Diffstat (limited to 'test')
-rwxr-xr-x | test/filters/noroot.exp | 130 | ||||
-rwxr-xr-x | test/filters/seccomp-su.exp | 7 |
2 files changed, 52 insertions, 85 deletions
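diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
index 68304437f..9b8d2e91c 100755
--- a/test/filters/noroot.exp
+++ b/test/filters/noroot.exp
@@ -7,156 +7,130 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r"
+send -- "firejail --name=test --noroot --noprofile\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit}
-"noroot option is not available" {puts "TESTING SKIP: user namespace not available\n"; exit}
 "Child process initialized"
 }
 sleep 1
 
+# check seccomp disabled and all caps enabled
 send -- "cat /proc/self/status\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"CapBnd: 0000000000000000"
-}
-expect {
 timeout {puts "TESTING ERROR 2\n";exit}
-"Seccomp:"
+"CapBnd:"
 }
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"2"
+"ffffffff"
 }
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
-"Cpus_allowed:"
+"Seccomp:"
 }
-puts "\n"
-
-send -- "ping 0\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
-"Operation not permitted"
+"0"
 }
-send -- "whoami\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
-$env(USER)
+"Cpus_allowed:"
 }
-send -- "sudo -s\r"
+puts "\n"
+
+send -- "whoami\r"
 expect {
 timeout {puts "TESTING ERROR 7\n";exit}
-"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-"Bad system call" { puts "OK\n";}
+$env(USER)
 }
-send -- "cat /proc/self/uid_map | wc -l\r"
+send -- "sudo -s\r"
 expect {
 timeout {puts "TESTING ERROR 8\n";exit}
-"1"
+"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 }
-send -- "cat /proc/self/gid_map | wc -l\r"
+
+send -- "sudo su -\r"
 expect {
 timeout {puts "TESTING ERROR 9\n";exit}
-"5"
+"effective uid is not 0" {puts "OK\n"}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 }
 
-puts "\n"
-send -- "exit\r"
-sleep 2
-
-
-
-send -- "firejail --name=test --noroot --noprofile\r"
+send -- "sudo ls\r"
 expect {
 timeout {puts "TESTING ERROR 10\n";exit}
-"Child process initialized"
+"effective uid is not 0" {puts "OK\n"}
+"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 }
-sleep 1
 
-send -- "cat /proc/self/status\r"
+send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
 timeout {puts "TESTING ERROR 11\n";exit}
-"CapBnd:"
+"1"
 }
+send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
 timeout {puts "TESTING ERROR 12\n";exit}
-"ffffffff"
+"5"
 }
+
+
+
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
 expect {
 timeout {puts "TESTING ERROR 13\n";exit}
-"Seccomp:"
+"User namespace detected"
 }
 expect {
 timeout {puts "TESTING ERROR 14\n";exit}
-"2" {puts "seccomp already active\n";}
-"0"
-}
-expect {
-timeout {puts "TESTING ERROR 15\n";exit}
-"Cpus_allowed:"
+"Joining user namespace"
 }
-puts "\n"
+sleep 1
 
-send -- "whoami\r"
-expect {
-timeout {puts "TESTING ERROR 16\n";exit}
-$env(USER)
-}
 send -- "sudo -s\r"
 expect {
-timeout {puts "TESTING ERROR 17\n";exit}
+timeout {puts "TESTING ERROR 15\n";exit}
 "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
 "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-}
-send -- "ping 0\r"
-expect {
-timeout {puts "TESTING ERROR 18\n";exit}
-"Operation not permitted"
+"Permission denied" { puts "OK\n";}
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 19\n";exit}
+timeout {puts "TESTING ERROR 16\n";exit}
 "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 20\n";exit}
+timeout {puts "TESTING ERROR 17\n";exit}
 "5"
 }
 
-
-
-spawn $env(SHELL)
-send -- "firejail --debug --join=test\r"
+# check seccomp disabled and all caps enabled
+send -- "cat /proc/self/status\r"
 expect {
-timeout {puts "TESTING ERROR 21\n";exit}
-"User namespace detected"
+timeout {puts "TESTING ERROR 18\n";exit}
+"CapBnd:"
 }
 expect {
-timeout {puts "TESTING ERROR 22\n";exit}
-"Joining user namespace"
+timeout {puts "TESTING ERROR 19\n";exit}
+"ffffffff"
 }
-sleep 1
-
-send -- "sudo -s\r"
 expect {
-timeout {puts "TESTING ERROR 23\n";exit}
-"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
-"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
-"Permission denied" { puts "OK\n";}
+timeout {puts "TESTING ERROR 20\n";exit}
+"Seccomp:"
 }
-send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 24\n";exit}
-"1"
+timeout {puts "TESTING ERROR 21\n";exit}
+"0"
 }
-send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-timeout {puts "TESTING ERROR 25\n";exit}
-"5"
+timeout {puts "TESTING ERROR 22\n";exit}
+"Cpus_allowed:"
 }
+puts "\n"
+
+
 after 100
 puts "\nall done\n"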
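Review bot: The two "check seccomp disabled and all caps enabled" sequences match bare substrings (`"ffffffff"` after `"CapBnd:"`, `"0"` after `"Seccomp:"`), and expect's default glob match is unanchored, so any `0` later in the `/proc/self/status` output satisfies the seccomp check even if the field itself read `2`. Anchoring each value to its field would make the assertion mean what the comment says, for example `-re {Seccomp:\s+0}` and `-re {CapBnd:\s+[0-9a-f]*ffffffff}`, in both the initial sandbox and the joined one. Separately, the first `expect` no longer has the "cannot create a new user namespace" and "noroot option is not available" branches, so on a host without user namespace support the run would presumably end in `TESTING ERROR 1` on timeout rather than `TESTING SKIP`. If dropping the skip is intended, a one-line comment above the first `expect` stating that user namespaces are a prerequisite would help whoever triages that failure.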
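diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp
index 3ff75b3b6..8417cadaf 100755
--- a/test/filters/seccomp-su.exp
+++ b/test/filters/seccomp-su.exp
@@ -28,13 +28,6 @@ expect {
 "Bad system call" {puts "OK\n"}
 }
 
-send -- "ping google.com\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"Operation not permitted" {puts "OK\n"}
-"unknown host" {puts "OK\n"}
-}
-
 send -- "exit\r"
 after 100
 puts "all done\n"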