-rw-r--r-- | Makefile.in | 4 | ||||
-rwxr-xr-x | test/filters/caps.exp | 72 | ||||
-rwxr-xr-x | test/filters/noroot.exp | 156 | ||||
-rwxr-xr-x | test/filters/protocol.exp (renamed from test/protocol.exp) | 12 | ||||
-rw-r--r-- | test/filters/protocol1.profile (renamed from test/protocol1.profile) | 0 | ||||
-rw-r--r-- | test/filters/protocol2.profile (renamed from test/protocol2.profile) | 0 | ||||
-rwxr-xr-x | test/filters/seccomp-bad-empty.exp (renamed from test/seccomp-bad-empty.exp) | 0 | ||||
-rw-r--r-- | test/filters/seccomp-bad-empty.profile (renamed from test/seccomp-bad-empty.profile) | 0 | ||||
-rw-r--r-- | test/filters/seccomp-bad-empty2.profile (renamed from test/seccomp-bad-empty2.profile) | 0 | ||||
-rw-r--r-- | test/filters/seccomp.profile (renamed from test/seccomp.profile) | 0 | ||||
-rwxr-xr-x | test/filters/syscall_test (renamed from src/tools/syscall_test) | bin | 9552 -> 9552 bytes | |||
-rw-r--r-- | test/filters/syscall_test.c (renamed from src/tools/syscall_test.c) | 4 | ||||
-rwxr-xr-x | test/filters/syscall_test32 (renamed from src/tools/syscall_test32) | bin | 6868 -> 6868 bytes | |||
-rwxr-xr-x | test/noroot.exp | 117 | ||||
-rwxr-xr-x | test/seccomp-chmod-profile.exp | 46 | ||||
-rwxr-xr-x | test/seccomp-chmod.exp | 46 | ||||
-rwxr-xr-x | test/seccomp-chown.exp | 46 | ||||
-rwxr-xr-x | test/seccomp-debug.exp | 28 | ||||
-rwxr-xr-x | test/seccomp-dualfilter.exp | 38 | ||||
-rwxr-xr-x | test/seccomp-empty.exp | 145 | ||||
-rw-r--r-- | test/seccomp-empty.profile | 1 | ||||
-rwxr-xr-x | test/seccomp-errno.exp | 87 | ||||
-rwxr-xr-x | test/seccomp-ptrace.exp | 23 | ||||
-rwxr-xr-x | test/seccomp-su.exp | 34 | ||||
-rwxr-xr-x | test/seccomp-umount.exp | 28 |
25 files changed, 240 insertions, 647 deletions
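--- a/Makefile.in
+++ b/Makefile.in
@@ -252,6 +252,7 @@ dist:
 cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/environment test/.; cd ..
 cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/compile test/.; cd ..
 cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/dist-compile test/.; cd ..
+cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/filters test/.; cd ..
 cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd ..
 tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION)
 rm -fr $(NAME)-$(VERSION)
@@ -295,5 +296,8 @@ test-utils:
 test-environment:
 cd test/environment; ./environment.sh | grep TESTING
 
+test-filters:
+cd test/filters; ./filters.sh | grep TESTING
+
 test: test-profiles test-utils test-environment test-apps test-apps-x11
 echo "TEST COMPLETE"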
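Review bot: The new `test-filters` target is not added to the prerequisites of `test`, so `make test` still skips the capability, seccomp, protocol and noroot checks that now live in test/filters; the line would become `test: test-profiles test-utils test-environment test-filters test-apps test-apps-x11`. The recipe's exit status is that of `grep TESTING`, which also succeeds on a `TESTING ERROR` line, so a failing filter test does not fail the build; capturing the output and failing when it contains `TESTING ERROR` would make the target usable as a gate. `filters.sh` is not among the files listed in this commit, so it presumably already exists in test/filters, which is worth confirming.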
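--- /dev/null
+++ b/test/filters/caps.exp
@@ -0,0 +1,72 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"CapBnd: 0000000000000009"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"CapBnd: 0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"fffffff0"
+}
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+puts "\nall done\n"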
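Review bot: In the third case (new lines 55-63) `"CapBnd:"` and `"fffffff0"` are matched by two separate unanchored `expect` calls, so the second can be satisfied by any later text in the `/proc/self/status` output rather than by the CapBnd value itself; a single pattern such as `-re {CapBnd:\s+[0-9a-f]*fffffff0}` ties the mask to its field. The same looseness is in test/filters/noroot.exp, where `"Seccomp:"` is followed by a bare `"2"` or `"0"` and the uid_map/gid_map line counts are bare `"1"` and `"3"`, which match any such digit in the output; `-re {Seccomp:\s+2}` would assert the filter mode directly. Every `timeout` branch calls `exit` with no status, so the script returns 0 on failure and only the printed `TESTING ERROR` text signals it; `exit 1` would let a wrapper detect the failure.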
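--- /dev/null
+++ b/test/filters/noroot.exp
@@ -0,0 +1,156 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"CapBnd: 0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Seccomp:"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"2"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Cpus_allowed:"
+}
+puts "\n"
+
+send -- "ping 0\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Operation not permitted"
+}
+send -- "whoami\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+$env(USER)
+}
+send -- "sudo -s\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"3"
+}
+
+puts "\n"
+send -- "exit\r"
+sleep 2
+
+
+
+send -- "firejail --name=test --noroot --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"ffffffff"
+}
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
+"Seccomp:"
+}
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"0"
+}
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"Cpus_allowed:"
+}
+puts "\n"
+
+send -- "whoami\r"
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+$env(USER)
+}
+send -- "sudo -s\r"
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "ping 0\r"
+expect {
+timeout {puts "TESTING ERROR 17\n";exit}
+"Operation not permitted"
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 18\n";exit}
+"1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 19\n";exit}
+"3"
+}
+
+
+
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+"User namespace detected"
+}
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"Joining user namespace"
+}
+sleep 1
+
+send -- "sudo -s\r"
+expect {
+timeout {puts "TESTING ERROR 22\n";exit}
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 23\n";exit}
+"1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 24\n";exit}
+"3"
+}
+puts "\nall done\n"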
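Review bot: Several failure labels in the first session are reused, so a `TESTING ERROR` line in the output does not identify the failing step: `TESTING ERROR 1` appears at new lines 12 and 19, `TESTING ERROR 8` at lines 48 and 59, and 7 is emitted after the first 8. Renumbering them sequentially, as the second and third sessions already do with 9 to 24, keeps the grep-based report unambiguous. A short header comment stating what the script asserts would also help, for example `# verifies that --noroot keeps the caller's user name, that sudo and ping fail inside the sandbox, and that --join enters the user namespace`.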
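--- a/test/protocol.exp
+++ b/test/filters/protocol.exp
@@ -4,7 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --noprofile --protocol=unix ../src/tools/syscall_test socket\r"
+send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "Child process initialized"
@@ -47,7 +47,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --noprofile --protocol=inet6,packet ../src/tools/syscall_test socket\r"
+send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "Child process initialized"
@@ -91,7 +91,7 @@ expect {
 sleep 1
 
 # profile testing
-send -- "firejail --profile=protocol1.profile ../src/tools/syscall_test socket\r"
+send -- "firejail --profile=protocol1.profile ./syscall_test socket\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
 "Child process initialized"
@@ -134,7 +134,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=protocol2.profile ../src/tools/syscall_test socket\r"
+send -- "firejail --profile=protocol2.profile ./syscall_test socket\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
@@ -177,8 +177,4 @@ expect {
 }
 sleep 1
 
-
-
-
-
 puts "\nall done\n"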
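Review bot: The four rewritten `send` lines now run `./syscall_test`, which is the prebuilt binary moved into test/filters by this commit (the diffstat lists it as `bin` with unchanged size) rather than something built from `syscall_test.c`. A checked-in binary cannot be reviewed against its source and may not match the host architecture, and the `dist` change in Makefile.in copies test/filters, binary included, into the release tree. Building it before the tests run, e.g. `$(CC) -o syscall_test syscall_test.c` in the test recipe, would keep the helper tied to auditable source. The relative path also assumes the script is started from test/filters; the hunks shown do not include a `cd` inside the script.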
diff --git a/test/protocol1.profile b/test/filters/protocol1.profile index 3e1ea2a29..3e1ea2a29 100644 --- a/test/protocol1.profile +++ b/test/filters/protocol1.profile | |||
diff --git a/test/protocol2.profile b/test/filters/protocol2.profile index b7eb4ab91..b7eb4ab91 100644 --- a/test/protocol2.profile +++ b/test/filters/protocol2.profile | |||
diff --git a/test/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp index 631d67743..631d67743 100755 --- a/test/seccomp-bad-empty.exp +++ b/test/filters/seccomp-bad-empty.exp | |||
diff --git a/test/seccomp-bad-empty.profile b/test/filters/seccomp-bad-empty.profile index 2d4fcde7c..2d4fcde7c 100644 --- a/test/seccomp-bad-empty.profile +++ b/test/filters/seccomp-bad-empty.profile | |||
diff --git a/test/seccomp-bad-empty2.profile b/test/filters/seccomp-bad-empty2.profile index c4e6c9f74..c4e6c9f74 100644 --- a/test/seccomp-bad-empty2.profile +++ b/test/filters/seccomp-bad-empty2.profile | |||
diff --git a/test/seccomp.profile b/test/filters/seccomp.profile index cb0b15aee..cb0b15aee 100644 --- a/test/seccomp.profile +++ b/test/filters/seccomp.profile | |||
diff --git a/src/tools/syscall_test b/test/filters/syscall_test index bf29c5b99..bf29c5b99 100755 --- a/src/tools/syscall_test +++ b/test/filters/syscall_test | |||
Binary files differ | |||
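--- a/src/tools/syscall_test.c
+++ b/test/filters/syscall_test.c
@@ -1,3 +1,7 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2016 Firejail Authors
+// License GPL v2
+
 #include <stdlib.h>
 #include <stdio.h>
 #include <unistd.h>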
diff --git a/src/tools/syscall_test32 b/test/filters/syscall_test32 index 8d72f58c4..8d72f58c4 100755 --- a/src/tools/syscall_test32 +++ b/test/filters/syscall_test32 | |||
Binary files differ | |||
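--- a/test/noroot.exp
+++ /dev/null
@@ -1,117 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --debug --noprofile --noroot --caps.drop=all --seccomp --cpu=0,1 --name=noroot-sandbox\r"
-expect {
-timeout {puts "TESTING ERROR 0.1\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"CapBnd:"
-}
-expect {
-timeout {puts "TESTING ERROR 1.1\n";exit}
-"0000000000000000"
-}
-
-send -- "cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"Cpus_allowed:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.1\n";exit}
-"3"
-}
-expect {
-timeout {puts "TESTING ERROR 2.2\n";exit}
-"Cpus_allowed_list:"
-}
-puts "\n"
-
-send -- "cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"Seccomp:"
-}
-expect {
-timeout {puts "TESTING ERROR 2.1\n";exit}
-"2"
-}
-expect {
-timeout {puts "TESTING ERROR 2.2\n";exit}
-"Cpus_allowed:"
-}
-puts "\n"
-
-send -- "ping 0\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Operation not permitted"
-}
-puts "\n"
-
-send -- "whoami\r"
-expect {
-timeout {puts "TESTING ERROR 55\\n";exit}
-"netblue"
-}
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-send -- "firejail --noroot --noprofile\r"
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"Child process initialized"
-}
-sleep 1
-send -- "whoami\r"
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"netblue"
-}
-send -- "sudo -s\r"
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-send -- "firejail --name=test --noroot --noprofile\r"
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --debug --join=test\r"
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"User namespace detected"
-}
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"Joining user namespace"
-}
-sleep 1
-
-send -- "sudo -s\r"
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-puts "all done\n"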
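--- a/test/seccomp-chmod-profile.exp
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --profile=seccomp.profile --private\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-sleep 2
-
-send -- "touch testfile;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"/root" {puts "running as root"}
-"/home"
-}
-
-send -- "ls -l testfile;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"testfile"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"/root" {puts "running as root"}
-"/home"
-}
-
-send -- "chmod +x testfile;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"Bad system call"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"/root" {puts "running as root"}
-"/home"
-}
-
-
-send -- "exit\r"
-sleep 1
-puts "\n"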
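--- a/test/seccomp-chmod.exp
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-sleep 2
-
-send -- "touch testfile;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"/root" {puts "running as root"}
-"/home"
-}
-
-send -- "ls -l testfile;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"testfile"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"/root" {puts "running as root"}
-"/home"
-}
-
-send -- "chmod +x testfile;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"Bad system call"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"/root" {puts "running as root"}
-"/home"
-}
-
-
-send -- "exit\r"
-sleep 1
-puts "\n"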
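--- a/test/seccomp-chown.exp
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-sleep 2
-
-send -- "touch testfile;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"/root" {puts "running as root"}
-"/home"
-}
-
-send -- "ls -l testfile;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"testfile"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"/root" {puts "running as root"}
-"/home"
-}
-
-send -- "chown netblue:netblue testfile;pwd\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"Bad system call"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"/root" {puts "running as root"}
-"/home"
-}
-
-
-send -- "exit\r"
-sleep 1
-puts "\n"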
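--- a/test/seccomp-debug.exp
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --seccomp --debug\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"SECCOMP Filter"
-}
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"BLACKLIST"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"open_by_handle_at"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Child process initialized"
-}
-sleep 2
-
-send -- "exit\r"
-after 100
-puts "all done\n"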
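--- a/test/seccomp-dualfilter.exp
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail ../src/tools/syscall_test mount\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"before mount"
-}
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"after mount" {puts "TESTING ERROR 2.1\n";exit}
-"Parent is shutting down"
-}
-sleep 1
-
-send -- "firejail ../src/tools/syscall_test32 mount\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"Child process initialized"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"before mount"
-}
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"after mount" {puts "TESTING ERROR 5.1\n";exit}
-"Parent is shutting down"
-}
-
-puts "\nall done\n"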
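--- a/test/seccomp-empty.exp
+++ /dev/null
@@ -1,145 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --debug --seccomp=chmod,fchmod,fchmodat --private\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"VALIDATE_ARCHITECTURE"
-}
-expect {
-timeout {puts "TESTING ERROR 0.1\n";exit}
-"mount"
-}
-expect {
-timeout {puts "TESTING ERROR 0.2\n";exit}
-"ptrace"
-}
-expect {
-timeout {puts "TESTING ERROR 0.3\n";exit}
-"chmod"
-}
-expect {
-timeout {puts "TESTING ERROR 0.4\n";exit}
-"fchmod"
-}
-expect {
-timeout {puts "TESTING ERROR 0.5\n";exit}
-"fchmodat"
-}
-expect {
-timeout {puts "TESTING ERROR 0.6\n";exit}
-"RETURN_ALLOW"
-}
-expect {
-timeout {puts "TESTING ERROR 0.7\n";exit}
-"Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 3
-puts "\n"
-
-send -- "firejail --debug --seccomp.drop=chmod,fchmod,fchmodat --private\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"VALIDATE_ARCHITECTURE"
-}
-expect {
-timeout {puts "TESTING ERROR 1.1\n";exit}
-"mount" {puts "TESTING ERROR 1.2\n";exit}
-"ptrace" {puts "TESTING ERROR 1.3\n";exit}
-"chmod"
-}
-expect {
-timeout {puts "TESTING ERROR 1.4\n";exit}
-"fchmod"
-}
-expect {
-timeout {puts "TESTING ERROR 1.5\n";exit}
-"fchmodat"
-}
-expect {
-timeout {puts "TESTING ERROR 1.6\n";exit}
-"RETURN_ALLOW"
-}
-expect {
-timeout {puts "TESTING ERROR 1.7\n";exit}
-"Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-puts "\n"
-
-sleep 2
-send -- "firejail --debug --profile=seccomp.profile --private\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"VALIDATE_ARCHITECTURE"
-}
-expect {
-timeout {puts "TESTING ERROR 2.1\n";exit}
-"mount"
-}
-expect {
-timeout {puts "TESTING ERROR 2.2\n";exit}
-"ptrace"
-}
-expect {
-timeout {puts "TESTING ERROR 2.3\n";exit}
-"chmod"
-}
-expect {
-timeout {puts "TESTING ERROR 2.4\n";exit}
-"fchmod"
-}
-expect {
-timeout {puts "TESTING ERROR 2.5\n";exit}
-"fchmodat"
-}
-expect {
-timeout {puts "TESTING ERROR 2.6\n";exit}
-"RETURN_ALLOW"
-}
-expect {
-timeout {puts "TESTING ERROR 2.7\n";exit}
-"Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-sleep 3
-puts "\n"
-
-send -- "firejail --debug --profile=seccomp-empty.profile --private\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"VALIDATE_ARCHITECTURE"
-}
-expect {
-timeout {puts "TESTING ERROR 3.1\n";exit}
-"mount" {puts "TESTING ERROR 3.2\n";exit}
-"ptrace" {puts "TESTING ERROR 3.3\n";exit}
-"chmod"
-}
-expect {
-timeout {puts "TESTING ERROR 3.4\n";exit}
-"fchmod"
-}
-expect {
-timeout {puts "TESTING ERROR 3.5\n";exit}
-"fchmodat"
-}
-expect {
-timeout {puts "TESTING ERROR 3.6\n";exit}
-"RETURN_ALLOW"
-}
-expect {
-timeout {puts "TESTING ERROR 3.7\n";exit}
-"Child process initialized"
-}
-sleep 2
-send -- "exit\r"
-puts "\n"
-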
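--- a/test/seccomp-empty.profile
+++ /dev/null
@@ -1 +0,0 @@
-seccomp.drop chmod,fchmod,fchmodat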
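--- a/test/seccomp-errno.exp
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "touch seccomp-test-file\r"
-sleep 1
-
-send -- "firejail --seccomp.enoent=unlinkat rm seccomp-test-file\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"No such file or directory"
-}
-sleep 1
-
-send -- "firejail --seccomp.enoent=unlinkat --debug rm seccomp-test-file\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"unlinkat 2 ENOENT"
-}
-sleep 1
-
-send -- "firejail --seccomp.enoent=unlinkat,mkdir\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"Child process initialized"
-}
-sleep 1
-send -- "rm seccomp-test-file\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"No such file or directory"
-}
-after 100
-puts "\n"
-
-send -- "mkdir seccomp-test-dir\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"No such file or directory"
-}
-after 100
-puts "\n"
-
-send -- "exit\r"
-sleep 1
-
-
-send -- "firejail --seccomp.enoent=unlinkat --seccomp.enoent=mkdir\r"
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"errno enoent already configured"
-}
-sleep 1
-
-send -- "firejail --seccomp.enoent=unlinkat --seccomp.eperm=mkdir\r"
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"Child process initialized"
-}
-sleep 1
-send -- "rm seccomp-test-file\r"
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"No such file or directory"
-}
-after 100
-puts "\n"
-
-send -- "mkdir seccomp-test-dir\r"
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"Operation not permitted"
-}
-after 100
-puts "\n"
-
-send -- "exit\r"
-sleep 1
-
-
-
-
-send -- "rm seccomp-test-file\r"
-sleep 1
-puts "all done\n"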
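--- a/test/seccomp-ptrace.exp
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --noprofile --seccomp\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-sleep 2
-
-send -- "strace ls\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"Bad system call" {puts "version 1\n";}
-" unexpected signal 31" {puts "version 2\n"}
-}
-
-send -- "exit\r"
-sleep 1
-puts "all done\n"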
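--- a/test/seccomp-su.exp
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --noprofile --seccomp\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-sleep 2
-
-send -- "sudo su -\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"effective uid is not 0"
-}
-
-send -- "sudo ls\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"effective uid is not 0"
-}
-
-send -- "ping google.com\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"Operation not permitted"
-}
-
-send -- "exit\r"
-sleep 1
-puts "all done\n"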
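--- a/test/seccomp-umount.exp
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
-timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
-"root"
-}
-
-send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
-}
-sleep 2
-
-send -- "umount /proc\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"Bad system call"
-}
-
-send -- "exit\r"
-sleep 1
-puts "\n"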