38 files changed, 336 insertions, 192 deletions
@@ -34,7 +34,7 @@ FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/ | |||
34 | ````` | 34 | ````` |
35 | 35 | ||
36 | ````` | 36 | ````` |
37 | # Current development version: 0.9.39 | 37 | # Current development version: 0.9.40-rc2 |
38 | Version 0.9.40-rc1 released! | 38 | Version 0.9.40-rc1 released! |
39 | 39 | ||
40 | ## X11 sandboxing support | 40 | ## X11 sandboxing support |
@@ -1,6 +1,6 @@ | |||
1 | #! /bin/sh | 1 | #! /bin/sh |
2 | # Guess values for system-dependent variables and create Makefiles. | 2 | # Guess values for system-dependent variables and create Makefiles. |
3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.40-rc1. | 3 | # Generated by GNU Autoconf 2.69 for firejail 0.9.40-rc2. |
4 | # | 4 | # |
5 | # Report bugs to <netblue30@yahoo.com>. | 5 | # Report bugs to <netblue30@yahoo.com>. |
6 | # | 6 | # |
@@ -580,8 +580,8 @@ MAKEFLAGS= | |||
580 | # Identity of this package. | 580 | # Identity of this package. |
581 | PACKAGE_NAME='firejail' | 581 | PACKAGE_NAME='firejail' |
582 | PACKAGE_TARNAME='firejail' | 582 | PACKAGE_TARNAME='firejail' |
583 | PACKAGE_VERSION='0.9.40-rc1' | 583 | PACKAGE_VERSION='0.9.40-rc2' |
584 | PACKAGE_STRING='firejail 0.9.40-rc1' | 584 | PACKAGE_STRING='firejail 0.9.40-rc2' |
585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' | 585 | PACKAGE_BUGREPORT='netblue30@yahoo.com' |
586 | PACKAGE_URL='http://firejail.wordpress.com' | 586 | PACKAGE_URL='http://firejail.wordpress.com' |
587 | 587 | ||
@@ -1246,7 +1246,7 @@ if test "$ac_init_help" = "long"; then | |||
1246 | # Omit some internal or obsolete options to make the list less imposing. | 1246 | # Omit some internal or obsolete options to make the list less imposing. |
1247 | # This message is too long to be a string in the A/UX 3.1 sh. | 1247 | # This message is too long to be a string in the A/UX 3.1 sh. |
1248 | cat <<_ACEOF | 1248 | cat <<_ACEOF |
1249 | \`configure' configures firejail 0.9.40-rc1 to adapt to many kinds of systems. | 1249 | \`configure' configures firejail 0.9.40-rc2 to adapt to many kinds of systems. |
1250 | 1250 | ||
1251 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1251 | Usage: $0 [OPTION]... [VAR=VALUE]... |
1252 | 1252 | ||
@@ -1307,7 +1307,7 @@ fi | |||
1307 | 1307 | ||
1308 | if test -n "$ac_init_help"; then | 1308 | if test -n "$ac_init_help"; then |
1309 | case $ac_init_help in | 1309 | case $ac_init_help in |
1310 | short | recursive ) echo "Configuration of firejail 0.9.40-rc1:";; | 1310 | short | recursive ) echo "Configuration of firejail 0.9.40-rc2:";; |
1311 | esac | 1311 | esac |
1312 | cat <<\_ACEOF | 1312 | cat <<\_ACEOF |
1313 | 1313 | ||
@@ -1403,7 +1403,7 @@ fi | |||
1403 | test -n "$ac_init_help" && exit $ac_status | 1403 | test -n "$ac_init_help" && exit $ac_status |
1404 | if $ac_init_version; then | 1404 | if $ac_init_version; then |
1405 | cat <<\_ACEOF | 1405 | cat <<\_ACEOF |
1406 | firejail configure 0.9.40-rc1 | 1406 | firejail configure 0.9.40-rc2 |
1407 | generated by GNU Autoconf 2.69 | 1407 | generated by GNU Autoconf 2.69 |
1408 | 1408 | ||
1409 | Copyright (C) 2012 Free Software Foundation, Inc. | 1409 | Copyright (C) 2012 Free Software Foundation, Inc. |
@@ -1705,7 +1705,7 @@ cat >config.log <<_ACEOF | |||
1705 | This file contains any messages produced by compilers while | 1705 | This file contains any messages produced by compilers while |
1706 | running configure, to aid debugging if configure makes a mistake. | 1706 | running configure, to aid debugging if configure makes a mistake. |
1707 | 1707 | ||
1708 | It was created by firejail $as_me 0.9.40-rc1, which was | 1708 | It was created by firejail $as_me 0.9.40-rc2, which was |
1709 | generated by GNU Autoconf 2.69. Invocation command line was | 1709 | generated by GNU Autoconf 2.69. Invocation command line was |
1710 | 1710 | ||
1711 | $ $0 $@ | 1711 | $ $0 $@ |
@@ -4184,7 +4184,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
4184 | # report actual input values of CONFIG_FILES etc. instead of their | 4184 | # report actual input values of CONFIG_FILES etc. instead of their |
4185 | # values after options handling. | 4185 | # values after options handling. |
4186 | ac_log=" | 4186 | ac_log=" |
4187 | This file was extended by firejail $as_me 0.9.40-rc1, which was | 4187 | This file was extended by firejail $as_me 0.9.40-rc2, which was |
4188 | generated by GNU Autoconf 2.69. Invocation command line was | 4188 | generated by GNU Autoconf 2.69. Invocation command line was |
4189 | 4189 | ||
4190 | CONFIG_FILES = $CONFIG_FILES | 4190 | CONFIG_FILES = $CONFIG_FILES |
@@ -4238,7 +4238,7 @@ _ACEOF | |||
4238 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 4238 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4239 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | 4239 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" |
4240 | ac_cs_version="\\ | 4240 | ac_cs_version="\\ |
4241 | firejail config.status 0.9.40-rc1 | 4241 | firejail config.status 0.9.40-rc2 |
4242 | configured by $0, generated by GNU Autoconf 2.69, | 4242 | configured by $0, generated by GNU Autoconf 2.69, |
4243 | with options \\"\$ac_cs_config\\" | 4243 | with options \\"\$ac_cs_config\\" |
4244 | 4244 | ||
diff --git a/configure.ac b/configure.ac index 9a57ea774..a4486b3ff 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,5 +1,5 @@ | |||
1 | AC_PREREQ([2.68]) | 1 | AC_PREREQ([2.68]) |
2 | AC_INIT(firejail, 0.9.40-rc1, netblue30@yahoo.com, , http://firejail.wordpress.com) | 2 | AC_INIT(firejail, 0.9.40-rc2, netblue30@yahoo.com, , http://firejail.wordpress.com) |
3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) | 3 | AC_CONFIG_SRCDIR([src/firejail/main.c]) |
4 | #AC_CONFIG_HEADERS([config.h]) | 4 | #AC_CONFIG_HEADERS([config.h]) |
5 | 5 | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index f01d3e8fa..c066d5aab 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -1,4 +1,4 @@ | |||
1 | # /etc/firejail/firecfg.config - firecfg utility configuration file | 1 | # /usr/lib/firejail/firecfg.config - firecfg utility configuration file |
2 | # This is the list of programs handled by firecfg utility | 2 | # This is the list of programs handled by firecfg utility |
3 | # | 3 | # |
4 | 4 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d58c6291d..e50b22b4e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -264,6 +264,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child); | |||
264 | void net_check_cfg(void); | 264 | void net_check_cfg(void); |
265 | void net_dns_print_name(const char *name); | 265 | void net_dns_print_name(const char *name); |
266 | void net_dns_print(pid_t pid); | 266 | void net_dns_print(pid_t pid); |
267 | void network_main(pid_t child); | ||
267 | 268 | ||
268 | // network.c | 269 | // network.c |
269 | void net_if_up(const char *ifname); | 270 | void net_if_up(const char *ifname); |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 251260091..98e140ce4 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -201,7 +201,9 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
201 | extract_command(argc, argv, index); | 201 | extract_command(argc, argv, index); |
202 | 202 | ||
203 | // if the pid is that of a firejail process, use the pid of the first child process | 203 | // if the pid is that of a firejail process, use the pid of the first child process |
204 | EUID_ROOT(); | ||
204 | char *comm = pid_proc_comm(pid); | 205 | char *comm = pid_proc_comm(pid); |
206 | EUID_USER(); | ||
205 | if (comm) { | 207 | if (comm) { |
206 | if (strcmp(comm, "firejail") == 0) { | 208 | if (strcmp(comm, "firejail") == 0) { |
207 | pid_t child; | 209 | pid_t child; |
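Review bot: The EUID_ROOT()/EUID_USER() bracket around pid_proc_comm() is now repeated at the call sites, here and in shutdown.c (new-side lines 47–49), while the same commit makes pid_get_uid() and find_child() in util.c raise and drop privileges internally; two conventions for the same helper family means the next caller of pid_proc_comm() will likely forget the bracket. Moving the elevation inside pid_proc_comm() with a comment such as `// reads /proc/<pid>/comm as EUID root: under grsecurity other users' /proc entries are hidden` would match util.c and keep the elevated window as small as the helper itself. join()'s body continues outside the hunk.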
diff --git a/src/firejail/list.c b/src/firejail/list.c index 676df6a14..e6f0cc7ac 100644 --- a/src/firejail/list.c +++ b/src/firejail/list.c | |||
@@ -18,9 +18,25 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "firejail.h" | 20 | #include "firejail.h" |
21 | #include <sys/types.h> | ||
22 | #include <sys/stat.h> | ||
23 | |||
24 | void static grsec_elevate_privileges(void) { | ||
25 | struct stat s; | ||
26 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
27 | EUID_ROOT(); | ||
28 | |||
29 | // elevate privileges | ||
30 | if (setreuid(0, 0)) | ||
31 | errExit("setreuid"); | ||
32 | if (setregid(0, 0)) | ||
33 | errExit("setregid"); | ||
34 | } | ||
35 | } | ||
21 | 36 | ||
22 | void top(void) { | 37 | void top(void) { |
23 | EUID_ASSERT(); | 38 | EUID_ASSERT(); |
39 | grsec_elevate_privileges(); | ||
24 | 40 | ||
25 | char *arg[4]; | 41 | char *arg[4]; |
26 | arg[0] = "bash"; | 42 | arg[0] = "bash"; |
@@ -32,6 +48,7 @@ void top(void) { | |||
32 | 48 | ||
33 | void netstats(void) { | 49 | void netstats(void) { |
34 | EUID_ASSERT(); | 50 | EUID_ASSERT(); |
51 | grsec_elevate_privileges(); | ||
35 | 52 | ||
36 | char *arg[4]; | 53 | char *arg[4]; |
37 | arg[0] = "bash"; | 54 | arg[0] = "bash"; |
@@ -43,6 +60,7 @@ void netstats(void) { | |||
43 | 60 | ||
44 | void list(void) { | 61 | void list(void) { |
45 | EUID_ASSERT(); | 62 | EUID_ASSERT(); |
63 | grsec_elevate_privileges(); | ||
46 | 64 | ||
47 | char *arg[4]; | 65 | char *arg[4]; |
48 | arg[0] = "bash"; | 66 | arg[0] = "bash"; |
@@ -54,6 +72,7 @@ void list(void) { | |||
54 | 72 | ||
55 | void tree(void) { | 73 | void tree(void) { |
56 | EUID_ASSERT(); | 74 | EUID_ASSERT(); |
75 | grsec_elevate_privileges(); | ||
57 | 76 | ||
58 | char *arg[4]; | 77 | char *arg[4]; |
59 | arg[0] = "bash"; | 78 | arg[0] = "bash"; |
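Review bot: grsec_elevate_privileges() makes the elevation permanent — setreuid(0, 0) sets the real uid too, and nothing lowers it before top()/netstats()/list()/tree() exec a bash script (`arg[0] = "bash"`), so on a grsecurity kernel the helper script runs as full root rather than under the EUID_ROOT()/EUID_USER() discipline the rest of the file uses. If that is intended, state it at the function: `// grsecurity hides other users' /proc entries even from euid 0; switch the real uid to root for the helper script, which execs and never returns here`. The gate should also confirm the path is a directory, `if (stat("/proc/sys/kernel/grsecurity", &s) == 0 && S_ISDIR(s.st_mode))`, and `void static` reads better as the conventional `static void`. The tails of top(), netstats(), list() and tree() are outside their hunks.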
diff --git a/src/firejail/main.c b/src/firejail/main.c index 24efae814..e86aa85ac 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -174,9 +174,11 @@ static void init_cfg(int argc, char **argv) { | |||
174 | cfg.bridge3.devsandbox = "eth3"; | 174 | cfg.bridge3.devsandbox = "eth3"; |
175 | 175 | ||
176 | // extract user data | 176 | // extract user data |
177 | EUID_ROOT(); // rise permissions for grsecurity | ||
177 | struct passwd *pw = getpwuid(getuid()); | 178 | struct passwd *pw = getpwuid(getuid()); |
178 | if (!pw) | 179 | if (!pw) |
179 | errExit("getpwuid"); | 180 | errExit("getpwuid"); |
181 | EUID_USER(); | ||
180 | cfg.username = strdup(pw->pw_name); | 182 | cfg.username = strdup(pw->pw_name); |
181 | if (!cfg.username) | 183 | if (!cfg.username) |
182 | errExit("strdup"); | 184 | errExit("strdup"); |
@@ -701,7 +703,9 @@ int main(int argc, char **argv) { | |||
701 | run_symlink(argc, argv); | 703 | run_symlink(argc, argv); |
702 | 704 | ||
703 | // check if we already have a sandbox running | 705 | // check if we already have a sandbox running |
706 | EUID_ROOT(); | ||
704 | int rv = check_kernel_procs(); | 707 | int rv = check_kernel_procs(); |
708 | EUID_USER(); | ||
705 | if (rv == 0) { | 709 | if (rv == 0) { |
706 | // if --force option is passed to the program, disregard the existing sandbox | 710 | // if --force option is passed to the program, disregard the existing sandbox |
707 | int found = 0; | 711 | int found = 0; |
@@ -1961,54 +1965,27 @@ int main(int argc, char **argv) { | |||
1961 | printf("The new log directory is /proc/%d/root/var/log\n", child); | 1965 | printf("The new log directory is /proc/%d/root/var/log\n", child); |
1962 | } | 1966 | } |
1963 | 1967 | ||
1964 | |||
1965 | EUID_ROOT(); | ||
1966 | if (!arg_nonetwork) { | 1968 | if (!arg_nonetwork) { |
1967 | // create veth pair or macvlan device | 1969 | EUID_ROOT(); |
1968 | if (cfg.bridge0.configured) { | 1970 | pid_t net_child = fork(); |
1969 | if (cfg.bridge0.macvlan == 0) { | 1971 | if (net_child < 0) |
1970 | net_configure_veth_pair(&cfg.bridge0, "eth0", child); | 1972 | errExit("fork"); |
1971 | } | 1973 | if (net_child == 0) { |
1972 | else | 1974 | // elevate privileges in order to get grsecurity working |
1973 | net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); | 1975 | if (setreuid(0, 0)) |
1974 | } | 1976 | errExit("setreuid"); |
1975 | 1977 | if (setregid(0, 0)) | |
1976 | if (cfg.bridge1.configured) { | 1978 | errExit("setregid"); |
1977 | if (cfg.bridge1.macvlan == 0) | 1979 | network_main(child); |
1978 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); | 1980 | if (arg_debug) |
1979 | else | 1981 | printf("Host network configured\n"); |
1980 | net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); | 1982 | exit(0); |
1981 | } | ||
1982 | |||
1983 | if (cfg.bridge2.configured) { | ||
1984 | if (cfg.bridge2.macvlan == 0) | ||
1985 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); | ||
1986 | else | ||
1987 | net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); | ||
1988 | } | ||
1989 | |||
1990 | if (cfg.bridge3.configured) { | ||
1991 | if (cfg.bridge3.macvlan == 0) | ||
1992 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); | ||
1993 | else | ||
1994 | net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); | ||
1995 | } | ||
1996 | |||
1997 | // move interfaces in sandbox | ||
1998 | if (cfg.interface0.configured) { | ||
1999 | net_move_interface(cfg.interface0.dev, child); | ||
2000 | } | ||
2001 | if (cfg.interface1.configured) { | ||
2002 | net_move_interface(cfg.interface1.dev, child); | ||
2003 | } | ||
2004 | if (cfg.interface2.configured) { | ||
2005 | net_move_interface(cfg.interface2.dev, child); | ||
2006 | } | ||
2007 | if (cfg.interface3.configured) { | ||
2008 | net_move_interface(cfg.interface3.dev, child); | ||
2009 | } | 1983 | } |
1984 | |||
1985 | // wait for the child to finish | ||
1986 | waitpid(net_child, NULL, 0); | ||
1987 | EUID_USER(); | ||
2010 | } | 1988 | } |
2011 | EUID_USER(); | ||
2012 | 1989 | ||
2013 | // close each end of the unused pipes | 1990 | // close each end of the unused pipes |
2014 | close(parent_to_child_fds[0]); | 1991 | close(parent_to_child_fds[0]); |
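Review bot: `waitpid(net_child, NULL, 0)` discards the child's exit status, so when network_main() fails the parent no longer stops as it did when this code ran inline before the commit; the sandbox would start without its veth/macvlan devices and nothing reports why. Collect the status and bail out: `int status; if (waitpid(net_child, &status, 0) < 0) errExit("waitpid");` followed by `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) { fprintf(stderr, "Error: cannot configure host network\n"); exit(1); }`. The setreuid(0, 0)/setregid(0, 0) in the child are permanent, but the child only runs network_main() and exit(0), so the real-uid switch is contained; a one-line comment saying that the switch is confined to this short-lived child would save the next reader the analysis. main() continues on both sides of the hunk.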
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index 4a5499699..71abfb53d 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -139,7 +139,6 @@ void netfilter(const char *fname) { | |||
139 | exit(1); | 139 | exit(1); |
140 | } | 140 | } |
141 | dup2(fd,STDIN_FILENO); | 141 | dup2(fd,STDIN_FILENO); |
142 | close(fd); | ||
143 | 142 | ||
144 | // wipe out environment variables | 143 | // wipe out environment variables |
145 | environ = NULL; | 144 | environ = NULL; |
@@ -155,6 +154,11 @@ void netfilter(const char *fname) { | |||
155 | if (child < 0) | 154 | if (child < 0) |
156 | errExit("fork"); | 155 | errExit("fork"); |
157 | if (child == 0) { | 156 | if (child == 0) { |
157 | // elevate privileges in order to get grsecurity working | ||
158 | if (setreuid(0, 0)) | ||
159 | errExit("setreuid"); | ||
160 | if (setregid(0, 0)) | ||
161 | errExit("setregid"); | ||
158 | environ = NULL; | 162 | environ = NULL; |
159 | execl(iptables, iptables, "-vL", NULL); | 163 | execl(iptables, iptables, "-vL", NULL); |
160 | // it will never get here!!! | 164 | // it will never get here!!! |
@@ -246,7 +250,6 @@ void netfilter6(const char *fname) { | |||
246 | exit(1); | 250 | exit(1); |
247 | } | 251 | } |
248 | dup2(fd,STDIN_FILENO); | 252 | dup2(fd,STDIN_FILENO); |
249 | close(fd); | ||
250 | 253 | ||
251 | // wipe out environment variables | 254 | // wipe out environment variables |
252 | environ = NULL; | 255 | environ = NULL; |
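Review bot: Dropping `close(fd)` after `dup2(fd, STDIN_FILENO)` — here in netfilter6() and in the first netfilter() hunk — leaks the rules-file descriptor into the exec'd iptables process. If the motivation was that fd can itself be 0 when stdin was closed at startup, in which case the old close() shut the freshly installed stdin, the fix is the guard `if (fd != STDIN_FILENO) close(fd);` rather than removing the close. In the `-vL` child the new setreuid(0, 0)/setregid(0, 0) make the real uid root before execl(); that child is a display helper that never returns to user code, which a short comment at the setreuid() line should say. netfilter() and netfilter6() both continue outside their hunks.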
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 3fb79b9f4..80f3bd579 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -212,7 +212,10 @@ void net_check_cfg(void) { | |||
212 | // first network is a mac device | 212 | // first network is a mac device |
213 | else { | 213 | else { |
214 | // get the host default gw | 214 | // get the host default gw |
215 | EUID_ROOT(); // rise permissions for grsecurity | ||
216 | // Error fopen:network_get_defaultgw(479): Permission denied | ||
215 | uint32_t gw = network_get_defaultgw(); | 217 | uint32_t gw = network_get_defaultgw(); |
218 | EUID_USER(); | ||
216 | // check the gateway is network range | 219 | // check the gateway is network range |
217 | if (in_netrange(gw, cfg.bridge0.ip, cfg.bridge0.mask)) | 220 | if (in_netrange(gw, cfg.bridge0.ip, cfg.bridge0.mask)) |
218 | gw = 0; | 221 | gw = 0; |
@@ -275,3 +278,49 @@ void net_dns_print(pid_t pid) { | |||
275 | free(fname); | 278 | free(fname); |
276 | exit(0); | 279 | exit(0); |
277 | } | 280 | } |
281 | |||
282 | void network_main(pid_t child) { | ||
283 | // create veth pair or macvlan device | ||
284 | if (cfg.bridge0.configured) { | ||
285 | if (cfg.bridge0.macvlan == 0) { | ||
286 | net_configure_veth_pair(&cfg.bridge0, "eth0", child); | ||
287 | } | ||
288 | else | ||
289 | net_create_macvlan(cfg.bridge0.devsandbox, cfg.bridge0.dev, child); | ||
290 | } | ||
291 | |||
292 | if (cfg.bridge1.configured) { | ||
293 | if (cfg.bridge1.macvlan == 0) | ||
294 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); | ||
295 | else | ||
296 | net_create_macvlan(cfg.bridge1.devsandbox, cfg.bridge1.dev, child); | ||
297 | } | ||
298 | |||
299 | if (cfg.bridge2.configured) { | ||
300 | if (cfg.bridge2.macvlan == 0) | ||
301 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); | ||
302 | else | ||
303 | net_create_macvlan(cfg.bridge2.devsandbox, cfg.bridge2.dev, child); | ||
304 | } | ||
305 | |||
306 | if (cfg.bridge3.configured) { | ||
307 | if (cfg.bridge3.macvlan == 0) | ||
308 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); | ||
309 | else | ||
310 | net_create_macvlan(cfg.bridge3.devsandbox, cfg.bridge3.dev, child); | ||
311 | } | ||
312 | |||
313 | // move interfaces in sandbox | ||
314 | if (cfg.interface0.configured) { | ||
315 | net_move_interface(cfg.interface0.dev, child); | ||
316 | } | ||
317 | if (cfg.interface1.configured) { | ||
318 | net_move_interface(cfg.interface1.dev, child); | ||
319 | } | ||
320 | if (cfg.interface2.configured) { | ||
321 | net_move_interface(cfg.interface2.dev, child); | ||
322 | } | ||
323 | if (cfg.interface3.configured) { | ||
324 | net_move_interface(cfg.interface3.dev, child); | ||
325 | } | ||
326 | } | ||
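Review bot: network_main() repeats the same configured/macvlan branch four times for cfg.bridge0..bridge3 (bridge0 already differs cosmetically with its braces) and the move four times for cfg.interface0..3; a small pointer table turns the bridge part into one loop so the copies cannot drift apart. In net_check_cfg() the inserted line `// Error fopen:network_get_defaultgw(479): Permission denied` is a pasted error message; replace it with the reason, `// grsecurity hides the routing table from unprivileged users; read the gateway as root`. network_main() runs in the child that main.c forks and switches to real uid 0, and has no EUID_ASSERT of its own, which is worth stating in a header comment so it is not called from the unprivileged path by mistake.
```c
void network_main(pid_t child) {
	// called only from the forked child that main.c switches to real uid 0
	Bridge *bridges[] = { &cfg.bridge0, &cfg.bridge1, &cfg.bridge2, &cfg.bridge3 };
	const char *ifnames[] = { "eth0", "eth1", "eth2", "eth3" };

	// create veth pair or macvlan device
	for (size_t i = 0; i < sizeof(bridges) / sizeof(bridges[0]); i++) {
		Bridge *br = bridges[i];
		if (!br->configured)
			continue;
		if (br->macvlan == 0)
			net_configure_veth_pair(br, ifnames[i], child);
		else
			net_create_macvlan(br->devsandbox, br->dev, child);
	}

	// … unchanged: move interface0..3 into the sandbox …
}
```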
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 9f9ace527..a9242f035 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -26,8 +26,10 @@ | |||
26 | // check process space for kernel processes | 26 | // check process space for kernel processes |
27 | // return 1 if found, 0 if not found | 27 | // return 1 if found, 0 if not found |
28 | int check_kernel_procs(void) { | 28 | int check_kernel_procs(void) { |
29 | EUID_ASSERT(); | 29 | // we run this function with EUID set in order to detect grsecurity |
30 | 30 | // only user processes are available in /proc when running grsecurity | |
31 | // EUID_ASSERT(); | ||
32 | |||
31 | char *kern_proc[] = { | 33 | char *kern_proc[] = { |
32 | "kthreadd", | 34 | "kthreadd", |
33 | "ksoftirqd", | 35 | "ksoftirqd", |
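Review bot: The commented-out `// EUID_ASSERT();` leaves dead code where a precondition used to be enforced; check_kernel_procs() now silently depends on its caller having done EUID_ROOT() (main.c does, in this commit), and a future caller on the unprivileged path would get a wrong "no sandbox" answer under grsecurity with no diagnostic. Delete the commented line and state the contract where a caller will see it, e.g. `// precondition: caller holds EUID root; under grsecurity /proc lists only the caller's own processes, so an unprivileged scan misses the kernel threads`. The phrase `with EUID set` in the new comment is ambiguous — `as EUID root` is what is meant. The function continues outside the hunk.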
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index 3671901d0..b7ef48c8d 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
@@ -44,7 +44,9 @@ void shut(pid_t pid) { | |||
44 | 44 | ||
45 | pid_t parent = pid; | 45 | pid_t parent = pid; |
46 | // if the pid is that of a firejail process, use the pid of a child process inside the sandbox | 46 | // if the pid is that of a firejail process, use the pid of a child process inside the sandbox |
47 | EUID_ROOT(); | ||
47 | char *comm = pid_proc_comm(pid); | 48 | char *comm = pid_proc_comm(pid); |
49 | EUID_USER(); | ||
48 | if (comm) { | 50 | if (comm) { |
49 | if (strcmp(comm, "firejail") == 0) { | 51 | if (strcmp(comm, "firejail") == 0) { |
50 | pid_t child; | 52 | pid_t child; |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 1fa60bb4d..da73bbfd5 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -346,6 +346,7 @@ int find_child(pid_t parent, pid_t *child) { | |||
346 | *child = 0; // use it to flag a found child | 346 | *child = 0; // use it to flag a found child |
347 | 347 | ||
348 | DIR *dir; | 348 | DIR *dir; |
349 | EUID_ROOT(); // grsecurity fix | ||
349 | if (!(dir = opendir("/proc"))) { | 350 | if (!(dir = opendir("/proc"))) { |
350 | // sleep 2 seconds and try again | 351 | // sleep 2 seconds and try again |
351 | sleep(2); | 352 | sleep(2); |
@@ -397,7 +398,7 @@ int find_child(pid_t parent, pid_t *child) { | |||
397 | free(file); | 398 | free(file); |
398 | } | 399 | } |
399 | closedir(dir); | 400 | closedir(dir); |
400 | 401 | EUID_USER(); | |
401 | return (*child)? 0:1; // 0 = found, 1 = not found | 402 | return (*child)? 0:1; // 0 = found, 1 = not found |
402 | } | 403 | } |
403 | 404 | ||
@@ -576,6 +577,7 @@ uid_t pid_get_uid(pid_t pid) { | |||
576 | perror("asprintf"); | 577 | perror("asprintf"); |
577 | exit(1); | 578 | exit(1); |
578 | } | 579 | } |
580 | EUID_ROOT(); // grsecurity fix | ||
579 | FILE *fp = fopen(file, "r"); | 581 | FILE *fp = fopen(file, "r"); |
580 | if (!fp) { | 582 | if (!fp) { |
581 | free(file); | 583 | free(file); |
@@ -602,6 +604,7 @@ uid_t pid_get_uid(pid_t pid) { | |||
602 | 604 | ||
603 | fclose(fp); | 605 | fclose(fp); |
604 | free(file); | 606 | free(file); |
607 | EUID_USER(); // grsecurity fix | ||
605 | 608 | ||
606 | if (rv == 0) { | 609 | if (rv == 0) { |
607 | fprintf(stderr, "Error: cannot read /proc file\n"); | 610 | fprintf(stderr, "Error: cannot read /proc file\n"); |
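Review bot: pid_get_uid() raises to EUID root before fopen(), but the `if (!fp) { free(file); …` branch that follows is cut off by the hunk; if that branch returns rather than exits, it leaves the process running as effective root for the rest of the call chain, so add `EUID_USER();` there before its return. find_child() has the same shape: EUID_USER() is reached only after closedir(), so an early return on the opendir() retry path (outside the hunk) would likewise keep root. The `// grsecurity fix` comments would be more useful if they named the reason, e.g. `// grsecurity: /proc/<pid>/status of other users' processes is readable only as root`. Both functions extend beyond their hunks.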
diff --git a/test/4bridges_arp.exp b/test/4bridges_arp.exp index 3004082e6..6a3e6db2a 100755 --- a/test/4bridges_arp.exp +++ b/test/4bridges_arp.exp | |||
@@ -115,7 +115,7 @@ sleep 2 | |||
115 | 115 | ||
116 | 116 | ||
117 | # check loopback | 117 | # check loopback |
118 | send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r" | 118 | send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3 --protocol=unix,inet,netlink\r" |
119 | expect { | 119 | expect { |
120 | timeout {puts "TESTING ERROR 5\n";exit} | 120 | timeout {puts "TESTING ERROR 5\n";exit} |
121 | "lo" | 121 | "lo" |
@@ -136,40 +136,35 @@ expect { | |||
136 | timeout {puts "TESTING ERROR 9\n";exit} | 136 | timeout {puts "TESTING ERROR 9\n";exit} |
137 | "Child process initialized" | 137 | "Child process initialized" |
138 | } | 138 | } |
139 | sleep 1 | ||
139 | 140 | ||
140 | # check default gateway | 141 | # check default gateway |
141 | send -- "bash\r" | 142 | send -- "ip route show\r" |
142 | sleep 1 | ||
143 | send -- "netstat -rn;pwd\r" | ||
144 | expect { | 143 | expect { |
145 | timeout {puts "TESTING ERROR 10.1\n";exit} | 144 | timeout {puts "TESTING ERROR 10.1\n";exit} |
146 | "0.0.0.0" | 145 | "default via 10.10.20.1 dev eth0" |
147 | } | 146 | } |
147 | send -- "ip route show\r" | ||
148 | expect { | 148 | expect { |
149 | timeout {puts "TESTING ERROR 10.2\n";exit} | 149 | timeout {puts "TESTING ERROR 10.2\n";exit} |
150 | "10.10.20.1" | 150 | "10.10.20.0/29 dev eth0 proto kernel scope link" |
151 | } | ||
152 | expect { | ||
153 | timeout {puts "TESTING ERROR 10.3\n";exit} | ||
154 | "eth0" | ||
155 | } | 151 | } |
152 | send -- "ip route show\r" | ||
156 | expect { | 153 | expect { |
157 | timeout {puts "TESTING ERROR 10.4\n";exit} | 154 | timeout {puts "TESTING ERROR 10.2\n";exit} |
158 | "10.10.20.0" | 155 | "10.10.30.0/24 dev eth1 proto kernel scope link" |
159 | } | ||
160 | expect { | ||
161 | timeout {puts "TESTING ERROR 10.5\n";exit} | ||
162 | "0.0.0.0" | ||
163 | } | 156 | } |
157 | send -- "ip route show\r" | ||
164 | expect { | 158 | expect { |
165 | timeout {puts "TESTING ERROR 10.6\n";exit} | 159 | timeout {puts "TESTING ERROR 10.2\n";exit} |
166 | "eth0" | 160 | "10.10.40.0/24 dev eth2 proto kernel scope link" |
167 | } | 161 | } |
162 | send -- "ip route show\r" | ||
168 | expect { | 163 | expect { |
169 | timeout {puts "TESTING ERROR 10\n";exit} | 164 | timeout {puts "TESTING ERROR 10.2\n";exit} |
170 | "home" | 165 | "10.10.50.0/24 dev eth3 proto kernel scope link" |
171 | } | 166 | } |
172 | sleep 1 | 167 | sleep 1 |
173 | 168 | ||
174 | puts "\n" | 169 | puts "\nall done\n" |
175 | 170 | ||
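Review bot: The three new route checks at new-side lines 154, 159 and 164 all report `TESTING ERROR 10.2` on timeout, so a failing eth1, eth2 or eth3 route cannot be told apart from the eth0 check above them; the sibling 4bridges_ip.exp numbers the same checks 10.2 through 10.5. Renumber them to `TESTING ERROR 10.3`, `TESTING ERROR 10.4` and `TESTING ERROR 10.5`. Re-sending `ip route show` before each expect also looks redundant, since one invocation prints every route and successive expects consume the buffer in order; a single send followed by the four expects would be simpler, though this is inferred rather than visible here.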
diff --git a/test/4bridges_ip.exp b/test/4bridges_ip.exp index 9e37b4ff4..8068aeebb 100755 --- a/test/4bridges_ip.exp +++ b/test/4bridges_ip.exp | |||
@@ -115,7 +115,7 @@ sleep 2 | |||
115 | 115 | ||
116 | 116 | ||
117 | # check loopback | 117 | # check loopback |
118 | send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r" | 118 | send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3 --protocol=unix,inet,netlink\r" |
119 | expect { | 119 | expect { |
120 | timeout {puts "TESTING ERROR 5\n";exit} | 120 | timeout {puts "TESTING ERROR 5\n";exit} |
121 | "lo" | 121 | "lo" |
@@ -138,38 +138,37 @@ expect { | |||
138 | } | 138 | } |
139 | 139 | ||
140 | # check default gateway | 140 | # check default gateway |
141 | send -- "bash\r" | 141 | send -- "ip route show\r" |
142 | sleep 1 | ||
143 | send -- "netstat -rn;pwd\r" | ||
144 | expect { | 142 | expect { |
145 | timeout {puts "TESTING ERROR 10.1\n";exit} | 143 | timeout {puts "TESTING ERROR 10.1\n";exit} |
146 | "0.0.0.0" | 144 | "default via 10.10.20.1 dev eth0" |
147 | } | 145 | } |
146 | |||
147 | send -- "ip route show\r" | ||
148 | expect { | 148 | expect { |
149 | timeout {puts "TESTING ERROR 10.2\n";exit} | 149 | timeout {puts "TESTING ERROR 10.2\n";exit} |
150 | "10.10.20.1" | 150 | "10.10.20.0/29 dev eth0 proto kernel scope link" |
151 | } | 151 | } |
152 | |||
153 | send -- "ip route show\r" | ||
152 | expect { | 154 | expect { |
153 | timeout {puts "TESTING ERROR 10.3\n";exit} | 155 | timeout {puts "TESTING ERROR 10.3\n";exit} |
154 | "eth0" | 156 | "10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" |
155 | } | 157 | } |
158 | |||
159 | send -- "ip route show\r" | ||
156 | expect { | 160 | expect { |
157 | timeout {puts "TESTING ERROR 10.4\n";exit} | 161 | timeout {puts "TESTING ERROR 10.4\n";exit} |
158 | "10.10.20.0" | 162 | "10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" |
159 | } | 163 | } |
164 | |||
165 | send -- "ip route show\r" | ||
160 | expect { | 166 | expect { |
161 | timeout {puts "TESTING ERROR 10.5\n";exit} | 167 | timeout {puts "TESTING ERROR 10.5\n";exit} |
162 | "0.0.0.0" | 168 | "10.10.50.0/24 dev eth3 proto kernel scope link" |
163 | } | ||
164 | expect { | ||
165 | timeout {puts "TESTING ERROR 10.6\n";exit} | ||
166 | "eth0" | ||
167 | } | ||
168 | expect { | ||
169 | timeout {puts "TESTING ERROR 10\n";exit} | ||
170 | "home" | ||
171 | } | 169 | } |
170 | |||
172 | sleep 1 | 171 | sleep 1 |
173 | 172 | ||
174 | puts "\n" | 173 | puts "\nall done\n" |
175 | 174 | ||
diff --git a/test/chromium-x11.exp b/test/chromium-x11.exp index 0d8a5dfb3..bcac3233c 100755 --- a/test/chromium-x11.exp +++ b/test/chromium-x11.exp | |||
@@ -19,6 +19,13 @@ expect { | |||
19 | } | 19 | } |
20 | sleep 1 | 20 | sleep 1 |
21 | 21 | ||
22 | # grsecurity exit | ||
23 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
26 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
27 | "cannot open" {puts "grsecurity not present\n"} | ||
28 | } | ||
22 | send -- "firejail --name=blablabla\r" | 29 | send -- "firejail --name=blablabla\r" |
23 | expect { | 30 | expect { |
24 | timeout {puts "TESTING ERROR 4\n";exit} | 31 | timeout {puts "TESTING ERROR 4\n";exit} |
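Review bot: The grsecurity probe depends on the `file` utility's exact wording — `grsecurity: directory` and `cannot open` — so on a host without `file`, or one whose message is phrased differently, the test times out and reports `TESTING ERROR - grsecurity detection` instead of deciding. A shell test yields fixed tokens to match: `send -- "test -d /proc/sys/kernel/grsecurity && echo grsec-yes || echo grsec-no\r"` with `"grsec-yes" {puts "grsecurity present, exiting...\n";exit}` and `"grsec-no" {puts "grsecurity not present\n"}`. The same block is pasted into chromium.exp, deluge.exp, evince.exp, fbreader.exp, firefox-x11.exp, firefox.exp, gnome-mplayer.exp and google-chrome.exp; a shared file pulled in with `source` would keep one copy to maintain.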
diff --git a/test/chromium.exp b/test/chromium.exp index 77325d070..676f7e314 100755 --- a/test/chromium.exp +++ b/test/chromium.exp | |||
@@ -27,6 +27,14 @@ expect { | |||
27 | } | 27 | } |
28 | sleep 1 | 28 | sleep 1 |
29 | 29 | ||
30 | # grsecurity exit | ||
31 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
34 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
35 | "cannot open" {puts "grsecurity not present\n"} | ||
36 | } | ||
37 | |||
30 | send -- "firejail --name=blablabla\r" | 38 | send -- "firejail --name=blablabla\r" |
31 | expect { | 39 | expect { |
32 | timeout {puts "TESTING ERROR 4\n";exit} | 40 | timeout {puts "TESTING ERROR 4\n";exit} |
diff --git a/test/deluge.exp b/test/deluge.exp index 49266813e..9f5063495 100755 --- a/test/deluge.exp +++ b/test/deluge.exp | |||
@@ -27,6 +27,14 @@ expect { | |||
27 | } | 27 | } |
28 | sleep 1 | 28 | sleep 1 |
29 | 29 | ||
30 | # grsecurity exit | ||
31 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
34 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
35 | "cannot open" {puts "grsecurity not present\n"} | ||
36 | } | ||
37 | |||
30 | send -- "firejail --name=blablabla\r" | 38 | send -- "firejail --name=blablabla\r" |
31 | expect { | 39 | expect { |
32 | timeout {puts "TESTING ERROR 4\n";exit} | 40 | timeout {puts "TESTING ERROR 4\n";exit} |
diff --git a/test/evince.exp b/test/evince.exp index 0c57f3871..3c3ad4bdd 100755 --- a/test/evince.exp +++ b/test/evince.exp | |||
@@ -27,6 +27,14 @@ expect { | |||
27 | } | 27 | } |
28 | sleep 1 | 28 | sleep 1 |
29 | 29 | ||
30 | # grsecurity exit | ||
31 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
34 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
35 | "cannot open" {puts "grsecurity not present\n"} | ||
36 | } | ||
37 | |||
30 | send -- "firejail --name=blablabla\r" | 38 | send -- "firejail --name=blablabla\r" |
31 | expect { | 39 | expect { |
32 | timeout {puts "TESTING ERROR 4\n";exit} | 40 | timeout {puts "TESTING ERROR 4\n";exit} |
diff --git a/test/fbreader.exp b/test/fbreader.exp index a4df50932..d2bee880e 100755 --- a/test/fbreader.exp +++ b/test/fbreader.exp | |||
@@ -27,6 +27,14 @@ expect { | |||
27 | } | 27 | } |
28 | sleep 1 | 28 | sleep 1 |
29 | 29 | ||
30 | # grsecurity exit | ||
31 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
34 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
35 | "cannot open" {puts "grsecurity not present\n"} | ||
36 | } | ||
37 | |||
30 | send -- "firejail --name=blablabla\r" | 38 | send -- "firejail --name=blablabla\r" |
31 | expect { | 39 | expect { |
32 | timeout {puts "TESTING ERROR 4\n";exit} | 40 | timeout {puts "TESTING ERROR 4\n";exit} |
diff --git a/test/firefox-x11.exp b/test/firefox-x11.exp index 8bc7fbd25..7e30437db 100755 --- a/test/firefox-x11.exp +++ b/test/firefox-x11.exp | |||
@@ -23,6 +23,13 @@ expect { | |||
23 | "no-remote" | 23 | "no-remote" |
24 | } | 24 | } |
25 | sleep 1 | 25 | sleep 1 |
26 | # grsecurity exit | ||
27 | send -- "file /proc/sys/kernel/grsecurity\r" | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR - grsecurity detection\n";exit} | ||
30 | "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} | ||
31 | "cannot open" {puts "grsecurity not present\n"} | ||
32 | } | ||
26 | send -- "firejail --name=blablabla\r" | 33 | send -- "firejail --name=blablabla\r" |
27 | expect { | 34 | expect { |
28 | timeout {puts "TESTING ERROR 4\n";exit} | 35 | timeout {puts "TESTING ERROR 4\n";exit} |
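--- a/test/firefox.exp
+++ b/test/firefox.exp
@@ -31,6 +31,16 @@ expect {
 "no-remote"
 }
 sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}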
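--- a/test/gnome-mplayer.exp
+++ b/test/gnome-mplayer.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}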
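--- a/test/google-chrome.exp
+++ b/test/google-chrome.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}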
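--- a/test/hexchat.exp
+++ b/test/hexchat.exp
@@ -26,6 +26,15 @@ expect {
 "hexchat"
 }
 sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}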
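--- a/test/icedove.exp
+++ b/test/icedove.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}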
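--- a/test/midori.exp
+++ b/test/midori.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}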
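--- a/test/net_defaultgw.exp
+++ b/test/net_defaultgw.exp
@@ -5,7 +5,7 @@ spawn $env(SHELL)
 match_max 100000
 
 # check ip address
-send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2\r"
+send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2 --protocol=unix,inet,netlink\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "eth0"
@@ -26,40 +26,21 @@ expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.1\n";exit}
-"0.0.0.0"
+"default via 10.10.20.2 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.2\n";exit}
-"10.10.20.2"
-}
-expect {
-timeout {puts "TESTING ERROR 10.3\n";exit}
-"eth0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.20.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth0"
-}
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"home"
+"10.10.20.0/29 dev eth0 proto kernel scope link"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 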
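Review bot: The new expectations at lines 35 and 41 pin the exact `ip route show` rendering ("/29" prefix length, "proto kernel scope link"), so the test now depends on the host's br0 netmask and on iproute2's output format rather than on firejail's behaviour alone; net_defaultgw2.exp and net_ip.exp carry the same coupling. Line 8 deserves a comment on why `--protocol=unix,inet,netlink` was added, since `ip` needs a netlink socket inside the sandbox and the option is otherwise unexplained, e.g. `# netlink is required so that "ip route show" works inside the sandbox`. If netlink were ever filtered by a profile, `ip` would fail and the test would only surface as "TESTING ERROR 10.1" after the timeout; an extra pattern for ip's error text (presumably containing "Operation not permitted") with a specific message would make that failure mode obvious.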
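--- a/test/net_defaultgw2.exp
+++ b/test/net_defaultgw2.exp
@@ -5,7 +5,7 @@ spawn $env(SHELL)
 match_max 100000
 
 # check ip address
-send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89\r"
+send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89 --protocol=unix,inet,netlink\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "eth1"
@@ -14,52 +14,27 @@ expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.1\n";exit}
-"0.0.0.0"
+"default via 10.10.30.89 dev eth1"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.2\n";exit}
-"10.10.30.89"
+"10.10.20.0/29 dev eth0 proto kernel scope link"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.3\n";exit}
-"eth1"
-}
-expect {
-timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.20.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.30.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth1"
-}
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"home"
+"10.10.30.0/24 dev eth1 proto kernel scope link"
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"
 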
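Review bot: `ip route show` is sent three times (new lines 20, 26 and 32) with a single expectation after each, although one invocation prints all three routes; expect keeps the unmatched remainder of the output, so the second and third sends look redundant and cost a full command round-trip each. If they are kept deliberately, for instance to tolerate route ordering, a one-line comment such as `# re-run so the match does not depend on route ordering` would stop the next reader from removing them. The /29 on eth0 versus /24 on eth1 is also a host bridge assumption that is nowhere stated in the test.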
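--- a/test/net_ip.exp
+++ b/test/net_ip.exp
@@ -31,7 +31,7 @@ send -- "exit\r"
 sleep 2
 
 # check loopback
-send -- "firejail --net=br0 --ip=10.10.20.5\r"
+send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "lo"
@@ -52,38 +52,19 @@ expect {
 timeout {puts "TESTING ERROR 9\n";exit}
 "Child process initialized"
 }
+sleep 1
 
 # check default gateway
-send -- "bash\r"
-sleep 1
-send -- "netstat -rn;pwd\r"
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10.1\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.2\n";exit}
-"10.10.20.1"
-}
-expect {
-timeout {puts "TESTING ERROR 10.3\n";exit}
-"eth0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.4\n";exit}
-"10.10.20.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.5\n";exit}
-"0.0.0.0"
-}
-expect {
-timeout {puts "TESTING ERROR 10.6\n";exit}
-"eth0"
+"default via 10.10.20.1 dev eth0"
 }
+
+send -- "ip route show\r"
 expect {
 timeout {puts "TESTING ERROR 10\n";exit}
-"home"
+"10.10.20.0/29 dev eth0 proto kernel scope link"
 }
 sleep 1
 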
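--- a/test/opera.exp
+++ b/test/opera.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}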
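--- a/test/pid.exp
+++ b/test/pid.exp
@@ -37,7 +37,8 @@ sleep 1
 send -- "ps aux |wc -l; pwd\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
-"6"
+"6" {puts "normal system\n'}
+"5" {puts "grsecurity\n"}
 }
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
@@ -45,4 +46,4 @@ expect {
 }
 sleep 1
 
-puts "\n"
+puts "\nall done\n"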
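Review bot: New line 40 has a mismatched quote, `"6" {puts "normal system\n'}` — the string opens with a double quote and closes with a single one, so when six lines are counted the action is evaluated as an unterminated quoted string and the script aborts with a Tcl error instead of printing. It should read `"6" {puts "normal system\n"}`. Separately, "6" and "5" are bare substring patterns tried in order against the whole output of `ps aux |wc -l; pwd`, so a working-directory path that happens to contain a 6 would presumably satisfy the first pattern even on a grsecurity host; a regex anchored to the count line would be more robust, and a comment explaining why grsecurity shows one process fewer would help the next reader.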
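--- a/test/transmission-gtk-x11.exp
+++ b/test/transmission-gtk-x11.exp
@@ -19,6 +19,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}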
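--- a/test/transmission-gtk.exp
+++ b/test/transmission-gtk.exp
@@ -23,6 +23,13 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}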
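--- a/test/transmission-qt.exp
+++ b/test/transmission-qt.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}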
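--- a/test/vlc.exp
+++ b/test/vlc.exp
@@ -27,6 +27,14 @@ expect {
 }
 sleep 1
 
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}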
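--- a/test/weechat.exp
+++ b/test/weechat.exp
@@ -26,6 +26,15 @@ expect {
 "weechat-curses"
 }
 sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}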
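--- a/test/xchat.exp
+++ b/test/xchat.exp
@@ -26,6 +26,15 @@ expect {
 "xchat"
 }
 sleep 1
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+"cannot open" {puts "grsecurity not present\n"}
+}
+
 send -- "firejail --name=blablabla\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}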