Diffstat (limited to 'test/filters/noroot.exp')
-rwxr-xr-x | test/filters/noroot.exp | 160 |
1 files changed, 160 insertions, 0 deletions
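--- /dev/null
+++ b/test/filters/noroot.exp
@@ -0,0 +1,160 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"CapBnd: 0000000000000000"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Seccomp:"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"2"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Cpus_allowed:"
+}
+puts "\n"
+
+send -- "ping 0\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Operation not permitted"
+}
+send -- "whoami\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+$env(USER)
+}
+send -- "sudo -s\r"
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+"Bad system call" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 9\n";exit}
+"5"
+}
+
+puts "\n"
+send -- "exit\r"
+sleep 2
+
+
+
+send -- "firejail --name=test --noroot --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
+"ffffffff"
+}
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"Seccomp:"
+}
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"0"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"Cpus_allowed:"
+}
+puts "\n"
+
+send -- "whoami\r"
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+$env(USER)
+}
+send -- "sudo -s\r"
+expect {
+timeout {puts "TESTING ERROR 17\n";exit}
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+send -- "ping 0\r"
+expect {
+timeout {puts "TESTING ERROR 18\n";exit}
+"Operation not permitted"
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 19\n";exit}
+"1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 20\n";exit}
+"5"
+}
+
+
+
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"User namespace detected"
+}
+expect {
+timeout {puts "TESTING ERROR 22\n";exit}
+"Joining user namespace"
+}
+sleep 1
+
+send -- "sudo -s\r"
+expect {
+timeout {puts "TESTING ERROR 23\n";exit}
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+"Permission denied" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 24\n";exit}
+"1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 25\n";exit}
+"5"
+}
+after 100
+puts "\nall done\n"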
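Review bot: The numeric expectations are unanchored glob patterns, so they pass on any output that merely contains the digit: `"1"` and `"5"` after the `wc -l` commands (new-file lines 57/62, 120/125, 152/157) and `"2"` / `"0"` after `Seccomp:` (lines 29 and 93). A uid_map with 10 or 21 entries, or a digit in the shell prompt, would still satisfy `"1"`, which weakens the checks that assert the single-uid mapping and the seccomp mode under `--noroot`. Matching the whole output line would pin them down, for example `-re {\n1\r}` for the map counts and `-re {Seccomp:\s+2\r}` for the status field; the exact line endings depend on the pty, so confirm against real output. Separately, `TESTING ERROR 1` is emitted by two different timeout branches (lines 12 and 20), so a failure there cannot be attributed to one step. Every failure branch also calls a bare `exit`, which returns status 0, so a harness has to parse the output instead of relying on the exit code.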