-rwxr-xr-x | test/filters/namespaces | bin | 17392 -> 17496 bytes | |||
-rwxr-xr-x | test/filters/namespaces-32 | bin | 16104 -> 16180 bytes | |||
-rwxr-xr-x | test/filters/namespaces-32.exp | 80 | ||||
-rw-r--r-- | test/filters/namespaces.c | 38 | ||||
-rwxr-xr-x | test/filters/namespaces.exp | 80 |
5 files changed, 153 insertions, 45 deletions
diff --git a/test/filters/namespaces b/test/filters/namespaces index 721ba092e..6d36ae8e9 100755 --- a/test/filters/namespaces +++ b/test/filters/namespaces | |||
Binary files differ | |||
diff --git a/test/filters/namespaces-32 b/test/filters/namespaces-32 index 4df674d1b..a5ba488a4 100755 --- a/test/filters/namespaces-32 +++ b/test/filters/namespaces-32 | |||
Binary files differ | |||
diff --git a/test/filters/namespaces-32.exp b/test/filters/namespaces-32.exp index 3b618bd01..f2310db3b 100755 --- a/test/filters/namespaces-32.exp +++ b/test/filters/namespaces-32.exp | |||
@@ -20,7 +20,7 @@ expect { | |||
20 | timeout {puts "TESTING ERROR 1\n";exit} | 20 | timeout {puts "TESTING ERROR 1\n";exit} |
21 | "clone successful" | 21 | "clone successful" |
22 | } | 22 | } |
23 | after 100 | 23 | after 200 |
24 | 24 | ||
25 | send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r" | 25 | send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r" |
26 | expect { | 26 | expect { |
@@ -31,7 +31,7 @@ expect { | |||
31 | timeout {puts "TESTING ERROR 3\n";exit} | 31 | timeout {puts "TESTING ERROR 3\n";exit} |
32 | "Error: clone: Operation not permitted" | 32 | "Error: clone: Operation not permitted" |
33 | } | 33 | } |
34 | after 100 | 34 | after 200 |
35 | 35 | ||
36 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r" | 36 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r" |
37 | expect { | 37 | expect { |
@@ -42,7 +42,7 @@ expect { | |||
42 | timeout {puts "TESTING ERROR 5\n";exit} | 42 | timeout {puts "TESTING ERROR 5\n";exit} |
43 | "Error: clone: Operation not permitted" | 43 | "Error: clone: Operation not permitted" |
44 | } | 44 | } |
45 | after 100 | 45 | after 200 |
46 | 46 | ||
47 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r" | 47 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r" |
48 | expect { | 48 | expect { |
@@ -53,9 +53,9 @@ expect { | |||
53 | timeout {puts "TESTING ERROR 7\n";exit} | 53 | timeout {puts "TESTING ERROR 7\n";exit} |
54 | "Error: clone: Operation not permitted" | 54 | "Error: clone: Operation not permitted" |
55 | } | 55 | } |
56 | after 100 | 56 | after 200 |
57 | 57 | ||
58 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r" | 58 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup,user\r" |
59 | expect { | 59 | expect { |
60 | timeout {puts "TESTING ERROR 8\n";exit} | 60 | timeout {puts "TESTING ERROR 8\n";exit} |
61 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 61 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -64,9 +64,9 @@ expect { | |||
64 | timeout {puts "TESTING ERROR 9\n";exit} | 64 | timeout {puts "TESTING ERROR 9\n";exit} |
65 | "Error: clone: Operation not permitted" | 65 | "Error: clone: Operation not permitted" |
66 | } | 66 | } |
67 | after 100 | 67 | after 200 |
68 | 68 | ||
69 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r" | 69 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc,user\r" |
70 | expect { | 70 | expect { |
71 | timeout {puts "TESTING ERROR 10\n";exit} | 71 | timeout {puts "TESTING ERROR 10\n";exit} |
72 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 72 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -75,9 +75,9 @@ expect { | |||
75 | timeout {puts "TESTING ERROR 11\n";exit} | 75 | timeout {puts "TESTING ERROR 11\n";exit} |
76 | "Error: clone: Operation not permitted" | 76 | "Error: clone: Operation not permitted" |
77 | } | 77 | } |
78 | after 100 | 78 | after 200 |
79 | 79 | ||
80 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r" | 80 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,user,uts\r" |
81 | expect { | 81 | expect { |
82 | timeout {puts "TESTING ERROR 12\n";exit} | 82 | timeout {puts "TESTING ERROR 12\n";exit} |
83 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 83 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -86,7 +86,7 @@ expect { | |||
86 | timeout {puts "TESTING ERROR 13\n";exit} | 86 | timeout {puts "TESTING ERROR 13\n";exit} |
87 | "clone successful" | 87 | "clone successful" |
88 | } | 88 | } |
89 | after 100 | 89 | after 200 |
90 | 90 | ||
91 | # | 91 | # |
92 | # unshare | 92 | # unshare |
@@ -101,7 +101,7 @@ expect { | |||
101 | timeout {puts "TESTING ERROR 15\n";exit} | 101 | timeout {puts "TESTING ERROR 15\n";exit} |
102 | "unshare successful" | 102 | "unshare successful" |
103 | } | 103 | } |
104 | after 100 | 104 | after 200 |
105 | 105 | ||
106 | send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r" | 106 | send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r" |
107 | expect { | 107 | expect { |
@@ -112,7 +112,7 @@ expect { | |||
112 | timeout {puts "TESTING ERROR 17\n";exit} | 112 | timeout {puts "TESTING ERROR 17\n";exit} |
113 | "Error: unshare: Operation not permitted" | 113 | "Error: unshare: Operation not permitted" |
114 | } | 114 | } |
115 | after 100 | 115 | after 200 |
116 | 116 | ||
117 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r" | 117 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r" |
118 | expect { | 118 | expect { |
@@ -123,7 +123,7 @@ expect { | |||
123 | timeout {puts "TESTING ERROR 19\n";exit} | 123 | timeout {puts "TESTING ERROR 19\n";exit} |
124 | "Error: unshare: Operation not permitted" | 124 | "Error: unshare: Operation not permitted" |
125 | } | 125 | } |
126 | after 100 | 126 | after 200 |
127 | 127 | ||
128 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r" | 128 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r" |
129 | expect { | 129 | expect { |
@@ -134,9 +134,9 @@ expect { | |||
134 | timeout {puts "TESTING ERROR 21\n";exit} | 134 | timeout {puts "TESTING ERROR 21\n";exit} |
135 | "Error: unshare: Operation not permitted" | 135 | "Error: unshare: Operation not permitted" |
136 | } | 136 | } |
137 | after 100 | 137 | after 200 |
138 | 138 | ||
139 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r" | 139 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup,user\r" |
140 | expect { | 140 | expect { |
141 | timeout {puts "TESTING ERROR 22\n";exit} | 141 | timeout {puts "TESTING ERROR 22\n";exit} |
142 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 142 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -145,9 +145,9 @@ expect { | |||
145 | timeout {puts "TESTING ERROR 23\n";exit} | 145 | timeout {puts "TESTING ERROR 23\n";exit} |
146 | "Error: unshare: Operation not permitted" | 146 | "Error: unshare: Operation not permitted" |
147 | } | 147 | } |
148 | after 100 | 148 | after 200 |
149 | 149 | ||
150 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r" | 150 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc,user\r" |
151 | expect { | 151 | expect { |
152 | timeout {puts "TESTING ERROR 24\n";exit} | 152 | timeout {puts "TESTING ERROR 24\n";exit} |
153 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 153 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -156,9 +156,9 @@ expect { | |||
156 | timeout {puts "TESTING ERROR 25\n";exit} | 156 | timeout {puts "TESTING ERROR 25\n";exit} |
157 | "Error: unshare: Operation not permitted" | 157 | "Error: unshare: Operation not permitted" |
158 | } | 158 | } |
159 | after 100 | 159 | after 200 |
160 | 160 | ||
161 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r" | 161 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,user,uts\r" |
162 | expect { | 162 | expect { |
163 | timeout {puts "TESTING ERROR 26\n";exit} | 163 | timeout {puts "TESTING ERROR 26\n";exit} |
164 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 164 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -167,7 +167,47 @@ expect { | |||
167 | timeout {puts "TESTING ERROR 27\n";exit} | 167 | timeout {puts "TESTING ERROR 27\n";exit} |
168 | "unshare successful" | 168 | "unshare successful" |
169 | } | 169 | } |
170 | after 200 | ||
170 | 171 | ||
171 | 172 | ||
172 | after 100 | 173 | # |
174 | # clone3 | ||
175 | # | ||
176 | |||
177 | send -- "firejail --noprofile ./namespaces-32 clone3 cgroup,ipc,mnt,net,pid,user,uts\r" | ||
178 | expect { | ||
179 | timeout {puts "TESTING ERROR 28\n";exit} | ||
180 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
181 | } | ||
182 | expect { | ||
183 | timeout {puts "TESTING ERROR 29\n";exit} | ||
184 | "Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"} | ||
185 | "clone3 successful" { | ||
186 | after 200 | ||
187 | |||
188 | send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone3 user\r" | ||
189 | expect { | ||
190 | timeout {puts "TESTING ERROR 30\n";exit} | ||
191 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
192 | } | ||
193 | expect { | ||
194 | timeout {puts "TESTING ERROR 31\n";exit} | ||
195 | "Error: clone3: Function not implemented" | ||
196 | } | ||
197 | after 200 | ||
198 | |||
199 | # clone3 arguments are not checked | ||
200 | send -- "firejail --noprofile --restrict-namespaces=mnt ./namespaces-32 clone3 cgroup,ipc,net,pid,user,uts\r" | ||
201 | expect { | ||
202 | timeout {puts "TESTING ERROR 32\n";exit} | ||
203 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
204 | } | ||
205 | expect { | ||
206 | timeout {puts "TESTING ERROR 33\n";exit} | ||
207 | "Error: clone3: Function not implemented" | ||
208 | } | ||
209 | } | ||
210 | } | ||
211 | |||
212 | after 200 | ||
173 | puts "\nall done\n" | 213 | puts "\nall done\n" |
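Review bot: The comment `# clone3 arguments are not checked` (new line 199) does not explain why the next test expects "Function not implemented" even though the requested list leaves out the restricted `mnt` namespace. Presumably the filter cannot read the flags inside the struct that clone3 takes, so the call is refused outright whenever --restrict-namespaces is set; if that is the intent, say so, e.g. `# clone3 passes its flags in a struct the filter cannot inspect, so it is refused (ENOSYS) whatever namespaces are requested`. The two restricted expects (ERROR 31 and 33) also detect a regression only through the timeout; an explicit branch such as `"clone3 successful" {puts "TESTING ERROR 31.1\n";exit}` would report a bypass of the restriction directly. The same two points apply to the clone3 block added to test/filters/namespaces.exp.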
diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c index ecf0fdcd1..18ebc8faa 100644 --- a/test/filters/namespaces.c +++ b/test/filters/namespaces.c | |||
@@ -1,21 +1,29 @@ | |||
1 | #define _GNU_SOURCE | 1 | #define _GNU_SOURCE |
2 | #include <errno.h> | 2 | #include <errno.h> |
3 | #include <sched.h> | 3 | #include <linux/sched.h> |
4 | #include <signal.h> | 4 | #include <signal.h> |
5 | #include <stdio.h> | 5 | #include <stdio.h> |
6 | #include <stdlib.h> | 6 | #include <stdlib.h> |
7 | #include <string.h> | 7 | #include <string.h> |
8 | #include <sys/mman.h> | 8 | #include <sys/mman.h> |
9 | #include <sys/wait.h> | ||
9 | #include <unistd.h> | 10 | #include <unistd.h> |
10 | 11 | ||
12 | #include <sched.h> | ||
11 | #ifndef CLONE_NEWTIME | 13 | #ifndef CLONE_NEWTIME |
12 | #define CLONE_NEWTIME 0x00000080 | 14 | #define CLONE_NEWTIME 0x00000080 |
13 | #endif | 15 | #endif |
14 | 16 | ||
17 | #include <sys/syscall.h> | ||
18 | #ifndef __NR_clone3 | ||
19 | #define __NR_clone3 435 | ||
20 | #endif | ||
21 | |||
15 | #define STACK_SIZE 1024 * 1024 | 22 | #define STACK_SIZE 1024 * 1024 |
16 | 23 | ||
24 | |||
17 | static int usage() { | 25 | static int usage() { |
18 | fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n"); | 26 | fprintf(stderr, "Usage: namespaces <system call>[clone,clone3,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n"); |
19 | exit(1); | 27 | exit(1); |
20 | } | 28 | } |
21 | 29 | ||
@@ -71,8 +79,11 @@ int main (int argc, char **argv) { | |||
71 | usage(); | 79 | usage(); |
72 | 80 | ||
73 | int flags = ns_flags(argv[2]); | 81 | int flags = ns_flags(argv[2]); |
74 | if (getuid() != 0) | 82 | |
75 | flags |= CLONE_NEWUSER; | 83 | if (getuid() != 0 && (flags & CLONE_NEWUSER) != CLONE_NEWUSER) { |
84 | fprintf(stderr, "Error: add \"user\" to namespaces list\n"); | ||
85 | exit(1); | ||
86 | } | ||
76 | 87 | ||
77 | if (strcmp(argv[1], "clone") == 0) { | 88 | if (strcmp(argv[1], "clone") == 0) { |
78 | void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, | 89 | void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, |
@@ -80,8 +91,25 @@ int main (int argc, char **argv) { | |||
80 | if (stack == MAP_FAILED) | 91 | if (stack == MAP_FAILED) |
81 | die("mmap"); | 92 | die("mmap"); |
82 | 93 | ||
83 | if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0) | 94 | pid_t pid = clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL); |
95 | if (pid < 0) | ||
84 | die("clone"); | 96 | die("clone"); |
97 | waitpid(pid, NULL, 0); | ||
98 | } | ||
99 | else if (strcmp(argv[1], "clone3") == 0) { | ||
100 | struct clone_args args = { | ||
101 | .flags = flags, | ||
102 | .exit_signal = SIGCHLD, | ||
103 | }; | ||
104 | |||
105 | pid_t pid = syscall(__NR_clone3, &args, sizeof(struct clone_args)); | ||
106 | if (pid < 0) | ||
107 | die("clone3"); | ||
108 | if (pid == 0) { | ||
109 | fprintf(stderr, "clone3 successful\n"); | ||
110 | exit(0); | ||
111 | } | ||
112 | waitpid(pid, NULL, 0); | ||
85 | } | 113 | } |
86 | else if (strcmp(argv[1], "unshare") == 0) { | 114 | else if (strcmp(argv[1], "unshare") == 0) { |
87 | if (unshare(flags)) | 115 | if (unshare(flags)) |
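Review bot: The `#ifndef __NR_clone3` fallback (new lines 18-20) implies the helper should build against headers that predate clone3, but `struct clone_args` at new line 100 comes from the same `<linux/sched.h>` generation, so on such headers the build would still fail at the struct. Either drop the fallback or document the real requirement next to it, e.g. `/* struct clone_args needs kernel headers >= 5.3; the __NR_clone3 fallback alone is not enough */`. Separately, both new `waitpid(pid, NULL, 0)` calls discard the return value and the child's status, so a child that dies from a signal looks the same to the helper as a clean exit; `int status; if (waitpid(pid, &status, 0) < 0) die("waitpid");` followed by a `WIFSIGNALED(status)` check would make that visible in the test output. main's body starts and ends outside these hunks, so how the unshare branch reports success is not visible here.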
diff --git a/test/filters/namespaces.exp b/test/filters/namespaces.exp index 96e4a774a..394826de7 100755 --- a/test/filters/namespaces.exp +++ b/test/filters/namespaces.exp | |||
@@ -20,7 +20,7 @@ expect { | |||
20 | timeout {puts "TESTING ERROR 1\n";exit} | 20 | timeout {puts "TESTING ERROR 1\n";exit} |
21 | "clone successful" | 21 | "clone successful" |
22 | } | 22 | } |
23 | after 100 | 23 | after 200 |
24 | 24 | ||
25 | send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r" | 25 | send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r" |
26 | expect { | 26 | expect { |
@@ -31,7 +31,7 @@ expect { | |||
31 | timeout {puts "TESTING ERROR 3\n";exit} | 31 | timeout {puts "TESTING ERROR 3\n";exit} |
32 | "Error: clone: Operation not permitted" | 32 | "Error: clone: Operation not permitted" |
33 | } | 33 | } |
34 | after 100 | 34 | after 200 |
35 | 35 | ||
36 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r" | 36 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r" |
37 | expect { | 37 | expect { |
@@ -42,7 +42,7 @@ expect { | |||
42 | timeout {puts "TESTING ERROR 5\n";exit} | 42 | timeout {puts "TESTING ERROR 5\n";exit} |
43 | "Error: clone: Operation not permitted" | 43 | "Error: clone: Operation not permitted" |
44 | } | 44 | } |
45 | after 100 | 45 | after 200 |
46 | 46 | ||
47 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" | 47 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" |
48 | expect { | 48 | expect { |
@@ -53,9 +53,9 @@ expect { | |||
53 | timeout {puts "TESTING ERROR 7\n";exit} | 53 | timeout {puts "TESTING ERROR 7\n";exit} |
54 | "Error: clone: Operation not permitted" | 54 | "Error: clone: Operation not permitted" |
55 | } | 55 | } |
56 | after 100 | 56 | after 200 |
57 | 57 | ||
58 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r" | 58 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup,user\r" |
59 | expect { | 59 | expect { |
60 | timeout {puts "TESTING ERROR 8\n";exit} | 60 | timeout {puts "TESTING ERROR 8\n";exit} |
61 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 61 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -64,9 +64,9 @@ expect { | |||
64 | timeout {puts "TESTING ERROR 9\n";exit} | 64 | timeout {puts "TESTING ERROR 9\n";exit} |
65 | "Error: clone: Operation not permitted" | 65 | "Error: clone: Operation not permitted" |
66 | } | 66 | } |
67 | after 100 | 67 | after 200 |
68 | 68 | ||
69 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r" | 69 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc,user\r" |
70 | expect { | 70 | expect { |
71 | timeout {puts "TESTING ERROR 10\n";exit} | 71 | timeout {puts "TESTING ERROR 10\n";exit} |
72 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 72 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -75,9 +75,9 @@ expect { | |||
75 | timeout {puts "TESTING ERROR 11\n";exit} | 75 | timeout {puts "TESTING ERROR 11\n";exit} |
76 | "Error: clone: Operation not permitted" | 76 | "Error: clone: Operation not permitted" |
77 | } | 77 | } |
78 | after 100 | 78 | after 200 |
79 | 79 | ||
80 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r" | 80 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,user,uts\r" |
81 | expect { | 81 | expect { |
82 | timeout {puts "TESTING ERROR 12\n";exit} | 82 | timeout {puts "TESTING ERROR 12\n";exit} |
83 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 83 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -86,7 +86,7 @@ expect { | |||
86 | timeout {puts "TESTING ERROR 13\n";exit} | 86 | timeout {puts "TESTING ERROR 13\n";exit} |
87 | "clone successful" | 87 | "clone successful" |
88 | } | 88 | } |
89 | after 100 | 89 | after 200 |
90 | 90 | ||
91 | # | 91 | # |
92 | # unshare | 92 | # unshare |
@@ -101,7 +101,7 @@ expect { | |||
101 | timeout {puts "TESTING ERROR 15\n";exit} | 101 | timeout {puts "TESTING ERROR 15\n";exit} |
102 | "unshare successful" | 102 | "unshare successful" |
103 | } | 103 | } |
104 | after 100 | 104 | after 200 |
105 | 105 | ||
106 | send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r" | 106 | send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r" |
107 | expect { | 107 | expect { |
@@ -112,7 +112,7 @@ expect { | |||
112 | timeout {puts "TESTING ERROR 17\n";exit} | 112 | timeout {puts "TESTING ERROR 17\n";exit} |
113 | "Error: unshare: Operation not permitted" | 113 | "Error: unshare: Operation not permitted" |
114 | } | 114 | } |
115 | after 100 | 115 | after 200 |
116 | 116 | ||
117 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r" | 117 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r" |
118 | expect { | 118 | expect { |
@@ -123,7 +123,7 @@ expect { | |||
123 | timeout {puts "TESTING ERROR 19\n";exit} | 123 | timeout {puts "TESTING ERROR 19\n";exit} |
124 | "Error: unshare: Operation not permitted" | 124 | "Error: unshare: Operation not permitted" |
125 | } | 125 | } |
126 | after 100 | 126 | after 200 |
127 | 127 | ||
128 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" | 128 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" |
129 | expect { | 129 | expect { |
@@ -134,9 +134,9 @@ expect { | |||
134 | timeout {puts "TESTING ERROR 21\n";exit} | 134 | timeout {puts "TESTING ERROR 21\n";exit} |
135 | "Error: unshare: Operation not permitted" | 135 | "Error: unshare: Operation not permitted" |
136 | } | 136 | } |
137 | after 100 | 137 | after 200 |
138 | 138 | ||
139 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r" | 139 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup,user\r" |
140 | expect { | 140 | expect { |
141 | timeout {puts "TESTING ERROR 22\n";exit} | 141 | timeout {puts "TESTING ERROR 22\n";exit} |
142 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 142 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -145,9 +145,9 @@ expect { | |||
145 | timeout {puts "TESTING ERROR 23\n";exit} | 145 | timeout {puts "TESTING ERROR 23\n";exit} |
146 | "Error: unshare: Operation not permitted" | 146 | "Error: unshare: Operation not permitted" |
147 | } | 147 | } |
148 | after 100 | 148 | after 200 |
149 | 149 | ||
150 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r" | 150 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc,user\r" |
151 | expect { | 151 | expect { |
152 | timeout {puts "TESTING ERROR 24\n";exit} | 152 | timeout {puts "TESTING ERROR 24\n";exit} |
153 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 153 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -156,9 +156,9 @@ expect { | |||
156 | timeout {puts "TESTING ERROR 25\n";exit} | 156 | timeout {puts "TESTING ERROR 25\n";exit} |
157 | "Error: unshare: Operation not permitted" | 157 | "Error: unshare: Operation not permitted" |
158 | } | 158 | } |
159 | after 100 | 159 | after 200 |
160 | 160 | ||
161 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r" | 161 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,user,uts\r" |
162 | expect { | 162 | expect { |
163 | timeout {puts "TESTING ERROR 26\n";exit} | 163 | timeout {puts "TESTING ERROR 26\n";exit} |
164 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 164 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -167,7 +167,47 @@ expect { | |||
167 | timeout {puts "TESTING ERROR 27\n";exit} | 167 | timeout {puts "TESTING ERROR 27\n";exit} |
168 | "unshare successful" | 168 | "unshare successful" |
169 | } | 169 | } |
170 | after 200 | ||
170 | 171 | ||
171 | 172 | ||
172 | after 100 | 173 | # |
174 | # clone3 | ||
175 | # | ||
176 | |||
177 | send -- "firejail --noprofile ./namespaces clone3 cgroup,ipc,mnt,net,pid,user,uts\r" | ||
178 | expect { | ||
179 | timeout {puts "TESTING ERROR 28\n";exit} | ||
180 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
181 | } | ||
182 | expect { | ||
183 | timeout {puts "TESTING ERROR 29\n";exit} | ||
184 | "Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"} | ||
185 | "clone3 successful" { | ||
186 | after 200 | ||
187 | |||
188 | send -- "firejail --noprofile --restrict-namespaces ./namespaces clone3 user\r" | ||
189 | expect { | ||
190 | timeout {puts "TESTING ERROR 30\n";exit} | ||
191 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
192 | } | ||
193 | expect { | ||
194 | timeout {puts "TESTING ERROR 31\n";exit} | ||
195 | "Error: clone3: Function not implemented" | ||
196 | } | ||
197 | after 200 | ||
198 | |||
199 | # clone3 arguments are not checked | ||
200 | send -- "firejail --noprofile --restrict-namespaces=mnt ./namespaces clone3 cgroup,ipc,net,pid,user,uts\r" | ||
201 | expect { | ||
202 | timeout {puts "TESTING ERROR 32\n";exit} | ||
203 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
204 | } | ||
205 | expect { | ||
206 | timeout {puts "TESTING ERROR 33\n";exit} | ||
207 | "Error: clone3: Function not implemented" | ||
208 | } | ||
209 | } | ||
210 | } | ||
211 | |||
212 | after 200 | ||
173 | puts "\nall done\n" | 213 | puts "\nall done\n" |