From 2155203b3e01354c93d7cb68751f520704fcea1e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 7 Aug 2018 09:08:21 -0400 Subject: xdg macro testing --- src/firejail/fs_whitelist.c | 1 + src/firejail/macros.c | 123 +++------------------------- test/fs/fs.sh | 3 + test/fs/macro-blacklist.profile | 6 ++ test/fs/macro-readonly.profile | 6 ++ test/fs/macro-whitelist.profile | 6 ++ test/fs/macro.exp | 174 ++++++++++++++++++++++++++++++++++++++++ 7 files changed, 209 insertions(+), 110 deletions(-) create mode 100644 test/fs/macro-blacklist.profile create mode 100644 test/fs/macro-readonly.profile create mode 100644 test/fs/macro-whitelist.profile create mode 100755 test/fs/macro.exp diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index a2803ccbc..bfcf9c209 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -35,6 +35,7 @@ #define EMPTY_STRING ("") #define MAXBUF 4098 +// returns mallocated memory char *parse_nowhitelist(int nowhitelist_flag, char *ptr1) { char *rv; if (nowhitelist_flag) { diff --git a/src/firejail/macros.c b/src/firejail/macros.c index f111802d7..ef8e0cd79 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c @@ -69,7 +69,7 @@ Macro macro[] = { }; // return -1 if not found -int macro_id(const char *name) { +static int macro_id(const char *name) { int i = 0; while (macro[i].name != NULL) { if (strcmp(name, macro[i].name) == 0) @@ -90,6 +90,7 @@ int is_macro(const char *name) { return 0; } +// returns mallocated memory static char *resolve_xdg(const char *var) { char *fname; struct stat s; @@ -145,6 +146,7 @@ static char *resolve_xdg(const char *var) { return NULL; } +// returns mallocated memory static char *resolve_hardcoded(char *entries[]) { char *fname; struct stat s; @@ -156,7 +158,10 @@ static char *resolve_hardcoded(char *entries[]) { if (stat(fname, &s) == 0) { free(fname); - return entries[i]; + char *rv = strdup(entries[i]); + if (!rv) + errExit("strdup"); + return rv; } free(fname); i++; @@ -165,6 +170,7 @@ static char *resolve_hardcoded(char *entries[]) { return NULL; } +// returns mallocated memory char *resolve_macro(const char *name) { char *rv = NULL; int id = macro_id(name); @@ -223,121 +229,18 @@ char *expand_home(const char *path, const char *homedir) { EUID_ROOT(); return new_name; } -#if 0 - else if (strncmp(path, "${DOWNLOADS}", 12) == 0) { - char *tmp = resolve_xdg("XDG_DOWNLOAD_DIR=\"$HOME/", 24, "Downloads"); - char *tmp2 = resolve_hardcoded(dentry, "Downloads"); - if(tmp) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 12) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - else if(tmp2) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 12) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - } - - else if (strncmp(path, "${MUSIC}", 8) == 0) { - char *tmp = resolve_xdg("XDG_MUSIC_DIR=\"$HOME/", 21, "Music"); - char *tmp2 = resolve_hardcoded(mentry, "Music"); - if(tmp) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 8) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - else if(tmp2) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 8) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - } - - else if (strncmp(path, "${VIDEOS}", 9) == 0) { - char *tmp = resolve_xdg("XDG_VIDEOS_DIR=\"$HOME/", 22, "Videos"); - char *tmp2 = resolve_hardcoded(ventry, "Videos"); - if(tmp) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 9) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - else if(tmp2) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 9) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - } - - else if (strncmp(path, "${PICTURES}", 11) == 0) { - char *tmp = resolve_xdg("XDG_PICTURES_DIR=\"$HOME/", 24, "Pictures"); - char *tmp2 = resolve_hardcoded(pentry, "Pictures"); - if(tmp) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 11) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - else if(tmp2) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 11) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - } - - else if (strncmp(path, "${DESKTOP}", 10) == 0) { - char *tmp = resolve_xdg("XDG_DESKTOP_DIR=\"$HOME/", 24, "Desktop"); - char *tmp2 = resolve_hardcoded(deentry, "Desktop"); - if(tmp) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 10) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - else if(tmp2) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 10) == -1) + else { + char *directory = resolve_macro(path); + if (directory) { + if (asprintf(&new_name, "%s/%s", cfg.homedir, directory) == -1) errExit("asprintf"); if(called_as_root) EUID_ROOT(); + free(directory); return new_name; } } - else if (strncmp(path, "${DOCUMENTS}", 12) == 0) { - char *tmp = resolve_xdg("XDG_DOCUMENTS_DIR=\"$HOME/", 25, "Documents"); - char *tmp2 = resolve_hardcoded(doentry, "Documents"); - if(tmp) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp, path + 12) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - else if(tmp2) { - if (asprintf(&new_name, "%s/%s%s", homedir, tmp2, path + 12) == -1) - errExit("asprintf"); - if(called_as_root) - EUID_ROOT(); - return new_name; - } - } -#endif char *rv = strdup(path); if (!rv) errExit("strdup"); diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 774c61750..c1b589c29 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -58,6 +58,9 @@ echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)" echo "TESTING: private-bin (test/fs/private-bin.exp)" ./private-bin.exp +echo "TESTING: macros (test/fs/macro..exp)" +./macro.exp + echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)" ./whitelist-empty.exp diff --git a/test/fs/macro-blacklist.profile b/test/fs/macro-blacklist.profile new file mode 100644 index 000000000..2421d1b7c --- /dev/null +++ b/test/fs/macro-blacklist.profile @@ -0,0 +1,6 @@ +blacklist ${VIDEOS} +blacklist ${DOCUMENTS} +blacklist ${MUSIC} +blacklist ${DOWNLOADS} +blacklist ${PICTURES} +blacklist ${DESKTOP} diff --git a/test/fs/macro-readonly.profile b/test/fs/macro-readonly.profile new file mode 100644 index 000000000..2f3d5bd78 --- /dev/null +++ b/test/fs/macro-readonly.profile @@ -0,0 +1,6 @@ +read-only ${VIDEOS} +read-only ${DOCUMENTS} +read-only ${MUSIC} +read-only ${DOWNLOADS} +read-only ${PICTURES} +read-only ${DESKTOP} diff --git a/test/fs/macro-whitelist.profile b/test/fs/macro-whitelist.profile new file mode 100644 index 000000000..fed7f76fc --- /dev/null +++ b/test/fs/macro-whitelist.profile @@ -0,0 +1,6 @@ +whitelist ${VIDEOS} +whitelist ${DOCUMENTS} +whitelist ${MUSIC} +whitelist ${DOWNLOADS} +whitelist ${PICTURES} +whitelist ${DESKTOP} diff --git a/test/fs/macro.exp b/test/fs/macro.exp new file mode 100755 index 000000000..8080a8108 --- /dev/null +++ b/test/fs/macro.exp @@ -0,0 +1,174 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2018 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + + +send -- "firejail --profile=macro-whitelist.profile ls ~\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Desktop" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Documents" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Downloads" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Music" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Pictures" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Videos" +} +sleep 1 + +send -- "firejail --profile=macro-blacklist.profile ls ~/Desktop\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "Permission denied" +} +sleep 1 + +send -- "firejail --profile=macro-blacklist.profile ls ~/Documents\r" +expect { + timeout {puts "TESTING ERROR 9n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "Permission denied" +} +sleep 1 + +send -- "firejail --profile=macro-blacklist.profile ls ~/Downloads\r" +expect { + timeout {puts "TESTING ERROR 11n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 12n";exit} + "Permission denied" +} +sleep 1 + +send -- "firejail --profile=macro-blacklist.profile ls ~/Music\r" +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 14\n";exit} + "Permission denied" +} +sleep 1 + +send -- "firejail --profile=macro-blacklist.profile ls ~/Pictures\r" +expect { + timeout {puts "TESTING ERROR 15\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 16\n";exit} + "Permission denied" +} +sleep 1 + +send -- "firejail --profile=macro-blacklist.profile ls ~/Videos\r" +expect { + timeout {puts "TESTING ERROR 17\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 18\n";exit} + "Permission denied" +} +sleep 1 + +send -- "firejail --profile=macro-readonly.profile touch ~/Desktop/blablabla\r" +expect { + timeout {puts "TESTING ERROR 19\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 20\n";exit} + "Read-only file system" +} +sleep 1 + +send -- "firejail --profile=macro-readonly.profile touch ~/Documents/blablabla\r" +expect { + timeout {puts "TESTING ERROR 21\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 22\n";exit} + "Read-only file system" +} +sleep 1 + +send -- "firejail --profile=macro-readonly.profile touch ~/Downloads/blablabla\r" +expect { + timeout {puts "TESTING ERROR 23\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 24\n";exit} + "Read-only file system" +} +sleep 1 + +send -- "firejail --profile=macro-readonly.profile touch ~/Music/blablabla\r" +expect { + timeout {puts "TESTING ERROR 25\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 26\n";exit} + "Read-only file system" +} +sleep 1 + +send -- "firejail --profile=macro-readonly.profile touch ~/Pictures/blablabla\r" +expect { + timeout {puts "TESTING ERROR 27\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 28\n";exit} + "Read-only file system" +} +sleep 1 + +send -- "firejail --profile=macro-readonly.profile touch ~/Videos/blablabla\r" +expect { + timeout {puts "TESTING ERROR 29\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 30\n";exit} + "Read-only file system" +} +sleep 1 + +puts "\nall done\n" -- cgit v1.2.3-54-g00ecf