diff options
-rwxr-xr-x | gcov.sh | 71 | ||||
-rw-r--r-- | src/firejail/caps.c | 13 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 55 | ||||
-rwxr-xr-x | test/rlimit/rlimit.sh | 14 | ||||
-rwxr-xr-x | test/root/private.exp | 33 |
5 files changed, 127 insertions, 59 deletions
diff --git a/gcov.sh b/gcov.sh new file mode 100755 index 000000000..ffacce6b5 --- /dev/null +++ b/gcov.sh | |||
@@ -0,0 +1,71 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | generate() { | ||
4 | lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file | ||
5 | rm -fr gcov-dir | ||
6 | genhtml gcov-file --output-directory gcov-dir | ||
7 | } | ||
8 | |||
9 | # init | ||
10 | USER=`whoami` | ||
11 | firejail --help | ||
12 | firemon --help | ||
13 | /usr/lib/firejail/fnet --help | ||
14 | /usr/lib/firejail/fseccomp --help | ||
15 | /usr/lib/firejail/ftee --help | ||
16 | firecfg --help | ||
17 | sudo chown $USER:$USER `find .` | ||
18 | generate | ||
19 | |||
20 | # running tests | ||
21 | make test-root | ||
22 | generate | ||
23 | sleep 2 | ||
24 | |||
25 | make test-network | ||
26 | generate | ||
27 | sleep 2 | ||
28 | |||
29 | make test-appimage | ||
30 | generate | ||
31 | sleep 2 | ||
32 | |||
33 | make test-overlay | ||
34 | generate | ||
35 | sleep 2 | ||
36 | |||
37 | make test-profiles | ||
38 | generate | ||
39 | sleep 2 | ||
40 | |||
41 | make test-fs | ||
42 | generate | ||
43 | sleep 2 | ||
44 | |||
45 | make test-utils | ||
46 | generate | ||
47 | sleep 2 | ||
48 | |||
49 | make test-environment | ||
50 | generate | ||
51 | sleep 2 | ||
52 | |||
53 | make test-apps | ||
54 | generate | ||
55 | sleep 2 | ||
56 | |||
57 | make test-apps-x11 | ||
58 | generate | ||
59 | sleep 2 | ||
60 | |||
61 | make test-apps-x11-xorg | ||
62 | generate | ||
63 | sleep 2 | ||
64 | |||
65 | make test-filters | ||
66 | generate | ||
67 | sleep 2 | ||
68 | |||
69 | make test-arguments | ||
70 | generate | ||
71 | sleep 2 | ||
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 3fd8b576e..ba811cada 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -168,17 +168,6 @@ static CapsEntry capslist[] = { | |||
168 | // | 168 | // |
169 | }; // end of capslist | 169 | }; // end of capslist |
170 | 170 | ||
171 | const char *caps_find_nr(int nr) { | ||
172 | int i; | ||
173 | int elems = sizeof(capslist) / sizeof(capslist[0]); | ||
174 | for (i = 0; i < elems; i++) { | ||
175 | if (nr == capslist[i].nr) | ||
176 | return capslist[i].name; | ||
177 | } | ||
178 | |||
179 | return "unknown"; | ||
180 | } | ||
181 | |||
182 | // return -1 if error, or syscall number | 171 | // return -1 if error, or syscall number |
183 | static int caps_find_name(const char *name) { | 172 | static int caps_find_name(const char *name) { |
184 | int i; | 173 | int i; |
@@ -397,7 +386,7 @@ static uint64_t extract_caps(int pid) { | |||
397 | } | 386 | } |
398 | fclose(fp); | 387 | fclose(fp); |
399 | free(file); | 388 | free(file); |
400 | printf("Error: cannot read caps configuration\n"); | 389 | fprintf(stderr, "Error: cannot read caps configuration\n"); |
401 | exit(1); | 390 | exit(1); |
402 | } | 391 | } |
403 | 392 | ||
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9d8021219..564dc8290 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -530,11 +530,7 @@ void fs_whitelist(void) { | |||
530 | // /home/user | 530 | // /home/user |
531 | if (home_dir) { | 531 | if (home_dir) { |
532 | // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR | 532 | // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR |
533 | int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755); | 533 | mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid()); |
534 | if (rv == -1) | ||
535 | errExit("mkdir"); | ||
536 | if (set_perms(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid(), 0755)) | ||
537 | errExit("set_perms"); | ||
538 | if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 534 | if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
539 | errExit("mount bind"); | 535 | errExit("mount bind"); |
540 | 536 | ||
@@ -545,12 +541,7 @@ void fs_whitelist(void) { | |||
545 | // /tmp mountpoint | 541 | // /tmp mountpoint |
546 | if (tmp_dir) { | 542 | if (tmp_dir) { |
547 | // keep a copy of real /tmp directory in | 543 | // keep a copy of real /tmp directory in |
548 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); | 544 | mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0); |
549 | if (rv == -1) | ||
550 | errExit("mkdir"); | ||
551 | if (set_perms(RUN_WHITELIST_TMP_DIR, 0, 0, 1777)) | ||
552 | errExit("set_perms"); | ||
553 | |||
554 | if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 545 | if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
555 | errExit("mount bind"); | 546 | errExit("mount bind"); |
556 | 547 | ||
@@ -568,12 +559,7 @@ void fs_whitelist(void) { | |||
568 | struct stat s; | 559 | struct stat s; |
569 | if (stat("/media", &s) == 0) { | 560 | if (stat("/media", &s) == 0) { |
570 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR | 561 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR |
571 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); | 562 | mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0); |
572 | if (rv == -1) | ||
573 | errExit("mkdir"); | ||
574 | if (set_perms(RUN_WHITELIST_MEDIA_DIR, 0, 0, 0755)) | ||
575 | errExit("set_perms"); | ||
576 | |||
577 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 563 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
578 | errExit("mount bind"); | 564 | errExit("mount bind"); |
579 | 565 | ||
@@ -594,12 +580,7 @@ void fs_whitelist(void) { | |||
594 | struct stat s; | 580 | struct stat s; |
595 | if (stat("/mnt", &s) == 0) { | 581 | if (stat("/mnt", &s) == 0) { |
596 | // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR | 582 | // keep a copy of real /mnt directory in RUN_WHITELIST_MNT_DIR |
597 | int rv = mkdir(RUN_WHITELIST_MNT_DIR, 0755); | 583 | mkdir_attr(RUN_WHITELIST_MNT_DIR, 0755, 0, 0); |
598 | if (rv == -1) | ||
599 | errExit("mkdir"); | ||
600 | if (set_perms(RUN_WHITELIST_MNT_DIR, 0, 0, 0755)) | ||
601 | errExit("set_perms"); | ||
602 | |||
603 | if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 584 | if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
604 | errExit("mount bind"); | 585 | errExit("mount bind"); |
605 | 586 | ||
@@ -618,12 +599,7 @@ void fs_whitelist(void) { | |||
618 | // /var mountpoint | 599 | // /var mountpoint |
619 | if (var_dir) { | 600 | if (var_dir) { |
620 | // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR | 601 | // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR |
621 | int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755); | 602 | mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0); |
622 | if (rv == -1) | ||
623 | errExit("mkdir"); | ||
624 | if (set_perms(RUN_WHITELIST_VAR_DIR, 0, 0, 0755)) | ||
625 | errExit("set_perms"); | ||
626 | |||
627 | if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 603 | if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
628 | errExit("mount bind"); | 604 | errExit("mount bind"); |
629 | 605 | ||
@@ -638,12 +614,7 @@ void fs_whitelist(void) { | |||
638 | // /dev mountpoint | 614 | // /dev mountpoint |
639 | if (dev_dir) { | 615 | if (dev_dir) { |
640 | // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR | 616 | // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR |
641 | int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755); | 617 | mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0); |
642 | if (rv == -1) | ||
643 | errExit("mkdir"); | ||
644 | if (set_perms(RUN_WHITELIST_DEV_DIR, 0, 0, 0755)) | ||
645 | errExit("set_perms"); | ||
646 | |||
647 | if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) | 618 | if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) |
648 | errExit("mount bind"); | 619 | errExit("mount bind"); |
649 | 620 | ||
@@ -658,12 +629,7 @@ void fs_whitelist(void) { | |||
658 | // /opt mountpoint | 629 | // /opt mountpoint |
659 | if (opt_dir) { | 630 | if (opt_dir) { |
660 | // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR | 631 | // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR |
661 | int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755); | 632 | mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0); |
662 | if (rv == -1) | ||
663 | errExit("mkdir"); | ||
664 | if (set_perms(RUN_WHITELIST_OPT_DIR, 0, 0, 0755)) | ||
665 | errExit("set_perms"); | ||
666 | |||
667 | if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 633 | if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
668 | errExit("mount bind"); | 634 | errExit("mount bind"); |
669 | 635 | ||
@@ -681,12 +647,7 @@ void fs_whitelist(void) { | |||
681 | struct stat s; | 647 | struct stat s; |
682 | if (stat("/srv", &s) == 0) { | 648 | if (stat("/srv", &s) == 0) { |
683 | // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR | 649 | // keep a copy of real /srv directory in RUN_WHITELIST_SRV_DIR |
684 | int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755); | 650 | mkdir_attr(RUN_WHITELIST_SRV_DIR, 0755, 0, 0); |
685 | if (rv == -1) | ||
686 | errExit("mkdir"); | ||
687 | if (set_perms(RUN_WHITELIST_SRV_DIR, 0, 0, 0755)) | ||
688 | errExit("set_perms"); | ||
689 | |||
690 | if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 651 | if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
691 | errExit("mount bind"); | 652 | errExit("mount bind"); |
692 | 653 | ||
diff --git a/test/rlimit/rlimit.sh b/test/rlimit/rlimit.sh new file mode 100755 index 000000000..d85497176 --- /dev/null +++ b/test/rlimit/rlimit.sh | |||
@@ -0,0 +1,14 @@ | |||
1 | #!/bin/bash | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | export MALLOC_CHECK_=3 | ||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
8 | |||
9 | echo "TESTING: rlimit (test/rlimit/rlimit.exp)" | ||
10 | ./rlimit.exp | ||
11 | |||
12 | echo "TESTING: rlimit profile (test/rlimit/rlimit-profile.exp)" | ||
13 | ./rlimit-profile.exp | ||
14 | |||
diff --git a/test/root/private.exp b/test/root/private.exp new file mode 100755 index 000000000..4040081ee --- /dev/null +++ b/test/root/private.exp | |||
@@ -0,0 +1,33 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --private\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 2 | ||
16 | |||
17 | send -- "ls -l /home\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 1\n";exit} | ||
20 | "total 0" | ||
21 | } | ||
22 | after 100 | ||
23 | |||
24 | send -- "ls -l /root\r" | ||
25 | expect { | ||
26 | timeout {puts "TESTING ERROR 2\n";exit} | ||
27 | "total 0" | ||
28 | } | ||
29 | after 100 | ||
30 | |||
31 | send -- "exit\r" | ||
32 | after 100 | ||
33 | puts "\nall done\n" | ||