-rw-r--r-- | .github/workflows/build-extra.yml | 32 | ||||
-rw-r--r-- | .github/workflows/build.yml | 12 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 12 | ||||
-rw-r--r-- | .github/workflows/profile-checks.yml | 2 | ||||
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | etc/profile-m-z/onionshare-gui.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/remmina.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/torbrowser-launcher.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/torbrowser.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/viewnior.profile | 1 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 14 | ||||
-rw-r--r-- | m4/ax_check_compile_flag.m4 | 31 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 6 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 2 | ||||
-rw-r--r-- | src/firejail/join.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 10 | ||||
-rw-r--r-- | src/lib/ldd_utils.c | 2 | ||||
-rw-r--r-- | src/lib/syscall.c | 52 | ||||
-rw-r--r-- | test/Makefile | 2 | ||||
-rwxr-xr-x | test/environment/dns.exp | 32 | ||||
-rwxr-xr-x | test/sysutils/less.exp | 1 | ||||
-rwxr-xr-x | test/utils/man.exp | 1 | ||||
-rwxr-xr-x | test/utils/trace.exp | 4 |
24 files changed, 144 insertions, 89 deletions
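--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -4,7 +4,10 @@ on:
 push:
 branches: [ master ]
 paths-ignore:
+- .git-blame-ignore-revs
+- .gitignore
 - CONTRIBUTING.md
+- COPYING
 - README
 - README.md
 - RELNOTES
@@ -16,7 +19,10 @@ on:
 pull_request:
 branches: [ master ]
 paths-ignore:
+- .git-blame-ignore-revs
+- .gitignore
 - CONTRIBUTING.md
+- COPYING
 - README
 - README.md
 - RELNOTES
@@ -28,11 +34,13 @@ on:
 
 jobs:
 build-clang:
-runs-on: ubuntu-20.04
+runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+- name: install dependencies
+run: sudo apt-get install libapparmor-dev libselinux1-dev
 - name: configure
-run: CC=clang-11 ./configure --enable-fatal-warnings
+run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
 - name: make
 run: make
 - name: make install
@@ -40,16 +48,26 @@ jobs:
 - name: print version
 run: command -V firejail && firejail --version
 scan-build:
-runs-on: ubuntu-20.04
+runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
-- name: install clang-tools-11
-run: sudo apt-get install clang-tools-11
+- name: install clang-tools-14 and dependencies
+run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
 - name: configure
-run: CC=clang-11 ./configure --enable-fatal-warnings
+run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux
 - name: scan-build
-run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make
+run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make
 cppcheck:
+runs-on: ubuntu-22.04
+steps:
+- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+- name: install cppcheck
+run: sudo apt-get install cppcheck
+- name: cppcheck
+run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c .
+# new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also
+# with older cppcheck version from ubuntu 20.04.
+cppcheck_old:
 runs-on: ubuntu-20.04
 steps:
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b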
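Review bot: The new `install dependencies` step in build-clang, the widened install step in scan-build and the `install cppcheck` step in the new cppcheck job all run `sudo apt-get install` against whatever package index the runner image shipped with, whereas build.yml in this same commit runs `sudo apt-get update` first. A stale index can make the install fail once a package version has been superseded, so I would add `- name: update package information` with `run: sudo apt-get update` ahead of each install step here as well. Separately, the new cppcheck job excludes `src/firejail/checkcfg.c` and `src/firejail/main.c`, so analysis of those two files depends entirely on `cppcheck_old` remaining runnable on ubuntu-20.04; the comment explains why, and it deserves a tracking note for when that image is retired.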
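--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,7 +4,10 @@ on:
 push:
 branches: [ master ]
 paths-ignore:
+- .git-blame-ignore-revs
+- .gitignore
 - CONTRIBUTING.md
+- COPYING
 - README
 - README.md
 - RELNOTES
@@ -12,7 +15,10 @@ on:
 pull_request:
 branches: [ master ]
 paths-ignore:
+- .git-blame-ignore-revs
+- .gitignore
 - CONTRIBUTING.md
+- COPYING
 - README
 - README.md
 - RELNOTES
@@ -20,15 +26,15 @@ on:
 
 jobs:
 build_and_test:
-runs-on: ubuntu-20.04
+runs-on: ubuntu-22.04
 steps:
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 - name: update package information
 run: sudo apt-get update
 - name: install dependencies
-run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec
+run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec
 - name: configure
-run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
+run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
 - name: make
 run: make
 - name: make install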
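--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,7 +9,10 @@ on:
 push:
 branches: [ master ]
 paths-ignore:
+- .git-blame-ignore-revs
+- .gitignore
 - CONTRIBUTING.md
+- COPYING
 - README
 - README.md
 - RELNOTES
@@ -19,7 +22,10 @@ on:
 # The branches below must be a subset of the branches above
 branches: [ master ]
 paths-ignore:
+- .git-blame-ignore-revs
+- .gitignore
 - CONTRIBUTING.md
+- COPYING
 - README
 - README.md
 - RELNOTES
@@ -47,7 +53,7 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+uses: github/codeql-action/init@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +64,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
-uses: github/codeql-action/autobuild@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+uses: github/codeql-action/autobuild@3e7e3b32d0fb8283594bb0a76cc60a00918b0969
 
 # ℹ️ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -72,4 +78,4 @@ jobs:
 # make release
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@3f62b754e23e0dd60f91b744033e1dc1654c0ec6
+uses: github/codeql-action/analyze@3e7e3b32d0fb8283594bb0a76cc60a00918b0969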
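--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -18,7 +18,7 @@ on:
 
 jobs:
 profile-checks:
-runs-on: ubuntu-20.04
+runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 - name: sort.py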
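--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@
 .directory
 *.man
 .vscode
+/firejail-*/
 autom4te.cache/
 config.log
 config.mk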
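--- a/etc/profile-m-z/onionshare-gui.profile
+++ b/etc/profile-m-z/onionshare-gui.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
 
+blacklist /sys/class/net
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc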
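Review bot: `blacklist /sys/class/net` is added with no comment saying what it protects, unlike the `# Allow python ...` line just above it. The same bare rule is added to torbrowser-launcher.profile and torbrowser.profile in this commit. Presumably the intent is to stop these Tor-related applications from reading details of the host's network interfaces; if so, a line such as `# Hide host network interface information from the application` above each rule would record that. It is also worth confirming that none of the three programs needs the directory at startup.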
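--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.local/share/remmina
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc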
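Review bot: The added `include allow-python3.inc` re-enables an interpreter that disable-interpreters.inc would otherwise blacklist, in a profile that already allows ssh, and the comment only restates what the include does. The reason Remmina needs python is not visible in this section. The comment should name it, for example `# Allow python for <feature that needs it> (blacklisted by disable-interpreters.inc)`, so a later reviewer can tell whether the exception is still required.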
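--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -16,6 +16,7 @@ include allow-python2.inc
 include allow-python3.inc
 
 blacklist /srv
+blacklist /sys/class/net
 
 include disable-common.inc
 include disable-devel.inc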
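--- a/etc/profile-m-z/torbrowser.profile
+++ b/etc/profile-m-z/torbrowser.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 
 blacklist /usr/libexec
+blacklist /sys/class/net
 
 mkdir ${HOME}/.cache/mozilla/torbrowser
 mkdir ${HOME}/.mozilla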
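--- a/etc/profile-m-z/viewnior.profile
+++ b/etc/profile-m-z/viewnior.profile
@@ -19,6 +19,7 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-shell.inc
 
+whitelist /usr/share/viewnior
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 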
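--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -27,26 +27,26 @@ Always have a look at 'man 1 firejail'.
 Definition of groups
 --------------------
 
-@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit
-@basic-io=_llseek,close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
+@aio=io_cancel,io_destroy,io_getevents,io_pgetevents,io_setup,io_submit,io_uring_enter,io_uring_register,io_uring_setup
+@basic-io=_llseek,close,close_range,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev
 @chown=chown,chown32,fchown,fchown32,fchownat,lchown,lchown32
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
-@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
+@debug=lookup_dcookie,perf_event_open,pidfd_getfd,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
 @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
-@file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
+@file-system=access,chdir,chmod,close,close_range,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,openat2,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
 @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_ctl_old,epoll_pwait,epoll_wait,epoll_wait_old,eventfd,eventfd2,poll,ppoll,pselect6,select
-@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
+@ipc=ipc,memfd_create,mq_getsetattr,mq_notify,mq_open,mq_timedreceive,mq_timedsend,mq_unlink,msgctl,msgget,msgrcv,msgsnd,pipe,pipe2,process_madvise,process_vm_readv,process_vm_writev,semctl,semget,semop,semtimedop,shmat,shmctl,shmdt,shmget
 @keyring=add_key,keyctl,request_key
 @memlock=mlock,mlock2,mlockall,munlock,munlockall
 @module=delete_module,finit_module,init_module
-@mount=chroot,mount,pivot_root,umount,umount2
+@mount=chroot,fsconfig,fsmount,fsopen,fspick,mount,move_mount,open_tree,pivot_root,umount,umount2
 @network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
 @obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,idle,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
 @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
-@process=arch_prctl,capget,clone,execveat,fork,getrusage,kill,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
+@process=arch_prctl,capget,clone,clone3,execveat,fork,getrusage,kill,pidfd_open,pidfd_send_signal,prctl,rt_sigqueueinfo,rt_tgsigqueueinfo,setns,swapcontext,tgkill,times,tkill,unshare,vfork,wait4,waitid,waitpid
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
 @reboot=kexec_load,kexec_file_load,reboot
 @resources=ioprio_set,mbind,migrate_pages,move_pages,nice,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy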
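Review bot: The `@default` line is left unchanged and still reads `set_mempolicyvmsplice`, with the comma between the two syscall names missing. This commit changes `"set_mempolicy"` to `"set_mempolicy,"` in src/lib/syscall.c, in what appears to be the matching list, so the template should be corrected at the same time to `...,remap_file_pages,set_mempolicy,vmsplice,userfaultfd,...`. Before that code fix the two adjacent string literals would have concatenated into one name, which presumably matched no syscall and left both calls out of the group. Since that changes what the group filters, the fix deserves a mention in the release notes.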
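--- a/m4/ax_check_compile_flag.m4
+++ b/m4/ax_check_compile_flag.m4
@@ -29,33 +29,12 @@
 # Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
 # Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
 #
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-# Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <https://www.gnu.org/licenses/>.
-#
-# As a special exception, the respective Autoconf Macro's copyright owner
-# gives unlimited permission to copy, distribute and modify the configure
-# scripts that are the output of Autoconf when processing the Macro. You
-# need not follow the terms of the GNU General Public License when using
-# or distributing such scripts, even though portions of the text of the
-# Macro appear in them. The GNU General Public License (GPL) does govern
-# all other use of the material that constitutes the Autoconf Macro.
-#
-# This special exception to the GPL applies to versions of the Autoconf
-# Macro released by the Autoconf Archive. When you make and distribute a
-# modified version of the Autoconf Macro, you may extend this special
-# exception to the GPL to apply to your modified version as well.
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
 
-#serial 5
+#serial 6
 
 AC_DEFUN([AX_CHECK_COMPILE_FLAG],
 [AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF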
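--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -385,7 +385,6 @@ char *guess_shell(void);
 #define SANDBOX_DONE '1'
 int sandbox(void* sandbox_arg);
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) __attribute__((noreturn));
-void set_apparmor(void);
 
 // network_main.c
 void net_configure_sandbox_ip(Bridge *br);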
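--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -27,7 +27,7 @@
 
 static int prog_cnt = 0;
 
-static char *paths[] = {
+static const char * const paths[] = {
 "/usr/local/bin",
 "/usr/bin",
 "/bin",
@@ -40,7 +40,7 @@ static char *paths[] = {
 };
 
 // return 1 if found, 0 if not found
-static char *check_dir_or_file(const char *name) {
+static const char *check_dir_or_file(const char *name) {
 EUID_ASSERT();
 assert(name);
 struct stat s;
@@ -160,7 +160,7 @@ static void duplicate(char *fname) {
 else {
 // Find the standard directory (by looping through paths[])
 // where the filename fname is located
-char *path = check_dir_or_file(fname);
+const char *path = check_dir_or_file(fname);
 if (!path)
 return;
 if (asprintf(&full_path, "%s/%s", path, fname) == -1)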
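Review bot: The comment above `check_dir_or_file` still says `// return 1 if found, 0 if not found`, but the function returns a pointer (now `const char *`), and `duplicate()` uses the result as a directory in `asprintf(&full_path, "%s/%s", path, fname)` after a NULL check. Since the signature line is being touched anyway, I would change the comment to `// return the directory from paths[] that contains name, or NULL if not found`. The function body continues outside the hunk, so the exact return values should be confirmed against it.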
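--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -300,7 +300,7 @@ void fs_var_utmp(void) {
 
 // read current utmp
 struct utmp *u;
-struct utmp u_boot;
+struct utmp u_boot = {0};
 setutent();
 while ((u = getutent()) != NULL) {
 if (u->ut_type == BOOT_TIME) {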
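--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -33,10 +33,6 @@
 #define PR_SET_NO_NEW_PRIVS 38
 #endif
 
-#ifdef HAVE_APPARMOR
-#include <sys/apparmor.h>
-#endif
-
 static int apply_caps = 0;
 static uint64_t caps = 0;
 static unsigned display = 0;
@@ -513,10 +509,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 // kill the child in case the parent died
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 
-#ifdef HAVE_APPARMOR
-set_apparmor();
-#endif
-
 extract_command(argc, argv, index);
 if (cfg.command_line == NULL)
 cfg.window_title = cfg.usershell;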
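--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -128,7 +128,7 @@ static void set_caps(void) {
 }
 
 #ifdef HAVE_APPARMOR
-void set_apparmor(void) {
+static void set_apparmor(void) {
 EUID_ASSERT();
 if (checkcfg(CFG_APPARMOR) && arg_apparmor) {
 if (aa_change_onexec("firejail-default")) {
@@ -486,6 +486,9 @@ static void close_file_descriptors(void) {
 
 void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 if (no_sandbox == 0) {
+#ifdef HAVE_APPARMOR
+set_apparmor();
+#endif
 close_file_descriptors();
 
 // set nice and rlimits
@@ -1299,10 +1302,7 @@ int sandbox(void* sandbox_arg) {
 errExit("fork");
 
 if (app_pid == 0) {
-#ifdef HAVE_APPARMOR
-set_apparmor();
-#endif
-start_application(0, -1, set_sandbox_status);
+start_application(0, -1, set_sandbox_status); // this function does not return
 }
 
 munmap(set_sandbox_status, 1);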
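Review bot: With `set_apparmor()` now called only inside `start_application()` under `if (no_sandbox == 0)`, a joined process is confined only if `join()` reaches `start_application()` with `no_sandbox == 0`. join.c drops its own `set_apparmor()` call in this commit and its call into `start_application()` is outside the visible hunks, so that argument should be confirmed. `set_apparmor()` also begins with `EUID_ASSERT()`, so every caller presumably has to enter `start_application()` in the effective-uid state that assertion expects. A comment at the new call would record the ordering requirement, for example `// request the AppArmor profile change for the next exec; must precede every exec path below`. The bodies of `set_apparmor()` and `start_application()` continue outside the hunks.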
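--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -47,7 +47,7 @@ int is_lib_64(const char *exe) {
 if (fd < 0)
 return 0;
 
-unsigned char buf[EI_NIDENT];
+unsigned char buf[EI_NIDENT] = {0};
 ssize_t len = 0;
 while (len < EI_NIDENT) {
 ssize_t sz = read(fd, buf + len, EI_NIDENT - len);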
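--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -92,7 +92,16 @@ static const SyscallGroupList sysgroups[] = {
 "io_setup,"
 #endif
 #ifdef SYS_io_submit
-"io_submit"
+"io_submit,"
+#endif
+#ifdef SYS_io_uring_enter
+"io_uring_enter,"
+#endif
+#ifdef SYS_io_uring_register
+"io_uring_register,"
+#endif
+#ifdef SYS_io_uring_setup
+"io_uring_setup"
 #endif
 },
 { .name = "@basic-io", .list =
@@ -102,6 +111,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
 "close,"
 #endif
+#ifdef SYS_close_range
+"close_range,"
+#endif
 #ifdef SYS_dup
 "dup,"
 #endif
@@ -212,6 +224,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_perf_event_open
 "perf_event_open,"
 #endif
+#ifdef SYS_pidfd_getfd
+"pidfd_getfd,"
+#endif
 #ifdef SYS_process_vm_writev
 "process_vm_writev,"
 #endif
@@ -290,7 +305,7 @@ static const SyscallGroupList sysgroups[] = {
 "remap_file_pages,"
 #endif
 #ifdef SYS_set_mempolicy
-"set_mempolicy"
+"set_mempolicy,"
 #endif
 #ifdef SYS_vmsplice
 "vmsplice,"
@@ -350,6 +365,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_close
 "close,"
 #endif
+#ifdef SYS_close_range
+"close_range,"
+#endif
 #ifdef SYS_creat
 "creat,"
 #endif
@@ -503,6 +521,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_openat
 "openat,"
 #endif
+#ifdef SYS_openat2
+"openat2,"
+#endif
 #ifdef SYS_readlink
 "readlink,"
 #endif
@@ -657,6 +678,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_pipe2
 "pipe2,"
 #endif
+#ifdef SYS_process_madvise
+"process_madvise,"
+#endif
 #ifdef SYS_process_vm_readv
 "process_vm_readv,"
 #endif
@@ -731,9 +755,27 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_chroot
 "chroot,"
 #endif
+#ifdef SYS_fsconfig
+"fsconfig,"
+#endif
+#ifdef SYS_fsmount
+"fsmount,"
+#endif
+#ifdef SYS_fsopen
+"fsopen,"
+#endif
+#ifdef SYS_fspick
+"fspick,"
+#endif
 #ifdef SYS_mount
 "mount,"
 #endif
+#ifdef SYS_move_mount
+"move_mount,"
+#endif
+#ifdef SYS_open_tree
+"open_tree,"
+#endif
 #ifdef SYS_pivot_root
 "pivot_root,"
 #endif
@@ -985,6 +1027,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_clone
 "clone,"
 #endif
+#ifdef SYS_clone3
+"clone3,"
+#endif
 #ifdef SYS_execveat
 "execveat,"
 #endif
@@ -997,6 +1042,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_kill
 "kill,"
 #endif
+#ifdef SYS_pidfd_open
+"pidfd_open,"
+#endif
 #ifdef SYS_pidfd_send_signal
 "pidfd_send_signal,"
 #endif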
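Review bot: The new final entry `"io_uring_setup"` (new line 104) again has no trailing comma, the same convention that let `"set_mempolicy"` fuse with `"vmsplice,"` until new line 308 of this commit corrected it. Adjacent string literals concatenate silently, so a fused name drops both syscalls from the group without any build error. The convention also yields a list ending in a comma on a system whose headers define SYS_io_uring_register but not SYS_io_uring_setup. If the code that splits `.list` (not visible here) accepts an empty trailing token, ending every entry with a comma removes both problems; otherwise a comment on each group's last entry, e.g. `// last entry: no comma; add one before appending`, would flag it. The sysgroups initializer begins and ends outside these hunks.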
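--- a/test/Makefile
+++ b/test/Makefile
@@ -3,7 +3,7 @@ TESTS=$(patsubst %/,%,$(wildcard */))
 .PHONY: $(TESTS)
 $(TESTS):
 cd $@ && ./$@.sh 2>&1 | tee $@.log
-cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log
+cd $@ && grep -a TESTING $@.log && ! grep -a -q "TESTING ERROR" $@.log
 
 .PHONY: clean
 clean: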
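Review bot: The pass/fail decision at new line 6 still rests on log text alone, because the exit status of `./$@.sh` on line 5 is replaced by that of `tee` in the pipe. A script that stops after printing one TESTING line, but before any "TESTING ERROR", is therefore reported as passing. That is worth recording next to the rule, e.g. `# result is taken from the log only; the script's exit status is lost in the pipe to tee`. If the recipe shell can be bash, putting `set -o pipefail;` in front of the pipeline would carry the status through instead.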
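--- a/test/environment/dns.exp
+++ b/test/environment/dns.exp
@@ -110,23 +110,23 @@ expect {
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r"
-expect {
-timeout {puts "TESTING ERROR 6.1\n";exit}
-"connect"
-}
-expect {
-timeout {puts "TESTING ERROR 6.2\n";exit}
-"208.67.222.222"
-}
-expect {
-timeout {puts "TESTING ERROR 6.3\n";exit}
-"53"
-}
-after 100
+# test disabled, as Github CI uses systemd-resolved, which does not work
+# properly with --dns=, so curl does not use the specified nameserver
+#send -- "firejail --trace --dns=208.67.222.222 -- curl --silent --output /dev/null debian.org\r"
+#expect {
+# timeout {puts "TESTING ERROR 6.1\n";exit}
+# "connect"
+#}
+#expect {
+# timeout {puts "TESTING ERROR 6.2\n";exit}
+# "208.67.222.222"
+#}
+#expect {
+# timeout {puts "TESTING ERROR 6.3\n";exit}
+# "53"
+#}
+#after 100
 
-send -- "rm index.html\r"
-after 100
 send -- "exit\r"
 sleep 1
 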
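Review bot: With block 6 commented out (new lines 113-128), the traced check that lookups go to the `--dns=` nameserver on port 53 no longer runs, and the log gives no sign that a test was dropped. The less.exp and man.exp scripts in this commit report such cases with a `TESTING SKIP` line; here `puts "TESTING SKIP 6\n"` next to the explanatory comment would keep the omission visible in the CI log. Since the stated cause is the CI resolver rather than the test, gating the block on the environment instead of commenting it out would let it still run locally. The comment also suggests that `--dns=` may not be honoured under systemd-resolved, which looks worth tracking as a sandbox issue and not only as a test problem.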
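--- a/test/sysutils/less.exp
+++ b/test/sysutils/less.exp
@@ -11,6 +11,7 @@ send -- "firejail less sysutils.sh\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+"Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
 "MALLOC_CHECK"
 }
 expect {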
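--- a/test/utils/man.exp
+++ b/test/utils/man.exp
@@ -11,6 +11,7 @@ send -- "man firejail\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit}
+"Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit}
 "Linux namespaces sandbox program"
 }
 after 100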
diff --git a/test/utils/trace.exp b/test/utils/trace.exp index f14001c88..beb59d337 100755 --- a/test/utils/trace.exp +++ b/test/utils/trace.exp | |||
@@ -68,10 +68,6 @@ expect { | |||
68 | "wget:fopen /etc/wgetrc" {puts "OK\n";} | 68 | "wget:fopen /etc/wgetrc" {puts "OK\n";} |
69 | } | 69 | } |
70 | expect { | 70 | expect { |
71 | timeout {puts "TESTING ERROR 8.4\n";exit} | ||
72 | "wget:fopen /etc/hosts" | ||
73 | } | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 8.5\n";exit} | 71 | timeout {puts "TESTING ERROR 8.5\n";exit} |
76 | "wget:connect" | 72 | "wget:connect" |
77 | } | 73 | } |