10 files changed, 526 insertions, 31 deletions
diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh
new file mode 100755
index 000000000..b05914b52
--- /dev/null
+++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+which firefox
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: firefox x11 xorg"
+        ./firefox.exp
+else
+        echo "TESTING SKIP: firefox not found"
+fi
+which transmission-gtk
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: transmission-gtk x11 xorg"
+        ./transmission-gtk.exp
+else
+        echo "TESTING SKIP: transmission-gtk not found"
+fi
+which icedove
+if [ "$?" -eq 0 ];
+then
+        echo "TESTING: icedove x11 xorg"
+        ./icedove.exp
+else
+        echo "TESTING SKIP: icedove not found"
+fi
diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp
new file mode 100755
index 000000000..5231bf8ed
--- /dev/null
+++ b/test/apps-x11-xorg/firefox.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "firefox" {puts "firefox detected\n";}
+        "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 3.2\n";exit}
+        "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        " firefox" {puts "firefox detected\n";}
+        " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "no-remote"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp
new file mode 100755
index 000000000..f676264ed
--- /dev/null
+++ b/test/apps-x11-xorg/icedove.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg icedove\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "icedove"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 2
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "icedove"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp
new file mode 100755
index 000000000..a91a1be08
--- /dev/null
+++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -0,0 +1,85 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test --x11=xorg transmission-gtk\r"
+sleep 10
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 3.1\n";exit}
+        "transmission-gtk"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+        timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+        "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+        "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.0\n";exit}
+        "transmission-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+        "Seccomp:       2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        ":firejail"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.0\n";exit}
+        "transmission-gtk"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "CapBnd"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "0000000000000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+puts "\nall done\n"
diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp
index dde9c4cc1..8a404decb 100755
--- a/test/environment/allow-debuggers.exp
+++ b/test/environment/allow-debuggers.exp
@@ -11,19 +11,27 @@ expect {
        "Child process initialized"
 }
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
-        "exited with 0"
+        "ioctl"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "exit_group"
 }
 after 100
 send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
        "Child process initialized"
 }
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
-        "exited with 0"
+        "ioctl"
+}       
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "exit_group"
 }
 after 100
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 5093c8614..5c7c98b3e 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -12,11 +12,21 @@ echo "TESTING: noroot (test/filters/noroot.exp)"
 echo "TESTING: capabilities (test/filters/caps.exp)"
 ./caps.exp
+rm -f seccomp-test-file
+if [ "$(uname -m)" = "x86_64" ]; then
+       echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
+        ./fseccomp.exp
+else
+        echo "TESTING SKIP: fseccomp test implemented only for x86_64"
+fi
+rm -f seccomp-test-file
 if [ "$(uname -m)" = "x86_64" ]; then
        echo "TESTING: protocol (test/filters/protocol.exp)"
        ./protocol.exp
 else
-        echo "TESTING SKIP: protocol, not running on x86_64"
+        echo "TESTING SKIP: protocol, running only on x86_64"
 fi
 echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
@@ -50,9 +60,6 @@ echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod
 echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
 ./seccomp-empty.exp
-echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
-./seccomp-bad-empty.exp
 if [ "$(uname -m)" = "x86_64" ]; then
        echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
        ./seccomp-dualfilter.exp
diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp
new file mode 100755
index 000000000..8a9a8f9dc
--- /dev/null
+++ b/test/filters/fseccomp.exp
@@ -0,0 +1,138 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-syscalls\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "1      - write"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-errnos\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "1      - EPERM"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp debug-protocols\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "unix, inet, inet6, netlink, packet,"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp protocol build unix,inet seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 4.1\n";exit}
+        "WHITELIST 41 socket"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp secondary 64 seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 5.1\n";exit}
+        "BLACKLIST 165 mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.2\n";exit}
+        "BLACKLIST 166 umount2"
+}
+expect {
+        timeout {puts "TESTING ERROR 5.3\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp default seccomp-test-file\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 6.1\n";exit}
+        "BLACKLIST 165 mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.2\n";exit}
+        "BLACKLIST 166 umount2"
+}
+expect {
+        timeout {puts "TESTING ERROR 6.3\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp drop seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 7.1\n";exit}
+        "BLACKLIST 165 mount" {puts "TESTING ERROR 7.2\n";exit}
+        "BLACKLIST 166 umount2" {puts "TESTING ERROR 7.3\n";exit}
+        "BLACKLIST 90 chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 7.4\n";exit}
+        "BLACKLIST 92 chown"
+}
+expect {
+        timeout {puts "TESTING ERROR 7.5\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp default drop seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 8.1\n";exit}
+        "BLACKLIST 165 mount"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.2\n";exit}
+        "BLACKLIST 166 umount2"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.3\n";exit}
+        "BLACKLIST 90 chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.4\n";exit}
+        "BLACKLIST 92 chown"
+}
+expect {
+        timeout {puts "TESTING ERROR 8.5\n";exit}
+        "RETURN_ALLOW"
+}
+after 100
+send -- "/usr/lib/firejail/fseccomp keep seccomp-test-file chmod,chown\r"
+after 100
+send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
+expect {
+        timeout {puts "TESTING ERROR 9.1\n";exit}
+        "WHITELIST 90 chmod"
+}
+expect {
+        timeout {puts "TESTING ERROR 9.2\n";exit}
+        "WHITELIST 92 chown"
+}
+expect {
+        timeout {puts "TESTING ERROR 9.3\n";exit}
+        "KILL_PROCESS"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
index 2a7cb7975..b011f2bf9 100755
--- a/test/filters/noroot.exp
+++ b/test/filters/noroot.exp
@@ -46,20 +46,20 @@ expect {
 }
 send -- "sudo -s\r"
 expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
        "Bad system call" { puts "OK\n";}
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 7\n";exit}
+        timeout {puts "TESTING ERROR 8\n";exit}
        "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
+        timeout {puts "TESTING ERROR 9\n";exit}
-        "3"
+        "5"
 }
 puts "\n"
@@ -70,59 +70,59 @@ sleep 2
 send -- "firejail --name=test --noroot --noprofile\r"
 expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
+        timeout {puts "TESTING ERROR 10\n";exit}
        "Child process initialized"
 }
 sleep 1
 send -- "cat /proc/self/status\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 11\n";exit}
        "CapBnd:"
 }
 expect {
-        timeout {puts "TESTING ERROR 11\n";exit}
+        timeout {puts "TESTING ERROR 12\n";exit}
        "ffffffff"
 }
 expect {
-        timeout {puts "TESTING ERROR 12\n";exit}
+        timeout {puts "TESTING ERROR 13\n";exit}
        "Seccomp:"
 }
 expect {
-        timeout {puts "TESTING ERROR 13\n";exit}
+        timeout {puts "TESTING ERROR 14\n";exit}
        "0"
 }
 expect {
-        timeout {puts "TESTING ERROR 14\n";exit}
+        timeout {puts "TESTING ERROR 15\n";exit}
        "Cpus_allowed:"
 }
 puts "\n"
 send -- "whoami\r"
 expect {
-        timeout {puts "TESTING ERROR 15\n";exit}
+        timeout {puts "TESTING ERROR 16\n";exit}
        $env(USER)
 }
 send -- "sudo -s\r"
 expect {
-        timeout {puts "TESTING ERROR 16\n";exit}
+        timeout {puts "TESTING ERROR 17\n";exit}
        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
 }
 send -- "ping 0\r"
 expect {
-        timeout {puts "TESTING ERROR 17\n";exit}
+        timeout {puts "TESTING ERROR 18\n";exit}
        "Operation not permitted"
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 18\n";exit}
+        timeout {puts "TESTING ERROR 19\n";exit}
        "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 19\n";exit}
+        timeout {puts "TESTING ERROR 20\n";exit}
-        "3"
+        "5"
 }
@@ -130,31 +130,31 @@ expect {
 spawn $env(SHELL)
 send -- "firejail --debug --join=test\r"
 expect {
-        timeout {puts "TESTING ERROR 20\n";exit}
+        timeout {puts "TESTING ERROR 21\n";exit}
        "User namespace detected"
 }
 expect {
-        timeout {puts "TESTING ERROR 21\n";exit}
+        timeout {puts "TESTING ERROR 22\n";exit}
        "Joining user namespace"
 }
 sleep 1
 send -- "sudo -s\r"
 expect {
-        timeout {puts "TESTING ERROR 22\n";exit}
+        timeout {puts "TESTING ERROR 23\n";exit}
        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
        "Permission denied" { puts "OK\n";}
 }
 send -- "cat /proc/self/uid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 23\n";exit}
+        timeout {puts "TESTING ERROR 24\n";exit}
        "1"
 }
 send -- "cat /proc/self/gid_map | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 24\n";exit}
+        timeout {puts "TESTING ERROR 25\n";exit}
-        "3"
+        "5"
 }
 after 100
 puts "\nall done\n"
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index d45ef48bd..3139b8eae 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -6,6 +6,9 @@
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
+./sys_fs.exp
 echo "TESTING: kmsg access (test/fs/kmsg.exp)"
 ./kmsg.exp
diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp
new file mode 100755
index 000000000..f512776d9
--- /dev/null
+++ b/test/fs/sys_fs.exp
@@ -0,0 +1,44 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Permission denied"
+}
+after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --noblacklist=/sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls /sys/fs\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "cgroup"
+}
+after 100
+send -- "exit\r"
+after 100
+puts "\nall done\n"

diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh new file mode 100755 index 000000000..b05914b52 --- /dev/null +++ b/test/apps-x11-xorg/apps-x11-xorg.sh
@@ -0,0 +1,35 @@
		1	#!/bin/bash
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	export MALLOC_CHECK_=3
		7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
		8
		9	which firefox
		10	if [ "$?" -eq 0 ];
		11	then
		12	echo "TESTING: firefox x11 xorg"
		13	./firefox.exp
		14	else
		15	echo "TESTING SKIP: firefox not found"
		16	fi
		17
		18	which transmission-gtk
		19	if [ "$?" -eq 0 ];
		20	then
		21	echo "TESTING: transmission-gtk x11 xorg"
		22	./transmission-gtk.exp
		23	else
		24	echo "TESTING SKIP: transmission-gtk not found"
		25	fi
		26
		27	which icedove
		28	if [ "$?" -eq 0 ];
		29	then
		30	echo "TESTING: icedove x11 xorg"
		31	./icedove.exp
		32	else
		33	echo "TESTING SKIP: icedove not found"
		34	fi
		35


diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp new file mode 100755 index 000000000..5231bf8ed --- /dev/null +++ b/test/apps-x11-xorg/firefox.exp
@@ -0,0 +1,90 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
		11	sleep 10
		12
		13	spawn $env(SHELL)
		14	send -- "firejail --list\r"
		15	expect {
		16	timeout {puts "TESTING ERROR 3\n";exit}
		17	":firejail"
		18	}
		19	expect {
		20	timeout {puts "TESTING ERROR 3.1\n";exit}
		21	"firefox" {puts "firefox detected\n";}
		22	"iceweasel" {puts "iceweasel detected\n";}
		23	}
		24	expect {
		25	timeout {puts "TESTING ERROR 3.2\n";exit}
		26	"no-remote"
		27	}
		28	sleep 1
		29	# grsecurity exit
		30	send -- "file /proc/sys/kernel/grsecurity\r"
		31	expect {
		32	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		33	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		34	"cannot open" {puts "grsecurity not present\n"}
		35	}
		36	send -- "firejail --name=blablabla\r"
		37	expect {
		38	timeout {puts "TESTING ERROR 4\n";exit}
		39	"Child process initialized"
		40	}
		41	sleep 2
		42
		43	spawn $env(SHELL)
		44	send -- "firemon --seccomp\r"
		45	expect {
		46	timeout {puts "TESTING ERROR 5\n";exit}
		47	" firefox" {puts "firefox detected\n";}
		48	" iceweasel" {puts "iceweasel detected\n";}
		49	}
		50	expect {
		51	timeout {puts "TESTING ERROR 5.0\n";exit}
		52	"no-remote"
		53	}
		54	expect {
		55	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		56	"Seccomp: 2"
		57	}
		58	expect {
		59	timeout {puts "TESTING ERROR 5.1\n";exit}
		60	"name=blablabla"
		61	}
		62	sleep 1
		63	send -- "firemon --caps\r"
		64	expect {
		65	timeout {puts "TESTING ERROR 6\n";exit}
		66	" firefox" {puts "firefox detected\n";}
		67	" iceweasel" {puts "iceweasel detected\n";}
		68	}
		69	expect {
		70	timeout {puts "TESTING ERROR 6.0\n";exit}
		71	"no-remote"
		72	}
		73	expect {
		74	timeout {puts "TESTING ERROR 6.1\n";exit}
		75	"CapBnd:"
		76	}
		77	expect {
		78	timeout {puts "TESTING ERROR 6.2\n";exit}
		79	"0000000000000000"
		80	}
		81	expect {
		82	timeout {puts "TESTING ERROR 6.3\n";exit}
		83	"name=blablabla"
		84	}
		85	sleep 1
		86	send -- "firejail --shutdown=test\r"
		87	sleep 3
		88
		89	puts "\nall done\n"
		90


diff --git a/test/apps-x11-xorg/icedove.exp b/test/apps-x11-xorg/icedove.exp new file mode 100755 index 000000000..f676264ed --- /dev/null +++ b/test/apps-x11-xorg/icedove.exp
@@ -0,0 +1,85 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --name=test --x11=xorg icedove\r"
		11	sleep 10
		12
		13	spawn $env(SHELL)
		14	send -- "firejail --list\r"
		15	expect {
		16	timeout {puts "TESTING ERROR 3\n";exit}
		17	":firejail"
		18	}
		19	expect {
		20	timeout {puts "TESTING ERROR 3.1\n";exit}
		21	"icedove"
		22	}
		23	sleep 1
		24
		25	# grsecurity exit
		26	send -- "file /proc/sys/kernel/grsecurity\r"
		27	expect {
		28	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		29	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		30	"cannot open" {puts "grsecurity not present\n"}
		31	}
		32
		33	send -- "firejail --name=blablabla\r"
		34	expect {
		35	timeout {puts "TESTING ERROR 4\n";exit}
		36	"Child process initialized"
		37	}
		38	sleep 2
		39
		40	spawn $env(SHELL)
		41	send -- "firemon --seccomp\r"
		42	expect {
		43	timeout {puts "TESTING ERROR 5\n";exit}
		44	":firejail"
		45	}
		46	expect {
		47	timeout {puts "TESTING ERROR 5.0\n";exit}
		48	"icedove"
		49	}
		50	expect {
		51	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		52	"Seccomp: 2"
		53	}
		54	expect {
		55	timeout {puts "TESTING ERROR 5.1\n";exit}
		56	"name=blablabla"
		57	}
		58	sleep 2
		59	send -- "firemon --caps\r"
		60	expect {
		61	timeout {puts "TESTING ERROR 6\n";exit}
		62	":firejail"
		63	}
		64	expect {
		65	timeout {puts "TESTING ERROR 6.0\n";exit}
		66	"icedove"
		67	}
		68	expect {
		69	timeout {puts "TESTING ERROR 6.1\n";exit}
		70	"CapBnd"
		71	}
		72	expect {
		73	timeout {puts "TESTING ERROR 6.2\n";exit}
		74	"0000000000000000"
		75	}
		76	expect {
		77	timeout {puts "TESTING ERROR 6.3\n";exit}
		78	"name=blablabla"
		79	}
		80	sleep 1
		81	send -- "firejail --shutdown=test\r"
		82	sleep 3
		83
		84	puts "\nall done\n"
		85


diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp new file mode 100755 index 000000000..a91a1be08 --- /dev/null +++ b/test/apps-x11-xorg/transmission-gtk.exp
@@ -0,0 +1,85 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --name=test --x11=xorg transmission-gtk\r"
		11	sleep 10
		12
		13	spawn $env(SHELL)
		14	send -- "firejail --list\r"
		15	expect {
		16	timeout {puts "TESTING ERROR 3\n";exit}
		17	":firejail"
		18	}
		19	expect {
		20	timeout {puts "TESTING ERROR 3.1\n";exit}
		21	"transmission-gtk"
		22	}
		23	sleep 1
		24
		25	# grsecurity exit
		26	send -- "file /proc/sys/kernel/grsecurity\r"
		27	expect {
		28	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
		29	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
		30	"cannot open" {puts "grsecurity not present\n"}
		31	}
		32
		33	send -- "firejail --name=blablabla\r"
		34	expect {
		35	timeout {puts "TESTING ERROR 4\n";exit}
		36	"Child process initialized"
		37	}
		38	sleep 2
		39
		40	spawn $env(SHELL)
		41	send -- "firemon --seccomp\r"
		42	expect {
		43	timeout {puts "TESTING ERROR 5\n";exit}
		44	":firejail"
		45	}
		46	expect {
		47	timeout {puts "TESTING ERROR 5.0\n";exit}
		48	"transmission-gtk"
		49	}
		50	expect {
		51	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
		52	"Seccomp: 2"
		53	}
		54	expect {
		55	timeout {puts "TESTING ERROR 5.1\n";exit}
		56	"name=blablabla"
		57	}
		58	sleep 1
		59	send -- "firemon --caps\r"
		60	expect {
		61	timeout {puts "TESTING ERROR 6\n";exit}
		62	":firejail"
		63	}
		64	expect {
		65	timeout {puts "TESTING ERROR 6.0\n";exit}
		66	"transmission-gtk"
		67	}
		68	expect {
		69	timeout {puts "TESTING ERROR 6.1\n";exit}
		70	"CapBnd"
		71	}
		72	expect {
		73	timeout {puts "TESTING ERROR 6.2\n";exit}
		74	"0000000000000000"
		75	}
		76	expect {
		77	timeout {puts "TESTING ERROR 6.3\n";exit}
		78	"name=blablabla"
		79	}
		80	sleep 1
		81	send -- "firejail --shutdown=test\r"
		82	sleep 3
		83
		84	puts "\nall done\n"
		85


diff --git a/test/environment/allow-debuggers.exp b/test/environment/allow-debuggers.exp index dde9c4cc1..8a404decb 100755 --- a/test/environment/allow-debuggers.exp +++ b/test/environment/allow-debuggers.exp
@@ -11,19 +11,27 @@ expect {
11	"Child process initialized"	11	"Child process initialized"
12	}	12	}
13	expect {	13	expect {
14	timeout {puts "TESTING ERROR 1\n";exit}	14	timeout {puts "TESTING ERROR 1\n";exit}
15	"exited with 0"	15	"ioctl"
		16	}
		17	expect {
		18	timeout {puts "TESTING ERROR 2\n";exit}
		19	"exit_group"
16	}	20	}
17	after 100	21	after 100
18		22
19	send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"	23	send -- "firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace ls\r"
20	expect {	24	expect {
21	timeout {puts "TESTING ERROR 2\n";exit}	25	timeout {puts "TESTING ERROR 3\n";exit}
22	"Child process initialized"	26	"Child process initialized"
23	}	27	}
24	expect {	28	expect {
25	timeout {puts "TESTING ERROR 3\n";exit}	29	timeout {puts "TESTING ERROR 4\n";exit}
26	"exited with 0"	30	"ioctl"
		31	}
		32	expect {
		33	timeout {puts "TESTING ERROR 5\n";exit}
		34	"exit_group"
27	}	35	}
28	after 100	36	after 100
29		37


diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 5093c8614..5c7c98b3e 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh
@@ -12,11 +12,21 @@ echo "TESTING: noroot (test/filters/noroot.exp)"
12	echo "TESTING: capabilities (test/filters/caps.exp)"	12	echo "TESTING: capabilities (test/filters/caps.exp)"
13	./caps.exp	13	./caps.exp
14		14
		15	rm -f seccomp-test-file
		16	if [ "$(uname -m)" = "x86_64" ]; then
		17	echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
		18	./fseccomp.exp
		19	else
		20	echo "TESTING SKIP: fseccomp test implemented only for x86_64"
		21	fi
		22	rm -f seccomp-test-file
		23
		24
15	if [ "$(uname -m)" = "x86_64" ]; then	25	if [ "$(uname -m)" = "x86_64" ]; then
16	echo "TESTING: protocol (test/filters/protocol.exp)"	26	echo "TESTING: protocol (test/filters/protocol.exp)"
17	./protocol.exp	27	./protocol.exp
18	else	28	else
19	echo "TESTING SKIP: protocol, not running on x86_64"	29	echo "TESTING SKIP: protocol, running only on x86_64"
20	fi	30	fi
21		31
22	echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"	32	echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
@@ -50,9 +60,6 @@ echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod
50	echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"	60	echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
51	./seccomp-empty.exp	61	./seccomp-empty.exp
52		62
53	echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
54	./seccomp-bad-empty.exp
55
56	if [ "$(uname -m)" = "x86_64" ]; then	63	if [ "$(uname -m)" = "x86_64" ]; then
57	echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"	64	echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
58	./seccomp-dualfilter.exp	65	./seccomp-dualfilter.exp


diff --git a/test/filters/fseccomp.exp b/test/filters/fseccomp.exp new file mode 100755 index 000000000..8a9a8f9dc --- /dev/null +++ b/test/filters/fseccomp.exp
@@ -0,0 +1,138 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	after 100
		11	send -- "/usr/lib/firejail/fseccomp debug-syscalls\r"
		12	expect {
		13	timeout {puts "TESTING ERROR 1\n";exit}
		14	"1 - write"
		15	}
		16
		17	after 100
		18	send -- "/usr/lib/firejail/fseccomp debug-errnos\r"
		19	expect {
		20	timeout {puts "TESTING ERROR 2\n";exit}
		21	"1 - EPERM"
		22	}
		23
		24	after 100
		25	send -- "/usr/lib/firejail/fseccomp debug-protocols\r"
		26	expect {
		27	timeout {puts "TESTING ERROR 3\n";exit}
		28	"unix, inet, inet6, netlink, packet,"
		29	}
		30
		31	after 100
		32	send -- "/usr/lib/firejail/fseccomp protocol build unix,inet seccomp-test-file\r"
		33	after 100
		34	send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
		35	expect {
		36	timeout {puts "TESTING ERROR 4.1\n";exit}
		37	"WHITELIST 41 socket"
		38	}
		39
		40	after 100
		41	send -- "/usr/lib/firejail/fseccomp secondary 64 seccomp-test-file\r"
		42	after 100
		43	send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
		44	expect {
		45	timeout {puts "TESTING ERROR 5.1\n";exit}
		46	"BLACKLIST 165 mount"
		47	}
		48	expect {
		49	timeout {puts "TESTING ERROR 5.2\n";exit}
		50	"BLACKLIST 166 umount2"
		51	}
		52	expect {
		53	timeout {puts "TESTING ERROR 5.3\n";exit}
		54	"RETURN_ALLOW"
		55	}
		56
		57	after 100
		58	send -- "/usr/lib/firejail/fseccomp default seccomp-test-file\r"
		59	after 100
		60	send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
		61	expect {
		62	timeout {puts "TESTING ERROR 6.1\n";exit}
		63	"BLACKLIST 165 mount"
		64	}
		65	expect {
		66	timeout {puts "TESTING ERROR 6.2\n";exit}
		67	"BLACKLIST 166 umount2"
		68	}
		69	expect {
		70	timeout {puts "TESTING ERROR 6.3\n";exit}
		71	"RETURN_ALLOW"
		72	}
		73
		74	after 100
		75	send -- "/usr/lib/firejail/fseccomp drop seccomp-test-file chmod,chown\r"
		76	after 100
		77	send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
		78	expect {
		79	timeout {puts "TESTING ERROR 7.1\n";exit}
		80	"BLACKLIST 165 mount" {puts "TESTING ERROR 7.2\n";exit}
		81	"BLACKLIST 166 umount2" {puts "TESTING ERROR 7.3\n";exit}
		82	"BLACKLIST 90 chmod"
		83	}
		84	expect {
		85	timeout {puts "TESTING ERROR 7.4\n";exit}
		86	"BLACKLIST 92 chown"
		87	}
		88	expect {
		89	timeout {puts "TESTING ERROR 7.5\n";exit}
		90	"RETURN_ALLOW"
		91	}
		92
		93	after 100
		94	send -- "/usr/lib/firejail/fseccomp default drop seccomp-test-file chmod,chown\r"
		95	after 100
		96	send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
		97	expect {
		98	timeout {puts "TESTING ERROR 8.1\n";exit}
		99	"BLACKLIST 165 mount"
		100	}
		101	expect {
		102	timeout {puts "TESTING ERROR 8.2\n";exit}
		103	"BLACKLIST 166 umount2"
		104	}
		105	expect {
		106	timeout {puts "TESTING ERROR 8.3\n";exit}
		107	"BLACKLIST 90 chmod"
		108	}
		109	expect {
		110	timeout {puts "TESTING ERROR 8.4\n";exit}
		111	"BLACKLIST 92 chown"
		112	}
		113	expect {
		114	timeout {puts "TESTING ERROR 8.5\n";exit}
		115	"RETURN_ALLOW"
		116	}
		117	after 100
		118	send -- "/usr/lib/firejail/fseccomp keep seccomp-test-file chmod,chown\r"
		119	after 100
		120	send -- "/usr/lib/firejail/fseccomp print seccomp-test-file\r"
		121	expect {
		122	timeout {puts "TESTING ERROR 9.1\n";exit}
		123	"WHITELIST 90 chmod"
		124	}
		125	expect {
		126	timeout {puts "TESTING ERROR 9.2\n";exit}
		127	"WHITELIST 92 chown"
		128	}
		129	expect {
		130	timeout {puts "TESTING ERROR 9.3\n";exit}
		131	"KILL_PROCESS"
		132	}
		133
		134
		135
		136	after 100
		137	puts "\nall done\n"
		138


diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 2a7cb7975..b011f2bf9 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp
@@ -46,20 +46,20 @@ expect {
46	}	46	}
47	send -- "sudo -s\r"	47	send -- "sudo -s\r"
48	expect {	48	expect {
49	timeout {puts "TESTING ERROR 8\n";exit}	49	timeout {puts "TESTING ERROR 7\n";exit}
50	"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}	50	"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
51	"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}	51	"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
52	"Bad system call" { puts "OK\n";}	52	"Bad system call" { puts "OK\n";}
53	}	53	}
54	send -- "cat /proc/self/uid_map \| wc -l\r"	54	send -- "cat /proc/self/uid_map \| wc -l\r"
55	expect {	55	expect {
56	timeout {puts "TESTING ERROR 7\n";exit}	56	timeout {puts "TESTING ERROR 8\n";exit}
57	"1"	57	"1"
58	}	58	}
59	send -- "cat /proc/self/gid_map \| wc -l\r"	59	send -- "cat /proc/self/gid_map \| wc -l\r"
60	expect {	60	expect {
61	timeout {puts "TESTING ERROR 8\n";exit}	61	timeout {puts "TESTING ERROR 9\n";exit}
62	"3"	62	"5"
63	}	63	}
64		64
65	puts "\n"	65	puts "\n"
@@ -70,59 +70,59 @@ sleep 2
70		70
71	send -- "firejail --name=test --noroot --noprofile\r"	71	send -- "firejail --name=test --noroot --noprofile\r"
72	expect {	72	expect {
73	timeout {puts "TESTING ERROR 9\n";exit}	73	timeout {puts "TESTING ERROR 10\n";exit}
74	"Child process initialized"	74	"Child process initialized"
75	}	75	}
76	sleep 1	76	sleep 1
77		77
78	send -- "cat /proc/self/status\r"	78	send -- "cat /proc/self/status\r"
79	expect {	79	expect {
80	timeout {puts "TESTING ERROR 10\n";exit}	80	timeout {puts "TESTING ERROR 11\n";exit}
81	"CapBnd:"	81	"CapBnd:"
82	}	82	}
83	expect {	83	expect {
84	timeout {puts "TESTING ERROR 11\n";exit}	84	timeout {puts "TESTING ERROR 12\n";exit}
85	"ffffffff"	85	"ffffffff"
86	}	86	}
87	expect {	87	expect {
88	timeout {puts "TESTING ERROR 12\n";exit}	88	timeout {puts "TESTING ERROR 13\n";exit}
89	"Seccomp:"	89	"Seccomp:"
90	}	90	}
91	expect {	91	expect {
92	timeout {puts "TESTING ERROR 13\n";exit}	92	timeout {puts "TESTING ERROR 14\n";exit}
93	"0"	93	"0"
94	}	94	}
95	expect {	95	expect {
96	timeout {puts "TESTING ERROR 14\n";exit}	96	timeout {puts "TESTING ERROR 15\n";exit}
97	"Cpus_allowed:"	97	"Cpus_allowed:"
98	}	98	}
99	puts "\n"	99	puts "\n"
100		100
101	send -- "whoami\r"	101	send -- "whoami\r"
102	expect {	102	expect {
103	timeout {puts "TESTING ERROR 15\n";exit}	103	timeout {puts "TESTING ERROR 16\n";exit}
104	$env(USER)	104	$env(USER)
105	}	105	}
106	send -- "sudo -s\r"	106	send -- "sudo -s\r"
107	expect {	107	expect {
108	timeout {puts "TESTING ERROR 16\n";exit}	108	timeout {puts "TESTING ERROR 17\n";exit}
109	"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}	109	"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
110	"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}	110	"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
111	}	111	}
112	send -- "ping 0\r"	112	send -- "ping 0\r"
113	expect {	113	expect {
114	timeout {puts "TESTING ERROR 17\n";exit}	114	timeout {puts "TESTING ERROR 18\n";exit}
115	"Operation not permitted"	115	"Operation not permitted"
116	}	116	}
117	send -- "cat /proc/self/uid_map \| wc -l\r"	117	send -- "cat /proc/self/uid_map \| wc -l\r"
118	expect {	118	expect {
119	timeout {puts "TESTING ERROR 18\n";exit}	119	timeout {puts "TESTING ERROR 19\n";exit}
120	"1"	120	"1"
121	}	121	}
122	send -- "cat /proc/self/gid_map \| wc -l\r"	122	send -- "cat /proc/self/gid_map \| wc -l\r"
123	expect {	123	expect {
124	timeout {puts "TESTING ERROR 19\n";exit}	124	timeout {puts "TESTING ERROR 20\n";exit}
125	"3"	125	"5"
126	}	126	}
127		127
128		128
@@ -130,31 +130,31 @@ expect {
130	spawn $env(SHELL)	130	spawn $env(SHELL)
131	send -- "firejail --debug --join=test\r"	131	send -- "firejail --debug --join=test\r"
132	expect {	132	expect {
133	timeout {puts "TESTING ERROR 20\n";exit}	133	timeout {puts "TESTING ERROR 21\n";exit}
134	"User namespace detected"	134	"User namespace detected"
135	}	135	}
136	expect {	136	expect {
137	timeout {puts "TESTING ERROR 21\n";exit}	137	timeout {puts "TESTING ERROR 22\n";exit}
138	"Joining user namespace"	138	"Joining user namespace"
139	}	139	}
140	sleep 1	140	sleep 1
141		141
142	send -- "sudo -s\r"	142	send -- "sudo -s\r"
143	expect {	143	expect {
144	timeout {puts "TESTING ERROR 22\n";exit}	144	timeout {puts "TESTING ERROR 23\n";exit}
145	"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}	145	"effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
146	"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}	146	"sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
147	"Permission denied" { puts "OK\n";}	147	"Permission denied" { puts "OK\n";}
148	}	148	}
149	send -- "cat /proc/self/uid_map \| wc -l\r"	149	send -- "cat /proc/self/uid_map \| wc -l\r"
150	expect {	150	expect {
151	timeout {puts "TESTING ERROR 23\n";exit}	151	timeout {puts "TESTING ERROR 24\n";exit}
152	"1"	152	"1"
153	}	153	}
154	send -- "cat /proc/self/gid_map \| wc -l\r"	154	send -- "cat /proc/self/gid_map \| wc -l\r"
155	expect {	155	expect {
156	timeout {puts "TESTING ERROR 24\n";exit}	156	timeout {puts "TESTING ERROR 25\n";exit}
157	"3"	157	"5"
158	}	158	}
159	after 100	159	after 100
160	puts "\nall done\n"	160	puts "\nall done\n"


diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d45ef48bd..3139b8eae 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh
@@ -6,6 +6,9 @@
6	export MALLOC_CHECK_=3	6	export MALLOC_CHECK_=3
7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))	7	export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
8		8
		9	echo "TESTING: /sys/fs access (test/fs/sys_fs.exp)"
		10	./sys_fs.exp
		11
9	echo "TESTING: kmsg access (test/fs/kmsg.exp)"	12	echo "TESTING: kmsg access (test/fs/kmsg.exp)"
10	./kmsg.exp	13	./kmsg.exp
11		14


diff --git a/test/fs/sys_fs.exp b/test/fs/sys_fs.exp new file mode 100755 index 000000000..f512776d9 --- /dev/null +++ b/test/fs/sys_fs.exp
@@ -0,0 +1,44 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 10
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 1\n";exit}
		13	"Child process initialized"
		14	}
		15	sleep 1
		16
		17	send -- "ls /sys/fs\r"
		18	expect {
		19	timeout {puts "TESTING ERROR 2\n";exit}
		20	"Permission denied"
		21	}
		22	after 100
		23
		24	send -- "exit\r"
		25	sleep 1
		26
		27	send -- "firejail --noblacklist=/sys/fs\r"
		28	expect {
		29	timeout {puts "TESTING ERROR 1\n";exit}
		30	"Child process initialized"
		31	}
		32	sleep 1
		33
		34	send -- "ls /sys/fs\r"
		35	expect {
		36	timeout {puts "TESTING ERROR 2\n";exit}
		37	"cgroup"
		38	}
		39	after 100
		40	send -- "exit\r"
		41	after 100
		42
		43	puts "\nall done\n"
		44