From 2acc910daf73c284965ca96bc70b4eb980c865cf Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 8 Nov 2018 10:49:44 -0500
Subject: profile parser testing
---
README.md | 8 +++-----
src/firejail/firejail.h | 3 +--
src/firejail/profile.c | 12 ++++++++++--
test/profiles/profile_appname.exp | 25 +++++++++++++++++++++++++
test/profiles/profile_noperm.exp | 2 +-
test/profiles/profile_recursivity.exp | 25 +++++++++++++++++++++++++
test/profiles/profile_syntax2.exp | 27 +++------------------------
test/profiles/profiles.sh | 27 +++++++++++++++++++++++++++
test/profiles/test2.profile | 4 +++-
test/profiles/test3.profile | 1 +
10 files changed, 99 insertions(+), 35 deletions(-)
create mode 100755 test/profiles/profile_appname.exp
create mode 100755 test/profiles/profile_recursivity.exp
create mode 100644 test/profiles/test3.profile
diff --git a/README.md b/README.md
index d6a7877ca..9e61e5633 100644
--- a/README.md
+++ b/README.md
@@ -101,17 +101,15 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe ````` ## Current development version: 0.9.57 -## New Long Term Support (LTS) version +## New Long Term Support (0.9.56-LTS) version released -We are rebasing our Long Term Support branch of Firejail. The current LTS version (0.9.38.x) is more than two years old. The new version updates the code base to 0.9.56. We target a reduction of approx. 40% of the code by removing rarely used features (chroot, overlay, rlimits, cgroups), incomplete features (private-bin, private-lib), and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened. -We have an rc1 release out, the final version will follow in the next few weeks: ````` -firejail (0.9.56-LTS~rc1) baseline; urgency=low +firejail (0.9.56-LTS) baseline; urgency=low * code based on Firejail version 0.9.56 * much smaller code base for SUID executable * command line options removed: @@ -124,7 +122,7 @@ firejail (0.9.56-LTS~rc1) baseline; urgency=low --disable-globalcfg, --disable-network, --disable-userns, --disable-whitelist, --disable-suid, --enable-fatal-warnings, --enable-busybox-workaround - -- netblue30 Wed, 3 Oct 2018 08:00:00 -0500 + -- netblue30 Sun, 21 Oct 2018 08:00:00 -0500 ````` The new LTS branch is here: https://github.com/netblue30/firejail/tree/LTSbase diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d996e1dac..46aea4bd4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h 
@@ -461,8 +461,7 @@ void fs_mnt(const int enforce); // profile.c // find and read the profile specified by name from dir directory -int profile_find(const char *name, const char *dir, int add_ext); -int profile_find_firejail(const char *name, int add_ext); +//int profile_find_firejail(const char *name, int add_ext); // read a profile file void profile_read(const char *fname); // check profile line; if line == 0, this was generated from a command line option diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a85c8f815..5f5d94ddf 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -25,7 +25,8 @@ extern char *xephyr_screen; #define MAX_READ 8192 // line buffer for profile files // find and read the profile specified by name from dir directory -int profile_find(const char *name, const char *dir, int add_ext) { +// return 1 if a profile was found +static int profile_find(const char *name, const char *dir, int add_ext) { EUID_ASSERT(); assert(name); assert(dir); @@ -64,6 +65,7 @@ int profile_find(const char *name, const char *dir, int add_ext) { } // search and read the profile specified by name from firejail directories +// return 1 if a profile was found int profile_find_firejail(const char *name, int add_ext) { // look for a profile in ~/.config/firejail directory char *usercfgdir; @@ -1438,7 +1440,13 @@ void profile_read(const char *fname) { ptr2++; // profile path contains no / chars, do a search if (*ptr2 == '\0') { - profile_find_firejail(newprofile, 0); + int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory + if (!rv) { + // maybe this is a file in the local working directory? + // it will stop the sandbox if not! + // Note: if the file ends in .local it will not stop the program + profile_read(newprofile); + } } else { profile_read(newprofile); diff --git a/test/profiles/profile_appname.exp b/test/profiles/profile_appname.exp new file mode 100755 index 000000000..c70e7ad57 
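Review bot: The commented-out prototype `//int profile_find_firejail(const char *name, int add_ext);` in firejail.h removes the only declaration of a function that profile.c still defines with external linkage. If any other translation unit calls it (none is visible in this diff), that call now compiles against an implicit declaration with no argument checking, which is an avoidable risk in a SUID executable. Either keep the live prototype `int profile_find_firejail(const char *name, int add_ext);`, or, if profile.c is the only caller, delete the commented line and mark the definition `static` as this commit does for `profile_find`.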
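Review bot: The new fallback `profile_read(newprofile)` in the `@@ -1438,7 +1440,13 @@` hunk resolves a bare include name against the current working directory whenever the search in the firejail directories returns 0, so which file an `include` line loads now depends on where firejail was started. When the sandbox is launched from a directory whose contents are not trusted, a file there with a matching name would be parsed as part of the profile; consider allowing the fallback only when the including profile itself was given as a local file, or at least printing the resolved path. The inline comment says the return value means "found in sysconfig directory", while the context lines of the previous hunk show `profile_find_firejail` looking in ~/.config/firejail first; `// returns 1 if a profile was found in a firejail config directory` would match the code. The body of `profile_read` starts and ends outside the hunk.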
--- /dev/null +++ b/test/profiles/profile_appname.exp @@ -0,0 +1,25 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2018 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=firefox\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/firefox.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Reading profile /etc/firejail/firefox-common.profile" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "shell=none configured, but no program specified" +} + +after 100 +puts "\nall done\n" diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp index b3b031cb2..9f8cb54e2 100755 --- a/test/profiles/profile_noperm.exp +++ b/test/profiles/profile_noperm.exp @@ -7,7 +7,7 @@ match_max 100000 send -- "firejail --profile=/etc/shadow\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "cannot access profile" + "inaccessible profile file" } after 100 puts "\nall done\n" diff --git a/test/profiles/profile_recursivity.exp b/test/profiles/profile_recursivity.exp new file mode 100755 index 000000000..66e4510bf --- /dev/null +++ b/test/profiles/profile_recursivity.exp @@ -0,0 +1,25 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2018 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --profile=test3.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile test3.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Reading profile test3.profile" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "maximum profile include level was reached" +} + +after 100 +puts "\nall done\n" diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index 4d621f3ec..da34b67e8 100755 --- a/test/profiles/profile_syntax2.exp 
+++ b/test/profiles/profile_syntax2.exp @@ -7,7 +7,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --debug --profile=test2.profile\r" +send -- "firejail --profile=test2.profile\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Reading profile test2.profile" @@ -18,29 +18,8 @@ expect { } expect { timeout {puts "TESTING ERROR 2\n";exit} - "Mounting a new /home directory" + "cannot access profile file" } -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Disable /bin/rmdir" {puts "Most Linux platforms\n"} - "Disable /usr/bin/rmdir" { puts "OpenSUSE platform\n"} -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Drop CAP_SYS_MODULE" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "seccomp entries in /run/firejail/mnt/seccomp" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "jeq mount" -} -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "Child process initialized" -} -send -- "exit\r" + after 100 puts "\nall done\n" diff --git a/test/profiles/profiles.sh b/test/profiles/profiles.sh index 7c3549aea..a3d24ac0c 100755 --- a/test/profiles/profiles.sh +++ b/test/profiles/profiles.sh 
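Review bot: The `@@ -18,29 +18,8 @@` hunk drops every assertion that the sandbox was actually set up from test2.profile ("Drop CAP_SYS_MODULE", "seccomp entries in /run/firejail/mnt/seccomp", "Child process initialized") and keeps only the error message for the missing include. Unless another script still covers this (profile_syntax.exp is not shown here), nothing in the visible tests now checks that `caps`, `seccomp` and `private` take effect when they come from a profile that uses includes. Moving the removed expectations into a separate script that runs with `--debug` against a profile without the `include test25.profile` line would preserve that coverage.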
@@ -6,6 +6,33 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)" +./profile_recursivity.exp + +echo "TESTING: profile application name (test/profiles/profile_appname.exp)" +./profile_appname.exp + +echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)" +./profile_syntax.exp + +echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)" +./profile_syntax2.exp + +echo "TESTING: ignore command (test/profiles/ignore.exp)" +./ignore.exp + +echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)" +./profile_readonly.exp + +echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)" +./profile_followlnk.exp + +echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)" +./profile_noperm.exp + + + + echo "TESTING: default profiles installed in /etc" PROFILES=`ls /etc/firejail/*.profile` for PROFILE in $PROFILES diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile index e219d800d..9fbd5219a 100644 --- a/test/profiles/test2.profile +++ b/test/profiles/test2.profile @@ -1,4 +1,6 @@ -caps +caps seccomp private include test.profile + include test.local + include test25.profile diff --git a/test/profiles/test3.profile b/test/profiles/test3.profile new file mode 100644 index 000000000..c28ddadb5 --- /dev/null +++ b/test/profiles/test3.profile @@ -0,0 +1 @@ +include test3.profile \ No newline at end of file -- cgit v1.2.3-54-g00ecf
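Review bot: The label printed before `./profile_followlnk.exp` names the wrong script: `echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"` should end in `(test/profiles/profile_followlnk.exp)`, otherwise a failure in the log points at the read-only test. None of the added invocations checks an exit status, and the expect scripts in this commit call a bare `exit` on timeout, so a failing test is visible only through the "TESTING ERROR" text it prints.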