-rw-r--r-- | Makefile.in | 32 | ||||
-rw-r--r-- | src/firejail/appimage.c | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 101 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 6 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 32 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 6 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 23 | ||||
-rw-r--r-- | src/firejail/join.c | 14 | ||||
-rw-r--r-- | src/firejail/util.c | 36 | ||||
-rwxr-xr-x | test/appimage/appimage-v1.exp | 6 | ||||
-rwxr-xr-x | test/appimage/appimage-v2.exp | 4 | ||||
-rwxr-xr-x | test/apps-x11/apps-x11.sh | 36 | ||||
-rwxr-xr-x | test/apps-x11/x11-none.exp | 48 | ||||
-rwxr-xr-x | test/apps-x11/x11-xephyr.exp | 59 | ||||
-rwxr-xr-x | test/apps-x11/xterm-xephyr.exp | 86 | ||||
-rwxr-xr-x | test/apps-x11/xterm-xorg.exp (renamed from test/apps-x11/xterm.exp) | 2 | ||||
-rwxr-xr-x | test/apps-x11/xterm-xpra.exp | 86 | ||||
-rwxr-xr-x | test/fs/read-write.exp | 4 | ||||
-rwxr-xr-x | test/network/firemon-arp.exp | 12 | ||||
-rw-r--r-- | test/root/firejail.config | 20 | ||||
-rwxr-xr-x | test/root/root.sh | 6 | ||||
-rwxr-xr-x | test/root/seccomp-umount.exp | 2 | ||||
-rwxr-xr-x | test/utils/join.exp | 2 | ||||
-rwxr-xr-x | test/utils/ls.exp | 42 | ||||
-rwxr-xr-x | test/utils/utils.sh | 4 | ||||
-rw-r--r-- | todo | 1 |
27 files changed, 493 insertions, 186 deletions
diff --git a/Makefile.in b/Makefile.in index 83d44fb1c..8649475dd 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -146,7 +146,7 @@ uninstall: | |||
146 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg | 146 | rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg |
147 | 147 | ||
148 | DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" | 148 | DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" |
149 | DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/appimage test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" | 149 | DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" |
150 | 150 | ||
151 | dist: | 151 | dist: |
152 | mv config.status config.status.old | 152 | mv config.status config.status.old |
@@ -232,26 +232,34 @@ test-arguments: | |||
232 | test-fs: | 232 | test-fs: |
233 | cd test/fs; ./fs.sh | grep TESTING | 233 | cd test/fs; ./fs.sh | grep TESTING |
234 | 234 | ||
235 | test-appimage: | 235 | test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments |
236 | cd test/appimage; ./appimage.sh | grep TESTING | ||
237 | |||
238 | test: test-profiles test-fs test-utils test-environment test-appimage test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments | ||
239 | echo "TEST COMPLETE" | 236 | echo "TEST COMPLETE" |
240 | 237 | ||
241 | # | 238 | ########################################## |
242 | # individual tests, some of them requiring root access | 239 | # Individual tests, some of them require root access |
243 | # | 240 | # The tests are very intrussive, by the time you are done |
241 | # with them you will need to restart your computer. | ||
242 | ########################################## | ||
244 | 243 | ||
245 | # root access, network devices are created before the test | 244 | # Huge appimage files, not included in "make dist" archive |
245 | test-appimage: | ||
246 | cd test/appimage; ./appimage.sh | grep TESTING | ||
247 | |||
248 | # Root access, network devices are created before the test | ||
249 | # restart your computer to get rid of these devices | ||
246 | test-network: | 250 | test-network: |
247 | cd test/network; ./network.sh | grep TESTING | 251 | cd test/network; ./network.sh | grep TESTING |
248 | 252 | ||
249 | # all the tests are run as root | 253 | # Tesets running a root user |
250 | test-root: | 254 | test-root: |
251 | cd test/root; su -c ./root.sh | grep TESTING | 255 | cd test/root; su -c ./root.sh | grep TESTING |
252 | 256 | ||
253 | # runs as regular user | 257 | # OverlayFS is not available on all platforms |
254 | test-overlay: | 258 | test-overlay: |
255 | cd test/overlay; ./overlay.sh | grep TESTING | 259 | cd test/overlay; ./overlay.sh | grep TESTING |
256 | 260 | ||
257 | # mount -o remount,rw,hidepid=2 /proc | 261 | # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" |
262 | |||
263 | test-all: test-root test-network test-appimage test-overlay test | ||
264 | echo "TEST COMPLETE" | ||
265 | \ No newline at end of file | ||
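Review bot: `test-all` depends on `test-appimage`, but this change also drops `test/appimage` from `DISTFILES_TEST`, so in a tree unpacked from the `make dist` archive the `cd test/appimage` step has no directory to enter and `test-all` cannot complete. Guarding the recipe, e.g. `if [ -d test/appimage ]; then cd test/appimage; ./appimage.sh | grep TESTING; fi`, or leaving `test-appimage` out of `test-all` would keep the target usable from a release tarball. The new comments also carry two typos worth fixing: `intrussive` should be `intrusive`, and `Tesets running a root user` should read `Tests running as root user`.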
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 96c054048..a658173eb 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -94,14 +94,8 @@ void appimage_set(const char *appimage_path) { | |||
94 | if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) | 94 | if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) |
95 | errExit("asprintf"); | 95 | errExit("asprintf"); |
96 | EUID_ROOT(); | 96 | EUID_ROOT(); |
97 | if (mkdir(mntdir, 0700) == -1) { | 97 | mkdir_attr(mntdir, 0700, getuid(), getgid()); |
98 | fprintf(stderr, "Error: cannot create appimage mount point\n"); | ||
99 | exit(1); | ||
100 | } | ||
101 | if (set_perms(mntdir, getuid(), getgid(), 0700)) | ||
102 | errExit("set_perms"); | ||
103 | EUID_USER(); | 98 | EUID_USER(); |
104 | ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); | ||
105 | 99 | ||
106 | // mount | 100 | // mount |
107 | char *mode; | 101 | char *mode; |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 282271a64..d7ba539e6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -461,6 +461,7 @@ void flush_stdin(void); | |||
461 | void create_empty_dir_as_root(const char *dir, mode_t mode); | 461 | void create_empty_dir_as_root(const char *dir, mode_t mode); |
462 | void create_empty_file_as_root(const char *dir, mode_t mode); | 462 | void create_empty_file_as_root(const char *dir, mode_t mode); |
463 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); | 463 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); |
464 | void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid); | ||
464 | 465 | ||
465 | // fs_var.c | 466 | // fs_var.c |
466 | void fs_var_log(void); // mounting /var/log | 467 | void fs_var_log(void); // mounting /var/log |
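Review bot: The new prototype takes `(fname, mode, uid, gid)` while `set_perms` on the line above takes `(fname, uid, gid, mode)`; all three are integer types, so a call written in the other order compiles without a diagnostic and silently applies the wrong owner or mode. Matching the existing order, `void mkdir_attr(const char *fname, uid_t uid, gid_t gid, mode_t mode);`, would remove that trap. The declaration would also benefit from a one-line comment such as `// create directory, then set mode and owner; does not return on failure`, since the definition in util.c calls errExit rather than returning a status.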
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3a2fd8c38..7ff7e3c59 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -247,21 +247,13 @@ void fs_blacklist(void) { | |||
247 | 247 | ||
248 | // process bind command | 248 | // process bind command |
249 | if (strncmp(entry->data, "bind ", 5) == 0) { | 249 | if (strncmp(entry->data, "bind ", 5) == 0) { |
250 | struct stat s; | ||
250 | char *dname1 = entry->data + 5; | 251 | char *dname1 = entry->data + 5; |
251 | char *dname2 = split_comma(dname1); | 252 | char *dname2 = split_comma(dname1); |
252 | if (dname2 == NULL) { | 253 | if (dname2 == NULL || |
253 | fprintf(stderr, "Error: second directory missing in bind command\n"); | 254 | stat(dname1, &s) == -1 || |
254 | entry = entry->next; | 255 | stat(dname2, &s) == -1) { |
255 | continue; | 256 | fprintf(stderr, "Error: invalid bind command, directory missing\n"); |
256 | } | ||
257 | struct stat s; | ||
258 | if (stat(dname1, &s) == -1) { | ||
259 | fprintf(stderr, "Error: cannot find %s for bind command\n", dname1); | ||
260 | entry = entry->next; | ||
261 | continue; | ||
262 | } | ||
263 | if (stat(dname2, &s) == -1) { | ||
264 | fprintf(stderr, "Error: cannot find %s for bind command\n", dname2); | ||
265 | entry = entry->next; | 257 | entry = entry->next; |
266 | continue; | 258 | continue; |
267 | } | 259 | } |
@@ -410,10 +402,9 @@ void fs_rdonly(const char *dir) { | |||
410 | int rv = stat(dir, &s); | 402 | int rv = stat(dir, &s); |
411 | if (rv == 0) { | 403 | if (rv == 0) { |
412 | // mount --bind /bin /bin | 404 | // mount --bind /bin /bin |
413 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
414 | errExit("mount read-only"); | ||
415 | // mount --bind -o remount,ro /bin | 405 | // mount --bind -o remount,ro /bin |
416 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) | 406 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || |
407 | mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) | ||
417 | errExit("mount read-only"); | 408 | errExit("mount read-only"); |
418 | fs_logger2("read-only", dir); | 409 | fs_logger2("read-only", dir); |
419 | } | 410 | } |
@@ -428,15 +419,15 @@ static void fs_rdwr(const char *dir) { | |||
428 | // if the file is outside /home directory, allow only root user | 419 | // if the file is outside /home directory, allow only root user |
429 | uid_t u = getuid(); | 420 | uid_t u = getuid(); |
430 | if (u != 0 && s.st_uid != u) { | 421 | if (u != 0 && s.st_uid != u) { |
431 | fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); | 422 | if (!arg_quiet) |
423 | fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); | ||
432 | return; | 424 | return; |
433 | } | 425 | } |
434 | 426 | ||
435 | // mount --bind /bin /bin | 427 | // mount --bind /bin /bin |
436 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
437 | errExit("mount read-write"); | ||
438 | // mount --bind -o remount,rw /bin | 428 | // mount --bind -o remount,rw /bin |
439 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | 429 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || |
430 | mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | ||
440 | errExit("mount read-write"); | 431 | errExit("mount read-write"); |
441 | fs_logger2("read-write", dir); | 432 | fs_logger2("read-write", dir); |
442 | } | 433 | } |
@@ -449,37 +440,16 @@ void fs_noexec(const char *dir) { | |||
449 | int rv = stat(dir, &s); | 440 | int rv = stat(dir, &s); |
450 | if (rv == 0) { | 441 | if (rv == 0) { |
451 | // mount --bind /bin /bin | 442 | // mount --bind /bin /bin |
452 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
453 | errExit("mount noexec"); | ||
454 | // mount --bind -o remount,ro /bin | 443 | // mount --bind -o remount,ro /bin |
455 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) | 444 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || |
456 | errExit("mount read-only"); | 445 | mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) |
446 | errExit("mount noexec"); | ||
457 | fs_logger2("noexec", dir); | 447 | fs_logger2("noexec", dir); |
458 | } | 448 | } |
459 | } | 449 | } |
460 | 450 | ||
461 | 451 | ||
462 | 452 | ||
463 | void fs_rdonly_noexit(const char *dir) { | ||
464 | assert(dir); | ||
465 | // check directory exists | ||
466 | struct stat s; | ||
467 | int rv = stat(dir, &s); | ||
468 | if (rv == 0) { | ||
469 | int merr = 0; | ||
470 | // mount --bind /bin /bin | ||
471 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
472 | merr = 1; | ||
473 | // mount --bind -o remount,ro /bin | ||
474 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) | ||
475 | merr = 1; | ||
476 | if (merr) | ||
477 | fprintf(stderr, "Warning: cannot mount %s read-only\n", dir); | ||
478 | else | ||
479 | fs_logger2("read-only", dir); | ||
480 | } | ||
481 | } | ||
482 | |||
483 | // mount /proc and /sys directories | 453 | // mount /proc and /sys directories |
484 | void fs_proc_sys_dev_boot(void) { | 454 | void fs_proc_sys_dev_boot(void) { |
485 | if (arg_debug) | 455 | if (arg_debug) |
@@ -489,10 +459,8 @@ void fs_proc_sys_dev_boot(void) { | |||
489 | fs_logger("remount /proc"); | 459 | fs_logger("remount /proc"); |
490 | 460 | ||
491 | // remount /proc/sys readonly | 461 | // remount /proc/sys readonly |
492 | if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0) | 462 | if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 || |
493 | errExit("mounting /proc/sys"); | 463 | mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0) |
494 | |||
495 | if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0) | ||
496 | errExit("mounting /proc/sys"); | 464 | errExit("mounting /proc/sys"); |
497 | fs_logger("read-only /proc/sys"); | 465 | fs_logger("read-only /proc/sys"); |
498 | 466 | ||
@@ -646,12 +614,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | |||
646 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) | 614 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) |
647 | errExit("asprintf"); | 615 | errExit("asprintf"); |
648 | if (stat(dirname, &s) == -1) { | 616 | if (stat(dirname, &s) == -1) { |
649 | /* coverity[toctou] */ | 617 | mkdir_attr(dirname, 0700, 0, 0); |
650 | if (mkdir(dirname, 0700)) | ||
651 | errExit("mkdir"); | ||
652 | if (chmod(dirname, 0700) == -1) | ||
653 | errExit("chmod"); | ||
654 | ASSERT_PERMS(dirname, getuid(), getgid(), 0700); | ||
655 | } | 618 | } |
656 | else if (is_link(dirname)) { | 619 | else if (is_link(dirname)) { |
657 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); | 620 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); |
@@ -733,11 +696,7 @@ void fs_overlayfs(void) { | |||
733 | char *oroot; | 696 | char *oroot; |
734 | if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1) | 697 | if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1) |
735 | errExit("asprintf"); | 698 | errExit("asprintf"); |
736 | if (mkdir(oroot, 0755)) | 699 | mkdir_attr(oroot, 0755, 0, 0); |
737 | errExit("mkdir"); | ||
738 | if (chmod(oroot, 0755) == -1) | ||
739 | errExit("chmod"); | ||
740 | ASSERT_PERMS(oroot, 0, 0, 0755); | ||
741 | 700 | ||
742 | struct stat s; | 701 | struct stat s; |
743 | char *basedir = RUN_MNT_DIR; | 702 | char *basedir = RUN_MNT_DIR; |
@@ -766,11 +725,9 @@ void fs_overlayfs(void) { | |||
766 | 725 | ||
767 | // no need to check arg_overlay_reuse | 726 | // no need to check arg_overlay_reuse |
768 | if (stat(odiff, &s) != 0) { | 727 | if (stat(odiff, &s) != 0) { |
769 | if (mkdir(odiff, 0755)) | 728 | mkdir_attr(odiff, 0755, 0, 0); |
770 | errExit("mkdir"); | ||
771 | } | 729 | } |
772 | 730 | else if (set_perms(odiff, 0, 0, 0755)) | |
773 | if (set_perms(odiff, 0, 0, 0755)) | ||
774 | errExit("set_perms"); | 731 | errExit("set_perms"); |
775 | 732 | ||
776 | char *owork; | 733 | char *owork; |
@@ -779,11 +736,9 @@ void fs_overlayfs(void) { | |||
779 | 736 | ||
780 | // no need to check arg_overlay_reuse | 737 | // no need to check arg_overlay_reuse |
781 | if (stat(owork, &s) != 0) { | 738 | if (stat(owork, &s) != 0) { |
782 | if (mkdir(owork, 0755)) | 739 | mkdir_attr(owork, 0755, 0, 0); |
783 | errExit("mkdir"); | ||
784 | } | 740 | } |
785 | 741 | else if (set_perms(owork, 0, 0, 0755)) | |
786 | if (set_perms(owork, 0, 0, 0755)) | ||
787 | errExit("chown"); | 742 | errExit("chown"); |
788 | 743 | ||
789 | // mount overlayfs | 744 | // mount overlayfs |
@@ -839,11 +794,9 @@ void fs_overlayfs(void) { | |||
839 | 794 | ||
840 | // no need to check arg_overlay_reuse | 795 | // no need to check arg_overlay_reuse |
841 | if (stat(hdiff, &s) != 0) { | 796 | if (stat(hdiff, &s) != 0) { |
842 | if (mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO)) | 797 | mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0); |
843 | errExit("mkdir"); | ||
844 | } | 798 | } |
845 | 799 | else if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) | |
846 | if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) | ||
847 | errExit("set_perms"); | 800 | errExit("set_perms"); |
848 | 801 | ||
849 | if(asprintf(&hwork, "%s/hwork", basedir) == -1) | 802 | if(asprintf(&hwork, "%s/hwork", basedir) == -1) |
@@ -851,11 +804,9 @@ void fs_overlayfs(void) { | |||
851 | 804 | ||
852 | // no need to check arg_overlay_reuse | 805 | // no need to check arg_overlay_reuse |
853 | if (stat(hwork, &s) != 0) { | 806 | if (stat(hwork, &s) != 0) { |
854 | if (mkdir(hwork, S_IRWXU | S_IRWXG | S_IRWXO)) | 807 | mkdir_attr(hwork, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0); |
855 | errExit("mkdir"); | ||
856 | } | 808 | } |
857 | 809 | else if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) | |
858 | if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) | ||
859 | errExit("set_perms"); | 810 | errExit("set_perms"); |
860 | 811 | ||
861 | // no homedir in overlay so now mount another overlay for /home | 812 | // no homedir in overlay so now mount another overlay for /home |
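Review bot: In fs_overlayfs the `hdiff` and `hwork` directories now end up with different modes depending on whether they already existed: a newly created one goes through `mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0)`, whose explicit chmod leaves it 0777, while an existing one is reset to 0755 by the `else if (set_perms(...))`. The replaced lines ran `set_perms` unconditionally after `mkdir`, so the result was always 0755; a root-owned, world-writable overlay directory looks like an unintended widening. Passing the final mode at creation, `mkdir_attr(hdiff, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH, 0, 0);` and the same for `hwork`, restores the earlier behaviour. Separately, fs_check_overlay_dir now passes owner 0/0 for `~/.firejail` where the removed assertion checked `getuid()`/`getgid()`, which is worth confirming as intended. Both function bodies extend beyond the hunks shown.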
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index c906e32c0..6cc1bf3ab 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -212,11 +212,7 @@ void fs_private_bin_list(void) { | |||
212 | assert(private_list); | 212 | assert(private_list); |
213 | 213 | ||
214 | // create /run/firejail/mnt/bin directory | 214 | // create /run/firejail/mnt/bin directory |
215 | if (mkdir(RUN_BIN_DIR, 0755) == -1) | 215 | mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); |
216 | errExit("mkdir"); | ||
217 | if (chmod(RUN_BIN_DIR, 0755) == -1) | ||
218 | errExit("chmod"); | ||
219 | ASSERT_PERMS(RUN_BIN_DIR, 0, 0, 0755); | ||
220 | 216 | ||
221 | // copy the list of files in the new etc directory | 217 | // copy the list of files in the new etc directory |
222 | // using a new child process without root privileges | 218 | // using a new child process without root privileges |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index ef5d67b55..d710e98f2 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -65,11 +65,7 @@ static void deventry_mount(void) { | |||
65 | if (arg_debug) | 65 | if (arg_debug) |
66 | printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); | 66 | printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); |
67 | if (dir) { | 67 | if (dir) { |
68 | if (mkdir(dev[i].dev_fname, 0755) == -1) | 68 | mkdir_attr(dev[i].dev_fname, 0755, 0, 0); |
69 | errExit("mkdir"); | ||
70 | if (chmod(dev[i].dev_fname, 0755) == -1) | ||
71 | errExit("chmod"); | ||
72 | ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755); | ||
73 | } | 69 | } |
74 | else { | 70 | else { |
75 | struct stat s; | 71 | struct stat s; |
@@ -130,11 +126,7 @@ void fs_private_dev(void){ | |||
130 | 126 | ||
131 | // create DRI_DIR | 127 | // create DRI_DIR |
132 | // keep a copy of dev directory | 128 | // keep a copy of dev directory |
133 | if (mkdir(RUN_DEV_DIR, 0755) == -1) | 129 | mkdir_attr(RUN_DEV_DIR, 0755, 0, 0); |
134 | errExit("mkdir"); | ||
135 | if (chmod(RUN_DEV_DIR, 0755) == -1) | ||
136 | errExit("chmod"); | ||
137 | ASSERT_PERMS(RUN_DEV_DIR, 0, 0, 0755); | ||
138 | if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 130 | if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
139 | errExit("mounting /dev/dri"); | 131 | errExit("mounting /dev/dri"); |
140 | 132 | ||
@@ -179,12 +171,7 @@ void fs_private_dev(void){ | |||
179 | // create /dev/shm | 171 | // create /dev/shm |
180 | if (arg_debug) | 172 | if (arg_debug) |
181 | printf("Create /dev/shm directory\n"); | 173 | printf("Create /dev/shm directory\n"); |
182 | if (mkdir("/dev/shm", 01777) == -1) | 174 | mkdir_attr("/dev/shm", 01777, 0, 0); |
183 | errExit("mkdir"); | ||
184 | // mkdir sets only the file permission bits | ||
185 | if (chmod("/dev/shm", 01777) < 0) | ||
186 | errExit("chmod"); | ||
187 | ASSERT_PERMS("/dev/shm", 0, 0, 01777); | ||
188 | fs_logger("mkdir /dev/shm"); | 175 | fs_logger("mkdir /dev/shm"); |
189 | 176 | ||
190 | // create devices | 177 | // create devices |
@@ -206,11 +193,7 @@ void fs_private_dev(void){ | |||
206 | #endif | 193 | #endif |
207 | 194 | ||
208 | // pseudo-terminal | 195 | // pseudo-terminal |
209 | if (mkdir("/dev/pts", 0755) == -1) | 196 | mkdir_attr("/dev/pts", 0755, 0, 0); |
210 | errExit("mkdir"); | ||
211 | if (chmod("/dev/pts", 0755) == -1) | ||
212 | errExit("chmod"); | ||
213 | ASSERT_PERMS("/dev/pts", 0, 0, 0755); | ||
214 | fs_logger("mkdir /dev/pts"); | 197 | fs_logger("mkdir /dev/pts"); |
215 | create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); | 198 | create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); |
216 | fs_logger("mknod /dev/pts/ptmx"); | 199 | fs_logger("mknod /dev/pts/ptmx"); |
@@ -260,12 +243,7 @@ void fs_dev_shm(void) { | |||
260 | if (lnk) { | 243 | if (lnk) { |
261 | if (!is_dir(lnk)) { | 244 | if (!is_dir(lnk)) { |
262 | // create directory | 245 | // create directory |
263 | if (mkdir(lnk, 01777)) | 246 | mkdir_attr(lnk, 01777, 0, 0); |
264 | errExit("mkdir"); | ||
265 | // mkdir sets only the file permission bits | ||
266 | if (chmod(lnk, 01777)) | ||
267 | errExit("chmod"); | ||
268 | ASSERT_PERMS(lnk, 0, 0, 01777); | ||
269 | } | 247 | } |
270 | if (arg_debug) | 248 | if (arg_debug) |
271 | printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); | 249 | printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index ebcde29a3..7e18840fd 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -132,11 +132,7 @@ void fs_private_etc_list(void) { | |||
132 | } | 132 | } |
133 | 133 | ||
134 | // create /run/firejail/mnt/etc directory | 134 | // create /run/firejail/mnt/etc directory |
135 | if (mkdir(RUN_ETC_DIR, 0755) == -1) | 135 | mkdir_attr(RUN_ETC_DIR, 0755, 0, 0); |
136 | errExit("mkdir"); | ||
137 | if (chmod(RUN_ETC_DIR, 0755) == -1) | ||
138 | errExit("chmod"); | ||
139 | ASSERT_PERMS(RUN_ETC_DIR, 0, 0, 0755); | ||
140 | fs_logger("tmpfs /etc"); | 136 | fs_logger("tmpfs /etc"); |
141 | 137 | ||
142 | fs_logger_print(); // save the current log | 138 | fs_logger_print(); // save the current log |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 4ff00f3ba..ca50685ad 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -98,10 +98,7 @@ static void build_dirs(void) { | |||
98 | // create directories under /var/log | 98 | // create directories under /var/log |
99 | DirData *ptr = dirlist; | 99 | DirData *ptr = dirlist; |
100 | while (ptr) { | 100 | while (ptr) { |
101 | if (mkdir(ptr->name, ptr->st_mode)) | 101 | mkdir_attr(ptr->name, ptr->st_mode, ptr->st_uid, ptr->st_gid); |
102 | errExit("mkdir"); | ||
103 | if (chown(ptr->name, ptr->st_uid, ptr->st_gid)) | ||
104 | errExit("chown"); | ||
105 | fs_logger2("mkdir", ptr->name); | 102 | fs_logger2("mkdir", ptr->name); |
106 | ptr = ptr->next; | 103 | ptr = ptr->next; |
107 | } | 104 | } |
@@ -223,18 +220,10 @@ void fs_var_cache(void) { | |||
223 | gid = p->pw_gid; | 220 | gid = p->pw_gid; |
224 | } | 221 | } |
225 | 222 | ||
226 | int rv = mkdir("/var/cache/lighttpd/compress", 0755); | 223 | mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid); |
227 | if (rv == -1) | ||
228 | errExit("mkdir"); | ||
229 | if (chown("/var/cache/lighttpd/compress", uid, gid) < 0) | ||
230 | errExit("chown"); | ||
231 | fs_logger("mkdir /var/cache/lighttpd/compress"); | 224 | fs_logger("mkdir /var/cache/lighttpd/compress"); |
232 | 225 | ||
233 | rv = mkdir("/var/cache/lighttpd/uploads", 0755); | 226 | mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid); |
234 | if (rv == -1) | ||
235 | errExit("mkdir"); | ||
236 | if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0) | ||
237 | errExit("chown"); | ||
238 | fs_logger("/var/cache/lighttpd/uploads"); | 227 | fs_logger("/var/cache/lighttpd/uploads"); |
239 | } | 228 | } |
240 | } | 229 | } |
@@ -268,11 +257,7 @@ void fs_var_lock(void) { | |||
268 | if (lnk) { | 257 | if (lnk) { |
269 | if (!is_dir(lnk)) { | 258 | if (!is_dir(lnk)) { |
270 | // create directory | 259 | // create directory |
271 | if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO)) | 260 | mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0); |
272 | errExit("mkdir"); | ||
273 | if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO)) | ||
274 | errExit("chmod"); | ||
275 | ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO); | ||
276 | } | 261 | } |
277 | if (arg_debug) | 262 | if (arg_debug) |
278 | printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); | 263 | printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 899166447..628002d35 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -229,15 +229,11 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
229 | exit(1); | 229 | exit(1); |
230 | } | 230 | } |
231 | else { | 231 | else { |
232 | if (join_namespace(pid, "ipc")) | 232 | if (join_namespace(pid, "ipc") || |
233 | exit(1); | 233 | join_namespace(pid, "net") || |
234 | if (join_namespace(pid, "net")) | 234 | join_namespace(pid, "pid") || |
235 | exit(1); | 235 | join_namespace(pid, "uts") || |
236 | if (join_namespace(pid, "pid")) | 236 | join_namespace(pid, "mnt")) |
237 | exit(1); | ||
238 | if (join_namespace(pid, "uts")) | ||
239 | exit(1); | ||
240 | if (join_namespace(pid, "mnt")) | ||
241 | exit(1); | 237 | exit(1); |
242 | } | 238 | } |
243 | 239 | ||
diff --git a/src/firejail/util.c b/src/firejail/util.c index 3424d8ab6..d928c6b42 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -731,4 +731,40 @@ int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) { | |||
731 | return 0; | 731 | return 0; |
732 | } | 732 | } |
733 | 733 | ||
734 | void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { | ||
735 | assert(fname); | ||
736 | mode &= 07777; | ||
737 | #if 0 | ||
738 | printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode); | ||
739 | if (S_ISLNK(mode)) | ||
740 | printf("l"); | ||
741 | else if (S_ISDIR(mode)) | ||
742 | printf("d"); | ||
743 | else if (S_ISCHR(mode)) | ||
744 | printf("c"); | ||
745 | else if (S_ISBLK(mode)) | ||
746 | printf("b"); | ||
747 | else if (S_ISSOCK(mode)) | ||
748 | printf("s"); | ||
749 | else | ||
750 | printf("-"); | ||
751 | printf( (mode & S_IRUSR) ? "r" : "-"); | ||
752 | printf( (mode & S_IWUSR) ? "w" : "-"); | ||
753 | printf( (mode & S_IXUSR) ? "x" : "-"); | ||
754 | printf( (mode & S_IRGRP) ? "r" : "-"); | ||
755 | printf( (mode & S_IWGRP) ? "w" : "-"); | ||
756 | printf( (mode & S_IXGRP) ? "x" : "-"); | ||
757 | printf( (mode & S_IROTH) ? "r" : "-"); | ||
758 | printf( (mode & S_IWOTH) ? "w" : "-"); | ||
759 | printf( (mode & S_IXOTH) ? "x" : "-"); | ||
760 | printf("\n"); | ||
761 | #endif | ||
762 | if (mkdir(fname, mode) == -1 || | ||
763 | chmod(fname, mode) == -1 || | ||
764 | chown(fname, uid, gid)) { | ||
765 | fprintf(stderr, "Error: failed to create %s directory\n", fname); | ||
766 | errExit("mkdir/chmod"); | ||
767 | } | ||
734 | 768 | ||
769 | ASSERT_PERMS(fname, uid, gid, mode); | ||
770 | } | ||
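Review bot: mkdir_attr applies mode and ownership by path (`chmod(fname, …)`, `chown(fname, …)`) after `mkdir`, and both calls follow symbolic links; some callers in this commit use it on paths under a user-controlled parent (for example `~/.firejail` in fs_check_overlay_dir, where a `coverity[toctou]` annotation marking a related check-then-use concern is removed). Opening the new directory with `O_DIRECTORY | O_NOFOLLOW` and using `fchown`/`fchmod` on the descriptor ties the attribute changes to the object that was just created. The single `errExit("mkdir/chmod")` also hides which of the three calls failed and omits chown, so the sketch below reports each one separately. The `#if 0` block tests `S_ISLNK(mode)` and the other type macros after `mode &= 07777` has already cleared the type bits, so it can be dropped. `open` needs `<fcntl.h>` if util.c does not already include it.

```c
void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
	assert(fname);
	mode &= 07777;
	// … unchanged: #if 0 debug printout …
	if (mkdir(fname, mode) == -1) {
		fprintf(stderr, "Error: failed to create %s directory\n", fname);
		errExit("mkdir");
	}

	// operate on the directory just created, not on whatever the path names now
	int fd = open(fname, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
	if (fd == -1)
		errExit("open");
	// chown first, so a later ownership change cannot disturb the mode bits
	if (fchown(fd, uid, gid) == -1)
		errExit("fchown");
	if (fchmod(fd, mode) == -1)
		errExit("fchmod");
	close(fd);
	// … unchanged: ASSERT_PERMS(fname, uid, gid, mode) …
```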
diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp index 88687ae2a..503da2b9b 100755 --- a/test/appimage/appimage-v1.exp +++ b/test/appimage/appimage-v1.exp | |||
@@ -7,7 +7,7 @@ set timeout 10 | |||
7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
8 | match_max 100000 | 8 | match_max 100000 |
9 | 9 | ||
10 | send -- "firejail --appimage Leafpad-0.8.17-x86_64.AppImage\r" | 10 | send -- "firejail --name=appimage-test --appimage Leafpad-0.8.17-x86_64.AppImage\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
13 | "Child process initialized" | 13 | "Child process initialized" |
@@ -77,5 +77,9 @@ expect { | |||
77 | } | 77 | } |
78 | after 100 | 78 | after 100 |
79 | 79 | ||
80 | spawn $env(SHELL) | ||
81 | send -- "firejail --shutdown=appimage-test\r" | ||
82 | sleep 3 | ||
83 | |||
80 | puts "\nall done\n" | 84 | puts "\nall done\n" |
81 | 85 | ||
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp index 7b3bf4cbd..5cb9d0849 100755 --- a/test/appimage/appimage-v2.exp +++ b/test/appimage/appimage-v2.exp | |||
@@ -77,5 +77,9 @@ expect { | |||
77 | } | 77 | } |
78 | after 100 | 78 | after 100 |
79 | 79 | ||
80 | spawn $env(SHELL) | ||
81 | send -- "firejail --shutdown=appimage-test\r" | ||
82 | sleep 3 | ||
83 | |||
80 | puts "\nall done\n" | 84 | puts "\nall done\n" |
81 | 85 | ||
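Review bot: The added `firejail --shutdown=appimage-test` only works if the sandbox was started with `--name=appimage-test`; appimage-v1.exp gets that change on its launch line in this commit, but this file's section shows only the four lines added at the end. If the `firejail --appimage …` launch line near the top (outside the hunk) is still unnamed, the shutdown finds nothing and the sandbox stays up after the test. The launch line should gain `--name=appimage-test` as in v1, and an `expect` on the shutdown output would make a failed cleanup visible instead of relying on `sleep 3`.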
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh index 1b3494290..4a8671dbd 100755 --- a/test/apps-x11/apps-x11.sh +++ b/test/apps-x11/apps-x11.sh | |||
@@ -6,6 +6,33 @@ | |||
6 | export MALLOC_CHECK_=3 | 6 | export MALLOC_CHECK_=3 |
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | 7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) |
8 | 8 | ||
9 | echo "TESTING: no x11 (test/apps-x11/x11-none.exp)" | ||
10 | ./x11-none.exp | ||
11 | |||
12 | |||
13 | which xterm | ||
14 | if [ "$?" -eq 0 ]; | ||
15 | then | ||
16 | echo "TESTING: xterm x11 xorg" | ||
17 | ./xterm-xorg.exp | ||
18 | |||
19 | which xpra | ||
20 | if [ "$?" -eq 0 ]; | ||
21 | then | ||
22 | echo "TESTING: xterm x11 xpra" | ||
23 | ./xterm-xpra.exp | ||
24 | fi | ||
25 | |||
26 | which Xephyr | ||
27 | if [ "$?" -eq 0 ]; | ||
28 | then | ||
29 | echo "TESTING: xterm x11 xephyr" | ||
30 | ./xterm-xephyr.exp | ||
31 | fi | ||
32 | else | ||
33 | echo "TESTING SKIP: xterm not found" | ||
34 | fi | ||
35 | |||
9 | # check xpra/xephyr | 36 | # check xpra/xephyr |
10 | which xpra | 37 | which xpra |
11 | if [ "$?" -eq 0 ]; | 38 | if [ "$?" -eq 0 ]; |
@@ -23,15 +50,6 @@ else | |||
23 | fi | 50 | fi |
24 | fi | 51 | fi |
25 | 52 | ||
26 | which xterm | ||
27 | if [ "$?" -eq 0 ]; | ||
28 | then | ||
29 | echo "TESTING: xterm x11" | ||
30 | ./xterm.exp | ||
31 | else | ||
32 | echo "TESTING SKIP: xterm not found" | ||
33 | fi | ||
34 | |||
35 | which firefox | 53 | which firefox |
36 | if [ "$?" -eq 0 ]; | 54 | if [ "$?" -eq 0 ]; |
37 | then | 55 | then |
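Review bot: `./x11-none.exp` is run unconditionally, before the `which xterm` check, yet that script sends `xterm` inside the sandbox and waits for `DISPLAY is not set`; on a machine without xterm that expect times out and the run reports `TESTING ERROR 3` instead of a skip. Moving the `x11-none.exp` call inside the `then` branch of the xterm check keeps the `TESTING SKIP: xterm not found` message accurate. As a style point, `if command -v xterm >/dev/null; then` would replace the separate `which` / `$?` pair used for each tool.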
diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp new file mode 100755 index 000000000..e9908839b --- /dev/null +++ b/test/apps-x11/x11-none.exp | |||
@@ -0,0 +1,48 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --name=test --x11=none\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "use network namespace in firejail" | ||
14 | } | ||
15 | sleep 1 | ||
16 | |||
17 | send -- "firejail --name=test --net=none --x11=none\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 1\n";exit} | ||
20 | "Child process initialized" | ||
21 | } | ||
22 | sleep 1 | ||
23 | |||
24 | send -- "ls -al /tmp/.X11-unix\r" | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 2\n";exit} | ||
27 | "cannot open directory" | ||
28 | } | ||
29 | after 100 | ||
30 | |||
31 | send -- "xterm\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 3\n";exit} | ||
34 | "DISPLAY is not set" | ||
35 | } | ||
36 | after 100 | ||
37 | |||
38 | send -- "export DISPLAY=:0.0\r" | ||
39 | after 100 | ||
40 | send -- "xterm\r" | ||
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 4\n";exit} | ||
43 | "Xt error" | ||
44 | } | ||
45 | after 100 | ||
46 | |||
47 | puts "\nall done\n" | ||
48 | |||
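--- /dev/null
+++ b/test/apps-x11/x11-xephyr.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xephyr xterm\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+
+exit
+
+
+sleep 5
+
+
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"use network namespace in firejail"
+}
+sleep 1
+
+send -- "firejail --name=test --net=none --x11=none\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /tmp/.X11-unix\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"cannot open directory"
+}
+after 100
+
+send -- "xterm\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"DISPLAY is not set"
+}
+after 100
+
+send -- "export DISPLAY=:0.0\r"
+after 100
+send -- "xterm\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Xt error"
+}
+after 100
+
+puts "\nall done\n"
+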
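Review bot: The bare `exit` on line 16 ends the script after the first expect, so lines 19-59 never run and the test checks nothing beyond `Child process initialized`. Those lines match the body of x11-none.exp (they exercise `--x11=none`, not Xephyr) and should be deleted, or the `exit` removed and the rest rewritten to assert something about the Xephyr sandbox. As written the script also never prints `all done` and never sends `firejail --shutdown=test`, so the sandbox named `test` may still be running when the next script reuses that name.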
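--- /dev/null
+++ b/test/apps-x11/xterm-xephyr.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xephyr xterm\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"xterm"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"xterm"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"xterm"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+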
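Review bot: The early exits on lines 29 and 44 (grsecurity present, /proc mounted with hidepid) leave the script before `firejail --shutdown=test` on line 82, so on those paths the Xephyr sandbox started on line 10 is never shut down explicitly and may still hold the name `test` when the next script runs. Sending the shutdown and waiting briefly before each of those `exit` calls would keep the runs independent, as would a comment on line 25 stating that the sandbox is expected to die with the spawned shell, if that is the intent. The label `TESTING ERROR 5.1` is used twice (lines 52 and 56); the second should read `TESTING ERROR 5.2` so a failure can be located from the log. Both points apply unchanged to test/apps-x11/xterm-xpra.exp, which appears to differ from this file only in line 10.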
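--- a/test/apps-x11/xterm.exp
+++ b/test/apps-x11/xterm-xorg.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=test --x11 xterm\r"
+send -- "firejail --name=test --x11=xorg xterm\r"
 sleep 10
 
 spawn $env(SHELL)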
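--- /dev/null
+++ b/test/apps-x11/xterm-xpra.exp
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --x11=xpra xterm\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 3.1\n";exit}
+"xterm"
+}
+sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+send -- "firejail --name=blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 5.0\n";exit}
+"xterm"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+"Seccomp: 2"
+}
+expect {
+timeout {puts "TESTING ERROR 5.1\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+":firejail"
+}
+expect {
+timeout {puts "TESTING ERROR 6.0\n";exit}
+"xterm"
+}
+expect {
+timeout {puts "TESTING ERROR 6.1\n";exit}
+"CapBnd"
+}
+expect {
+timeout {puts "TESTING ERROR 6.2\n";exit}
+"0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 6.3\n";exit}
+"name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+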
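--- a/test/fs/read-write.exp
+++ b/test/fs/read-write.exp
@@ -20,12 +20,14 @@ expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "done"
 }
+after 100
 
 send -- "echo mytest >~/_firejail_test_dir/test1/b;echo done\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "done"
 }
+after 100
 
 send -- "cat ~/_firejail_test_dir/a;echo done\r"
 expect {
@@ -33,7 +35,7 @@ expect {
 "mytest" {puts "TESTING ERROR 4\n";exit}
 "done"
 }
-
+after 100
 
 send -- "cat ~/_firejail_test_dir/test1/b;echo done\r"
 expect {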
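--- a/test/network/firemon-arp.exp
+++ b/test/network/firemon-arp.exp
@@ -4,12 +4,12 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "ping -c 3 192.168.1.1\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"3 packets transmitted"
-}
-sleep 1
+#send -- "ping -c 3 192.168.1.1\r"
+#expect {
+# timeout {puts "TESTING ERROR 0\n";exit}
+# "3 packets transmitted"
+#}
+#sleep 1
 
 send -- "firejail --name=test1\r"
 expect {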
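Review bot: Lines 7-12 are commented out rather than deleted, and nothing records why the ping step was dropped. Either remove the block or put a one-line reason above it, for example `# ping disabled: 192.168.1.1 is not present on every test network` if that is the cause. If the ARP expectations later in the file (outside this hunk) relied on that ping to populate the host ARP table, they may now depend on whatever traffic the host happened to produce before the test; the `expect` opened on line 15 continues past the hunk, so this cannot be confirmed from here.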
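--- /dev/null
+++ b/test/root/firejail.config
@@ -0,0 +1,20 @@
+bind yes
+chroot yes
+chroot-desktop yes
+file-transfer yes
+force-nonewprivs no
+network yes
+overlayfs yes
+private-bin-no-local no
+private-home yes
+quiet-by-default no
+remount-proc-sys yes
+restricted-network no
+# netfilter-default /etc/iptables.iptables.rules
+seccomp yes
+userns yes
+whitelist yes
+x11 yes
+xephyr-screen 800x600
+xephyr-window-title yes
+xephyr-extra-params -grayscale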
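--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# set a new firejail config file
+cp firejail.config /etc/firejail/firejail.config
+
 #********************************
 # servers
 #********************************
@@ -91,3 +94,6 @@ else
 echo "TESTING SKIP: firecfg, firefox not found"
 fi
 
+# restore the default config file
+cp ../../etc/firejail.config /etc/firejail/firejail.config
+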
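Review bot: Line 4 overwrites `/etc/firejail/firejail.config` without a backup, and line 98 replaces it with the repository default `../../etc/firejail.config` rather than the file that was installed before the run, so any local hardening in the system-wide config is silently lost after the root tests. If the script stops anywhere between those two lines, the test config (which sets `force-nonewprivs no` and `restricted-network no` in this commit's test/root/firejail.config) stays in place on the machine. Saving and restoring the original covers both cases: `cp -p /etc/firejail/firejail.config /etc/firejail/firejail.config.orig` before line 4, and `trap 'mv -f /etc/firejail/firejail.config.orig /etc/firejail/firejail.config' EXIT` in place of line 98. Both relative paths also assume the script is started from test/root, which a comment at the top should state.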
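--- a/test/root/seccomp-umount.exp
+++ b/test/root/seccomp-umount.exp
@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r"
+send -- "firejail --seccomp --noprofile\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"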
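--- a/test/utils/join.exp
+++ b/test/utils/join.exp
@@ -8,7 +8,7 @@ cd /home
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --name=jointesting\r"
+send -- "firejail --name=jointesting --cpu=0 --nice=2\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"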
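--- a/test/utils/ls.exp
+++ b/test/utils/ls.exp
@@ -3,6 +3,8 @@
 set timeout 10
 spawn $env(SHELL)
 match_max 100000
+set firstspawn $spawn_id
+
 
 send -- "rm -f lstesting\r"
 sleep 1
@@ -11,11 +13,11 @@ expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "Child process initialized"
 }
-sleep 2
+sleep 1
 send -- "echo my_testing > ~/lstesting\r"
-sleep 2
-
+after 100
 
+# ls
 spawn $env(SHELL)
 send -- "firejail --ls=test ~/.\r"
 expect {
@@ -23,14 +25,44 @@ expect {
 "lstesting"
 }
 sleep 1
+
+# get
 send -- "firejail --get=test ~/lstesting\r"
-sleep 2
+sleep 1
 send -- "cat lstesting\r"
 expect {
-timeout {puts "TESTING ERROR 3\n";exit}
+timeout {puts "TESTING ERROR 2n";exit}
 "my_testing"
 }
+after 100
+
+# put
+send -- "echo put_test > ~/lstesting\r"
+after 100
+send -- "firejail --put=test ~/lstesting ~/lstesting_2\r"
 sleep 1
+
+set spawn_id $firstspawn
+send -- "ls -al ~\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"lstesting_2"
+}
+
+after 100
+send -- "cat ~/lstesting_2\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"put_test"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+
+
+
 send -- "rm -f lstesting\r"
 
 after 100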
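Review bot: The timeout message on new line 34 lost its backslash, so it prints `TESTING ERROR 2n` with no newline; it should be `timeout {puts "TESTING ERROR 2\n";exit}`. The cleanup on line 66 removes only `lstesting`, so `~/lstesting_2` created by the put step appears to be left behind, and a stale copy from an earlier run would satisfy both the `lstesting_2` and the `put_test` checks even if `--put` did nothing. Removing it at the start and at the end, e.g. `send -- "rm -f lstesting ~/lstesting_2\r"`, keeps the put check meaningful. The file continues past the last hunk, so a later cleanup outside the visible lines cannot be ruled out.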
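--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -88,10 +88,10 @@ echo "TESTING: top (test/utils/top.exp)"
 echo "TESTING: file transfer (test/utils/ls.exp)"
 ./ls.exp
 
-echo "TESTING: firemon --seccomp (test/utils/firemon-seccomp.exp)"
+echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)"
 ./firemon-seccomp.exp
 
-echo "TESTING: firemon --caps (test/utils/firemon-caps.exp)"
+echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
 ./firemon-caps.exp
 
 echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"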
@@ -286,4 +286,5 @@ removable media, partitions, software RAID volumes, logical volumes, and files. | |||
286 | 286 | ||
287 | 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* | 287 | 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* |
288 | 288 | ||
289 | 30. /* coverity[toctou] */ | ||
289 | 290 | ||