-rw-r--r-- | etc/disable-common.inc | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 67 | ||||
-rwxr-xr-x | test/network/dns-print.exp | 31 | ||||
-rwxr-xr-x | test/network/net_macvlan2.exp | 43 | ||||
-rwxr-xr-x | test/network/network.sh | 9 | ||||
-rwxr-xr-x | test/stress/net_macvlan.exp (renamed from test/network/net_macvlan.exp) | 2 | ||||
-rwxr-xr-x | test/stress/stress.sh | 11 |
7 files changed, 163 insertions, 3 deletions
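--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -209,7 +209,8 @@ blacklist ${PATH}/roxterm-config
 blacklist ${PATH}/terminix
 blacklist ${PATH}/urxvtc
 blacklist ${PATH}/urxvtcd
-blacklist ${PATH}/konsole
+#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+#blacklist ${PATH}/konsole
 
 # kernel files
 blacklist /vmlinuz*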
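Review bot: The new comment on the konsole entry says it "doesn't seem to have this problem" without naming the problem, and the reason the neighbouring terminal emulators are blacklisted is not visible in this hunk. Since this line relaxes a deny-list entry, the comment should record what was tested so the decision can be re-checked when konsole changes, for example `# konsole <version tested>: <behaviour checked> not reproduced on Ubuntu 16.04`. Keeping the disabled `#blacklist ${PATH}/konsole` line next to it is fine as long as the comment says under which condition it should be re-enabled.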
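--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -225,7 +225,7 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 }
 
 
-// blacklist files or directoies by mounting empty files on top of them
+// blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
 char *homedir = cfg.homedir;
 assert(homedir);
@@ -530,6 +530,71 @@ void fs_proc_sys_dev_boot(void) {
 
 // disable /dev/port
 disable_file(BLACKLIST_FILE, "/dev/port");
+
+
+// WARNING: this is not reliable. When services like gpg-agent are started after the jail, the sockets are not blacklisted
+
+// disable various ipc sockets
+struct stat s;
+
+
+// breaks too many applications, option needed
+/* // disable /run/user/{uid}/bus */
+/* char *fnamebus; */
+/* if (asprintf(&fnamebus, "/run/user/%d/bus", getuid()) == -1) */
+/* errExit("asprintf"); */
+/* if (stat(fnamebus, &s) == 0) */
+/* disable_file(BLACKLIST_FILE, fnamebus); */
+/* free(fnamebus); */
+
+// disable /run/user/{uid}/gnupg
+char *fnamegpg;
+if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
+errExit("asprintf");
+if (stat(fnamegpg, &s) == 0)
+disable_file(BLACKLIST_FILE, fnamegpg);
+free(fnamegpg);
+
+// disable /run/user/{uid}/systemd
+char *fnamesysd;
+if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
+errExit("asprintf");
+if (stat(fnamesysd, &s) == 0)
+disable_file(BLACKLIST_FILE, fnamesysd);
+free(fnamesysd);
+
+
+// WARNING: not working
+// disable /run/user/{uid}/kdeinit*
+//char *fnamekde;
+//if (asprintf(&fnamekde, "/run/user/%d/kdeinit*", getuid()) == -1)
+// errExit("asprintf");
+//if (stat(fnamekde, &s) == 0)
+// disable_file(BLACKLIST_FILE, fnamekde);
+//free(fnamekde);
+
+
+// disable /run/user/{uid}/pulse
+/* char *fnamepulse; */
+/* if (asprintf(&fnamepulse, "/run/user/%d/pulse", getuid()) == -1) */
+/* errExit("asprintf"); */
+/* if (stat(fnamepulse, &s) == 0) */
+/* disable_file(BLACKLIST_FILE, fnamepulse); */
+/* free(fnamepulse); */
+
+// disable /run/user/{uid}/dconf
+/* char *fnamedconf; */
+/* if (asprintf(&fnamedconf, "/run/user/%d/dconf", getuid()) == -1) */
+/* errExit("asprintf"); */
+/* if (stat(fnamedconf, &s) == 0) */
+/* disable_file(BLACKLIST_FILE, fnamedconf); */
+/* free(fnamedconf); */
+
+
+//more files with sockets to be blacklisted
+// /run/dbus /run/systemd /run/udev /run/lvm
+
+
 
 if (getuid() != 0) {
 // disable /dev/kmsg and /proc/kmsg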
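Review bot: The new gnupg and systemd blocks in fs_proc_sys_dev_boot blacklist a path only if `stat()` finds it when the sandbox is set up, so a socket directory that appears under `/run/user/{uid}` later stays reachable from inside the jail. The WARNING comment admits this, but the change neither closes the gap nor surfaces it to the user. Until the runtime directory is handled deny-by-default, this should not be treated as isolation from gpg-agent or the systemd user instance, and the limitation belongs in the user-facing documentation as well as in the source comment. Two smaller points: `getuid()` returns `uid_t`, so `asprintf(&fnamegpg, "/run/user/%u/gnupg", (unsigned) getuid())` is the matching format; and the four commented-out copies (bus, kdeinit, pulse, dconf) would read better as one static helper taking the sub-path, with the `kdeinit*` case noted as needing pattern expansion because `stat()` never expands a wildcard. The function body starts and ends outside this hunk.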
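--- /dev/null
+++ b/test/network/dns-print.exp
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test-dns --net=eth0 --dns=1.2.3.4 --dns=2.3.4.5 --dns=3.4.5.6\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --dns.print=test-dns\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"nameserver 1.2.3.4"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"nameserver 2.3.4.5"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"nameserver 3.4.5.6"
+}
+
+after 100
+
+puts "\nall done\n"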
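Review bot: All three nameserver checks report the same `TESTING ERROR 2`, so a failure does not say which `--dns` entry was missing from the `--dns.print` output. Numbering them as the sibling test does, `timeout {puts "TESTING ERROR 2.1\n";exit}`, then `2.2` and `2.3`, fixes that. The script also ends without sending `exit` to the first spawned shell, so the `test-dns` sandbox may still be alive when the next test in network.sh starts; a `send -- "exit\r"` before the final `after 100` would match net_macvlan2.exp. The file lacks the project and licence header that the other new scripts in this commit carry.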
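--- /dev/null
+++ b/test/network/net_macvlan2.exp
@@ -0,0 +1,43 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --net=eth0 --net=eth0 --net=eth0 --net=eth0\r"
+expect {
+timeout {puts "TESTING ERROR 0.1\n";exit}
+"eth0-"
+}
+expect {
+timeout {puts "TESTING ERROR 0.2\n";exit}
+"eth1-"
+}
+expect {
+timeout {puts "TESTING ERROR 0.3\n";exit}
+"eth2-"
+}
+expect {
+timeout {puts "TESTING ERROR 0.4\n";exit}
+"eth3-"
+}
+expect {
+timeout {puts "TESTING ERROR 0.5\n";exit}
+"Default gateway 192.168.1.1"
+}
+expect {
+timeout {puts "TESTING ERROR 0.6\n";exit}
+"Child process initialized"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+after 100
+
+puts "\nall done\n"
+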
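Review bot: The expected strings `eth0-` through `eth3-` and `Default gateway 192.168.1.1` tie this test to a host that has an `eth0` interface with that gateway, and nothing in the file states the prerequisite. A header comment such as `# requires: host interface eth0 with default gateway 192.168.1.1` would let a reader tell a sandbox regression from a lab mismatch when `TESTING ERROR 0.5` appears. The second `after 100` following `sleep 1` adds nothing and can be dropped.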
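--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -11,6 +11,9 @@ sudo ./configure
 echo "TESTING: firemon interface (firemon-interfaces.exp)"
 sudo ./firemon-interfaces.exp
 
+echo "TESTING: print dns (dns-print.exp)"
+./dns-print.exp
+
 echo "TESTING: firemon arp (firemon-arp.exp)"
 ./firemon-arp.exp
 
@@ -69,6 +72,9 @@ echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
 echo "TESTING: scan (net_scan.exp)"
 ./net_scan.exp
 
+echo "TESTING: mtu (mtu.exp)"
+./mtu.exp
+
 echo "TESTING: interface (interface.exp)"
 ./interface.exp
 
@@ -84,6 +90,9 @@ echo "TESTING: iprange (iprange.exp)"
 echo "TESTING: veth-name (veth-name.exp)"
 ./veth-name.exp
 
+echo "TESTING: macvlan2 (net_macvlan2.exp)"
+./net_macvlan2.exp
+
 echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
 ./4bridges_arp.exp
 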
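Review bot: The second hunk starts running `./mtu.exp`, but no `mtu.exp` is among the seven files this commit touches, so the script presumably already exists under test/network; worth confirming, because a missing file would only show up as a shell "not found" line between the other tests. The runner also does not check the exit status of any script, and the new expect files leave with a plain `exit` on timeout, so a failure is visible only as a `TESTING ERROR` line in the output. If that convention is intended, a one-line comment at the top of network.sh saying so would help whoever wires this into automation.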
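--- a/test/network/net_macvlan.exp
+++ b/test/stress/net_macvlan.exp
@@ -12,7 +12,7 @@ spawn $env(SHELL)
 send -- "firejail --net=eth0 --ip=192.168.1.60\r"
 expect {
 timeout {puts "TESTING ERROR 1.1\n";puts "Please open a sandbox on 192.168.1.60\n";exit}
-"the address 192.168.1.60 is already in use"
+"192.168.1.60 is interface eth0 address"
 }
 
 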
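--- /dev/null
+++ b/test/stress/stress.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: macvlan (net_macvlan.exp)"
+./net_macvlan.exp
+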
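Review bot: The `MALLOC_CHECK_` and `MALLOC_PERTURB_` exports may have no effect on the binary under test. If firejail is installed set-user-ID root, glibc runs it in secure-execution mode and, per mallopt(3), ignores `MALLOC_CHECK_` for such programs unless `/etc/suid-debug` exists. Either note that prerequisite in a comment or run the stress tests against a build that is not set-user-ID. The perturb byte is also random and never printed, so a crash cannot be reproduced with the same value; adding `echo "MALLOC_PERTURB_=$MALLOC_PERTURB_"` after the export records it.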