-rw-r--r-- | etc/libreoffice.profile | 12 | ||||
-rw-r--r-- | etc/rhythmbox.profile | 3 | ||||
-rw-r--r-- | etc/vlc.profile | 2 | ||||
-rw-r--r-- | etc/webstorm.profile | 9 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 4 | ||||
-rw-r--r-- | src/firecfg/util.c | 12 | ||||
-rw-r--r-- | src/firejail/firejail.h | 10 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 8 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 18 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 22 | ||||
-rw-r--r-- | src/firejail/util.c | 36 | ||||
-rw-r--r-- | src/fldd/main.c | 6 | ||||
-rw-r--r-- | src/lib/firejail_user.c | 3 | ||||
-rwxr-xr-x | test/arguments/arguments.sh | 3 | ||||
-rwxr-xr-x | test/filters/filters.sh | 4 | ||||
-rwxr-xr-x | test/fs/invalid_filename.exp | 79 | ||||
-rwxr-xr-x | test/private-lib/gedit.exp | 83 | ||||
-rwxr-xr-x | test/private-lib/pluma.exp | 83 | ||||
-rwxr-xr-x | test/private-lib/private-lib.sh | 2 |
19 files changed, 295 insertions, 104 deletions
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 4b3eb1ac7..18fcc59c6 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
@@ -23,20 +23,22 @@ include /etc/firejail/disable-programs.inc | |||
23 | 23 | ||
24 | include /etc/firejail/whitelist-var-common.inc | 24 | include /etc/firejail/whitelist-var-common.inc |
25 | 25 | ||
26 | apparmor | 26 | # Ubuntu 18.04 uses its own apparmor profile |
27 | # uncomment the next line if you are not on Ubuntu | ||
28 | #apparmor | ||
27 | caps.drop all | 29 | caps.drop all |
28 | machine-id | 30 | machine-id |
29 | netfilter | 31 | netfilter |
30 | nodbus | 32 | nodbus |
31 | nodvd | 33 | nodvd |
32 | nogroups | 34 | nogroups |
33 | nonewprivs | 35 | #nonewprivs - fix for Ubuntu 18.04/Debian 10 |
34 | noroot | 36 | noroot |
35 | notv | 37 | notv |
36 | protocol unix,inet,inet6 | 38 | #protocol unix,inet,inet6 - fix for Ubuntu 18.04/Debian 10 |
37 | seccomp | 39 | #seccomp - fix for Ubuntu 18.04/Debian 10 |
38 | shell none | 40 | shell none |
39 | tracelog | 41 | #tracelog - problems reported by Ubuntu 18.04 apparmor profile in /var/log/syslog |
40 | 42 | ||
41 | private-dev | 43 | private-dev |
42 | private-tmp | 44 | private-tmp |
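Review bot: Commenting out `nonewprivs`, `protocol unix,inet,inet6` and `seccomp` on new lines 35–39 weakens the sandbox for every distribution, while the inline comments present the change as a fix for Ubuntu 18.04/Debian 10 only. With `nonewprivs` gone the no_new_privs bit is no longer set, and without `seccomp` the syscall surface is no longer narrowed, so `caps.drop all` and `noroot` are carrying the whole load. If the breakage is distribution-specific, a comment naming the tracking issue (`# disabled for Ubuntu 18.04/Debian 10, see issue <ISSUE-ID>`) and a pointer to re-enable the three options in the user's `libreoffice.local` override (assuming this profile includes it as webstorm.profile does) would let other users keep the hardening.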
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 38ccb886f..57e1ce5f0 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile | |||
@@ -8,7 +8,8 @@ include /etc/firejail/globals.local | |||
8 | 8 | ||
9 | include /etc/firejail/disable-common.inc | 9 | include /etc/firejail/disable-common.inc |
10 | include /etc/firejail/disable-devel.inc | 10 | include /etc/firejail/disable-devel.inc |
11 | include /etc/firejail/disable-interpreters.inc | 11 | # rhythmbox is using Python |
12 | #include /etc/firejail/disable-interpreters.inc | ||
12 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
14 | 15 | ||
diff --git a/etc/vlc.profile b/etc/vlc.profile index 6b0bee7bd..9ccbb7310 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
@@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc | |||
17 | 17 | ||
18 | include /etc/firejail/whitelist-var-common.inc | 18 | include /etc/firejail/whitelist-var-common.inc |
19 | 19 | ||
20 | apparmor | 20 | #apparmor - on Ubuntu 18.04 it refuses to start without dbus access |
21 | caps.drop all | 21 | caps.drop all |
22 | netfilter | 22 | netfilter |
23 | # nodbus - problems with KDE | 23 | # nodbus - problems with KDE |
diff --git a/etc/webstorm.profile b/etc/webstorm.profile index 6da71224f..93bcb50bb 100644 --- a/etc/webstorm.profile +++ b/etc/webstorm.profile | |||
@@ -6,12 +6,17 @@ include /etc/firejail/webstorm.local | |||
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.WebStorm* | 8 | noblacklist ${HOME}/.WebStorm* |
9 | noblacklist ${HOME}/.android | ||
9 | noblacklist ${HOME}/.gitconfig | 10 | noblacklist ${HOME}/.gitconfig |
11 | noblacklist ${HOME}/.gradle | ||
10 | noblacklist ${HOME}/.java | 12 | noblacklist ${HOME}/.java |
11 | noblacklist ${HOME}/.local/share/JetBrains | 13 | noblacklist ${HOME}/.local/share/JetBrains |
12 | noblacklist ${HOME}/.ssh | 14 | noblacklist ${HOME}/.ssh |
13 | noblacklist ${HOME}/.tooling | 15 | noblacklist ${HOME}/.tooling |
14 | 16 | ||
17 | noblacklist ${PATH}/node | ||
18 | noblacklist ${HOME}/.nvm | ||
19 | |||
15 | include /etc/firejail/disable-common.inc | 20 | include /etc/firejail/disable-common.inc |
16 | include /etc/firejail/disable-passwdmgr.inc | 21 | include /etc/firejail/disable-passwdmgr.inc |
17 | include /etc/firejail/disable-programs.inc | 22 | include /etc/firejail/disable-programs.inc |
@@ -31,6 +36,4 @@ seccomp | |||
31 | shell none | 36 | shell none |
32 | 37 | ||
33 | private-dev | 38 | private-dev |
34 | # private-tmp | 39 | private-tmp |
35 | |||
36 | noexec /tmp | ||
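Review bot: The second hunk drops `noexec /tmp` (old line 36) at the same time as it enables `private-tmp` on new line 39; a private tmpfs does not by itself stop execution out of /tmp, so a hardening option is lost unless that was intended. If node or WebStorm needs to run something from /tmp, a comment saying so would explain the removal; otherwise keeping `noexec /tmp` right after `private-tmp` preserves both behaviours.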
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 81acf7d83..da8937717 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -275,7 +275,7 @@ musescore | |||
275 | musixmatch | 275 | musixmatch |
276 | mutt | 276 | mutt |
277 | natron | 277 | natron |
278 | nautilus | 278 | #nautilus - removed in order to let the application start in a new sandbox when clicking on icons in the file manager |
279 | ncdu | 279 | ncdu |
280 | netsurf | 280 | netsurf |
281 | neverball | 281 | neverball |
@@ -300,7 +300,7 @@ pdftotext | |||
300 | peek | 300 | peek |
301 | picard | 301 | picard |
302 | pidgin | 302 | pidgin |
303 | ping | 303 | #ping - disabled until we fix #1912 |
304 | pingus | 304 | pingus |
305 | pinta | 305 | pinta |
306 | pithos | 306 | pithos |
diff --git a/src/firecfg/util.c b/src/firecfg/util.c index f0446ca8d..7ed86c36e 100644 --- a/src/firecfg/util.c +++ b/src/firecfg/util.c | |||
@@ -58,9 +58,15 @@ int which(const char *program) { | |||
58 | // use path2 to count the entries | 58 | // use path2 to count the entries |
59 | char *ptr = strtok(path2, ":"); | 59 | char *ptr = strtok(path2, ":"); |
60 | while (ptr) { | 60 | while (ptr) { |
61 | if (find(program, ptr)) { | 61 | // Ubuntu 18.04 is adding /snap/bin to PATH; |
62 | free(path2); | 62 | // they populate /snap/bin with simbolic links to /usr/bin/ programs; |
63 | return 1; | 63 | // most simlinked programs are not installed by default. |
64 | // Removing /snap/bin from our search | ||
65 | if (strcmp(ptr, "/snap/bin") != 0) { | ||
66 | if (find(program, ptr)) { | ||
67 | free(path2); | ||
68 | return 1; | ||
69 | } | ||
64 | } | 70 | } |
65 | ptr = strtok(NULL, ":"); | 71 | ptr = strtok(NULL, ":"); |
66 | } | 72 | } |
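Review bot: The comment block on new lines 61–63 has two typos (`simbolic`, `simlinked`) and reads more clearly as `// Ubuntu 18.04 adds /snap/bin to PATH, filled with symbolic links to /usr/bin programs that are mostly not installed; skip it.`. The exclusion is an exact `strcmp(ptr, "/snap/bin")`, so a PATH entry written as `/snap/bin/` or `//snap/bin` would still be searched; if that matters, strip trailing slashes before the comparison. The `which` function begins before this hunk.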
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 0df832c09..14f87c36c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -524,6 +524,16 @@ unsigned extract_timeout(const char *str); | |||
524 | void disable_file_or_dir(const char *fname); | 524 | void disable_file_or_dir(const char *fname); |
525 | void disable_file_path(const char *path, const char *file); | 525 | void disable_file_path(const char *path, const char *file); |
526 | 526 | ||
527 | // Get info regarding the last kernel mount operation. | ||
528 | // The return value points to a static area, and will be overwritten by subsequent calls. | ||
529 | // The function does an exit(1) if anything goes wrong. | ||
530 | typedef struct { | ||
531 | char *fsname; | ||
532 | char *dir; | ||
533 | } MountData; | ||
534 | MountData *get_last_mount(void); | ||
535 | |||
536 | |||
527 | // fs_var.c | 537 | // fs_var.c |
528 | void fs_var_log(void); // mounting /var/log | 538 | void fs_var_log(void); // mounting /var/log |
529 | void fs_var_lib(void); // various other fixes for software in /var directory | 539 | void fs_var_lib(void); // various other fixes for software in /var directory |
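Review bot: The `MountData` comment on new lines 527–529 should say who owns the two strings: in the util.c implementation both `fsname` and `dir` point into one static line buffer, so the caller must not free them and both are invalidated by the next call. A line on the struct such as `// fsname and dir point into a static buffer owned by get_last_mount(); do not free them` would prevent an ownership mistake. It would also help to note that `dir` is the raw mount-point field as printed by /proc/self/mounts, where spaces and backslashes appear octal-escaped, since a caller comparing it to a plain path needs to know that.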
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index d4cdbbe0a..b0ad35299 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -25,6 +25,8 @@ | |||
25 | #include <unistd.h> | 25 | #include <unistd.h> |
26 | #include <glob.h> | 26 | #include <glob.h> |
27 | 27 | ||
28 | static int prog_cnt = 0; | ||
29 | |||
28 | static char *paths[] = { | 30 | static char *paths[] = { |
29 | "/usr/local/bin", | 31 | "/usr/local/bin", |
30 | "/usr/bin", | 32 | "/usr/bin", |
@@ -191,6 +193,7 @@ static void duplicate(char *fname, FILE *fplist) { | |||
191 | // solving problems such as /bin/sh -> /bin/dash | 193 | // solving problems such as /bin/sh -> /bin/dash |
192 | // copy the real file pointed by symlink | 194 | // copy the real file pointed by symlink |
193 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR); | 195 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR); |
196 | prog_cnt++; | ||
194 | char *f = strrchr(actual_path, '/'); | 197 | char *f = strrchr(actual_path, '/'); |
195 | if (f && *(++f) !='\0') | 198 | if (f && *(++f) !='\0') |
196 | report_duplication(f); | 199 | report_duplication(f); |
@@ -201,6 +204,7 @@ static void duplicate(char *fname, FILE *fplist) { | |||
201 | 204 | ||
202 | // copy a file or a symlink | 205 | // copy a file or a symlink |
203 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); | 206 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); |
207 | prog_cnt++; | ||
204 | free(full_path); | 208 | free(full_path); |
205 | report_duplication(fname); | 209 | report_duplication(fname); |
206 | } | 210 | } |
@@ -256,6 +260,9 @@ void fs_private_bin_list(void) { | |||
256 | char *private_list = cfg.bin_private_keep; | 260 | char *private_list = cfg.bin_private_keep; |
257 | assert(private_list); | 261 | assert(private_list); |
258 | 262 | ||
263 | // start timetrace | ||
264 | timetrace_start(); | ||
265 | |||
259 | // create /run/firejail/mnt/bin directory | 266 | // create /run/firejail/mnt/bin directory |
260 | mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); | 267 | mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); |
261 | 268 | ||
@@ -298,4 +305,5 @@ void fs_private_bin_list(void) { | |||
298 | } | 305 | } |
299 | i++; | 306 | i++; |
300 | } | 307 | } |
308 | fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end()); | ||
301 | } | 309 | } |
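Review bot: `prog_cnt` is incremented on new lines 196 and 207 immediately after each `sbox_run` without looking at its result, so the final `fmessage` on line 308 reports attempted copies rather than verified ones; a comment on the counter, `// number of fcopy invocations, not verified copies`, would keep the message from being read as a success count. As a file-static that is never reset, the counter also accumulates if `fs_private_bin_list` were ever entered twice; resetting it next to `timetrace_start()` on new line 264 keeps the two measurements in step. Both `duplicate` and `fs_private_bin_list` begin outside the shown hunks.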
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 8a105be97..363b48d1d 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -201,7 +201,7 @@ static char *valid_file(const char *lib) { | |||
201 | } | 201 | } |
202 | free(fname); | 202 | free(fname); |
203 | } | 203 | } |
204 | printf("not found %s\n", lib); | 204 | |
205 | fwarning("%s library not found, skipping...\n", lib); | 205 | fwarning("%s library not found, skipping...\n", lib); |
206 | return NULL; | 206 | return NULL; |
207 | } | 207 | } |
@@ -352,7 +352,7 @@ void fs_private_lib(void) { | |||
352 | fslib_copy_dir(name); | 352 | fslib_copy_dir(name); |
353 | free(name); | 353 | free(name); |
354 | 354 | ||
355 | // /usr/lib/x86_linux-gnu - debian & frriends | 355 | // /usr/lib/x86_linux-gnu - debian & friends |
356 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr) == -1) | 356 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr) == -1) |
357 | errExit("asprintf"); | 357 | errExit("asprintf"); |
358 | if (is_dir(name)) | 358 | if (is_dir(name)) |
@@ -377,20 +377,12 @@ void fs_private_lib(void) { | |||
377 | printf("*** Installing system libraries\n"); | 377 | printf("*** Installing system libraries\n"); |
378 | fslib_install_system(); | 378 | fslib_install_system(); |
379 | 379 | ||
380 | fmessage("Installed %d libraries and %d directories\n", lib_cnt, dir_cnt); | 380 | fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", |
381 | dir_cnt, (dir_cnt == 1)? "directory": "directories"); | ||
381 | 382 | ||
382 | // bring in firejail directory for --trace options | 383 | // bring in firejail directory for --trace and seccomp post exec |
383 | fslib_copy_dir(LIBDIR "/firejail"); | 384 | fslib_copy_dir(LIBDIR "/firejail"); |
384 | 385 | ||
385 | // ... and for sandbox in sandbox functionality | ||
386 | fslib_copy_libs(LIBDIR "/firejail/faudit"); | ||
387 | fslib_copy_libs(LIBDIR "/firejail/fbuilder"); | ||
388 | fslib_copy_libs(LIBDIR "/firejail/fcopy"); | ||
389 | fslib_copy_libs(LIBDIR "/firejail/fldd"); | ||
390 | fslib_copy_libs(LIBDIR "/firejail/fnet"); | ||
391 | fslib_copy_libs(LIBDIR "/firejail/fnetfilter"); | ||
392 | fslib_copy_libs(LIBDIR "/firejail/fseccomp"); | ||
393 | fslib_copy_libs(LIBDIR "/firejail/ftee"); | ||
394 | // mount lib filesystem | 386 | // mount lib filesystem |
395 | mount_directories(); | 387 | mount_directories(); |
396 | } | 388 | } |
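Review bot: The third hunk removes the eight `fslib_copy_libs(LIBDIR "/firejail/...")` calls (old lines 385–393) that pulled in the shared libraries of the helper binaries for sandbox-in-sandbox use, but the new comment on line 383 only says the directory is copied for --trace and seccomp post exec. If `fslib_copy_dir` copies the helpers without resolving their library dependencies, a nested firejail under `private-lib` may no longer be able to run `fseccomp`, `fnet` and the others; if dropping that support is intentional, the comment should say so, e.g. `// helper binaries are copied, their libraries are not: nested sandboxes are not supported with private-lib`. `fs_private_lib` starts before the shown hunks.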
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 21fa8e624..60bb0f6ed 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -37,6 +37,7 @@ static char *dentry[] = { | |||
37 | #define EMPTY_STRING ("") | 37 | #define EMPTY_STRING ("") |
38 | #define MAXBUF 4098 | 38 | #define MAXBUF 4098 |
39 | static char *resolve_downloads(int nowhitelist_flag) { | 39 | static char *resolve_downloads(int nowhitelist_flag) { |
40 | EUID_ASSERT(); | ||
40 | char *fname; | 41 | char *fname; |
41 | struct stat s; | 42 | struct stat s; |
42 | 43 | ||
@@ -316,6 +317,16 @@ static void whitelist_path(ProfileEntry *entry) { | |||
316 | if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0) | 317 | if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0) |
317 | errExit("mount bind"); | 318 | errExit("mount bind"); |
318 | 319 | ||
320 | // check the last mount operation | ||
321 | MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found | ||
322 | |||
323 | // No mounts are allowed on top level directories. A destination such as "/etc" is very bad! | ||
324 | // - there should be more than one '/' char in dest string | ||
325 | if (mptr->dir == strrchr(mptr->dir, '/')) { | ||
326 | fprintf(stderr, "Error: invalid mount on top of %s\n", mptr->dir); | ||
327 | exit(1); | ||
328 | } | ||
329 | |||
319 | free(wfile); | 330 | free(wfile); |
320 | return; | 331 | return; |
321 | 332 | ||
@@ -352,6 +363,7 @@ void fs_whitelist(void) { | |||
352 | errExit("failed allocating memory for nowhitelist entries"); | 363 | errExit("failed allocating memory for nowhitelist entries"); |
353 | 364 | ||
354 | // verify whitelist files, extract symbolic links, etc. | 365 | // verify whitelist files, extract symbolic links, etc. |
366 | EUID_USER(); | ||
355 | while (entry) { | 367 | while (entry) { |
356 | int nowhitelist_flag = 0; | 368 | int nowhitelist_flag = 0; |
357 | 369 | ||
@@ -643,6 +655,7 @@ void fs_whitelist(void) { | |||
643 | assert(nowhitelist); | 655 | assert(nowhitelist); |
644 | free(nowhitelist); | 656 | free(nowhitelist); |
645 | 657 | ||
658 | EUID_ROOT(); | ||
646 | // /home/user | 659 | // /home/user |
647 | if (home_dir) { | 660 | if (home_dir) { |
648 | // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR | 661 | // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR |
@@ -856,6 +869,15 @@ void fs_whitelist(void) { | |||
856 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 869 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); |
857 | else if (arg_debug || arg_debug_whitelists) | 870 | else if (arg_debug || arg_debug_whitelists) |
858 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | 871 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); |
872 | |||
873 | // check again for files in /tmp directory | ||
874 | if (strncmp(entry->link, "/tmp/", 5) == 0) { | ||
875 | char *path = realpath(entry->link, NULL); | ||
876 | if (path == NULL || strncmp(path, "/tmp/", 5) != 0) { | ||
877 | fprintf(stderr, "Error: invalid symbolic link %s\n", entry->link); | ||
878 | exit(1); | ||
879 | } | ||
880 | } | ||
859 | } | 881 | } |
860 | } | 882 | } |
861 | } | 883 | } |
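Review bot: The post-mount check on new lines 320–328 only rejects a destination whose single '/' is the first character; it never verifies that the bind mount actually landed on `path`, so a redirected mount onto a deeper directory passes. Comparing `mptr->dir` with `path` as well (keeping in mind that /proc/self/mounts octal-escapes spaces, so the comparison must use the escaped form) would make the check cover what it is there for, and since the mount has already happened by then, exiting on mismatch as the code does is the right response. In the last hunk the `realpath` result on new line 875 is never released: `path` is tested and then dropped on the success path, so add `free(path);` after the `if` block. `whitelist_path` and `fs_whitelist` both continue outside the shown hunks.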
diff --git a/src/firejail/util.c b/src/firejail/util.c index a44e52e98..f441f283f 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1029,3 +1029,39 @@ void disable_file_path(const char *path, const char *file) { | |||
1029 | free(fname); | 1029 | free(fname); |
1030 | } | 1030 | } |
1031 | 1031 | ||
1032 | #define MAX_BUF 4096 | ||
1033 | static char mbuf[MAX_BUF]; | ||
1034 | static MountData mdata; | ||
1035 | |||
1036 | // Get info regarding the last kernel mount operation. | ||
1037 | // The return value points to a static area, and will be overwritten by subsequent calls. | ||
1038 | // The function does an exit(1) if anything goes wrong. | ||
1039 | MountData *get_last_mount(void) { | ||
1040 | // open /proc/self/mounts | ||
1041 | FILE *fp = fopen("/proc/self/mounts", "r"); | ||
1042 | if (!fp) | ||
1043 | goto errexit; | ||
1044 | |||
1045 | mbuf[0] = '\0'; | ||
1046 | while (fgets(mbuf, MAX_BUF, fp)); | ||
1047 | fclose(fp); | ||
1048 | if (arg_debug || arg_debug_whitelists) | ||
1049 | printf("%s", mbuf); | ||
1050 | |||
1051 | // there should be no reason to have a new mount on top of a top level directory | ||
1052 | mdata.fsname = mbuf; | ||
1053 | mdata.dir = strstr(mbuf, " "); | ||
1054 | if (!mdata.dir) | ||
1055 | goto errexit; | ||
1056 | mdata.dir++; | ||
1057 | char *end = strstr(mdata.dir, " "); | ||
1058 | if (!end) | ||
1059 | goto errexit; | ||
1060 | *end = '\0'; | ||
1061 | |||
1062 | return &mdata; | ||
1063 | |||
1064 | errexit: | ||
1065 | fprintf(stderr, "Error: cannot read /proc/self/mounts"); | ||
1066 | exit(1); | ||
1067 | } | ||
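Review bot: `get_last_mount` hands back the second space-separated field of the last line exactly as the kernel prints it, where spaces, tabs and backslashes in the mount point are octal-escaped, and the loop on line 1046 keeps whatever `fgets` returned last, so a line longer than `MAX_BUF` leaves a fragment in `mbuf` and the fields parsed from it are not the real ones. A comment such as `// dir is the raw, octal-escaped mount point field; a line longer than MAX_BUF is truncated` warns callers, and checking that `mbuf` ends in '\n' before parsing would route the truncation to the existing `errexit`. The error message on line 1065 lacks a newline: `fprintf(stderr, "Error: cannot read /proc/self/mounts\n");`. `strstr(mbuf, " ")` and `strstr(mdata.dir, " ")` are single-character searches and read more naturally as `strchr(mbuf, ' ')`. The comment on line 1051 describes the caller's top-level-directory check in fs_whitelist.c rather than the field parsing that follows it and is better moved there or reworded.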
diff --git a/src/fldd/main.c b/src/fldd/main.c index be4500d2a..4658e82fb 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -340,10 +340,8 @@ printf("\n"); | |||
340 | else { | 340 | else { |
341 | if (is_lib_64(argv[1])) | 341 | if (is_lib_64(argv[1])) |
342 | parse_elf(argv[1]); | 342 | parse_elf(argv[1]); |
343 | else { | 343 | else |
344 | fprintf(stderr, "Error fldd: %s is not a 64bit program/library\n", argv[1]); | 344 | fprintf(stderr, "Warning fldd: %s is not a 64bit program/library\n", argv[1]); |
345 | exit(1); | ||
346 | } | ||
347 | } | 345 | } |
348 | 346 | ||
349 | 347 | ||
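Review bot: Demoting the not-64-bit case on new lines 343–344 from an error with `exit(1)` to a warning means fldd now finishes with no dependency output and, if `main` still returns 0 afterwards (outside the hunk), the caller cannot tell "no libraries" from "unsupported binary". If the intent is to let private-lib skip 32-bit helpers gracefully, a comment such as `// not fatal: private-lib callers treat an empty list as nothing to copy` records that; otherwise keeping a non-zero exit status while printing the warning preserves the signal.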
diff --git a/src/lib/firejail_user.c b/src/lib/firejail_user.c index 09a4da0e7..0cc0ac6c1 100644 --- a/src/lib/firejail_user.c +++ b/src/lib/firejail_user.c | |||
@@ -47,7 +47,8 @@ int firejail_user_check(const char *name) { | |||
47 | return 1; | 47 | return 1; |
48 | 48 | ||
49 | // other system users will run the program as is | 49 | // other system users will run the program as is |
50 | if (getuid() < UID_MIN || strcmp(name, "nobody") == 0) | 50 | uid_t uid = getuid(); |
51 | if ((uid < UID_MIN && uid != 0) || strcmp(name, "nobody") == 0) | ||
51 | return 0; | 52 | return 0; |
52 | 53 | ||
53 | // check file existence | 54 | // check file existence |
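Review bot: The comment on line 49, `// other system users will run the program as is`, no longer matches the condition on new line 51, which now excludes uid 0 from the exemption and sends root on to the file check that follows. Updating it to `// other system users run the program as is; root is checked against the user list like a regular user` records the intent. `firejail_user_check` continues outside the hunk.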
diff --git a/test/arguments/arguments.sh b/test/arguments/arguments.sh index 9500b5975..d9f2d4697 100755 --- a/test/arguments/arguments.sh +++ b/test/arguments/arguments.sh | |||
@@ -3,9 +3,8 @@ | |||
3 | if [ -f /etc/debian_version ]; then | 3 | if [ -f /etc/debian_version ]; then |
4 | libdir=$(dirname "$(dpkg -L firejail | grep faudit)") | 4 | libdir=$(dirname "$(dpkg -L firejail | grep faudit)") |
5 | export PATH="$PATH:$libdir" | 5 | export PATH="$PATH:$libdir" |
6 | else | ||
7 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" | ||
8 | fi | 6 | fi |
7 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" | ||
9 | 8 | ||
10 | echo "TESTING: 1. regular bash session" | 9 | echo "TESTING: 1. regular bash session" |
11 | ./bashrun.exp | 10 | ./bashrun.exp |
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index ff197aa54..d0a34ccc5 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -9,9 +9,9 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | |||
9 | if [ -f /etc/debian_version ]; then | 9 | if [ -f /etc/debian_version ]; then |
10 | libdir=$(dirname "$(dpkg -L firejail | grep fseccomp)") | 10 | libdir=$(dirname "$(dpkg -L firejail | grep fseccomp)") |
11 | export PATH="$PATH:$libdir" | 11 | export PATH="$PATH:$libdir" |
12 | else | ||
13 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" | ||
14 | fi | 12 | fi |
13 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" | ||
14 | |||
15 | 15 | ||
16 | if [ "$(uname -m)" = "x86_64" ]; then | 16 | if [ "$(uname -m)" = "x86_64" ]; then |
17 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" | 17 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" |
diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp index e16798ab8..84abe74cd 100755 --- a/test/fs/invalid_filename.exp +++ b/test/fs/invalid_filename.exp | |||
@@ -7,11 +7,7 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --debug-check-filename --noprofile --blacklist=\"bla&&bla\"\r" | 10 | send -- "firejail --noprofile --blacklist=\"bla&&bla\"\r" |
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 1.1\n";exit} | ||
13 | "Checking filename bla&&bla" | ||
14 | } | ||
15 | expect { | 11 | expect { |
16 | timeout {puts "TESTING ERROR 1.2\n";exit} | 12 | timeout {puts "TESTING ERROR 1.2\n";exit} |
17 | "Error:" | 13 | "Error:" |
@@ -22,11 +18,7 @@ expect { | |||
22 | } | 18 | } |
23 | after 100 | 19 | after 100 |
24 | 20 | ||
25 | send -- "firejail --debug-check-filename --noprofile --cgroup=\"bla&&bla\"\r" | 21 | send -- "firejail --noprofile --cgroup=\"bla&&bla\"\r" |
26 | expect { | ||
27 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
28 | "Checking filename bla&&bla" | ||
29 | } | ||
30 | expect { | 22 | expect { |
31 | timeout {puts "TESTING ERROR 2.2\n";exit} | 23 | timeout {puts "TESTING ERROR 2.2\n";exit} |
32 | "Error:" | 24 | "Error:" |
@@ -37,12 +29,7 @@ expect { | |||
37 | } | 29 | } |
38 | after 100 | 30 | after 100 |
39 | 31 | ||
40 | send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r" | 32 | send -- "firejail --noprofile --chroot=\"bla&&bla\"\r" |
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
43 | "Checking filename bla&&bla" {puts "normal system\n"} | ||
44 | "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit} | ||
45 | } | ||
46 | expect { | 33 | expect { |
47 | timeout {puts "TESTING ERROR 3.2\n";exit} | 34 | timeout {puts "TESTING ERROR 3.2\n";exit} |
48 | "Error:" | 35 | "Error:" |
@@ -53,11 +40,7 @@ expect { | |||
53 | } | 40 | } |
54 | after 100 | 41 | after 100 |
55 | 42 | ||
56 | send -- "firejail --debug-check-filename --noprofile --netfilter=\"bla&&bla\"\r" | 43 | send -- "firejail --noprofile --netfilter=\"bla&&bla\"\r" |
57 | expect { | ||
58 | timeout {puts "TESTING ERROR 4.1\n";exit} | ||
59 | "Checking filename bla&&bla" | ||
60 | } | ||
61 | expect { | 44 | expect { |
62 | timeout {puts "TESTING ERROR 4.2\n";exit} | 45 | timeout {puts "TESTING ERROR 4.2\n";exit} |
63 | "Error:" | 46 | "Error:" |
@@ -68,22 +51,14 @@ expect { | |||
68 | } | 51 | } |
69 | after 100 | 52 | after 100 |
70 | 53 | ||
71 | send -- "firejail --debug-check-filename --noprofile --output=\"bla&&bla\"\r" | 54 | send -- "firejail --noprofile --output=\"bla&&bla\"\r" |
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 5.2\n";exit} | ||
74 | "Error:" | ||
75 | } | ||
76 | expect { | 55 | expect { |
77 | timeout {puts "TESTING ERROR 5.3\n";exit} | 56 | timeout {puts "TESTING ERROR 5.3\n";exit} |
78 | "is an invalid filename" | 57 | "is an invalid filename" |
79 | } | 58 | } |
80 | after 100 | 59 | after 100 |
81 | 60 | ||
82 | send -- "firejail --debug-check-filename --noprofile --private=\"bla&&bla\"\r" | 61 | send -- "firejail --noprofile --private=\"bla&&bla\"\r" |
83 | expect { | ||
84 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
85 | "Checking filename bla&&bla" | ||
86 | } | ||
87 | expect { | 62 | expect { |
88 | timeout {puts "TESTING ERROR 6.2\n";exit} | 63 | timeout {puts "TESTING ERROR 6.2\n";exit} |
89 | "Error:" | 64 | "Error:" |
@@ -94,11 +69,7 @@ expect { | |||
94 | } | 69 | } |
95 | after 100 | 70 | after 100 |
96 | 71 | ||
97 | send -- "firejail --debug-check-filename --noprofile --private-bin=\"bla&&bla\"\r" | 72 | send -- "firejail --noprofile --private-bin=\"bla&&bla\"\r" |
98 | expect { | ||
99 | timeout {puts "TESTING ERROR 7.1\n";exit} | ||
100 | "Checking filename bla&&bla" | ||
101 | } | ||
102 | expect { | 73 | expect { |
103 | timeout {puts "TESTING ERROR 7.2\n";exit} | 74 | timeout {puts "TESTING ERROR 7.2\n";exit} |
104 | "Error:" | 75 | "Error:" |
@@ -109,11 +80,7 @@ expect { | |||
109 | } | 80 | } |
110 | after 100 | 81 | after 100 |
111 | 82 | ||
112 | send -- "firejail --debug-check-filename --noprofile --private-home=\"bla&&bla\"\r" | 83 | send -- "firejail --noprofile --private-home=\"bla&&bla\"\r" |
113 | expect { | ||
114 | timeout {puts "TESTING ERROR 8.1\n";exit} | ||
115 | "Checking filename bla&&bla" | ||
116 | } | ||
117 | expect { | 84 | expect { |
118 | timeout {puts "TESTING ERROR 8.2\n";exit} | 85 | timeout {puts "TESTING ERROR 8.2\n";exit} |
119 | "Error:" | 86 | "Error:" |
@@ -124,11 +91,7 @@ expect { | |||
124 | } | 91 | } |
125 | after 100 | 92 | after 100 |
126 | 93 | ||
127 | send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r" | 94 | send -- "firejail --noprofile --private-etc=\"bla&&bla\"\r" |
128 | expect { | ||
129 | timeout {puts "TESTING ERROR 9.1\n";exit} | ||
130 | "Checking filename bla&&bla" | ||
131 | } | ||
132 | expect { | 95 | expect { |
133 | timeout {puts "TESTING ERROR 9.2\n";exit} | 96 | timeout {puts "TESTING ERROR 9.2\n";exit} |
134 | "Error:" | 97 | "Error:" |
@@ -139,11 +102,7 @@ expect { | |||
139 | } | 102 | } |
140 | after 100 | 103 | after 100 |
141 | 104 | ||
142 | send -- "firejail --debug-check-filename --profile=\"bla&&bla\"\r" | 105 | send -- "firejail --profile=\"bla&&bla\"\r" |
143 | expect { | ||
144 | timeout {puts "TESTING ERROR 10.1\n";exit} | ||
145 | "Checking filename bla&&bla" | ||
146 | } | ||
147 | expect { | 106 | expect { |
148 | timeout {puts "TESTING ERROR 10.2\n";exit} | 107 | timeout {puts "TESTING ERROR 10.2\n";exit} |
149 | "Error:" | 108 | "Error:" |
@@ -154,11 +113,7 @@ expect { | |||
154 | } | 113 | } |
155 | after 100 | 114 | after 100 |
156 | 115 | ||
157 | send -- "firejail --debug-check-filename --read-only=\"bla&&bla\"\r" | 116 | send -- "firejail --read-only=\"bla&&bla\"\r" |
158 | expect { | ||
159 | timeout {puts "TESTING ERROR 11.1\n";exit} | ||
160 | "Checking filename bla&&bla" | ||
161 | } | ||
162 | expect { | 117 | expect { |
163 | timeout {puts "TESTING ERROR 11.2\n";exit} | 118 | timeout {puts "TESTING ERROR 11.2\n";exit} |
164 | "Error:" | 119 | "Error:" |
@@ -169,11 +124,7 @@ expect { | |||
169 | } | 124 | } |
170 | after 100 | 125 | after 100 |
171 | 126 | ||
172 | send -- "firejail --debug-check-filename --shell=\"bla&&bla\"\r" | 127 | send -- "firejail --shell=\"bla&&bla\"\r" |
173 | expect { | ||
174 | timeout {puts "TESTING ERROR 12.1\n";exit} | ||
175 | "Checking filename bla&&bla" | ||
176 | } | ||
177 | expect { | 128 | expect { |
178 | timeout {puts "TESTING ERROR 12.2\n";exit} | 129 | timeout {puts "TESTING ERROR 12.2\n";exit} |
179 | "Error:" | 130 | "Error:" |
@@ -185,11 +136,7 @@ expect { | |||
185 | after 100 | 136 | after 100 |
186 | 137 | ||
187 | 138 | ||
188 | send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r" | 139 | send -- "firejail --whitelist=\"bla&&bla\"\r" |
189 | expect { | ||
190 | timeout {puts "TESTING ERROR 14.1\n";exit} | ||
191 | "Checking filename bla&&bla" | ||
192 | } | ||
193 | expect { | 140 | expect { |
194 | timeout {puts "TESTING ERROR 14.2\n";exit} | 141 | timeout {puts "TESTING ERROR 14.2\n";exit} |
195 | "Error:" | 142 | "Error:" |
diff --git a/test/private-lib/gedit.exp b/test/private-lib/gedit.exp new file mode 100755 index 000000000..00fa934e7 --- /dev/null +++ b/test/private-lib/gedit.exp | |||
@@ -0,0 +1,83 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail /usr/bin/gedit\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Reading profile /etc/firejail/gedit.profile" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "Child process initialized" | ||
18 | } | ||
19 | sleep 3 | ||
20 | |||
21 | spawn $env(SHELL) | ||
22 | send -- "firejail --list\r" | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
25 | ":firejail" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
29 | "gedit" | ||
30 | } | ||
31 | after 100 | ||
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
40 | |||
41 | send -- "firejail --name=blablabla\r" | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 4\n";exit} | ||
44 | "Child process initialized" | ||
45 | } | ||
46 | sleep 2 | ||
47 | |||
48 | spawn $env(SHELL) | ||
49 | send -- "firemon --seccomp\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 5\n";exit} | ||
52 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | ||
53 | ":firejail /usr/bin/gedit" | ||
54 | } | ||
55 | expect { | ||
56 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | ||
57 | "Seccomp: 2" | ||
58 | } | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
61 | "name=blablabla" | ||
62 | } | ||
63 | after 100 | ||
64 | send -- "firemon --caps\r" | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 6\n";exit} | ||
67 | ":firejail /usr/bin/gedit" | ||
68 | } | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
71 | "CapBnd:" | ||
72 | } | ||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 6.2\n";exit} | ||
75 | "0000000000000000" | ||
76 | } | ||
77 | expect { | ||
78 | timeout {puts "TESTING ERROR 6.3\n";exit} | ||
79 | "name=blablabla" | ||
80 | } | ||
81 | after 100 | ||
82 | |||
83 | puts "\nall done\n" | ||
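Review bot: The label `TESTING ERROR 5.1` is used for two different expect blocks (new lines 56 and 60), so a timeout prints the same message for the seccomp check and the name check and the failure cannot be located from the output; numbering the second one `TESTING ERROR 5.2` removes the ambiguity. The same duplicated label appears at the same lines of the new test/private-lib/pluma.exp.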
diff --git a/test/private-lib/pluma.exp b/test/private-lib/pluma.exp new file mode 100755 index 000000000..92ae0a345 --- /dev/null +++ b/test/private-lib/pluma.exp | |||
@@ -0,0 +1,83 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2018 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail pluma\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Reading profile /etc/firejail/pluma.profile" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "Child process initialized" | ||
18 | } | ||
19 | sleep 3 | ||
20 | |||
21 | spawn $env(SHELL) | ||
22 | send -- "firejail --list\r" | ||
23 | expect { | ||
24 | timeout {puts "TESTING ERROR 3\n";exit} | ||
25 | ":firejail" | ||
26 | } | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
29 | "pluma" | ||
30 | } | ||
31 | after 100 | ||
32 | |||
33 | # grsecurity exit | ||
34 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
35 | expect { | ||
36 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
37 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
38 | "cannot open" {puts "grsecurity not present\n"} | ||
39 | } | ||
40 | |||
41 | send -- "firejail --name=blablabla\r" | ||
42 | expect { | ||
43 | timeout {puts "TESTING ERROR 4\n";exit} | ||
44 | "Child process initialized" | ||
45 | } | ||
46 | sleep 2 | ||
47 | |||
48 | spawn $env(SHELL) | ||
49 | send -- "firemon --seccomp\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 5\n";exit} | ||
52 | "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} | ||
53 | ":firejail pluma" | ||
54 | } | ||
55 | expect { | ||
56 | timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} | ||
57 | "Seccomp: 2" | ||
58 | } | ||
59 | expect { | ||
60 | timeout {puts "TESTING ERROR 5.1\n";exit} | ||
61 | "name=blablabla" | ||
62 | } | ||
63 | after 100 | ||
64 | send -- "firemon --caps\r" | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 6\n";exit} | ||
67 | ":firejail pluma" | ||
68 | } | ||
69 | expect { | ||
70 | timeout {puts "TESTING ERROR 6.1\n";exit} | ||
71 | "CapBnd:" | ||
72 | } | ||
73 | expect { | ||
74 | timeout {puts "TESTING ERROR 6.2\n";exit} | ||
75 | "0000000000000000" | ||
76 | } | ||
77 | expect { | ||
78 | timeout {puts "TESTING ERROR 6.3\n";exit} | ||
79 | "name=blablabla" | ||
80 | } | ||
81 | after 100 | ||
82 | |||
83 | puts "\nall done\n" | ||
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh index 2a0eb8d30..edf81917a 100755 --- a/test/private-lib/private-lib.sh +++ b/test/private-lib/private-lib.sh | |||
@@ -5,7 +5,7 @@ | |||
5 | 5 | ||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | LIST="evince galculator gnome-calculator leafpad mousepad transmission-gtk xcalc atril gpicview eom eog" | 8 | LIST="evince galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog" |
9 | 9 | ||
10 | 10 | ||
11 | for app in $LIST; do | 11 | for app in $LIST; do |