-rw-r--r-- | Makefile.in | 7 | ||||
-rw-r--r-- | etc/cpio.profile | 21 | ||||
-rw-r--r-- | etc/gzip.profile | 1 | ||||
-rw-r--r-- | etc/strings.profile | 1 | ||||
-rw-r--r-- | etc/xz.profile | 2 | ||||
-rw-r--r-- | etc/xzdec.profile | 4 | ||||
-rw-r--r-- | platform/debian/conffiles | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 61 | ||||
-rwxr-xr-x | test/sysutils/cpio.exp | 26 | ||||
-rwxr-xr-x | test/sysutils/gzip.exp | 26 | ||||
-rwxr-xr-x | test/sysutils/strings.exp | 26 | ||||
-rwxr-xr-x | test/sysutils/sysutils.sh | 44 | ||||
-rwxr-xr-x | test/sysutils/xzdec.exp | 29 | ||||
-rw-r--r-- | todo | 7 |
14 files changed, 235 insertions, 21 deletions
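--- a/Makefile.in
+++ b/Makefile.in
@@ -53,6 +53,7 @@ clean:
 rm -f test/environment/wget-log*
 rm -fr test/environment/-testdir
 rm -f test/environment/logfile*
+rm -f test/sysutils/firejail_t*
 cd test/compile; ./compile.sh --clean; cd ../..
 cd test/dist-compile; ./compile.sh --clean; cd ../..
 
@@ -213,6 +214,7 @@ realinstall:
 install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.
 rm -fr .etc
@@ -327,6 +329,9 @@ test-apps:
 test-apps-x11:
 cd test/apps-x11; ./apps-x11.sh | grep TESTING
 
+test-sysutils:
+cd test/sysutils; ./sysutils.sh | grep TESTING
+
 test-utils:
 cd test/utils; ./utils.sh | grep TESTING
 
@@ -342,5 +347,5 @@ test-network:
 test-fs:
 cd test/fs; ./fs.sh | grep TESTING
 
-test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters
+test: test-profiles test-fs test-utils test-environment test-sysutils test-apps test-apps-x11 test-filters
 echo "TEST COMPLETE"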
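Review bot: In the new `test-sysutils` recipe the exit status of the pipeline is grep's, not sysutils.sh's, so a run that prints `TESTING ERROR` still lets `make test` finish with `TEST COMPLETE`; the target copies the pattern of the neighbouring targets, so the weakness is inherited, but a new target is the place to stop adding to it. With `SHELL := bash` and `.SHELLFLAGS := -eu -o pipefail -c` at the top of the file, or by having the expect scripts exit non-zero and dropping the grep, the failure would propagate. The recipe should also chain the directory change, `cd test/sysutils && ./sysutils.sh | grep TESTING`, so a missing test directory does not run whatever `./sysutils.sh` is in the top-level tree. If the file keeps a `.PHONY` list (not visible in this hunk), `test-sysutils` belongs in it.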
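--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,10 +1,21 @@
 # cpio profile
-# testing: find . -print -depth | cpio -ov > tree.cpio
-include /etc/firejail/default.profile
-tracelog
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+private-tmp
+seccomp
+caps.drop all
 net none
 shell none
-private-bin cpio
-private-dev
+tracelog
+net none
+
 
 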
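Review bot: `net none` appears twice in the rewritten profile (new lines 15 and 18); the duplicate is harmless but suggests the tail was pasted rather than reviewed, and one copy should go. The substantive change is that `include /etc/firejail/default.profile` and `private-bin cpio` are both dropped, so cpio now sees the full /bin plus the un-blacklisted /sbin and /usr/sbin, and anything default.profile provided beyond the directives spelled out here (I cannot see that file from this diff) no longer applies; xz.profile includes this file, so xz inherits the same widening. The header says what is visible but not why — a one-line comment recording the reason /sbin and /usr/sbin must be reachable and why private-bin was removed would stop the next editor from re-tightening the profile blindly.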
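--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -4,3 +4,4 @@ tracelog
 net none
 shell none
 private-dev
+private-tmp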
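Review bot: Assuming `private-tmp` gives the sandbox its own empty /tmp, as its name suggests (confirm against the implementation, which is not in this diff), an invocation such as `gzip /tmp/archive` will no longer find its input, which is a common way to use a compressor. If that trade-off is intended, a one-line note above the directive, `# private-tmp: files under the host /tmp are not reachable from the sandbox`, saves the next bug report.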
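--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,3 +4,4 @@ tracelog
 net none
 shell none
 private-dev
+private-tmp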
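--- /dev/null
+++ b/etc/xz.profile
@@ -0,0 +1,2 @@
+# xz profile
+include /etc/firejail/cpio.profile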
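Review bot: Including cpio.profile hands xz the cpio sandbox's wider exposure — `noblacklist /sbin`, `noblacklist /usr/sbin` and no `private-bin` — which a compressor has no evident need for, and it ties xz's hardening to whatever cpio.profile is edited into later. The sibling compressors gzip.profile and xzdec.profile instead include default.profile and add `tracelog`, `net none`, `shell none`, `private-dev` and `private-tmp`; xz would fit that pattern and get the tighter of the two sandboxes. If sharing with cpio is deliberate, a comment stating why belongs on the include line.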
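--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,7 +1,7 @@
-# XZ decompressor profile
+# xzdec profile
 include /etc/firejail/default.profile
 tracelog
 net none
 shell none
 private-dev
-
+private-tmp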
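--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -123,4 +123,5 @@
 /etc/firejail/gzip.profile
 /etc/firejail/xzdec.profile
 /etc/firejail/strings.profile
+/etc/firejail/xz.profile
 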
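--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -693,6 +693,52 @@ static void delete_x11_file(pid_t pid) {
 free(fname);
 }
 
+static void detect_quiet(int argc, char **argv) {
+int i;
+char *progs[] = {
+"cpio",
+"strings",
+"gzip",
+"xz",
+"xzdec",
+NULL
+};
+
+// detect --quiet
+for (i = 1; i < argc; i++) {
+if (strcmp(argv[i], "--quiet") == 0) {
+arg_quiet = 1;
+break;
+}
+
+// detect end of firejail params
+if (strcmp(argv[i], "--") == 0)
+break;
+if (strncmp(argv[i], "--", 2) != 0)
+break;
+}
+
+// argv[i] is the program name if --quiet was not already detected
+if (arg_quiet || i == argc)
+return;
+
+// extract the name of the program without the leading path
+char *ptr = strrchr(argv[i], '/');
+char *name = (ptr)? (ptr + 1): argv[i];
+if (*name == '\0')
+return;
+
+// look for the program in the list
+int j = 0;
+while (progs[j] != NULL) {
+if (strcmp(name, progs[j]) == 0) {
+arg_quiet = 1;
+return;
+}
+j++;
+}
+}
+
 //*******************************************
 // Main program
 //*******************************************
@@ -709,6 +755,8 @@ int main(int argc, char **argv) {
 int highest_errno = errno_highest_nr();
 #endif
 
+detect_quiet(argc, argv);
+
 // drop permissions by default and rise them when required
 EUID_INIT();
 EUID_USER();
@@ -717,19 +765,6 @@ int main(int argc, char **argv) {
 if (*argv[0] != '-')
 run_symlink(argc, argv);
 
-// detect --quiet
-for (i = 1; i < argc; i++) {
-if (strcmp(argv[i], "--quiet") == 0) {
-arg_quiet = 1;
-break;
-}
-
-// detect end of firejail params
-if (strcmp(argv[i], "--") == 0)
-break;
-if (strncmp(argv[i], "--", 2) != 0)
-break;
-}
 
 // check if we already have a sandbox running
 // If LXC is detected, start firejail sandbox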
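Review bot: detect_quiet() keys the quiet flag on the basename of whatever the user typed, so `firejail /home/me/bin/gzip` (an arbitrary binary that happens to be called gzip) also runs silent, and if any warning paths elsewhere in main.c are gated on arg_quiet — I cannot see them from this hunk — they are suppressed for a program that was never given the gzip profile; a comment above the list saying the match is by basename only and is deliberately independent of the profile would make that trade-off explicit. The `--` terminator is also handled inconsistently: the loop stops with argv[i] still equal to "--", so a program given after `--` is never matched, whereas the old loop only needed to stop there; `if (strcmp(argv[i], "--") == 0) { i++; break; }` fixes that. Two smaller points: `progs` holds string literals and should be declared `static const char *const progs[] = {`, and because the call now precedes EUID_INIT() (the comment on the line after the call says that is where privileges are dropped) the function must stay free of syscalls and file access, which deserves a one-line note above it so a later edit does not add, say, a profile lookup here.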
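--- /dev/null
+++ b/test/sysutils/cpio.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "find /usr/share/doc/firejail | /bin/cpio -ov > firejail_t1\r"
+sleep 1
+
+send -- "find /usr/share/doc/firejail | firejail /bin/cpio -ov > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"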
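Review bot: The timeout branch of the `expect` block prints `TESTING ERROR 1` and then calls plain `exit`, which is exit status 0, so a mismatch between the native and sandboxed archives is visible only in the grepped log and never fails sysutils.sh or `make test`; `timeout {puts "TESTING ERROR 1\n";exit 1}` lets the failure propagate. The `send` / `sleep 1` pairs also race: nothing waits for either cpio run to finish before the `diff -s` is typed, so on a slow host firejail_t2 may still be being written when it is compared. Waiting for the shell prompt after each command, or sending the three commands as one line joined with `&&`, removes the dependence on timing. The same two points apply to the gzip.exp and strings.exp scripts added in this commit, which share the structure line for line.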
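--- /dev/null
+++ b/test/sysutils/gzip.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"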
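--- /dev/null
+++ b/test/sysutils/strings.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/strings /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"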
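--- /dev/null
+++ b/test/sysutils/sysutils.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+which cpio
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: cpio"
+./cpio.exp
+else
+echo "TESTING SKIP: cpio not found"
+fi
+
+which strings
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: strings"
+./strings.exp
+else
+echo "TESTING SKIP: strings not found"
+fi
+
+which gzip
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: gzip"
+./gzip.exp
+else
+echo "TESTING SKIP: gzip not found"
+fi
+
+which xzdec
+if [ "$?" -eq 0 ];
+then
+echo "TESTING: xzdec"
+./xzdec.exp
+else
+echo "TESTING SKIP: xzdec not found"
+fi
+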
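Review bot: Each `which` guard only proves the tool is somewhere on PATH, but the expect scripts hard-code `/bin/cpio`, `/bin/gzip`, `/usr/bin/strings`, `/usr/bin/xz` and `/usr/bin/xzdec`, so on a layout where the binary lives elsewhere the guard passes and the test then fails on a missing path; testing the literal path, `if [ -x /bin/cpio ]; then`, keeps the guard and the script in agreement. The xzdec branch also depends on `xz` (xzdec.exp compresses with `/usr/bin/xz` first), which is not checked, and no test exercises the new xz.profile at all — an `xz` guard and an xz test belong alongside. Also, `which` writes the resolved path to stdout, which ends up in the output the Makefile greps; `if which cpio > /dev/null 2>&1; then` folds the check and the redirect into one line and drops the `$?` test.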
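--- /dev/null
+++ b/test/sysutils/xzdec.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
+sleep 1
+
+send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"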
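Review bot: `sleep 1` is the only thing separating the `xz -c /usr/bin/firejail` step from the two xzdec reads of firejail_t3; if compression takes longer than a second on the test host, both decodes run against a partially written archive and the result is unpredictable rather than a clean failure, which is the wrong way for a sandbox regression test to behave. Sending the three commands as one line joined with `&&`, or expecting the shell prompt after each one, makes the order deterministic; the `diff -s` expect block already provides the synchronisation point for the final step. As in the sibling scripts, the timeout branch should be `exit 1` rather than `exit` so the failure reaches sysutils.sh.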
@@ -101,3 +101,10 @@ firejail.src: E: no-changelogname-tag | |||
101 | firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found | 101 | firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found |
102 | 1 packages and 0 specfiles checked; 1 errors, 1 warnings. | 102 | 1 packages and 0 specfiles checked; 1 errors, 1 warnings. |
103 | 103 | ||
104 | 15. Testing: | ||
105 | find /usr/share/doc/firejail | cpio -ov > t1 | ||
106 | strings /usr/bin/firejail > t1 | ||
107 | gzip -c /usr/bin/firejail > t1 | ||
108 | |||
109 | use diff -s to compare the files | ||
110 | |||