Diffstat (limited to 'test')
-rwxr-xr-x | test/apparmor/apparmor-norun.exp | 26 | ||||
-rwxr-xr-x | test/apparmor/apparmor-run.exp | 26 | ||||
-rwxr-xr-x | test/apparmor/apparmor.exp | 2 | ||||
-rwxr-xr-x | test/apparmor/apparmor.sh | 36 | ||||
-rw-r--r-- | test/apparmor/test-profile | 3 |
5 files changed, 92 insertions, 1 deletions
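--- /dev/null
+++ b/test/apparmor/apparmor-norun.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# start a bash session
+send -- "firejail --apparmor\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+# ... and try to run a local program
+send -- "./a.out --help\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Usage: ./a.out" {puts "TESTING ERROR 2\n";exit}
+"denied"
+}
+after 500
+puts "\nall done\n"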
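Review bot: The success pattern `"denied"` in the second expect block matches any "Permission denied" message, so this test also passes when `./a.out` fails to start for a reason unrelated to AppArmor, such as a noexec mount or a missing execute bit on the copy. Since the test is meant to show that `firejail --apparmor` blocks execution of a local binary, it would be stronger to assert the confinement label before the exec attempt, the way apparmor.exp expects `AppArmor: firejail-default//&unconfined enforce`. `./a.out` is not created in this file; it presumably comes from apparmor.sh, and a comment such as `# ./a.out is a copy of /usr/bin/pwd made by apparmor.sh` would make that dependency visible.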
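--- /dev/null
+++ b/test/apparmor/apparmor-run.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# start a bash session
+send -- "firejail --apparmor=test-profile\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+# ... and try to run a local program
+send -- "./a.out --help\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"denied" {puts "TESTING ERROR 2\n";exit}
+"Usage: ./a.out"
+}
+after 500
+puts "\nall done\n"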
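Review bot: Nothing in this script confirms that the sandbox is actually confined by `test-profile`; the only pass condition is that `./a.out --help` prints `Usage: ./a.out`, which is also what an unconfined shell would print. If `--apparmor=test-profile` were ever silently ignored, the test would still pass. Consider asserting the label before the exec step, for example `send -- "cat /proc/self/attr/current\r"` followed by an expect on `test-profile` (assuming the profile's read rule covers that path), or a label check like the one apparmor.exp makes for `firejail-default`. The comment `# start a bash session` would also read better as `# start a sandbox confined by test-profile`.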
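--- a/test/apparmor/apparmor.exp
+++ b/test/apparmor/apparmor.exp
@@ -54,6 +54,6 @@ expect {
 timeout {puts "TESTING ERROR 7\n";exit}
 "AppArmor: firejail-default//&unconfined enforce"
 }
-after 100
+after 500
 
 puts "\nall done\n"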
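--- /dev/null
+++ b/test/apparmor/apparmor.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+
+# sudo /usr/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default
+
+
+if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
+# setup
+cp test-profile /tmp/.
+sudo /usr/sbin/apparmor_parser -r /tmp/test-profile
+cp /usr/bin/pwd a.out
+
+echo "TESTING: apparmor firemon (test/filters/apparmor.exp)"
+./apparmor.exp
+
+echo "TESTING: apparmor norun test (test/filters/apparmor-norun.exp)"
+./apparmor-norun.exp
+
+echo "TESTING: apparmor run test (test/filters/apparmor-run.exp)"
+./apparmor-run.exp
+
+# cleanup
+rm -f a.out
+sudo /usr/sbin/apparmor_parser -R /tmp/test-profile
+
+else
+echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)"
+fi
+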
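Review bot: The setup copies the profile to the fixed path `/tmp/test-profile` and then has root load it with `sudo /usr/sbin/apparmor_parser -r`. On a shared machine another user can pre-create that path, the unchecked `cp` then fails, and root parses a policy file the test did not write. A private directory from `mktemp -d` with checked setup steps avoids this. A `trap` also ensures the permissive profile is unloaded and the copy removed even when a test aborts; the current cleanup leaves `/tmp/test-profile` behind. Separately, the `echo` labels name `test/filters/...` although the scripts live in `test/apparmor/`.

```shell
if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
	# setup: private, unpredictable directory instead of a fixed name in /tmp
	profile_dir=$(mktemp -d) || exit 1
	cleanup() {
		rm -f a.out
		sudo /usr/sbin/apparmor_parser -R "$profile_dir/test-profile"
		rm -rf -- "$profile_dir"
	}
	trap cleanup EXIT
	cp test-profile "$profile_dir/" || exit 1
	sudo /usr/sbin/apparmor_parser -r "$profile_dir/test-profile" || exit 1
	cp /usr/bin/pwd a.out
	# … unchanged: the three expect test runs …
	# … removed: explicit cleanup lines, now handled by the EXIT trap …
# … unchanged: else branch printing TESTING SKIP …
```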
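--- /dev/null
+++ b/test/apparmor/test-profile
@@ -0,0 +1,3 @@
+profile test-profile flags=(attach_disconnected,mediate_deleted) {
+/{,**} rklmwix,
+}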
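Review bot: This profile needs a header comment marking it as a test fixture, because `/{,**} rklmwix,` grants read, write, link, lock, mmap-exec and inherit-execute on every path. Without a comment, nothing stops a reader from reusing it as a template for a real confinement profile. Suggested first line: `# Test-only: allow-all file rule so apparmor-run.exp can execute ./a.out; unloaded by apparmor.sh, never install under /etc/apparmor.d.`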