diff options
| -rw-r--r-- | etc/server.profile | 3 | ||||
| -rwxr-xr-x | test/test-root.sh | 37 | ||||
| -rw-r--r-- | todo | 2 |
3 files changed, 22 insertions, 20 deletions
diff --git a/etc/server.profile b/etc/server.profile index dde80bd18..61d10ba64 100644 --- a/etc/server.profile +++ b/etc/server.profile | |||
| @@ -2,6 +2,9 @@ | |||
| 2 | # it allows /sbin and /usr/sbin directories - this is where servers are installed | 2 | # it allows /sbin and /usr/sbin directories - this is where servers are installed |
| 3 | noblacklist /sbin | 3 | noblacklist /sbin |
| 4 | noblacklist /usr/sbin | 4 | noblacklist /usr/sbin |
| 5 | include /etc/firejail/disable-common.inc | ||
| 6 | include /etc/firejail/disable-programs.inc | ||
| 7 | |||
| 5 | private | 8 | private |
| 6 | private-dev | 9 | private-dev |
| 7 | private-tmp | 10 | private-tmp |
diff --git a/test/test-root.sh b/test/test-root.sh index 1c3fc4c96..7e1a0b968 100755 --- a/test/test-root.sh +++ b/test/test-root.sh | |||
| @@ -2,80 +2,81 @@ | |||
| 2 | 2 | ||
| 3 | ./chk_config.exp | 3 | ./chk_config.exp |
| 4 | 4 | ||
| 5 | echo "TESTING: tmpfs" | 5 | echo "TESTING: tmpfs (option_tmpfs.exp)" |
| 6 | ./option_tmpfs.exp | 6 | ./option_tmpfs.exp |
| 7 | 7 | ||
| 8 | echo "TESTING: profile tmpfs" | 8 | echo "TESTING: profile tmpfs (profile_tmpfs)" |
| 9 | ./profile_tmpfs.exp | 9 | ./profile_tmpfs.exp |
| 10 | 10 | ||
| 11 | echo "TESTING: network interfaces" | 11 | echo "TESTING: network interfaces (net_interface.exp)" |
| 12 | ./net_interface.exp | 12 | ./net_interface.exp |
| 13 | 13 | ||
| 14 | echo "TESTING: chroot" | 14 | echo "TESTING: chroot (fs_chroot_asroot.exp)" |
| 15 | ./fs_chroot_asroot.exp | 15 | ./fs_chroot_asroot.exp |
| 16 | 16 | ||
| 17 | if [ -f /etc/init.d/snmpd ] | 17 | if [ -f /etc/init.d/snmpd ] |
| 18 | then | 18 | then |
| 19 | echo "TESTING: servers snmpd, private-dev" | 19 | echo "TESTING: servers snmpd, private-dev (servers2.exp)" |
| 20 | ./servers2.exp | 20 | ./servers2.exp |
| 21 | fi | 21 | fi |
| 22 | 22 | ||
| 23 | if [ -f /etc/init.d/apache2 ] | 23 | if [ -f /etc/init.d/apache2 ] |
| 24 | then | 24 | then |
| 25 | echo "TESTING: servers apache2, private-dev, private-tmp" | 25 | echo "TESTING: servers apache2, private-dev, private-tmp (servers3.exp)" |
| 26 | ./servers3.exp | 26 | ./servers3.exp |
| 27 | fi | 27 | fi |
| 28 | 28 | ||
| 29 | if [ -f /etc/init.d/isc-dhcp-server ] | 29 | if [ -f /etc/init.d/isc-dhcp-server ] |
| 30 | then | 30 | then |
| 31 | echo "TESTING: servers isc dhcp server, private-dev" | 31 | echo "TESTING: servers isc dhcp server, private-dev (servers4.exp)" |
| 32 | ./servers4.exp | 32 | ./servers4.exp |
| 33 | fi | 33 | fi |
| 34 | 34 | ||
| 35 | if [ -f /etc/init.d/unbound ] | 35 | if [ -f /etc/init.d/unbound ] |
| 36 | then | 36 | then |
| 37 | echo "TESTING: servers unbound, private-dev, private-tmp" | 37 | echo "TESTING: servers unbound, private-dev, private-tmp (servers5.exp)" |
| 38 | ./servers5.exp | 38 | ./servers5.exp |
| 39 | fi | 39 | fi |
| 40 | 40 | ||
| 41 | if [ -f /etc/init.d/nginx ] | 41 | if [ -f /etc/init.d/nginx ] |
| 42 | then | 42 | then |
| 43 | echo "TESTING: servers nginx, private-dev, private-tmp" | 43 | echo "TESTING: servers nginx, private-dev, private-tmp (servers6.exp)" |
| 44 | ./servers6.exp | 44 | ./servers6.exp |
| 45 | fi | 45 | fi |
| 46 | 46 | ||
| 47 | echo "TESTING: /proc/sysrq-trigger reset disabled" | 47 | echo "TESTING: /proc/sysrq-trigger reset disabled (sysrq-trigger.exp)" |
| 48 | ./sysrq-trigger.exp | 48 | ./sysrq-trigger.exp |
| 49 | 49 | ||
| 50 | echo "TESTING: seccomp umount" | 50 | echo "TESTING: seccomp umount (seccomp-umount.exp)" |
| 51 | ./seccomp-umount.exp | 51 | ./seccomp-umount.exp |
| 52 | 52 | ||
| 53 | echo "TESTING: seccomp chmod (seccomp lists)" | 53 | echo "TESTING: seccomp chmod (seccomp-chmod.exp)" |
| 54 | ./seccomp-chmod.exp | 54 | ./seccomp-chmod.exp |
| 55 | 55 | ||
| 56 | echo "TESTING: seccomp chown (seccomp lists)" | 56 | echo "TESTING: seccomp chown (seccomp-chown.exp)" |
| 57 | ./seccomp-chown.exp | 57 | ./seccomp-chown.exp |
| 58 | 58 | ||
| 59 | echo "TESTING: bind directory" | 59 | echo "TESTING: bind directory (option_bind_directory.exp)" |
| 60 | ./option_bind_directory.exp | 60 | ./option_bind_directory.exp |
| 61 | 61 | ||
| 62 | echo "TESTING: bind file" | 62 | echo "TESTING: bind file (option_bind_file.exp)" |
| 63 | echo hello > tmpfile | 63 | echo hello > tmpfile |
| 64 | ./option_bind_file.exp | 64 | ./option_bind_file.exp |
| 65 | rm -f tmpfile | 65 | rm -f tmpfile |
| 66 | 66 | ||
| 67 | echo "TESTING: firemon --interface" | 67 | echo "TESTING: firemon --interface (firemon-interface.exp)" |
| 68 | ./firemon-interface.exp | 68 | ./firemon-interface.exp |
| 69 | 69 | ||
| 70 | if [ -f /sys/fs/cgroup/g1/tasks ] | 70 | if [ -f /sys/fs/cgroup/g1/tasks ] |
| 71 | then | 71 | then |
| 72 | echo "TESTING: firemon --cgroup" | 72 | echo "TESTING: firemon --cgroup (firemon-cgroup.exp)" |
| 73 | ./firemon-cgroup.exp | 73 | ./firemon-cgroup.exp |
| 74 | fi | 74 | fi |
| 75 | 75 | ||
| 76 | echo "TESTING: chroot resolv.conf" | 76 | echo "TESTING: chroot resolv.conf (chroot-resolvconf.exp)" |
| 77 | rm -f tmpfile | 77 | rm -f tmpfile |
| 78 | touch tmpfile | 78 | touch tmpfile |
| 79 | rm -f /tmp/chroot/etc/resolv.conf | ||
| 79 | ln -s tmp /tmp/chroot/etc/resolv.conf | 80 | ln -s tmp /tmp/chroot/etc/resolv.conf |
| 80 | ./chroot-resolvconf.exp | 81 | ./chroot-resolvconf.exp |
| 81 | rm -f tmpfile | 82 | rm -f tmpfile |
| @@ -75,5 +75,3 @@ CapBnd: 0000003fffffffff | |||
| 75 | CapAmb: 0000000000000000 | 75 | CapAmb: 0000000000000000 |
| 76 | 76 | ||
| 77 | 11. cleanup thunderbird profile - disable-common was commented out | 77 | 11. cleanup thunderbird profile - disable-common was commented out |
| 78 | |||
| 79 | 12. removed disable_mgmgt.inc form server.profile, replace the information | ||