8 files changed, 390 insertions, 0 deletions
diff --git a/test/capabilities/capabilities.sh b/test/capabilities/capabilities.sh
new file mode 100755
index 000000000..2d345025a
--- /dev/null
+++ b/test/capabilities/capabilities.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+#if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
+        echo "TESTING: capabilities (test/filters/caps.exp)"
+        ./caps.exp
+#else
+#       echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)"
+#fi
+echo "TESTING: capabilities print (test/filters/caps-print.exp)"
+./caps-print.exp
+echo "TESTING: capabilities join (test/filters/caps-join.exp)"
+./caps-join.exp
+echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
+./firemon-caps.exp
diff --git a/test/capabilities/caps-join.exp b/test/capabilities/caps-join.exp
new file mode 100755
index 000000000..ecb43d943
--- /dev/null
+++ b/test/capabilities/caps-join.exp
@@ -0,0 +1,96 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+match_max 100000
+spawn $env(SHELL)
+set id1 $spawn_id
+spawn $env(SHELL)
+set id2 $spawn_id
+send -- "stty -echo\r"
+after 100
+#
+# regular run
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "CapBnd:        0000000000000000"
+}
+sleep 1
+set spawn_id $id1
+send -- "exit\r"
+sleep 1
+#
+# no caps
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "fffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "CapAmb:"
+}
+sleep 1
+set spawn_id $id1
+send -- "exit\r"
+after 500
+#
+# no caps
+#
+set spawn_id $id1
+send --  "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
+expect {
+        timeout {puts "TESTING ERROR20\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+set spawn_id $id2
+send --  "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "CapBnd:        0000000000000009"
+}
+sleep 1
+set spawn_id $id1
+send -- "exit\r"
+after 500
+puts "all done\n"
diff --git a/test/capabilities/caps-print.exp b/test/capabilities/caps-print.exp
new file mode 100755
index 000000000..66a7e093b
--- /dev/null
+++ b/test/capabilities/caps-print.exp
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --noprofile --caps --debug\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Drop CAP_SYS_MODULE"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Drop CAP_SYS_RAWIO"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Drop CAP_SYS_BOOT"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Drop CAP_SYS_NICE"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Drop CAP_SYS_TTY_CONFIG"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Drop CAP_SYSLOG"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Drop CAP_MKNOD"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Drop CAP_SYS_ADMIN"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "chown               - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "setgid              - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "setuid              - enabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "mknod               - disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "syslog              - disabled"
+}
+after 500
+send -- "firejail --debug-caps\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "21     - sys_admin"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "22     - sys_boot"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "23     - sys_nice"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "24     - sys_resource"
+}
+after 500
+send -- "firejail --caps.keep=\"bla bla bla\"\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "capability"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "not found"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/capabilities/caps.exp b/test/capabilities/caps.exp
new file mode 100755
index 000000000..bd7ab04eb
--- /dev/null
+++ b/test/capabilities/caps.exp
@@ -0,0 +1,115 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --caps.keep=chown,fowner --noprofile cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "CapBnd:        0000000000000009"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Seccomp:"
+}
+after 500
+send -- "firejail --caps.drop=all --noprofile cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "CapBnd:        0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Seccomp:"
+}
+after 500
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "Seccomp:"
+}
+after 500
+send -- "firejail --profile=caps1.profile --debug ls\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "Drop CAP_SYS_MODULE"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "Drop CAP_SYS_ADMIN"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 500
+## tofix: possible problem with caps.keep in profile files
+##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+#send -- "firejail --profile=caps2.profile\r"
+#expect {
+#       timeout {puts "TESTING ERROR 15\n";exit}
+#       -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+#}
+#after 100
+#
+#send -- "cat /proc/self/status\r"
+#expect {
+#       timeout {puts "TESTING ERROR 16\n";exit}
+#       "CapBnd:        0000000000000009"
+#}
+#expect {
+#       timeout {puts "TESTING ERROR 17\n";exit}
+#       "Seccomp:"
+#}
+#send -- "exit\r"
+#sleep 1
+#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+send -- "firejail --profile=caps3.profile cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "fffffff0"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "Seccomp:"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/capabilities/caps1.profile b/test/capabilities/caps1.profile
new file mode 100644
index 000000000..8b0c3b340
--- /dev/null
+++ b/test/capabilities/caps1.profile
@@ -0,0 +1 @@
+caps
diff --git a/test/capabilities/caps2.profile b/test/capabilities/caps2.profile
new file mode 100644
index 000000000..ad49719f1
--- /dev/null
+++ b/test/capabilities/caps2.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
diff --git a/test/capabilities/caps3.profile b/test/capabilities/caps3.profile
new file mode 100644
index 000000000..ad49719f1
--- /dev/null
+++ b/test/capabilities/caps3.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
diff --git a/test/capabilities/firemon-caps.exp b/test/capabilities/firemon-caps.exp
new file mode 100755
index 000000000..905c8cba9
--- /dev/null
+++ b/test/capabilities/firemon-caps.exp
@@ -0,0 +1,47 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=bingo1 --noprofile --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=bingo2 --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
+        "bingo1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "31cffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "bingo2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "fffffff"
+}
+after 500
+puts "all done\n"

diff --git a/test/capabilities/capabilities.sh b/test/capabilities/capabilities.sh new file mode 100755 index 000000000..2d345025a --- /dev/null +++ b/test/capabilities/capabilities.sh
@@ -0,0 +1,26 @@
	1	#!/bin/bash
	2	# This file is part of Firejail project
	3	# Copyright (C) 2014-2023 Firejail Authors
	4	# License GPL v2
	5
	6	export MALLOC_CHECK_=3
	7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
	8	export LC_ALL=C
	9
	10
	11	#if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
	12	echo "TESTING: capabilities (test/filters/caps.exp)"
	13	./caps.exp
	14	#else
	15	# echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)"
	16	#fi
	17
	18	echo "TESTING: capabilities print (test/filters/caps-print.exp)"
	19	./caps-print.exp
	20
	21	echo "TESTING: capabilities join (test/filters/caps-join.exp)"
	22	./caps-join.exp
	23
	24	echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
	25	./firemon-caps.exp
	26


diff --git a/test/capabilities/caps-join.exp b/test/capabilities/caps-join.exp new file mode 100755 index 000000000..ecb43d943 --- /dev/null +++ b/test/capabilities/caps-join.exp
@@ -0,0 +1,96 @@
	1	#!/usr/bin/expect -f
	2	# This file is part of Firejail project
	3	# Copyright (C) 2014-2023 Firejail Authors
	4	# License GPL v2
	5
	6	set timeout 10
	7	match_max 100000
	8	spawn $env(SHELL)
	9	set id1 $spawn_id
	10	spawn $env(SHELL)
	11	set id2 $spawn_id
	12
	13	send -- "stty -echo\r"
	14	after 100
	15
	16	#
	17	# regular run
	18	#
	19	set spawn_id $id1
	20	send -- "firejail --name=jointesting\r"
	21	expect {
	22	timeout {puts "TESTING ERROR 0\n";exit}
	23	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	24	}
	25	sleep 1
	26
	27	set spawn_id $id2
	28
	29	send -- "firejail --join=jointesting cat /proc/self/status\r"
	30	expect {
	31	timeout {puts "TESTING ERROR 1\n";exit}
	32	"CapBnd: 0000000000000000"
	33	}
	34	sleep 1
	35
	36	set spawn_id $id1
	37	send -- "exit\r"
	38	sleep 1
	39
	40	#
	41	# no caps
	42	#
	43	set spawn_id $id1
	44	send -- "firejail --name=jointesting --noprofile\r"
	45	expect {
	46	timeout {puts "TESTING ERROR 10\n";exit}
	47	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	48	}
	49	sleep 1
	50
	51	set spawn_id $id2
	52
	53	send -- "firejail --join=jointesting cat /proc/self/status\r"
	54	expect {
	55	timeout {puts "TESTING ERROR 11\n";exit}
	56	"CapBnd:"
	57	}
	58	expect {
	59	timeout {puts "TESTING ERROR 12\n";exit}
	60	"fffffffff"
	61	}
	62	expect {
	63	timeout {puts "TESTING ERROR 13\n";exit}
	64	"CapAmb:"
	65	}
	66	sleep 1
	67
	68	set spawn_id $id1
	69	send -- "exit\r"
	70	after 500
	71
	72	#
	73	# no caps
	74	#
	75	set spawn_id $id1
	76	send -- "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
	77	expect {
	78	timeout {puts "TESTING ERROR20\n";exit}
	79	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	80	}
	81	sleep 1
	82
	83	set spawn_id $id2
	84
	85	send -- "firejail --join=jointesting cat /proc/self/status\r"
	86	expect {
	87	timeout {puts "TESTING ERROR 21\n";exit}
	88	"CapBnd: 0000000000000009"
	89	}
	90	sleep 1
	91
	92	set spawn_id $id1
	93	send -- "exit\r"
	94	after 500
	95
	96	puts "all done\n"


diff --git a/test/capabilities/caps-print.exp b/test/capabilities/caps-print.exp new file mode 100755 index 000000000..66a7e093b --- /dev/null +++ b/test/capabilities/caps-print.exp
@@ -0,0 +1,103 @@
	1	#!/usr/bin/expect -f
	2	# This file is part of Firejail project
	3	# Copyright (C) 2014-2023 Firejail Authors
	4	# License GPL v2
	5
	6	set timeout 10
	7	spawn $env(SHELL)
	8	match_max 100000
	9
	10	send -- "firejail --name=test --noprofile --caps --debug\r"
	11	expect {
	12	timeout {puts "TESTING ERROR 0\n";exit}
	13	"Drop CAP_SYS_MODULE"
	14	}
	15	expect {
	16	timeout {puts "TESTING ERROR 1\n";exit}
	17	"Drop CAP_SYS_RAWIO"
	18	}
	19	expect {
	20	timeout {puts "TESTING ERROR 2\n";exit}
	21	"Drop CAP_SYS_BOOT"
	22	}
	23	expect {
	24	timeout {puts "TESTING ERROR 3\n";exit}
	25	"Drop CAP_SYS_NICE"
	26	}
	27	expect {
	28	timeout {puts "TESTING ERROR 4\n";exit}
	29	"Drop CAP_SYS_TTY_CONFIG"
	30	}
	31	expect {
	32	timeout {puts "TESTING ERROR 5\n";exit}
	33	"Drop CAP_SYSLOG"
	34	}
	35	expect {
	36	timeout {puts "TESTING ERROR 6\n";exit}
	37	"Drop CAP_MKNOD"
	38	}
	39	expect {
	40	timeout {puts "TESTING ERROR 7\n";exit}
	41	"Drop CAP_SYS_ADMIN"
	42	}
	43	expect {
	44	timeout {puts "TESTING ERROR 8\n";exit}
	45	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	46	}
	47	sleep 1
	48
	49	spawn $env(SHELL)
	50	send -- "firejail --caps.print=test\r"
	51	expect {
	52	timeout {puts "TESTING ERROR 9\n";exit}
	53	"chown - enabled"
	54	}
	55	expect {
	56	timeout {puts "TESTING ERROR 10\n";exit}
	57	"setgid - enabled"
	58	}
	59	expect {
	60	timeout {puts "TESTING ERROR 11\n";exit}
	61	"setuid - enabled"
	62	}
	63	expect {
	64	timeout {puts "TESTING ERROR 12\n";exit}
	65	"mknod - disabled"
	66	}
	67	expect {
	68	timeout {puts "TESTING ERROR 13\n";exit}
	69	"syslog - disabled"
	70	}
	71	after 500
	72
	73	send -- "firejail --debug-caps\r"
	74	expect {
	75	timeout {puts "TESTING ERROR 9\n";exit}
	76	"21 - sys_admin"
	77	}
	78	expect {
	79	timeout {puts "TESTING ERROR 9\n";exit}
	80	"22 - sys_boot"
	81	}
	82	expect {
	83	timeout {puts "TESTING ERROR 9\n";exit}
	84	"23 - sys_nice"
	85	}
	86	expect {
	87	timeout {puts "TESTING ERROR 9\n";exit}
	88	"24 - sys_resource"
	89	}
	90	after 500
	91
	92	send -- "firejail --caps.keep=\"bla bla bla\"\r"
	93	expect {
	94	timeout {puts "TESTING ERROR 10\n";exit}
	95	"capability"
	96	}
	97	expect {
	98	timeout {puts "TESTING ERROR 11\n";exit}
	99	"not found"
	100	}
	101
	102	after 500
	103	puts "\nall done\n"


diff --git a/test/capabilities/caps.exp b/test/capabilities/caps.exp new file mode 100755 index 000000000..bd7ab04eb --- /dev/null +++ b/test/capabilities/caps.exp
@@ -0,0 +1,115 @@
	1	#!/usr/bin/expect -f
	2	# This file is part of Firejail project
	3	# Copyright (C) 2014-2023 Firejail Authors
	4	# License GPL v2
	5
	6	set timeout 10
	7	spawn $env(SHELL)
	8	match_max 100000
	9
	10	send -- "firejail --caps.keep=chown,fowner --noprofile cat /proc/self/status\r"
	11	expect {
	12	timeout {puts "TESTING ERROR 1\n";exit}
	13	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	14	}
	15	expect {
	16	timeout {puts "TESTING ERROR 2\n";exit}
	17	"CapBnd: 0000000000000009"
	18	}
	19	expect {
	20	timeout {puts "TESTING ERROR 3\n";exit}
	21	"Seccomp:"
	22	}
	23	after 500
	24
	25	send -- "firejail --caps.drop=all --noprofile cat /proc/self/status\r"
	26	expect {
	27	timeout {puts "TESTING ERROR 4\n";exit}
	28	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	29	}
	30	expect {
	31	timeout {puts "TESTING ERROR 5\n";exit}
	32	"CapBnd: 0000000000000000"
	33	}
	34	expect {
	35	timeout {puts "TESTING ERROR 6\n";exit}
	36	"Seccomp:"
	37	}
	38	after 500
	39
	40	send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile cat /proc/self/status\r"
	41	expect {
	42	timeout {puts "TESTING ERROR 7\n";exit}
	43	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	44	}
	45	expect {
	46	timeout {puts "TESTING ERROR 8\n";exit}
	47	"CapBnd:"
	48	}
	49	expect {
	50	timeout {puts "TESTING ERROR 9\n";exit}
	51	"fffffff0"
	52	}
	53	expect {
	54	timeout {puts "TESTING ERROR 10\n";exit}
	55	"Seccomp:"
	56	}
	57	after 500
	58
	59	send -- "firejail --profile=caps1.profile --debug ls\r"
	60	expect {
	61	timeout {puts "TESTING ERROR 11\n";exit}
	62	"Drop CAP_SYS_MODULE"
	63	}
	64	expect {
	65	timeout {puts "TESTING ERROR 12\n";exit}
	66	"Drop CAP_SYS_ADMIN"
	67	}
	68	expect {
	69	timeout {puts "TESTING ERROR 13\n";exit}
	70	"Drop CAP_" {puts "TESTING ERROR 14\n";exit}
	71	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	72	}
	73	after 500
	74
	75	## tofix: possible problem with caps.keep in profile files
	76	##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
	77	#send -- "firejail --profile=caps2.profile\r"
	78	#expect {
	79	# timeout {puts "TESTING ERROR 15\n";exit}
	80	# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	81	#}
	82	#after 100
	83	#
	84	#send -- "cat /proc/self/status\r"
	85	#expect {
	86	# timeout {puts "TESTING ERROR 16\n";exit}
	87	# "CapBnd: 0000000000000009"
	88	#}
	89	#expect {
	90	# timeout {puts "TESTING ERROR 17\n";exit}
	91	# "Seccomp:"
	92	#}
	93	#send -- "exit\r"
	94	#sleep 1
	95
	96	#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
	97	send -- "firejail --profile=caps3.profile cat /proc/self/status\r"
	98	expect {
	99	timeout {puts "TESTING ERROR 18\n";exit}
	100	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	101	}
	102	expect {
	103	timeout {puts "TESTING ERROR 19\n";exit}
	104	"CapBnd:"
	105	}
	106	expect {
	107	timeout {puts "TESTING ERROR 20\n";exit}
	108	"fffffff0"
	109	}
	110	expect {
	111	timeout {puts "TESTING ERROR 21\n";exit}
	112	"Seccomp:"
	113	}
	114	after 500
	115	puts "\nall done\n"


diff --git a/test/capabilities/caps1.profile b/test/capabilities/caps1.profile new file mode 100644 index 000000000..8b0c3b340 --- /dev/null +++ b/test/capabilities/caps1.profile
@@ -0,0 +1 @@
		caps


diff --git a/test/capabilities/caps2.profile b/test/capabilities/caps2.profile new file mode 100644 index 000000000..ad49719f1 --- /dev/null +++ b/test/capabilities/caps2.profile
@@ -0,0 +1 @@
		caps.drop chown,dac_override,dac_read_search,fowner


diff --git a/test/capabilities/caps3.profile b/test/capabilities/caps3.profile new file mode 100644 index 000000000..ad49719f1 --- /dev/null +++ b/test/capabilities/caps3.profile
@@ -0,0 +1 @@
		caps.drop chown,dac_override,dac_read_search,fowner


diff --git a/test/capabilities/firemon-caps.exp b/test/capabilities/firemon-caps.exp new file mode 100755 index 000000000..905c8cba9 --- /dev/null +++ b/test/capabilities/firemon-caps.exp
@@ -0,0 +1,47 @@
	1	#!/usr/bin/expect -f
	2	# This file is part of Firejail project
	3	# Copyright (C) 2014-2023 Firejail Authors
	4	# License GPL v2
	5
	6	set timeout 10
	7	spawn $env(SHELL)
	8	match_max 100000
	9
	10	send -- "firejail --name=bingo1 --noprofile --caps\r"
	11	expect {
	12	timeout {puts "TESTING ERROR 0\n";exit}
	13	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	14	}
	15	sleep 1
	16
	17	spawn $env(SHELL)
	18	send -- "firejail --name=bingo2 --noprofile\r"
	19	expect {
	20	timeout {puts "TESTING ERROR 1\n";exit}
	21	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
	22	}
	23	sleep 1
	24
	25	spawn $env(SHELL)
	26	send -- "firemon --caps\r"
	27	expect {
	28	timeout {puts "TESTING ERROR 2\n";exit}
	29	"need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
	30	"bingo1"
	31	}
	32	expect {
	33	timeout {puts "TESTING ERROR 3\n";exit}
	34	"31cffff"
	35	}
	36	expect {
	37	timeout {puts "TESTING ERROR 4\n";exit}
	38	"bingo2"
	39	}
	40	expect {
	41	timeout {puts "TESTING ERROR 5\n";exit}
	42	"fffffff"
	43	}
	44
	45	after 500
	46
	47	puts "all done\n"