-rwxr-xr-x | configure | 4 | ||||
-rw-r--r-- | configure.ac | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 | ||||
-rw-r--r-- | src/firejail/sbox.c | 2 | ||||
-rw-r--r-- | src/fnet/interface.c | 1 | ||||
-rwxr-xr-x | test/network/interface.exp | 66 | ||||
-rwxr-xr-x | test/network/net_scan.exp | 75 | ||||
-rwxr-xr-x | test/network/network.sh | 6 |
8 files changed, 156 insertions, 10 deletions
@@ -3704,7 +3704,7 @@ fi | |||
3704 | 3704 | ||
3705 | if test "x$enable_gcov" = "xyes"; then : | 3705 | if test "x$enable_gcov" = "xyes"; then : |
3706 | 3706 | ||
3707 | HAVE_GCOV="--coverage " | 3707 | HAVE_GCOV="--coverage -DHAVE_GCOV " |
3708 | EXTRA_LDFLAGS+="-lgcov --coverage " | 3708 | EXTRA_LDFLAGS+="-lgcov --coverage " |
3709 | 3709 | ||
3710 | 3710 | ||
@@ -4970,9 +4970,9 @@ echo " whitelisting: $HAVE_WHITELIST" | |||
4970 | echo " private home support: $HAVE_PRIVATE_HOME" | 4970 | echo " private home support: $HAVE_PRIVATE_HOME" |
4971 | echo " file transfer support: $HAVE_FILE_TRANSFER" | 4971 | echo " file transfer support: $HAVE_FILE_TRANSFER" |
4972 | echo " overlayfs support: $HAVE_OVERLAYFS" | 4972 | echo " overlayfs support: $HAVE_OVERLAYFS" |
4973 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | ||
4974 | echo " busybox workaround: $BUSYBOX_WORKAROUND" | 4973 | echo " busybox workaround: $BUSYBOX_WORKAROUND" |
4975 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" | 4974 | echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" |
4975 | echo " fatal warnings: $HAVE_FATAL_WARNINGS" | ||
4976 | echo " Gcov instrumentation: $HAVE_GCOV" | 4976 | echo " Gcov instrumentation: $HAVE_GCOV" |
4977 | echo | 4977 | echo |
4978 | 4978 | ||
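--- a/configure.ac
+++ b/configure.ac
@@ -140,7 +140,7 @@ HAVE_GCOV=""
 AC_ARG_ENABLE([gcov],
 AS_HELP_STRING([--enable-gcov], [Gcov instrumentation]))
 AS_IF([test "x$enable_gcov" = "xyes"], [
-HAVE_GCOV="--coverage "
+HAVE_GCOV="--coverage -DHAVE_GCOV "
 EXTRA_LDFLAGS+="-lgcov --coverage "
 AC_SUBST(HAVE_GCOV)
 ])
@@ -178,9 +178,9 @@ echo " whitelisting: $HAVE_WHITELIST"
 echo " private home support: $HAVE_PRIVATE_HOME"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " overlayfs support: $HAVE_OVERLAYFS"
-echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 echo " busybox workaround: $BUSYBOX_WORKAROUND"
 echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS"
+echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 echo " Gcov instrumentation: $HAVE_GCOV"
 echo
 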
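Review bot: The new `-DHAVE_GCOV` travels inside the HAVE_GCOV flags string rather than through AC_DEFINE, so it only reaches a translation unit whose Makefile passes $(HAVE_GCOV) to the compiler; whether src/firejail's Makefile does so is not visible in this diff. Because src/firejail/sbox.c in this same commit keys a capability filter on that macro, the assignment should record the side effect, e.g. `# -DHAVE_GCOV also disables the CAP_NET_ADMIN/CAP_NET_RAW filter in sbox.c; coverage builds are not for release`. The reordering of the summary echo lines is cosmetic.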
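--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -481,28 +481,24 @@ int sandbox(void* sandbox_arg) {
 sandbox_if_up(&cfg.bridge3);
 
 
-// todo: this code seems to be dead!!!
-// enable interfaces
+// moving an interface in a namespace using --interface will reset the interface configuration;
+// we need to put the configuration back
 if (cfg.interface0.configured && cfg.interface0.ip) {
-assert(0);
 if (arg_debug)
 printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev);
 net_config_interface(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu);
 }
 if (cfg.interface1.configured && cfg.interface1.ip) {
-assert(0);
 if (arg_debug)
 printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev);
 net_config_interface(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu);
 }
 if (cfg.interface2.configured && cfg.interface2.ip) {
-assert(0);
 if (arg_debug)
 printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev);
 net_config_interface(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu);
 }
 if (cfg.interface3.configured && cfg.interface3.ip) {
-assert(0);
 if (arg_debug)
 printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev);
 net_config_interface(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu);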
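Review bot: Removing the `assert(0)` guards makes the four interfaceN blocks live, and they are copies differing only in the struct member name, so any later fix to the guard, the debug message or the net_config_interface() call has to be repeated four times. A small static helper taking a pointer to one cfg.interfaceN entry, doing the configured/ip check, the arg_debug printf and the net_config_interface() call, invoked once per interface, would keep that in one place. The new comment explains why the code exists; it would help to also state that it must run after the interfaces have been moved into the namespace, which the placement presumably guarantees. sandbox() begins before this hunk and continues past it.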
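--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -156,9 +156,11 @@ int sbox_run(unsigned filter, int num, ...) {
 caps_drop_all();
 }
 else if (filter & SBOX_CAPS_NETWORK) {
+#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files
 uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN;
 set |= ((uint64_t) 1) << CAP_NET_RAW;
 caps_set(set);
+#endif
 }
 
 if (filter & SBOX_SECCOMP) {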
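Review bot: With HAVE_GCOV defined, the SBOX_CAPS_NETWORK branch no longer calls caps_set(), so the helper runs with whatever capability set it inherited (presumably the full set, given the caller is the setuid firejail binary) instead of being confined to CAP_NET_ADMIN and CAP_NET_RAW, and nothing at runtime signals that this privilege reduction is absent. A coverage binary that is accidentally packaged would be indistinguishable from a normal one, so make the configuration visible, e.g. `#else` / `fprintf(stderr, "Warning: gcov build, network capability filter disabled in sbox\n");` before the `#endif`. Whether the macro actually reaches this file depends on the src/firejail Makefile passing $(HAVE_GCOV), which is outside this diff. sbox_run() begins before this hunk and continues past it.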
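--- a/src/fnet/interface.c
+++ b/src/fnet/interface.c
@@ -284,6 +284,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
 ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip);
 if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) {
 close(sock);
+fprintf(stderr, "Error fnet: cannot find interface %s\n", ifname);
 errExit("ioctl");
 }
 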
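Review bot: The added message says "cannot find interface", but SIOCSIFADDR also fails for reasons unrelated to the interface's existence (for example EPERM when CAP_NET_ADMIN is missing, or EINVAL for a bad address), so the text can send whoever reads the log in the wrong direction. Prefer wording tied to what was attempted, `fprintf(stderr, "Error fnet: cannot set IP address on interface %s\n", ifname);`, and let errExit("ioctl") supply the errno detail — assuming errExit prints it, which is not visible here. net_if_ip() begins and ends outside this hunk.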
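--- /dev/null
+++ b/test/network/interface.exp
@@ -0,0 +1,66 @@
+#!/usr/bin/expect -f
+#
+# interface
+#
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+set overlay [lindex $argv 0]
+set chroot [lindex $argv 1]
+
+#
+# N
+#
+# todo: seems to be unable to find interface eth0.7
+#send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6 --interface=eth0.7\r"
+send -- "firejail --noprofile --interface=eth0.7 --interface=eth0.6\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "/sbin/ifconfig\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"eth0.5"
+}
+expect {
+timeout {puts "TESTING ERROR 2n";exit}
+"Link"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"10.10.205.10"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1"
+}
+after 100
+
+send -- "/sbin/ifconfig\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"eth0.6"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"Link"
+}
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"10.10.206.10"
+}
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+
+puts "\nall done\n"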
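Review bot: The sandbox is started with `--interface=eth0.7 --interface=eth0.6`, yet the first ifconfig block expects `eth0.5` and `10.10.205.10`; unless eth0.5 is expected to be visible for some other reason, that block should look for eth0.7 and its address, otherwise the run stops at TESTING ERROR 1. The todo above the commented-out command says eth0.7 was the problematic case, so it is worth confirming which interface this test is meant to verify. Separately, the ERROR 2 message lacks its escape: `timeout {puts "TESTING ERROR 2\n";exit}`. The overlay and chroot arguments are read but not used anywhere in the script.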
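--- /dev/null
+++ b/test/network/net_scan.exp
@@ -0,0 +1,75 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+send -- "firejail --net=br1 --ip=10.10.30.50\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"eth0"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"10.10.30.50"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"255.255.255.0"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --net=br1 --ip=10.10.30.51\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"eth0"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"10.10.30.51"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"255.255.255.0"
+}
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --net=br1 --scan\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"eth0"
+}
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"10.10.30.50"
+}
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"10.10.30.51"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+
+
+after 100
+
+puts "\nall done\n"
+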
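Review bot: None of the three spawned shells is ever told to exit, unlike interface.exp, so the two sandboxes holding 10.10.30.50 and 10.10.30.51 are still running after "all done" and leak into whatever network.sh runs next. They do need to stay up until the --scan output has been checked, so save spawn_id after each `spawn` (each call overwrites it) and, once ERROR 11 has passed, `send -i $id "exit\r"` to each saved id. The lone `#` comment line and the three blank lines before `after 100` add nothing and can go.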
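--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -52,6 +52,12 @@ echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
 echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
 ./net_defaultgw3.exp
 
+echo "TESTING: scan (net_scan.exp)"
+./net_scan.exp
+
+echo "TESTING: interface (interface.exp)"
+./interface.exp
+
 echo "TESTING: netfilter (net_netfilter.exp)"
 ./net_netfilter.exp
 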