Diffstat (limited to 'test/filters')
-rwxr-xr-x | test/filters/apparmor.exp | 59 | ||||
-rw-r--r-- | test/filters/block-secondary.profile | 1 | ||||
-rwxr-xr-x | test/filters/caps-join.exp | 96 | ||||
-rwxr-xr-x | test/filters/caps-print.exp | 103 | ||||
-rwxr-xr-x | test/filters/caps.exp | 139 | ||||
-rw-r--r-- | test/filters/caps1.profile | 1 | ||||
-rw-r--r-- | test/filters/caps2.profile | 1 | ||||
-rw-r--r-- | test/filters/caps3.profile | 1 | ||||
-rwxr-xr-x | test/filters/filters.sh | 39 | ||||
-rwxr-xr-x | test/filters/memwrexe | bin | 17096 -> 0 bytes | |||
-rw-r--r-- | test/filters/memwrexe.c | 105 | ||||
-rwxr-xr-x | test/filters/memwrexe.exp | 46 | ||||
-rwxr-xr-x | test/filters/namespaces | bin | 17392 -> 17496 bytes | |||
-rwxr-xr-x | test/filters/namespaces-32 | bin | 16104 -> 16180 bytes | |||
-rwxr-xr-x | test/filters/namespaces-32.exp | 80 | ||||
-rw-r--r-- | test/filters/namespaces.c | 38 | ||||
-rwxr-xr-x | test/filters/namespaces.exp | 80 | ||||
-rwxr-xr-x | test/filters/noroot.exp | 136 | ||||
-rwxr-xr-x | test/filters/protocol.exp | 97 | ||||
-rw-r--r-- | test/filters/protocol1.profile | 1 | ||||
-rw-r--r-- | test/filters/protocol2.profile | 1 | ||||
-rwxr-xr-x | test/filters/seccomp-debug.exp | 57 |
22 files changed, 171 insertions, 910 deletions
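--- a/test/filters/apparmor.exp
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test1 --apparmor\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --name=test2 --apparmor\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firemon --apparmor\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"test1:firejail --name=test1 --apparmor"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"AppArmor: firejail-default//&unconfined enforce"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"test2:firejail --name=test2 --apparmor"
-}
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"AppArmor: firejail-default//&unconfined enforce"
-}
-after 100
-
-send -- "firejail --apparmor.print=test1\r"
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"AppArmor: firejail-default//&unconfined enforce"
-}
-after 100
-
-send -- "firejail --apparmor.print=test2\r"
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"AppArmor: firejail-default//&unconfined enforce"
-}
-after 100
-
-puts "\nall done\n"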
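--- a/test/filters/block-secondary.profile
+++ /dev/null
@@ -1 +0,0 @@
-seccomp.block-secondary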
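--- a/test/filters/caps-join.exp
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-match_max 100000
-spawn $env(SHELL)
-set id1 $spawn_id
-spawn $env(SHELL)
-set id2 $spawn_id
-
-send -- "stty -echo\r"
-after 100
-
-#
-# regular run
-#
-set spawn_id $id1
-send -- "firejail --name=jointesting\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-set spawn_id $id2
-
-send -- "firejail --join=jointesting cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"CapBnd: 0000000000000000"
-}
-sleep 1
-
-set spawn_id $id1
-send -- "exit\r"
-after 100
-
-#
-# no caps
-#
-set spawn_id $id1
-send -- "firejail --name=jointesting --noprofile\r"
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-set spawn_id $id2
-
-send -- "firejail --join=jointesting cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"CapBnd:"
-}
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-"fffffffff"
-}
-expect {
-timeout {puts "TESTING ERROR 13\n";exit}
-"CapAmb:"
-}
-sleep 1
-
-set spawn_id $id1
-send -- "exit\r"
-after 100
-
-#
-# no caps
-#
-set spawn_id $id1
-send -- "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
-expect {
-timeout {puts "TESTING ERROR20\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-set spawn_id $id2
-
-send -- "firejail --join=jointesting cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 21\n";exit}
-"CapBnd: 0000000000000009"
-}
-sleep 1
-
-set spawn_id $id1
-send -- "exit\r"
-after 100
-
-puts "all done\n"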
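--- a/test/filters/caps-print.exp
+++ /dev/null
@@ -1,103 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --noprofile --caps --debug\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Drop CAP_SYS_MODULE"
-}
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"Drop CAP_SYS_RAWIO"
-}
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"Drop CAP_SYS_BOOT"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"Drop CAP_SYS_NICE"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Drop CAP_SYS_TTY_CONFIG"
-}
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"Drop CAP_SYSLOG"
-}
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"Drop CAP_MKNOD"
-}
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-"Drop CAP_SYS_ADMIN"
-}
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --caps.print=test\r"
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"chown - enabled"
-}
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"setgid - enabled"
-}
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"setuid - enabled"
-}
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-"mknod - disabled"
-}
-expect {
-timeout {puts "TESTING ERROR 13\n";exit}
-"syslog - disabled"
-}
-after 100
-
-send -- "firejail --debug-caps\r"
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"21 - sys_admin"
-}
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"22 - sys_boot"
-}
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"23 - sys_nice"
-}
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"24 - sys_resource"
-}
-after 100
-
-send -- "firejail --caps.keep=\"bla bla bla\"\r"
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"capability"
-}
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"not found"
-}
-
-after 100
-puts "\nall done\n"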
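--- a/test/filters/caps.exp
+++ /dev/null
@@ -1,139 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --caps.keep=chown,fowner --noprofile\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-after 100
-
-send -- "cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"CapBnd: 0000000000000009"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"Seccomp:"
-}
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --caps.drop=all --noprofile\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-after 100
-
-send -- "cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"CapBnd: 0000000000000000"
-}
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"Seccomp:"
-}
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-after 100
-
-send -- "cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"CapBnd:"
-}
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"fffffff0"
-}
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"Seccomp:"
-}
-send -- "exit\r"
-sleep 1
-
-
-send -- "firejail --profile=caps1.profile --debug\r"
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"Drop CAP_SYS_MODULE"
-}
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-"Drop CAP_SYS_ADMIN"
-}
-expect {
-timeout {puts "TESTING ERROR 13\n";exit}
-"Drop CAP_" {puts "TESTING ERROR 14\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-after 100
-send -- "exit\r"
-sleep 1
-
-
-## tofix: possible problem with caps.keep in profile files
-##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
-#send -- "firejail --profile=caps2.profile\r"
-#expect {
-# timeout {puts "TESTING ERROR 15\n";exit}
-# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-#}
-#after 100
-#
-#send -- "cat /proc/self/status\r"
-#expect {
-# timeout {puts "TESTING ERROR 16\n";exit}
-# "CapBnd: 0000000000000009"
-#}
-#expect {
-# timeout {puts "TESTING ERROR 17\n";exit}
-# "Seccomp:"
-#}
-#send -- "exit\r"
-#sleep 1
-
-#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
-send -- "firejail --profile=caps3.profile\r"
-expect {
-timeout {puts "TESTING ERROR 18\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-after 100
-
-send -- "cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 19\n";exit}
-"CapBnd:"
-}
-expect {
-timeout {puts "TESTING ERROR 20\n";exit}
-"fffffff0"
-}
-expect {
-timeout {puts "TESTING ERROR 21\n";exit}
-"Seccomp:"
-}
-send -- "exit\r"
-sleep 1
-
-
-
-after 100
-puts "\nall done\n"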
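--- a/test/filters/caps1.profile
+++ /dev/null
@@ -1 +0,0 @@
-caps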
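--- a/test/filters/caps2.profile
+++ /dev/null
@@ -1 +0,0 @@
-caps.drop chown,dac_override,dac_read_search,fowner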
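--- a/test/filters/caps3.profile
+++ /dev/null
@@ -1 +0,0 @@
-caps.drop chown,dac_override,dac_read_search,fowner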
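--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -13,12 +13,12 @@ if [[ -f /etc/debian_version ]]; then
 fi
 export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
 
-if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
-echo "TESTING: apparmor (test/filters/apparmor.exp)"
-./apparmor.exp
-else
-echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)"
-fi
+#if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
+# echo "TESTING: apparmor (test/filters/apparmor.exp)"
+# ./apparmor.exp
+#else
+# echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)"
+#fi
 
 if [[ $(uname -m) == "x86_64" ]]; then
 echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)"
@@ -53,22 +53,19 @@ fi
 echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
 ./seccomp-postexec.exp
 
-echo "TESTING: noroot (test/filters/noroot.exp)"
-./noroot.exp
-
-
-if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
-echo "TESTING: capabilities (test/filters/caps.exp)"
-./caps.exp
-else
-echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)"
-fi
-
-echo "TESTING: capabilities print (test/filters/caps-print.exp)"
-./caps-print.exp
 
-echo "TESTING: capabilities join (test/filters/caps-join.exp)"
-./caps-join.exp
+#if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
+# echo "TESTING: capabilities (test/filters/caps.exp)"
+# ./caps.exp
+#else
+# echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)"
+#fi
+#
+#echo "TESTING: capabilities print (test/filters/caps-print.exp)"
+#./caps-print.exp
+#
+#echo "TESTING: capabilities join (test/filters/caps-join.exp)"
+#./caps-join.exp
 
 rm -f seccomp-test-file
 if [[ $(uname -m) == "x86_64" ]]; then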
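Review bot: The x86_64 branch kept as context at new line 24 still announces `test/filters/memwrexe.exp`, yet this commit deletes `memwrexe.exp`, `memwrexe.c` and the `memwrexe` binary from the same directory. The line that runs it lies outside the hunk, so this is inferred, but if `./memwrexe.exp` is still invoked there the memory-deny-write-execute check will fail to start instead of being skipped; it should be removed or commented out together with the others. The apparmor and capabilities blocks are likewise left as commented-out calls to scripts that no longer exist in this directory. Deleting them, or replacing them with one line such as `# apparmor and capabilities tests: see <new location>`, would show whether that coverage moved or was dropped.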
diff --git a/test/filters/memwrexe b/test/filters/memwrexe deleted file mode 100755 index 1173cdc07..000000000 --- a/test/filters/memwrexe +++ /dev/null | |||
Binary files differ | |||
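--- a/test/filters/memwrexe.c
+++ /dev/null
@@ -1,105 +0,0 @@
-// This file is part of Firejail project
-// Copyright (C) 2014-2023 Firejail Authors
-// License GPL v2
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <sys/mman.h>
-#include <sys/syscall.h>
-
-static void usage(void) {
-printf("memwrexe options\n");
-printf("where options is:\n");
-printf("\tmmap - mmap test\n");
-printf("\tmprotect - mprotect test\n");
-printf("\tmemfd_create - memfd_create test\n");
-}
-
-int main(int argc, char **argv) {
-if (argc != 2) {
-fprintf(stderr, "TESTING ERROR: memwrexe insufficient params\n");
-usage();
-return 1;
-}
-
-if (strcmp(argv[1], "mmap") == 0) {
-// open some file
-int fd = open("memwrexe.c", O_RDONLY);
-if (fd == -1) {
-fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
-return 1;
-}
-
-int size = lseek(fd, 0, SEEK_END);
-if (size == -1) {
-fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
-return 1;
-}
-
-void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0);
-if (p == MAP_FAILED) {
-printf("mmap failed\n");
-return 0;
-}
-
-printf("mmap successful\n");
-
-// wait for expect to timeout
-sleep(100);
-
-return 0;
-}
-
-else if (strcmp(argv[1], "mprotect") == 0) {
-// open some file
-int fd = open("memwrexe.c", O_RDWR);
-if (fd == -1) {
-fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
-return 1;
-}
-
-int size = lseek(fd, 0, SEEK_END);
-if (size == -1) {
-fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
-return 1;
-}
-
-void *p = mmap (0, size, PROT_READ, MAP_SHARED, fd, 0);
-if (p == MAP_FAILED) {
-fprintf(stderr, "TESTING ERROR: cannot map file for mprotect test\n");
-return 1;
-}
-
-int rv = mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
-if (rv) {
-printf("mprotect failed\n");
-return 1;
-}
-
-printf("mprotect successful\n");
-
-// wait for expect to timeout
-sleep(100);
-
-return 0;
-}
-
-else if (strcmp(argv[1], "memfd_create") == 0) {
-int fd = syscall(SYS_memfd_create, "memfd_create", 0);
-if (fd == -1) {
-printf("memfd_create failed\n");
-return 1;
-}
-printf("memfd_create successful\n");
-
-// wait for expect to timeout
-sleep(100);
-
-return 0;
-}
-}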
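--- a/test/filters/memwrexe.exp
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --memory-deny-write-execute ./memwrexe mmap\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"mmap successful" {puts "TESTING ERROR 2\n";exit}
-"Parent is shutting down"
-}
-after 100
-
-send -- "firejail --memory-deny-write-execute ./memwrexe mprotect\r"
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"mprotect successful" {puts "TESTING ERROR 12\n";exit}
-"Parent is shutting down"
-}
-after 100
-
-send -- "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
-expect {
-timeout {puts "TESTING ERROR 20\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-timeout {puts "TESTING ERROR 21\n";exit}
-"memfd_create successful" {puts "TESTING ERROR 22\n";exit}
-"Parent is shutting down"
-}
-
-after 100
-puts "\nall done\n"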
diff --git a/test/filters/namespaces b/test/filters/namespaces index 721ba092e..6d36ae8e9 100755 --- a/test/filters/namespaces +++ b/test/filters/namespaces | |||
Binary files differ | |||
diff --git a/test/filters/namespaces-32 b/test/filters/namespaces-32 index 4df674d1b..a5ba488a4 100755 --- a/test/filters/namespaces-32 +++ b/test/filters/namespaces-32 | |||
Binary files differ | |||
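--- a/test/filters/namespaces-32.exp
+++ b/test/filters/namespaces-32.exp
@@ -20,7 +20,7 @@ expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "clone successful"
 }
-after 100
+after 200
 
 send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r"
 expect {
@@ -31,7 +31,7 @@ expect {
 timeout {puts "TESTING ERROR 3\n";exit}
 "Error: clone: Operation not permitted"
 }
-after 100
+after 200
 
 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r"
 expect {
@@ -42,7 +42,7 @@ expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "Error: clone: Operation not permitted"
 }
-after 100
+after 200
 
 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
 expect {
@@ -53,9 +53,9 @@ expect {
 timeout {puts "TESTING ERROR 7\n";exit}
 "Error: clone: Operation not permitted"
 }
-after 100
+after 200
 
-send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r"
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup,user\r"
 expect {
 timeout {puts "TESTING ERROR 8\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -64,9 +64,9 @@ expect {
 timeout {puts "TESTING ERROR 9\n";exit}
 "Error: clone: Operation not permitted"
 }
-after 100
+after 200
 
-send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r"
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc,user\r"
 expect {
 timeout {puts "TESTING ERROR 10\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -75,9 +75,9 @@ expect {
 timeout {puts "TESTING ERROR 11\n";exit}
 "Error: clone: Operation not permitted"
 }
-after 100
+after 200
 
-send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r"
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,user,uts\r"
 expect {
 timeout {puts "TESTING ERROR 12\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -86,7 +86,7 @@ expect {
 timeout {puts "TESTING ERROR 13\n";exit}
 "clone successful"
 }
-after 100
+after 200
 
 #
 # unshare
@@ -101,7 +101,7 @@ expect {
 timeout {puts "TESTING ERROR 15\n";exit}
 "unshare successful"
 }
-after 100
+after 200
 
 send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r"
 expect {
@@ -112,7 +112,7 @@ expect {
 timeout {puts "TESTING ERROR 17\n";exit}
 "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
 
 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r"
 expect {
@@ -123,7 +123,7 @@ expect {
 timeout {puts "TESTING ERROR 19\n";exit}
 "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
 
 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
 expect {
@@ -134,9 +134,9 @@ expect {
 timeout {puts "TESTING ERROR 21\n";exit}
 "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
 
-send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r"
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup,user\r"
 expect {
 timeout {puts "TESTING ERROR 22\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -145,9 +145,9 @@ expect {
 timeout {puts "TESTING ERROR 23\n";exit}
 "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
 
-send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r"
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc,user\r"
 expect {
 timeout {puts "TESTING ERROR 24\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -156,9 +156,9 @@ expect {
 timeout {puts "TESTING ERROR 25\n";exit}
 "Error: unshare: Operation not permitted"
 }
-after 100
+after 200
 
-send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r"
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,user,uts\r"
 expect {
 timeout {puts "TESTING ERROR 26\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -167,7 +167,47 @@ expect {
 timeout {puts "TESTING ERROR 27\n";exit}
 "unshare successful"
 }
+after 200
 
 
-after 100
+#
+# clone3
+#
+
+send -- "firejail --noprofile ./namespaces-32 clone3 cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 28\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 29\n";exit}
+"Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"}
+"clone3 successful" {
+after 200
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone3 user\r"
+expect {
+timeout {puts "TESTING ERROR 30\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 31\n";exit}
+"Error: clone3: Function not implemented"
+}
+after 200
+
+# clone3 arguments are not checked
+send -- "firejail --noprofile --restrict-namespaces=mnt ./namespaces-32 clone3 cgroup,ipc,net,pid,user,uts\r"
+expect {
+timeout {puts "TESTING ERROR 32\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+timeout {puts "TESTING ERROR 33\n";exit}
+"Error: clone3: Function not implemented"
+}
+}
+}
+
+after 200
 puts "\nall done\n"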
diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c index ecf0fdcd1..18ebc8faa 100644 --- a/test/filters/namespaces.c +++ b/test/filters/namespaces.c | |||
@@ -1,21 +1,29 @@ | |||
1 | #define _GNU_SOURCE | 1 | #define _GNU_SOURCE |
2 | #include <errno.h> | 2 | #include <errno.h> |
3 | #include <sched.h> | 3 | #include <linux/sched.h> |
4 | #include <signal.h> | 4 | #include <signal.h> |
5 | #include <stdio.h> | 5 | #include <stdio.h> |
6 | #include <stdlib.h> | 6 | #include <stdlib.h> |
7 | #include <string.h> | 7 | #include <string.h> |
8 | #include <sys/mman.h> | 8 | #include <sys/mman.h> |
9 | #include <sys/wait.h> | ||
9 | #include <unistd.h> | 10 | #include <unistd.h> |
10 | 11 | ||
12 | #include <sched.h> | ||
11 | #ifndef CLONE_NEWTIME | 13 | #ifndef CLONE_NEWTIME |
12 | #define CLONE_NEWTIME 0x00000080 | 14 | #define CLONE_NEWTIME 0x00000080 |
13 | #endif | 15 | #endif |
14 | 16 | ||
17 | #include <sys/syscall.h> | ||
18 | #ifndef __NR_clone3 | ||
19 | #define __NR_clone3 435 | ||
20 | #endif | ||
21 | |||
15 | #define STACK_SIZE 1024 * 1024 | 22 | #define STACK_SIZE 1024 * 1024 |
16 | 23 | ||
24 | |||
17 | static int usage() { | 25 | static int usage() { |
18 | fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n"); | 26 | fprintf(stderr, "Usage: namespaces <system call>[clone,clone3,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n"); |
19 | exit(1); | 27 | exit(1); |
20 | } | 28 | } |
21 | 29 | ||
@@ -71,8 +79,11 @@ int main (int argc, char **argv) { | |||
71 | usage(); | 79 | usage(); |
72 | 80 | ||
73 | int flags = ns_flags(argv[2]); | 81 | int flags = ns_flags(argv[2]); |
74 | if (getuid() != 0) | 82 | |
75 | flags |= CLONE_NEWUSER; | 83 | if (getuid() != 0 && (flags & CLONE_NEWUSER) != CLONE_NEWUSER) { |
84 | fprintf(stderr, "Error: add \"user\" to namespaces list\n"); | ||
85 | exit(1); | ||
86 | } | ||
76 | 87 | ||
77 | if (strcmp(argv[1], "clone") == 0) { | 88 | if (strcmp(argv[1], "clone") == 0) { |
78 | void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, | 89 | void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, |
@@ -80,8 +91,25 @@ int main (int argc, char **argv) { | |||
80 | if (stack == MAP_FAILED) | 91 | if (stack == MAP_FAILED) |
81 | die("mmap"); | 92 | die("mmap"); |
82 | 93 | ||
83 | if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0) | 94 | pid_t pid = clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL); |
95 | if (pid < 0) | ||
84 | die("clone"); | 96 | die("clone"); |
97 | waitpid(pid, NULL, 0); | ||
98 | } | ||
99 | else if (strcmp(argv[1], "clone3") == 0) { | ||
100 | struct clone_args args = { | ||
101 | .flags = flags, | ||
102 | .exit_signal = SIGCHLD, | ||
103 | }; | ||
104 | |||
105 | pid_t pid = syscall(__NR_clone3, &args, sizeof(struct clone_args)); | ||
106 | if (pid < 0) | ||
107 | die("clone3"); | ||
108 | if (pid == 0) { | ||
109 | fprintf(stderr, "clone3 successful\n"); | ||
110 | exit(0); | ||
111 | } | ||
112 | waitpid(pid, NULL, 0); | ||
85 | } | 113 | } |
86 | else if (strcmp(argv[1], "unshare") == 0) { | 114 | else if (strcmp(argv[1], "unshare") == 0) { |
87 | if (unshare(flags)) | 115 | if (unshare(flags)) |
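Review bot: The new `clone3` branch in main uses `struct clone_args` from `<linux/sched.h>` unconditionally, while the first hunk adds an `#ifndef __NR_clone3` fallback as if older kernel headers were supported. Headers that lack the syscall number presumably lack the struct as well, so the fallback alone would not make the file build there; worth confirming, then either dropping the fallback or stating the requirement next to it, e.g. `/* clone3 branch needs kernel headers that define struct clone_args */`. Both new `waitpid(pid, NULL, 0);` calls also discard the child's status, so a child that dies on a signal is indistinguishable from one that exited normally; passing a status pointer and checking `WIFEXITED` would make the helper's own exit code meaningful. main begins and continues outside these hunks.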
diff --git a/test/filters/namespaces.exp b/test/filters/namespaces.exp index 96e4a774a..394826de7 100755 --- a/test/filters/namespaces.exp +++ b/test/filters/namespaces.exp | |||
@@ -20,7 +20,7 @@ expect { | |||
20 | timeout {puts "TESTING ERROR 1\n";exit} | 20 | timeout {puts "TESTING ERROR 1\n";exit} |
21 | "clone successful" | 21 | "clone successful" |
22 | } | 22 | } |
23 | after 100 | 23 | after 200 |
24 | 24 | ||
25 | send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r" | 25 | send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r" |
26 | expect { | 26 | expect { |
@@ -31,7 +31,7 @@ expect { | |||
31 | timeout {puts "TESTING ERROR 3\n";exit} | 31 | timeout {puts "TESTING ERROR 3\n";exit} |
32 | "Error: clone: Operation not permitted" | 32 | "Error: clone: Operation not permitted" |
33 | } | 33 | } |
34 | after 100 | 34 | after 200 |
35 | 35 | ||
36 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r" | 36 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r" |
37 | expect { | 37 | expect { |
@@ -42,7 +42,7 @@ expect { | |||
42 | timeout {puts "TESTING ERROR 5\n";exit} | 42 | timeout {puts "TESTING ERROR 5\n";exit} |
43 | "Error: clone: Operation not permitted" | 43 | "Error: clone: Operation not permitted" |
44 | } | 44 | } |
45 | after 100 | 45 | after 200 |
46 | 46 | ||
47 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" | 47 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" |
48 | expect { | 48 | expect { |
@@ -53,9 +53,9 @@ expect { | |||
53 | timeout {puts "TESTING ERROR 7\n";exit} | 53 | timeout {puts "TESTING ERROR 7\n";exit} |
54 | "Error: clone: Operation not permitted" | 54 | "Error: clone: Operation not permitted" |
55 | } | 55 | } |
56 | after 100 | 56 | after 200 |
57 | 57 | ||
58 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r" | 58 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup,user\r" |
59 | expect { | 59 | expect { |
60 | timeout {puts "TESTING ERROR 8\n";exit} | 60 | timeout {puts "TESTING ERROR 8\n";exit} |
61 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 61 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -64,9 +64,9 @@ expect { | |||
64 | timeout {puts "TESTING ERROR 9\n";exit} | 64 | timeout {puts "TESTING ERROR 9\n";exit} |
65 | "Error: clone: Operation not permitted" | 65 | "Error: clone: Operation not permitted" |
66 | } | 66 | } |
67 | after 100 | 67 | after 200 |
68 | 68 | ||
69 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r" | 69 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc,user\r" |
70 | expect { | 70 | expect { |
71 | timeout {puts "TESTING ERROR 10\n";exit} | 71 | timeout {puts "TESTING ERROR 10\n";exit} |
72 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 72 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -75,9 +75,9 @@ expect { | |||
75 | timeout {puts "TESTING ERROR 11\n";exit} | 75 | timeout {puts "TESTING ERROR 11\n";exit} |
76 | "Error: clone: Operation not permitted" | 76 | "Error: clone: Operation not permitted" |
77 | } | 77 | } |
78 | after 100 | 78 | after 200 |
79 | 79 | ||
80 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r" | 80 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,user,uts\r" |
81 | expect { | 81 | expect { |
82 | timeout {puts "TESTING ERROR 12\n";exit} | 82 | timeout {puts "TESTING ERROR 12\n";exit} |
83 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 83 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -86,7 +86,7 @@ expect { | |||
86 | timeout {puts "TESTING ERROR 13\n";exit} | 86 | timeout {puts "TESTING ERROR 13\n";exit} |
87 | "clone successful" | 87 | "clone successful" |
88 | } | 88 | } |
89 | after 100 | 89 | after 200 |
90 | 90 | ||
91 | # | 91 | # |
92 | # unshare | 92 | # unshare |
@@ -101,7 +101,7 @@ expect { | |||
101 | timeout {puts "TESTING ERROR 15\n";exit} | 101 | timeout {puts "TESTING ERROR 15\n";exit} |
102 | "unshare successful" | 102 | "unshare successful" |
103 | } | 103 | } |
104 | after 100 | 104 | after 200 |
105 | 105 | ||
106 | send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r" | 106 | send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r" |
107 | expect { | 107 | expect { |
@@ -112,7 +112,7 @@ expect { | |||
112 | timeout {puts "TESTING ERROR 17\n";exit} | 112 | timeout {puts "TESTING ERROR 17\n";exit} |
113 | "Error: unshare: Operation not permitted" | 113 | "Error: unshare: Operation not permitted" |
114 | } | 114 | } |
115 | after 100 | 115 | after 200 |
116 | 116 | ||
117 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r" | 117 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r" |
118 | expect { | 118 | expect { |
@@ -123,7 +123,7 @@ expect { | |||
123 | timeout {puts "TESTING ERROR 19\n";exit} | 123 | timeout {puts "TESTING ERROR 19\n";exit} |
124 | "Error: unshare: Operation not permitted" | 124 | "Error: unshare: Operation not permitted" |
125 | } | 125 | } |
126 | after 100 | 126 | after 200 |
127 | 127 | ||
128 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" | 128 | send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" |
129 | expect { | 129 | expect { |
@@ -134,9 +134,9 @@ expect { | |||
134 | timeout {puts "TESTING ERROR 21\n";exit} | 134 | timeout {puts "TESTING ERROR 21\n";exit} |
135 | "Error: unshare: Operation not permitted" | 135 | "Error: unshare: Operation not permitted" |
136 | } | 136 | } |
137 | after 100 | 137 | after 200 |
138 | 138 | ||
139 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r" | 139 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup,user\r" |
140 | expect { | 140 | expect { |
141 | timeout {puts "TESTING ERROR 22\n";exit} | 141 | timeout {puts "TESTING ERROR 22\n";exit} |
142 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 142 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -145,9 +145,9 @@ expect { | |||
145 | timeout {puts "TESTING ERROR 23\n";exit} | 145 | timeout {puts "TESTING ERROR 23\n";exit} |
146 | "Error: unshare: Operation not permitted" | 146 | "Error: unshare: Operation not permitted" |
147 | } | 147 | } |
148 | after 100 | 148 | after 200 |
149 | 149 | ||
150 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r" | 150 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc,user\r" |
151 | expect { | 151 | expect { |
152 | timeout {puts "TESTING ERROR 24\n";exit} | 152 | timeout {puts "TESTING ERROR 24\n";exit} |
153 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 153 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -156,9 +156,9 @@ expect { | |||
156 | timeout {puts "TESTING ERROR 25\n";exit} | 156 | timeout {puts "TESTING ERROR 25\n";exit} |
157 | "Error: unshare: Operation not permitted" | 157 | "Error: unshare: Operation not permitted" |
158 | } | 158 | } |
159 | after 100 | 159 | after 200 |
160 | 160 | ||
161 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r" | 161 | send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,user,uts\r" |
162 | expect { | 162 | expect { |
163 | timeout {puts "TESTING ERROR 26\n";exit} | 163 | timeout {puts "TESTING ERROR 26\n";exit} |
164 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | 164 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" |
@@ -167,7 +167,47 @@ expect { | |||
167 | timeout {puts "TESTING ERROR 27\n";exit} | 167 | timeout {puts "TESTING ERROR 27\n";exit} |
168 | "unshare successful" | 168 | "unshare successful" |
169 | } | 169 | } |
170 | after 200 | ||
170 | 171 | ||
171 | 172 | ||
172 | after 100 | 173 | # |
174 | # clone3 | ||
175 | # | ||
176 | |||
177 | send -- "firejail --noprofile ./namespaces clone3 cgroup,ipc,mnt,net,pid,user,uts\r" | ||
178 | expect { | ||
179 | timeout {puts "TESTING ERROR 28\n";exit} | ||
180 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
181 | } | ||
182 | expect { | ||
183 | timeout {puts "TESTING ERROR 29\n";exit} | ||
184 | "Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"} | ||
185 | "clone3 successful" { | ||
186 | after 200 | ||
187 | |||
188 | send -- "firejail --noprofile --restrict-namespaces ./namespaces clone3 user\r" | ||
189 | expect { | ||
190 | timeout {puts "TESTING ERROR 30\n";exit} | ||
191 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
192 | } | ||
193 | expect { | ||
194 | timeout {puts "TESTING ERROR 31\n";exit} | ||
195 | "Error: clone3: Function not implemented" | ||
196 | } | ||
197 | after 200 | ||
198 | |||
199 | # clone3 arguments are not checked | ||
200 | send -- "firejail --noprofile --restrict-namespaces=mnt ./namespaces clone3 cgroup,ipc,net,pid,user,uts\r" | ||
201 | expect { | ||
202 | timeout {puts "TESTING ERROR 32\n";exit} | ||
203 | -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" | ||
204 | } | ||
205 | expect { | ||
206 | timeout {puts "TESTING ERROR 33\n";exit} | ||
207 | "Error: clone3: Function not implemented" | ||
208 | } | ||
209 | } | ||
210 | } | ||
211 | |||
212 | after 200 | ||
173 | puts "\nall done\n" | 213 | puts "\nall done\n" |
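Review bot: In the new clone3 block, the two restricted cases (errors 31 and 33) match only `Error: clone3: Function not implemented`, so a sandbox that wrongly lets clone3 through is reported only by the generic timeout arm. An explicit failure arm such as `"clone3 successful" {puts "TESTING ERROR 31.1\n";exit}` (and likewise for 33) would fail fast and name the real cause. The comment `# clone3 arguments are not checked` could also say why the `--restrict-namespaces=mnt` case expects a refusal although `mnt` is not requested, e.g. `# the filter cannot inspect clone3's argument struct, so any --restrict-namespaces list blocks clone3 outright`; that is presumably the intent and should be confirmed against the filter code. The same block appears in the namespaces-32.exp hunk earlier on the page.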
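--- a/test/filters/noroot.exp
+++ /dev/null
@@ -1,136 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --noroot --noprofile\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-# check seccomp disabled and all caps enabled
-send -- "cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"CapBnd:"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"ffffffff"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"Seccomp:"
-}
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"0"
-}
-expect {
-timeout {puts "TESTING ERROR 6\n";exit}
-"Cpus_allowed:"
-}
-puts "\n"
-
-send -- "whoami\r"
-expect {
-timeout {puts "TESTING ERROR 7\n";exit}
-$env(USER)
-}
-send -- "sudo -s\r"
-expect {
-timeout {puts "TESTING ERROR 8\n";exit}
-"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-
-send -- "sudo su -\r"
-expect {
-timeout {puts "TESTING ERROR 9\n";exit}
-"effective uid is not 0" {puts "OK\n"}
-"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-
-send -- "sudo ls\r"
-expect {
-timeout {puts "TESTING ERROR 10\n";exit}
-"effective uid is not 0" {puts "OK\n"}
-"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-
-send -- "cat /proc/self/uid_map | wc -l\r"
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"1"
-}
-send -- "cat /proc/self/gid_map | wc -l\r"
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-"9"
-}
-
-
-
-spawn $env(SHELL)
-send -- "firejail --debug --join=test\r"
-expect {
-timeout {puts "TESTING ERROR 13\n";exit}
-"Joining user namespace"
-}
-expect {
-timeout {puts "TESTING ERROR 14\n";exit}
-"Child process initialized"
-}
-sleep 1
-
-send -- "sudo -s\r"
-expect {
-timeout {puts "TESTING ERROR 15\n";exit}
-"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-"Permission denied" { puts "OK\n";}
-}
-send -- "cat /proc/self/uid_map | wc -l\r"
-expect {
-timeout {puts "TESTING ERROR 16\n";exit}
-"1"
-}
-send -- "cat /proc/self/gid_map | wc -l\r"
-expect {
-timeout {puts "TESTING ERROR 17\n";exit}
-"9"
-}
-
-# check seccomp disabled and all caps enabled
-send -- "cat /proc/self/status\r"
-expect {
-timeout {puts "TESTING ERROR 18\n";exit}
-"CapBnd:"
-}
-expect {
-timeout {puts "TESTING ERROR 19\n";exit}
-"ffffffff"
-}
-expect {
-timeout {puts "TESTING ERROR 20\n";exit}
-"Seccomp:"
-}
-expect {
-timeout {puts "TESTING ERROR 21\n";exit}
-"0"
-}
-expect {
-timeout {puts "TESTING ERROR 22\n";exit}
-"Cpus_allowed:"
-}
-puts "\n"
-
-
-after 100
-puts "\nall done\n"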
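--- a/test/filters/protocol.exp
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --noprofile --protocol=unix --debug\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"0009: 20 00 00 00000000"
-}
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"000f: 20 00 00 00000010"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"0010: 15 00 01 00000001"
-}
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
-"0011: 06 00 00 7fff0000"
-}
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
-"0012: 06 00 00 0005005f"
-}
-
-after 100
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --noprofile --protocol=bluetooth --debug\r"
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"0009: 20 00 00 00000000"
-}
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-"000f: 20 00 00 00000010"
-}
-expect {
-timeout {puts "TESTING ERROR 13\n";exit}
-"0010: 15 00 01 0000001f"
-}
-expect {
-timeout {puts "TESTING ERROR 14\n";exit}
-"0011: 06 00 00 7fff0000"
-}
-expect {
-timeout {puts "TESTING ERROR1 5\n";exit}
-"0012: 06 00 00 0005005f"
-}
-
-after 100
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --noprofile --protocol=inet,inet6 --debug\r"
-expect {
-timeout {puts "TESTING ERROR 31\n";exit}
-"0009: 20 00 00 00000000"
-}
-expect {
-timeout {puts "TESTING ERROR 32\n";exit}
-"000f: 20 00 00 00000010"
-}
-expect {
-timeout {puts "TESTING ERROR 33\n";exit}
-"0010: 15 00 01 00000002"
-}
-expect {
-timeout {puts "TESTING ERROR 34\n";exit}
-"0011: 06 00 00 7fff0000"
-}
-expect {
-timeout {puts "TESTING ERROR1 35\n";exit}
-"0012: 15 00 01 0000000a"
-}
-expect {
-timeout {puts "TESTING ERROR 36\n";exit}
-"0013: 06 00 00 7fff0000"
-}
-expect {
-timeout {puts "TESTING ERROR 37\n";exit}
-"0014: 06 00 00 0005005f"
-}
-
-after 100
-send -- "exit\r"
-
-
-after 100
-puts "\nall done\n"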
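--- a/test/filters/protocol1.profile
+++ /dev/null
@@ -1 +0,0 @@
-protocol unix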
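--- a/test/filters/protocol2.profile
+++ /dev/null
@@ -1 +0,0 @@
-protocol inet6,packet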
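--- a/test/filters/seccomp-debug.exp
+++ b/test/filters/seccomp-debug.exp
@@ -97,61 +97,4 @@ expect {
 }
 after 100
 
-# memory-deny-write-execute
-send -- "firejail --debug --memory-deny-write-execute sleep 1; echo done\r"
-expect {
-timeout {puts "TESTING ERROR 24\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-timeout {puts "TESTING ERROR 25\n";exit}
-"Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
-}
-expect {
-timeout {puts "TESTING ERROR 26\n";exit}
-"done"
-}
-
-
-# 64 bit architecture - seccomp.block-secondary
-send -- "firejail --debug --seccomp.block-secondary sleep 1; echo done\r"
-expect {
-timeout {puts "TESTING ERROR 27\n";exit}
-"Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 28\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-timeout {puts "TESTING ERROR 29\n";exit}
-"Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 30\n";exit}
-"Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
-}
-expect {
-timeout {puts "TESTING ERROR 31\n";exit}
-"Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 32\n";exit}
-"Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
-}
-expect {
-timeout {puts "TESTING ERROR 33\n";exit}
-"done"
-}
-after 100
-
-# 64 bit architecture - seccomp.block-secondary, profile
-send -- "firejail --debug --profile=block-secondary.profile sleep 1; echo done\r"
-expect {
-timeout {puts "TESTING ERROR 33\n";exit}
-"Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 34\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-timeout {puts "TESTING ERROR 35\n";exit}
-"Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
-"Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
-}
-expect {
-timeout {puts "TESTING ERROR 37\n";exit}
-"done"
-}
-after 100
-
 puts "all done\n"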