From 2775b37ed206e5650b1ec4398d33718562f4d657 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 5 Aug 2016 12:37:53 -0400 Subject: whitelist test --- test/fs/fs.sh | 13 +++ test/fs/whitelist-double.exp | 2 +- test/fs/whitelist.exp | 226 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 240 insertions(+), 1 deletion(-) create mode 100755 test/fs/whitelist.exp diff --git a/test/fs/fs.sh b/test/fs/fs.sh index ee6351e2e..d45ef48bd 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -56,3 +56,16 @@ echo "TESTING: recursive mkdir (test/fs/mkdir.exp)" echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" ./whitelist-double.exp + + +echo "TESTING: whitelist (test/fs/whitelist.exp)" +./whitelist.exp +rm -fr ~/fjtest-dir +rm -fr ~/fjtest-dir-lnk +rm -f ~/fjtest-file +rm -f ~/fjtest-file-lnk +rm -f /tmp/fjtest-file +rm -fr /tmp/fjtest-dir + + + diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp index 87d6ed686..43e4d6fc0 100755 --- a/test/fs/whitelist-double.exp +++ b/test/fs/whitelist-double.exp @@ -3,7 +3,7 @@ # Copyright (C) 2014-2016 Firejail Authors # License GPL v2 -set timeout 30 +set timeout 10 spawn $env(SHELL) match_max 100000 diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp new file mode 100755 index 000000000..9a9a0f353 --- /dev/null +++ b/test/fs/whitelist.exp @@ -0,0 +1,226 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# cleanup +send -- "rm -fr ~/fjtest-dir\r" +after 200 +send -- "rm -fr ~/fjtest-dir-lnk\r" +after 200 +send -- "rm ~/fjtest-file\r" +after 200 +send -- "rm ~/fjtest-file-lnk\r" +after 200 +send -- "rm /tmp/fjtest-file\r" +after 200 +send -- "rm -fr /tmp/fjtest-dir\r" +after 200 + + +# simple files and directories +send -- "mkdir -p ~/fjtest-dir/fjtest-dir\r" +after 200 +send -- "echo 123 > ~/fjtest-file\r" +after 200 +send -- "echo 123 > ~/fjtest-dir/fjtest-file\r" +after 200 +send -- "echo 123 > ~/fjtest-dir/fjtest-dir/fjtest-file\r" +after 200 +send -- "ln -s ~/fjtest-file ~/fjtest-file-lnk\r" +after 200 +send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" +after 200 + +send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~/ | grep -v total | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} + +send -- "cat fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "123" +} + +send -- "cat fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "123" +} + +send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "123" +} + +send -- "exit\r" +sleep 1 + + + +# simple files and directories +send -- "firejail --whitelist=~/fjtest-dir/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~/ | grep -v total | wc -l\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "1" +} + +send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "123" +} + +send -- "exit\r" +sleep 1 + + + +# symlinks +send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" +expect { + timeout {puts "TESTING ERROR 20\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~/ | grep -v total | wc -l\r" +expect { + timeout {puts "TESTING ERROR 21\n";exit} + "4" +} + +send -- "cat fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 22\n";exit} + "123" +} + +send -- "cat fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 23\n";exit} + "123" +} + +send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 24\n";exit} + "123" +} + +send -- "cat fjtest-file-lnk\r" +expect { + timeout {puts "TESTING ERROR 25\n";exit} + "123" +} + +send -- "cat fjtest-dir-lnk/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 26\n";exit} + "123" +} + +send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 27\n";exit} + "123" +} +send -- "exit\r" +sleep 1 + +# symlinks outside home to a file we don't own +send -- "rm ~/fjtest-file-lnk\r" +after 200 +send -- "ln -s /etc/passwd ~/fjtest-file-lnk\r" +after 200 +send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" +expect { + timeout {puts "TESTING ERROR 30\n";exit} + "invalid whitelist path" +} +expect { + timeout {puts "TESTING ERROR 31\n";exit} + "exiting" +} +sleep 1 + +# symlinks outside home to a file we own +send -- "rm -fr ~/fjtest-dir-lnk\r" +after 200 +send -- "rm ~/fjtest-file-lnk\r" +after 200 +send -- "echo 123 > /tmp/fjtest-file\r" +after 200 +send -- "mkdir /tmp/fjtest-dir\r" +after 200 +send -- "echo 123 > /tmp/fjtest-dir/fjtest-file\r" +after 200 +send -- "ln -s /tmp/fjtest-file ~/fjtest-file-lnk\r" +after 200 +send -- "ln -s /tmp/fjtest-dir ~/fjtest-dir-lnk\r" +after 200 +send -- "firejail --whitelist=~/fjtest-file-lnk --whitelist=~/fjtest-dir-lnk\r" +expect { + timeout {puts "TESTING ERROR 40\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l ~/ | grep -v total | wc -l\r" +expect { + timeout {puts "TESTING ERROR 41\n";exit} + "2" +} + +send -- "cat fjtest-file-lnk\r" +expect { + timeout {puts "TESTING ERROR 42\n";exit} + "123" +} + +send -- "cat fjtest-dir-lnk/fjtest-file\r" +expect { + timeout {puts "TESTING ERROR 43\n";exit} + "123" +} +send -- "exit\r" +sleep 1 + +# cleanup +send -- "rm -fr ~/fjtest-dir\r" +after 200 +send -- "rm -fr ~/fjtest-dir-lnk\r" +after 200 +send -- "rm ~/fjtest-file\r" +after 200 +send -- "rm ~/fjtest-file-lnk\r" +after 200 +send -- "rm /tmp/fjtest-file\r" +after 200 +send -- "rm -fr /tmp/fjtest-dir\r" +after 200 + + +puts "\nall done\n" + -- cgit v1.2.3-70-g09d2