5 files changed, 66 insertions, 40 deletions
diff --git a/test/capabilities/capabilities.sh b/test/capabilities/capabilities.sh
index 50279cd4f..2d345025a 100755
--- a/test/capabilities/capabilities.sh
+++ b/test/capabilities/capabilities.sh
@@ -21,3 +21,6 @@ echo "TESTING: capabilities print (test/filters/caps-print.exp)"
 echo "TESTING: capabilities join (test/filters/caps-join.exp)"
 ./caps-join.exp
+echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
+./firemon-caps.exp
diff --git a/test/capabilities/caps-join.exp b/test/capabilities/caps-join.exp
index 1830143fb..ecb43d943 100755
--- a/test/capabilities/caps-join.exp
+++ b/test/capabilities/caps-join.exp
@@ -35,7 +35,7 @@ sleep 1
 set spawn_id $id1
 send -- "exit\r"
-after 100
+sleep 1
 #
 # no caps
@@ -67,7 +67,7 @@ sleep 1
 set spawn_id $id1
 send -- "exit\r"
-after 100
+after 500
 #
 # no caps
@@ -91,6 +91,6 @@ sleep 1
 set spawn_id $id1
 send -- "exit\r"
-after 100
+after 500
 puts "all done\n"
diff --git a/test/capabilities/caps-print.exp b/test/capabilities/caps-print.exp
index b403f9ffe..66a7e093b 100755
--- a/test/capabilities/caps-print.exp
+++ b/test/capabilities/caps-print.exp
@@ -68,7 +68,7 @@ expect {
        timeout {puts "TESTING ERROR 13\n";exit}
        "syslog              - disabled"
 }
-after 100
+after 500
 send -- "firejail --debug-caps\r"
 expect {
@@ -87,7 +87,7 @@ expect {
        timeout {puts "TESTING ERROR 9\n";exit}
        "24     - sys_resource"
 }
-after 100
+after 500
 send -- "firejail --caps.keep=\"bla bla bla\"\r"
 expect {
@@ -99,5 +99,5 @@ expect {
        "not found"
 }
-after 100
+after 500
 puts "\nall done\n"
diff --git a/test/capabilities/caps.exp b/test/capabilities/caps.exp
index dbd63efda..bd7ab04eb 100755
--- a/test/capabilities/caps.exp
+++ b/test/capabilities/caps.exp
@@ -7,14 +7,11 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+send -- "firejail --caps.keep=chown,fowner --noprofile cat /proc/self/status\r"
 expect {
        timeout {puts "TESTING ERROR 1\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-send -- "cat /proc/self/status\r"
 expect {
        timeout {puts "TESTING ERROR 2\n";exit}
        "CapBnd:        0000000000000009"
@@ -23,17 +20,13 @@ expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Seccomp:"
 }
-send -- "exit\r"
+after 500
-sleep 1
-send -- "firejail --caps.drop=all --noprofile\r"
+send -- "firejail --caps.drop=all --noprofile cat /proc/self/status\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-send -- "cat /proc/self/status\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "CapBnd:        0000000000000000"
@@ -42,17 +35,13 @@ expect {
        timeout {puts "TESTING ERROR 6\n";exit}
        "Seccomp:"
 }
-send -- "exit\r"
+after 500
-sleep 1
-send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile cat /proc/self/status\r"
 expect {
        timeout {puts "TESTING ERROR 7\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-send -- "cat /proc/self/status\r"
 expect {
        timeout {puts "TESTING ERROR 8\n";exit}
        "CapBnd:"
@@ -65,11 +54,9 @@ expect {
        timeout {puts "TESTING ERROR 10\n";exit}
        "Seccomp:"
 }
-send -- "exit\r"
+after 500
-sleep 1
+send -- "firejail --profile=caps1.profile --debug ls\r"
-send -- "firejail --profile=caps1.profile --debug\r"
 expect {
        timeout {puts "TESTING ERROR 11\n";exit}
        "Drop CAP_SYS_MODULE"
@@ -83,10 +70,7 @@ expect {
        "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
+after 500
-send -- "exit\r"
-sleep 1
 ## tofix: possible problem with caps.keep in profile files
 ##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
@@ -110,14 +94,11 @@ sleep 1
 #sleep 1
 #send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
-send -- "firejail --profile=caps3.profile\r"
+send -- "firejail --profile=caps3.profile cat /proc/self/status\r"
 expect {
        timeout {puts "TESTING ERROR 18\n";exit}
        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-send -- "cat /proc/self/status\r"
 expect {
        timeout {puts "TESTING ERROR 19\n";exit}
        "CapBnd:"
@@ -130,10 +111,5 @@ expect {
        timeout {puts "TESTING ERROR 21\n";exit}
        "Seccomp:"
 }
-send -- "exit\r"
+after 500
-sleep 1
-after 100
 puts "\nall done\n"
diff --git a/test/capabilities/firemon-caps.exp b/test/capabilities/firemon-caps.exp
new file mode 100755
index 000000000..905c8cba9
--- /dev/null
+++ b/test/capabilities/firemon-caps.exp
@@ -0,0 +1,47 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send --  "firejail --name=bingo1 --noprofile --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+spawn $env(SHELL)
+send --  "firejail --name=bingo2 --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+spawn $env(SHELL)
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
+        "bingo1"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "31cffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "bingo2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "fffffff"
+}
+after 500
+puts "all done\n"

diff --git a/test/capabilities/capabilities.sh b/test/capabilities/capabilities.sh index 50279cd4f..2d345025a 100755 --- a/test/capabilities/capabilities.sh +++ b/test/capabilities/capabilities.sh
@@ -21,3 +21,6 @@ echo "TESTING: capabilities print (test/filters/caps-print.exp)"
21	echo "TESTING: capabilities join (test/filters/caps-join.exp)"	21	echo "TESTING: capabilities join (test/filters/caps-join.exp)"
22	./caps-join.exp	22	./caps-join.exp
23		23
		24	echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
		25	./firemon-caps.exp
		26


diff --git a/test/capabilities/caps-join.exp b/test/capabilities/caps-join.exp index 1830143fb..ecb43d943 100755 --- a/test/capabilities/caps-join.exp +++ b/test/capabilities/caps-join.exp
@@ -35,7 +35,7 @@ sleep 1
35		35
36	set spawn_id $id1	36	set spawn_id $id1
37	send -- "exit\r"	37	send -- "exit\r"
38	after 100	38	sleep 1
39		39
40	#	40	#
41	# no caps	41	# no caps
@@ -67,7 +67,7 @@ sleep 1
67		67
68	set spawn_id $id1	68	set spawn_id $id1
69	send -- "exit\r"	69	send -- "exit\r"
70	after 100	70	after 500
71		71
72	#	72	#
73	# no caps	73	# no caps
@@ -91,6 +91,6 @@ sleep 1
91		91
92	set spawn_id $id1	92	set spawn_id $id1
93	send -- "exit\r"	93	send -- "exit\r"
94	after 100	94	after 500
95		95
96	puts "all done\n"	96	puts "all done\n"


diff --git a/test/capabilities/caps-print.exp b/test/capabilities/caps-print.exp index b403f9ffe..66a7e093b 100755 --- a/test/capabilities/caps-print.exp +++ b/test/capabilities/caps-print.exp
@@ -68,7 +68,7 @@ expect {
68	timeout {puts "TESTING ERROR 13\n";exit}	68	timeout {puts "TESTING ERROR 13\n";exit}
69	"syslog - disabled"	69	"syslog - disabled"
70	}	70	}
71	after 100	71	after 500
72		72
73	send -- "firejail --debug-caps\r"	73	send -- "firejail --debug-caps\r"
74	expect {	74	expect {
@@ -87,7 +87,7 @@ expect {
87	timeout {puts "TESTING ERROR 9\n";exit}	87	timeout {puts "TESTING ERROR 9\n";exit}
88	"24 - sys_resource"	88	"24 - sys_resource"
89	}	89	}
90	after 100	90	after 500
91		91
92	send -- "firejail --caps.keep=\"bla bla bla\"\r"	92	send -- "firejail --caps.keep=\"bla bla bla\"\r"
93	expect {	93	expect {
@@ -99,5 +99,5 @@ expect {
99	"not found"	99	"not found"
100	}	100	}
101		101
102	after 100	102	after 500
103	puts "\nall done\n"	103	puts "\nall done\n"


diff --git a/test/capabilities/caps.exp b/test/capabilities/caps.exp index dbd63efda..bd7ab04eb 100755 --- a/test/capabilities/caps.exp +++ b/test/capabilities/caps.exp
@@ -7,14 +7,11 @@ set timeout 10
7	spawn $env(SHELL)	7	spawn $env(SHELL)
8	match_max 100000	8	match_max 100000
9		9
10	send -- "firejail --caps.keep=chown,fowner --noprofile\r"	10	send -- "firejail --caps.keep=chown,fowner --noprofile cat /proc/self/status\r"
11	expect {	11	expect {
12	timeout {puts "TESTING ERROR 1\n";exit}	12	timeout {puts "TESTING ERROR 1\n";exit}
13	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	13	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
14	}	14	}
15	after 100
16
17	send -- "cat /proc/self/status\r"
18	expect {	15	expect {
19	timeout {puts "TESTING ERROR 2\n";exit}	16	timeout {puts "TESTING ERROR 2\n";exit}
20	"CapBnd: 0000000000000009"	17	"CapBnd: 0000000000000009"
@@ -23,17 +20,13 @@ expect {
23	timeout {puts "TESTING ERROR 3\n";exit}	20	timeout {puts "TESTING ERROR 3\n";exit}
24	"Seccomp:"	21	"Seccomp:"
25	}	22	}
26	send -- "exit\r"	23	after 500
27	sleep 1
28		24
29	send -- "firejail --caps.drop=all --noprofile\r"	25	send -- "firejail --caps.drop=all --noprofile cat /proc/self/status\r"
30	expect {	26	expect {
31	timeout {puts "TESTING ERROR 4\n";exit}	27	timeout {puts "TESTING ERROR 4\n";exit}
32	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	28	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
33	}	29	}
34	after 100
35
36	send -- "cat /proc/self/status\r"
37	expect {	30	expect {
38	timeout {puts "TESTING ERROR 5\n";exit}	31	timeout {puts "TESTING ERROR 5\n";exit}
39	"CapBnd: 0000000000000000"	32	"CapBnd: 0000000000000000"
@@ -42,17 +35,13 @@ expect {
42	timeout {puts "TESTING ERROR 6\n";exit}	35	timeout {puts "TESTING ERROR 6\n";exit}
43	"Seccomp:"	36	"Seccomp:"
44	}	37	}
45	send -- "exit\r"	38	after 500
46	sleep 1
47		39
48	send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"	40	send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile cat /proc/self/status\r"
49	expect {	41	expect {
50	timeout {puts "TESTING ERROR 7\n";exit}	42	timeout {puts "TESTING ERROR 7\n";exit}
51	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	43	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
52	}	44	}
53	after 100
54
55	send -- "cat /proc/self/status\r"
56	expect {	45	expect {
57	timeout {puts "TESTING ERROR 8\n";exit}	46	timeout {puts "TESTING ERROR 8\n";exit}
58	"CapBnd:"	47	"CapBnd:"
@@ -65,11 +54,9 @@ expect {
65	timeout {puts "TESTING ERROR 10\n";exit}	54	timeout {puts "TESTING ERROR 10\n";exit}
66	"Seccomp:"	55	"Seccomp:"
67	}	56	}
68	send -- "exit\r"	57	after 500
69	sleep 1
70		58
71		59	send -- "firejail --profile=caps1.profile --debug ls\r"
72	send -- "firejail --profile=caps1.profile --debug\r"
73	expect {	60	expect {
74	timeout {puts "TESTING ERROR 11\n";exit}	61	timeout {puts "TESTING ERROR 11\n";exit}
75	"Drop CAP_SYS_MODULE"	62	"Drop CAP_SYS_MODULE"
@@ -83,10 +70,7 @@ expect {
83	"Drop CAP_" {puts "TESTING ERROR 14\n";exit}	70	"Drop CAP_" {puts "TESTING ERROR 14\n";exit}
84	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	71	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
85	}	72	}
86	after 100	73	after 500
87	send -- "exit\r"
88	sleep 1
89
90		74
91	## tofix: possible problem with caps.keep in profile files	75	## tofix: possible problem with caps.keep in profile files
92	##send -- "firejail --caps.keep=chown,fowner --noprofile\r"	76	##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
@@ -110,14 +94,11 @@ sleep 1
110	#sleep 1	94	#sleep 1
111		95
112	#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"	96	#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
113	send -- "firejail --profile=caps3.profile\r"	97	send -- "firejail --profile=caps3.profile cat /proc/self/status\r"
114	expect {	98	expect {
115	timeout {puts "TESTING ERROR 18\n";exit}	99	timeout {puts "TESTING ERROR 18\n";exit}
116	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"	100	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
117	}	101	}
118	after 100
119
120	send -- "cat /proc/self/status\r"
121	expect {	102	expect {
122	timeout {puts "TESTING ERROR 19\n";exit}	103	timeout {puts "TESTING ERROR 19\n";exit}
123	"CapBnd:"	104	"CapBnd:"
@@ -130,10 +111,5 @@ expect {
130	timeout {puts "TESTING ERROR 21\n";exit}	111	timeout {puts "TESTING ERROR 21\n";exit}
131	"Seccomp:"	112	"Seccomp:"
132	}	113	}
133	send -- "exit\r"	114	after 500
134	sleep 1
135
136
137
138	after 100
139	puts "\nall done\n"	115	puts "\nall done\n"


diff --git a/test/capabilities/firemon-caps.exp b/test/capabilities/firemon-caps.exp new file mode 100755 index 000000000..905c8cba9 --- /dev/null +++ b/test/capabilities/firemon-caps.exp
@@ -0,0 +1,47 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2023 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --name=bingo1 --noprofile --caps\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		14	}
		15	sleep 1
		16
		17	spawn $env(SHELL)
		18	send -- "firejail --name=bingo2 --noprofile\r"
		19	expect {
		20	timeout {puts "TESTING ERROR 1\n";exit}
		21	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
		22	}
		23	sleep 1
		24
		25	spawn $env(SHELL)
		26	send -- "firemon --caps\r"
		27	expect {
		28	timeout {puts "TESTING ERROR 2\n";exit}
		29	"need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
		30	"bingo1"
		31	}
		32	expect {
		33	timeout {puts "TESTING ERROR 3\n";exit}
		34	"31cffff"
		35	}
		36	expect {
		37	timeout {puts "TESTING ERROR 4\n";exit}
		38	"bingo2"
		39	}
		40	expect {
		41	timeout {puts "TESTING ERROR 5\n";exit}
		42	"fffffff"
		43	}
		44
		45	after 500
		46
		47	puts "all done\n"