Diffstat (limited to 'test')
-rwxr-xr-x | test/apparmor/apparmor-norun.exp | 26 | ||||
-rwxr-xr-x | test/apparmor/apparmor-run.exp | 26 | ||||
-rwxr-xr-x | test/apparmor/apparmor.exp (renamed from test/filters/apparmor.exp) | 2 | ||||
-rwxr-xr-x | test/apparmor/apparmor.sh | 36 | ||||
-rw-r--r-- | test/apparmor/test-profile | 3 | ||||
-rwxr-xr-x | test/filters/filters.sh | 12 | ||||
-rwxr-xr-x | test/firecfg/firecfg.exp | 18 | ||||
-rwxr-xr-x | test/firecfg/firecfg.sh | 12 |
8 files changed, 128 insertions, 7 deletions
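--- /dev/null
+++ b/test/apparmor/apparmor-norun.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# start a bash session
+send -- "firejail --apparmor\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+# ... and try to run a local program
+send -- "./a.out --help\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Usage: ./a.out" {puts "TESTING ERROR 2\n";exit}
+"denied"
+}
+after 500
+puts "\nall done\n"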
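Review bot: The pass condition in the second `expect` block is the bare substring `"denied"`, so any message containing it passes, for example an ordinary file-permission or noexec failure, whether or not AppArmor did the blocking. Matching `"Permission denied"` (what bash normally prints) narrows it a little, and a comment such as `# the default AppArmor profile must refuse to execute a binary from the working directory` would state what is being asserted. The comment `# start a bash session` describes the spawned shell rather than the `firejail --apparmor` line under it. The same comment is copied into apparmor-run.exp, where `"denied"` is the failure branch.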
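--- /dev/null
+++ b/test/apparmor/apparmor-run.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# start a bash session
+send -- "firejail --apparmor=test-profile\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+# ... and try to run a local program
+send -- "./a.out --help\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"denied" {puts "TESTING ERROR 2\n";exit}
+"Usage: ./a.out"
+}
+after 500
+puts "\nall done\n"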
diff --git a/test/filters/apparmor.exp b/test/apparmor/apparmor.exp index a8f73c797..4498fadd9 100755 --- a/test/filters/apparmor.exp +++ b/test/apparmor/apparmor.exp | |||
@@ -54,6 +54,6 @@ expect { | |||
54 | timeout {puts "TESTING ERROR 7\n";exit} | 54 | timeout {puts "TESTING ERROR 7\n";exit} |
55 | "AppArmor: firejail-default//&unconfined enforce" | 55 | "AppArmor: firejail-default//&unconfined enforce" |
56 | } | 56 | } |
57 | after 100 | 57 | after 500 |
58 | 58 | ||
59 | puts "\nall done\n" | 59 | puts "\nall done\n" |
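--- /dev/null
+++ b/test/apparmor/apparmor.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+
+# sudo /usr/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default
+
+
+if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
+# setup
+cp test-profile /tmp/.
+sudo /usr/sbin/apparmor_parser -r /tmp/test-profile
+cp /usr/bin/pwd a.out
+
+echo "TESTING: apparmor firemon (test/filters/apparmor.exp)"
+./apparmor.exp
+
+echo "TESTING: apparmor norun test (test/filters/apparmor-norun.exp)"
+./apparmor-norun.exp
+
+echo "TESTING: apparmor run test (test/filters/apparmor-run.exp)"
+./apparmor-run.exp
+
+# cleanup
+rm -f a.out
+sudo /usr/sbin/apparmor_parser -R /tmp/test-profile
+
+else
+echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)"
+fi
+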
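Review bot: The setup copies the profile to the fixed name `/tmp/test-profile` and then loads that path into the kernel with `sudo apparmor_parser -r`, without checking that the `cp` succeeded. On a shared host, a file of that name owned by another user makes the copy fail, and the script then loads whatever is already there as root. Staging the profile in a `mktemp -d` directory and stopping on a failed copy avoids that. The cleanup runs only when all three expect scripts return and never removes the copied file, so an interrupted run leaves the allow-everything test profile loaded; an `EXIT` trap covers that case. Separately, the three `echo` labels and the skip message still say `test/filters/` although the scripts now live in `test/apparmor/`.

```shell
if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
	# setup: stage the profile in a private directory instead of a fixed /tmp name
	profile_dir=$(mktemp -d) || exit 1
	cleanup() {
		rm -f a.out
		# unload before deleting: apparmor_parser -R reads the profile file
		sudo /usr/sbin/apparmor_parser -R "$profile_dir/test-profile"
		rm -rf -- "${profile_dir:?}"
	}
	trap cleanup EXIT
	cp test-profile "$profile_dir/" || exit 1
	sudo /usr/sbin/apparmor_parser -r "$profile_dir/test-profile" || exit 1
	cp /usr/bin/pwd a.out || exit 1

	# … unchanged: the three expect runs …
	# … the explicit "# cleanup" lines are replaced by the trap above …
```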
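--- /dev/null
+++ b/test/apparmor/test-profile
@@ -0,0 +1,3 @@
+profile test-profile flags=(attach_disconnected,mediate_deleted) {
+/{,**} rklmwix,
+}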
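Review bot: The profile carries no comment saying it is a test fixture, yet it grants `rklmwix` on every path under a generic name. A header such as `# Test-only profile: allows all file access; loaded and removed by test/apparmor/apparmor.sh` would make that clear to anyone who finds it loaded. Because `apparmor_parser -r` replaces a loaded profile of the same name, a less generic name than `test-profile` would also lower the chance of clobbering a profile already present on the test machine. That rename would have to be mirrored in apparmor-run.exp.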
diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 1d145ac4b..2d115db1b 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh | |||
@@ -13,12 +13,12 @@ if [[ -f /etc/debian_version ]]; then | |||
13 | fi | 13 | fi |
14 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" | 14 | export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" |
15 | 15 | ||
16 | if [[ -f /sys/kernel/security/apparmor/profiles ]]; then | 16 | #if [[ -f /sys/kernel/security/apparmor/profiles ]]; then |
17 | echo "TESTING: apparmor (test/filters/apparmor.exp)" | 17 | # echo "TESTING: apparmor (test/filters/apparmor.exp)" |
18 | ./apparmor.exp | 18 | # ./apparmor.exp |
19 | else | 19 | #else |
20 | echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)" | 20 | # echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)" |
21 | fi | 21 | #fi |
22 | 22 | ||
23 | if [[ $(uname -m) == "x86_64" ]]; then | 23 | if [[ $(uname -m) == "x86_64" ]]; then |
24 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" | 24 | echo "TESTING: memory-deny-write-execute (test/filters/memwrexe.exp)" |
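Review bot: On the new side the AppArmor block is commented out rather than deleted, which leaves six lines of dead code that still name `test/filters/apparmor.exp`, a path this commit moves away. Deleting the lines, or replacing them with one comment such as `# apparmor tests moved to test/apparmor/apparmor.sh`, keeps the script readable. The diffstat shown is limited to `test`, so whether the new script is wired into the test runner cannot be checked from here. If it is not, this change silently drops AppArmor coverage from the suite.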
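--- /dev/null
+++ b/test/firecfg/firecfg.exp
@@ -0,0 +1,18 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "file /usr/local/bin/ping\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"ping: symbolic link to /usr/bin/firejail"
+}
+
+after 100
+
+puts "\nall done\n"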
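Review bot: The expected string pins the link target to `/usr/bin/firejail`, so the test fails on an install under another prefix even when firecfg did its job. It also silently depends on `ping` and the `file` utility being installed. A pattern such as `-re "ping: symbolic link to .*/firejail"` tolerates the prefix, and a short comment above the `send` line stating these assumptions would help whoever debugs a `TESTING ERROR 0`.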
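--- /dev/null
+++ b/test/firecfg/firecfg.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+sudo firecfg
+echo "TESTING: firecfg (test/firecfg/firecfg.exp)"
+./firecfg.exp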
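Review bot: `sudo firecfg` changes the host and the script never undoes it. It creates firejail symlinks under `/usr/local/bin` (the check in firecfg.exp relies on that), so after a test run the machine's commands stay redirected through firejail. A cleanup such as `trap 'sudo firecfg --clean' EXIT` placed right after the `sudo firecfg` line would restore the host, with the caveat that `--clean` also removes links that were configured before the test. The exit status of `sudo firecfg` is not checked either, so a failure only surfaces as a timeout in the expect script; `sudo firecfg || exit 1` makes it explicit.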