-rw-r--r-- | etc/slack.profile | 2 | ||||
-rwxr-xr-x | gcov.sh | 5 | ||||
-rw-r--r-- | src/fldd/main.c | 5 | ||||
-rwxr-xr-x | test/fs/fs.sh | 3 | ||||
-rwxr-xr-x | test/fs/private-lib.exp | 44 | ||||
-rwxr-xr-x | test/root/checkcfg.exp | 14 | ||||
-rwxr-xr-x | test/root/firecfg.exp | 40 | ||||
-rwxr-xr-x | test/root/seccomp-chown.exp | 17 | ||||
-rwxr-xr-x | test/utils/seccomp-print.exp | 4 |
9 files changed, 105 insertions, 29 deletions
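--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -36,5 +36,5 @@ shell none
 disable-mnt
 private-bin slack
 private-dev
-private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
+private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime
 private-tmp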
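Review bot: The widened `private-etc` line now lets the sandboxed process read `passwd` and `group` as well as the TLS and audio entries, and nothing in the profile records why each entry is needed. A short comment above the line would keep later edits from growing the list without review, for example `# private-etc: ca-certificates,ssl for TLS validation; asound.conf,pulse for audio; passwd,group for user lookup`. The purposes in that example are inferred from the entry names and should be confirmed against what the application actually requires.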
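--- a/gcov.sh
+++ b/gcov.sh
@@ -8,12 +8,13 @@ gcov_init() {
 /usr/lib/firejail/fseccomp --help > /dev/null
 /usr/lib/firejail/ftee --help > /dev/null
 /usr/lib/firejail/fcopy --help > /dev/null
+/usr/lib/firejail/fldd --help > /dev/null
 firecfg --help > /dev/null
 sudo chown $USER:$USER `find .`
 }
 
 generate() {
-lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file-new
+lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-new
 lcov --add-tracefile gcov-file-old --add-tracefile gcov-file-new --output-file gcov-file
 rm -fr gcov-dir
 genhtml -q gcov-file --output-directory gcov-dir
@@ -24,7 +25,7 @@ generate() {
 
 
 gcov_init
-lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file-old
+lcov -q --capture -d src/firejail -d src/firemon -d src/fcopy -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg -d src/fldd --output-file gcov-file-old
 
 #make test-environment
 #generate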
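Review bot: The list of `-d src/...` directories is maintained in two places in the visible hunks (inside `generate()` and in the top-level capture after `gcov_init`), and this commit had to add `-d src/fldd` to both. Holding the list once, e.g. `GCOV_DIRS="-d src/firejail ... -d src/fldd"` and calling `lcov -q --capture $GCOV_DIRS --output-file gcov-file-new`, would keep the old and new trace files covering the same directories. The body of `generate()` continues past the end of the first hunk.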
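--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -265,6 +265,11 @@ printf("\n");
 }
 
 
+if (strcmp(argv[1], "--help") == 0) {
+usage();
+return 0;
+}
+
 // check program access
 if (access(argv[1], R_OK)) {
 fprintf(stderr, "Error fldd: cannot access %s\n", argv[1]);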
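Review bot: The new `strcmp(argv[1], "--help")` reads `argv[1]` and no `argc` check is visible in the hunk; main() starts above it, so this presumably relies on an earlier guard, which is worth confirming because `strcmp` on a NULL `argv[1]` is undefined behaviour. If no guard exists, `if (argc < 2) { usage(); return 1; }` ahead of the comparison would cover both this check and the `access(argv[1], R_OK)` call below. A one-line comment such as `// --help is handled before the argument is treated as a program path` would also explain the ordering.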
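--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -28,6 +28,9 @@ echo "TESTING: kmsg access (test/fs/kmsg.exp)"
 echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
 ./fs_var_tmp.exp
 
+echo "TESTING: private-lib (test/fs/private-lib.exp)"
+./private-lib.exp
+
 echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
 ./fs_var_lock.exp
 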
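--- /dev/null
+++ b/test/fs/private-lib.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-lib --private-bin=sh,bash,dash,ps,grep,ls,find,echo \r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+after 100
+
+send -- "find /bin; echo done\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"rm" {puts "TESTING ERROR 3\n";exit}
+"cp" {puts "TESTING ERROR 4\n";exit}
+"done"
+}
+after 100
+
+send -- "find /lib; echo done\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"modules" {puts "TESTING ERROR 6\n";exit}
+"firmware" {puts "TESTING ERROR 7\n";exit}
+"libc.so"
+}
+after 100
+
+send -- "find /usr/lib; echo done\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"grub" {puts "TESTING ERROR 9\n";exit}
+"mozilla" {puts "TESTING ERROR 10\n";exit}
+"libdl.so"
+}
+after 100
+
+puts "\nall done\n"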
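Review bot: The negative checks in this test can be skipped by output ordering, so a sandbox that still exposes unwanted paths under `--private-lib` or `--private-bin` may pass. In the `find /lib` and `find /usr/lib` blocks the terminating pattern is `"libc.so"` / `"libdl.so"`, so expect returns at the first library hit and any `modules`, `firmware`, `grub` or `mozilla` path printed afterwards is never examined. In the `find /bin` block the terminator `"done"` is also part of the typed command, which the terminal presumably echoes back before `find` prints anything. Following each block with a second expect that repeats the negative patterns and ends on `"done"` closes the first gap, as sketched below for `/lib`. The echo concern also applies to the `"done\r"` expect added in test/root/checkcfg.exp and to the first `"done"` expect in test/root/seccomp-chown.exp.

```tcl
# … unchanged: send "find /lib; echo done\r" and the first expect block ending on "libc.so" …
expect {
    timeout {puts "TESTING ERROR 5\n";exit}
    "modules" {puts "TESTING ERROR 6\n";exit}
    "firmware" {puts "TESTING ERROR 7\n";exit}
    "done"
}
after 100
```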
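--- a/test/root/checkcfg.exp
+++ b/test/root/checkcfg.exp
@@ -88,6 +88,7 @@ expect {
 timeout {puts "TESTING ERROR 9\n";exit}
 "noroot feature is disabled in Firejail configuration file\r"
 }
+sleep 1
 
 # netfilter-default
 send -- "echo \"netfilter-default blablabla\" > /etc/firejail/firejail.config\r"
@@ -97,6 +98,7 @@ expect {
 timeout {puts "TESTING ERROR 10\n";exit}
 "netfilter-default file blablabla not available\r"
 }
+after 100
 
 # strings
 send -- "echo \"xephyr-screen 800x600\" > /etc/firejail/firejail.config\r"
@@ -104,17 +106,15 @@ after 100
 send -- "echo \"xvfb-screen 800x600x24\" >> /etc/firejail/firejail.config\r"
 after 100
 send -- "echo \"xvfb-extra-params blablabla\" >> /etc/firejail/firejail.config\r"
-after 100
-send -- "firejail --noprofile\r"
+sleep 1
+send -- "firejail --noprofile echo done\r"
 expect {
 timeout {puts "TESTING ERROR 11\n";exit}
-"Child process initialized\r"
+"done\r"
 }
-after 100
-send -- "exit\r"
-after 100
+sleep 1
 
-# error exit
+after 100
 send -- "echo \"join no\" > /etc/firejail/firejail.config\r"
 after 100
 send -- "echo \"cache-tmpfs no\" >> /etc/firejail/firejail.config\r"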
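Review bot: The last visible hunk replaces the `# error exit` section comment with `after 100`, so the block that writes `join no` and `cache-tmpfs no` is the only section in view without a label, and it now follows `sleep 1`, a blank line and another `after 100`. Keeping the label `# error exit` and dropping the extra `after 100` would keep the file consistent with the `# netfilter-default` and `# strings` sections. The file also now mixes `sleep 1` and `after 100` for the same purpose; a brief comment on why the longer wait is needed after writing firejail.config would help whoever tunes these timings next.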
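--- a/test/root/firecfg.exp
+++ b/test/root/firecfg.exp
@@ -15,40 +15,64 @@ expect {
 timeout {puts "TESTING ERROR 0\n";exit}
 "/usr/local/bin/firefox removed"
 }
-after 100
+sleep 1
+
 send -- "file /usr/local/bin/firefox; echo done\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "symbolic link to /usr/bin/firejail" {puts "TESTING ERROR 2\n";exit}
 "done"
 }
-after 100
+sleep 1
 
 send -- "firecfg\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"/usr/local/bin/firefox created"
+"firefox created"
 }
-after 100
+sleep 1
+
 send -- "file /usr/local/bin/firefox\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "symbolic link to /usr/bin/firejail"
 }
-after 100
+sleep 1
 
 send -- "firecfg --list\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "/usr/local/bin/firefox"
 }
-after 100
+sleep 1
 
 send -- "firecfg --fix\r"
 expect {
-timeout {puts "TESTING ERROR 5\n";exit}
+timeout {puts "TESTING ERROR 6\n";exit}
 "this option is not supported for root user"
 }
+sleep 1
+
+send -- "firecfg --fix-sound\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"PulseAudio configured, please logout and login back again"
+}
+sleep 1
+
+send -- "firecfg --version\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"firecfg version"
+}
+sleep 1
+
+send -- "firecfg --blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"invalid command line option"
+}
+sleep 1
+
 
-after 100
 puts "\nall done\n"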
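Review bot: The added `firecfg --fix-sound` step appears, from its own success message, to write PulseAudio configuration for the user running the test, and nothing in the hunk restores the previous state afterwards. Since this file lives under test/root, that change would presumably be left on the root account of the test machine; a comment such as `# NOTE: --fix-sound modifies the PulseAudio configuration of the invoking user` above the block, or a cleanup step, would make the side effect explicit. Separately, the match for the created symlink was loosened from `/usr/local/bin/firefox created` to `firefox created`, which no longer pins the directory, although the `file /usr/local/bin/firefox` check that follows still covers it.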
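--- a/test/root/seccomp-chown.exp
+++ b/test/root/seccomp-chown.exp
@@ -14,33 +14,32 @@ expect {
 }
 sleep 2
 
-send -- "touch testfile;pwd\r"
+send -- "touch testfile; echo done\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"/root" {puts "running as root"}
-"/home"
+"done"
 }
+after 100
 
-send -- "ls -l testfile;pwd\r"
+send -- "ls -l testfile; echo done\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "testfile"
 }
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"/root" {puts "running as root"}
-"/home"
+"done"
 }
+after 100
 
-send -- "chown netblue:netblue testfile;pwd\r"
+send -- "chown netblue:netblue testfile; echo done\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "Bad system call"
 }
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"/root" {puts "running as root"}
-"/home"
+"done"
 }
 
 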
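Review bot: The `chown` block still reports `TESTING ERROR 2` and `TESTING ERROR 3` on timeout, the same labels the `ls -l testfile` block uses, so a failure there cannot be told apart from a failure in the seccomp check itself. This commit fixed the equivalent duplicate label in test/root/firecfg.exp; renumbering here to `timeout {puts "TESTING ERROR 4\n";exit}` and `timeout {puts "TESTING ERROR 5\n";exit}` would do the same. The expect block closed by the hunk's first line opens above the hunk.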
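--- a/test/utils/seccomp-print.exp
+++ b/test/utils/seccomp-print.exp
@@ -22,11 +22,11 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
-"init_module"
+"delete_module"
 }
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"delete_module"
+"init_module"
 }
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}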
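Review bot: Swapping the two patterns shows that these consecutive expect blocks encode the order in which the filter's syscalls are printed, not just their presence, so the test breaks whenever that listing is reordered. A comment before the sequence, e.g. `# patterns must follow the order in which the syscall list is printed`, would document the coupling. The sequence of expect blocks starts above the hunk and continues below it.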