Diffstat (limited to 'test')
-rwxr-xr-x | test/capabilities/capabilities.sh | 3 | ||||
-rwxr-xr-x | test/capabilities/caps-join.exp | 6 | ||||
-rwxr-xr-x | test/capabilities/caps-print.exp | 6 | ||||
-rwxr-xr-x | test/capabilities/caps.exp | 44 | ||||
-rwxr-xr-x | test/capabilities/firemon-caps.exp | 47 | ||||
-rwxr-xr-x | test/utils/caps-print.exp | 32 | ||||
-rw-r--r-- | test/utils/caps1.profile | 1 | ||||
-rw-r--r-- | test/utils/caps2.profile | 1 | ||||
-rwxr-xr-x | test/utils/firemon-caps.exp | 129 | ||||
-rwxr-xr-x | test/utils/utils.sh | 10 |
10 files changed, 66 insertions, 213 deletions
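--- a/test/capabilities/capabilities.sh
+++ b/test/capabilities/capabilities.sh
@@ -21,3 +21,6 @@ echo "TESTING: capabilities print (test/filters/caps-print.exp)"
 echo "TESTING: capabilities join (test/filters/caps-join.exp)"
 ./caps-join.exp
 
+echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
+./firemon-caps.exp
+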
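Review bot: The added call at new lines 24-25 runs `./firemon-caps.exp` unconditionally, while the copy removed from test/utils/utils.sh in this same commit was wrapped in `if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then` with a `TESTING SKIP` branch. The relocated script still expects fixed masks from `firemon --caps`, so on a host or container whose bounding set differs the run would presumably report TESTING ERROR rather than a skip; either keep a precondition check here or add a comment saying why it is no longer needed. The label also still prints the old location; `echo "TESTING: firemon caps (test/capabilities/firemon-caps.exp)"` would match where the file now lives.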
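--- a/test/capabilities/caps-join.exp
+++ b/test/capabilities/caps-join.exp
@@ -35,7 +35,7 @@ sleep 1
 
 set spawn_id $id1
 send -- "exit\r"
-after 100
+sleep 1
 
 #
 # no caps
@@ -67,7 +67,7 @@ sleep 1
 
 set spawn_id $id1
 send -- "exit\r"
-after 100
+after 500
 
 #
 # no caps
@@ -91,6 +91,6 @@ sleep 1
 
 set spawn_id $id1
 send -- "exit\r"
-after 100
+after 500
 
 puts "all done\n"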
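Review bot: The three post-`exit` delays are no longer consistent: the hunk at line 38 switches to `sleep 1` while the hunks at lines 70 and 94 use `after 500`, and nothing on the page explains the difference. If the first teardown really needs a full second, a one-line comment such as `# first sandbox needs longer to tear down before the next join` would record that; otherwise use `after 500` in all three places. The same 100 to 500 bump is applied throughout caps-print.exp; a fixed delay only makes the race less likely, so waiting on the shell's output after `exit` would be more robust where practical.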
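--- a/test/capabilities/caps-print.exp
+++ b/test/capabilities/caps-print.exp
@@ -68,7 +68,7 @@ expect {
 timeout {puts "TESTING ERROR 13\n";exit}
 "syslog - disabled"
 }
-after 100
+after 500
 
 send -- "firejail --debug-caps\r"
 expect {
@@ -87,7 +87,7 @@ expect {
 timeout {puts "TESTING ERROR 9\n";exit}
 "24 - sys_resource"
 }
-after 100
+after 500
 
 send -- "firejail --caps.keep=\"bla bla bla\"\r"
 expect {
@@ -99,5 +99,5 @@ expect {
 "not found"
 }
 
-after 100
+after 500
 puts "\nall done\n"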
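--- a/test/capabilities/caps.exp
+++ b/test/capabilities/caps.exp
@@ -7,14 +7,11 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+send -- "firejail --caps.keep=chown,fowner --noprofile cat /proc/self/status\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-
-send -- "cat /proc/self/status\r"
 expect {
 timeout {puts "TESTING ERROR 2\n";exit}
 "CapBnd: 0000000000000009"
@@ -23,17 +20,13 @@ expect {
 timeout {puts "TESTING ERROR 3\n";exit}
 "Seccomp:"
 }
-send -- "exit\r"
-sleep 1
+after 500
 
-send -- "firejail --caps.drop=all --noprofile\r"
+send -- "firejail --caps.drop=all --noprofile cat /proc/self/status\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-
-send -- "cat /proc/self/status\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
 "CapBnd: 0000000000000000"
@@ -42,17 +35,13 @@ expect {
 timeout {puts "TESTING ERROR 6\n";exit}
 "Seccomp:"
 }
-send -- "exit\r"
-sleep 1
+after 500
 
-send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile cat /proc/self/status\r"
 expect {
 timeout {puts "TESTING ERROR 7\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-
-send -- "cat /proc/self/status\r"
 expect {
 timeout {puts "TESTING ERROR 8\n";exit}
 "CapBnd:"
@@ -65,11 +54,9 @@ expect {
 timeout {puts "TESTING ERROR 10\n";exit}
 "Seccomp:"
 }
-send -- "exit\r"
-sleep 1
+after 500
 
-
-send -- "firejail --profile=caps1.profile --debug\r"
+send -- "firejail --profile=caps1.profile --debug ls\r"
 expect {
 timeout {puts "TESTING ERROR 11\n";exit}
 "Drop CAP_SYS_MODULE"
@@ -83,10 +70,7 @@ expect {
 "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-send -- "exit\r"
-sleep 1
-
+after 500
 
 ## tofix: possible problem with caps.keep in profile files
 ##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
@@ -110,14 +94,11 @@ sleep 1
 #sleep 1
 
 #send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
-send -- "firejail --profile=caps3.profile\r"
+send -- "firejail --profile=caps3.profile cat /proc/self/status\r"
 expect {
 timeout {puts "TESTING ERROR 18\n";exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-after 100
-
-send -- "cat /proc/self/status\r"
 expect {
 timeout {puts "TESTING ERROR 19\n";exit}
 "CapBnd:"
@@ -130,10 +111,5 @@ expect {
 timeout {puts "TESTING ERROR 21\n";exit}
 "Seccomp:"
 }
-send -- "exit\r"
-sleep 1
-
-
-
-after 100
+after 500
 puts "\nall done\n"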
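Review bot: The changed `send` lines at new lines 10, 25, 40 and 97 now run `cat /proc/self/status` as the sandbox command, so each sandbox exits by itself, but the script only waits `after 500` and never confirms the exit before typing the next command. Early input is normally buffered by the terminal, so this mostly works, yet a stalled sandbox would surface as a confusing timeout in the following case rather than in the one that hung; expecting firejail's shutdown message (I believe `Parent is shutting down, bye...` unless `--quiet` is used; confirm) would pin the failure to the right case. The expected masks would also benefit from a comment, e.g. `# 0x9 = CAP_CHOWN (bit 0) | CAP_FOWNER (bit 3)` above new line 10. In the `--debug ls` case at new line 59, `ls` appears to be there only to make the sandbox exit; a short comment saying so would help.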
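--- /dev/null
+++ b/test/capabilities/firemon-caps.exp
@@ -0,0 +1,47 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=bingo1 --noprofile --caps\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --name=bingo2 --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firemon --caps\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
+"bingo1"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"31cffff"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"bingo2"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"fffffff"
+}
+
+after 500
+
+puts "all done\n"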
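Review bot: Every `timeout` branch in this new file calls `exit` with no status, so expect returns 0 even when a capability check fails and the result is visible only as a `TESTING ERROR` string in the log. If the harness does not scan the output for that string, use `exit 1` in those branches (the `TESTING SKIP` branch can stay at 0). The two masks `"31cffff"` and `"fffffff"` are matched as bare substrings with no explanation; a comment such as `# bingo1 runs with --caps and should show the filtered mask, bingo2 the unfiltered one` would tell the reader what is being asserted. The script also ends with bingo1 and bingo2 still running and relies on expect's exit to tear them down.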
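--- a/test/utils/caps-print.exp
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firejail --caps.print=test\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"setgid - disabled"
-}
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
-"setuid - disabled"
-}
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
-"net_raw - disabled"
-}
-after 100
-puts "\nall done\n"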
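--- a/test/utils/caps1.profile
+++ /dev/null
@@ -1 +0,0 @@
-caps.drop chown,kill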
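--- a/test/utils/caps2.profile
+++ /dev/null
@@ -1 +0,0 @@
-caps.keep chown,kill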
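--- a/test/utils/firemon-caps.exp
+++ /dev/null
@@ -1,129 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=bingo1 --noprofile --caps\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --name=bingo2 --noprofile\r"
-expect {
-timeout {puts "TESTING ERROR 1\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r"
-expect {
-timeout {puts "TESTING ERROR 2\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r"
-expect {
-timeout {puts "TESTING ERROR 3\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r"
-expect {
-timeout {puts "TESTING ERROR 4\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --name=bingo6 --profile=caps1.profile\r"
-expect {
-timeout {puts "TESTING ERROR 5\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --name=bingo7 --profile=caps2.profile\r"
-expect {
-timeout {puts "TESTING ERROR 0\n";exit}
--re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-
-spawn $env(SHELL)
-send -- "firemon --caps\r"
-expect {
-timeout {puts "TESTING ERROR 8.1\n";exit}
-"need to be root" {puts "TESTING SKIP: /proc mounted as hidepid\n"; exit}
-"bingo1"
-}
-expect {
-timeout {puts "TESTING ERROR 8.2\n";exit}
-"31cffff"
-}
-expect {
-timeout {puts "TESTING ERROR 8.3\n";exit}
-"bingo2"
-}
-expect {
-timeout {puts "TESTING ERROR 8.4\n";exit}
-"fffffff"
-}
-expect {
-timeout {puts "TESTING ERROR 8.5\n";exit}
-"bingo3"
-}
-expect {
-timeout {puts "TESTING ERROR 8.6\n";exit}
-"000000000000"
-}
-
-expect {
-timeout {puts "TESTING ERROR 8.7\n";exit}
-"bingo4"
-}
-expect {
-timeout {puts "TESTING ERROR 8.8\n";exit}
-"ffffffde"
-}
-expect {
-timeout {puts "TESTING ERROR 8.9\n";exit}
-"bingo5"
-}
-expect {
-timeout {puts "TESTING ERROR 8.10\n";exit}
-"0000000000000021"
-}
-
-expect {
-timeout {puts "TESTING ERROR 8.11\n";exit}
-"bingo6"
-}
-expect {
-timeout {puts "TESTING ERROR 8.12\n";exit}
-"ffffffde"
-}
-expect {
-timeout {puts "TESTING ERROR 8.13\n";exit}
-"bingo7"
-}
-expect {
-timeout {puts "TESTING ERROR 8.14\n";exit}
-"0000000000000021"
-}
-
-after 100
-
-puts "all done\n"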
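--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -61,9 +61,6 @@ echo "TESTING: fs.print (test/utils/fs-print.exp)"
 echo "TESTING: dns.print (test/utils/dns-print.exp)"
 ./dns-print.exp
 
-echo "TESTING: caps.print (test/utils/caps-print.exp)"
-./caps-print.exp
-
 echo "TESTING: seccomp.print (test/utils/seccomp-print.exp)"
 ./seccomp-print.exp
 
@@ -112,13 +109,6 @@ else
 echo "TESTING SKIP: seccomp already active (test/utils/firemon-seccomp.exp)"
 fi
 
-if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
-echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
-./firemon-caps.exp
-else
-echo "TESTING SKIP: other capabilities than expected (test/utils/firemon-caps.exp)"
-fi
-
 echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"
 ./firemon-cpu.exp
 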