diff options
-rwxr-xr-x | test/features/3.1.exp | 2 | ||||
-rwxr-xr-x | test/features/3.5.exp | 77 | ||||
-rwxr-xr-x | test/features/3.6.exp | 77 | ||||
-rw-r--r-- | test/features/features.txt | 36 | ||||
-rwxr-xr-x | test/features/test.sh | 6 |
5 files changed, 167 insertions, 31 deletions
diff --git a/test/features/3.1.exp b/test/features/3.1.exp index 52a929651..a66fbdae1 100755 --- a/test/features/3.1.exp +++ b/test/features/3.1.exp | |||
@@ -1,6 +1,6 @@ | |||
1 | #!/usr/bin/expect -f | 1 | #!/usr/bin/expect -f |
2 | # | 2 | # |
3 | # tmpfs | 3 | # private |
4 | # | 4 | # |
5 | 5 | ||
6 | set timeout 10 | 6 | set timeout 10 |
diff --git a/test/features/3.5.exp b/test/features/3.5.exp new file mode 100755 index 000000000..d190ef36f --- /dev/null +++ b/test/features/3.5.exp | |||
@@ -0,0 +1,77 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # | ||
3 | # private-dev | ||
4 | # | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | set overlay [lindex $argv 0] | ||
10 | set chroot [lindex $argv 1] | ||
11 | |||
12 | # | ||
13 | # N | ||
14 | # | ||
15 | send -- "firejail --noprofile --private-dev\r" | ||
16 | expect { | ||
17 | timeout {puts "TESTING ERROR 0\n";exit} | ||
18 | "Child process initialized" | ||
19 | } | ||
20 | sleep 1 | ||
21 | |||
22 | send -- "ls -al /dev | wc -l\r" | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
25 | "14" | ||
26 | } | ||
27 | |||
28 | after 100 | ||
29 | send -- "exit\r" | ||
30 | sleep 1 | ||
31 | |||
32 | # | ||
33 | # O | ||
34 | # | ||
35 | if { $overlay == "overlay" } { | ||
36 | send -- "firejail --noprofile --overlay --private-dev\r" | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 2\n";exit} | ||
39 | "Child process initialized" | ||
40 | } | ||
41 | sleep 1 | ||
42 | |||
43 | send -- "ls -al /dev | wc -l\r" | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
46 | "13" | ||
47 | } | ||
48 | |||
49 | after 100 | ||
50 | send -- "exit\r" | ||
51 | sleep 1 | ||
52 | } | ||
53 | |||
54 | # | ||
55 | # C | ||
56 | # | ||
57 | if { $chroot == "chroot" } { | ||
58 | send -- "firejail --noprofile --chroot=/tmp/chroot --private-dev\r" | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 4\n";exit} | ||
61 | "Child process initialized" | ||
62 | } | ||
63 | sleep 1 | ||
64 | |||
65 | send -- "ls -al /dev | wc -l\r" | ||
66 | expect { | ||
67 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
68 | "13" | ||
69 | } | ||
70 | |||
71 | after 100 | ||
72 | send -- "exit\r" | ||
73 | sleep 1 | ||
74 | } | ||
75 | |||
76 | |||
77 | puts "\nall done\n" | ||
diff --git a/test/features/3.6.exp b/test/features/3.6.exp new file mode 100755 index 000000000..6117485da --- /dev/null +++ b/test/features/3.6.exp | |||
@@ -0,0 +1,77 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # | ||
3 | # private-etc | ||
4 | # | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | set overlay [lindex $argv 0] | ||
10 | set chroot [lindex $argv 1] | ||
11 | |||
12 | # | ||
13 | # N | ||
14 | # | ||
15 | send -- "firejail --noprofile --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r" | ||
16 | expect { | ||
17 | timeout {puts "TESTING ERROR 0\n";exit} | ||
18 | "Child process initialized" | ||
19 | } | ||
20 | sleep 1 | ||
21 | |||
22 | send -- "ls -al /etc | wc -l\r" | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
25 | "10" | ||
26 | } | ||
27 | |||
28 | after 100 | ||
29 | send -- "exit\r" | ||
30 | sleep 1 | ||
31 | |||
32 | # | ||
33 | # O | ||
34 | # | ||
35 | if { $overlay == "overlay" } { | ||
36 | send -- "firejail --noprofile --overlay --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r" | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 2\n";exit} | ||
39 | "Child process initialized" | ||
40 | } | ||
41 | sleep 1 | ||
42 | |||
43 | send -- "ls -al /etc | wc -l\r" | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
46 | "10" | ||
47 | } | ||
48 | |||
49 | after 100 | ||
50 | send -- "exit\r" | ||
51 | sleep 1 | ||
52 | } | ||
53 | |||
54 | # | ||
55 | # C | ||
56 | # | ||
57 | if { $chroot == "chroot" } { | ||
58 | send -- "firejail --noprofile --chroot=/tmp/chroot --private-etc=group,hostname,hosts,nsswitch.conf,passwd,resolv.conf,skel\r" | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 4\n";exit} | ||
61 | "Child process initialized" | ||
62 | } | ||
63 | sleep 1 | ||
64 | |||
65 | send -- "ls -al /etc | wc -l\r" | ||
66 | expect { | ||
67 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
68 | "10" | ||
69 | } | ||
70 | |||
71 | after 100 | ||
72 | send -- "exit\r" | ||
73 | sleep 1 | ||
74 | } | ||
75 | |||
76 | |||
77 | puts "\nall done\n" | ||
diff --git a/test/features/features.txt b/test/features/features.txt index 1dedff357..0c41090aa 100644 --- a/test/features/features.txt +++ b/test/features/features.txt | |||
@@ -9,11 +9,7 @@ C - chroot filesystem | |||
9 | 1. Default features (tesing with --noprofile) | 9 | 1. Default features (tesing with --noprofile) |
10 | 10 | ||
11 | 1.1 disable /boot | 11 | 1.1 disable /boot |
12 | - N, O, C | ||
13 | |||
14 | 1.2 new /proc | 12 | 1.2 new /proc |
15 | - N, O, C | ||
16 | |||
17 | 1.3 new /sys | 13 | 1.3 new /sys |
18 | - N, O fails remount, C fails remount | 14 | - N, O fails remount, C fails remount |
19 | 15 | ||
@@ -23,49 +19,23 @@ C - chroot filesystem | |||
23 | - /etc/group: N, O, C to test | 19 | - /etc/group: N, O, C to test |
24 | 20 | ||
25 | 1.5 PID namespace | 21 | 1.5 PID namespace |
26 | - N, O, C | ||
27 | |||
28 | 1.6 new /var/log | 22 | 1.6 new /var/log |
29 | - N, O, C | ||
30 | |||
31 | 1.7 new /var/tmp | 23 | 1.7 new /var/tmp |
32 | -N, O, C | ||
33 | |||
34 | 1.8 disable /etc/firejail and ~/.config/firejail | 24 | 1.8 disable /etc/firejail and ~/.config/firejail |
35 | -N, O, C | ||
36 | |||
37 | 1.9 mount namespace | 25 | 1.9 mount namespace |
38 | |||
39 | 1.10 disable /selinux | 26 | 1.10 disable /selinux |
40 | - N, O, C | ||
41 | |||
42 | |||
43 | 27 | ||
44 | 2. Networking features | 28 | 2. Networking features |
45 | 29 | ||
46 | 2.1 Hostname (use --hostname=newhostname, do a ping and cat /etc/hostname) | 30 | 2.1 Hostname (use --hostname=newhostname, do a ping and cat /etc/hostname) |
47 | - N, O, C | ||
48 | - ping disabled for C by default seccomp filter, use "getent hosts bingo" | 31 | - ping disabled for C by default seccomp filter, use "getent hosts bingo" |
49 | 32 | ||
50 | 2.2 DNS (use --dns=4.2.2.1, use "dig google.com") | 33 | 2.2 DNS (use --dns=4.2.2.1, use "dig google.com") |
51 | - N, O, C | ||
52 | |||
53 | 2.3 mac-vlan (use --net=eth0 and --noprofile; run ifconfig and dig google.com) | 34 | 2.3 mac-vlan (use --net=eth0 and --noprofile; run ifconfig and dig google.com) |
54 | - N, O, C | ||
55 | - test --ip: N, O, C | ||
56 | |||
57 | 2.4 bridge (use --net=br0 and --noprofile; run ifconfig, netstat -rn, ping default gw) | 35 | 2.4 bridge (use --net=br0 and --noprofile; run ifconfig, netstat -rn, ping default gw) |
58 | - N, O, C | ||
59 | - ping disabled for C by default seccomp filter - transfer test not implemented for C | 36 | - ping disabled for C by default seccomp filter - transfer test not implemented for C |
60 | - test --ip: N, O, C | ||
61 | |||
62 | 2.5 interface | 37 | 2.5 interface |
63 | - N, O, C | ||
64 | |||
65 | 2.6 Default gw (--noprofile --net=eth0 --defaultgw=192.168.1.10, run netstat -rn) | 38 | 2.6 Default gw (--noprofile --net=eth0 --defaultgw=192.168.1.10, run netstat -rn) |
66 | - N, O, C | ||
67 | |||
68 | |||
69 | 39 | ||
70 | 3. Filesystem features (use --noprofile) | 40 | 3. Filesystem features (use --noprofile) |
71 | 41 | ||
@@ -73,3 +43,9 @@ C - chroot filesystem | |||
73 | 3.2 read-only | 43 | 3.2 read-only |
74 | 3.3 blacklist | 44 | 3.3 blacklist |
75 | 3.4 whitelist home | 45 | 3.4 whitelist home |
46 | 3.5 private-dev | ||
47 | - O, C - somehow /dev/log is missing | ||
48 | 3.6 private-etc | ||
49 | - O not working | ||
50 | |||
51 | \ No newline at end of file | ||
diff --git a/test/features/test.sh b/test/features/test.sh index 56b6289b4..a162fc9ca 100755 --- a/test/features/test.sh +++ b/test/features/test.sh | |||
@@ -95,3 +95,9 @@ echo "TESTING: 3.3 blacklist" | |||
95 | echo "TESTING: 3.4 whitelist" | 95 | echo "TESTING: 3.4 whitelist" |
96 | ./3.4.exp $OVERLAY $CHROOT | 96 | ./3.4.exp $OVERLAY $CHROOT |
97 | 97 | ||
98 | echo "TESTING: 3.5 private-dev" | ||
99 | ./3.5.exp $OVERLAY $CHROOT | ||
100 | |||
101 | echo "TESTING: 3.6 private-etc" | ||
102 | ./3.6.exp notworking-todo $CHROOT | ||
103 | |||