4 +1,5 @@ | |||
1 | # xzdec profile | 1 | # xzdec profile |
2 | quiet | ||
2 | ignore noroot | 3 | ignore noroot |
3 | include /etc/firejail/default.profile | 4 | include /etc/firejail/default.profile |
4 | 5 | ||
@@ -7,7 +8,6 @@ blacklist /tmp/.X11-unix | |||
7 | net none | 8 | net none |
8 | no3d | 9 | no3d |
9 | nosound | 10 | nosound |
10 | quiet | ||
11 | shell none | 11 | shell none |
12 | tracelog | 12 | tracelog |
13 | 13 | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 40dda07ff..369abdc20 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -17,7 +17,6 @@ transmission-qt | |||
17 | transmission-cli | 17 | transmission-cli |
18 | transmission-show | 18 | transmission-show |
19 | uget-gtk | 19 | uget-gtk |
20 | wget | ||
21 | 20 | ||
22 | # browsers/email | 21 | # browsers/email |
23 | abrowser | 22 | abrowser |
@@ -187,21 +186,14 @@ atom | |||
187 | atom-beta | 186 | atom-beta |
188 | gpa | 187 | gpa |
189 | gpg | 188 | gpg |
190 | # don't run ssh-agent and gpg-agent with firejail by default | ||
191 | # this will break many processes using them in the background | ||
192 | # ssh-agent | ||
193 | # gpg-agent | ||
194 | git | ||
195 | ranger | 189 | ranger |
196 | keepass | 190 | keepass |
197 | keepass2 | 191 | keepass2 |
198 | keepassx | 192 | keepassx |
199 | pluma | 193 | pluma |
200 | ssh | ||
201 | tracker | 194 | tracker |
202 | xiphos | 195 | xiphos |
203 | xed | 196 | xed |
204 | xpra | ||
205 | 197 | ||
206 | # weather/climate | 198 | # weather/climate |
207 | aweather | 199 | aweather |
@@ -212,13 +204,3 @@ ark | |||
212 | atool | 204 | atool |
213 | file-roller | 205 | file-roller |
214 | 206 | ||
215 | # when used by other processes in the background, it will break stuff | ||
216 | #7z | ||
217 | #cpio | ||
218 | #gtar | ||
219 | #gzip | ||
220 | #tar | ||
221 | #unrar | ||
222 | #unzip | ||
223 | #xz | ||
224 | #xzdec | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 61de17bf8..d172efce1 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -43,6 +43,8 @@ | |||
43 | #define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol" | 43 | #define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol" |
44 | #define RUN_HOME_DIR "/run/firejail/mnt/home" | 44 | #define RUN_HOME_DIR "/run/firejail/mnt/home" |
45 | #define RUN_ETC_DIR "/run/firejail/mnt/etc" | 45 | #define RUN_ETC_DIR "/run/firejail/mnt/etc" |
46 | #define RUN_OPT_DIR "/run/firejail/mnt/opt" | ||
47 | #define RUN_SRV_DIR "/run/firejail/mnt/srv" | ||
46 | #define RUN_BIN_DIR "/run/firejail/mnt/bin" | 48 | #define RUN_BIN_DIR "/run/firejail/mnt/bin" |
47 | #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" | 49 | #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" |
48 | 50 | ||
@@ -200,6 +202,8 @@ typedef struct config_t { | |||
200 | char *home_private; // private home directory | 202 | char *home_private; // private home directory |
201 | char *home_private_keep; // keep list for private home directory | 203 | char *home_private_keep; // keep list for private home directory |
202 | char *etc_private_keep; // keep list for private etc directory | 204 | char *etc_private_keep; // keep list for private etc directory |
205 | char *opt_private_keep; // keep list for private opt directory | ||
206 | char *srv_private_keep; // keep list for private srv directory | ||
203 | char *bin_private_keep; // keep list for private bin directory | 207 | char *bin_private_keep; // keep list for private bin directory |
204 | char *cwd; // current working directory | 208 | char *cwd; // current working directory |
205 | char *overlay_dir; | 209 | char *overlay_dir; |
@@ -315,6 +319,8 @@ extern int arg_doubledash; // double dash | |||
315 | extern int arg_shell_none; // run the program directly without a shell | 319 | extern int arg_shell_none; // run the program directly without a shell |
316 | extern int arg_private_dev; // private dev directory | 320 | extern int arg_private_dev; // private dev directory |
317 | extern int arg_private_etc; // private etc directory | 321 | extern int arg_private_etc; // private etc directory |
322 | extern int arg_private_opt; // private opt directory | ||
323 | extern int arg_private_srv; // private srv directory | ||
318 | extern int arg_private_bin; // private bin directory | 324 | extern int arg_private_bin; // private bin directory |
319 | extern int arg_private_tmp; // private tmp directory | 325 | extern int arg_private_tmp; // private tmp directory |
320 | extern int arg_scan; // arp-scan all interfaces | 326 | extern int arg_scan; // arp-scan all interfaces |
@@ -556,7 +562,7 @@ void network_del_run_file(pid_t pid); | |||
556 | void network_set_run_file(pid_t pid); | 562 | void network_set_run_file(pid_t pid); |
557 | 563 | ||
558 | // fs_etc.c | 564 | // fs_etc.c |
559 | void fs_private_etc_list(void); | 565 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); |
560 | 566 | ||
561 | // no_sandbox.c | 567 | // no_sandbox.c |
562 | int check_namespace_virt(void); | 568 | int check_namespace_virt(void); |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 80329d5ba..9a28ac601 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -47,7 +47,7 @@ errexit: | |||
47 | exit(1); | 47 | exit(1); |
48 | } | 48 | } |
49 | 49 | ||
50 | static void duplicate(char *fname) { | 50 | static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { |
51 | if (*fname == '~' || *fname == '/' || strstr(fname, "..")) { | 51 | if (*fname == '~' || *fname == '/' || strstr(fname, "..")) { |
52 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); | 52 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); |
53 | exit(1); | 53 | exit(1); |
@@ -55,40 +55,44 @@ static void duplicate(char *fname) { | |||
55 | invalid_filename(fname); | 55 | invalid_filename(fname); |
56 | 56 | ||
57 | char *src; | 57 | char *src; |
58 | if (asprintf(&src, "/etc/%s", fname) == -1) | 58 | if (asprintf(&src, "%s/%s", private_dir, fname) == -1) |
59 | errExit("asprintf"); | 59 | errExit("asprintf"); |
60 | if (check_dir_or_file(src) == 0) { | 60 | if (check_dir_or_file(src) == 0) { |
61 | if (!arg_quiet) | 61 | if (!arg_quiet) |
62 | fprintf(stderr, "Warning: skipping %s for private bin\n", fname); | 62 | fprintf(stderr, "Warning: skipping %s for private %s\n", fname, private_dir); |
63 | free(src); | 63 | free(src); |
64 | return; | 64 | return; |
65 | } | 65 | } |
66 | 66 | ||
67 | if (arg_debug) | ||
68 | printf("copying %s to private %s\n", src, private_dir); | ||
69 | |||
67 | struct stat s; | 70 | struct stat s; |
68 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { | 71 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { |
69 | // create the directory in RUN_ETC_DIR | 72 | // create the directory in RUN_ETC_DIR |
70 | char *dirname; | 73 | char *dirname; |
71 | if (asprintf(&dirname, "%s/%s", RUN_ETC_DIR, fname) == -1) | 74 | if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1) |
72 | errExit("asprintf"); | 75 | errExit("asprintf"); |
73 | create_empty_dir_as_root(dirname, s.st_mode); | 76 | create_empty_dir_as_root(dirname, s.st_mode); |
74 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname); | 77 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname); |
75 | free(dirname); | 78 | free(dirname); |
76 | } | 79 | } |
77 | else | 80 | else |
78 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, RUN_ETC_DIR); | 81 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir); |
79 | 82 | ||
80 | fs_logger2("clone", src); | 83 | fs_logger2("clone", src); |
81 | free(src); | 84 | free(src); |
82 | } | 85 | } |
83 | 86 | ||
84 | 87 | ||
85 | void fs_private_etc_list(void) { | 88 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list) { |
86 | char *private_list = cfg.etc_private_keep; | 89 | assert(private_dir); |
90 | assert(private_run_dir); | ||
87 | assert(private_list); | 91 | assert(private_list); |
88 | 92 | ||
89 | // create /run/firejail/mnt/etc directory | 93 | // create /run/firejail/mnt/etc directory |
90 | mkdir_attr(RUN_ETC_DIR, 0755, 0, 0); | 94 | mkdir_attr(private_run_dir, 0755, 0, 0); |
91 | fs_logger("tmpfs /etc"); | 95 | fs_logger2("tmpfs", private_dir); |
92 | 96 | ||
93 | fs_logger_print(); // save the current log | 97 | fs_logger_print(); // save the current log |
94 | 98 | ||
@@ -97,7 +101,7 @@ void fs_private_etc_list(void) { | |||
97 | // using a new child process with root privileges | 101 | // using a new child process with root privileges |
98 | if (*private_list != '\0') { | 102 | if (*private_list != '\0') { |
99 | if (arg_debug) | 103 | if (arg_debug) |
100 | printf("Copying files in the new etc directory:\n"); | 104 | printf("Copying files in the new %s directory:\n", private_dir); |
101 | 105 | ||
102 | // copy the list of files in the new home directory | 106 | // copy the list of files in the new home directory |
103 | char *dlist = strdup(private_list); | 107 | char *dlist = strdup(private_list); |
@@ -106,18 +110,18 @@ void fs_private_etc_list(void) { | |||
106 | 110 | ||
107 | 111 | ||
108 | char *ptr = strtok(dlist, ","); | 112 | char *ptr = strtok(dlist, ","); |
109 | duplicate(ptr); | 113 | duplicate(ptr, private_dir, private_run_dir); |
110 | 114 | ||
111 | while ((ptr = strtok(NULL, ",")) != NULL) | 115 | while ((ptr = strtok(NULL, ",")) != NULL) |
112 | duplicate(ptr); | 116 | duplicate(ptr, private_dir, private_run_dir); |
113 | free(dlist); | 117 | free(dlist); |
114 | fs_logger_print(); | 118 | fs_logger_print(); |
115 | } | 119 | } |
116 | 120 | ||
117 | if (arg_debug) | 121 | if (arg_debug) |
118 | printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); | 122 | printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir); |
119 | if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) | 123 | if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0) |
120 | errExit("mount bind"); | 124 | errExit("mount bind"); |
121 | fs_logger("mount /etc"); | 125 | fs_logger2("mount", private_dir); |
122 | } | 126 | } |
123 | 127 | ||
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 2aa4a1b54..bdc5ecaf3 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -65,10 +65,9 @@ static void build_list(const char *srcdir) { | |||
65 | struct stat s; | 65 | struct stat s; |
66 | char *name; | 66 | char *name; |
67 | if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1) | 67 | if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1) |
68 | continue; | 68 | errExit("asprintf"); |
69 | if (stat(name, &s) == -1) | 69 | if (stat(name, &s) == -1 || |
70 | continue; | 70 | S_ISLNK(s.st_mode)) { |
71 | if (S_ISLNK(s.st_mode)) { | ||
72 | free(name); | 71 | free(name); |
73 | continue; | 72 | continue; |
74 | } | 73 | } |
@@ -143,7 +142,7 @@ void fs_var_log(void) { | |||
143 | fs_logger("touch /var/log/btmp"); | 142 | fs_logger("touch /var/log/btmp"); |
144 | } | 143 | } |
145 | else | 144 | else |
146 | fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n"); | 145 | fprintf(stderr, "Warning: cannot hide /var/log directory\n"); |
147 | } | 146 | } |
148 | 147 | ||
149 | void fs_var_lib(void) { | 148 | void fs_var_lib(void) { |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 7b32021be..b10858411 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -95,34 +95,29 @@ static char *resolve_downloads(void) { | |||
95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) | 95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) |
96 | errExit("asprintf"); | 96 | errExit("asprintf"); |
97 | 97 | ||
98 | if (stat(fname, &s) == -1) { | 98 | if (stat(fname, &s) == -1) |
99 | fprintf(stderr, "***\n"); | ||
100 | fprintf(stderr, "*** Error: directory %s not found.\n", fname); | ||
101 | fprintf(stderr, "*** \tThis directory is configured in ~/.config/user-dirs.dirs.\n"); | ||
102 | fprintf(stderr, "*** \tPlease create a Downloads directory.\n"); | ||
103 | fprintf(stderr, "***\n"); | ||
104 | free(fname); | 99 | free(fname); |
105 | return NULL; | 100 | goto errout; |
106 | } | ||
107 | 101 | ||
108 | char *rv; | 102 | char *rv; |
109 | if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) | 103 | if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) |
110 | errExit("asprintf"); | 104 | errExit("asprintf"); |
111 | return rv; | 105 | return rv; |
112 | } | 106 | } |
113 | else { | 107 | else |
114 | fprintf(stderr, "***\n"); | 108 | goto errout; |
115 | fprintf(stderr, "*** Error: invalid XDG_DOWNLOAD_DIR entry in ~/.config/user-dirs.dirs.\n"); | ||
116 | fprintf(stderr, "*** \tPlease specify a valid Downloads directory, example:\n"); | ||
117 | fprintf(stderr, "***\n"); | ||
118 | fprintf(stderr, "***\t\tXDG_DOWNLOAD_DIR=\"$HOME/Downloads\"\n"); | ||
119 | fprintf(stderr, "***\n"); | ||
120 | return NULL; | ||
121 | } | ||
122 | } | 109 | } |
123 | } | 110 | } |
124 | } | 111 | } |
112 | |||
125 | fclose(fp); | 113 | fclose(fp); |
114 | return NULL; | ||
115 | |||
116 | errout: | ||
117 | fprintf(stderr, "***\n"); | ||
118 | fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n"); | ||
119 | fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); | ||
120 | fprintf(stderr, "***\n"); | ||
126 | 121 | ||
127 | return NULL; | 122 | return NULL; |
128 | } | 123 | } |
@@ -181,10 +176,8 @@ static void whitelist_path(ProfileEntry *entry) { | |||
181 | if (entry->home_dir) { | 176 | if (entry->home_dir) { |
182 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { | 177 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { |
183 | fname = path + strlen(cfg.homedir); | 178 | fname = path + strlen(cfg.homedir); |
184 | if (*fname == '\0') { | 179 | if (*fname == '\0') |
185 | fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); | 180 | goto errexit; |
186 | exit(1); | ||
187 | } | ||
188 | } | 181 | } |
189 | else | 182 | else |
190 | fname = path; | 183 | fname = path; |
@@ -194,70 +187,56 @@ static void whitelist_path(ProfileEntry *entry) { | |||
194 | } | 187 | } |
195 | else if (entry->tmp_dir) { | 188 | else if (entry->tmp_dir) { |
196 | fname = path + 4; // strlen("/tmp") | 189 | fname = path + 4; // strlen("/tmp") |
197 | if (*fname == '\0') { | 190 | if (*fname == '\0') |
198 | fprintf(stderr, "Error: file %s is not in /tmp directory, exiting...\n", path); | 191 | goto errexit; |
199 | exit(1); | ||
200 | } | ||
201 | 192 | ||
202 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) | 193 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) |
203 | errExit("asprintf"); | 194 | errExit("asprintf"); |
204 | } | 195 | } |
205 | else if (entry->media_dir) { | 196 | else if (entry->media_dir) { |
206 | fname = path + 6; // strlen("/media") | 197 | fname = path + 6; // strlen("/media") |
207 | if (*fname == '\0') { | 198 | if (*fname == '\0') |
208 | fprintf(stderr, "Error: file %s is not in /media directory, exiting...\n", path); | 199 | goto errexit; |
209 | exit(1); | ||
210 | } | ||
211 | 200 | ||
212 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) | 201 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) |
213 | errExit("asprintf"); | 202 | errExit("asprintf"); |
214 | } | 203 | } |
215 | else if (entry->mnt_dir) { | 204 | else if (entry->mnt_dir) { |
216 | fname = path + 4; // strlen("/mnt") | 205 | fname = path + 4; // strlen("/mnt") |
217 | if (*fname == '\0') { | 206 | if (*fname == '\0') |
218 | fprintf(stderr, "Error: file %s is not in /mnt directory, exiting...\n", path); | 207 | goto errexit; |
219 | exit(1); | ||
220 | } | ||
221 | 208 | ||
222 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) | 209 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) |
223 | errExit("asprintf"); | 210 | errExit("asprintf"); |
224 | } | 211 | } |
225 | else if (entry->var_dir) { | 212 | else if (entry->var_dir) { |
226 | fname = path + 4; // strlen("/var") | 213 | fname = path + 4; // strlen("/var") |
227 | if (*fname == '\0') { | 214 | if (*fname == '\0') |
228 | fprintf(stderr, "Error: file %s is not in /var directory, exiting...\n", path); | 215 | goto errexit; |
229 | exit(1); | ||
230 | } | ||
231 | 216 | ||
232 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) | 217 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) |
233 | errExit("asprintf"); | 218 | errExit("asprintf"); |
234 | } | 219 | } |
235 | else if (entry->dev_dir) { | 220 | else if (entry->dev_dir) { |
236 | fname = path + 4; // strlen("/dev") | 221 | fname = path + 4; // strlen("/dev") |
237 | if (*fname == '\0') { | 222 | if (*fname == '\0') |
238 | fprintf(stderr, "Error: file %s is not in /dev directory, exiting...\n", path); | 223 | goto errexit; |
239 | exit(1); | ||
240 | } | ||
241 | 224 | ||
242 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) | 225 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) |
243 | errExit("asprintf"); | 226 | errExit("asprintf"); |
244 | } | 227 | } |
245 | else if (entry->opt_dir) { | 228 | else if (entry->opt_dir) { |
246 | fname = path + 4; // strlen("/opt") | 229 | fname = path + 4; // strlen("/opt") |
247 | if (*fname == '\0') { | 230 | if (*fname == '\0') |
248 | fprintf(stderr, "Error: file %s is not in /opt directory, exiting...\n", path); | 231 | goto errexit; |
249 | exit(1); | ||
250 | } | ||
251 | 232 | ||
252 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) | 233 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) |
253 | errExit("asprintf"); | 234 | errExit("asprintf"); |
254 | } | 235 | } |
255 | else if (entry->srv_dir) { | 236 | else if (entry->srv_dir) { |
256 | fname = path + 4; // strlen("/srv") | 237 | fname = path + 4; // strlen("/srv") |
257 | if (*fname == '\0') { | 238 | if (*fname == '\0') |
258 | fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path); | 239 | goto errexit; |
259 | exit(1); | ||
260 | } | ||
261 | 240 | ||
262 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) | 241 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) |
263 | errExit("asprintf"); | 242 | errExit("asprintf"); |
@@ -305,6 +284,11 @@ static void whitelist_path(ProfileEntry *entry) { | |||
305 | errExit("mount bind"); | 284 | errExit("mount bind"); |
306 | 285 | ||
307 | free(wfile); | 286 | free(wfile); |
287 | return; | ||
288 | |||
289 | errexit: | ||
290 | fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path); | ||
291 | exit(1); | ||
308 | } | 292 | } |
309 | 293 | ||
310 | 294 | ||
@@ -432,8 +416,6 @@ void fs_whitelist(void) { | |||
432 | tmp_dir = 1; | 416 | tmp_dir = 1; |
433 | // both path and absolute path are under /tmp | 417 | // both path and absolute path are under /tmp |
434 | if (strncmp(fname, "/tmp/", 5) != 0) { | 418 | if (strncmp(fname, "/tmp/", 5) != 0) { |
435 | if (arg_debug) | ||
436 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
437 | goto errexit; | 419 | goto errexit; |
438 | } | 420 | } |
439 | } | 421 | } |
@@ -442,8 +424,6 @@ void fs_whitelist(void) { | |||
442 | media_dir = 1; | 424 | media_dir = 1; |
443 | // both path and absolute path are under /media | 425 | // both path and absolute path are under /media |
444 | if (strncmp(fname, "/media/", 7) != 0) { | 426 | if (strncmp(fname, "/media/", 7) != 0) { |
445 | if (arg_debug) | ||
446 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
447 | goto errexit; | 427 | goto errexit; |
448 | } | 428 | } |
449 | } | 429 | } |
@@ -452,8 +432,6 @@ void fs_whitelist(void) { | |||
452 | mnt_dir = 1; | 432 | mnt_dir = 1; |
453 | // both path and absolute path are under /mnt | 433 | // both path and absolute path are under /mnt |
454 | if (strncmp(fname, "/mnt/", 5) != 0) { | 434 | if (strncmp(fname, "/mnt/", 5) != 0) { |
455 | if (arg_debug) | ||
456 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
457 | goto errexit; | 435 | goto errexit; |
458 | } | 436 | } |
459 | } | 437 | } |
@@ -467,8 +445,6 @@ void fs_whitelist(void) { | |||
467 | else if (strcmp(new_name, "/var/lock")== 0) | 445 | else if (strcmp(new_name, "/var/lock")== 0) |
468 | ; | 446 | ; |
469 | else if (strncmp(fname, "/var/", 5) != 0) { | 447 | else if (strncmp(fname, "/var/", 5) != 0) { |
470 | if (arg_debug) | ||
471 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
472 | goto errexit; | 448 | goto errexit; |
473 | } | 449 | } |
474 | } | 450 | } |
@@ -477,8 +453,6 @@ void fs_whitelist(void) { | |||
477 | dev_dir = 1; | 453 | dev_dir = 1; |
478 | // both path and absolute path are under /dev | 454 | // both path and absolute path are under /dev |
479 | if (strncmp(fname, "/dev/", 5) != 0) { | 455 | if (strncmp(fname, "/dev/", 5) != 0) { |
480 | if (arg_debug) | ||
481 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
482 | goto errexit; | 456 | goto errexit; |
483 | } | 457 | } |
484 | } | 458 | } |
@@ -487,8 +461,6 @@ void fs_whitelist(void) { | |||
487 | opt_dir = 1; | 461 | opt_dir = 1; |
488 | // both path and absolute path are under /dev | 462 | // both path and absolute path are under /dev |
489 | if (strncmp(fname, "/opt/", 5) != 0) { | 463 | if (strncmp(fname, "/opt/", 5) != 0) { |
490 | if (arg_debug) | ||
491 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
492 | goto errexit; | 464 | goto errexit; |
493 | } | 465 | } |
494 | } | 466 | } |
@@ -497,14 +469,10 @@ void fs_whitelist(void) { | |||
497 | srv_dir = 1; | 469 | srv_dir = 1; |
498 | // both path and absolute path are under /srv | 470 | // both path and absolute path are under /srv |
499 | if (strncmp(fname, "/srv/", 5) != 0) { | 471 | if (strncmp(fname, "/srv/", 5) != 0) { |
500 | if (arg_debug) | ||
501 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
502 | goto errexit; | 472 | goto errexit; |
503 | } | 473 | } |
504 | } | 474 | } |
505 | else { | 475 | else { |
506 | if (arg_debug) | ||
507 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
508 | goto errexit; | 476 | goto errexit; |
509 | } | 477 | } |
510 | 478 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 0929347b7..4ccbb6a86 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -88,6 +88,8 @@ int arg_doubledash = 0; // double dash | |||
88 | int arg_shell_none = 0; // run the program directly without a shell | 88 | int arg_shell_none = 0; // run the program directly without a shell |
89 | int arg_private_dev = 0; // private dev directory | 89 | int arg_private_dev = 0; // private dev directory |
90 | int arg_private_etc = 0; // private etc directory | 90 | int arg_private_etc = 0; // private etc directory |
91 | int arg_private_opt = 0; // private opt directory | ||
92 | int arg_private_srv = 0; // private srv directory | ||
91 | int arg_private_bin = 0; // private bin directory | 93 | int arg_private_bin = 0; // private bin directory |
92 | int arg_private_tmp = 0; // private tmp directory | 94 | int arg_private_tmp = 0; // private tmp directory |
93 | int arg_scan = 0; // arp-scan all interfaces | 95 | int arg_scan = 0; // arp-scan all interfaces |
@@ -1624,6 +1626,24 @@ int main(int argc, char **argv) { | |||
1624 | } | 1626 | } |
1625 | arg_private_etc = 1; | 1627 | arg_private_etc = 1; |
1626 | } | 1628 | } |
1629 | else if (strncmp(argv[i], "--private-opt=", 14) == 0) { | ||
1630 | // extract private opt list | ||
1631 | cfg.opt_private_keep = argv[i] + 14; | ||
1632 | if (*cfg.opt_private_keep == '\0') { | ||
1633 | fprintf(stderr, "Error: invalid private-opt option\n"); | ||
1634 | exit(1); | ||
1635 | } | ||
1636 | arg_private_opt = 1; | ||
1637 | } | ||
1638 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { | ||
1639 | // extract private srv list | ||
1640 | cfg.srv_private_keep = argv[i] + 14; | ||
1641 | if (*cfg.srv_private_keep == '\0') { | ||
1642 | fprintf(stderr, "Error: invalid private-etc option\n"); | ||
1643 | exit(1); | ||
1644 | } | ||
1645 | arg_private_srv = 1; | ||
1646 | } | ||
1627 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 1647 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
1628 | // extract private bin list | 1648 | // extract private bin list |
1629 | cfg.bin_private_keep = argv[i] + 14; | 1649 | cfg.bin_private_keep = argv[i] + 14; |
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index ef4915f15..9e759ec70 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -47,14 +47,8 @@ void check_netfilter_file(const char *fname) { | |||
47 | EUID_ASSERT(); | 47 | EUID_ASSERT(); |
48 | invalid_filename(fname); | 48 | invalid_filename(fname); |
49 | 49 | ||
50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) { | 50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { |
51 | fprintf(stderr, "Error: invalid network filter file\n"); | 51 | fprintf(stderr, "Error: invalid network filter file %s\n", fname); |
52 | exit(1); | ||
53 | } | ||
54 | |||
55 | // access call checks as real UID/GID, not as effective UID/GID | ||
56 | if (access(fname, R_OK)) { | ||
57 | fprintf(stderr, "Error: cannot access network filter file\n"); | ||
58 | exit(1); | 52 | exit(1); |
59 | } | 53 | } |
60 | } | 54 | } |
@@ -101,7 +95,10 @@ void netfilter(const char *fname) { | |||
101 | // push filter | 95 | // push filter |
102 | if (arg_debug) | 96 | if (arg_debug) |
103 | printf("Installing network filter:\n%s\n", filter); | 97 | printf("Installing network filter:\n%s\n", filter); |
104 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, iptables_restore); | 98 | |
99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter | ||
100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | ||
101 | sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore); | ||
105 | unlink(SBOX_STDIN_FILE); | 102 | unlink(SBOX_STDIN_FILE); |
106 | 103 | ||
107 | // debug | 104 | // debug |
@@ -138,7 +135,7 @@ void netfilter6(const char *fname) { | |||
138 | char *filter = read_text_file_or_exit(fname); | 135 | char *filter = read_text_file_or_exit(fname); |
139 | FILE *fp = fopen(SBOX_STDIN_FILE, "w"); | 136 | FILE *fp = fopen(SBOX_STDIN_FILE, "w"); |
140 | if (!fp) { | 137 | if (!fp) { |
141 | fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n"); | 138 | fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE); |
142 | exit(1); | 139 | exit(1); |
143 | } | 140 | } |
144 | fprintf(fp, "%s\n", filter); | 141 | fprintf(fp, "%s\n", filter); |
@@ -147,7 +144,10 @@ void netfilter6(const char *fname) { | |||
147 | // push filter | 144 | // push filter |
148 | if (arg_debug) | 145 | if (arg_debug) |
149 | printf("Installing network filter:\n%s\n", filter); | 146 | printf("Installing network filter:\n%s\n", filter); |
150 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP | SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); | 147 | |
148 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter | ||
149 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | ||
150 | sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); | ||
151 | unlink(SBOX_STDIN_FILE); | 151 | unlink(SBOX_STDIN_FILE); |
152 | 152 | ||
153 | // debug | 153 | // debug |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 9acb1b813..2be6948f0 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -739,6 +739,22 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
739 | return 0; | 739 | return 0; |
740 | } | 740 | } |
741 | 741 | ||
742 | // private /opt list of files and directories | ||
743 | if (strncmp(ptr, "private-opt ", 12) == 0) { | ||
744 | cfg.opt_private_keep = ptr + 12; | ||
745 | arg_private_opt = 1; | ||
746 | |||
747 | return 0; | ||
748 | } | ||
749 | |||
750 | // private /srv list of files and directories | ||
751 | if (strncmp(ptr, "private-srv ", 12) == 0) { | ||
752 | cfg.srv_private_keep = ptr + 12; | ||
753 | arg_private_srv = 1; | ||
754 | |||
755 | return 0; | ||
756 | } | ||
757 | |||
742 | // private /bin list of files | 758 | // private /bin list of files |
743 | if (strncmp(ptr, "private-bin ", 12) == 0) { | 759 | if (strncmp(ptr, "private-bin ", 12) == 0) { |
744 | cfg.bin_private_keep = ptr + 12; | 760 | cfg.bin_private_keep = ptr + 12; |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index a4dce405d..753c50208 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -90,8 +90,6 @@ void run_symlink(int argc, char **argv) { | |||
90 | if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1) | 90 | if (asprintf(&firejail, "%s/bin/firejail", PREFIX) == -1) |
91 | errExit("asprintf"); | 91 | errExit("asprintf"); |
92 | 92 | ||
93 | printf("Redirecting symlink to %s\n", program); | ||
94 | |||
95 | // drop privileges | 93 | // drop privileges |
96 | if (setgid(getgid()) < 0) | 94 | if (setgid(getgid()) < 0) |
97 | errExit("setgid/getgid"); | 95 | errExit("setgid/getgid"); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0a6777fef..68b8f554d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -671,13 +671,33 @@ int sandbox(void* sandbox_arg) { | |||
671 | else if (arg_overlay) | 671 | else if (arg_overlay) |
672 | fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n"); | 672 | fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n"); |
673 | else { | 673 | else { |
674 | fs_private_etc_list(); | 674 | fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); |
675 | // create /etc/ld.so.preload file again | 675 | // create /etc/ld.so.preload file again |
676 | if (arg_trace || arg_tracelog || mask_x11_abstract_socket) | 676 | if (arg_trace || arg_tracelog || mask_x11_abstract_socket) |
677 | fs_trace_preload(); | 677 | fs_trace_preload(); |
678 | } | 678 | } |
679 | } | 679 | } |
680 | 680 | ||
681 | if (arg_private_opt) { | ||
682 | if (cfg.chrootdir) | ||
683 | fprintf(stderr, "Warning: private-opt feature is disabled in chroot\n"); | ||
684 | else if (arg_overlay) | ||
685 | fprintf(stderr, "Warning: private-opt feature is disabled in overlay\n"); | ||
686 | else { | ||
687 | fs_private_dir_list("/opt", RUN_OPT_DIR, cfg.opt_private_keep); | ||
688 | } | ||
689 | } | ||
690 | |||
691 | if (arg_private_srv) { | ||
692 | if (cfg.chrootdir) | ||
693 | fprintf(stderr, "Warning: private-srv feature is disabled in chroot\n"); | ||
694 | else if (arg_overlay) | ||
695 | fprintf(stderr, "Warning: private-srv feature is disabled in overlay\n"); | ||
696 | else { | ||
697 | fs_private_dir_list("/srv", RUN_SRV_DIR, cfg.srv_private_keep); | ||
698 | } | ||
699 | } | ||
700 | |||
681 | if (arg_private_bin) { | 701 | if (arg_private_bin) { |
682 | if (cfg.chrootdir) | 702 | if (cfg.chrootdir) |
683 | fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); | 703 | fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); |
diff --git a/test/environment/dns.exp b/test/environment/dns.exp index 40403aade..3e2a0ffd4 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp | |||
@@ -26,15 +26,34 @@ expect { | |||
26 | } | 26 | } |
27 | after 100 | 27 | after 100 |
28 | send -- "exit\r" | 28 | send -- "exit\r" |
29 | after 100 | 29 | sleep 1 |
30 | 30 | ||
31 | 31 | ||
32 | # no chroot | 32 | send -- "firejail --profile=dns.profile\r" |
33 | send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" | ||
34 | expect { | 33 | expect { |
35 | timeout {puts "TESTING ERROR 1.1\n";exit} | 34 | timeout {puts "TESTING ERROR 12.1\n";exit} |
36 | "Child process initialized" | 35 | "Child process initialized" |
37 | } | 36 | } |
37 | sleep 1 | ||
38 | |||
39 | send -- "cat /etc/resolv.conf\r" | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 12.2\n";exit} | ||
42 | "nameserver 8.8.4.4" | ||
43 | } | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 12.3\n";exit} | ||
46 | "nameserver 8.8.8.8" | ||
47 | } | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 12.4\n";exit} | ||
50 | "nameserver 4.2.2.1" | ||
51 | } | ||
52 | after 100 | ||
53 | send -- "exit\r" | ||
54 | sleep 1 | ||
55 | |||
56 | send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" | ||
38 | expect { | 57 | expect { |
39 | timeout {puts "TESTING ERROR 1.2\n";exit} | 58 | timeout {puts "TESTING ERROR 1.2\n";exit} |
40 | "connect" | 59 | "connect" |
diff --git a/test/environment/dns.profile b/test/environment/dns.profile new file mode 100644 index 000000000..d1b842c86 --- /dev/null +++ b/test/environment/dns.profile | |||
@@ -0,0 +1,3 @@ | |||
1 | dns 8.8.4.4 | ||
2 | dns 8.8.8.8 | ||
3 | dns 4.2.2.1 | ||
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d9a425661..611b62b09 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
@@ -88,6 +88,9 @@ echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" | |||
88 | echo "TESTING: whitelist (test/fs/whitelist.exp)" | 88 | echo "TESTING: whitelist (test/fs/whitelist.exp)" |
89 | ./whitelist.exp | 89 | ./whitelist.exp |
90 | 90 | ||
91 | echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" | ||
92 | ./whitelist-dev.exp | ||
93 | |||
91 | echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" | 94 | echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" |
92 | ./fscheck-bindnoroot.exp | 95 | ./fscheck-bindnoroot.exp |
93 | 96 | ||
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp new file mode 100755 index 000000000..a19d5cedf --- /dev/null +++ b/test/fs/whitelist-dev.exp | |||
@@ -0,0 +1,47 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --whitelist=/dev/null --debug\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 1 | ||
16 | |||
17 | send -- "ls -l /dev | find /dev | wc -l\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 1\n";exit} | ||
20 | "2" | ||
21 | } | ||
22 | after 100 | ||
23 | send -- "exit\r" | ||
24 | sleep 1 | ||
25 | |||
26 | send -- "firejail --whitelist=/var/tmp --debug\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 0\n";exit} | ||
29 | "Child process initialized" | ||
30 | } | ||
31 | sleep 1 | ||
32 | |||
33 | send -- "ls -l /dev | find /dev | wc -l\r" | ||
34 | expect { | ||
35 | timeout {puts "TESTING ERROR 1\n";exit} | ||
36 | "2" | ||
37 | } | ||
38 | after 100 | ||
39 | send -- "exit\r" | ||
40 | sleep 1 | ||
41 | |||
42 | |||
43 | |||
44 | |||
45 | after 100 | ||
46 | puts "\nall done\n" | ||
47 | |||
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp index 9a9a0f353..9b631b884 100755 --- a/test/fs/whitelist.exp +++ b/test/fs/whitelist.exp | |||
@@ -36,7 +36,7 @@ after 200 | |||
36 | send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" | 36 | send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" |
37 | after 200 | 37 | after 200 |
38 | 38 | ||
39 | send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r" | 39 | send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r" |
40 | expect { | 40 | expect { |
41 | timeout {puts "TESTING ERROR 0\n";exit} | 41 | timeout {puts "TESTING ERROR 0\n";exit} |
42 | "Child process initialized" | 42 | "Child process initialized" |
@@ -49,19 +49,19 @@ expect { | |||
49 | "2" | 49 | "2" |
50 | } | 50 | } |
51 | 51 | ||
52 | send -- "cat fjtest-file\r" | 52 | send -- "cat ~/fjtest-file\r" |
53 | expect { | 53 | expect { |
54 | timeout {puts "TESTING ERROR 2\n";exit} | 54 | timeout {puts "TESTING ERROR 2\n";exit} |
55 | "123" | 55 | "123" |
56 | } | 56 | } |
57 | 57 | ||
58 | send -- "cat fjtest-dir/fjtest-file\r" | 58 | send -- "cat ~/fjtest-dir/fjtest-file\r" |
59 | expect { | 59 | expect { |
60 | timeout {puts "TESTING ERROR 3\n";exit} | 60 | timeout {puts "TESTING ERROR 3\n";exit} |
61 | "123" | 61 | "123" |
62 | } | 62 | } |
63 | 63 | ||
64 | send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" | 64 | send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" |
65 | expect { | 65 | expect { |
66 | timeout {puts "TESTING ERROR 4\n";exit} | 66 | timeout {puts "TESTING ERROR 4\n";exit} |
67 | "123" | 67 | "123" |
@@ -86,7 +86,7 @@ expect { | |||
86 | "1" | 86 | "1" |
87 | } | 87 | } |
88 | 88 | ||
89 | send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" | 89 | send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" |
90 | expect { | 90 | expect { |
91 | timeout {puts "TESTING ERROR 12\n";exit} | 91 | timeout {puts "TESTING ERROR 12\n";exit} |
92 | "123" | 92 | "123" |
@@ -111,37 +111,37 @@ expect { | |||
111 | "4" | 111 | "4" |
112 | } | 112 | } |
113 | 113 | ||
114 | send -- "cat fjtest-file\r" | 114 | send -- "cat ~/fjtest-file\r" |
115 | expect { | 115 | expect { |
116 | timeout {puts "TESTING ERROR 22\n";exit} | 116 | timeout {puts "TESTING ERROR 22\n";exit} |
117 | "123" | 117 | "123" |
118 | } | 118 | } |
119 | 119 | ||
120 | send -- "cat fjtest-dir/fjtest-file\r" | 120 | send -- "cat ~/fjtest-dir/fjtest-file\r" |
121 | expect { | 121 | expect { |
122 | timeout {puts "TESTING ERROR 23\n";exit} | 122 | timeout {puts "TESTING ERROR 23\n";exit} |
123 | "123" | 123 | "123" |
124 | } | 124 | } |
125 | 125 | ||
126 | send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" | 126 | send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" |
127 | expect { | 127 | expect { |
128 | timeout {puts "TESTING ERROR 24\n";exit} | 128 | timeout {puts "TESTING ERROR 24\n";exit} |
129 | "123" | 129 | "123" |
130 | } | 130 | } |
131 | 131 | ||
132 | send -- "cat fjtest-file-lnk\r" | 132 | send -- "cat ~/fjtest-file-lnk\r" |
133 | expect { | 133 | expect { |
134 | timeout {puts "TESTING ERROR 25\n";exit} | 134 | timeout {puts "TESTING ERROR 25\n";exit} |
135 | "123" | 135 | "123" |
136 | } | 136 | } |
137 | 137 | ||
138 | send -- "cat fjtest-dir-lnk/fjtest-file\r" | 138 | send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" |
139 | expect { | 139 | expect { |
140 | timeout {puts "TESTING ERROR 26\n";exit} | 140 | timeout {puts "TESTING ERROR 26\n";exit} |
141 | "123" | 141 | "123" |
142 | } | 142 | } |
143 | 143 | ||
144 | send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r" | 144 | send -- "cat ~/fjtest-dir-lnk/fjtest-dir/fjtest-file\r" |
145 | expect { | 145 | expect { |
146 | timeout {puts "TESTING ERROR 27\n";exit} | 146 | timeout {puts "TESTING ERROR 27\n";exit} |
147 | "123" | 147 | "123" |
@@ -193,13 +193,13 @@ expect { | |||
193 | "2" | 193 | "2" |
194 | } | 194 | } |
195 | 195 | ||
196 | send -- "cat fjtest-file-lnk\r" | 196 | send -- "cat ~/fjtest-file-lnk\r" |
197 | expect { | 197 | expect { |
198 | timeout {puts "TESTING ERROR 42\n";exit} | 198 | timeout {puts "TESTING ERROR 42\n";exit} |
199 | "123" | 199 | "123" |
200 | } | 200 | } |
201 | 201 | ||
202 | send -- "cat fjtest-dir-lnk/fjtest-file\r" | 202 | send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" |
203 | expect { | 203 | expect { |
204 | timeout {puts "TESTING ERROR 43\n";exit} | 204 | timeout {puts "TESTING ERROR 43\n";exit} |
205 | "123" | 205 | "123" |
diff --git a/test/network/ip6.exp b/test/network/ip6.exp index f0fcebcf8..1db16c28a 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp | |||
@@ -43,6 +43,46 @@ expect { | |||
43 | } | 43 | } |
44 | 44 | ||
45 | send -- "exit\r" | 45 | send -- "exit\r" |
46 | sleep 2 | ||
47 | |||
48 | |||
49 | send -- "firejail --debug --profile=ip6.profile\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 10\n";exit} | ||
52 | "Installing network filter" | ||
53 | } | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 11\n";exit} | ||
56 | "DROP" | ||
57 | } | ||
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 12\n";exit} | ||
60 | "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit} | ||
61 | "2001:db8:1f0a:3ec::2" | ||
62 | } | ||
63 | expect { | ||
64 | timeout {puts "TESTING ERROR 13\n";exit} | ||
65 | "Child process initialized" | ||
66 | } | ||
67 | sleep 2 | ||
68 | |||
69 | send -- "/sbin/ifconfig\r" | ||
70 | expect { | ||
71 | timeout {puts "TESTING ERROR 14\n";exit} | ||
72 | "inet6" | ||
73 | } | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 15\n";exit} | ||
76 | "2001:db8:0:f101::1" | ||
77 | } | ||
78 | expect { | ||
79 | timeout {puts "TESTING ERROR 16\n";exit} | ||
80 | "Scope:Global" { puts "Debian\n"} | ||
81 | "scopeid 0x0<global>" { puts "Arch\n"} | ||
82 | } | ||
83 | |||
84 | send -- "exit\r" | ||
85 | |||
46 | after 100 | 86 | after 100 |
47 | 87 | ||
48 | puts "\nall done\n" | 88 | puts "\nall done\n" |
diff --git a/test/network/ip6.profile b/test/network/ip6.profile new file mode 100644 index 000000000..87afa3941 --- /dev/null +++ b/test/network/ip6.profile | |||
@@ -0,0 +1,3 @@ | |||
1 | net br0 | ||
2 | ip6 2001:0db8:0:f101::1/64 | ||
3 | netfilter6 ipv6.net | ||
diff --git a/test/network/iprange.exp b/test/network/iprange.exp new file mode 100755 index 000000000..a1b2ccab4 --- /dev/null +++ b/test/network/iprange.exp | |||
@@ -0,0 +1,103 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "eth0" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "10.10.30.50" {puts "10.10.30.50\n"} | ||
18 | "10.10.30.51" {puts "10.10.30.51\n"} | ||
19 | "10.10.30.52" {puts "10.10.30.52\n"} | ||
20 | "10.10.30.53" {puts "10.10.30.53\n"} | ||
21 | "10.10.30.54" {puts "10.10.30.54\n"} | ||
22 | "10.10.30.55" {puts "10.10.30.55\n"} | ||
23 | } | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 2\n";exit} | ||
26 | "255.255.255.0" | ||
27 | } | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 3\n";exit} | ||
30 | "Child process initialized" | ||
31 | } | ||
32 | sleep 1 | ||
33 | send -- "exit\r" | ||
34 | sleep 2 | ||
35 | |||
36 | send -- "firejail --profile=iprange.profile\r" | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 5\n";exit} | ||
39 | "eth0" | ||
40 | } | ||
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 6\n";exit} | ||
43 | "10.10.30.50" {puts "10.10.30.50\n"} | ||
44 | "10.10.30.51" {puts "10.10.30.51\n"} | ||
45 | "10.10.30.52" {puts "10.10.30.52\n"} | ||
46 | "10.10.30.53" {puts "10.10.30.53\n"} | ||
47 | "10.10.30.54" {puts "10.10.30.54\n"} | ||
48 | "10.10.30.55" {puts "10.10.30.55\n"} | ||
49 | } | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 7\n";exit} | ||
52 | "255.255.255.0" | ||
53 | } | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 8\n";exit} | ||
56 | "Child process initialized" | ||
57 | } | ||
58 | sleep 1 | ||
59 | send -- "exit\r" | ||
60 | sleep 2 | ||
61 | |||
62 | |||
63 | |||
64 | send -- "firejail --iprange=10.10.30.50,10.10.30.55\r" | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 9\n";exit} | ||
67 | "no network device configured" | ||
68 | } | ||
69 | after 100 | ||
70 | |||
71 | send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55 --iprange=10.10.30.50,10.10.30.55\r" | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 10\n";exit} | ||
74 | "cannot configure the IP range twice for the same interface" | ||
75 | } | ||
76 | after 100 | ||
77 | |||
78 | send -- "firejail --net=br1 --iprange=10.10.30.50\r" | ||
79 | expect { | ||
80 | timeout {puts "TESTING ERROR 11\n";exit} | ||
81 | "invalid IP range" | ||
82 | } | ||
83 | after 100 | ||
84 | |||
85 | send -- "firejail --net=br0 --iprange=10.10.30.50,10.10.30.55\r" | ||
86 | expect { | ||
87 | timeout {puts "TESTING ERROR 12\n";exit} | ||
88 | "IP range addresses not in network range" | ||
89 | } | ||
90 | after 100 | ||
91 | |||
92 | send -- "firejail --net=br1 --iprange=10.10.30.55,10.10.30.50\r" | ||
93 | expect { | ||
94 | timeout {puts "TESTING ERROR 12\n";exit} | ||
95 | "invalid IP range" | ||
96 | } | ||
97 | after 100 | ||
98 | |||
99 | |||
100 | after 100 | ||
101 | |||
102 | puts "\nall done\n" | ||
103 | |||
diff --git a/test/network/iprange.profile b/test/network/iprange.profile new file mode 100644 index 000000000..ecc01cd93 --- /dev/null +++ b/test/network/iprange.profile | |||
@@ -0,0 +1,2 @@ | |||
1 | net br1 | ||
2 | iprange 10.10.30.50,10.10.30.55 | ||
diff --git a/test/network/net_veth.exp b/test/network/net_veth.exp index 89dedcb24..04091047b 100755 --- a/test/network/net_veth.exp +++ b/test/network/net_veth.exp | |||
@@ -123,6 +123,18 @@ expect { | |||
123 | } | 123 | } |
124 | sleep 1 | 124 | sleep 1 |
125 | send -- "exit\r" | 125 | send -- "exit\r" |
126 | sleep 1 | ||
127 | |||
128 | send -- "firejail --net=eth0 --ip=10.10.20.1\r" | ||
129 | expect { | ||
130 | timeout {puts "TESTING ERROR 27\n";exit} | ||
131 | "the IP address is not in the interface range" | ||
132 | } | ||
133 | |||
134 | |||
135 | |||
136 | |||
137 | |||
126 | 138 | ||
127 | after 100 | 139 | after 100 |
128 | 140 | ||
diff --git a/test/network/network.sh b/test/network/network.sh index e1646d64a..bea5dfb26 100755 --- a/test/network/network.sh +++ b/test/network/network.sh | |||
@@ -78,6 +78,12 @@ echo "TESTING: veth (net_veth.exp)" | |||
78 | echo "TESTING: netfilter (net_netfilter.exp)" | 78 | echo "TESTING: netfilter (net_netfilter.exp)" |
79 | ./net_netfilter.exp | 79 | ./net_netfilter.exp |
80 | 80 | ||
81 | echo "TESTING: iprange (iprange.exp)" | ||
82 | ./iprange.exp | ||
83 | |||
84 | echo "TESTING: veth-name (veth-name.exp)" | ||
85 | ./veth-name.exp | ||
86 | |||
81 | echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" | 87 | echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" |
82 | ./4bridges_arp.exp | 88 | ./4bridges_arp.exp |
83 | 89 | ||
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp new file mode 100755 index 000000000..36ed41d92 --- /dev/null +++ b/test/network/veth-name.exp | |||
@@ -0,0 +1,77 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | # | ||
11 | send -- "firejail --net=br1 --ip=10.10.30.50 --veth-name=blablabla\r" | ||
12 | expect { | ||
13 | timeout {puts "TESTING ERROR 0\n";exit} | ||
14 | "eth0" | ||
15 | } | ||
16 | expect { | ||
17 | timeout {puts "TESTING ERROR 1\n";exit} | ||
18 | "10.10.30.50" | ||
19 | } | ||
20 | expect { | ||
21 | timeout {puts "TESTING ERROR 2\n";exit} | ||
22 | "255.255.255.0" | ||
23 | } | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 3\n";exit} | ||
26 | "Child process initialized" | ||
27 | } | ||
28 | sleep 1 | ||
29 | |||
30 | spawn $env(SHELL) | ||
31 | send -- "ip link show\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 4\n";exit} | ||
34 | "blablabla" | ||
35 | } | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 5\n";exit} | ||
38 | "master br1 state UP" | ||
39 | } | ||
40 | sleep 1 | ||
41 | |||
42 | |||
43 | send -- "firejail --profile=veth-name.profile\r" | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 6\n";exit} | ||
46 | "eth0" | ||
47 | } | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 7\n";exit} | ||
50 | "10.10.60.51" | ||
51 | } | ||
52 | expect { | ||
53 | timeout {puts "TESTING ERROR 8\n";exit} | ||
54 | "255.255.255.0" | ||
55 | } | ||
56 | expect { | ||
57 | timeout {puts "TESTING ERROR 9\n";exit} | ||
58 | "Child process initialized" | ||
59 | } | ||
60 | sleep 1 | ||
61 | |||
62 | spawn $env(SHELL) | ||
63 | send -- "ip link show\r" | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 10\n";exit} | ||
66 | "bingo" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 11\n";exit} | ||
70 | "master br4 state UP" | ||
71 | } | ||
72 | sleep 1 | ||
73 | |||
74 | |||
75 | after 100 | ||
76 | puts "\nall done\n" | ||
77 | |||
diff --git a/test/network/veth-name.profile b/test/network/veth-name.profile new file mode 100644 index 000000000..f00a74d63 --- /dev/null +++ b/test/network/veth-name.profile | |||
@@ -0,0 +1,3 @@ | |||
1 | net br4 | ||
2 | ip 10.10.60.51 | ||
3 | veth-name bingo | ||
diff --git a/test/root/private.exp b/test/root/private.exp index 4040081ee..9ce9716f9 100755 --- a/test/root/private.exp +++ b/test/root/private.exp | |||
@@ -29,5 +29,62 @@ expect { | |||
29 | after 100 | 29 | after 100 |
30 | 30 | ||
31 | send -- "exit\r" | 31 | send -- "exit\r" |
32 | sleep 1 | ||
33 | |||
34 | |||
35 | |||
36 | send -- "touch /opt/firejail-test-file\r" | ||
37 | after 100 | ||
38 | send -- "mkdir /opt/firejail-test-dir\r" | ||
39 | after 100 | ||
40 | send -- "touch /opt/firejail-test-dir/firejail-test-file\r" | ||
41 | after 100 | ||
42 | send -- "firejail --private-opt=firejail-test-file,firejail-test-dir --debug\r" | ||
43 | expect { | ||
44 | timeout {puts "TESTING ERROR 3\n";exit} | ||
45 | "Child process initialized" | ||
46 | } | ||
47 | sleep 1 | ||
48 | |||
49 | send -- "find /opt | wc -l\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 4\n";exit} | ||
52 | "4" | ||
53 | } | ||
54 | after 100 | ||
55 | send -- "exit\r" | ||
56 | sleep 1 | ||
57 | |||
58 | |||
59 | send -- "touch /srv/firejail-test-file\r" | ||
60 | after 100 | ||
61 | send -- "mkdir /srv/firejail-test-dir\r" | ||
62 | after 100 | ||
63 | send -- "touch /srv/firejail-test-dir/firejail-test-file\r" | ||
32 | after 100 | 64 | after 100 |
65 | send -- "firejail --private-srv=firejail-test-file,firejail-test-dir --debug\r" | ||
66 | expect { | ||
67 | timeout {puts "TESTING ERROR 5\n";exit} | ||
68 | "Child process initialized" | ||
69 | } | ||
70 | sleep 1 | ||
71 | |||
72 | send -- "find /srv | wc -l\r" | ||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 6\n";exit} | ||
75 | "4" | ||
76 | } | ||
77 | after 100 | ||
78 | send -- "exit\r" | ||
79 | sleep 1 | ||
80 | |||
81 | |||
82 | |||
83 | |||
84 | |||
85 | |||
86 | |||
87 | |||
88 | |||
89 | |||
33 | puts "\nall done\n" | 90 | puts "\nall done\n" |
diff --git a/test/root/root.sh b/test/root/root.sh index 494bd4fe7..371bccdff 100755 --- a/test/root/root.sh +++ b/test/root/root.sh | |||
@@ -53,6 +53,9 @@ fi | |||
53 | echo "TESTING: fs private (test/root/private.exp)" | 53 | echo "TESTING: fs private (test/root/private.exp)" |
54 | ./private.exp | 54 | ./private.exp |
55 | 55 | ||
56 | echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)" | ||
57 | ./whitelist.exp | ||
58 | |||
56 | #******************************** | 59 | #******************************** |
57 | # seccomp | 60 | # seccomp |
58 | #******************************** | 61 | #******************************** |
diff --git a/test/root/whitelist.exp b/test/root/whitelist.exp new file mode 100755 index 000000000..f6936c048 --- /dev/null +++ b/test/root/whitelist.exp | |||
@@ -0,0 +1,118 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "touch /mnt/firejail-test-file\r" | ||
11 | after 100 | ||
12 | send -- "mkdir /mnt/firejail-test-dir\r" | ||
13 | after 100 | ||
14 | send -- "touch /mnt/firejail-test-dir/firejail-test-file\r" | ||
15 | after 100 | ||
16 | send -- "firejail --whitelist=/mnt/firejail-test-file --whitelist=/mnt/firejail-test-dir --debug\r" | ||
17 | expect { | ||
18 | timeout {puts "TESTING ERROR 0\n";exit} | ||
19 | "Child process initialized" | ||
20 | } | ||
21 | sleep 1 | ||
22 | |||
23 | send -- "find /mnt | wc -l\r" | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 1\n";exit} | ||
26 | "4" | ||
27 | } | ||
28 | after 100 | ||
29 | send -- "exit\r" | ||
30 | sleep 1 | ||
31 | |||
32 | |||
33 | send -- "touch /opt/firejail-test-file\r" | ||
34 | after 100 | ||
35 | send -- "mkdir /opt/firejail-test-dir\r" | ||
36 | after 100 | ||
37 | send -- "touch /opt/firejail-test-dir/firejail-test-file\r" | ||
38 | after 100 | ||
39 | send -- "firejail --whitelist=/opt/firejail-test-file --whitelist=/opt/firejail-test-dir --debug\r" | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 2\n";exit} | ||
42 | "Child process initialized" | ||
43 | } | ||
44 | sleep 1 | ||
45 | |||
46 | send -- "find /opt | wc -l\r" | ||
47 | expect { | ||
48 | timeout {puts "TESTING ERROR 3\n";exit} | ||
49 | "4" | ||
50 | } | ||
51 | after 100 | ||
52 | send -- "exit\r" | ||
53 | sleep 1 | ||
54 | |||
55 | send -- "touch /media/firejail-test-file\r" | ||
56 | after 100 | ||
57 | send -- "mkdir /media/firejail-test-dir\r" | ||
58 | after 100 | ||
59 | send -- "touch /media/firejail-test-dir/firejail-test-file\r" | ||
60 | after 100 | ||
61 | send -- "firejail --whitelist=/media/firejail-test-file --whitelist=/media/firejail-test-dir --debug\r" | ||
62 | expect { | ||
63 | timeout {puts "TESTING ERROR 4\n";exit} | ||
64 | "Child process initialized" | ||
65 | } | ||
66 | sleep 1 | ||
67 | |||
68 | send -- "find /media | wc -l\r" | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 5\n";exit} | ||
71 | "4" | ||
72 | } | ||
73 | after 100 | ||
74 | send -- "exit\r" | ||
75 | sleep 1 | ||
76 | |||
77 | |||
78 | send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r" | ||
79 | expect { | ||
80 | timeout {puts "TESTING ERROR 6\n";exit} | ||
81 | "Child process initialized" | ||
82 | } | ||
83 | sleep 1 | ||
84 | |||
85 | send -- "find /var | wc -l\r" | ||
86 | expect { | ||
87 | timeout {puts "TESTING ERROR 7\n";exit} | ||
88 | "" | ||
89 | } | ||
90 | after 100 | ||
91 | send -- "exit\r" | ||
92 | sleep 1 | ||
93 | |||
94 | send -- "touch /srv/firejail-test-file\r" | ||
95 | after 100 | ||
96 | send -- "mkdir /srv/firejail-test-dir\r" | ||
97 | after 100 | ||
98 | send -- "touch /srv/firejail-test-dir/firejail-test-file\r" | ||
99 | after 100 | ||
100 | send -- "firejail --whitelist=/srv/firejail-test-file --whitelist=/srv/firejail-test-dir --debug\r" | ||
101 | expect { | ||
102 | timeout {puts "TESTING ERROR 8\n";exit} | ||
103 | "Child process initialized" | ||
104 | } | ||
105 | sleep 1 | ||
106 | |||
107 | send -- "find /srv | wc -l\r" | ||
108 | expect { | ||
109 | timeout {puts "TESTING ERROR 9\n";exit} | ||
110 | "4" | ||
111 | } | ||
112 | after 100 | ||
113 | send -- "exit\r" | ||
114 | |||
115 | |||
116 | after 100 | ||
117 | puts "\nall done\n" | ||
118 | |||