8 files changed, 270 insertions, 82 deletions
diff --git a/src/jailtest/access.c b/src/jailtest/access.c
index e68227bd2..4e737dc7a 100644
--- a/src/jailtest/access.c
+++ b/src/jailtest/access.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include <dirent.h>
 #include <sys/wait.h>
diff --git a/src/jailtest/apparmor.c b/src/jailtest/apparmor.c
new file mode 100644
index 000000000..43ab8fad0
--- /dev/null
+++ b/src/jailtest/apparmor.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#ifdef HAVE_APPARMOR
+#include <sys/apparmor.h>
+void apparmor_test(pid_t pid) {
+        char *label = NULL;
+        char *mode = NULL;
+        int rv = aa_gettaskcon(pid, &label, &mode);
+        if (rv == -1 || mode == NULL)
+                printf("   Warning: AppArmor not enabled\n");
+}
+#else
+void apparmor_test(uid_t pid) {
+        (void) pid;
+        return;
+}
+#endif
diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h
index 678f94bef..10174cc9a 100644
--- a/src/jailtest/jailtest.h
+++ b/src/jailtest/jailtest.h
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #ifndef JAILTEST_H
 #define JAILTEST_H
@@ -8,6 +27,7 @@ extern uid_t user_uid;
 extern gid_t user_gid;
 extern char *user_name;
 extern char *user_home_dir;
+extern char *user_run_dir;
 // access.c
 void access_setup(const char *directory);
@@ -23,10 +43,16 @@ void virtual_setup(const char *directory);
 void virtual_destroy(void);
 void virtual_test(void);
+// apparmor.c
+void apparmor_test(pid_t pid);
+// seccomp.c
+void seccomp_test(pid_t pid);
 // utils.c
 char *get_sudo_user(void);
 char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
-int find_child(pid_t parent, pid_t *child);
+int find_child(pid_t pid);
 pid_t switch_to_child(pid_t pid);
 #endif
 \ No newline at end of file
diff --git a/src/jailtest/main.c b/src/jailtest/main.c
index 78f162706..850277bc5 100644
--- a/src/jailtest/main.c
+++ b/src/jailtest/main.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include "../include/firejail_user.h"
 #include "../include/pid.h"
@@ -7,6 +26,7 @@ uid_t user_uid = 0;
 gid_t user_gid = 0;
 char *user_name = NULL;
 char *user_home_dir = NULL;
+char *user_run_dir = NULL;
 int arg_debug = 0;
 static char *usage_str =
@@ -73,9 +93,13 @@ int main(int argc, char **argv) {
                fprintf(stderr, "Error: root user not supported\n");
                exit(1);
        }
+        if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
+                errExit("asprintf");
        // test setup
        atexit(cleanup);
+        access_setup("~/.ssh");
+        access_setup("~/.gnupg");
        if (findex > 0) {
                for (i = findex; i < argc; i++)
                        access_setup(argv[i]);
@@ -88,6 +112,10 @@ int main(int argc, char **argv) {
        virtual_setup("/dev");
        virtual_setup("/etc");
        virtual_setup("/bin");
+        virtual_setup("/usr/share");
+        virtual_setup(user_run_dir);
        // print processes
        pid_read(0);
@@ -98,8 +126,12 @@ int main(int argc, char **argv) {
                                continue;
                        // in case the pid is that of a firejail process, use the pid of the first child process
-                        uid_t pid = switch_to_child(i);
+                        uid_t pid = find_child(i);
+                        printf("\n");
                        pid_print_list(i, 0); //  no wrapping
+                        apparmor_test(pid);
+                        seccomp_test(pid);
+                        fflush(0);
                        pid_t child = fork();
                        if (child == -1)
@@ -111,6 +143,7 @@ int main(int argc, char **argv) {
                                        noexec_test(user_home_dir);
                                        noexec_test("/tmp");
                                        noexec_test("/var/tmp");
+                                        noexec_test(user_run_dir);
                                        access_test();
                                }
                                else {
diff --git a/src/jailtest/noexec.c b/src/jailtest/noexec.c
index d2f85514a..4347b7eef 100644
--- a/src/jailtest/noexec.c
+++ b/src/jailtest/noexec.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include <sys/wait.h>
 #include <sys/stat.h>
diff --git a/src/jailtest/seccomp.c b/src/jailtest/seccomp.c
new file mode 100644
index 000000000..2cecb4b4d
--- /dev/null
+++ b/src/jailtest/seccomp.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#define MAXBUF 4096
+void seccomp_test(pid_t pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1)
+                errExit("asprintf");
+        FILE *fp = fopen(file, "r");
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
+                return;
+        }
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Seccomp:", 8) == 0) {
+                        int val = -1;
+                        int rv = sscanf(buf + 8, "\t%d", &val);
+                        if (rv != 1 || val == 0)
+                                printf("   Warning: seccomp not enabled\n");
+                        break;
+                }
+        }
+        fclose(fp);
+        free(file);
+}
diff --git a/src/jailtest/utils.c b/src/jailtest/utils.c
index b24783355..41c21b753 100644
--- a/src/jailtest/utils.c
+++ b/src/jailtest/utils.c
@@ -1,4 +1,24 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
+#include "../include/pid.h"
 #include <errno.h>
 #include <pwd.h>
 #include <dirent.h>
@@ -38,87 +58,45 @@ errexit:
        exit(1);
 }
-int find_child(pid_t parent, pid_t *child) {
+// find the second child process for the specified pid
-        *child = 0;                               // use it to flag a found child
+// return -1 if not found
+//
+// Example:
+//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//  14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
+//    14792:netblue:/usr/bin/transmission-qt
+// We need 14792, the first real sandboxed process
+// duplicate from src/firemon/main.c
+int find_child(int id) {
+        int i;
+        int first_child = -1;
-        DIR *dir;
+        // find the first child
-        if (!(dir = opendir("/proc"))) {
+        for (i = 0; i < max_pids; i++) {
-                // sleep 2 seconds and try again
+                if (pids[i].level == 2 && pids[i].parent == id) {
-                sleep(2);
+                        // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
-                if (!(dir = opendir("/proc"))) {
+                        char *cmdline = pid_proc_cmdline(i);
-                        fprintf(stderr, "Error: cannot open /proc directory\n");
+                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
-                        exit(1);
+                                free(cmdline);
-                }
+                                continue;
-        }
-        struct dirent *entry;
-        char *end;
-        while (*child == 0 && (entry = readdir(dir))) {
-                pid_t pid = strtol(entry->d_name, &end, 10);
-                if (end == entry->d_name || *end)
-                        continue;
-                if (pid == parent)
-                        continue;
-                // open stat file
-                char *file;
-                if (asprintf(&file, "/proc/%u/status", pid) == -1) {
-                        perror("asprintf");
-                        exit(1);
-                }
-                FILE *fp = fopen(file, "r");
-                if (!fp) {
-                        free(file);
-                        continue;
-                }
-                // look for firejail executable name
-                char buf[BUFLEN];
-                while (fgets(buf, BUFLEN - 1, fp)) {
-                        if (strncmp(buf, "PPid:", 5) == 0) {
-                                char *ptr = buf + 5;
-                                while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) {
-                                        ptr++;
-                                }
-                                if (*ptr == '\0') {
-                                        fprintf(stderr, "Error: cannot read /proc file\n");
-                                        exit(1);
-                                }
-                                if (parent == atoi(ptr)) {
-                                        // we don't want /usr/bin/xdg-dbus-proxy!
-                                        char *cmdline = pid_proc_cmdline(pid);
-                                        if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
-                                                *child = pid;
-                                        free(cmdline);
-                                }
-                                break;            // stop reading the file
                        }
+                        free(cmdline);
+                        first_child = i;
+                        break;
                }
-                fclose(fp);
-                free(file);
        }
-        closedir(dir);
-        return (*child)? 0:1;                     // 0 = found, 1 = not found
-}
-pid_t switch_to_child(pid_t pid) {
+        if (first_child == -1)
-        pid_t rv = pid;
+                return -1;
-        errno = 0;
-        char *comm = pid_proc_comm(pid);
-        if (!comm) {
-                if (errno == ENOENT)
-                        fprintf(stderr, "Error: cannot find process with pid %d\n", pid);
-                else
-                        fprintf(stderr, "Error: cannot read /proc file\n");
-                exit(1);
-        }
-        if (strcmp(comm, "firejail") == 0) {
+        // find the second-level child
-                if (find_child(pid, &rv) == 1) {
+        for (i = 0; i < max_pids; i++) {
-                        fprintf(stderr, "Error: no valid sandbox\n");
+                if (pids[i].level == 3 && pids[i].parent == first_child)
-                        exit(1);
+                        return i;
-                }
        }
-        free(comm);
-        return rv;
+        // if a second child is not found, return the first child pid
+        // this happens for processes sandboxed with --join
+        return first_child;
 }
diff --git a/src/jailtest/virtual.c b/src/jailtest/virtual.c
index 48296fdb1..fcdcf9720 100644
--- a/src/jailtest/virtual.c
+++ b/src/jailtest/virtual.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "jailtest.h"
 #include <dirent.h>
 #include <sys/wait.h>
@@ -64,7 +83,8 @@ void virtual_test(void) {
        assert(user_uid);
        int i;
-        printf("   Virtual dirs: "); fflush(0);
+        int cnt = 0;
+        cnt += printf("   Virtual dirs: "); fflush(0);
        for (i = 0; i < files_cnt; i++) {
                assert(files[i]);
@@ -85,15 +105,21 @@ void virtual_test(void) {
                        FILE *fp = fopen(files[i], "r");
                        if (fp)
                                fclose(fp);
-                        else
+                        else {
-                                printf("%s, ", dirs[i]);
+                                if (cnt == 0)
+                                        cnt += printf("\n                 ");
+                                cnt += printf("%s, ", dirs[i]);
+                                if (cnt > 60)
+                                        cnt = 0;
+                        }
                        fflush(0);
-                        exit(0);
+                        exit(cnt);
                }
                // wait for the child to finish
                int status;
                wait(&status);
+                cnt = WEXITSTATUS(status);
        }
        printf("\n");
 }

diff --git a/src/jailtest/access.c b/src/jailtest/access.c index e68227bd2..4e737dc7a 100644 --- a/src/jailtest/access.c +++ b/src/jailtest/access.c
@@ -1,3 +1,22 @@
		1	/*
		2	* Copyright (C) 2014-2021 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
1	#include "jailtest.h"	20	#include "jailtest.h"
2	#include <dirent.h>	21	#include <dirent.h>
3	#include <sys/wait.h>	22	#include <sys/wait.h>


diff --git a/src/jailtest/apparmor.c b/src/jailtest/apparmor.c new file mode 100644 index 000000000..43ab8fad0 --- /dev/null +++ b/src/jailtest/apparmor.c
@@ -0,0 +1,40 @@
		1	/*
		2	* Copyright (C) 2014-2021 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "jailtest.h"
		21
		22	#ifdef HAVE_APPARMOR
		23	#include <sys/apparmor.h>
		24
		25	void apparmor_test(pid_t pid) {
		26	char *label = NULL;
		27	char *mode = NULL;
		28	int rv = aa_gettaskcon(pid, &label, &mode);
		29	if (rv == -1 \|\| mode == NULL)
		30	printf(" Warning: AppArmor not enabled\n");
		31	}
		32
		33
		34	#else
		35	void apparmor_test(uid_t pid) {
		36	(void) pid;
		37	return;
		38	}
		39	#endif
		40


diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h index 678f94bef..10174cc9a 100644 --- a/src/jailtest/jailtest.h +++ b/src/jailtest/jailtest.h
@@ -1,3 +1,22 @@
		1	/*
		2	* Copyright (C) 2014-2021 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
1	#ifndef JAILTEST_H	20	#ifndef JAILTEST_H
2	#define JAILTEST_H	21	#define JAILTEST_H
3		22
@@ -8,6 +27,7 @@ extern uid_t user_uid;
8	extern gid_t user_gid;	27	extern gid_t user_gid;
9	extern char *user_name;	28	extern char *user_name;
10	extern char *user_home_dir;	29	extern char *user_home_dir;
		30	extern char *user_run_dir;
11		31
12	// access.c	32	// access.c
13	void access_setup(const char *directory);	33	void access_setup(const char *directory);
@@ -23,10 +43,16 @@ void virtual_setup(const char *directory);
23	void virtual_destroy(void);	43	void virtual_destroy(void);
24	void virtual_test(void);	44	void virtual_test(void);
25		45
		46	// apparmor.c
		47	void apparmor_test(pid_t pid);
		48
		49	// seccomp.c
		50	void seccomp_test(pid_t pid);
		51
26	// utils.c	52	// utils.c
27	char *get_sudo_user(void);	53	char *get_sudo_user(void);
28	char get_homedir(const char user, uid_t uid, gid_t gid);	54	char get_homedir(const char user, uid_t uid, gid_t gid);
29	int find_child(pid_t parent, pid_t *child);	55	int find_child(pid_t pid);
30	pid_t switch_to_child(pid_t pid);	56	pid_t switch_to_child(pid_t pid);
31		57
32	#endif \ No newline at end of file	58	#endif \ No newline at end of file


diff --git a/src/jailtest/main.c b/src/jailtest/main.c index 78f162706..850277bc5 100644 --- a/src/jailtest/main.c +++ b/src/jailtest/main.c
@@ -1,3 +1,22 @@
		1	/*
		2	* Copyright (C) 2014-2021 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
1	#include "jailtest.h"	20	#include "jailtest.h"
2	#include "../include/firejail_user.h"	21	#include "../include/firejail_user.h"
3	#include "../include/pid.h"	22	#include "../include/pid.h"
@@ -7,6 +26,7 @@ uid_t user_uid = 0;
7	gid_t user_gid = 0;	26	gid_t user_gid = 0;
8	char *user_name = NULL;	27	char *user_name = NULL;
9	char *user_home_dir = NULL;	28	char *user_home_dir = NULL;
		29	char *user_run_dir = NULL;
10	int arg_debug = 0;	30	int arg_debug = 0;
11		31
12	static char *usage_str =	32	static char *usage_str =
@@ -73,9 +93,13 @@ int main(int argc, char **argv) {
73	fprintf(stderr, "Error: root user not supported\n");	93	fprintf(stderr, "Error: root user not supported\n");
74	exit(1);	94	exit(1);
75	}	95	}
		96	if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1)
		97	errExit("asprintf");
76		98
77	// test setup	99	// test setup
78	atexit(cleanup);	100	atexit(cleanup);
		101	access_setup("~/.ssh");
		102	access_setup("~/.gnupg");
79	if (findex > 0) {	103	if (findex > 0) {
80	for (i = findex; i < argc; i++)	104	for (i = findex; i < argc; i++)
81	access_setup(argv[i]);	105	access_setup(argv[i]);
@@ -88,6 +112,10 @@ int main(int argc, char **argv) {
88	virtual_setup("/dev");	112	virtual_setup("/dev");
89	virtual_setup("/etc");	113	virtual_setup("/etc");
90	virtual_setup("/bin");	114	virtual_setup("/bin");
		115	virtual_setup("/usr/share");
		116	virtual_setup(user_run_dir);
		117
		118
91		119
92	// print processes	120	// print processes
93	pid_read(0);	121	pid_read(0);
@@ -98,8 +126,12 @@ int main(int argc, char **argv) {
98	continue;	126	continue;
99		127
100	// in case the pid is that of a firejail process, use the pid of the first child process	128	// in case the pid is that of a firejail process, use the pid of the first child process
101	uid_t pid = switch_to_child(i);	129	uid_t pid = find_child(i);
		130	printf("\n");
102	pid_print_list(i, 0); // no wrapping	131	pid_print_list(i, 0); // no wrapping
		132	apparmor_test(pid);
		133	seccomp_test(pid);
		134	fflush(0);
103		135
104	pid_t child = fork();	136	pid_t child = fork();
105	if (child == -1)	137	if (child == -1)
@@ -111,6 +143,7 @@ int main(int argc, char **argv) {
111	noexec_test(user_home_dir);	143	noexec_test(user_home_dir);
112	noexec_test("/tmp");	144	noexec_test("/tmp");
113	noexec_test("/var/tmp");	145	noexec_test("/var/tmp");
		146	noexec_test(user_run_dir);
114	access_test();	147	access_test();
115	}	148	}
116	else {	149	else {


diff --git a/src/jailtest/noexec.c b/src/jailtest/noexec.c index d2f85514a..4347b7eef 100644 --- a/src/jailtest/noexec.c +++ b/src/jailtest/noexec.c
@@ -1,3 +1,22 @@
		1	/*
		2	* Copyright (C) 2014-2021 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
1	#include "jailtest.h"	20	#include "jailtest.h"
2	#include <sys/wait.h>	21	#include <sys/wait.h>
3	#include <sys/stat.h>	22	#include <sys/stat.h>


diff --git a/src/jailtest/seccomp.c b/src/jailtest/seccomp.c new file mode 100644 index 000000000..2cecb4b4d --- /dev/null +++ b/src/jailtest/seccomp.c
@@ -0,0 +1,47 @@
		1	/*
		2	* Copyright (C) 2014-2021 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "jailtest.h"
		21	#define MAXBUF 4096
		22
		23	void seccomp_test(pid_t pid) {
		24	char *file;
		25	if (asprintf(&file, "/proc/%d/status", pid) == -1)
		26	errExit("asprintf");
		27
		28	FILE *fp = fopen(file, "r");
		29	if (!fp) {
		30	printf(" Error: cannot open %s\n", file);
		31	free(file);
		32	return;
		33	}
		34
		35	char buf[MAXBUF];
		36	while (fgets(buf, MAXBUF, fp)) {
		37	if (strncmp(buf, "Seccomp:", 8) == 0) {
		38	int val = -1;
		39	int rv = sscanf(buf + 8, "\t%d", &val);
		40	if (rv != 1 \|\| val == 0)
		41	printf(" Warning: seccomp not enabled\n");
		42	break;
		43	}
		44	}
		45	fclose(fp);
		46	free(file);
		47	}


diff --git a/src/jailtest/utils.c b/src/jailtest/utils.c index b24783355..41c21b753 100644 --- a/src/jailtest/utils.c +++ b/src/jailtest/utils.c
@@ -1,4 +1,24 @@
		1	/*
		2	* Copyright (C) 2014-2021 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
1	#include "jailtest.h"	20	#include "jailtest.h"
		21	#include "../include/pid.h"
2	#include <errno.h>	22	#include <errno.h>
3	#include <pwd.h>	23	#include <pwd.h>
4	#include <dirent.h>	24	#include <dirent.h>
@@ -38,87 +58,45 @@ errexit:
38	exit(1);	58	exit(1);
39	}	59	}
40		60
41	int find_child(pid_t parent, pid_t *child) {	61	// find the second child process for the specified pid
42	*child = 0; // use it to flag a found child	62	// return -1 if not found
		63	//
		64	// Example:
		65	//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
		66	// 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
		67	// 14792:netblue:/usr/bin/transmission-qt
		68	// We need 14792, the first real sandboxed process
		69	// duplicate from src/firemon/main.c
		70	int find_child(int id) {
		71	int i;
		72	int first_child = -1;
43		73
44	DIR *dir;	74	// find the first child
45	if (!(dir = opendir("/proc"))) {	75	for (i = 0; i < max_pids; i++) {
46	// sleep 2 seconds and try again	76	if (pids[i].level == 2 && pids[i].parent == id) {
47	sleep(2);	77	// skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering)
48	if (!(dir = opendir("/proc"))) {	78	char *cmdline = pid_proc_cmdline(i);
49	fprintf(stderr, "Error: cannot open /proc directory\n");	79	if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) {
50	exit(1);	80	free(cmdline);
51	}	81	continue;
52	}
53
54	struct dirent *entry;
55	char *end;
56	while (*child == 0 && (entry = readdir(dir))) {
57	pid_t pid = strtol(entry->d_name, &end, 10);
58	if (end == entry->d_name \|\| *end)
59	continue;
60	if (pid == parent)
61	continue;
62
63	// open stat file
64	char *file;
65	if (asprintf(&file, "/proc/%u/status", pid) == -1) {
66	perror("asprintf");
67	exit(1);
68	}
69	FILE *fp = fopen(file, "r");
70	if (!fp) {
71	free(file);
72	continue;
73	}
74
75	// look for firejail executable name
76	char buf[BUFLEN];
77	while (fgets(buf, BUFLEN - 1, fp)) {
78	if (strncmp(buf, "PPid:", 5) == 0) {
79	char *ptr = buf + 5;
80	while (ptr != '\0' && (ptr == ' ' \|\| *ptr == '\t')) {
81	ptr++;
82	}
83	if (*ptr == '\0') {
84	fprintf(stderr, "Error: cannot read /proc file\n");
85	exit(1);
86	}
87	if (parent == atoi(ptr)) {
88	// we don't want /usr/bin/xdg-dbus-proxy!
89	char *cmdline = pid_proc_cmdline(pid);
90	if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0)
91	*child = pid;
92	free(cmdline);
93	}
94	break; // stop reading the file
95	}	82	}
		83	free(cmdline);
		84	first_child = i;
		85	break;
96	}	86	}
97	fclose(fp);
98	free(file);
99	}	87	}
100	closedir(dir);
101	return (*child)? 0:1; // 0 = found, 1 = not found
102	}
103		88
104	pid_t switch_to_child(pid_t pid) {	89	if (first_child == -1)
105	pid_t rv = pid;	90	return -1;
106	errno = 0;
107	char *comm = pid_proc_comm(pid);
108	if (!comm) {
109	if (errno == ENOENT)
110	fprintf(stderr, "Error: cannot find process with pid %d\n", pid);
111	else
112	fprintf(stderr, "Error: cannot read /proc file\n");
113	exit(1);
114	}
115		91
116	if (strcmp(comm, "firejail") == 0) {	92	// find the second-level child
117	if (find_child(pid, &rv) == 1) {	93	for (i = 0; i < max_pids; i++) {
118	fprintf(stderr, "Error: no valid sandbox\n");	94	if (pids[i].level == 3 && pids[i].parent == first_child)
119	exit(1);	95	return i;
120	}
121	}	96	}
122	free(comm);	97
123	return rv;	98	// if a second child is not found, return the first child pid
		99	// this happens for processes sandboxed with --join
		100	return first_child;
124	}	101	}
		102


diff --git a/src/jailtest/virtual.c b/src/jailtest/virtual.c index 48296fdb1..fcdcf9720 100644 --- a/src/jailtest/virtual.c +++ b/src/jailtest/virtual.c
@@ -1,3 +1,22 @@
		1	/*
		2	* Copyright (C) 2014-2021 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
1	#include "jailtest.h"	20	#include "jailtest.h"
2	#include <dirent.h>	21	#include <dirent.h>
3	#include <sys/wait.h>	22	#include <sys/wait.h>
@@ -64,7 +83,8 @@ void virtual_test(void) {
64	assert(user_uid);	83	assert(user_uid);
65	int i;	84	int i;
66		85
67	printf(" Virtual dirs: "); fflush(0);	86	int cnt = 0;
		87	cnt += printf(" Virtual dirs: "); fflush(0);
68		88
69	for (i = 0; i < files_cnt; i++) {	89	for (i = 0; i < files_cnt; i++) {
70	assert(files[i]);	90	assert(files[i]);
@@ -85,15 +105,21 @@ void virtual_test(void) {
85	FILE *fp = fopen(files[i], "r");	105	FILE *fp = fopen(files[i], "r");
86	if (fp)	106	if (fp)
87	fclose(fp);	107	fclose(fp);
88	else	108	else {
89	printf("%s, ", dirs[i]);	109	if (cnt == 0)
		110	cnt += printf("\n ");
		111	cnt += printf("%s, ", dirs[i]);
		112	if (cnt > 60)
		113	cnt = 0;
		114	}
90	fflush(0);	115	fflush(0);
91	exit(0);	116	exit(cnt);
92	}	117	}
93		118
94	// wait for the child to finish	119	// wait for the child to finish
95	int status;	120	int status;
96	wait(&status);	121	wait(&status);
		122	cnt = WEXITSTATUS(status);
97	}	123	}
98	printf("\n");	124	printf("\n");
99	}	125	}