From 37a5a3545ef6d8d03dad8bbd888f53e13274c9e5 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Thu, 5 May 2016 10:22:18 -0400 Subject: testing --- Makefile.in | 6 +- test/environment/environment.sh | 5 + test/environment/quiet.exp | 21 ++++ test/fs/fs.sh | 50 +++++++++ test/fs/fs_dev_shm.exp | 90 +++++++++++++++++ test/fs/fs_var_lock.exp | 90 +++++++++++++++++ test/fs/fs_var_tmp.exp | 90 +++++++++++++++++ test/fs/invalid_filename.exp | 189 ++++++++++++++++++++++++++++++++++ test/fs/kmsg.exp | 32 ++++++ test/fs/option_bind_user.exp | 15 +++ test/fs/option_blacklist.exp | 38 +++++++ test/fs/option_blacklist_file.exp | 26 +++++ test/fs/private-bin.exp | 71 +++++++++++++ test/fs/private-bin.profile | 1 + test/fs/private-etc.exp | 45 +++++++++ test/fs/private-whitelist.exp | 39 +++++++ test/fs/private.exp | 100 ++++++++++++++++++ test/fs/whitelist-empty.exp | 53 ++++++++++ test/fs_dev_shm.exp | 87 ---------------- test/fs_var_lock.exp | 87 ---------------- test/fs_var_tmp.exp | 87 ---------------- test/invalid_filename.exp | 207 -------------------------------------- test/kmsg.exp | 29 ------ test/option_bind_user.exp | 15 --- test/option_blacklist.exp | 35 ------- test/option_blacklist_file.exp | 26 ----- test/pid.exp | 49 --------- test/private-bin.exp | 71 ------------- test/private-bin.profile | 1 - test/private-etc.exp | 42 -------- test/private-whitelist.exp | 36 ------- test/private.exp | 97 ------------------ test/quiet.exp | 17 ---- test/test-nonet.sh | 44 -------- test/test.sh | 112 --------------------- test/whitelist-empty.exp | 50 --------- 36 files changed, 960 insertions(+), 1093 deletions(-) create mode 100755 test/environment/quiet.exp create mode 100755 test/fs/fs.sh create mode 100755 test/fs/fs_dev_shm.exp create mode 100755 test/fs/fs_var_lock.exp create mode 100755 test/fs/fs_var_tmp.exp create mode 100755 test/fs/invalid_filename.exp create mode 100755 test/fs/kmsg.exp create mode 100755 test/fs/option_bind_user.exp create mode 100755 test/fs/option_blacklist.exp create mode 100755 test/fs/option_blacklist_file.exp 
create mode 100755 test/fs/private-bin.exp create mode 100644 test/fs/private-bin.profile create mode 100755 test/fs/private-etc.exp create mode 100755 test/fs/private-whitelist.exp create mode 100755 test/fs/private.exp create mode 100755 test/fs/whitelist-empty.exp delete mode 100755 test/fs_dev_shm.exp delete mode 100755 test/fs_var_lock.exp delete mode 100755 test/fs_var_tmp.exp delete mode 100755 test/invalid_filename.exp delete mode 100755 test/kmsg.exp delete mode 100755 test/option_bind_user.exp delete mode 100755 test/option_blacklist.exp delete mode 100755 test/option_blacklist_file.exp delete mode 100755 test/pid.exp delete mode 100755 test/private-bin.exp delete mode 100644 test/private-bin.profile delete mode 100755 test/private-etc.exp delete mode 100755 test/private-whitelist.exp delete mode 100755 test/private.exp delete mode 100755 test/quiet.exp delete mode 100755 test/test-nonet.sh delete mode 100755 test/whitelist-empty.exp diff --git a/Makefile.in b/Makefile.in index 92254fbc0..9a6044fcb 100644 --- a/Makefile.in +++ b/Makefile.in @@ -255,6 +255,7 @@ dist: cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/dist-compile test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/filters test/.; cd .. cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/network test/.; cd .. + cd $(NAME)-$(VERSION); mkdir -p test; cp -a ../test/fs test/.; cd .. cd $(NAME)-$(VERSION); rm -fr `find . -name .svn`; rm -fr $(NAME)-$(VERSION); cd .. tar -cjvf $(NAME)-$(VERSION).tar.bz2 $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) @@ -304,5 +305,8 @@ test-filters: test-network: echo "Please read test/netwok/README file and run the test manually" -test: test-profiles test-utils test-environment test-apps test-apps-x11 test-filters test-network +test-fs: + cd test/fs; ./fs.sh | grep TESTING + +test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters test-network echo "TEST COMPLETE" 
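Review bot: The new `test-fs` recipe cannot fail the build: the exit status of `./fs.sh | grep TESTING` is grep's, and grep succeeds on any matching line, including `TESTING ERROR`. A regression in a blacklist, whitelist or private-directory check therefore still lets `make test` reach `TEST COMPLETE`. The `cd test/fs;` form also lets `./fs.sh` run from the wrong directory if the `cd` fails. A recipe such as `cd test/fs && ./fs.sh | awk '/TESTING/ {print} /TESTING ERROR/ {bad=1} END {exit bad}'` keeps the filtered output and returns non-zero when an error line is seen. The neighbouring test targets lie outside this hunk and may need the same treatment.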
diff --git a/test/environment/environment.sh b/test/environment/environment.sh index 7b29a3482..49b50797a 100755 --- a/test/environment/environment.sh +++ b/test/environment/environment.sh @@ -62,3 +62,8 @@ fi echo "TESTING: nice (test/environment/nice.exp)" ./nice.exp + +echo "TESTING: quiet (test/environment/quiet.exp)" +./quiet.exp + + diff --git a/test/environment/quiet.exp b/test/environment/quiet.exp new file mode 100755 index 000000000..38da4673e --- /dev/null +++ b/test/environment/quiet.exp @@ -0,0 +1,21 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 4 +spawn $env(SHELL) +match_max 100000 + +# check ip address +send -- "firejail --quiet echo done\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Reading profile" {puts "TESTING ERROR 2\n";exit} + "Child process initialized" {puts "TESTING ERROR 3\n";exit} + "done" +} +sleep 1 + +puts "\nall done\n" + diff --git a/test/fs/fs.sh b/test/fs/fs.sh new file mode 100755 index 000000000..425af45a6 --- /dev/null +++ b/test/fs/fs.sh 
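Review bot: In test/environment/quiet.exp the success pattern `"done"` also occurs in the command text that the spawned shell echoes back, so `expect` can return on the echo of `firejail --quiet echo done` before firejail has printed anything. The `Reading profile` and `Child process initialized` failure patterns may then never be evaluated. A sentinel whose typed form differs from its output avoids this, for example `send -- "firejail --quiet echo do''ne\r"`. The `;echo done` sentinels in test/fs/fs_dev_shm.exp, fs_var_lock.exp and fs_var_tmp.exp have the same weakness, which there affects the negative `"mytest"` checks after the `rm`. The `# check ip address` comment is left over from another test; `# --quiet must suppress the startup messages` would describe this one.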
@@ -0,0 +1,50 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: kmsg access (test/fs/kmsg.exp)"
+./kmsg.exp
+
+echo "TESTING: read/write /var/tmp (test/fs/fs_var_tmp.exp)"
+./fs_var_tmp.exp
+
+echo "TESTING: read/write /var/lock (test/fs/fs_var_lock.exp)"
+./fs_var_lock.exp
+
+echo "TESTING: read/write /dev/shm (test/fs/fs_dev_shm.exp)"
+./fs_dev_shm.exp
+
+echo "TESTING: private (test/fs/private.exp)"
+./private.exp `whoami`
+
+echo "TESTING: private-etc (test/fs/private-etc.exp)"
+./private-etc.exp
+
+echo "TESTING: private-bin (test/fs/private-bin.exp)"
+./private-bin.exp
+
+echo "TESTING: whitelist empty (test/fs/whitelist-empty.exp)"
+./whitelist-empty.exp
+
+echo "TESTING: private whitelist (test/fs/private-whitelist.exp)"
+echo "TESTING: (failing on OpenSUSE)"
+./private-whitelist.exp
+
+echo "TESTING: invalid filename (test/fs/invalid_filename.exp)"
+./invalid_filename.exp
+
+echo "TESTING: blacklist directory (test/fs/option_blacklist.exp)"
+./option_blacklist.exp
+
+echo "TESTING: blacklist file (test/fs/option_blacklist_file.exp)"
+./option_blacklist_file.exp
+
+echo "TESTING: bind as user (test/fs/option_bind_user.exp)"
+./option_bind_user.exp
+
+
+
diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp
new file mode 100755
index 000000000..6d27978e2
--- /dev/null
+++ b/test/fs/fs_dev_shm.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# testing read-write /dev/shm
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "done"
+}
+
+send -- "cat /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "mytest"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "done"
+}
+
+send -- "rm /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "done"
+}
+
+send -- "cat /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "mytest" {puts "TESTING ERROR 6\n";exit}
+ "done"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+# redo the test with --private
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "done"
+}
+
+send -- "cat /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "mytest"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "done"
+}
+
+send -- "rm /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "done"
+}
+
+send -- "cat /dev/shm/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "mytest" {puts "TESTING ERROR 13\n";exit}
+ "done"
+}
+
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp
new file mode 100755
index 000000000..0e2b3181a
--- /dev/null
+++ b/test/fs/fs_var_lock.exp
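Review bot: The second half of test/fs/fs_dev_shm.exp is introduced by `# redo the test with --private`, but the command sent is still plain `firejail`, so steps 7 to 13 repeat the first half and the private-home case is not exercised. If the comment states the intent, the line should read `send -- "firejail --private\r"`. test/fs/fs_var_lock.exp and test/fs/fs_var_tmp.exp carry the same comment and the same command.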
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# testing read-write /var/lock
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > /var/lock/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "done"
+}
+
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "mytest"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "done"
+}
+
+send -- "rm /var/lock/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "done"
+}
+
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "mytest" {puts "TESTING ERROR 6\n";exit}
+ "done"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+# redo the test with --private
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > /var/lock/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "done"
+}
+
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "mytest"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "done"
+}
+
+send -- "rm /var/lock/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "done"
+}
+
+send -- "cat /var/lock/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "mytest" {puts "TESTING ERROR 13\n";exit}
+ "done"
+}
+
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp
new file mode 100755
index 000000000..811baac68
--- /dev/null
+++ b/test/fs/fs_var_tmp.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# testing read-write /var/tmp
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > /var/tmp/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "done"
+}
+
+send -- "cat /var/tmp/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "mytest"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "done"
+}
+
+send -- "rm /var/tmp/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "done"
+}
+
+send -- "cat /var/tmp/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "mytest" {puts "TESTING ERROR 6\n";exit}
+ "done"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+# redo the test with --private
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "echo mytest > /var/tmp/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "done"
+}
+
+send -- "cat /var/tmp/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "mytest"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "done"
+}
+
+send -- "rm /var/tmp/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "done"
+}
+
+send -- "cat /var/tmp/ttt;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "mytest" {puts "TESTING ERROR 13\n";exit}
+ "done"
+}
+
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/fs/invalid_filename.exp b/test/fs/invalid_filename.exp
new file mode 100755
index 000000000..1acc85491
--- /dev/null
+++ b/test/fs/invalid_filename.exp
@@ -0,0 +1,189 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --debug-check-filename --noprofile --blacklist=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 1.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 1.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 1.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --noprofile --cgroup=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 2.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 2.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 2.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "Checking filename bla&&bla" {puts "normal system\n"}
+ "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit}
+}
+expect {
+ timeout {puts "TESTING ERROR 3.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --noprofile --netfilter=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 4.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 4.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 4.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --noprofile --output=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 5.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --noprofile --private=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --noprofile --private-bin=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 7.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 7.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 7.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 9.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 9.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 9.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --profile=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 10.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 10.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 10.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --read-only=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 11.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 11.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 11.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+send -- "firejail --debug-check-filename --shell=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 12.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 12.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 12.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+
+send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 14.1\n";exit}
+ "Checking filename bla&&bla"
+}
+expect {
+ timeout {puts "TESTING ERROR 14.2\n";exit}
+ "Error:"
+}
+expect {
+ timeout {puts "TESTING ERROR 14.3\n";exit}
+ "is an invalid filename"
+}
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/fs/kmsg.exp b/test/fs/kmsg.exp
new file mode 100755
index 000000000..abc711aee
--- /dev/null
+++ b/test/fs/kmsg.exp
@@ -0,0 +1,32 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "cat /dev/kmsg\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Permission denied"
+}
+after 100
+
+send -- "cat /proc/kmsg\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Permission denied"
+}
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/fs/option_bind_user.exp b/test/fs/option_bind_user.exp
new file mode 100755
index 000000000..9d2d17d7f
--- /dev/null
+++ b/test/fs/option_bind_user.exp
@@ -0,0 +1,15 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --bind=/tmp/chroot,mntpoint\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "bind option is available only if running as root"
+}
+sleep 1
+
+puts "\n"
+
diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp
new file mode 100755
index 000000000..38fd19237
--- /dev/null
+++ b/test/fs/option_blacklist.exp
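Review bot: In test/fs/invalid_filename.exp the `--chroot` step ends the whole script with `all done` when it sees `Error: --chroot option is not available on Grsecurity systems`. On such a system the filename checks after it (`--netfilter` through `--whitelist`) never run, yet the test still reports success. Skipping only the chroot step, as sketched below, would keep the rest of the metacharacter-rejection coverage. The header comment of the old file, which listed the covered options and noted that `--bind` is untested because it needs root, was dropped in the move and is worth keeping.

```tcl
set chroot_checked 1
expect {
	timeout {puts "TESTING ERROR 3.1\n";exit}
	"Checking filename bla&&bla" {puts "normal system\n"}
	"Error: --chroot option is not available on Grsecurity systems" {set chroot_checked 0}
}
if { $chroot_checked } {
	# ... unchanged: the two expect blocks for TESTING ERROR 3.2 and 3.3 ...
}
after 100
```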
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --blacklist=/var\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l /var;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Permission denied"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "done"
+}
+send -- "cd /var;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Permission denied"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "done"
+}
+sleep 1
+
+puts "\n"
+
diff --git a/test/fs/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp
new file mode 100755
index 000000000..846735d9e
--- /dev/null
+++ b/test/fs/option_blacklist_file.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --blacklist=/etc/passwd\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "cat /etc/passwd;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Permission denied"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "done"
+}
+sleep 1
+
+puts "\n"
+
diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp
new file mode 100755
index 000000000..c19702e77
--- /dev/null
+++ b/test/fs/private-bin.exp
@@ -0,0 +1,71 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-bin=bash,ls,sh\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "ls"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "sh"
+}
+
+send -- "ls /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "ping" {puts "TESTING ERROR 6\n";exit}
+ "sh"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=private-bin.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "ls"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "sh"
+}
+
+send -- "ls /bin\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "ping" {puts "TESTING ERROR 6\n";exit}
+ "sh"
+}
+send -- "exit\r"
+
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/fs/private-bin.profile b/test/fs/private-bin.profile
new file mode 100644
index 000000000..24cf5929a
--- /dev/null
+++ b/test/fs/private-bin.profile
@@ -0,0 +1 @@
+private-bin bash,ls,sh
diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp
new file mode 100755
index 000000000..e5a006585
--- /dev/null
+++ b/test/fs/private-etc.exp
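Review bot: The last `ls /bin` check in the `--profile=private-bin.profile` half of test/fs/private-bin.exp reuses `TESTING ERROR 5` and `TESTING ERROR 6`, which the `--private-bin=bash,ls,sh` half already prints, so a failure in the profile path cannot be told apart from one in the command-line path. `TESTING ERROR 11` and `TESTING ERROR 12` would continue the numbering. The positive patterns are also loose: `"ls"` is satisfied by the echoed `ls /bin` command and `"sh"` by `bash`, so those steps can pass without the listing showing the expected entries.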
@@ -0,0 +1,45 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# directory with ~
+send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /etc\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "group"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "passwd"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "resolv.conf"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "X11"
+}
+
+send -- "ls -al /etc\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "shadow" {puts "TESTING ERROR 8\n";exit}
+ "X11"
+}
+
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp
new file mode 100755
index 000000000..a3d60369a
--- /dev/null
+++ b/test/fs/private-whitelist.exp
@@ -0,0 +1,39 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private --whitelist=/tmp/.X11-unix\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /tmp\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ ".X11-unix"
+}
+sleep 1
+
+send -- "ls -a /tmp | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "3"
+}
+sleep 1
+
+send -- "ls -a ~ | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "5"
+}
+
+sleep 1
+puts "\nall done\n"
+
diff --git a/test/fs/private.exp b/test/fs/private.exp
new file mode 100755
index 000000000..01f04d3cb
--- /dev/null
+++ b/test/fs/private.exp
@@ -0,0 +1,100 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+if { $argc != 1 } {
+ puts "TESTING ERROR: argument missing"
+ puts "Usage: private.exp username"
+ puts "where username is the name of the current user"
+ exit
+}
+
+# testing profile and private
+send -- "firejail --private --profile=/etc/firejail/default.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --private --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+
+sleep 1
+send -- "cd ~; ls -al; echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ ".bashrc"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ [lindex $argv 0]
+}
+send -- "ls -al; echo done\r"
+expect {
+ timeout {
+ # OpenSUSE doesn't use .Xauthority from user done directory
+ send -- "env | grep XAUTHORITY\r"
+
+ expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "/run/lightdm/netblue/xauthority"
+ }
+ }
+ ".Xauthority"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ [lindex $argv 0]
+}
+
+
+# testing private only
+send -- "bash\r"
+sleep 1
+# owner /done/netblue
+send -- "ls -l /done;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ [lindex $argv 0]
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ [lindex $argv 0]
+}
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ [lindex $argv 0]
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "done"
+}
+sleep 1
+
+# owner /tmp
+send -- "stat -c %U%a /tmp;echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "root777" {puts "version 1\n";}
+ "root1777" {puts "version 2\n";}
+ "nobody777" {puts "version 3\n";}
+ "nobody1777" {puts "version 4\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "done"
+}
+sleep 1
+
+puts "all done\n"
diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp
new file mode 100755
index 000000000..f44d4fb58
--- /dev/null
+++ b/test/fs/whitelist-empty.exp
@@ -0,0 +1,53 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~/ | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "0"
+}
+
+send -- "ls -l /tmp | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "0"
+}
+
+send -- "ls -l /media | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "0"
+}
+
+send -- "ls -l /var | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "0"
+}
+
+send -- "ls -l /dev | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "0"
+}
+send -- "ls -l /opt | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "0"
+}
+
+
+puts "\nall done\n"
diff --git a/test/fs_dev_shm.exp b/test/fs_dev_shm.exp
deleted file mode 100755
index b54f24eb5..000000000
--- a/test/fs_dev_shm.exp
+++ /dev/null
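Review bot: The "testing private only" step in test/fs/private.exp sends `ls -l /done;echo done` under the comment `# owner /done/netblue`, and an earlier comment reads "user done directory". This looks like a search-and-replace of `home` with `done` that also rewrote the path, so the ownership check of the private home tree now lists a directory that normally does not exist. The three `[lindex $argv 0]` expectations that follow can then only time out or be satisfied by something other than the listing, such as a prompt containing the user name. Restoring `send -- "ls -l /home;echo done\r"` and the two comments would bring the check back. The fallback pattern `"/run/lightdm/netblue/xauthority"` also hard-codes one user name although the script already receives the name as `[lindex $argv 0]`.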
@@ -1,87 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# testing read-write /dev/shm -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "home" -} - -send -- "cat /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "home" -} - -send -- "rm /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} - -send -- "cat /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "mytest" {puts "TESTING ERROR 4.1\n";exit} - "home" -} - -sleep 1 -send -- "exit\r" -sleep 1 - -# redo the test with --private -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "home" -} - -send -- "cat /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 12.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "home" -} - -send -- "rm /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "home" -} - -send -- "cat /dev/shm/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "mytest" {puts "TESTING ERROR 14.1\n";exit} - "home" -} - -sleep 1 - -puts "\n" diff --git a/test/fs_var_lock.exp b/test/fs_var_lock.exp deleted file mode 100755 index dfcf571f4..000000000 --- a/test/fs_var_lock.exp +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# testing read-write /var/lock -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "home" -} - -send -- "cat /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "home" -} - -send -- "rm /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} - -send -- "cat /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "mytest" {puts "TESTING ERROR 4.1\n";exit} - "home" -} - -sleep 1 -send -- "exit\r" -sleep 1 - -# redo the test with --private -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "home" -} - -send -- "cat /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 12.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "home" -} - -send -- "rm /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "home" -} - -send -- "cat /var/lock/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "mytest" {puts "TESTING ERROR 14.1\n";exit} - "home" -} - -sleep 1 - -puts "\n" diff --git a/test/fs_var_tmp.exp b/test/fs_var_tmp.exp deleted file mode 100755 index 95ceeb2a4..000000000 --- a/test/fs_var_tmp.exp +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -# testing read-write /var/tmp -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "home" -} - -send -- "cat /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "home" -} - -send -- "rm /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} - -send -- "cat /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "mytest" {puts "TESTING ERROR 4.1\n";exit} - "home" -} - -sleep 1 -send -- "exit\r" -sleep 1 - -# redo the test with --private -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "echo mytest > /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "home" -} - -send -- "cat /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 12.1\n";exit} - "mytest" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "home" -} - -send -- "rm /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "home" -} - -send -- "cat /var/tmp/ttt;pwd\r" -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "mytest" {puts "TESTING ERROR 14.1\n";exit} - "home" -} - -sleep 1 - -puts "\n" diff --git a/test/invalid_filename.exp b/test/invalid_filename.exp deleted file mode 100755 index fe8bd8c25..000000000 --- a/test/invalid_filename.exp +++ /dev/null 
@@ -1,207 +0,0 @@ -#!/usr/bin/expect -f - -#invalid_filename checks: -# -#--bind (two files) - profile.c - Note: The test is not implemented here, need to be root to test it -#--blacklist - profile.c -#--cgroup - cgroup.c -#--chroot - main.c -#--netfilter - netfilter.c -#--output - output.c -#--private - fs_home.c -#--privte-bin (list) - fs_bin.c -#--private-home (list) - fs_home.c -#--private-etc (list) - fs_etc.c -#--profile - main.c -#--read_only - profile.c -#--shell - main.c -#--tmpfs - profile.c -#--white-list - - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --debug-check-filename --noprofile --blacklist=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --cgroup=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 2.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --chroot=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "Checking filename bla&&bla" {puts "normal system\n"} - "Error: --chroot option is not available on Grsecurity systems" { puts "\nall done\n"; exit} -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 3.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --netfilter=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 4.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 4.3\n";exit} - "is 
an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --output=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 5.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 5.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --private=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --private-bin=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 7.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 7.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 7.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --noprofile --private-etc=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 9.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 9.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 9.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --profile=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 10.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 10.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 10.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename --read-only=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 11.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 11.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 11.3\n";exit} - "is an invalid filename" -} -after 100 - -send -- "firejail --debug-check-filename 
--shell=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 12.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 12.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 12.3\n";exit} - "is an invalid filename" -} -after 100 - - -send -- "firejail --debug-check-filename --whitelist=\"bla&&bla\"\r" -expect { - timeout {puts "TESTING ERROR 14.1\n";exit} - "Checking filename bla&&bla" -} -expect { - timeout {puts "TESTING ERROR 14.2\n";exit} - "Error:" -} -expect { - timeout {puts "TESTING ERROR 14.3\n";exit} - "is an invalid filename" -} -after 100 - - - -puts "\nall done\n" - diff --git a/test/kmsg.exp b/test/kmsg.exp deleted file mode 100755 index 096bdb708..000000000 --- a/test/kmsg.exp +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /dev/kmsg\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Permission denied" -} -sleep 1 - -send -- "cat /proc/kmsg\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Permission denied" -} -sleep 1 - -puts "\nall done\n" - diff --git a/test/option_bind_user.exp b/test/option_bind_user.exp deleted file mode 100755 index 9d2d17d7f..000000000 --- a/test/option_bind_user.exp +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --bind=/tmp/chroot,mntpoint\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "bind option is available only if running as root" -} -sleep 1 - -puts "\n" - diff --git a/test/option_blacklist.exp b/test/option_blacklist.exp deleted file mode 100755 index b80d0cc60..000000000 --- a/test/option_blacklist.exp +++ /dev/null 
@@ -1,35 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --blacklist=/var\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "ls -l /var;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Permission denied"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "home"
-}
-send -- "cd /var;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "Permission denied"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "home"
-}
-sleep 1
-
-puts "\n"
-
diff --git a/test/option_blacklist_file.exp b/test/option_blacklist_file.exp
deleted file mode 100755
index ecdfe3b82..000000000
--- a/test/option_blacklist_file.exp
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --blacklist=/etc/passwd\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "cat /etc/passwd;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Permission denied"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "home"
-}
-sleep 1
-
-puts "\n"
-
diff --git a/test/pid.exp b/test/pid.exp
deleted file mode 100755
index cdeb9d5fb..000000000
--- a/test/pid.exp
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-# test processes
-send -- "bash\r"
-sleep 1
-send -- "ps aux; pwd\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "/bin/bash"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "bash"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "ps aux"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "home"
-}
-sleep 1
-
-
-send -- "ps aux |wc -l; pwd\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "6" {puts "normal system\n"}
- "5" {puts "grsecurity\n"}
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "home"
-}
-sleep 1
-
-puts "\nall done\n"
diff --git a/test/private-bin.exp b/test/private-bin.exp
deleted file mode 100755
index a82d2b213..000000000
--- a/test/private-bin.exp
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --private-bin=bash,ls,sh\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "ls /bin\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "bash"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "ls"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "sh"
-}
-
-send -- "ls /bin\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "ping" {puts "TESTING ERROR 6\n";exit}
- "sh"
-}
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --profile=private-bin.profile\r"
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "ls /bin\r"
-expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "bash"
-}
-expect {
- timeout {puts "TESTING ERROR 9\n";exit}
- "ls"
-}
-expect {
- timeout {puts "TESTING ERROR 10\n";exit}
- "sh"
-}
-
-send -- "ls /bin\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "ping" {puts "TESTING ERROR 6\n";exit}
- "sh"
-}
-send -- "exit\r"
-
-
-
-
-sleep 1
-puts "\nall done\n"
-
diff --git a/test/private-bin.profile b/test/private-bin.profile
deleted file mode 100644
index 24cf5929a..000000000
--- a/test/private-bin.profile
+++ /dev/null
@@ -1 +0,0 @@
-private-bin bash,ls,sh
diff --git a/test/private-etc.exp b/test/private-etc.exp
deleted file mode 100755
index db1d1df3a..000000000
--- a/test/private-etc.exp
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# directory with ~
-send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al /etc\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "group"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "passwd"
-}
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "resolv.conf"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "X11"
-}
-
-send -- "ls -al /etc\r"
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "shadow" {puts "TESTING ERROR 8\n";exit}
- "X11"
-}
-
-sleep 1
-puts "\nall done\n"
-
diff --git a/test/private-whitelist.exp b/test/private-whitelist.exp
deleted file mode 100755
index 7379241ef..000000000
--- a/test/private-whitelist.exp
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --private --whitelist=/tmp/.X11-unix\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "ls -al /tmp\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- ".X11-unix"
-}
-sleep 1
-
-send -- "ls -a /tmp | wc -l\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "3"
-}
-sleep 1
-
-send -- "ls -a ~ | wc -l\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "5"
-}
-
-sleep 1
-puts "\nall done\n"
-
diff --git a/test/private.exp b/test/private.exp
deleted file mode 100755
index 80a921529..000000000
--- a/test/private.exp
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-if { $argc != 1 } {
- puts "TESTING ERROR: argument missing"
- puts "Usage: private.exp username"
- puts "where username is the name of the current user"
- exit
-}
-
-# testing profile and private
-send -- "firejail --private --profile=/etc/firejail/default.profile\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 1
-send -- "exit\r"
-sleep 1
-
-send -- "firejail --private --noprofile\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-
-sleep 1
-send -- "ls -al; pwd\r"
-expect {
- timeout {puts "TESTING ERROR 0.1\n";exit}
- ".bashrc"
-}
-expect {
- timeout {puts "TESTING ERROR 0.2\n";exit}
- [lindex $argv 0]
-}
-send -- "ls -al; pwd\r"
-expect {
- timeout {
- # OpenSUSE doesn't use .Xauthority from user home directory
- send -- "env | grep XAUTHORITY\r"
-
- expect {
- timeout {puts "TESTING ERROR 0.3\n";exit}
- "/run/lightdm/netblue/xauthority"
- }
- }
- ".Xauthority"
-}
-expect {
- timeout {puts "TESTING ERROR 0.4\n";exit}
- [lindex $argv 0]
-}
-
-
-# testing private only
-send -- "bash\r"
-sleep 1
-# owner /home/netblue
-send -- "ls -l /home;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- [lindex $argv 0]
-}
-expect {
- timeout {puts "TESTING ERROR 1.1\n";exit}
- [lindex $argv 0]
-}
-expect {
- timeout {puts "TESTING ERROR 1.2\n";exit}
- [lindex $argv 0]
-}
-expect {
- timeout {puts "TESTING ERROR 1.3\n";exit}
- "home"
-}
-sleep 1
-
-# owner /tmp
-send -- "stat -c %U%a /tmp;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "root777" {puts "version 1\n";}
- "root1777" {puts "version 2\n";}
- "nobody777" {puts "version 3\n";}
- "nobody1777" {puts "version 4\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 2.1\n";exit}
- "home"
-}
-sleep 1
-
-puts "all done\n"
diff --git a/test/quiet.exp b/test/quiet.exp
deleted file mode 100755
index fa46aebf2..000000000
--- a/test/quiet.exp
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 4
-spawn $env(SHELL)
-match_max 100000
-
-# check ip address
-send -- "firejail --net=br0 --quiet\r"
-expect {
- "Child process initialized" {puts "TESTING ERROR 1\n";exit}
- "Interface" {puts "TESTING ERROR 1\n";exit}
-}
-sleep 1
-send -- "\r"
-
-puts "\nall done\n"
-
diff --git a/test/test-nonet.sh b/test/test-nonet.sh
deleted file mode 100755
index 3df8b2d4e..000000000
--- a/test/test-nonet.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/bash
-
-echo "TESTING: version"
-./option_version.exp
-
-echo "TESTING: help"
-./option_help.exp
-
-echo "TESTING: man"
-./option_man.exp
-
-echo "TESTING: list"
-./option_list.exp
-
-echo "TESTING: PID"
-./pid.exp
-
-echo "TESTING: profile no permissions"
-./profile_noperm.exp
-
-echo "TESTING: profile syntax"
-./profile_syntax.exp
-
-echo "TESTING: profile read-only"
-./profile_readonly.exp
-
-echo "TESTING: profile tmpfs"
-./profile_tmpfs.exp
-
-echo "TESTING: private"
-./private.exp `whoami`
-
-echo "TESTING: read/write /var/tmp"
-./fs_var_tmp.exp
-
-echo "TESTING: read/write /var/run"
-./fs_var_run.exp
-
-echo "TESTING: read/write /var/lock"
-./fs_var_lock.exp
-
-echo "TESTING: read/write /dev/shm"
-./fs_dev_shm.exp
-
diff --git a/test/test.sh b/test/test.sh
index 78a6adc43..c4f0afd94 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -7,38 +7,9 @@ ./fscheck.sh - -echo "TESTING: protocol.print (protocol-print.exp)" -./protocol-print.exp - -echo "TESTING: sound (sound.exp)" -./sound.exp - -echo "TESTING: nice (nice.exp)" -./nice.exp - echo "TESTING: tty (tty.exp)" ./tty.exp -echo "TESTING: protocol (protocol.exp)" -./protocol.exp - -echo "TESTING: invalid filename (invalid_filename.exp)" -./invalid_filename.exp - -echo "TESTING: whitelist empty (whitelist-empty.exp)" -./whitelist-empty.exp - -echo "TESTING: private-etc (private-etc.exp)" -./private-etc.exp - -echo "TESTING: private-bin (private-bin.exp)" -./private-bin.exp - -echo "TESTING: private whitelist (private-whitelist.exp)" -echo "TESTING: failing on OpenSUSE" -./private-whitelist.exp - sleep 1 rm -fr dir\ with\ space mkdir dir\ with\ space @@ -56,14 +27,6 @@ rm -fr auto2 rm -fr auto3 rm -fr auto4 -if [ -f /proc/self/uid_map ]; -then - echo "TESTING: noroot (noroot.exp)" - ./noroot.exp -else - echo "TESTING: user namespaces not available" -fi - echo "TESTING: doubledash" mkdir -- -testdir touch -- -testdir/ttt @@ -71,38 +34,12 @@ cp -- /bin/bash -testdir/. ./doubledash.exp rm -fr -- -testdir -echo "TESTING: trace1 (option-trace.exp)" -./option-trace.exp - -echo "TESTING: trace2 (trace.exp)" -rm -f index.html* -./trace.exp -rm -f index.html* - echo "TESTING: extract command (extract_command.exp)" ./extract_command.exp -echo "TESTING: kmsg access (kmsg.exp)" -./kmsg.exp - echo "TESTING: chroot overlay (option_chroot_overlay.exp)" ./option_chroot_overlay.exp -echo "TESTING: blacklist directory (option_blacklist.exp)" -./option_blacklist.exp - -echo "TESTING: blacklist file (opiton_blacklist_file.exp)" -./option_blacklist_file.exp - -echo "TESTING: bind as user (option_bind_user.exp)" -./option_bind_user.exp - -if [ -d /home/bingo ]; -then - echo "TESTING: home sanitize (opiton_version.exp)" - ./option_version.exp -fi - echo "TESTING: chroot as user (fs_chroot.exp)" ./fs_chroot.exp 
@@ -116,15 +53,9 @@ sleep 5 rm -f tmpreadonly -echo "TESTING: PID (pid.exp)" -./pid.exp - echo "TESTING: output (output.exp)" ./output.exp -echo "TESTING: private (private.exp)" -./private.exp `whoami` - echo "TESTING: private directory (private_dir.exp)" rm -fr dirprivate mkdir dirprivate @@ -140,52 +71,9 @@ rm -fr dirprivate echo "TESTING: overlayfs (fs_overlay.exp)" ./fs_overlay.exp -echo "TESTING: seccomp debug (seccomp-debug.exp)" -./seccomp-debug.exp - -echo "TESTING: seccomp errno (seccomp-errno.exp)" -./seccomp-errno.exp - -echo "TESTING: seccomp su (seccomp-su.exp)" -./seccomp-su.exp - -echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)" -./seccomp-ptrace.exp - -echo "TESTING: seccomp chmod - seccomp lists (seccomp-chmod.exp)" -./seccomp-chmod.exp - -echo "TESTING: seccomp chmod profile - seccomp lists (seccomp-chmod-profile.exp)" -./seccomp-chmod-profile.exp - -echo "TESTING: seccomp empty (seccomp-empty.exp)" -./seccomp-empty.exp - -echo "TESTING: seccomp bad empty (seccomp-bad-empty.exp)" -./seccomp-bad-empty.exp - -echo "TESTING: seccomp dual filter (seccomp-dualfilter.exp)" -./seccomp-dualfilter.exp - -echo "TESTING: read/write /var/tmp (fs_var_tmp.exp)" -./fs_var_tmp.exp - -echo "TESTING: read/write /var/lock (fs_var_lock.exp)" -./fs_var_lock.exp - -echo "TESTING: read/write /dev/shm (fs_dev_shm.exp)" -./fs_dev_shm.exp - -echo "TESTING: quiet (quiet.exp)" -./quiet.exp - - echo "TESTING: login SSH (login_ssh.exp)" ./login_ssh.exp -echo "TESTING: ARP (net_arp.exp)" -./net_arp.exp - echo "TESTING: DNS (dns.exp)" ./dns.exp diff --git a/test/whitelist-empty.exp b/test/whitelist-empty.exp deleted file mode 100755 index 226b019db..000000000 --- a/test/whitelist-empty.exp +++ /dev/null 
@@ -1,50 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 30
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 1
-
-send -- "ls -l ~/ | wc -l\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "0"
-}
-
-send -- "ls -l /tmp | wc -l\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "0"
-}
-
-send -- "ls -l /media | wc -l\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "0"
-}
-
-send -- "ls -l /var | wc -l\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "0"
-}
-
-send -- "ls -l /dev | wc -l\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "0"
-}
-send -- "ls -l /opt | wc -l\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "0"
-}
-
-
-puts "\nall done\n"
-- cgit v1.2.3-54-g00ecf