-rw-r--r-- | .github/workflows/build.yml | 4 | ||||
-rw-r--r-- | Makefile | 4 | ||||
-rwxr-xr-x | test/fs/fs.sh | 6 | ||||
-rwxr-xr-x | test/fs/private-etc-empty.exp | 42 | ||||
-rw-r--r-- | test/fs/private-etc-empty.profile | 1 | ||||
-rwxr-xr-x | test/private-etc/etc-cleanup.exp | 33 | ||||
-rwxr-xr-x | test/private-etc/groups.exp | 132 | ||||
-rw-r--r-- | test/private-etc/p1.profile | 1 | ||||
-rw-r--r-- | test/private-etc/p2.profile | 1 | ||||
-rw-r--r-- | test/private-etc/p3.profile | 1 | ||||
-rwxr-xr-x | test/private-etc/private-etc.exp (renamed from test/fs/private-etc.exp) | 1 | ||||
-rwxr-xr-x | test/private-etc/private-etc.sh | 21 | ||||
-rwxr-xr-x | test/private-etc/profile.exp | 90 |
13 files changed, 284 insertions, 53 deletions
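--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,7 +60,7 @@ jobs:
 - name: update package information
 run: sudo apt-get update
 - name: install dependencies
-run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec
+run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
 - name: configure
 run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
 - name: make
@@ -73,6 +73,8 @@ jobs:
 run: SHELL=/bin/bash make lab-setup
 - name: run sysutils tests
 run: SHELL=/bin/bash make test-sysutils
+- name: run private-etc tests
+run: SHELL=/bin/bash make test-private-etc
 - name: run profile tests
 run: SHELL=/bin/bash make test-profiles
 - name: run fcopy tests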
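Review bot: The `whois` package appended to the install step at line 63 is not referenced by any test file introduced in this commit, so the reason for the new dependency is not recoverable from the change. If it is pulled in for a tool that one of the test scripts invokes, a short comment on the step such as `# whois: provides <tool> used by test/<suite>` would keep the dependency list explainable to the next person trimming it. The new 'run private-etc tests' step at lines 76-77 mirrors the surrounding steps and needs no change.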
@@ -368,7 +368,7 @@ scan-build: clean | |||
368 | # make test | 368 | # make test |
369 | # | 369 | # |
370 | 370 | ||
371 | TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter | 371 | TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc |
372 | TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) | 372 | TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) |
373 | 373 | ||
374 | $(TEST_TARGETS): | 374 | $(TEST_TARGETS): |
@@ -378,7 +378,7 @@ $(TEST_TARGETS): | |||
378 | # extract some data about the testing setup: kernel, network connectivity, user | 378 | # extract some data about the testing setup: kernel, network connectivity, user |
379 | lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; ls /etc | 379 | lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; ls /etc |
380 | 380 | ||
381 | test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | 381 | test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters |
382 | echo "TEST COMPLETE" | 382 | echo "TEST COMPLETE" |
383 | 383 | ||
384 | test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | 384 | test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters |
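Review bot: `test-noprofiles` at line 384 is not updated alongside `test` at line 381, so the new `test-private-etc` suite only runs as part of the full `test` goal. The two aggregate targets previously listed the same suites apart from `test-profiles`, and keeping them in step would mean `test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters`. The file header for this Makefile section is missing from the rendered page; both hunks themselves appear complete.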
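--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -80,12 +80,6 @@ rm -fr ~/_firejail_test_dir1
 rm -f ~/_firejail_test_link1
 rm -f ~/_firejail_test_link2
 
-echo "TESTING: private-etc (test/fs/private-etc.exp)"
-./private-etc.exp
-
-#echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
-#./private-etc-empty.exp
-
 echo "TESTING: private-bin (test/fs/private-bin.exp)"
 ./private-bin.exp
 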
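--- a/test/fs/private-etc-empty.exp
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2022 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --private-etc=blablabla\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-send -- "ls -l /etc | wc -l\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"0" {puts "Debian\n"}
-"1" {puts "Arch\n"}
-}
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --profile=private-etc-empty.profile\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-send -- "ls -l /etc | wc -l\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"0" {puts "Debian\n"}
-"1" {puts "Arch\n"}
-
-}
-
-after 100
-puts "\nall done\n"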
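--- a/test/fs/private-etc-empty.profile
+++ /dev/null
@@ -1 +0,0 @@
-private-etc blablabla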
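--- /dev/null
+++ b/test/private-etc/etc-cleanup.exp
@@ -0,0 +1,33 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/lib/firejail/etc-cleanup p1.profile\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"old: private-etc passwd,group,resolv.conf,X11"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"new: private-etc @x11"
+}
+after 500
+
+send -- "/usr/lib/firejail/etc-cleanup p3.profile\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"old: private-etc @tls-ca,os-release,@x11,mime.types,mailcap"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"new: private-etc @tls-ca,@x11,mailcap,mime.types,os-release"
+}
+after 500
+
+
+puts "\nall done\n"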
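Review bot: The helper is invoked by absolute path `/usr/lib/firejail/etc-cleanup` at lines 10 and 21, whereas the other expect scripts in this commit call `firejail` through PATH; on an install configured with a different `--prefix` the command is not found, and the test then fails with `TESTING ERROR 1` on timeout rather than saying why. A guard before the first send, `if {![file executable /usr/lib/firejail/etc-cleanup]} {puts "TESTING ERROR: /usr/lib/firejail/etc-cleanup not found\n"; exit}`, would make the failure self-explanatory. A one-line header comment stating that the test assumes the `--prefix=/usr` layout used by the CI configure step would also help.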
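--- /dev/null
+++ b/test/private-etc/groups.exp
@@ -0,0 +1,132 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-etc ls -l /etc\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Private /etc installed in"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"cron" {puts "TESTING ERROR 2\n"; exit}
+"shadow" {puts "TESTING ERROR 3\n"; exit}
+"ssl" {puts "TESTING ERROR 4\n"; exit}
+"ld.so.cache"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"cron" {puts "TESTING ERROR 2\n"; exit}
+"shadow" {puts "TESTING ERROR 3\n"; exit}
+"ssl" {puts "TESTING ERROR 4\n"; exit}
+"nsswitch.conf"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"cron" {puts "TESTING ERROR 2\n"; exit}
+"shadow" {puts "TESTING ERROR 3\n"; exit}
+"ssl" {puts "TESTING ERROR 4\n"; exit}
+"resolv.conf"
+}
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"cron" {puts "TESTING ERROR 2\n"; exit}
+"shadow" {puts "TESTING ERROR 3\n"; exit}
+"xdg" {puts "TESTING ERROR 4\n"; exit}
+"Parent is shutting down"
+}
+after 500
+
+
+send -- "firejail --private-etc=@tls-ca ls -l /etc\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"Private /etc installed in"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"cron" {puts "TESTING ERROR 12\n"; exit}
+"shadow" {puts "TESTING ERROR 13\n"; exit}
+"ca-certificates"
+}
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"cron" {puts "TESTING ERROR 12\n"; exit}
+"shadow" {puts "TESTING ERROR 13\n"; exit}
+"nsswitch.conf"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"cron" {puts "TESTING ERROR 12\n"; exit}
+"shadow" {puts "TESTING ERROR 13\n"; exit}
+"resolv.conf"
+}
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+"cron" {puts "TESTING ERROR 12\n"; exit}
+"shadow" {puts "TESTING ERROR 13\n"; exit}
+"ssl"
+}
+after 500
+
+
+send -- "firejail --private-etc --nosound ls -l /etc\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+"Private /etc installed in"
+}
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"cron" {puts "TESTING ERROR 22\n"; exit}
+"shadow" {puts "TESTING ERROR 23\n"; exit}
+"machine-id" {puts "TESTING ERROR 24\n"; exit}
+"nsswitch.conf"
+}
+expect {
+timeout {puts "TESTING ERROR 25\n";exit}
+"Parent is shutting down"
+}
+after 500
+
+send -- "firejail --private-etc --net=none ls -l /etc\r"
+expect {
+timeout {puts "TESTING ERROR 30\n";exit}
+"Private /etc installed in"
+}
+expect {
+timeout {puts "TESTING ERROR 31\n";exit}
+"cron" {puts "TESTING ERROR 32\n"; exit}
+"shadow" {puts "TESTING ERROR 33\n"; exit}
+"nsswitch.conf"
+}
+expect {
+timeout {puts "TESTING ERROR 34\n";exit}
+"resolv.conf" {puts "TESTING ERROR 35\n"; exit}
+"Parent is shutting down"
+}
+after 500
+
+send -- "firejail --private-etc=@x11 ls -l /etc\r"
+expect {
+timeout {puts "TESTING ERROR 40\n";exit}
+"Private /etc installed in"
+}
+expect {
+timeout {puts "TESTING ERROR 41\n";exit}
+"cron" {puts "TESTING ERROR 42\n"; exit}
+"shadow" {puts "TESTING ERROR 43\n"; exit}
+"nsswitch.conf"
+}
+expect {
+timeout {puts "TESTING ERROR 44\n";exit}
+"xdg"
+}
+after 100
+
+
+puts "\nall done\n"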
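Review bot: The `ssl` absence checks in the first scenario (lines 19, 26 and 33) can never fire, because `ls -l /etc` lists entries alphabetically and `ssl` sorts after `resolv.conf`, so it can only show up in the window consumed by the final block at lines 36-42 — and that block tests `xdg` instead, reusing error code 4. If the intent is that the default group set excludes both, add `"ssl" {puts "TESTING ERROR 8\n"; exit}` to that block and give `xdg` a distinct code, so a failure points at the right entry. The `@tls-ca` scenario is unaffected, since there `ssl` at line 73 is the positive match that ends the block. Note also that the `shadow` pattern matches `gshadow` too, which is fine as long as both are meant to be absent.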
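--- /dev/null
+++ b/test/private-etc/p1.profile
@@ -0,0 +1 @@
+private-etc passwd,group,resolv.conf,X11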
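--- /dev/null
+++ b/test/private-etc/p2.profile
@@ -0,0 +1 @@
+private-etc @x11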
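--- /dev/null
+++ b/test/private-etc/p3.profile
@@ -0,0 +1 @@
+private-etc @tls-ca,os-release,@x11,mime.types,mailcap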
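--- a/test/fs/private-etc.exp
+++ b/test/private-etc/private-etc.exp
@@ -7,7 +7,6 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-# directory with ~
 send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}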
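--- /dev/null
+++ b/test/private-etc/private-etc.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+echo "TESTING: private-etc (test/private-etc/private-etc.exp)"
+./private-etc.exp
+
+echo "TESTING: profile (test/private-etc/profile.exp)"
+./private-etc.exp
+
+echo "TESTING: groups (test/private-etc/groups.exp)"
+./groups.exp
+
+echo "TESTING: etc-cleanup (test/private-etc/etc-cleanup.exp)"
+./etc-cleanup.exp
+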
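Review bot: Line 14 runs `./private-etc.exp` a second time under the `TESTING: profile` banner, so `profile.exp`, added in this same commit, is never executed by the suite driver and its two scenarios go unexercised in CI. The line should read `./profile.exp`, matching the echo on line 13 the way the other three entries pair banner and script.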
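--- /dev/null
+++ b/test/private-etc/profile.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=p1.profile\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+send -- "LC_ALL=C ls -al /etc\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"X11"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"group"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"passwd"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"resolv.conf"
+}
+
+
+send -- "file /etc/shadow\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"No such file or directory"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=p2.profile\r"
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+send -- "LC_ALL=C ls -al /etc\r"
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"X11"
+}
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"group"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"passwd"
+}
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+"resolv.conf"
+}
+
+
+send -- "file /etc/shadow\r"
+expect {
+timeout {puts "TESTING ERROR 17\n";exit}
+"No such file or directory"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+
+
+
+
+
+
+
+
+after 100
+puts "\nall done\n"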
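Review bot: The `file /etc/shadow` probes at lines 36 and 71 add a dependency on the `file` utility, which the CI install step in this commit does not list; if it is absent from the runner image, the shell's "command not found" never matches and the script dies on timeout (errors 7 and 17) with no hint of the cause. `ls /etc/shadow` yields the same `No such file or directory` text using a tool the test already relies on, or the header comment could state that `file` is required. The ten blank lines 79-88 before the final `after 100` look like the remains of a removed third scenario and can be trimmed.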