-rw-r--r-- | Makefile.in | 5 | ||||
-rw-r--r-- | src/include/common.h | 2 | ||||
-rw-r--r-- | src/lib/common.c | 9 | ||||
-rw-r--r-- | src/lib/pid.c | 2 | ||||
-rwxr-xr-x | test/apps-x11-xorg/apps-x11-xorg.sh | 35 | ||||
-rwxr-xr-x | test/apps-x11-xorg/firefox.exp | 90 | ||||
-rwxr-xr-x | test/apps-x11-xorg/icedove.exp | 85 | ||||
-rwxr-xr-x | test/apps-x11-xorg/transmission-gtk.exp | 85 |
8 files changed, 307 insertions, 6 deletions
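--- a/Makefile.in
+++ b/Makefile.in
@@ -195,6 +195,9 @@ test-apps:
 test-apps-x11:
 	cd test/apps-x11; ./apps-x11.sh | grep TESTING
 
+test-apps-x11-xorg:
+	cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING
+
 test-sysutils:
 	cd test/sysutils; ./sysutils.sh | grep TESTING
 
@@ -213,5 +216,5 @@ test-network:
 test-fs:
 	cd test/fs; ./fs.sh | grep TESTING
 
-test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters
+test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-xorg-x11 test-filters
 	echo "TEST COMPLETE"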
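Review bot: The `test` target in the second hunk now depends on `test-apps-xorg-x11`, but the target added in the first hunk is named `test-apps-x11-xorg`, so `make test` will stop with a missing-rule error before it reaches `test-filters`. Change the dependency list to match the defined target: `test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters`.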
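--- a/src/include/common.h
+++ b/src/include/common.h
@@ -113,5 +113,5 @@ int join_namespace(pid_t pid, char *type);
 int name2pid(const char *name, pid_t *pid);
 char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
-int pid_proc_cmdline_x11(const pid_t pid);
+int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
 #endif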
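--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -201,7 +201,7 @@ char *pid_proc_cmdline(const pid_t pid) {
 }
 
 // return 1 if firejail --x11 on command line
-int pid_proc_cmdline_x11(const pid_t pid) {
+int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
 	// if comm is not firejail return 0
 	char *comm = pid_proc_comm(pid);
 	if (strcmp(comm, "firejail") != 0) {
@@ -248,8 +248,11 @@ int pid_proc_cmdline_x11(const pid_t pid) {
 			break;
 		if (strncmp(arg, "--", 2) != 0)
 			break;
 
-		// check x11
+		if (strcmp(arg, "--x11=xorg") == 0)
+			return 0;
+
+		// check x11 xpra or xephyr
 		if (strncmp(arg, "--x11", 5) == 0)
 			return 1;
 		i += strlen(arg);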
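Review bot: The header comment `// return 1 if firejail --x11 on command line` in the first hunk is stale after this change: the new `--x11=xorg` test in the second hunk returns 0 before the `--x11` prefix match runs, so the function now reports only the xpra/xephyr variants, as its new name says. Suggest `// return 1 if firejail --x11 (xpra or xephyr) is on the command line; --x11=xorg and all other command lines return 0`. The new `return 0` leaves the scanning loop the same way the existing `return 1` does; the function starts before the first hunk and the loop setup lies between the hunks, so if the buffer being scanned is heap-allocated there, both early returns skip its release — worth confirming. The exclusion uses an exact `strcmp`, so only the literal `--x11=xorg` spelling is excluded and any other `--x11...` argument still returns 1.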
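--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -341,7 +341,7 @@ void pid_read(pid_t mon_pid) {
 		}
 
 		if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
-			if (pid_proc_cmdline_x11(pid))
+			if (pid_proc_cmdline_x11_xpra_xephyr(pid))
 				pids[pid].level = -1;
 			else
 				pids[pid].level = 1;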
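--- /dev/null
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+which firefox
+if [ "$?" -eq 0 ];
+then
+	echo "TESTING: firefox x11 xorg"
+	./firefox.exp
+else
+	echo "TESTING SKIP: firefox not found"
+fi
+
+which transmission-gtk
+if [ "$?" -eq 0 ];
+then
+	echo "TESTING: transmission-gtk x11 xorg"
+	./transmission-gtk.exp
+else
+	echo "TESTING SKIP: transmission-gtk not found"
+fi
+
+which icedove
+if [ "$?" -eq 0 ];
+then
+	echo "TESTING: icedove x11 xorg"
+	./icedove.exp
+else
+	echo "TESTING SKIP: icedove not found"
+fi
+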
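Review bot: The `which firefox` / `if [ "$?" -eq 0 ]` pairs print the resolved path into the test log and test a status that any command inserted between the two lines would clobber; the same pattern is repeated for transmission-gtk and icedove. The idiomatic form tests the lookup directly and discards its output, e.g. `if command -v firefox >/dev/null 2>&1; then`. The echo and `./firefox.exp` bodies stay as they are.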
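--- /dev/null
+++ b/test/apps-x11-xorg/firefox.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 3.1\n";exit}
+	"firefox" {puts "firefox detected\n";}
+	"iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+	timeout {puts "TESTING ERROR 3.2\n";exit}
+	"no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+	"cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	" firefox" {puts "firefox detected\n";}
+	" iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+	timeout {puts "TESTING ERROR 5.0\n";exit}
+	"no-remote"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+	"Seccomp: 2"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.1\n";exit}
+	"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	" firefox" {puts "firefox detected\n";}
+	" iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+	timeout {puts "TESTING ERROR 6.0\n";exit}
+	"no-remote"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.1\n";exit}
+	"CapBnd:"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.2\n";exit}
+	"0000000000000000"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.3\n";exit}
+	"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+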
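Review bot: Nothing in the script says what the `--x11=xorg` run is expected to prove; a reader only sees a list of `expect` matches. Suggest a comment after the license header: `# --x11=xorg: the sandbox must show up in firejail --list and in firemon --seccomp / --caps output with "Seccomp: 2" and an all-zero CapBnd mask`. The same header would serve icedove.exp and transmission-gtk.exp, which follow the identical sequence. The `www.gentoo.org` argument on the first `send` makes a full run reach the outbound network once the browser starts; none of the later checks depend on that page, so a local or blank URL would drop the dependency.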
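--- /dev/null
+++ b/test/apps-x11-xorg/icedove.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xorg icedove\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 3.1\n";exit}
+	"icedove"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+	"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.0\n";exit}
+	"icedove"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+	"Seccomp: 2"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.1\n";exit}
+	"name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.0\n";exit}
+	"icedove"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.1\n";exit}
+	"CapBnd"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.2\n";exit}
+	"0000000000000000"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.3\n";exit}
+	"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+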
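--- /dev/null
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xorg transmission-gtk\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 3.1\n";exit}
+	"transmission-gtk"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+	"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.0\n";exit}
+	"transmission-gtk"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+	"Seccomp: 2"
+}
+expect {
+	timeout {puts "TESTING ERROR 5.1\n";exit}
+	"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	":firejail"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.0\n";exit}
+	"transmission-gtk"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.1\n";exit}
+	"CapBnd"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.2\n";exit}
+	"0000000000000000"
+}
+expect {
+	timeout {puts "TESTING ERROR 6.3\n";exit}
+	"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+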