diff options
-rw-r--r-- | src/firejail/fs_var.c | 9 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 98 | ||||
-rw-r--r-- | src/firejail/netfilter.c | 12 | ||||
-rwxr-xr-x | test/environment/dns.exp | 27 | ||||
-rw-r--r-- | test/environment/dns.profile | 3 | ||||
-rwxr-xr-x | test/fs/fs.sh | 3 | ||||
-rwxr-xr-x | test/fs/whitelist-dev.exp | 47 | ||||
-rwxr-xr-x | test/fs/whitelist.exp | 26 | ||||
-rwxr-xr-x | test/network/ip6.exp | 40 | ||||
-rw-r--r-- | test/network/ip6.profile | 3 | ||||
-rwxr-xr-x | test/network/iprange.exp | 103 | ||||
-rw-r--r-- | test/network/iprange.profile | 2 | ||||
-rwxr-xr-x | test/network/network.sh | 6 | ||||
-rwxr-xr-x | test/network/veth-name.exp | 77 | ||||
-rw-r--r-- | test/network/veth-name.profile | 3 | ||||
-rwxr-xr-x | test/root/root.sh | 3 | ||||
-rwxr-xr-x | test/root/whitelist-mnt.exp | 86 |
17 files changed, 454 insertions, 94 deletions
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 2aa4a1b54..bdc5ecaf3 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -65,10 +65,9 @@ static void build_list(const char *srcdir) { | |||
65 | struct stat s; | 65 | struct stat s; |
66 | char *name; | 66 | char *name; |
67 | if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1) | 67 | if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1) |
68 | continue; | 68 | errExit("asprintf"); |
69 | if (stat(name, &s) == -1) | 69 | if (stat(name, &s) == -1 || |
70 | continue; | 70 | S_ISLNK(s.st_mode)) { |
71 | if (S_ISLNK(s.st_mode)) { | ||
72 | free(name); | 71 | free(name); |
73 | continue; | 72 | continue; |
74 | } | 73 | } |
@@ -143,7 +142,7 @@ void fs_var_log(void) { | |||
143 | fs_logger("touch /var/log/btmp"); | 142 | fs_logger("touch /var/log/btmp"); |
144 | } | 143 | } |
145 | else | 144 | else |
146 | fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n"); | 145 | fprintf(stderr, "Warning: cannot hide /var/log directory\n"); |
147 | } | 146 | } |
148 | 147 | ||
149 | void fs_var_lib(void) { | 148 | void fs_var_lib(void) { |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 7b32021be..b10858411 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -95,34 +95,29 @@ static char *resolve_downloads(void) { | |||
95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) | 95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) |
96 | errExit("asprintf"); | 96 | errExit("asprintf"); |
97 | 97 | ||
98 | if (stat(fname, &s) == -1) { | 98 | if (stat(fname, &s) == -1) |
99 | fprintf(stderr, "***\n"); | ||
100 | fprintf(stderr, "*** Error: directory %s not found.\n", fname); | ||
101 | fprintf(stderr, "*** \tThis directory is configured in ~/.config/user-dirs.dirs.\n"); | ||
102 | fprintf(stderr, "*** \tPlease create a Downloads directory.\n"); | ||
103 | fprintf(stderr, "***\n"); | ||
104 | free(fname); | 99 | free(fname); |
105 | return NULL; | 100 | goto errout; |
106 | } | ||
107 | 101 | ||
108 | char *rv; | 102 | char *rv; |
109 | if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) | 103 | if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) |
110 | errExit("asprintf"); | 104 | errExit("asprintf"); |
111 | return rv; | 105 | return rv; |
112 | } | 106 | } |
113 | else { | 107 | else |
114 | fprintf(stderr, "***\n"); | 108 | goto errout; |
115 | fprintf(stderr, "*** Error: invalid XDG_DOWNLOAD_DIR entry in ~/.config/user-dirs.dirs.\n"); | ||
116 | fprintf(stderr, "*** \tPlease specify a valid Downloads directory, example:\n"); | ||
117 | fprintf(stderr, "***\n"); | ||
118 | fprintf(stderr, "***\t\tXDG_DOWNLOAD_DIR=\"$HOME/Downloads\"\n"); | ||
119 | fprintf(stderr, "***\n"); | ||
120 | return NULL; | ||
121 | } | ||
122 | } | 109 | } |
123 | } | 110 | } |
124 | } | 111 | } |
112 | |||
125 | fclose(fp); | 113 | fclose(fp); |
114 | return NULL; | ||
115 | |||
116 | errout: | ||
117 | fprintf(stderr, "***\n"); | ||
118 | fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n"); | ||
119 | fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); | ||
120 | fprintf(stderr, "***\n"); | ||
126 | 121 | ||
127 | return NULL; | 122 | return NULL; |
128 | } | 123 | } |
@@ -181,10 +176,8 @@ static void whitelist_path(ProfileEntry *entry) { | |||
181 | if (entry->home_dir) { | 176 | if (entry->home_dir) { |
182 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { | 177 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { |
183 | fname = path + strlen(cfg.homedir); | 178 | fname = path + strlen(cfg.homedir); |
184 | if (*fname == '\0') { | 179 | if (*fname == '\0') |
185 | fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); | 180 | goto errexit; |
186 | exit(1); | ||
187 | } | ||
188 | } | 181 | } |
189 | else | 182 | else |
190 | fname = path; | 183 | fname = path; |
@@ -194,70 +187,56 @@ static void whitelist_path(ProfileEntry *entry) { | |||
194 | } | 187 | } |
195 | else if (entry->tmp_dir) { | 188 | else if (entry->tmp_dir) { |
196 | fname = path + 4; // strlen("/tmp") | 189 | fname = path + 4; // strlen("/tmp") |
197 | if (*fname == '\0') { | 190 | if (*fname == '\0') |
198 | fprintf(stderr, "Error: file %s is not in /tmp directory, exiting...\n", path); | 191 | goto errexit; |
199 | exit(1); | ||
200 | } | ||
201 | 192 | ||
202 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) | 193 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) |
203 | errExit("asprintf"); | 194 | errExit("asprintf"); |
204 | } | 195 | } |
205 | else if (entry->media_dir) { | 196 | else if (entry->media_dir) { |
206 | fname = path + 6; // strlen("/media") | 197 | fname = path + 6; // strlen("/media") |
207 | if (*fname == '\0') { | 198 | if (*fname == '\0') |
208 | fprintf(stderr, "Error: file %s is not in /media directory, exiting...\n", path); | 199 | goto errexit; |
209 | exit(1); | ||
210 | } | ||
211 | 200 | ||
212 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) | 201 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) |
213 | errExit("asprintf"); | 202 | errExit("asprintf"); |
214 | } | 203 | } |
215 | else if (entry->mnt_dir) { | 204 | else if (entry->mnt_dir) { |
216 | fname = path + 4; // strlen("/mnt") | 205 | fname = path + 4; // strlen("/mnt") |
217 | if (*fname == '\0') { | 206 | if (*fname == '\0') |
218 | fprintf(stderr, "Error: file %s is not in /mnt directory, exiting...\n", path); | 207 | goto errexit; |
219 | exit(1); | ||
220 | } | ||
221 | 208 | ||
222 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) | 209 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) |
223 | errExit("asprintf"); | 210 | errExit("asprintf"); |
224 | } | 211 | } |
225 | else if (entry->var_dir) { | 212 | else if (entry->var_dir) { |
226 | fname = path + 4; // strlen("/var") | 213 | fname = path + 4; // strlen("/var") |
227 | if (*fname == '\0') { | 214 | if (*fname == '\0') |
228 | fprintf(stderr, "Error: file %s is not in /var directory, exiting...\n", path); | 215 | goto errexit; |
229 | exit(1); | ||
230 | } | ||
231 | 216 | ||
232 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) | 217 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) |
233 | errExit("asprintf"); | 218 | errExit("asprintf"); |
234 | } | 219 | } |
235 | else if (entry->dev_dir) { | 220 | else if (entry->dev_dir) { |
236 | fname = path + 4; // strlen("/dev") | 221 | fname = path + 4; // strlen("/dev") |
237 | if (*fname == '\0') { | 222 | if (*fname == '\0') |
238 | fprintf(stderr, "Error: file %s is not in /dev directory, exiting...\n", path); | 223 | goto errexit; |
239 | exit(1); | ||
240 | } | ||
241 | 224 | ||
242 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) | 225 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) |
243 | errExit("asprintf"); | 226 | errExit("asprintf"); |
244 | } | 227 | } |
245 | else if (entry->opt_dir) { | 228 | else if (entry->opt_dir) { |
246 | fname = path + 4; // strlen("/opt") | 229 | fname = path + 4; // strlen("/opt") |
247 | if (*fname == '\0') { | 230 | if (*fname == '\0') |
248 | fprintf(stderr, "Error: file %s is not in /opt directory, exiting...\n", path); | 231 | goto errexit; |
249 | exit(1); | ||
250 | } | ||
251 | 232 | ||
252 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) | 233 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) |
253 | errExit("asprintf"); | 234 | errExit("asprintf"); |
254 | } | 235 | } |
255 | else if (entry->srv_dir) { | 236 | else if (entry->srv_dir) { |
256 | fname = path + 4; // strlen("/srv") | 237 | fname = path + 4; // strlen("/srv") |
257 | if (*fname == '\0') { | 238 | if (*fname == '\0') |
258 | fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path); | 239 | goto errexit; |
259 | exit(1); | ||
260 | } | ||
261 | 240 | ||
262 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) | 241 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) |
263 | errExit("asprintf"); | 242 | errExit("asprintf"); |
@@ -305,6 +284,11 @@ static void whitelist_path(ProfileEntry *entry) { | |||
305 | errExit("mount bind"); | 284 | errExit("mount bind"); |
306 | 285 | ||
307 | free(wfile); | 286 | free(wfile); |
287 | return; | ||
288 | |||
289 | errexit: | ||
290 | fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path); | ||
291 | exit(1); | ||
308 | } | 292 | } |
309 | 293 | ||
310 | 294 | ||
@@ -432,8 +416,6 @@ void fs_whitelist(void) { | |||
432 | tmp_dir = 1; | 416 | tmp_dir = 1; |
433 | // both path and absolute path are under /tmp | 417 | // both path and absolute path are under /tmp |
434 | if (strncmp(fname, "/tmp/", 5) != 0) { | 418 | if (strncmp(fname, "/tmp/", 5) != 0) { |
435 | if (arg_debug) | ||
436 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
437 | goto errexit; | 419 | goto errexit; |
438 | } | 420 | } |
439 | } | 421 | } |
@@ -442,8 +424,6 @@ void fs_whitelist(void) { | |||
442 | media_dir = 1; | 424 | media_dir = 1; |
443 | // both path and absolute path are under /media | 425 | // both path and absolute path are under /media |
444 | if (strncmp(fname, "/media/", 7) != 0) { | 426 | if (strncmp(fname, "/media/", 7) != 0) { |
445 | if (arg_debug) | ||
446 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
447 | goto errexit; | 427 | goto errexit; |
448 | } | 428 | } |
449 | } | 429 | } |
@@ -452,8 +432,6 @@ void fs_whitelist(void) { | |||
452 | mnt_dir = 1; | 432 | mnt_dir = 1; |
453 | // both path and absolute path are under /mnt | 433 | // both path and absolute path are under /mnt |
454 | if (strncmp(fname, "/mnt/", 5) != 0) { | 434 | if (strncmp(fname, "/mnt/", 5) != 0) { |
455 | if (arg_debug) | ||
456 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
457 | goto errexit; | 435 | goto errexit; |
458 | } | 436 | } |
459 | } | 437 | } |
@@ -467,8 +445,6 @@ void fs_whitelist(void) { | |||
467 | else if (strcmp(new_name, "/var/lock")== 0) | 445 | else if (strcmp(new_name, "/var/lock")== 0) |
468 | ; | 446 | ; |
469 | else if (strncmp(fname, "/var/", 5) != 0) { | 447 | else if (strncmp(fname, "/var/", 5) != 0) { |
470 | if (arg_debug) | ||
471 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
472 | goto errexit; | 448 | goto errexit; |
473 | } | 449 | } |
474 | } | 450 | } |
@@ -477,8 +453,6 @@ void fs_whitelist(void) { | |||
477 | dev_dir = 1; | 453 | dev_dir = 1; |
478 | // both path and absolute path are under /dev | 454 | // both path and absolute path are under /dev |
479 | if (strncmp(fname, "/dev/", 5) != 0) { | 455 | if (strncmp(fname, "/dev/", 5) != 0) { |
480 | if (arg_debug) | ||
481 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
482 | goto errexit; | 456 | goto errexit; |
483 | } | 457 | } |
484 | } | 458 | } |
@@ -487,8 +461,6 @@ void fs_whitelist(void) { | |||
487 | opt_dir = 1; | 461 | opt_dir = 1; |
488 | // both path and absolute path are under /dev | 462 | // both path and absolute path are under /dev |
489 | if (strncmp(fname, "/opt/", 5) != 0) { | 463 | if (strncmp(fname, "/opt/", 5) != 0) { |
490 | if (arg_debug) | ||
491 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
492 | goto errexit; | 464 | goto errexit; |
493 | } | 465 | } |
494 | } | 466 | } |
@@ -497,14 +469,10 @@ void fs_whitelist(void) { | |||
497 | srv_dir = 1; | 469 | srv_dir = 1; |
498 | // both path and absolute path are under /srv | 470 | // both path and absolute path are under /srv |
499 | if (strncmp(fname, "/srv/", 5) != 0) { | 471 | if (strncmp(fname, "/srv/", 5) != 0) { |
500 | if (arg_debug) | ||
501 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
502 | goto errexit; | 472 | goto errexit; |
503 | } | 473 | } |
504 | } | 474 | } |
505 | else { | 475 | else { |
506 | if (arg_debug) | ||
507 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
508 | goto errexit; | 476 | goto errexit; |
509 | } | 477 | } |
510 | 478 | ||
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index ef4915f15..ed411313a 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -47,14 +47,8 @@ void check_netfilter_file(const char *fname) { | |||
47 | EUID_ASSERT(); | 47 | EUID_ASSERT(); |
48 | invalid_filename(fname); | 48 | invalid_filename(fname); |
49 | 49 | ||
50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) { | 50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { |
51 | fprintf(stderr, "Error: invalid network filter file\n"); | 51 | fprintf(stderr, "Error: invalid network filter file %s\n", fname); |
52 | exit(1); | ||
53 | } | ||
54 | |||
55 | // access call checks as real UID/GID, not as effective UID/GID | ||
56 | if (access(fname, R_OK)) { | ||
57 | fprintf(stderr, "Error: cannot access network filter file\n"); | ||
58 | exit(1); | 52 | exit(1); |
59 | } | 53 | } |
60 | } | 54 | } |
@@ -138,7 +132,7 @@ void netfilter6(const char *fname) { | |||
138 | char *filter = read_text_file_or_exit(fname); | 132 | char *filter = read_text_file_or_exit(fname); |
139 | FILE *fp = fopen(SBOX_STDIN_FILE, "w"); | 133 | FILE *fp = fopen(SBOX_STDIN_FILE, "w"); |
140 | if (!fp) { | 134 | if (!fp) { |
141 | fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n"); | 135 | fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE); |
142 | exit(1); | 136 | exit(1); |
143 | } | 137 | } |
144 | fprintf(fp, "%s\n", filter); | 138 | fprintf(fp, "%s\n", filter); |
diff --git a/test/environment/dns.exp b/test/environment/dns.exp index 40403aade..d00e9fb94 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp | |||
@@ -26,10 +26,33 @@ expect { | |||
26 | } | 26 | } |
27 | after 100 | 27 | after 100 |
28 | send -- "exit\r" | 28 | send -- "exit\r" |
29 | after 100 | 29 | sleep 1 |
30 | |||
30 | 31 | ||
32 | send -- "firejail --profile=dns.profile\r" | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 12.1\n";exit} | ||
35 | "Child process initialized" | ||
36 | } | ||
37 | sleep 1 | ||
38 | |||
39 | send -- "cat /etc/resolv.conf\r" | ||
40 | expect { | ||
41 | timeout {puts "TESTING ERROR 12.2\n";exit} | ||
42 | "nameserver 8.8.4.4" | ||
43 | } | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 12.3\n";exit} | ||
46 | "nameserver 8.8.8.8" | ||
47 | } | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 12.4\n";exit} | ||
50 | "nameserver 4.2.2.1" | ||
51 | } | ||
52 | after 100 | ||
53 | send -- "exit\r" | ||
54 | sleep 1 | ||
31 | 55 | ||
32 | # no chroot | ||
33 | send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" | 56 | send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" |
34 | expect { | 57 | expect { |
35 | timeout {puts "TESTING ERROR 1.1\n";exit} | 58 | timeout {puts "TESTING ERROR 1.1\n";exit} |
diff --git a/test/environment/dns.profile b/test/environment/dns.profile new file mode 100644 index 000000000..d1b842c86 --- /dev/null +++ b/test/environment/dns.profile | |||
@@ -0,0 +1,3 @@ | |||
1 | dns 8.8.4.4 | ||
2 | dns 8.8.8.8 | ||
3 | dns 4.2.2.1 | ||
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d9a425661..611b62b09 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
@@ -88,6 +88,9 @@ echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" | |||
88 | echo "TESTING: whitelist (test/fs/whitelist.exp)" | 88 | echo "TESTING: whitelist (test/fs/whitelist.exp)" |
89 | ./whitelist.exp | 89 | ./whitelist.exp |
90 | 90 | ||
91 | echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" | ||
92 | ./whitelist-dev.exp | ||
93 | |||
91 | echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" | 94 | echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" |
92 | ./fscheck-bindnoroot.exp | 95 | ./fscheck-bindnoroot.exp |
93 | 96 | ||
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp new file mode 100755 index 000000000..a19d5cedf --- /dev/null +++ b/test/fs/whitelist-dev.exp | |||
@@ -0,0 +1,47 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --whitelist=/dev/null --debug\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 1 | ||
16 | |||
17 | send -- "ls -l /dev | find /dev | wc -l\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 1\n";exit} | ||
20 | "2" | ||
21 | } | ||
22 | after 100 | ||
23 | send -- "exit\r" | ||
24 | sleep 1 | ||
25 | |||
26 | send -- "firejail --whitelist=/var/tmp --debug\r" | ||
27 | expect { | ||
28 | timeout {puts "TESTING ERROR 0\n";exit} | ||
29 | "Child process initialized" | ||
30 | } | ||
31 | sleep 1 | ||
32 | |||
33 | send -- "ls -l /dev | find /dev | wc -l\r" | ||
34 | expect { | ||
35 | timeout {puts "TESTING ERROR 1\n";exit} | ||
36 | "2" | ||
37 | } | ||
38 | after 100 | ||
39 | send -- "exit\r" | ||
40 | sleep 1 | ||
41 | |||
42 | |||
43 | |||
44 | |||
45 | after 100 | ||
46 | puts "\nall done\n" | ||
47 | |||
diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp index 9a9a0f353..9b631b884 100755 --- a/test/fs/whitelist.exp +++ b/test/fs/whitelist.exp | |||
@@ -36,7 +36,7 @@ after 200 | |||
36 | send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" | 36 | send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" |
37 | after 200 | 37 | after 200 |
38 | 38 | ||
39 | send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r" | 39 | send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r" |
40 | expect { | 40 | expect { |
41 | timeout {puts "TESTING ERROR 0\n";exit} | 41 | timeout {puts "TESTING ERROR 0\n";exit} |
42 | "Child process initialized" | 42 | "Child process initialized" |
@@ -49,19 +49,19 @@ expect { | |||
49 | "2" | 49 | "2" |
50 | } | 50 | } |
51 | 51 | ||
52 | send -- "cat fjtest-file\r" | 52 | send -- "cat ~/fjtest-file\r" |
53 | expect { | 53 | expect { |
54 | timeout {puts "TESTING ERROR 2\n";exit} | 54 | timeout {puts "TESTING ERROR 2\n";exit} |
55 | "123" | 55 | "123" |
56 | } | 56 | } |
57 | 57 | ||
58 | send -- "cat fjtest-dir/fjtest-file\r" | 58 | send -- "cat ~/fjtest-dir/fjtest-file\r" |
59 | expect { | 59 | expect { |
60 | timeout {puts "TESTING ERROR 3\n";exit} | 60 | timeout {puts "TESTING ERROR 3\n";exit} |
61 | "123" | 61 | "123" |
62 | } | 62 | } |
63 | 63 | ||
64 | send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" | 64 | send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" |
65 | expect { | 65 | expect { |
66 | timeout {puts "TESTING ERROR 4\n";exit} | 66 | timeout {puts "TESTING ERROR 4\n";exit} |
67 | "123" | 67 | "123" |
@@ -86,7 +86,7 @@ expect { | |||
86 | "1" | 86 | "1" |
87 | } | 87 | } |
88 | 88 | ||
89 | send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" | 89 | send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" |
90 | expect { | 90 | expect { |
91 | timeout {puts "TESTING ERROR 12\n";exit} | 91 | timeout {puts "TESTING ERROR 12\n";exit} |
92 | "123" | 92 | "123" |
@@ -111,37 +111,37 @@ expect { | |||
111 | "4" | 111 | "4" |
112 | } | 112 | } |
113 | 113 | ||
114 | send -- "cat fjtest-file\r" | 114 | send -- "cat ~/fjtest-file\r" |
115 | expect { | 115 | expect { |
116 | timeout {puts "TESTING ERROR 22\n";exit} | 116 | timeout {puts "TESTING ERROR 22\n";exit} |
117 | "123" | 117 | "123" |
118 | } | 118 | } |
119 | 119 | ||
120 | send -- "cat fjtest-dir/fjtest-file\r" | 120 | send -- "cat ~/fjtest-dir/fjtest-file\r" |
121 | expect { | 121 | expect { |
122 | timeout {puts "TESTING ERROR 23\n";exit} | 122 | timeout {puts "TESTING ERROR 23\n";exit} |
123 | "123" | 123 | "123" |
124 | } | 124 | } |
125 | 125 | ||
126 | send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" | 126 | send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" |
127 | expect { | 127 | expect { |
128 | timeout {puts "TESTING ERROR 24\n";exit} | 128 | timeout {puts "TESTING ERROR 24\n";exit} |
129 | "123" | 129 | "123" |
130 | } | 130 | } |
131 | 131 | ||
132 | send -- "cat fjtest-file-lnk\r" | 132 | send -- "cat ~/fjtest-file-lnk\r" |
133 | expect { | 133 | expect { |
134 | timeout {puts "TESTING ERROR 25\n";exit} | 134 | timeout {puts "TESTING ERROR 25\n";exit} |
135 | "123" | 135 | "123" |
136 | } | 136 | } |
137 | 137 | ||
138 | send -- "cat fjtest-dir-lnk/fjtest-file\r" | 138 | send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" |
139 | expect { | 139 | expect { |
140 | timeout {puts "TESTING ERROR 26\n";exit} | 140 | timeout {puts "TESTING ERROR 26\n";exit} |
141 | "123" | 141 | "123" |
142 | } | 142 | } |
143 | 143 | ||
144 | send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r" | 144 | send -- "cat ~/fjtest-dir-lnk/fjtest-dir/fjtest-file\r" |
145 | expect { | 145 | expect { |
146 | timeout {puts "TESTING ERROR 27\n";exit} | 146 | timeout {puts "TESTING ERROR 27\n";exit} |
147 | "123" | 147 | "123" |
@@ -193,13 +193,13 @@ expect { | |||
193 | "2" | 193 | "2" |
194 | } | 194 | } |
195 | 195 | ||
196 | send -- "cat fjtest-file-lnk\r" | 196 | send -- "cat ~/fjtest-file-lnk\r" |
197 | expect { | 197 | expect { |
198 | timeout {puts "TESTING ERROR 42\n";exit} | 198 | timeout {puts "TESTING ERROR 42\n";exit} |
199 | "123" | 199 | "123" |
200 | } | 200 | } |
201 | 201 | ||
202 | send -- "cat fjtest-dir-lnk/fjtest-file\r" | 202 | send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" |
203 | expect { | 203 | expect { |
204 | timeout {puts "TESTING ERROR 43\n";exit} | 204 | timeout {puts "TESTING ERROR 43\n";exit} |
205 | "123" | 205 | "123" |
diff --git a/test/network/ip6.exp b/test/network/ip6.exp index f0fcebcf8..1db16c28a 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp | |||
@@ -43,6 +43,46 @@ expect { | |||
43 | } | 43 | } |
44 | 44 | ||
45 | send -- "exit\r" | 45 | send -- "exit\r" |
46 | sleep 2 | ||
47 | |||
48 | |||
49 | send -- "firejail --debug --profile=ip6.profile\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 10\n";exit} | ||
52 | "Installing network filter" | ||
53 | } | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 11\n";exit} | ||
56 | "DROP" | ||
57 | } | ||
58 | expect { | ||
59 | timeout {puts "TESTING ERROR 12\n";exit} | ||
60 | "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit} | ||
61 | "2001:db8:1f0a:3ec::2" | ||
62 | } | ||
63 | expect { | ||
64 | timeout {puts "TESTING ERROR 13\n";exit} | ||
65 | "Child process initialized" | ||
66 | } | ||
67 | sleep 2 | ||
68 | |||
69 | send -- "/sbin/ifconfig\r" | ||
70 | expect { | ||
71 | timeout {puts "TESTING ERROR 14\n";exit} | ||
72 | "inet6" | ||
73 | } | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 15\n";exit} | ||
76 | "2001:db8:0:f101::1" | ||
77 | } | ||
78 | expect { | ||
79 | timeout {puts "TESTING ERROR 16\n";exit} | ||
80 | "Scope:Global" { puts "Debian\n"} | ||
81 | "scopeid 0x0<global>" { puts "Arch\n"} | ||
82 | } | ||
83 | |||
84 | send -- "exit\r" | ||
85 | |||
46 | after 100 | 86 | after 100 |
47 | 87 | ||
48 | puts "\nall done\n" | 88 | puts "\nall done\n" |
diff --git a/test/network/ip6.profile b/test/network/ip6.profile new file mode 100644 index 000000000..87afa3941 --- /dev/null +++ b/test/network/ip6.profile | |||
@@ -0,0 +1,3 @@ | |||
1 | net br0 | ||
2 | ip6 2001:0db8:0:f101::1/64 | ||
3 | netfilter6 ipv6.net | ||
diff --git a/test/network/iprange.exp b/test/network/iprange.exp new file mode 100755 index 000000000..a1b2ccab4 --- /dev/null +++ b/test/network/iprange.exp | |||
@@ -0,0 +1,103 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "eth0" | ||
14 | } | ||
15 | expect { | ||
16 | timeout {puts "TESTING ERROR 1\n";exit} | ||
17 | "10.10.30.50" {puts "10.10.30.50\n"} | ||
18 | "10.10.30.51" {puts "10.10.30.51\n"} | ||
19 | "10.10.30.52" {puts "10.10.30.52\n"} | ||
20 | "10.10.30.53" {puts "10.10.30.53\n"} | ||
21 | "10.10.30.54" {puts "10.10.30.54\n"} | ||
22 | "10.10.30.55" {puts "10.10.30.55\n"} | ||
23 | } | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 2\n";exit} | ||
26 | "255.255.255.0" | ||
27 | } | ||
28 | expect { | ||
29 | timeout {puts "TESTING ERROR 3\n";exit} | ||
30 | "Child process initialized" | ||
31 | } | ||
32 | sleep 1 | ||
33 | send -- "exit\r" | ||
34 | sleep 2 | ||
35 | |||
36 | send -- "firejail --profile=iprange.profile\r" | ||
37 | expect { | ||
38 | timeout {puts "TESTING ERROR 5\n";exit} | ||
39 | "eth0" | ||
40 | } | ||
41 | expect { | ||
42 | timeout {puts "TESTING ERROR 6\n";exit} | ||
43 | "10.10.30.50" {puts "10.10.30.50\n"} | ||
44 | "10.10.30.51" {puts "10.10.30.51\n"} | ||
45 | "10.10.30.52" {puts "10.10.30.52\n"} | ||
46 | "10.10.30.53" {puts "10.10.30.53\n"} | ||
47 | "10.10.30.54" {puts "10.10.30.54\n"} | ||
48 | "10.10.30.55" {puts "10.10.30.55\n"} | ||
49 | } | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 7\n";exit} | ||
52 | "255.255.255.0" | ||
53 | } | ||
54 | expect { | ||
55 | timeout {puts "TESTING ERROR 8\n";exit} | ||
56 | "Child process initialized" | ||
57 | } | ||
58 | sleep 1 | ||
59 | send -- "exit\r" | ||
60 | sleep 2 | ||
61 | |||
62 | |||
63 | |||
64 | send -- "firejail --iprange=10.10.30.50,10.10.30.55\r" | ||
65 | expect { | ||
66 | timeout {puts "TESTING ERROR 9\n";exit} | ||
67 | "no network device configured" | ||
68 | } | ||
69 | after 100 | ||
70 | |||
71 | send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55 --iprange=10.10.30.50,10.10.30.55\r" | ||
72 | expect { | ||
73 | timeout {puts "TESTING ERROR 10\n";exit} | ||
74 | "cannot configure the IP range twice for the same interface" | ||
75 | } | ||
76 | after 100 | ||
77 | |||
78 | send -- "firejail --net=br1 --iprange=10.10.30.50\r" | ||
79 | expect { | ||
80 | timeout {puts "TESTING ERROR 11\n";exit} | ||
81 | "invalid IP range" | ||
82 | } | ||
83 | after 100 | ||
84 | |||
85 | send -- "firejail --net=br0 --iprange=10.10.30.50,10.10.30.55\r" | ||
86 | expect { | ||
87 | timeout {puts "TESTING ERROR 12\n";exit} | ||
88 | "IP range addresses not in network range" | ||
89 | } | ||
90 | after 100 | ||
91 | |||
92 | send -- "firejail --net=br1 --iprange=10.10.30.55,10.10.30.50\r" | ||
93 | expect { | ||
94 | timeout {puts "TESTING ERROR 12\n";exit} | ||
95 | "invalid IP range" | ||
96 | } | ||
97 | after 100 | ||
98 | |||
99 | |||
100 | after 100 | ||
101 | |||
102 | puts "\nall done\n" | ||
103 | |||
diff --git a/test/network/iprange.profile b/test/network/iprange.profile new file mode 100644 index 000000000..ecc01cd93 --- /dev/null +++ b/test/network/iprange.profile | |||
@@ -0,0 +1,2 @@ | |||
1 | net br1 | ||
2 | iprange 10.10.30.50,10.10.30.55 | ||
diff --git a/test/network/network.sh b/test/network/network.sh index e1646d64a..bea5dfb26 100755 --- a/test/network/network.sh +++ b/test/network/network.sh | |||
@@ -78,6 +78,12 @@ echo "TESTING: veth (net_veth.exp)" | |||
78 | echo "TESTING: netfilter (net_netfilter.exp)" | 78 | echo "TESTING: netfilter (net_netfilter.exp)" |
79 | ./net_netfilter.exp | 79 | ./net_netfilter.exp |
80 | 80 | ||
81 | echo "TESTING: iprange (iprange.exp)" | ||
82 | ./iprange.exp | ||
83 | |||
84 | echo "TESTING: veth-name (veth-name.exp)" | ||
85 | ./veth-name.exp | ||
86 | |||
81 | echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" | 87 | echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" |
82 | ./4bridges_arp.exp | 88 | ./4bridges_arp.exp |
83 | 89 | ||
diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp new file mode 100755 index 000000000..36ed41d92 --- /dev/null +++ b/test/network/veth-name.exp | |||
@@ -0,0 +1,77 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | # | ||
11 | send -- "firejail --net=br1 --ip=10.10.30.50 --veth-name=blablabla\r" | ||
12 | expect { | ||
13 | timeout {puts "TESTING ERROR 0\n";exit} | ||
14 | "eth0" | ||
15 | } | ||
16 | expect { | ||
17 | timeout {puts "TESTING ERROR 1\n";exit} | ||
18 | "10.10.30.50" | ||
19 | } | ||
20 | expect { | ||
21 | timeout {puts "TESTING ERROR 2\n";exit} | ||
22 | "255.255.255.0" | ||
23 | } | ||
24 | expect { | ||
25 | timeout {puts "TESTING ERROR 3\n";exit} | ||
26 | "Child process initialized" | ||
27 | } | ||
28 | sleep 1 | ||
29 | |||
30 | spawn $env(SHELL) | ||
31 | send -- "ip link show\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 4\n";exit} | ||
34 | "blablabla" | ||
35 | } | ||
36 | expect { | ||
37 | timeout {puts "TESTING ERROR 5\n";exit} | ||
38 | "master br1 state UP" | ||
39 | } | ||
40 | sleep 1 | ||
41 | |||
42 | |||
43 | send -- "firejail --profile=veth-name.profile\r" | ||
44 | expect { | ||
45 | timeout {puts "TESTING ERROR 6\n";exit} | ||
46 | "eth0" | ||
47 | } | ||
48 | expect { | ||
49 | timeout {puts "TESTING ERROR 7\n";exit} | ||
50 | "10.10.60.51" | ||
51 | } | ||
52 | expect { | ||
53 | timeout {puts "TESTING ERROR 8\n";exit} | ||
54 | "255.255.255.0" | ||
55 | } | ||
56 | expect { | ||
57 | timeout {puts "TESTING ERROR 9\n";exit} | ||
58 | "Child process initialized" | ||
59 | } | ||
60 | sleep 1 | ||
61 | |||
62 | spawn $env(SHELL) | ||
63 | send -- "ip link show\r" | ||
64 | expect { | ||
65 | timeout {puts "TESTING ERROR 10\n";exit} | ||
66 | "bingo" | ||
67 | } | ||
68 | expect { | ||
69 | timeout {puts "TESTING ERROR 11\n";exit} | ||
70 | "master br4 state UP" | ||
71 | } | ||
72 | sleep 1 | ||
73 | |||
74 | |||
75 | after 100 | ||
76 | puts "\nall done\n" | ||
77 | |||
diff --git a/test/network/veth-name.profile b/test/network/veth-name.profile new file mode 100644 index 000000000..f00a74d63 --- /dev/null +++ b/test/network/veth-name.profile | |||
@@ -0,0 +1,3 @@ | |||
1 | net br4 | ||
2 | ip 10.10.60.51 | ||
3 | veth-name bingo | ||
diff --git a/test/root/root.sh b/test/root/root.sh index 494bd4fe7..01c372f68 100755 --- a/test/root/root.sh +++ b/test/root/root.sh | |||
@@ -53,6 +53,9 @@ fi | |||
53 | echo "TESTING: fs private (test/root/private.exp)" | 53 | echo "TESTING: fs private (test/root/private.exp)" |
54 | ./private.exp | 54 | ./private.exp |
55 | 55 | ||
56 | echo "TESTING: fs whitelist mnt, opt, media(test/root/whitelist-mnt.exp)" | ||
57 | ./whitelist-mnt.exp | ||
58 | |||
56 | #******************************** | 59 | #******************************** |
57 | # seccomp | 60 | # seccomp |
58 | #******************************** | 61 | #******************************** |
diff --git a/test/root/whitelist-mnt.exp b/test/root/whitelist-mnt.exp new file mode 100755 index 000000000..58ae4fffc --- /dev/null +++ b/test/root/whitelist-mnt.exp | |||
@@ -0,0 +1,86 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 10 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "touch /mnt/firejail-test-file\r" | ||
11 | after 100 | ||
12 | send -- "firejail --whitelist=/mnt/firejail-test-file --debug\r" | ||
13 | expect { | ||
14 | timeout {puts "TESTING ERROR 0\n";exit} | ||
15 | "Child process initialized" | ||
16 | } | ||
17 | sleep 1 | ||
18 | |||
19 | send -- "find /mnt | wc -l\r" | ||
20 | expect { | ||
21 | timeout {puts "TESTING ERROR 1\n";exit} | ||
22 | "2" | ||
23 | } | ||
24 | after 100 | ||
25 | send -- "exit\r" | ||
26 | sleep 1 | ||
27 | |||
28 | |||
29 | send -- "touch /opt/firejail-test-file\r" | ||
30 | after 100 | ||
31 | send -- "firejail --whitelist=/opt/firejail-test-file --debug\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 0\n";exit} | ||
34 | "Child process initialized" | ||
35 | } | ||
36 | sleep 1 | ||
37 | |||
38 | send -- "find /opt | wc -l\r" | ||
39 | expect { | ||
40 | timeout {puts "TESTING ERROR 1\n";exit} | ||
41 | "2" | ||
42 | } | ||
43 | after 100 | ||
44 | send -- "exit\r" | ||
45 | sleep 1 | ||
46 | |||
47 | send -- "touch /media/firejail-test-file\r" | ||
48 | after 100 | ||
49 | send -- "firejail --whitelist=/media/firejail-test-file --debug\r" | ||
50 | expect { | ||
51 | timeout {puts "TESTING ERROR 0\n";exit} | ||
52 | "Child process initialized" | ||
53 | } | ||
54 | sleep 1 | ||
55 | |||
56 | send -- "find /media | wc -l\r" | ||
57 | expect { | ||
58 | timeout {puts "TESTING ERROR 1\n";exit} | ||
59 | "2" | ||
60 | } | ||
61 | after 100 | ||
62 | send -- "exit\r" | ||
63 | sleep 1 | ||
64 | |||
65 | |||
66 | send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r" | ||
67 | expect { | ||
68 | timeout {puts "TESTING ERROR 0\n";exit} | ||
69 | "Child process initialized" | ||
70 | } | ||
71 | sleep 1 | ||
72 | |||
73 | send -- "find /var | wc -l\r" | ||
74 | expect { | ||
75 | timeout {puts "TESTING ERROR 1\n";exit} | ||
76 | "" | ||
77 | } | ||
78 | after 100 | ||
79 | send -- "exit\r" | ||
80 | sleep 1 | ||
81 | |||
82 | |||
83 | |||
84 | after 100 | ||
85 | puts "\nall done\n" | ||
86 | |||