5 files changed, 275 insertions, 2 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9c96f976a..96407d081 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -464,6 +464,9 @@ static void close_file_descriptors(void) {
        if (arg_keep_fd_all)
                return;
+        if (arg_debug)
+                printf("Closing non-standard file descriptors\n");
        if (!cfg.keep_fd) {
                close_all(NULL, 0);
                return;
diff --git a/test/environment/deterministic-shutdown.exp b/test/environment/deterministic-shutdown.exp
index dbbe226bb..be4e9c42e 100755
--- a/test/environment/deterministic-shutdown.exp
+++ b/test/environment/deterministic-shutdown.exp
@@ -3,14 +3,15 @@
 # Copyright (C) 2014-2022 Firejail Authors
 # License GPL v2
-set timeout 5
+set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --deterministic-shutdown bash -c \"sleep 10 & exec sleep 1\"\r"
+send -- "firejail --deterministic-shutdown bash -c \"sleep 100 & exec sleep 1\"\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Parent is shutting down, bye..."
 }
+after 100
 puts "\nall done\n"
diff --git a/test/environment/environment.sh b/test/environment/environment.sh
index ce0bb306c..2b77973ac 100755
--- a/test/environment/environment.sh
+++ b/test/environment/environment.sh
@@ -127,5 +127,11 @@ echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code
 echo "TESTING: deterministic shutdown (test/environment/deterministic-shutdown.exp)"
 ./deterministic-shutdown.exp
+echo "TESTING: keep fd (test/environment/keep-fd.exp)"
+./keep-fd.exp
+echo "TESTING: keep fd errors (test/environment/keep-fd-bad.exp)"
+./keep-fd-bad.exp
 echo "TESTING: retain umask (test/environment/umask.exp)"
 (umask 123 && ./umask.exp)
diff --git a/test/environment/keep-fd-bad.exp b/test/environment/keep-fd-bad.exp
new file mode 100755
index 000000000..e8b411ea0
--- /dev/null
+++ b/test/environment/keep-fd-bad.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --noprofile --keep-fd=\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+send -- "firejail --noprofile --keep-fd=,,,\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+send -- "firejail --noprofile --keep-fd=dall\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+send -- "firejail --noprofile --keep-fd=6,7,8,10b,11\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Error: invalid keep-fd option"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/environment/keep-fd.exp b/test/environment/keep-fd.exp
new file mode 100755
index 000000000..222234ceb
--- /dev/null
+++ b/test/environment/keep-fd.exp
@@ -0,0 +1,223 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+#
+# obtain some open file descriptors
+#
+send -- "exec {WRITE_FD}> blabla\r"
+after 100
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "/blabla"
+}
+after 100
+send -- "exec {READ_FD}< blabla\r"
+after 100
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "/blabla"
+}
+after 100
+#
+# inherit environment variables
+#
+send -- "export READ_FD\r"
+send -- "export WRITE_FD\r"
+after 100
+#
+# close all file descriptors
+# 0, 1, 2 stay open
+#
+send -- "firejail --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Child process initialized"
+}
+after 100
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "4"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "No such file or directory"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "No such file or directory"
+}
+after 100
+send -- "exit\r"
+after 500
+#
+# keep one file descriptor
+#
+send -- "firejail --noprofile --keep-fd=\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Child process initialized"
+}
+after 100
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "5"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "/blabla"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "No such file or directory"
+}
+after 100
+send -- "exit\r"
+after 500
+#
+# keep other file descriptor
+#
+send -- "firejail --noprofile --keep-fd=\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Child process initialized"
+}
+after 100
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "5"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "No such file or directory"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "/blabla"
+}
+after 100
+send -- "exit\r"
+after 500
+#
+# keep both file descriptors
+#
+send -- "firejail --noprofile --keep-fd=\$READ_FD,\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "Child process initialized"
+}
+after 100
+# off by one because of ls
+send -- "ls /proc/self/fd | wc -w\r"
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "6"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "/blabla"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "/blabla"
+}
+after 100
+send -- "exit\r"
+after 500
+#
+# keep all file descriptors
+#
+send -- "firejail --noprofile --keep-fd=all\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$READ_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "/blabla"
+}
+after 100
+send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "/blabla"
+}
+after 100
+send -- "exit\r"
+after 500
+#
+# cleanup
+#
+send -- "rm -f blabla\r"
+after 100
+puts "\nall done\n"

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9c96f976a..96407d081 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -464,6 +464,9 @@ static void close_file_descriptors(void) {
464	if (arg_keep_fd_all)	464	if (arg_keep_fd_all)
465	return;	465	return;
466		466
		467	if (arg_debug)
		468	printf("Closing non-standard file descriptors\n");
		469
467	if (!cfg.keep_fd) {	470	if (!cfg.keep_fd) {
468	close_all(NULL, 0);	471	close_all(NULL, 0);
469	return;	472	return;


diff --git a/test/environment/deterministic-shutdown.exp b/test/environment/deterministic-shutdown.exp index dbbe226bb..be4e9c42e 100755 --- a/test/environment/deterministic-shutdown.exp +++ b/test/environment/deterministic-shutdown.exp
@@ -3,14 +3,15 @@
3	# Copyright (C) 2014-2022 Firejail Authors	3	# Copyright (C) 2014-2022 Firejail Authors
4	# License GPL v2	4	# License GPL v2
5		5
6	set timeout 5	6	set timeout 10
7	spawn $env(SHELL)	7	spawn $env(SHELL)
8	match_max 100000	8	match_max 100000
9		9
10	send -- "firejail --deterministic-shutdown bash -c \"sleep 10 & exec sleep 1\"\r"	10	send -- "firejail --deterministic-shutdown bash -c \"sleep 100 & exec sleep 1\"\r"
11	expect {	11	expect {
12	timeout {puts "TESTING ERROR 0\n";exit}	12	timeout {puts "TESTING ERROR 0\n";exit}
13	"Parent is shutting down, bye..."	13	"Parent is shutting down, bye..."
14	}	14	}
		15	after 100
15		16
16	puts "\nall done\n"	17	puts "\nall done\n"


diff --git a/test/environment/environment.sh b/test/environment/environment.sh index ce0bb306c..2b77973ac 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh
@@ -127,5 +127,11 @@ echo "TESTING: deterministic exit code (test/environment/deterministic-exit-code
127	echo "TESTING: deterministic shutdown (test/environment/deterministic-shutdown.exp)"	127	echo "TESTING: deterministic shutdown (test/environment/deterministic-shutdown.exp)"
128	./deterministic-shutdown.exp	128	./deterministic-shutdown.exp
129		129
		130	echo "TESTING: keep fd (test/environment/keep-fd.exp)"
		131	./keep-fd.exp
		132
		133	echo "TESTING: keep fd errors (test/environment/keep-fd-bad.exp)"
		134	./keep-fd-bad.exp
		135
130	echo "TESTING: retain umask (test/environment/umask.exp)"	136	echo "TESTING: retain umask (test/environment/umask.exp)"
131	(umask 123 && ./umask.exp)	137	(umask 123 && ./umask.exp)


diff --git a/test/environment/keep-fd-bad.exp b/test/environment/keep-fd-bad.exp new file mode 100755 index 000000000..e8b411ea0 --- /dev/null +++ b/test/environment/keep-fd-bad.exp
@@ -0,0 +1,40 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2022 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10
		11	send -- "firejail --noprofile --keep-fd=\r"
		12	expect {
		13	timeout {puts "TESTING ERROR 0\n";exit}
		14	"Error: invalid keep-fd option"
		15	}
		16	after 100
		17
		18	send -- "firejail --noprofile --keep-fd=,,,\r"
		19	expect {
		20	timeout {puts "TESTING ERROR 1\n";exit}
		21	"Error: invalid keep-fd option"
		22	}
		23	after 100
		24
		25	send -- "firejail --noprofile --keep-fd=dall\r"
		26	expect {
		27	timeout {puts "TESTING ERROR 2\n";exit}
		28	"Error: invalid keep-fd option"
		29	}
		30	after 100
		31
		32	send -- "firejail --noprofile --keep-fd=6,7,8,10b,11\r"
		33	expect {
		34	timeout {puts "TESTING ERROR 3\n";exit}
		35	"Error: invalid keep-fd option"
		36	}
		37	after 100
		38
		39
		40	puts "\nall done\n"


diff --git a/test/environment/keep-fd.exp b/test/environment/keep-fd.exp new file mode 100755 index 000000000..222234ceb --- /dev/null +++ b/test/environment/keep-fd.exp
@@ -0,0 +1,223 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2022 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10
		11	#
		12	# obtain some open file descriptors
		13	#
		14	send -- "exec {WRITE_FD}> blabla\r"
		15	after 100
		16
		17	send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
		18	expect {
		19	timeout {puts "TESTING ERROR 0\n";exit}
		20	"/blabla"
		21	}
		22	after 100
		23
		24	send -- "exec {READ_FD}< blabla\r"
		25	after 100
		26
		27	send -- "readlink -v /proc/self/fd/\$READ_FD\r"
		28	expect {
		29	timeout {puts "TESTING ERROR 1\n";exit}
		30	"/blabla"
		31	}
		32	after 100
		33
		34
		35	#
		36	# inherit environment variables
		37	#
		38	send -- "export READ_FD\r"
		39	send -- "export WRITE_FD\r"
		40	after 100
		41
		42
		43	#
		44	# close all file descriptors
		45	# 0, 1, 2 stay open
		46	#
		47	send -- "firejail --noprofile\r"
		48	expect {
		49	timeout {puts "TESTING ERROR 2\n";exit}
		50	"Child process initialized"
		51	}
		52	after 100
		53
		54	# off by one because of ls
		55	send -- "ls /proc/self/fd \| wc -w\r"
		56	expect {
		57	timeout {puts "TESTING ERROR 3\n";exit}
		58	"4"
		59	}
		60	after 100
		61
		62	send -- "readlink -v /proc/self/fd/\$READ_FD\r"
		63	expect {
		64	timeout {puts "TESTING ERROR 4\n";exit}
		65	"No such file or directory"
		66	}
		67	after 100
		68
		69	send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
		70	expect {
		71	timeout {puts "TESTING ERROR 5\n";exit}
		72	"No such file or directory"
		73	}
		74	after 100
		75
		76	send -- "exit\r"
		77	after 500
		78
		79
		80	#
		81	# keep one file descriptor
		82	#
		83	send -- "firejail --noprofile --keep-fd=\$READ_FD\r"
		84	expect {
		85	timeout {puts "TESTING ERROR 6\n";exit}
		86	"Child process initialized"
		87	}
		88	after 100
		89
		90	# off by one because of ls
		91	send -- "ls /proc/self/fd \| wc -w\r"
		92	expect {
		93	timeout {puts "TESTING ERROR 7\n";exit}
		94	"5"
		95	}
		96	after 100
		97
		98	send -- "readlink -v /proc/self/fd/\$READ_FD\r"
		99	expect {
		100	timeout {puts "TESTING ERROR 8\n";exit}
		101	"/blabla"
		102	}
		103	after 100
		104
		105	send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
		106	expect {
		107	timeout {puts "TESTING ERROR 9\n";exit}
		108	"No such file or directory"
		109	}
		110	after 100
		111
		112	send -- "exit\r"
		113	after 500
		114
		115
		116	#
		117	# keep other file descriptor
		118	#
		119	send -- "firejail --noprofile --keep-fd=\$WRITE_FD\r"
		120	expect {
		121	timeout {puts "TESTING ERROR 10\n";exit}
		122	"Child process initialized"
		123	}
		124	after 100
		125
		126	# off by one because of ls
		127	send -- "ls /proc/self/fd \| wc -w\r"
		128	expect {
		129	timeout {puts "TESTING ERROR 11\n";exit}
		130	"5"
		131	}
		132	after 100
		133
		134	send -- "readlink -v /proc/self/fd/\$READ_FD\r"
		135	expect {
		136	timeout {puts "TESTING ERROR 12\n";exit}
		137	"No such file or directory"
		138	}
		139	after 100
		140
		141	send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
		142	expect {
		143	timeout {puts "TESTING ERROR 13\n";exit}
		144	"/blabla"
		145	}
		146	after 100
		147
		148	send -- "exit\r"
		149	after 500
		150
		151
		152	#
		153	# keep both file descriptors
		154	#
		155	send -- "firejail --noprofile --keep-fd=\$READ_FD,\$WRITE_FD\r"
		156	expect {
		157	timeout {puts "TESTING ERROR 14\n";exit}
		158	"Child process initialized"
		159	}
		160	after 100
		161
		162	# off by one because of ls
		163	send -- "ls /proc/self/fd \| wc -w\r"
		164	expect {
		165	timeout {puts "TESTING ERROR 15\n";exit}
		166	"6"
		167	}
		168	after 100
		169
		170	send -- "readlink -v /proc/self/fd/\$READ_FD\r"
		171	expect {
		172	timeout {puts "TESTING ERROR 16\n";exit}
		173	"/blabla"
		174	}
		175	after 100
		176
		177	send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
		178	expect {
		179	timeout {puts "TESTING ERROR 17\n";exit}
		180	"/blabla"
		181	}
		182	after 100
		183
		184	send -- "exit\r"
		185	after 500
		186
		187
		188	#
		189	# keep all file descriptors
		190	#
		191	send -- "firejail --noprofile --keep-fd=all\r"
		192	expect {
		193	timeout {puts "TESTING ERROR 18\n";exit}
		194	"Child process initialized"
		195	}
		196	after 100
		197
		198	send -- "readlink -v /proc/self/fd/\$READ_FD\r"
		199	expect {
		200	timeout {puts "TESTING ERROR 19\n";exit}
		201	"/blabla"
		202	}
		203	after 100
		204
		205	send -- "readlink -v /proc/self/fd/\$WRITE_FD\r"
		206	expect {
		207	timeout {puts "TESTING ERROR 20\n";exit}
		208	"/blabla"
		209	}
		210	after 100
		211
		212	send -- "exit\r"
		213	after 500
		214
		215
		216	#
		217	# cleanup
		218	#
		219	send -- "rm -f blabla\r"
		220	after 100
		221
		222
		223	puts "\nall done\n"