From 3cf75fe9a34c0bb579502b106649a1fc58d39f35 Mon Sep 17 00:00:00 2001 
From: startx2017 Date: Fri, 27 Jul 2018 12:56:41 -0400 Subject: phase 1 --- Makefile.in | 39 +- configure | 24 +- configure.ac | 14 +- contrib/fix_private-bin.py | 157 ---- contrib/fj-mkdeb.py | 74 -- contrib/fjclip.py | 35 - contrib/fjdisplay.py | 43 - contrib/fjresize.py | 25 - contrib/update_deb.sh | 12 - src/faudit/Makefile.in | 14 - src/faudit/caps.c | 78 -- src/faudit/dbus.c | 92 --- src/faudit/dev.c | 47 -- src/faudit/faudit.h | 68 -- src/faudit/files.c | 75 -- src/faudit/main.c | 98 --- src/faudit/network.c | 101 --- src/faudit/pid.c | 99 --- src/faudit/seccomp.c | 101 --- src/faudit/syscall.c | 105 --- src/faudit/x11.c | 63 -- src/fbuilder/Makefile.in | 14 - src/fbuilder/build_bin.c | 126 --- src/fbuilder/build_fs.c | 317 -------- src/fbuilder/build_home.c | 199 ----- src/fbuilder/build_profile.c | 170 ---- src/fbuilder/build_seccomp.c | 192 ----- src/fbuilder/fbuilder.h | 69 -- src/fbuilder/filedb.c | 79 -- src/fbuilder/main.c | 93 --- src/fbuilder/utils.c | 72 -- src/firejail/fs.c | 3 +- src/firejail/fs_bin.c | 309 -------- src/firejail/fs_home.c | 2 + src/firejail/fs_lib.c | 378 --------- src/firejail/fs_lib2.c | 314 -------- src/firejail/main.c | 23 +- src/firejail/profile.c | 8 +- src/firejail/sandbox.c | 13 +- src/firejail/x11.c | 1311 ------------------------------- src/fldd/Makefile.in | 14 - src/fldd/main.c | 353 --------- status | 7 +- test/apps-x11-xorg/apps-x11-xorg.sh | 34 - test/apps-x11-xorg/firefox.exp | 90 --- test/apps-x11-xorg/thunderbird.exp | 85 -- test/apps-x11-xorg/transmission-gtk.exp | 85 -- test/apps-x11/apps-x11.sh | 87 -- test/apps-x11/chromium.exp | 85 -- test/apps-x11/firefox.exp | 90 --- test/apps-x11/thunderbird.exp | 85 -- test/apps-x11/transmission-gtk.exp | 85 -- test/apps-x11/x11-none.exp | 47 -- test/apps-x11/x11-xephyr.exp | 58 -- test/apps-x11/xterm-xephyr.exp | 85 -- test/apps-x11/xterm-xorg.exp | 85 -- test/apps-x11/xterm-xpra.exp | 97 --- test/chroot/chroot.sh | 21 - test/chroot/configure | 46 -- 
test/chroot/fs_chroot.exp | 61 -- test/chroot/unchroot-as-root.exp | 26 - test/chroot/unchroot.c | 40 - test/overlay/firefox-x11-xorg.exp | 89 --- test/overlay/firefox-x11.exp | 89 --- test/overlay/firefox.exp | 98 --- test/overlay/fs-named.exp | 69 -- test/overlay/fs-tmpfs.exp | 67 -- test/overlay/fs.exp | 59 -- test/overlay/overlay.sh | 67 -- test/private-lib/atril.exp | 83 -- test/private-lib/eog.exp | 83 -- test/private-lib/eom.exp | 83 -- test/private-lib/evince.exp | 83 -- test/private-lib/galculator.exp | 83 -- test/private-lib/gedit.exp | 83 -- test/private-lib/gnome-calculator.exp | 85 -- test/private-lib/gpicview.exp | 83 -- test/private-lib/leafpad.exp | 83 -- test/private-lib/mousepad.exp | 83 -- test/private-lib/pluma.exp | 83 -- test/private-lib/private-lib.sh | 20 - test/private-lib/transmission-gtk.exp | 83 -- test/private-lib/xcalc.exp | 83 -- test/utils/audit.exp | 159 ---- test/utils/build.exp | 91 --- test/utils/utils.sh | 12 - 86 files changed, 53 insertions(+), 8570 deletions(-) delete mode 100755 contrib/fix_private-bin.py delete mode 100755 contrib/fj-mkdeb.py delete mode 100755 contrib/fjclip.py delete mode 100755 contrib/fjdisplay.py delete mode 100755 contrib/fjresize.py delete mode 100755 contrib/update_deb.sh delete mode 100644 src/faudit/Makefile.in delete mode 100644 src/faudit/caps.c delete mode 100644 src/faudit/dbus.c delete mode 100644 src/faudit/dev.c delete mode 100644 src/faudit/faudit.h delete mode 100644 src/faudit/files.c delete mode 100644 src/faudit/main.c delete mode 100644 src/faudit/network.c delete mode 100644 src/faudit/pid.c delete mode 100644 src/faudit/seccomp.c delete mode 100644 src/faudit/syscall.c delete mode 100644 src/faudit/x11.c delete mode 100644 src/fbuilder/Makefile.in delete mode 100644 src/fbuilder/build_bin.c delete mode 100644 src/fbuilder/build_fs.c delete mode 100644 src/fbuilder/build_home.c delete mode 100644 src/fbuilder/build_profile.c delete mode 100644 src/fbuilder/build_seccomp.c delete mode 
100644 src/fbuilder/fbuilder.h delete mode 100644 src/fbuilder/filedb.c delete mode 100644 src/fbuilder/main.c delete mode 100644 src/fbuilder/utils.c delete mode 100644 src/firejail/fs_bin.c delete mode 100644 src/firejail/fs_lib.c delete mode 100644 src/firejail/fs_lib2.c delete mode 100644 src/firejail/x11.c delete mode 100644 src/fldd/Makefile.in delete mode 100644 src/fldd/main.c delete mode 100755 test/apps-x11-xorg/apps-x11-xorg.sh delete mode 100755 test/apps-x11-xorg/firefox.exp delete mode 100755 test/apps-x11-xorg/thunderbird.exp delete mode 100755 test/apps-x11-xorg/transmission-gtk.exp delete mode 100755 test/apps-x11/apps-x11.sh delete mode 100755 test/apps-x11/chromium.exp delete mode 100755 test/apps-x11/firefox.exp delete mode 100755 test/apps-x11/thunderbird.exp delete mode 100755 test/apps-x11/transmission-gtk.exp delete mode 100755 test/apps-x11/x11-none.exp delete mode 100755 test/apps-x11/x11-xephyr.exp delete mode 100755 test/apps-x11/xterm-xephyr.exp delete mode 100755 test/apps-x11/xterm-xorg.exp delete mode 100755 test/apps-x11/xterm-xpra.exp delete mode 100755 test/chroot/chroot.sh delete mode 100755 test/chroot/configure delete mode 100755 test/chroot/fs_chroot.exp delete mode 100755 test/chroot/unchroot-as-root.exp delete mode 100644 test/chroot/unchroot.c delete mode 100755 test/overlay/firefox-x11-xorg.exp delete mode 100755 test/overlay/firefox-x11.exp delete mode 100755 test/overlay/firefox.exp delete mode 100755 test/overlay/fs-named.exp delete mode 100755 test/overlay/fs-tmpfs.exp delete mode 100755 test/overlay/fs.exp delete mode 100755 test/overlay/overlay.sh delete mode 100755 test/private-lib/atril.exp delete mode 100755 test/private-lib/eog.exp delete mode 100755 test/private-lib/eom.exp delete mode 100755 test/private-lib/evince.exp delete mode 100755 test/private-lib/galculator.exp delete mode 100755 test/private-lib/gedit.exp delete mode 100755 test/private-lib/gnome-calculator.exp delete mode 100755 
test/private-lib/gpicview.exp delete mode 100755 test/private-lib/leafpad.exp delete mode 100755 test/private-lib/mousepad.exp delete mode 100755 test/private-lib/pluma.exp delete mode 100755 test/private-lib/private-lib.sh delete mode 100755 test/private-lib/transmission-gtk.exp delete mode 100755 test/private-lib/xcalc.exp delete mode 100755 test/utils/audit.exp delete mode 100755 test/utils/build.exp diff --git a/Makefile.in b/Makefile.in index cbcf252df..c09b1cd4c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,6 +1,6 @@ all: apps man filters MYLIBS = src/lib -APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp +APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/fnet src/fseccomp src/fcopy src/libpostexecseccomp MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx @@ -93,12 +93,9 @@ endif install -c -m 0755 src/fshaper/fshaper.sh $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/. ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) install -c -m 0755 src/fsec-print/fsec-print $(DESTDIR)/$(libdir)/firejail/. install -c -m 0755 src/fsec-optimize/fsec-optimize $(DESTDIR)/$(libdir)/firejail/. 
@@ -108,13 +105,6 @@ ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP) install -c -m 0644 seccomp.32 $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 seccomp.block_secondary $(DESTDIR)/$(libdir)/firejail/. install -c -m 0644 seccomp.mdwx $(DESTDIR)/$(libdir)/firejail/. -endif -ifeq ($(HAVE_CONTRIB_INSTALL),yes) - install -c -m 0755 contrib/fix_private-bin.py $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 contrib/fjclip.py $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 contrib/fjdisplay.py $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 contrib/fjresize.py $(DESTDIR)/$(libdir)/firejail/. - install -c -m 0755 contrib/fj-mkdeb.py $(DESTDIR)/$(libdir)/firejail/. endif # documents install -m 0755 -d $(DESTDIR)/$(DOCDIR) @@ -165,15 +155,12 @@ install-strip: all strip src/libtracelog/libtracelog.so strip src/libpostexecseccomp/libpostexecseccomp.so strip src/ftee/ftee - strip src/faudit/faudit strip src/fnet/fnet strip src/fnetfilter/fnetfilter strip src/fseccomp/fseccomp strip src/fsec-print/fsec-print strip src/fsec-optimize/fsec-optimize strip src/fcopy/fcopy - strip src/fldd/fldd - strip src/fbuilder/fbuilder $(MAKE) realinstall uninstall: @@ -190,7 +177,7 @@ uninstall: rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firemon rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg -DISTFILES = "src etc platform contrib configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh COPYING README RELNOTES" +DISTFILES = "src etc platform configure configure.ac dummy.c Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh COPYING README RELNOTES" DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot" dist: 
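Review bot: `DISTFILES_TEST`, the unchanged line directly under the edited `DISTFILES` in the `@@ -190,7 +177,7 @@` hunk, still names `test/apps-x11`, `test/apps-x11-xorg` and `test/chroot`, all of which this commit deletes. The `dist` recipe lies outside the hunk, but if it copies these paths then `make dist` will presumably fail or produce an incomplete tarball, and `deb` and `test-compile` depend on `dist`. Trim the list to directories that still exist: `DISTFILES_TEST = "test/apps test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"`.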
@@ -214,9 +201,6 @@ deb: dist snap: all cd platform/snap; ./snap.sh -install-snap: snap - sudo snap remove faudit; sudo snap install faudit*.snap - test-compile: dist cd test/compile; ./compile.sh $(NAME)-$(VERSION) @@ -242,18 +226,9 @@ scan-build: clean test-profiles: cd test/profiles; ./profiles.sh | grep TESTING -test-private-lib: - cd test/private-lib; ./private-lib.sh | grep TESTING - test-apps: cd test/apps; ./apps.sh | grep TESTING -test-apps-x11: - cd test/apps-x11; ./apps-x11.sh | grep TESTING - -test-apps-x11-xorg: - cd test/apps-x11-xorg; ./apps-x11-xorg.sh | grep TESTING - test-sysutils: cd test/sysutils; ./sysutils.sh | grep TESTING @@ -280,7 +255,7 @@ test-fcopy: test-fnetfilter: cd test/fnetfilter; ./fnetfilter.sh | grep TESTING -test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments +test: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-filters test-arguments echo "TEST COMPLETE" test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments @@ -296,10 +271,6 @@ test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sy test-ssh: cd test/ssh; ./ssh.sh | grep TESTING -# requires root access -test-chroot: - cd test/chroot; ./chroot.sh | grep testing - # Huge appimage files, not included in "make dist" archive test-appimage: cd test/appimage; ./appimage.sh | grep TESTING @@ -317,10 +288,6 @@ test-stress: test-root: cd test/root; su -c ./root.sh | grep TESTING -# OverlayFS is not available on all platforms -test-overlay: - cd test/overlay; ./overlay.sh | grep TESTING - # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" test-all: test-root test-chroot test-network test-appimage test-overlay 
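Review bot: The `test-all` prerequisite line kept as context at the end of the `@@ -317,10 +288,6 @@` hunk still lists `test-chroot` and `test-overlay`, but this commit removes both targets (here and in the `@@ -296,10 +271,6 @@` hunk). `make test-all` will therefore stop with a missing-rule error before running the root and network suites. Change it to `test-all: test-root test-network test-appimage`; the rest of the `test-all` recipe is outside the hunk. Separately, if the chroot and overlay code paths stay in `src/firejail` (the diffstat shows no matching source removal, so this is inferred), they lose their regression tests with this change, and that deserves a line in the commit message.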
diff --git a/configure b/configure index bad17d97d..bc86756ff 100755 --- a/configure +++ b/configure @@ -625,7 +625,6 @@ ac_includes_default="\ ac_subst_vars='LTLIBOBJS LIBOBJS HAVE_SECCOMP_H -HAVE_CONTRIB_INSTALL HAVE_GCOV BUSYBOX_WORKAROUND HAVE_FATAL_WARNINGS @@ -716,7 +715,6 @@ enable_suid enable_fatal_warnings enable_busybox_workaround enable_gcov -enable_contrib_install ' ac_precious_vars='build_alias host_alias @@ -1365,8 +1363,6 @@ Optional Features: --enable-busybox-workaround enable busybox workaround --enable-gcov Gcov instrumentation - --enable-contrib-install - install contrib scripts Some influential environment variables: CC C compiler command @@ -3776,20 +3772,6 @@ if test "x$enable_gcov" = "xyes"; then : fi -HAVE_CONTRIB_INSTALL="yes" -# Check whether --enable-contrib-install was given. -if test "${enable_contrib_install+set}" = set; then : - enableval=$enable_contrib_install; -fi - -if test "x$enable_contrib_install" = "xno"; then : - HAVE_CONTRIB_INSTALL="no" -else - HAVE_CONTRIB_INSTALL="yes" - -fi - - # checking pthread library { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpthread" >&5 $as_echo_n "checking for main in -lpthread... " >&6; } 
@@ -3855,7 +3837,7 @@ if test "$prefix" = /usr; then sysconfdir="/etc" fi -ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" +ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -4575,12 +4557,9 @@ do "src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;; "src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;; "src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;; - "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;; "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;; "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;; - "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;; "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;; - "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; 
@@ -5061,6 +5040,5 @@ echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " Gcov instrumentation: $HAVE_GCOV" -echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" echo " Install as a SUID executable: $HAVE_SUID" echo diff --git a/configure.ac b/configure.ac index ea569eb2f..9dc01bc8f 100644 --- a/configure.ac +++ b/configure.ac @@ -178,15 +178,6 @@ AS_IF([test "x$enable_gcov" = "xyes"], [ AC_SUBST(HAVE_GCOV) ]) -HAVE_CONTRIB_INSTALL="yes" -AC_ARG_ENABLE([contrib-install], - AS_HELP_STRING([--enable-contrib-install], [install contrib scripts])) -AS_IF([test "x$enable_contrib_install" = "xno"], - [HAVE_CONTRIB_INSTALL="no"], - [HAVE_CONTRIB_INSTALL="yes"] -) -AC_SUBST(HAVE_CONTRIB_INSTALL) - # checking pthread library AC_CHECK_LIB([pthread], [main], [], AC_MSG_ERROR([*** POSIX thread support not installed ***])) AC_CHECK_HEADER(pthread.h,,AC_MSG_ERROR([*** POSIX thread support not installed ***])) @@ -199,8 +190,8 @@ if test "$prefix" = /usr; then fi AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ -src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ -src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile) +src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fsec-print/Makefile \ +src/ftee/Makefile src/fseccomp/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile) echo echo "Configuration options:" @@ -225,6 +216,5 @@ echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" echo " EXTRA_CFLAGS: $EXTRA_CFLAGS" echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " Gcov instrumentation: $HAVE_GCOV" -echo " Install contrib scripts: $HAVE_CONTRIB_INSTALL" echo " Install as a SUID executable: $HAVE_SUID" echo 
diff --git a/contrib/fix_private-bin.py b/contrib/fix_private-bin.py
deleted file mode 100755
index 86fd3d16b..000000000
--- a/contrib/fix_private-bin.py
+++ /dev/null
@@ -1,157 +0,0 @@ -#!/usr/bin/python3 - -__author__ = "KOLANICH" -__copyright__ = """This is free and unencumbered software released into the public domain. - -Anyone is free to copy, modify, publish, use, compile, sell, or -distribute this software, either in source code form or as a compiled -binary, for any purpose, commercial or non-commercial, and by any -means. - -In jurisdictions that recognize copyright laws, the author or authors -of this software dedicate any and all copyright interest in the -software to the public domain. We make this dedication for the benefit -of the public at large and to the detriment of our heirs and -successors. We intend this dedication to be an overt act of -relinquishment in perpetuity of all present and future rights to this -software under copyright law. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR -OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -OTHER DEALINGS IN THE SOFTWARE. 
- -For more information, please refer to """ -__license__ = "Unlicense" - -import sys, os, glob, re - -privRx=re.compile("^(?:#\s*)?private-bin") - -def fixSymlinkedBins(files, replMap): - """ - Used to add filenames to private-bin directives of files if the ones present are mentioned in replMap - replMap is a dict where key is the marker filename and value is the filename to add - """ - - rxs=dict() - for (old,new) in replMap.items(): - rxs[old]=re.compile("\\b"+old+"\\b") - rxs[new]=re.compile("\\b"+new+"\\b") - #print(rxs) - - for filename in files: - lines=None - with open(filename,"r") as file: - lines=file.readlines() - - shouldUpdate=False - for (i,line) in enumerate(lines): - if privRx.search(line): - for (old,new) in replMap.items(): - if rxs[old].search(line) and not rxs[new].search(line): - lines[i]=rxs[old].sub(old+","+new, line) - shouldUpdate=True - print(lines[i]) - - if shouldUpdate: - with open(filename,"w") as file: - file.writelines(lines) - pass - -def createSetOfBinaries(files): - """ - Creates a set of binaries mentioned in private-bin directives of files. - """ - s=set() - for filename in files: - lines=None - with open(filename,"r") as file: - for line in file: - if privRx.search(line): - bins=line.split(",") - bins[0]=bins[0].split(" ")[-1] - bins = [n.strip() for n in bins] - s=s|set(bins) - return s - -def createSymlinkTable(binDirs, binariesSet): - """ - creates a dict of symlinked binaries in the system where a key is a symlink name and value is a symlinked binary. 
- binDirs are folders to look into for binaries symlinks - binariesSet is a set of binaries to be checked if they are actually a symlinks - """ - m=dict() - toProcess=binariesSet - while len(toProcess)!=0: - additional=set() - for sh in toProcess: - for bD in binDirs: - p=bD+os.path.sep+sh - if os.path.exists(p): - if os.path.islink(p): - m[sh]=os.readlink(p) - additional.add(m[sh].split(" ")[0]) - else: - pass - break - toProcess=additional - return m - -def doTheFixes(profilesPath, binDirs): - """ - Fixes private-bin in .profiles for firejail. The pipeline is as follows: - discover files -> discover mentioned binaries -> - discover the ones which are symlinks -> - make a look-up table for fix -> - filter the ones can be fixed (we cannot fix the ones which are not in directories for binaries) -> - apply fix - """ - files=glob.glob(profilesPath+os.path.sep+"*.profile") - bins=createSetOfBinaries(files) - #print("The binaries used are:") - #print(bins) - stbl=createSymlinkTable(binDirs,bins) - print("The replacement table is:") - print(stbl) - stbl={a[0]:a[1] for a in stbl.items() if a[0].find(os.path.sep) < 0 and a[1].find(os.path.sep)<0} - print("Filtered replacement table is:") - print(stbl) - fixSymlinkedBins(files,stbl) - -def printHelp(): - print("python3 "+os.path.basename(__file__)+" \nThe default dir is "+defaultProfilesPath+"\n"+doTheFixes.__doc__) - -def main(): - """The main function. 
Parses the commandline args, shows messages and calles the function actually doing the work.""" - print(repr(sys.argv)) - defaultProfilesPath="../etc" - if len(sys.argv)>2 or (len(sys.argv)==2 and (sys.argv[1] == '-h' or sys.argv[1] == '--help') ): - printHelp() - exit(1) - - profilesPath=None - if len(sys.argv)==2: - if os.path.isdir(sys.argv[1]): - profilesPath=os.path.abspath(sys.argv[1]) - else: - if os.path.exists(sys.argv[1]): - print(sys.argv[1]+" is not a dir") - else: - print(sys.argv[1]+" does not exist") - printHelp() - exit(1) - else: - print("Using default profiles dir: " + defaultProfilesPath) - profilesPath=defaultProfilesPath - - binDirs=["/bin","/usr/bin","/usr/sbin","/usr/local/bin","/usr/local/sbin"] - print("Binaries dirs are:") - print(binDirs) - doTheFixes(profilesPath, binDirs) - -if __name__ == "__main__": - main() diff --git a/contrib/fj-mkdeb.py b/contrib/fj-mkdeb.py deleted file mode 100755 index 3cc13b758..000000000 --- a/contrib/fj-mkdeb.py +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/usr/bin/env python3 - -# This script is automate the workaround for https://github.com/netblue30/firejail/issues/772 - -import os, re, shlex, subprocess, sys - -def run(srcdir, args): - if srcdir: os.chdir(srcdir) - - dry_run=False - escaped_args=[] - # We need to modify the list as we go. So be sure to copy the list to be iterated! - for a in args[:]: - if a.startswith('--prefix'): - # prefix should ALWAYS be /usr here. Discard user-set values - args.remove(a) - elif a == '--only-fix-mkdeb': - # for us, not configure - dry_run=True - args.remove(a) - else: - escaped_args.append(shlex.quote(a)) - - # Fix up mkdeb.sh to include custom configure options. - with open('mkdeb.sh', 'rb') as f: - sh=str(f.read(), 'utf_8') - rx=re.compile(r'^\./configure\s.*$', re.M) - with open('mkdeb.sh', 'wb') as f: - f.write(bytes(rx.sub('./configure --prefix=/usr '+(' '.join(escaped_args)), sh), 'utf_8')) - - if dry_run: return 0 - - # now run configure && make - if subprocess.call(['./configure', '--prefix=/usr']+args) == 0: - subprocess.call(['make', 'deb']) - - return 0 - - -if __name__ == '__main__': - if len(sys.argv) == 2 and sys.argv[1] == '--help': - print('''Build a .deb of firejail with custom configure options - -usage: -{script} [--fj-src=SRCDIR] [--only-fix-mkdeb] [CONFIGURE_OPTIONS [...]] - - --fj-src=SRCDIR: manually specify the location of firejail source tree - as SRCDIR. If not specified, looks in the parent directory - of the directory where this script is located, and then the - current working directory, in that order. 
- --only-fix-mkdeb: don't run configure or make after modifying mkdeb.sh - CONFIGURE_OPTIONS: arguments for configure -'''.format(script=sys.argv[0])) - sys.exit(0) - else: - # Find the source directory - srcdir=None - args=sys.argv[1:] - for a in args: - if a.startswith('--fj-src='): - args.remove(a) - srcdir=a[9:] - break - if not(srcdir): - # srcdir not manually specified, try to auto-detect - srcdir=os.path.dirname(os.path.abspath(sys.argv[0]+'/..')) - if not(os.path.isfile(srcdir+'/mkdeb.sh')): - # Script is probably installed. Check the cwd. - if os.path.isfile('./mkdeb.sh'): - srcdir=None - else: - print('Error: Could not find the firejail source tree. Exiting.') - sys.exit(1) - sys.exit(run(srcdir, args)) diff --git a/contrib/fjclip.py b/contrib/fjclip.py deleted file mode 100755 index b45959841..000000000 --- a/contrib/fjclip.py +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/usr/bin/env python - -import re -import sys -import subprocess -import fjdisplay - -usage = """fjclip.py src dest. src or dest can be named firejails or - for stdin or stdout. -firemon --x11 to see available running x11 firejails. firejail names can be shortened -to least ambiguous. for example 'work-libreoffice' can be shortened to 'work' if no -other firejails name starts with 'work'. -warning: browsers are dangerous. clipboards from browsers are dangerous. see -https://github.com/dxa4481/Pastejacking -fjclip.py strips whitespace from both -ends, but does nothing else to protect you. use a simple gui text editor like -gedit if you want to see what your pasting.""" - -if len(sys.argv) != 3 or sys.argv == '-h' or sys.argv == '--help': - print(usage) - exit(1) - -if sys.argv[1] == '-': - clipin_raw = sys.stdin.read() -else: - display = fjdisplay.getdisplay(sys.argv[1]) - clipin_raw = subprocess.check_output(['xsel','-b','--display',display]) - -clipin = clipin_raw.strip() - -if sys.argv[2] == '-': - print(clipin) -else: - display = fjdisplay.getdisplay(sys.argv[2]) - clipout = subprocess.Popen(['xsel','-b','-i','--display',display],stdin=subprocess.PIPE) - clipout.communicate(clipin) diff --git a/contrib/fjdisplay.py b/contrib/fjdisplay.py deleted file mode 100755 index 3f409545f..000000000 --- a/contrib/fjdisplay.py +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/usr/bin/env python - -import re -import sys -import subprocess - -usage = """fjdisplay.py name-of-firejail -returns the display in the form of ':NNN' -""" - -def getfirejails(): - output = subprocess.check_output(['firemon','--x11']) - firejails = {} - name = '' - for line in output.split('\n'): - namematch = re.search('--name=(\w+\S*)',line) - if namematch: - name = namematch.group(1) - displaymatch = re.search('DISPLAY (:\d+)',line) - if displaymatch: - firejails[name] = displaymatch.group(1) - return firejails - -def getdisplay(name): - firejails = getfirejails() - fjlist = '\n'.join(firejails.keys()) - namere = re.compile('^'+name+'.*', re.MULTILINE) - matchingjails = namere.findall(fjlist) - if len(matchingjails) == 1: - return firejails[matchingjails[0]] - if len(matchingjails) == 0: - raise NameError("firejail {} does not exist".format(name)) - else: - raise NameError("ambiguous firejail name") - -if __name__ == '__main__': - if '-h' in sys.argv or '--help' in sys.argv or len(sys.argv) > 2: - print(usage) - exit() - if len(sys.argv) == 1: - print(getfirejails()) - if len(sys.argv) == 2: - print (getdisplay(sys.argv[1])) diff --git a/contrib/fjresize.py b/contrib/fjresize.py deleted file mode 100755 index 3997cf280..000000000 --- a/contrib/fjresize.py +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/usr/bin/env python - -import sys -import fjdisplay -import subprocess - -usage = """usage: fjresize.py firejail-name displaysize -resize firejail xephyr windows. -fjdisplay.py with no other arguments will list running named firejails with displays. -fjresize.py with only a firejail name will list valid resolutions. -names can be shortend as long its unambiguous. -note: you may need to move the xephyr window for the resize to take effect -example: - fjresize.py browser 1280x800 -""" - - -if len(sys.argv) == 2: - out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1])]) - print(out) -elif len(sys.argv) == 3: - out = subprocess.check_output(['xrandr','--display',fjdisplay.getdisplay(sys.argv[1]),'--output','default','--mode',sys.argv[2]]) - print(out) -else: - print(usage) diff --git a/contrib/update_deb.sh b/contrib/update_deb.sh deleted file mode 100755 index fa1b2d692..000000000 --- a/contrib/update_deb.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -# Purpose: Fetch, compile, and install firejail from GitHub source. For -# Debian-based distros only (Ubuntu, Mint, etc). -set -e -git clone --depth=1 https://github.com/netblue30/firejail.git -cd firejail -./configure --prefix=/usr -make deb -sudo dpkg -i firejail*.deb -echo "Firejail was updated!" -cd .. -rm -rf firejail diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in deleted file mode 100644 index 26df0fe51..000000000 --- a/src/faudit/Makefile.in +++ /dev/null @@ -1,14 +0,0 @@ -all: faudit - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -faudit: $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) - -clean:; rm -f *.o faudit *.gcov *.gcda *.gcno - -distclean: clean - rm -fr Makefile diff --git a/src/faudit/caps.c b/src/faudit/caps.c deleted file mode 100644 index 46c262c89..000000000 --- a/src/faudit/caps.c +++ /dev/null 
@@ -1,78 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "faudit.h" -#include - -#define MAXBUF 4098 -static int extract_caps(uint64_t *val) { - FILE *fp = fopen("/proc/self/status", "r"); - if (!fp) - return 1; - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) { - if (strncmp(buf, "CapBnd:\t", 8) == 0) { - char *ptr = buf + 8; - unsigned long long tmp; - sscanf(ptr, "%llx", &tmp); - *val = tmp; - fclose(fp); - return 0; - } - } - - fclose(fp); - return 1; -} - -// return 1 if the capability is in tbe map -static int check_capability(uint64_t map, int cap) { - int i; - uint64_t mask = 1ULL; - - for (i = 0; i < 64; i++, mask <<= 1) { - if ((i == cap) && (mask & map)) - return 1; - } - - return 0; -} - -void caps_test(void) { - uint64_t caps_val; - - if (extract_caps(&caps_val)) { - printf("SKIP: cannot extract capabilities on this platform.\n"); - return; - } - - if (caps_val) { - printf("BAD: the capability map is %llx, it should be all zero. 
", (unsigned long long) caps_val); - printf("Use \"firejail --caps.drop=all\" to fix it.\n"); - - if (check_capability(caps_val, CAP_SYS_ADMIN)) - printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); - if (check_capability(caps_val, CAP_SYS_BOOT)) - printf("UGLY: CAP_SYS_BOOT is enabled.\n"); - } - else - printf("GOOD: all capabilities are disabled.\n"); -} diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c deleted file mode 100644 index cb08b9b0b..000000000 --- a/src/faudit/dbus.c +++ /dev/null 
@@ -1,92 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include
-#include
-
-// return 0 if the connection is possible
-int check_unix(const char *sockfile) {
- assert(sockfile);
- int rv = -1;
-
- // open socket
- int sock = socket(AF_UNIX, SOCK_STREAM, 0);
- if (sock == -1)
- return rv;
-
- // connect
- struct sockaddr_un remote;
- memset(&remote, 0, sizeof(struct sockaddr_un));
- remote.sun_family = AF_UNIX;
- strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path));
- int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
- if (*sockfile == '@')
- remote.sun_path[0] = '\0';
- if (connect(sock, (struct sockaddr *)&remote, len) == 0)
- rv = 0;
-
- close(sock);
- return rv;
-}
-
-void dbus_test(void) {
- // check the session bus
- char *str = getenv("DBUS_SESSION_BUS_ADDRESS");
- if (str) {
- int rv = 0;
- char *bus = strdup(str);
- if (!bus)
- errExit("strdup");
- char *sockfile;
- if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
- sockfile += 13;
- *sockfile = '@';
- char *ptr = strchr(sockfile, ',');
- if (ptr)
- *ptr = '\0';
- rv = check_unix(sockfile);
- *sockfile = '@';
- if (rv == 0)
- printf("MAYBE: D-Bus socket %s is available\n", sockfile);
- else if (rv == -1)
- printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
- }
- else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
- sockfile += 10;
- char *ptr = strchr(sockfile, ',');
- if (ptr)
- *ptr = '\0';
- rv = check_unix(sockfile);
- if (rv == 0)
- printf("MAYBE: D-Bus socket %s is available\n", sockfile);
- else if (rv == -1)
- printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
- }
- else if ((sockfile = strstr(bus, "tcp:host=")) != NULL)
- printf("UGLY: session bus configured for TCP communication.\n");
- else
- printf("GOOD: cannot find a D-Bus socket\n");
-
-
- free(bus);
- }
- else
- printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
-}
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
deleted file mode 100644
index 7bf4b279c..000000000
--- a/src/faudit/dev.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include
-
-void dev_test(void) {
- DIR *dir;
- if (!(dir = opendir("/dev"))) {
- fprintf(stderr, "Error: cannot open /dev directory\n");
- return;
- }
-
- struct dirent *entry;
- printf("INFO: files visible in /dev directory: ");
- int cnt = 0;
- while ((entry = readdir(dir)) != NULL) {
- if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
- continue;
-
- printf("%s, ", entry->d_name);
- cnt++;
- }
- printf("\n");
-
- if (cnt > 20)
- printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
- else
- printf("GOOD: Access to /dev directory is restricted.\n");
- closedir(dir);
-}
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
deleted file mode 100644
index 180121ec1..000000000
--- a/src/faudit/faudit.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-#ifndef FAUDIT_H
-#define FAUDIT_H
-#define _GNU_SOURCE
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define errExit(msg) do { char msgout[500]; sprintf(msgout, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
-
-// main.c
-extern char *prog;
-
-// pid.c
-void pid_test(void);
-
-// caps.c
-void caps_test(void);
-
-// seccomp.c
-void seccomp_test(void);
-
-// syscall.c
-void syscall_helper(int argc, char **argv);
-void syscall_run(const char *name);
-
-// files.c
-void files_test(void);
-
-// network.c
-void network_test(void);
-
-// dbus.c
-int check_unix(const char *sockfile);
-void dbus_test(void);
-
-// dev.c
-void dev_test(void);
-
-// x11.c
-void x11_test(void);
-
-#endif
diff --git a/src/faudit/files.c b/src/faudit/files.c
deleted file mode 100644
index 1ba18f2ab..000000000
--- a/src/faudit/files.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include
-#include
-
-static char *username = NULL;
-static char *homedir = NULL;
-
-static void check_home_file(const char *name) {
- assert(homedir);
-
- char *fname;
- if (asprintf(&fname, "%s/%s", homedir, name) == -1)
- errExit("asprintf");
-
- if (access(fname, R_OK) == 0) {
- printf("UGLY: I can access files in %s directory. ", fname);
- printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
- }
- else
- printf("GOOD: I cannot access files in %s directory.\n", fname);
-
- free(fname);
-}
-
-void files_test(void) {
- struct passwd *pw = getpwuid(getuid());
- if (!pw) {
- fprintf(stderr, "Error: cannot retrieve user account information\n");
- return;
- }
-
- username = strdup(pw->pw_name);
- if (!username)
- errExit("strdup");
- homedir = strdup(pw->pw_dir);
- if (!homedir)
- errExit("strdup");
-
- // check access to .ssh directory
- check_home_file(".ssh");
-
- // check access to .gnupg directory
- check_home_file(".gnupg");
-
- // check access to Firefox browser directory
- check_home_file(".mozilla");
-
- // check access to Chromium browser directory
- check_home_file(".config/chromium");
-
- // check access to Debian Icedove directory
- check_home_file(".icedove");
-
- // check access to Thunderbird directory
- check_home_file(".thunderbird");
-}
diff --git a/src/faudit/main.c b/src/faudit/main.c
deleted file mode 100644
index d73986843..000000000
--- a/src/faudit/main.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-char *prog;
-
-int main(int argc, char **argv) {
- // make test-arguments helper
- if (getenv("FIREJAIL_TEST_ARGUMENTS")) {
- printf("Arguments:\n");
-
- int i;
- for (i = 0; i < argc; i++) {
- printf("#%s#\n", argv[i]);
- }
-
- return 0;
- }
-
-
- if (argc != 1) {
- int i;
-
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "syscall") == 0) {
- syscall_helper(argc, argv);
- return 0;
- }
- }
- return 1;
- }
-
- printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
-
- // extract program name
- prog = realpath(argv[0], NULL);
- if (prog == NULL) {
- prog = strdup("faudit");
- if (!prog)
- errExit("strdup");
- }
- printf("INFO: starting %s.\n", prog);
-
-
- // check pid namespace
- pid_test();
- printf("\n");
-
- // check seccomp
- seccomp_test();
- printf("\n");
-
- // check capabilities
- caps_test();
- printf("\n");
-
- // check some well-known problematic files and directories
- files_test();
- printf("\n");
-
- // network
- network_test();
- printf("\n");
-
- // dbus
- dbus_test();
- printf("\n");
-
- // x11 test
- x11_test();
- printf("\n");
-
- // /dev test
- dev_test();
- printf("\n");
-
-
- free(prog);
- printf("--------------------------------------------------------------------------------\n");
-
- return 0;
-}
diff --git a/src/faudit/network.c b/src/faudit/network.c
deleted file mode 100644
index 54eef2b2a..000000000
--- a/src/faudit/network.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include
-#include
-#include
-#include
-
-static void check_ssh(void) {
- // open socket
- int sock = socket(AF_INET, SOCK_STREAM, 0);
- if (sock == -1) {
- printf("GOOD: SSH server not available on localhost.\n");
- return;
- }
-
- // connect to localhost
- struct sockaddr_in server;
- server.sin_addr.s_addr = inet_addr("127.0.0.1");
- server.sin_family = AF_INET;
- server.sin_port = htons(22);
-
- if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
- printf("GOOD: SSH server not available on localhost.\n");
- else {
- printf("MAYBE: an SSH server is accessible on localhost. ");
- printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
- }
-
- close(sock);
-}
-
-static void check_http(void) {
- // open socket
- int sock = socket(AF_INET, SOCK_STREAM, 0);
- if (sock == -1) {
- printf("GOOD: HTTP server not available on localhost.\n");
- return;
- }
-
- // connect to localhost
- struct sockaddr_in server;
- server.sin_addr.s_addr = inet_addr("127.0.0.1");
- server.sin_family = AF_INET;
- server.sin_port = htons(80);
-
- if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
- printf("GOOD: HTTP server not available on localhost.\n");
- else {
- printf("MAYBE: an HTTP server is accessible on localhost. ");
- printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
- }
-
- close(sock);
-}
-
-void check_netlink(void) {
- int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
- if (sock == -1) {
- printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
- return;
- }
-
- struct sockaddr_nl local;
- memset(&local, 0, sizeof(local));
- local.nl_family = AF_NETLINK;
- local.nl_groups = 0; //subscriptions;
-
- if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
- printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
- close(sock);
- return;
- }
-
- close(sock);
- printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
- printf("You can use \"--protocol\" to disable the socket.\n");
-}
-
-void network_test(void) {
- check_ssh();
- check_http();
- check_netlink();
-}
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
deleted file mode 100644
index 22bb68c1a..000000000
--- a/src/faudit/pid.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-
-void pid_test(void) {
- char *kern_proc[] = {
- "kthreadd",
- "ksoftirqd",
- "kworker",
- "rcu_sched",
- "rcu_bh",
- NULL // NULL terminated list
- };
- int i;
-
- // look at the first 10 processes
- int not_visible = 1;
- for (i = 1; i <= 10; i++) {
- struct stat s;
- char *fname;
- if (asprintf(&fname, "/proc/%d/comm", i) == -1)
- errExit("asprintf");
- if (stat(fname, &s) == -1) {
- free(fname);
- continue;
- }
-
- // open file
- /* coverity[toctou] */
- FILE *fp = fopen(fname, "r");
- if (!fp) {
- free(fname);
- continue;
- }
-
- // read file
- char buf[100];
- if (fgets(buf, 10, fp) == NULL) {
- fclose(fp);
- free(fname);
- continue;
- }
- not_visible = 0;
-
- // clean /n
- char *ptr;
- if ((ptr = strchr(buf, '\n')) != NULL)
- *ptr = '\0';
-
- // check process name against the kernel list
- int j = 0;
- while (kern_proc[j] != NULL) {
- if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
- fclose(fp);
- free(fname);
- printf("BAD: Process %d is not running in a PID namespace. ", getpid());
- printf("Are you sure you're running in a sandbox?\n");
- return;
- }
- j++;
- }
-
- fclose(fp);
- free(fname);
- }
-
- pid_t pid = getpid();
- if (not_visible && pid > 100)
- printf("BAD: Process %d is not running in a PID namespace.\n", pid);
- else
- printf("GOOD: process %d is running in a PID namespace.\n", pid);
-
- // try to guess the type of container/sandbox
- char *str = getenv("container");
- if (str)
- printf("INFO: container/sandbox %s.\n", str);
- else {
- str = getenv("SNAP");
- if (str)
- printf("INFO: this is a snap package\n");
- }
-}
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
deleted file mode 100644
index 85a883618..000000000
--- a/src/faudit/seccomp.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-
-#define MAXBUF 4098
-static int extract_seccomp(int *val) {
- FILE *fp = fopen("/proc/self/status", "r");
- if (!fp)
- return 1;
-
- char buf[MAXBUF];
- while (fgets(buf, MAXBUF, fp)) {
- if (strncmp(buf, "Seccomp:\t", 8) == 0) {
- char *ptr = buf + 8;
- int tmp;
- sscanf(ptr, "%d", &tmp);
- *val = tmp;
- fclose(fp);
- return 0;
- }
- }
-
- fclose(fp);
- return 1;
-}
-
-void seccomp_test(void) {
- int seccomp_status;
- int rv = extract_seccomp(&seccomp_status);
-
- if (rv) {
- printf("INFO: cannot extract seccomp configuration on this platform.\n");
- return;
- }
-
- if (seccomp_status == 0) {
- printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
- }
- else if (seccomp_status == 1)
- printf("GOOD: seccomp strict mode - only read, write, _exit, and sigreturn are allowed.\n");
- else if (seccomp_status == 2) {
- printf("GOOD: seccomp BPF enabled.\n");
-
- printf("checking syscalls: "); fflush(0);
- printf("mount... "); fflush(0);
- syscall_run("mount");
-
- printf("umount2... "); fflush(0);
- syscall_run("umount2");
-
- printf("ptrace... "); fflush(0);
- syscall_run("ptrace");
-
- printf("swapon... "); fflush(0);
- syscall_run("swapon");
-
- printf("swapoff... "); fflush(0);
- syscall_run("swapoff");
-
- printf("init_module... "); fflush(0);
- syscall_run("init_module");
-
- printf("delete_module... "); fflush(0);
- syscall_run("delete_module");
-
- printf("chroot... "); fflush(0);
- syscall_run("chroot");
-
- printf("pivot_root... "); fflush(0);
- syscall_run("pivot_root");
-
-#if defined(__i386__) || defined(__x86_64__)
- printf("iopl... "); fflush(0);
- syscall_run("iopl");
-
- printf("ioperm... "); fflush(0);
- syscall_run("ioperm");
-#endif
- printf("\n");
- }
- else
- fprintf(stderr, "Error: unrecognized seccomp mode\n");
-
-}
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
deleted file mode 100644
index 3650590f3..000000000
--- a/src/faudit/syscall.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include
-#include
-#if defined(__i386__) || defined(__x86_64__)
-#include
-#endif
-#include
-extern int init_module(void *module_image, unsigned long len,
- const char *param_values);
-extern int finit_module(int fd, const char *param_values,
- int flags);
-extern int delete_module(const char *name, int flags);
-extern int pivot_root(const char *new_root, const char *put_old);
-
-void syscall_helper(int argc, char **argv) {
- (void) argc;
-
- if (argc < 3)
- return;
-
- if (strcmp(argv[2], "mount") == 0) {
- int rv = mount(NULL, NULL, NULL, 0, NULL);
- (void) rv;
- printf("\nUGLY: mount syscall permitted.\n");
- }
- else if (strcmp(argv[2], "umount2") == 0) {
- umount2(NULL, 0);
- printf("\nUGLY: umount2 syscall permitted.\n");
- }
- else if (strcmp(argv[2], "ptrace") == 0) {
- ptrace(0, 0, NULL, NULL);
- printf("\nUGLY: ptrace syscall permitted.\n");
- }
- else if (strcmp(argv[2], "swapon") == 0) {
- swapon(NULL, 0);
- printf("\nUGLY: swapon syscall permitted.\n");
- }
- else if (strcmp(argv[2], "swapoff") == 0) {
- swapoff(NULL);
- printf("\nUGLY: swapoff syscall permitted.\n");
- }
- else if (strcmp(argv[2], "init_module") == 0) {
- init_module(NULL, 0, NULL);
- printf("\nUGLY: init_module syscall permitted.\n");
- }
- else if (strcmp(argv[2], "delete_module") == 0) {
- delete_module(NULL, 0);
- printf("\nUGLY: delete_module syscall permitted.\n");
- }
- else if (strcmp(argv[2], "chroot") == 0) {
- int rv = chroot("/blablabla-57281292");
- (void) rv;
- printf("\nUGLY: chroot syscall permitted.\n");
- }
- else if (strcmp(argv[2], "pivot_root") == 0) {
- pivot_root(NULL, NULL);
- printf("\nUGLY: pivot_root syscall permitted.\n");
- }
-#if defined(__i386__) || defined(__x86_64__)
- else if (strcmp(argv[2], "iopl") == 0) {
- iopl(0L);
- printf("\nUGLY: iopl syscall permitted.\n");
- }
- else if (strcmp(argv[2], "ioperm") == 0) {
- ioperm(0, 0, 0);
- printf("\nUGLY: ioperm syscall permitted.\n");
- }
-#endif
- exit(0);
-}
-
-void syscall_run(const char *name) {
- assert(prog);
-
- pid_t child = fork();
- if (child < 0)
- errExit("fork");
- if (child == 0) {
- execl(prog, prog, "syscall", name, NULL);
- perror("execl");
- _exit(1);
- }
-
- // wait for the child to finish
- waitpid(child, NULL, 0);
-}
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
deleted file mode 100644
index bb763b110..000000000
--- a/src/faudit/x11.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include
-#include
-
-
-void x11_test(void) {
- // check regular display 0 sockets
- if (check_unix("/tmp/.X11-unix/X0") == 0)
- printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
-
- if (check_unix("@/tmp/.X11-unix/X0") == 0)
- printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
-
- // check all unix sockets in /tmp/.X11-unix directory
- DIR *dir;
- if (!(dir = opendir("/tmp/.X11-unix"))) {
- // sleep 2 seconds and try again
- sleep(2);
- if (!(dir = opendir("/tmp/.X11-unix"))) {
- ;
- }
- }
-
- if (dir == NULL)
- printf("GOOD: cannot open /tmp/.X11-unix directory\n");
- else {
- struct dirent *entry;
- while ((entry = readdir(dir)) != NULL) {
- if (strcmp(entry->d_name, "X0") == 0)
- continue;
- if (strcmp(entry->d_name, ".") == 0)
- continue;
- if (strcmp(entry->d_name, "..") == 0)
- continue;
- char *name;
- if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
- errExit("asprintf");
- if (check_unix(name) == 0)
- printf("MAYBE: X11 socket %s is available\n", name);
- free(name);
- }
- closedir(dir);
- }
-}
diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in
deleted file mode 100644
index 7a606c872..000000000
--- a/src/fbuilder/Makefile.in
+++ /dev/null
@@ -1,14 +0,0 @@
-all: fbuilder
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
- $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-fbuilder: $(OBJS)
- $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-
-clean:; rm -f *.o fbuilder *.gcov *.gcda *.gcno
-
-distclean: clean
- rm -fr Makefile
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
deleted file mode 100644
index 1230fb780..000000000
--- a/src/fbuilder/build_bin.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "fbuilder.h"
-
-static FileDB *bin_out = NULL;
-
-static void process_bin(const char *fname) {
- assert(fname);
-
- // process trace file
- FILE *fp = fopen(fname, "r");
- if (!fp) {
- fprintf(stderr, "Error: cannot open %s\n", fname);
- exit(1);
- }
-
- char buf[MAX_BUF];
- while (fgets(buf, MAX_BUF, fp)) {
- // remove \n
- char *ptr = strchr(buf, '\n');
- if (ptr)
- *ptr = '\0';
-
- // parse line: 4:galculator:access /etc/fonts/conf.d:0
- // number followed by :
- ptr = buf;
- if (!isdigit(*ptr))
- continue;
- while (isdigit(*ptr))
- ptr++;
- if (*ptr != ':')
- continue;
- ptr++;
-
- // next :
- ptr = strchr(ptr, ':');
- if (!ptr)
- continue;
- ptr++;
- if (strncmp(ptr, "exec ", 5) == 0)
- ptr += 5;
- else
- continue;
- if (strncmp(ptr, "/bin/", 5) == 0)
- ptr += 5;
- else if (strncmp(ptr, "/sbin/", 6) == 0)
- ptr += 6;
- else if (strncmp(ptr, "/usr/bin/", 9) == 0)
- ptr += 9;
- else if (strncmp(ptr, "/usr/sbin/", 10) == 0)
- ptr += 10;
- else if (strncmp(ptr, "/usr/local/bin/", 15) == 0)
- ptr += 15;
- else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0)
- ptr += 16;
- else if (strncmp(ptr, "/usr/games/", 11) == 0)
- ptr += 12;
- else if (strncmp(ptr, "/usr/local/games/", 17) == 0)
- ptr += 17;
- else
- continue;
-
- // end of filename
- char *ptr2 = strchr(ptr, ':');
- if (!ptr2)
- continue;
- *ptr2 = '\0';
-
- // skip strace
- if (strcmp(ptr, "strace") == 0)
- continue;
-
- bin_out = filedb_add(bin_out, ptr);
- }
-
- fclose(fp);
-}
-
-
-// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_bin(const char *fname, FILE *fp) {
- assert(fname);
-
- // run fname
- process_bin(fname);
-
- // run all the rest
- struct stat s;
- int i;
- for (i = 1; i <= 5; i++) {
- char *newname;
- if (asprintf(&newname, "%s.%d", fname, i) == -1)
- errExit("asprintf");
- if (stat(newname, &s) == 0)
- process_bin(newname);
- free(newname);
- }
-
- if (bin_out) {
- fprintf(fp, "private-bin ");
- FileDB *ptr = bin_out;
- while (ptr) {
- fprintf(fp, "%s,", ptr->fname);
- ptr = ptr->next;
- }
- fprintf(fp, "\n");
- fprintf(fp, "# private-lib\n");
- }
-}
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
deleted file mode 100644
index 771dc94cb..000000000
--- a/src/fbuilder/build_fs.c
+++ /dev/null
@@ -1,317 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "fbuilder.h" - -// common file processing function, using the callback for each line in the file -static void process_file(const char *fname, const char *dir, void (*callback)(char *)) { - assert(fname); - assert(dir); - assert(callback); - - int dir_len = strlen(dir); - - // process trace file - FILE *fp = fopen(fname, "r"); - if (!fp) { - fprintf(stderr, "Error: cannot open %s\n", fname); - exit(1); - } - - char buf[MAX_BUF]; - while (fgets(buf, MAX_BUF, fp)) { - // remove \n - char *ptr = strchr(buf, '\n'); - if (ptr) - *ptr = '\0'; - - // parse line: 4:galculator:access /etc/fonts/conf.d:0 - // number followed by : - ptr = buf; - if (!isdigit(*ptr)) - continue; - while (isdigit(*ptr)) - ptr++; - if (*ptr != ':') - continue; - ptr++; - - // next : - ptr = strchr(ptr, ':'); - if (!ptr) - continue; - ptr++; - if (strncmp(ptr, "access ", 7) == 0) - ptr += 7; - else if (strncmp(ptr, "fopen ", 6) == 0) - ptr += 6; - else if (strncmp(ptr, "fopen64 ", 8) == 0) - ptr += 8; - else if (strncmp(ptr, "open64 ", 7) == 0) - ptr += 7; - else if (strncmp(ptr, "open ", 5) == 0) - ptr += 5; - else - continue; - if (strncmp(ptr, dir, 
dir_len) != 0) - continue; - - // end of filename - char *ptr2 = strchr(ptr, ':'); - if (!ptr2) - continue; - *ptr2 = '\0'; - - callback(ptr); - } - - fclose(fp); -} - -// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 -static void process_files(const char *fname, const char *dir, void (*callback)(char *)) { - assert(fname); - assert(dir); - assert(callback); - - // run fname - process_file(fname, dir, callback); - - // run all the rest - struct stat s; - int i; - for (i = 1; i <= 5; i++) { - char *newname; - if (asprintf(&newname, "%s.%d", fname, i) == -1) - errExit("asprintf"); - if (stat(newname, &s) == 0) - process_file(newname, dir, callback); - free(newname); - } -} - -//******************************************* -// etc directory -//******************************************* -static FileDB *etc_out = NULL; - -static void etc_callback(char *ptr) { - // skip firejail directory - if (strncmp(ptr, "/etc/firejail", 13) == 0) - return; - - // add only top files and directories - ptr += 5; // skip "/etc/" - char *end = strchr(ptr, '/'); - if (end) - *end = '\0'; - etc_out = filedb_add(etc_out, ptr); -} - -void build_etc(const char *fname, FILE *fp) { - assert(fname); - - process_files(fname, "/etc", etc_callback); - - fprintf(fp, "private-etc "); - if (etc_out == NULL) - fprintf(fp, "none\n"); - else { - FileDB *ptr = etc_out; - while (ptr) { - fprintf(fp, "%s,", ptr->fname); - ptr = ptr->next; - } - fprintf(fp, "\n"); - } -} - -//******************************************* -// var directory -//******************************************* -static FileDB *var_out = NULL; -static void var_callback(char *ptr) { - if (strcmp(ptr, "/var/lib") == 0) - ; - else if (strcmp(ptr, "/var/cache") == 0) - ; - else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0) - var_out = filedb_add(var_out, "/var/lib/menu-xdg"); - else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0) - var_out = filedb_add(var_out, "/var/cache/fontconfig"); - else - var_out = 
filedb_add(var_out, ptr); -} - -void build_var(const char *fname, FILE *fp) { - assert(fname); - - process_files(fname, "/var", var_callback); - - if (var_out == NULL) - fprintf(fp, "blacklist /var\n"); - else - filedb_print(var_out, "whitelist ", fp); -} - - -//******************************************* -// usr/share directory -//******************************************* -static FileDB *share_out = NULL; -static void share_callback(char *ptr) { - // extract the directory: - assert(strncmp(ptr, "/usr/share", 10) == 0); - char *p1 = ptr + 10; - if (*p1 != '/') - return; - p1++; - if (*p1 == '/') // double '/' - p1++; - if (*p1 == '\0') - return; - - // "/usr/share/bash-completion/bash_completion" becomes "/usr/share/bash-completion" - char *p2 = strchr(p1, '/'); - if (p2) - *p2 = '\0'; - - // store the file - share_out = filedb_add(share_out, ptr); -} - -void build_share(const char *fname, FILE *fp) { - assert(fname); - - process_files(fname, "/usr/share", share_callback); - - if (share_out == NULL) - fprintf(fp, "blacklist /usr/share\n"); - else - filedb_print(share_out, "whitelist ", fp); -} - -//******************************************* -// tmp directory -//******************************************* -static FileDB *tmp_out = NULL; -static void tmp_callback(char *ptr) { - filedb_add(tmp_out, ptr); -} - -void build_tmp(const char *fname, FILE *fp) { - assert(fname); - - process_files(fname, "/tmp", tmp_callback); - - if (tmp_out == NULL) - fprintf(fp, "private-tmp\n"); - else { - fprintf(fp, "\n"); - fprintf(fp, "# private-tmp\n"); - fprintf(fp, "# File accessed in /tmp directory:\n"); - fprintf(fp, "# "); - FileDB *ptr = tmp_out; - while (ptr) { - fprintf(fp, "%s,", ptr->fname); - ptr = ptr->next; - } - printf("\n"); - } -} - -//******************************************* -// dev directory -//******************************************* -static char *dev_skip[] = { - "/dev/zero", - "/dev/null", - "/dev/full", - "/dev/random", - "/dev/urandom", - "/dev/tty", - 
"/dev/snd", - "/dev/dri", - "/dev/pts", - "/dev/nvidia0", - "/dev/nvidia1", - "/dev/nvidia2", - "/dev/nvidia3", - "/dev/nvidia4", - "/dev/nvidia5", - "/dev/nvidia6", - "/dev/nvidia7", - "/dev/nvidia8", - "/dev/nvidia9", - "/dev/nvidiactl", - "/dev/nvidia-modeset", - "/dev/nvidia-uvm", - "/dev/video0", - "/dev/video1", - "/dev/video2", - "/dev/video3", - "/dev/video4", - "/dev/video5", - "/dev/video6", - "/dev/video7", - "/dev/video8", - "/dev/video9", - "/dev/dvb", - "/dev/sr0", - NULL -}; - -static FileDB *dev_out = NULL; -static void dev_callback(char *ptr) { - // skip private-dev devices - int i = 0; - int found = 0; - while (dev_skip[i]) { - if (strcmp(ptr, dev_skip[i]) == 0) { - found = 1; - break; - } - i++; - } - if (!found) - filedb_add(dev_out, ptr); -} - -void build_dev(const char *fname, FILE *fp) { - assert(fname); - - process_files(fname, "/dev", dev_callback); - - if (dev_out == NULL) - fprintf(fp, "private-dev\n"); - else { - fprintf(fp, "\n"); - fprintf(fp, "# private-dev\n"); - fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); - fprintf(fp, "# "); - FileDB *ptr = dev_out; - while (ptr) { - fprintf(fp, "%s,", ptr->fname); - ptr = ptr->next; - } - fprintf(fp, "\n"); - } -} - diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c deleted file mode 100644 index 7470a8d10..000000000 --- a/src/fbuilder/build_home.c +++ /dev/null 
@@ -1,199 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "fbuilder.h" - -static FileDB *db_skip = NULL; -static FileDB *db_out = NULL; - -static void load_whitelist_common(void) { - FILE *fp = fopen("/etc/firejail/whitelist-common.inc", "r"); - if (!fp) { - fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); - exit(1); - } - - char buf[MAX_BUF]; - while (fgets(buf, MAX_BUF, fp)) { - if (strncmp(buf, "whitelist ~/", 12) != 0) - continue; - char *fn = buf + 12; - char *ptr = strchr(buf, '\n'); - if (!ptr) - continue; - *ptr = '\0'; - - // add the file to skip list - db_skip = filedb_add(db_skip, fn); - } - - fclose(fp); -} - -void process_home(const char *fname, char *home, int home_len) { - assert(fname); - assert(home); - assert(home_len); - - // process trace file - FILE *fp = fopen(fname, "r"); - if (!fp) { - fprintf(stderr, "Error: cannot open %s\n", fname); - exit(1); - } - - char buf[MAX_BUF]; - while (fgets(buf, MAX_BUF, fp)) { - // remove \n - char *ptr = strchr(buf, '\n'); - if (ptr) - *ptr = '\0'; - - // parse line: 4:galculator:access /etc/fonts/conf.d:0 - // number followed by : - ptr = buf; - if (!isdigit(*ptr)) - continue; - while (isdigit(*ptr)) - 
ptr++; - if (*ptr != ':') - continue; - ptr++; - - // next : - ptr = strchr(ptr, ':'); - if (!ptr) - continue; - ptr++; - if (strncmp(ptr, "access /home", 12) == 0) - ptr += 7; - else if (strncmp(ptr, "fopen /home", 11) == 0) - ptr += 6; - else if (strncmp(ptr, "fopen64 /home", 13) == 0) - ptr += 8; - else if (strncmp(ptr, "open64 /home", 12) == 0) - ptr += 7; - else if (strncmp(ptr, "open /home", 10) == 0) - ptr += 5; - else - continue; - - // end of filename - char *ptr2 = strchr(ptr, ':'); - if (!ptr2) - continue; - *ptr2 = '\0'; - - // check home directory - if (strncmp(ptr, home, home_len) != 0) - continue; - if (strcmp(ptr, home) == 0) - continue; - ptr += home_len + 1; - - // skip files handled automatically by firejail - if (strcmp(ptr, ".Xauthority") == 0 || - strcmp(ptr, ".Xdefaults-debian") == 0 || - strncmp(ptr, ".config/pulse/", 13) == 0 || - strncmp(ptr, ".pulse/", 7) == 0 || - strncmp(ptr, ".bash_hist", 10) == 0 || - strcmp(ptr, ".bashrc") == 0) - continue; - - - // try to find the relevant directory for this file - char *dir = extract_dir(ptr); - char *toadd = (dir)? 
dir: ptr; - - // skip some dot directories - if (strcmp(toadd, ".config") == 0 || - strcmp(toadd, ".local") == 0 || - strcmp(toadd, ".local/share") == 0 || - strcmp(toadd, ".cache") == 0) { - if (dir) - free(dir); - continue; - } - - // clean .cache entries - if (strncmp(toadd, ".cache/", 7) == 0) { - char *ptr2 = toadd + 7; - ptr2 = strchr(ptr2, '/'); - if (ptr2) - *ptr2 = '\0'; - } - - // skip files and directories in whitelist-common.inc - if (filedb_find(db_skip, toadd)) { - if (dir) - free(dir); - continue; - } - - // add the file to out list - db_out = filedb_add(db_out, toadd); - if (dir) - free(dir); - - } - fclose(fp); -} - - -// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 -void build_home(const char *fname, FILE *fp) { - assert(fname); - - // load whitelist common - load_whitelist_common(); - - // find user home directory - struct passwd *pw = getpwuid(getuid()); - if (!pw) - errExit("getpwuid"); - char *home = pw->pw_dir; - if (!home) - errExit("getpwuid"); - int home_len = strlen(home); - - // run fname - process_home(fname, home, home_len); - - // run all the rest - struct stat s; - int i; - for (i = 1; i <= 5; i++) { - char *newname; - if (asprintf(&newname, "%s.%d", fname, i) == -1) - errExit("asprintf"); - if (stat(newname, &s) == 0) - process_home(newname, home, home_len); - free(newname); - } - - // print the out list if any - if (db_out) { - filedb_print(db_out, "whitelist ~/", fp); - fprintf(fp, "include /etc/firejail/whitelist-common.inc\n"); - } - else - fprintf(fp, "private\n"); - -} \ No newline at end of file diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c deleted file mode 100644 index 125487c41..000000000 --- a/src/fbuilder/build_profile.c +++ /dev/null 
@@ -1,170 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "fbuilder.h" -#include -#include - -#define TRACE_OUTPUT "/tmp/firejail-trace" -#define STRACE_OUTPUT "/tmp/firejail-strace" - -static char *cmdlist[] = { - "/usr/bin/firejail", - "--quiet", - "--output=" TRACE_OUTPUT, - "--noprofile", - "--caps.drop=all", - "--nonewprivs", - "--trace", - "--shell=none", - "/usr/bin/strace", // also used as a marker in build_profile() - "-c", - "-f", - "-o" STRACE_OUTPUT, -}; - -static void clear_tmp_files(void) { - unlink(STRACE_OUTPUT); - unlink(TRACE_OUTPUT); - - // run all the rest - int i; - for (i = 1; i <= 5; i++) { - char *newname; - if (asprintf(&newname, "%s.%d", TRACE_OUTPUT, i) == -1) - errExit("asprintf"); - unlink(newname); - free(newname); - } - -} - -void build_profile(int argc, char **argv, int index, FILE *fp) { - // next index is the application name - if (index >= argc) { - fprintf(stderr, "Error: application name missing\n"); - exit(1); - } - - // clean /tmp files - clear_tmp_files(); - - // detect strace - int have_strace = 0; - if (access("/usr/bin/strace", X_OK) == 0) - have_strace = 1; - - // calculate command length - unsigned len = (int) sizeof(cmdlist) / 
sizeof(char*) + argc - index + 1; - if (arg_debug) - printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index); - char *cmd[len]; - cmd[0] = cmdlist[0]; // explicit assignemnt to clean scan-build error - - // build command - unsigned i = 0; - for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { - // skip strace if not installed - if (have_strace == 0 && strcmp(cmdlist[i], "/usr/bin/strace") == 0) - break; - cmd[i] = cmdlist[i]; - } - - int i2 = index; - for (; i < (len - 1); i++, i2++) - cmd[i] = argv[i2]; - assert(i < len); - cmd[i] = NULL; - - if (arg_debug) { - for (i = 0; i < len; i++) - printf("\t%s\n", cmd[i]); - } - - // fork and execute - pid_t child = fork(); - if (child == -1) - errExit("fork"); - if (child == 0) { - assert(cmd[0]); - int rv = execvp(cmd[0], cmd); - (void) rv; - errExit("execv"); - } - - // wait for all processes to finish - int status; - if (waitpid(child, &status, 0) != child) - errExit("waitpid"); - - if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { - printf("\n\n\n"); - fprintf(fp, "############################################\n"); - fprintf(fp, "# %s profile\n", argv[index]); - fprintf(fp, "############################################\n"); - fprintf(fp, "# Persistent global definitions\n"); - fprintf(fp, "# include /etc/firejail/globals.local\n"); - fprintf(fp, "\n"); - - fprintf(fp, "### basic blacklisting\n"); - fprintf(fp, "include /etc/firejail/disable-common.inc\n"); - fprintf(fp, "# include /etc/firejail/disable-devel.inc\n"); - fprintf(fp, "include /etc/firejail/disable-passwdmgr.inc\n"); - fprintf(fp, "# include /etc/firejail/disable-programs.inc\n"); - fprintf(fp, "\n"); - - fprintf(fp, "### home directory whitelisting\n"); - build_home(TRACE_OUTPUT, fp); - fprintf(fp, "\n"); - - fprintf(fp, "### filesystem\n"); - build_tmp(TRACE_OUTPUT, fp); - build_dev(TRACE_OUTPUT, fp); - build_etc(TRACE_OUTPUT, fp); - build_var(TRACE_OUTPUT, fp); - build_bin(TRACE_OUTPUT, fp); - 
build_share(TRACE_OUTPUT, fp); - fprintf(fp, "\n"); - - fprintf(fp, "### security filters\n"); - fprintf(fp, "caps.drop all\n"); - fprintf(fp, "nonewprivs\n"); - fprintf(fp, "seccomp\n"); - if (have_strace) - build_seccomp(STRACE_OUTPUT, fp); - else { - fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); - fprintf(fp, "# whitelisted seccomp filter.\n"); - } - fprintf(fp, "\n"); - - fprintf(fp, "### network\n"); - build_protocol(TRACE_OUTPUT, fp); - fprintf(fp, "\n"); - - fprintf(fp, "### environment\n"); - fprintf(fp, "shell none\n"); - - } - else { - fprintf(stderr, "Error: cannot run the sandbox\n"); - exit(1); - } -} diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c deleted file mode 100644 index fbc0e06f4..000000000 --- a/src/fbuilder/build_seccomp.c +++ /dev/null 
@@ -1,192 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "fbuilder.h" - -void build_seccomp(const char *fname, FILE *fp) { - assert(fname); - assert(fp); - - FILE *fp2 = fopen(fname, "r"); - if (!fp2) { - fprintf(stderr, "Error: cannot open %s\n", fname); - exit(1); - } - - char buf[MAX_BUF]; - int line = 1; - int position = 0; - int cnt = 0; - while (fgets(buf, MAX_BUF, fp2)) { - // remove \n - char *ptr = strchr(buf, '\n'); - if (ptr) - *ptr = '\0'; - - // first line: - //% time seconds usecs/call calls errors syscall - if (line == 1) { - // extract syscall position - ptr = strstr(buf, "syscall"); - if (*buf != '%' || ptr == NULL) { - // skip this line, it could be garbage from strace - continue; - } - position = (int) (ptr - buf); - } - else if (line == 2) { - if (*buf != '-') { - fprintf(stderr, "Error: invalid strace output\n%s\n", buf); - exit(1); - } - } - else { - // get out on the next "----" line - if (*buf == '-') - break; - - if (line == 3) - fprintf(fp, "# seccomp.keep %s", buf + position); - else - fprintf(fp, ",%s", buf + position); - cnt++; - } - line++; - } - fprintf(fp, "\n"); - fprintf(fp, "# %d syscalls total\n", cnt); - fprintf(fp, "# Probably you will 
need to add more syscalls to seccomp.keep. Look for\n"); - fprintf(fp, "# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n"); - fprintf(fp, "# running your sandbox.\n"); - - fclose(fp2); -} - -//*************************************** -// protocol -//*************************************** -int unix_s = 0; -int inet = 0; -int inet6 = 0; -int netlink = 0; -int packet = 0; -static void process_protocol(const char *fname) { - assert(fname); - - // process trace file - FILE *fp = fopen(fname, "r"); - if (!fp) { - fprintf(stderr, "Error: cannot open %s\n", fname); - exit(1); - } - - char buf[MAX_BUF]; - while (fgets(buf, MAX_BUF, fp)) { - // remove \n - char *ptr = strchr(buf, '\n'); - if (ptr) - *ptr = '\0'; - - // parse line: 4:galculator:access /etc/fonts/conf.d:0 - // number followed by : - ptr = buf; - if (!isdigit(*ptr)) - continue; - while (isdigit(*ptr)) - ptr++; - if (*ptr != ':') - continue; - ptr++; - - // next : - ptr = strchr(ptr, ':'); - if (!ptr) - continue; - ptr++; - if (strncmp(ptr, "socket ", 7) == 0) - ptr += 7; - else - continue; - - if (strncmp(ptr, "AF_LOCAL ", 9) == 0) - unix_s = 1; - else if (strncmp(ptr, "AF_INET ", 8) == 0) - inet = 1; - else if (strncmp(ptr, "AF_INET6 ", 9) == 0) - inet6 = 1; - else if (strncmp(ptr, "AF_NETLINK ", 9) == 0) - netlink = 1; - else if (strncmp(ptr, "AF_PACKET ", 9) == 0) - packet = 1; - } - - fclose(fp); -} - - -// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 -void build_protocol(const char *fname, FILE *fp) { - assert(fname); - - // run fname - process_protocol(fname); - - // run all the rest - struct stat s; - int i; - for (i = 1; i <= 5; i++) { - char *newname; - if (asprintf(&newname, "%s.%d", fname, i) == -1) - errExit("asprintf"); - if (stat(newname, &s) == 0) - process_protocol(newname); - free(newname); - } - - int net = 0; - if (unix_s || inet || inet6 || netlink || packet) { - fprintf(fp, "protocol "); - if (unix_s) - fprintf(fp, "unix,"); - if (inet) { - fprintf(fp, 
"inet,"); - net = 1; - } - if (inet6) { - fprintf(fp, "inet6,"); - net = 1; - } - if (netlink) - fprintf(fp, "netlink,"); - if (packet) { - fprintf(fp, "packet"); - net = 1; - } - fprintf(fp, "\n"); - } - - if (net == 0) - fprintf(fp, "net none\n"); - else { - fprintf(fp, "# net eth0\n"); - fprintf(fp, "netfilter\n"); - } -} - diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h deleted file mode 100644 index 0a0fd42c9..000000000 --- a/src/fbuilder/fbuilder.h +++ /dev/null 
@@ -1,69 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#ifndef FBUILDER_H -#define FBUILDER_H -#include "../include/common.h" -#include -#include -#include -#include - - -#define MAX_BUF 4096 -// main.c -extern int arg_debug; - -// build_profile.c -void build_profile(int argc, char **argv, int index, FILE *fp); - -// build_seccomp.c -void build_seccomp(const char *fname, FILE *fp); -void build_protocol(const char *fname, FILE *fp); - -// build_fs.c -void build_etc(const char *fname, FILE *fp); -void build_var(const char *fname, FILE *fp); -void build_tmp(const char *fname, FILE *fp); -void build_dev(const char *fname, FILE *fp); -void build_share(const char *fname, FILE *fp); - -// build_bin.c -void build_bin(const char *fname, FILE *fp); - -// build_home.c -void build_home(const char *fname, FILE *fp); - -// utils.c -int is_dir(const char *fname); -char *extract_dir(char *fname); - -// filedb.c -typedef struct filedb_t { - struct filedb_t *next; - char *fname; // file name - int len; // length of file name -} FileDB; - -FileDB *filedb_add(FileDB *head, const char *fname); -FileDB *filedb_find(FileDB *head, const char *fname); -void filedb_print(FileDB *head, const char *prefix, FILE 
*fp); - -#endif \ No newline at end of file diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c deleted file mode 100644 index 7af3724e8..000000000 --- a/src/fbuilder/filedb.c +++ /dev/null 
@@ -1,79 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "fbuilder.h" - -FileDB *filedb_find(FileDB *head, const char *fname) { - FileDB *ptr = head; - int found = 0; - int len = strlen(fname); - - while (ptr) { - // exact name - if (strcmp(fname, ptr->fname) == 0) { - found = 1; - break; - } - - // parent directory in the list - if (len > ptr->len && - fname[ptr->len] == '/' && - strncmp(ptr->fname, fname, ptr->len) == 0) { - found = 1; - break; - } - - ptr = ptr->next; - } - - if (found) - return ptr; - - return NULL; -} - -FileDB *filedb_add(FileDB *head, const char *fname) { - assert(fname); - - // don't add it if it is already there or if the parent directory is already in the list - if (filedb_find(head, fname)) - return head; - - // add a new entry - FileDB *entry = malloc(sizeof(FileDB)); - if (!entry) - errExit("malloc"); - memset(entry, 0, sizeof(FileDB)); - entry->fname = strdup(fname); - if (!entry->fname) - errExit("strdup"); - entry->len = strlen(entry->fname); - entry->next = head; - return entry; -}; - -void filedb_print(FileDB *head, const char *prefix, FILE *fp) { - FileDB *ptr = head; - while (ptr) { - fprintf(fp, "%s%s\n", prefix, ptr->fname); - ptr = 
ptr->next; - } -} - diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c deleted file mode 100644 index ef5dee7d9..000000000 --- a/src/fbuilder/main.c +++ /dev/null 
@@ -1,93 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "fbuilder.h" -int arg_debug = 0; - -static void usage(void) { - printf("Firejail profile builder\n"); - printf("Usage: firejail [--debug] --build[=profile-file] program-and-arguments\n"); -} - -int main(int argc, char **argv) { -#if 0 -{ -system("cat /proc/self/status"); -int i; -for (i = 0; i < argc; i++) - printf("*%s* ", argv[i]); -printf("\n"); -} -#endif - - int i; - int prog_index = 0; - FILE *fp = stdout; - int prof_file = 0; - - // parse arguments and extract program index - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") ==0) { - usage(); - return 0; - } - else if (strcmp(argv[i], "--debug") == 0) - arg_debug = 1; - else if (strcmp(argv[i], "--build") == 0) - ; // do nothing, this is passed down from firejail - else if (strncmp(argv[i], "--build=", 8) == 0) { - // this option is only supported for non-root users - if (getuid() == 0) { - fprintf(stderr, "Error fbuild: --build=profile-name is not supported for root user.\n"); - exit(1); - } - - // check file access - fp = fopen(argv[i] + 8, "w"); - if (!fp) { - fprintf(stderr, "Error fbuild: 
cannot open profile file.\n"); - exit(1); - } - prof_file = 1; - // do nothing, this is passed down from firejail - } - else { - if (*argv[i] == '-') { - fprintf(stderr, "Error fbuilder: invalid program\n"); - usage(); - exit(1); - } - prog_index = i; - break; - } - } - - if (prog_index == 0) { - fprintf(stderr, "Error fbuilder: program and arguments required\n"); - usage(); - if (prof_file) - fclose(fp); - exit(1); - } - - build_profile(argc, argv, prog_index, fp); - if (prof_file) - fclose(fp); - return 0; -} diff --git a/src/fbuilder/utils.c b/src/fbuilder/utils.c deleted file mode 100644 index 1d490b07e..000000000 --- a/src/fbuilder/utils.c +++ /dev/null 
@@ -1,72 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "fbuilder.h" - -// todo: duplicated from src/firejail/util.c - remove dplication -// return 1 if the file is a directory -int is_dir(const char *fname) { - assert(fname); - if (*fname == '\0') - return 0; - - // if fname doesn't end in '/', add one - int rv; - struct stat s; - if (fname[strlen(fname) - 1] == '/') - rv = stat(fname, &s); - else { - char *tmp; - if (asprintf(&tmp, "%s/", fname) == -1) { - fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); - errExit("asprintf"); - } - rv = stat(tmp, &s); - free(tmp); - } - - if (rv == -1) - return 0; - - if (S_ISDIR(s.st_mode)) - return 1; - - return 0; -} - -// return NULL if fname is already a directory, or if no directory found -char *extract_dir(char *fname) { - assert(fname); - if (is_dir(fname)) - return NULL; - - char *name = strdup(fname); - if (!name) - errExit("strdup"); - - char *ptr = strrchr(name, '/'); - if (!ptr) { - free(name); - return NULL; - } - *ptr = '\0'; - - return name; -} diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 24ff553d7..ba2f8e284 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -740,7 +740,7 @@ void fs_basic_fs(void) {
 }
-
+#ifndef LTS
 #ifdef HAVE_OVERLAYFS
 char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
 struct stat s;
@@ -1292,6 +1292,7 @@ void fs_chroot(const char *rootdir) {
 disable_config();
 }
 #endif
+#endif // LTS
 // this function is called from sandbox.c before blacklist/whitelist functions
 void fs_private_tmp(void) {
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
deleted file mode 100644
index 5625ed356..000000000
--- a/src/firejail/fs_bin.c
+++ /dev/null
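Review bot: The `#ifndef LTS` added in the first fs.c hunk, and closed by `#endif // LTS` in the hunk at line 1292, compiles out everything between them. Judging by the hunk context that includes `fs_check_overlay_dir` and `fs_chroot`, yet nothing here shows what an LTS build does when a command line or profile still asks for an overlay or a chroot. The call sites in main.c, profile.c and sandbox.c are outside this part of the patch; they should reject those options with an error and exit rather than accept and ignore them, so that a sandbox never starts with less filesystem isolation than was requested. I would also say on the opening guard what it excludes, e.g. `#ifndef LTS // overlayfs and chroot support are not built in LTS`, and label the inner `#endif` with the macro it closes. The bodies of both functions lie outside the hunks.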
@@ -1,309 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "firejail.h" -#include -#include -#include -#include -#include -#include - -static int prog_cnt = 0; - -static char *paths[] = { - "/usr/local/bin", - "/usr/bin", - "/bin", - "/usr/games", - "/usr/local/games", - "/usr/local/sbin", - "/usr/sbin", - "/sbin", - NULL -}; - -// return 1 if found, 0 if not found -static char *check_dir_or_file(const char *name) { - assert(name); - struct stat s; - char *fname = NULL; - - int i = 0; - while (paths[i]) { - // private-bin-no-local can be disabled in /etc/firejail/firejail.config - if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) { - i++; - continue; - } - - // check file - if (asprintf(&fname, "%s/%s", paths[i], name) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Checking %s/%s\n", paths[i], name); - if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories - // check symlink to firejail executable in /usr/local/bin - if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { - /* coverity[toctou] */ - char *actual_path = realpath(fname, NULL); - if (actual_path) { - char *ptr = strstr(actual_path, "/firejail"); - if (ptr 
&& strlen(ptr) == strlen("/firejail")) { - if (arg_debug) - printf("firejail exec symlink detected\n"); - free(actual_path); - free(fname); - fname = NULL; - i++; - continue; - } - free(actual_path); - } - - } - break; // file found - } - - free(fname); - fname = NULL; - i++; - } - - if (!fname) { - if (arg_debug) - fwarning("file %s not found\n", name); - return NULL; - } - - free(fname); - return paths[i]; -} - -// return 1 if the file is in paths[] -static int valid_full_path_file(const char *name) { - assert(name); - - if (*name != '/') - return 0; - if (strstr(name, "..")) - return 0; - - // do we have a file? - struct stat s; - if (stat(name, &s) == -1) - return 0; - // directories not allowed - if (S_ISDIR(s.st_mode)) - return 0; - // checking access - if (access(name, X_OK) == -1) - return 0; - - // check standard paths - int i = 0; - while (paths[i]) { - // private-bin-no-local can be disabled in /etc/firejail/firejail.config - if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) { - i++; - continue; - } - - int len = strlen(paths[i]); - if (strncmp(name, paths[i], len) == 0 && name[len] == '/' && name[len + 1] != '\0') - return 1; - i++; - } - if (arg_debug) - printf("file %s not found\n", name); - return 0; -} - -static void report_duplication(const char *fname) { - // report the file on all bin paths - int i = 0; - while (paths[i]) { - char *p; - if (asprintf(&p, "%s/%s", paths[i], fname) == -1) - errExit("asprintf"); - fs_logger2("clone", p); - free(p); - i++; - } -} - -static void duplicate(char *fname) { - assert(fname); - - if (*fname == '~' || strstr(fname, "..")) { - fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); - exit(1); - } - invalid_filename(fname, 0); // no globbing - - char *full_path; - if (*fname == '/') { - // If the absolute filename is indicated, directly use it. 
This - // is required for the following cases: - // - if user's $PATH order is not the same as the above - // paths[] variable order - if (!valid_full_path_file(fname)) { - fwarning("invalid private-bin path %s\n", fname); - return; - } - - full_path = strdup(fname); - if (!full_path) - errExit("strdup"); - } - else { - // Find the standard directory (by looping through paths[]) - // where the filename fname is located - char *path = check_dir_or_file(fname); - if (!path) - return; - if (asprintf(&full_path, "%s/%s", path, fname) == -1) - errExit("asprintf"); - } - - // add to private-lib list - if (cfg.bin_private_lib == NULL) { - if (asprintf(&cfg.bin_private_lib, "%s,%s",fname, full_path) == -1) - errExit("asprinf"); - } - else { - char *tmp; - if (asprintf(&tmp, "%s,%s,%s", cfg.bin_private_lib, fname, full_path) == -1) - errExit("asprinf"); - free(cfg.bin_private_lib); - cfg.bin_private_lib = tmp; - } - - // if full_path is symlink, and the link is in our path, copy both the file and the symlink - if (is_link(full_path)) { - char *actual_path = realpath(full_path, NULL); - if (actual_path) { - if (valid_full_path_file(actual_path)) { - // solving problems such as /bin/sh -> /bin/dash - // copy the real file pointed by symlink - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR); - prog_cnt++; - char *f = strrchr(actual_path, '/'); - if (f && *(++f) !='\0') - report_duplication(f); - } - free(actual_path); - } - } - - // copy a file or a symlink - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); - prog_cnt++; - free(full_path); - report_duplication(fname); -} - -static void globbing(char *fname) { - assert(fname); - - // go directly to duplicate() if no globbing char is present - see man 7 glob - if (strrchr(fname, '*') == NULL && - strrchr(fname, '[') == NULL && - strrchr(fname, '?') == NULL) - return duplicate(fname); - - // loop through paths[] - int i = 0; - while (paths[i]) { - // private-bin-no-local can be 
disabled in /etc/firejail/firejail.config - if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) { - i++; - continue; - } - - // check file - char *pattern; - if (asprintf(&pattern, "%s/%s", paths[i], fname) == -1) - errExit("asprintf"); - - // globbing - glob_t globbuf; - int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf); - if (globerr) { - fprintf(stderr, "Error: failed to glob private-bin pattern %s\n", pattern); - exit(1); - } - - size_t j; - for (j = 0; j < globbuf.gl_pathc; j++) { - assert(globbuf.gl_pathv[j]); - // testing for GLOB_NOCHECK - no pattern matched returns the original pattern - if (strcmp(globbuf.gl_pathv[j], pattern) == 0) - continue; - - duplicate(globbuf.gl_pathv[j]); - } - - globfree(&globbuf); - free(pattern); - i++; - } -} - -void fs_private_bin_list(void) { - char *private_list = cfg.bin_private_keep; - assert(private_list); - - // start timetrace - timetrace_start(); - - // create /run/firejail/mnt/bin directory - mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); - - if (arg_debug) - printf("Copying files in the new bin directory\n"); - - // copy the list of files in the new home directory - char *dlist = strdup(private_list); - if (!dlist) - errExit("strdup"); - - char *ptr = strtok(dlist, ","); - globbing(ptr); - while ((ptr = strtok(NULL, ",")) != NULL) - globbing(ptr); - free(dlist); - fs_logger_print(); - - // mount-bind - int i = 0; - while (paths[i]) { - struct stat s; - if (stat(paths[i], &s) == 0) { - if (arg_debug) - printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); - if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", paths[i]); - fs_logger2("mount", paths[i]); - } - i++; - } - fmessage("%d %s installed in %0.2f ms\n", prog_cnt, (prog_cnt == 1)? "program": "programs", timetrace_end()); -} diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 3afa3bf0c..f8e7e6e74 100644 --- a/src/firejail/fs_home.c 
+++ b/src/firejail/fs_home.c @@ -364,6 +364,7 @@ void fs_check_private_dir(void) { } } +#ifndef LTS //*********************************************************************************** // --private-home //*********************************************************************************** @@ -531,3 +532,4 @@ void fs_private_home_list(void) { fprintf(stderr, "Home directory installed in %0.2f ms\n", timetrace_end()); } +#endif //LTS \ No newline at end of file diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c deleted file mode 100644 index 77c9a0cf5..000000000 --- a/src/firejail/fs_lib.c +++ /dev/null 
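Review bot: The added `#endif //LTS` becomes the last line of fs_home.c, and the diff marks it `\ No newline at end of file`. A source file that does not end in a newline draws a warning from some compilers in pedantic mode and makes the next change to this line show up as a spurious modification. End the file with a newline after `#endif //LTS`.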
@@ -1,378 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ -#include "firejail.h" -#include "../include/ldd_utils.h" -#include -#include -#include -#include -#include -#include -#define MAXBUF 4096 - -extern void fslib_install_stdc(void); -extern void fslib_install_system(void); - -static int lib_cnt = 0; -static int dir_cnt = 0; - -static void report_duplication(const char *full_path) { - char *fname = strrchr(full_path, '/'); - if (fname && *(++fname) != '\0') { - // report the file on all bin paths - int i = 0; - while (default_lib_paths[i]) { - char *p; - if (asprintf(&p, "%s/%s", default_lib_paths[i], fname) == -1) - errExit("asprintf"); - fs_logger2("clone", p); - free(p); - i++; - } - } -} - -static char *build_dest_dir(const char *full_path) { - assert(full_path); - if (strstr(full_path, "/x86_64-linux-gnu/")) - return RUN_LIB_DIR "/x86_64-linux-gnu"; - return RUN_LIB_DIR; -} - -// copy fname in private_run_dir -void fslib_duplicate(const char *full_path) { - assert(full_path); - - struct stat s; - if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK)) - return; - - char *dest_dir = build_dest_dir(full_path); - - // don't copy it if the file is already there - 
char *ptr = strrchr(full_path, '/'); - if (!ptr) - return; - ptr++; - if (*ptr == '\0') - return; - - char *name; - if (asprintf(&name, "%s/%s", dest_dir, ptr) == -1) - errExit("asprintf"); - if (stat(name, &s) == 0) { - free(name); - return; - } - free(name); - - if (arg_debug || arg_debug_private_lib) - printf(" copying %s to private %s\n", full_path, dest_dir); - - sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir); - report_duplication(full_path); - lib_cnt++; -} - - -// requires full path for lib -// it could be a library or an executable -// lib is not copied, only libraries used by it -void fslib_copy_libs(const char *full_path) { - assert(full_path); - if (arg_debug || arg_debug_private_lib) - printf(" fslib_copy_libs %s\n", full_path); - - // if library/executable does not exist or the user does not have read access to it - // print a warning and exit the function. - if (access(full_path, R_OK)) { - if (arg_debug || arg_debug_private_lib) - printf("cannot find %s for private-lib, skipping...\n", full_path); - return; - } - - // create an empty RUN_LIB_FILE and allow the user to write to it - unlink(RUN_LIB_FILE); // in case is there - create_empty_file_as_root(RUN_LIB_FILE, 0644); - if (chown(RUN_LIB_FILE, getuid(), getgid())) - errExit("chown"); - - // run fldd to extact the list of files - if (arg_debug || arg_debug_private_lib) - printf(" running fldd %s\n", full_path); - sbox_run(SBOX_USER | SBOX_SECCOMP | SBOX_CAPS_NONE, 3, PATH_FLDD, full_path, RUN_LIB_FILE); - - // open the list of libraries and install them on by one - FILE *fp = fopen(RUN_LIB_FILE, "r"); - if (!fp) - errExit("fopen"); - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp)) { - // remove \n - char *ptr = strchr(buf, '\n'); - if (ptr) - *ptr = '\0'; - fslib_duplicate(buf); - } - fclose(fp); -} - - -void fslib_copy_dir(const char *full_path) { - assert(full_path); - if (arg_debug || arg_debug_private_lib) - printf(" fslib_copy_dir %s\n", full_path); 
- - // do nothing if the directory does not exist or is not owned by root - struct stat s; - if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK)) - return; - - char *dir_name = strrchr(full_path, '/'); - assert(dir_name); - dir_name++; - assert(*dir_name != '\0'); - - // do nothing if the directory is already there - char *dest; - if (asprintf(&dest, "%s/%s", build_dest_dir(full_path), dir_name) == -1) - errExit("asprintf"); - if (stat(dest, &s) == 0) { - free(dest); - return; - } - - // create new directory and mount the original on top of it - mkdir_attr(dest, 0755, 0, 0); - - if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("clone", full_path); - fs_logger2("mount", full_path); - dir_cnt++; - free(dest); -} - -// fname should be a vallid full path at this point -static void load_library(const char *fname) { - assert(fname); - assert(*fname == '/'); - - // existing file owned by root, read access - struct stat s; - if (stat(fname, &s) == 0 && s.st_uid == 0 && !access(fname, R_OK)) { - // load directories, regular 64 bit libraries, and 64 bit executables - if (is_dir(fname) || is_lib_64(fname)) { - if (is_dir(fname)) - fslib_copy_dir(fname); - else { - if (strstr(fname, ".so") || - access(fname, X_OK) != 0) // don't duplicate executables, just install the libraries - fslib_duplicate(fname); - - fslib_copy_libs(fname); - } - } - } -} - -static void install_list_entry(const char *lib) { - // filename check - int len = strlen(lib); - if (strcspn(lib, "\\&!?\"'<>%^(){}[];,") != (size_t)len || - strstr(lib, "..")) { - fprintf(stderr, "Error: \"%s\" is an invalid library\n", lib); - exit(1); - } - - // if this is a full path, use it as is - if (*lib == '/') - return load_library(lib); - - - // find the library - int i; - for (i = 0; default_lib_paths[i]; i++) { - char *fname = NULL; - if 
(asprintf(&fname, "%s/%s", default_lib_paths[i], lib) == -1) - errExit("asprintf"); - -#define DO_GLOBBING -#ifdef DO_GLOBBING - // globbing - glob_t globbuf; - int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf); - if (globerr) { - fprintf(stderr, "Error: failed to glob private-lib pattern %s\n", fname); - exit(1); - } - size_t j; - for (j = 0; j < globbuf.gl_pathc; j++) { - assert(globbuf.gl_pathv[j]); -//printf("glob %s\n", globbuf.gl_pathv[j]); - // GLOB_NOCHECK - no pattern matched returns the original pattern; try to load it anyway - load_library(globbuf.gl_pathv[j]); - } - - globfree(&globbuf); -#else - load_library(fname); -#endif - free(fname); - } - -// fwarning("%s library not found, skipping...\n", lib); - return; -} - - -void fslib_install_list(const char *lib_list) { - assert(lib_list); - if (arg_debug || arg_debug_private_lib) - printf(" fslib_install_list %s\n", lib_list); - - char *dlist = strdup(lib_list); - if (!dlist) - errExit("strdup"); - - char *ptr = strtok(dlist, ","); - install_list_entry(ptr); - - while ((ptr = strtok(NULL, ",")) != NULL) - install_list_entry(ptr); - free(dlist); - fs_logger_print(); -} - - - -static void mount_directories(void) { - if (arg_debug || arg_debug_private_lib) - printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR); - - if (is_dir("/lib")) { - if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", "/lib"); - fs_logger("mount /lib"); - } - - if (is_dir("/lib64")) { - if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", "/lib64"); - fs_logger("mount /lib64"); - } - - if (is_dir("/usr/lib")) { - if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || - mount(NULL, 
"/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("tmpfs", "/usr/lib"); - fs_logger("mount /usr/lib"); - } - - // for amd64 only - we'll deal with i386 later - if (is_dir("/lib32")) { - if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable file"); - fs_logger("blacklist-nolog /lib32"); - } - if (is_dir("/libx32")) { - if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable file"); - fs_logger("blacklist-nolog /libx32"); - } -} - -void fs_private_lib(void) { -#ifndef __x86_64__ - fwarning("private-lib feature is currently available only on amd64 platforms\n"); - return; -#endif - char *private_list = cfg.lib_private_keep; - if (arg_debug || arg_debug_private_lib) - printf("Starting private-lib processing: program %s, shell %s\n", - (cfg.original_program_index > 0)? cfg.original_argv[cfg.original_program_index]: "none", - (arg_shell_none)? "none": cfg.shell); - - // create /run/firejail/mnt/lib directory - mkdir_attr(RUN_LIB_DIR, 0755, 0, 0); - - // install standard C libraries - if (arg_debug || arg_debug_private_lib) - printf("Installing standard C library\n"); - fslib_install_stdc(); - - // start timetrace - timetrace_start(); - - // copy the libs in the new lib directory for the main exe - if (cfg.original_program_index > 0) { - if (arg_debug || arg_debug_private_lib) - printf("Installing sandboxed program libraries\n"); - fslib_install_list(cfg.original_argv[cfg.original_program_index]); - } - - // for the shell - if (!arg_shell_none) { - if (arg_debug || arg_debug_private_lib) - printf("Installing shell libraries\n"); - - fslib_install_list(cfg.shell); - // a shell is useless without some basic commands - fslib_install_list("/bin/ls,/bin/cat,/bin/mv,/bin/rm"); - - } - - // for the listed libs and directories - if (private_list && *private_list != '\0') { - if (arg_debug || arg_debug_private_lib) - printf("Processing private-lib 
files\n"); - fslib_install_list(private_list); - } - - // for private-bin files - if (arg_private_bin && cfg.bin_private_lib && *cfg.bin_private_lib != '\0') { - if (arg_debug || arg_debug_private_lib) - printf("Processing private-bin files\n"); - fslib_install_list(cfg.bin_private_lib); - } - fmessage("Program libraries installed in %0.2f ms\n", timetrace_end()); - - // install the reset of the system libraries - if (arg_debug || arg_debug_private_lib) - printf("Installing system libraries\n"); - fslib_install_system(); - - // bring in firejail directory for --trace and seccomp post exec - // bring in firejail executable libraries in case we are redirected here by a firejail symlink from /usr/local/bin/firejail - fslib_install_list("/usr/bin/firejail,firejail"); // todo: use the installed path for the executable - - fmessage("Installed %d %s and %d %s\n", lib_cnt, (lib_cnt == 1)? "library": "libraries", - dir_cnt, (dir_cnt == 1)? "directory": "directories"); - - // mount lib filesystem - mount_directories(); -} diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c deleted file mode 100644 index ea5edfabe..000000000 --- a/src/firejail/fs_lib2.c +++ /dev/null 
@@ -1,314 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ -#include "firejail.h" -#include -#include - -extern void fslib_duplicate(const char *full_path); -extern void fslib_copy_libs(const char *full_path); -extern void fslib_copy_dir(const char *full_path); - -//*************************************************************** -// Standard C library -//*************************************************************** -// standard libc libraries based on Debian's libc6 package -// selinux seems to be linked in most command line utilities -// locale (/usr/lib/locale) - without it, the program will default to "C" locale -typedef struct liblist_t { - const char *name; - int len; -} LibList; - -static LibList libc_list[] = { - { "libselinux.so.", 0 }, - { "ld-linux-x86-64.so.", 0 }, - { "libanl.so.", 0 }, - { "libc.so.", 0 }, - { "libcidn.so.", 0 }, - { "libcrypt.so.", 0 }, - { "libdl.so.", 0 }, - { "libm.so.", 0 }, - { "libmemusage.so", 0 }, - { "libmvec.so.", 0 }, - { "libnsl.so.", 0 }, - { "libnss_compat.so.", 0 }, - { "libnss_dns.so.", 0 }, - { "libnss_files.so.", 0 }, - { "libnss_hesiod.so.", 0 }, - { "libnss_nisplus.so.", 0 }, - { "libnss_nis.so.", 0 }, - { "libpthread.so.", 0 }, - { 
"libresolv.so.", 0 }, - { "librt.so.", 0 }, - { "libthread_db.so.", 0 }, - { "libutil.so.", 0 }, - { NULL, 0} -}; - -static int find_libc_list(const char *name) { - assert(name); - - int i = 0; - while (libc_list[i].name) { - if (libc_list[i].len == 0) - libc_list[i].len = strlen(libc_list[i].name); - if (strncmp(name, libc_list[i].name, libc_list[i].len) == 0) - return 1; - i++; - } - return 0; -} - -// compare the files in dirname against liblist above -static void stdc(const char *dirname) { - assert(dirname); - - DIR *dir = opendir(dirname); - if (dir) { - struct dirent *entry; - while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, ".") == 0) - continue; - if (strcmp(entry->d_name, "..") == 0) - continue; - - if (find_libc_list(entry->d_name)) { - char *fname; - if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) - errExit("asprintf"); - - fslib_duplicate(fname); - } - } - closedir(dir); - } -} - -void fslib_install_stdc(void) { - // install standard C libraries - struct stat s; - char *stdclib = "/lib64"; // CentOS, Fedora, Arch - - if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends - mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); - stdclib = "/lib/x86_64-linux-gnu"; - } - - timetrace_start(); - stdc(stdclib); - - // install locale - if (stat("/usr/lib/locale", &s) == 0) - fslib_copy_dir("/usr/lib/locale"); - - fmessage("Standard C library installed in %0.2f ms\n", timetrace_end()); -} - - -//*************************************************************** -// various system libraries -//*************************************************************** - -// look for library in the new filesystem, and install one or two more directories, dir1 and dir2 -typedef struct syslib_t { - const char *library; // look in the system for this library - int len; // length of library string, 0 by default - int found; // library found, 0 by default - const char *dir1; // directory to install - const char *dir2; // directory to 
install - const char *message; // message to print on the screen -} SysLib; - -SysLib syslibs[] = { -#if 0 - { - "", // library - 0, 0, // len and found flag - "", // dir1 - "", // dir2 - "" // message - }, -#endif - { // pixmaps - libraries used by GTK to display application menu icons - "libgdk_pixbuf-2.0", // library - 0, 0, // len and found flag - "gdk-pixbuf-2.0", // dir1 - "", // dir2 - "GdkPixbuf" // message - }, - { // GTK2 - "libgtk-x11-2.0", // library - 0, 0, // len and found flag - "gtk-2.0", // dir1 - "libgtk2.0-0", // dir2 - "GTK2" // message - }, - { // GTK3 - "libgtk-3", // library - 0, 0, // len and found flag - "gtk-3.0", // dir1 - "libgtk-3-0", // dir2 - "GTK3" // message - }, - { // Pango - text internationalization, found on older GTK2-based systems - "libpango", // library - 0, 0, // len and found flag - "pango", // dir1 - "", // dir2 - "Pango" // message - }, - { // Library for handling GObject introspection data on GTK systems - "libgirepository-1.0", // library - 0, 0, // len and found flag - "girepository-1.0", // dir1 - "", // dir2 - "GIRepository" // message - }, - { // GIO - "libgio", // library - 0, 0, // len and found flag - "gio", // dir1 - "", // dir2 - "GIO" // message - }, - { // Enchant speller - "libenchant.so.", // library - 0, 0, // len and found flag - "enchant", // dir1 - "", // dir2 - "Enchant (speller)" // message - }, - { // Qt5 - lots of problems on Arch Linux, Qt5 version 5.9.1 - disabled in all apps profiles - "libQt5", // library - 0, 0, // len and found flag - "qt5", // dir1 - "gdk-pixbuf-2.0", // dir2 - "Qt5, GdkPixbuf" // message - }, - { // Qt4 - "libQtCore", // library - 0, 0, // len and found flag - "qt4", // dir1 - "gdk-pixbuf-2.0", // dir2 - "Qt4" // message - }, - - { // NULL terminated list - NULL, // library - 0, 0, // len and found flag - "", // dir1 - "", // dir2 - "" // message - } -}; - -void fslib_install_system(void) { - // look for installed libraries - DIR *dir = opendir(RUN_LIB_DIR 
"/x86_64-linux-gnu"); - if (!dir) - dir = opendir(RUN_LIB_DIR); - - if (dir) { - struct dirent *entry; - while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, ".") == 0) - continue; - if (strcmp(entry->d_name, "..") == 0) - continue; - - SysLib *ptr = &syslibs[0]; - while (ptr->library) { - if (ptr->len == 0) - ptr->len = strlen(ptr->library); - - if (strncmp(entry->d_name, ptr->library, ptr->len) == 0) { - ptr->found = 1; - break; - } - - ptr++; - } - - } - closedir(dir); - } - else - assert(0); - - // install required directories - SysLib *ptr = &syslibs[0]; - while (ptr->library) { - if (ptr->found) { - assert(*ptr->message != '\0'); - timetrace_start(); - - // bring in all libraries - assert(ptr->dir1); - char *name; - // Debian & friends - if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir1) == -1) - errExit("asprintf"); - if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); - } - else { - free(name); - // CentOS, Fedora, Arch - if (asprintf(&name, "/usr/lib64/%s", ptr->dir1) == -1) - errExit("asprintf"); - if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); - } - } - free(name); - - if (*ptr->dir2 != '\0') { - // Debian & friends - if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) - errExit("asprintf"); - if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); - } - else { - free(name); - // CentOS, Fedora, Arch - if (asprintf(&name, "/usr/lib64/%s", ptr->dir2) == -1) - errExit("asprintf"); - if (access(name, R_OK) == 0) { - fslib_copy_libs(name); - fslib_copy_dir(name); - } - } - free(name); - } - - fmessage("%s installed in %0.2f ms\n", ptr->message, timetrace_end()); - } - ptr++; - } -} - - - - - diff --git a/src/firejail/main.c b/src/firejail/main.c index 3e092a3cc..ba5e8cdfd 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -339,6 +339,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(0); } #endif +#ifndef LTS #ifdef HAVE_X11 else if (strcmp(argv[i], "--x11") == 0) { if (checkcfg(CFG_X11)) { @@ -373,6 +374,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit_err_feature("x11"); } #endif +#endif // LTS #ifdef HAVE_NETWORK else if (strncmp(argv[i], "--bandwidth=", 12) == 0) { if (checkcfg(CFG_NETWORK)) { @@ -825,6 +827,7 @@ static int check_arg(int argc, char **argv, const char *argument, int strict) { return found; } +#ifndef LTS static void run_builder(int argc, char **argv) { EUID_ASSERT(); (void) argc; @@ -844,7 +847,7 @@ static void run_builder(int argc, char **argv) { perror("execvp"); exit(1); } - +#endif // LTS //******************************************* // Main program @@ -920,10 +923,11 @@ int main(int argc, char **argv) { profile_add(cmd); } +#ifndef LTS // profile builder if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename run_builder(argc, argv); // this function will not return - +#endif // LTS // check argv[0] symlink wrapper if this is not a login shell if (*argv[0] != '-') run_symlink(argc, argv, 0); // if symlink detected, this function will not return @@ -1354,6 +1358,7 @@ int main(int argc, char **argv) { } else if (strcmp(argv[i], "--disable-mnt") == 0) arg_disable_mnt = 1; +#ifndef LTS #ifdef HAVE_OVERLAYFS else if (strcmp(argv[i], "--overlay") == 0) { if (checkcfg(CFG_OVERLAYFS)) { @@ -1441,6 +1446,7 @@ int main(int argc, char **argv) { exit_err_feature("overlayfs"); } #endif +#endif //LTS else if (strncmp(argv[i], "--profile=", 10) == 0) { // multiple profile files are allowed! @@ -1489,6 +1495,7 @@ int main(int argc, char **argv) { else cfg.profile_ignore[j] = argv[i] + 9; } +#ifndef LTS #ifdef HAVE_CHROOT else if (strncmp(argv[i], "--chroot=", 9) == 0) { if (checkcfg(CFG_CHROOT)) { 
@@ -1537,6 +1544,7 @@ int main(int argc, char **argv) { exit_err_feature("chroot"); } #endif +#endif // LTS else if (strcmp(argv[i], "--writable-etc") == 0) { if (cfg.etc_private_keep) { fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); @@ -1583,6 +1591,7 @@ int main(int argc, char **argv) { } arg_private = 1; } +#ifndef LTS #ifdef HAVE_PRIVATE_HOME else if (strncmp(argv[i], "--private-home=", 15) == 0) { if (checkcfg(CFG_PRIVATE_HOME)) { @@ -1607,6 +1616,7 @@ int main(int argc, char **argv) { exit_err_feature("private-home"); } #endif +#endif //LTS else if (strcmp(argv[i], "--private-dev") == 0) { arg_private_dev = 1; } @@ -1657,6 +1667,7 @@ int main(int argc, char **argv) { cfg.srv_private_keep = argv[i] + 14; arg_private_srv = 1; } +#ifndef LTS else if (strncmp(argv[i], "--private-bin=", 14) == 0) { // extract private bin list if (*(argv[i] + 14) == '\0') { @@ -1685,6 +1696,7 @@ int main(int argc, char **argv) { else exit_err_feature("private-lib"); } +#endif // LTS else if (strcmp(argv[i], "--private-tmp") == 0) { arg_private_tmp = 1; } @@ -2100,6 +2112,7 @@ int main(int argc, char **argv) { //************************************* else if (strncmp(argv[i], "--timeout=", 10) == 0) cfg.timeout = extract_timeout(argv[i] + 10); +#ifndef LTS else if (strcmp(argv[i], "--audit") == 0) { arg_audit_prog = LIBDIR "/firejail/faudit"; arg_audit = 1; @@ -2120,6 +2133,7 @@ int main(int argc, char **argv) { } arg_audit = 1; } +#endif // LTS else if (strcmp(argv[i], "--appimage") == 0) arg_appimage = 1; else if (strcmp(argv[i], "--shell=none") == 0) { @@ -2364,10 +2378,11 @@ int main(int argc, char **argv) { } EUID_ASSERT(); +#ifndef LTS // block X11 sockets if (arg_x11_block) x11_block(); - +#endif //LTS // check network configuration options - it will exit if anything went wrong net_check_cfg(); 
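Review bot: The guard around `if (arg_x11_block) x11_block();` in the -2364 hunk removes the only visible call that acts on arg_x11_block, but none of this commit's main.c or profile.c hunks show the code that sets that flag being guarded too. If `--x11=none` or its profile equivalent still parses in an LTS build, the request to block X11 sockets is accepted and then silently ignored, so the sandboxed program keeps access the user asked to remove. Consider failing loudly in the LTS case, for example an `#else` branch with `if (arg_x11_block) exit_err_feature("x11");`. main() starts and ends outside this hunk, so the flag's setters need checking in the full file.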
@@ -2422,9 +2437,11 @@ int main(int argc, char **argv) { } if (cfg.name) set_name_run_file(sandbox_pid); +#ifndef LTS int display = x11_display(); if (display > 0) set_x11_run_file(sandbox_pid, display); +#endif flock(lockfd_directory, LOCK_UN); close(lockfd_directory); EUID_USER(); diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4b2fb3abd..c3ef2f2f5 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -198,6 +198,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_private = 1; return 0; } +#ifndef LTS if (strncmp(ptr, "private-home ", 13) == 0) { #ifdef HAVE_PRIVATE_HOME if (checkcfg(CFG_PRIVATE_HOME)) { @@ -213,6 +214,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #endif return 0; } +#endif //LTS else if (strcmp(ptr, "allusers") == 0) { arg_allusers = 1; return 0; @@ -790,6 +792,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } +#ifndef LTS if (strcmp(ptr, "x11 xephyr") == 0) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) { @@ -875,7 +878,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #endif return 0; } - +#endif //LTS // private /etc list of files and directories if (strncmp(ptr, "private-etc ", 12) == 0) { if (arg_writable_etc) { @@ -949,7 +952,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } - +#ifndef LTS #ifdef HAVE_OVERLAYFS if (strncmp(ptr, "overlay-named ", 14) == 0) { if (checkcfg(CFG_OVERLAYFS)) { @@ -1034,6 +1037,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } } #endif +#endif // LTS // filesystem bind if (strncmp(ptr, "bind ", 5) == 0) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 66881c040..06c2dbf5b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
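Review bot: In the first profile.c hunk, the `else if (strcmp(ptr, "allusers") == 0)` that follows `#endif //LTS` loses its own `if` when LTS is defined and re-attaches to the `if` block that closes just above `#ifndef LTS`. That compiles only because the preceding statement happens to be an `if`. Both branches visible above it end in `return 0;`, so the `else` adds nothing. Writing it as a plain `if (strcmp(ptr, "allusers") == 0) {` keeps the LTS and non-LTS builds structurally identical. profile_check_line() begins and ends outside the hunk.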
@@ -391,6 +391,7 @@ void start_application(int no_sandbox) { //**************************************** // audit //**************************************** +#ifndef LTS if (arg_audit) { assert(arg_audit_prog); #ifdef HAVE_GCOV @@ -404,7 +405,9 @@ void start_application(int no_sandbox) { //**************************************** // start the program without using a shell //**************************************** - else if (arg_shell_none) { + else +#endif // LTS + if (arg_shell_none) { if (arg_debug) { int i; for (i = cfg.original_program_index; i < cfg.original_argc; i++) { @@ -732,6 +735,7 @@ int sandbox(void* sandbox_arg) { if (arg_appimage) enforce_filters(); +#ifndef LTS #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); @@ -761,6 +765,7 @@ int sandbox(void* sandbox_arg) { } else #endif +#endif // LTS fs_basic_fs(); //**************************** @@ -775,6 +780,7 @@ int sandbox(void* sandbox_arg) { else fs_private_homedir(); } +#ifndef LTS else if (cfg.home_private_keep) { // --private-home= if (cfg.chrootdir) fwarning("private-home= feature is disabled in chroot\n"); @@ -784,6 +790,7 @@ int sandbox(void* sandbox_arg) { fs_private_home_list(); } else // --private +#endif //LTS fs_private(); } @@ -823,6 +830,7 @@ int sandbox(void* sandbox_arg) { } } +#ifndef LTS // private-bin is disabled for appimages if (arg_private_bin && !arg_appimage) { if (cfg.chrootdir) @@ -853,6 +861,7 @@ int sandbox(void* sandbox_arg) { fs_private_lib(); } } +#endif // LTS if (arg_private_cache) { if (cfg.chrootdir) @@ -1001,10 +1010,12 @@ int sandbox(void* sandbox_arg) { } } +#ifndef LTS // clean /tmp/.X11-unix sockets fs_x11(); if (arg_x11_xorg) x11_xorg(); +#endif //LTS //**************************** // set security filters diff --git a/src/firejail/x11.c b/src/firejail/x11.c deleted file mode 100644 index 9cbe6598e..000000000 --- a/src/firejail/x11.c +++ /dev/null 
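Review bot: With `LTS` defined, `fs_private()` runs unconditionally after the `--private=` branch, because the `else // --private` line sits inside the `#ifndef LTS` region opened in the `@@ -775,6 +780,7 @@` hunk and closed in `@@ -784,6 +790,7 @@`. After `fs_private_homedir()` has set up the directory given with `--private=`, the second call would presumably apply the plain `--private` home on top of it, so the user's chosen directory is no longer what the sandbox sees. Move `#endif //LTS` up one line so that it comes before `else // --private` and the `else` survives in both builds. `sandbox()` starts and ends outside the hunks.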
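Review bot: The `@@ -1001,10 +1010,12 @@` hunk drops the `fs_x11()` call from LTS builds, and that function is not specific to Xpra or Xephyr: per the deleted x11.c it masks every socket in `/tmp/.X11-unix` except the one for the current `DISPLAY`. An LTS sandbox therefore keeps all of the host's X11 sockets visible where the regular build exposes one. If that is intended, a comment at the guard such as `// LTS: no X11 socket masking, all of /tmp/.X11-unix stays visible` would make the reduced isolation explicit; otherwise `fs_x11()` and `x11_display()` need to stay in the tree and outside the `#ifndef`. `sandbox()` continues outside the hunk.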
@@ -1,1311 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ -#include "firejail.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -// on Debian 7 we are missing O_PATH definition -#include -#ifndef O_PATH -#define O_PATH 010000000 -#endif - - -// Parse the DISPLAY environment variable and return a display number. -// Returns -1 if DISPLAY is not set, or is set to anything other than :ddd. 
-int x11_display(void) { - const char *display_str = getenv("DISPLAY"); - char *endp; - unsigned long display; - - if (!display_str) { - if (arg_debug) - fputs("DISPLAY is not set\n", stderr); - return -1; - } - - if (display_str[0] != ':' || display_str[1] < '0' || display_str[1] > '9') { - if (arg_debug) - fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); - return -1; - } - - errno = 0; - display = strtoul(display_str+1, &endp, 10); - // handling DISPLAY=:0 and also :0.0 - if (endp == display_str+1 || (*endp != '\0' && *endp != '.')) { - if (arg_debug) - fprintf(stderr, "unsupported DISPLAY form '%s'\n", display_str); - return -1; - } - if (errno || display > (unsigned long)INT_MAX) { - if (arg_debug) - fprintf(stderr, "display number %s is outside the valid range\n", - display_str+1); - return -1; - } - - if (arg_debug) - fprintf(stderr, "DISPLAY=%s parsed as %lu\n", display_str, display); - - return (int)display; -} - - -#ifdef HAVE_X11 -// check for X11 abstract sockets -static int x11_abstract_sockets_present(void) { - - EUID_ROOT(); // grsecurity fix - FILE *fp = fopen("/proc/net/unix", "r"); - if (!fp) - errExit("fopen"); - EUID_USER(); - - char *linebuf = 0; - size_t bufsz = 0; - int found = 0; - errno = 0; - - for (;;) { - if (getline(&linebuf, &bufsz, fp) == -1) { - if (errno) - errExit("getline"); - break; - } - // The last space-separated field in 'linebuf' is the - // pathname of the socket. Abstract sockets' pathnames - // all begin with '@/', normal ones begin with '/'. - char *p = strrchr(linebuf, ' '); - if (!p) { - fputs("error parsing /proc/net/unix\n", stderr); - exit(1); - } - if (strncmp(p+1, "@/tmp/.X11-unix/", 16) == 0) { - found = 1; - break; - } - } - - free(linebuf); - fclose(fp); - return found; -} - - -// Choose a random, unallocated display number. This has an inherent -// and unavoidable TOCTOU race, since we cannot create either the -// socket or a lockfile ourselves. 
-static int random_display_number(void) { - int display; - int found = 0; - int i; - - struct sockaddr_un sa; - // The -1 here is because we need space to inject a - // leading nul byte. - int sun_pathmax = (int)(sizeof sa.sun_path - 1); - assert((size_t)sun_pathmax == sizeof sa.sun_path - 1); - int sun_pathlen; - - int sockfd = socket(AF_UNIX, SOCK_STREAM, 0); - if (sockfd == -1) - errExit("socket"); - - for (i = 0; i < 100; i++) { - display = rand() % (X11_DISPLAY_END - X11_DISPLAY_START) + X11_DISPLAY_START; - - // The display number might be claimed by a server listening - // in _either_ the normal or the abstract namespace; they - // don't necessarily do both. The easiest way to check is - // to try to connect, both ways. - memset(&sa, 0, sizeof sa); - sa.sun_family = AF_UNIX; - sun_pathlen = snprintf(sa.sun_path, sun_pathmax, - "/tmp/.X11-unix/X%d", display); - if (sun_pathlen >= sun_pathmax) { - fprintf(stderr, "sun_path too small for display :%d" - " (only %d bytes usable)\n", display, sun_pathmax); - exit(1); - } - - if (connect(sockfd, (struct sockaddr *)&sa, - offsetof(struct sockaddr_un, sun_path) + sun_pathlen + 1) == 0) { - close(sockfd); - sockfd = socket(AF_UNIX, SOCK_STREAM, 0); - if (sockfd == -1) - errExit("socket"); - continue; - } - if (errno != ECONNREFUSED && errno != ENOENT) - errExit("connect"); - - // Name not claimed in the normal namespace; now try it - // in the abstract namespace. Note that abstract-namespace - // names are NOT nul-terminated; they extend to the length - // specified as the third argument to 'connect'. 
- memmove(sa.sun_path + 1, sa.sun_path, sun_pathlen + 1); - sa.sun_path[0] = '\0'; - if (connect(sockfd, (struct sockaddr *)&sa, - offsetof(struct sockaddr_un, sun_path) + 1 + sun_pathlen) == 0) { - close(sockfd); - sockfd = socket(AF_UNIX, SOCK_STREAM, 0); - if (sockfd == -1) - errExit("socket"); - continue; - } - if (errno != ECONNREFUSED && errno != ENOENT) - errExit("connect"); - - // This display number is unclaimed. Of course, it could - // be claimed before we get around to doing it... - found = 1; - break; - } - close(sockfd); - - if (!found) { - fputs("Error: cannot find an unallocated X11 display number, " - "exiting...\n", stderr); - exit(1); - } - return display; -} -#endif - -#ifdef HAVE_X11 -void x11_start_xvfb(int argc, char **argv) { - EUID_ASSERT(); - int i; - struct stat s; - pid_t jail = 0; - pid_t server = 0; - - setenv("FIREJAIL_X11", "yes", 1); - - // mever try to run X servers as root!!! - if (getuid() == 0) { - fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); - exit(1); - } - drop_privs(0); - - // check xvfb - if (!program_in_path("Xvfb")) { - fprintf(stderr, "\nError: Xvfb program was not found in /usr/bin directory, please install it:\n"); - fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xvfb\n"); - fprintf(stderr, " Arch: sudo pacman -S xorg-server-xvfb\n"); - exit(0); - } - - int display = random_display_number(); - char *display_str; - if (asprintf(&display_str, ":%d", display) == -1) - errExit("asprintf"); - - assert(xvfb_screen); - - char *server_argv[256] = { // rest initialyzed to NULL - "Xvfb", display_str, "-screen", "0", xvfb_screen - }; - unsigned pos = 0; - while (server_argv[pos] != NULL) pos++; - assert(xvfb_extra_params); // should be "" if empty - - // parse xvfb_extra_params - // very basic quoting support - char *temp = strdup(xvfb_extra_params); - if (*xvfb_extra_params != '\0') { - if (!temp) - errExit("strdup"); - bool dquote = false; - bool squote = false; - for (i = 0; i < 
(int) strlen(xvfb_extra_params); i++) { - if (temp[i] == '\"') { - dquote = !dquote; - // replace closing quote by \0 - if (dquote) temp[i] = '\0'; - } - if (temp[i] == '\'') { - squote = !squote; - // replace closing quote by \0 - if (squote) temp[i] = '\0'; - } - if (!dquote && !squote && temp[i] == ' ') temp[i] = '\0'; - if (dquote && squote) { - fprintf(stderr, "Error: mixed quoting found while parsing xvfb_extra_params\n"); - exit(1); - } - } - if (dquote) { - fprintf(stderr, "Error: unclosed quote found while parsing xvfb_extra_params\n"); - exit(1); - } - - server_argv[pos++] = temp; - for (i = 0; i < (int) strlen(xvfb_extra_params)-1; i++) { - if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) { - fprintf(stderr, "Error: arg count limit exceeded while parsing xvfb_extra_params\n"); - exit(1); - } - if (temp[i] == '\0' && (temp[i+1] == '\"' || temp[i+1] == '\'')) server_argv[pos++] = temp + i + 2; - else if (temp[i] == '\0' && temp[i+1] != '\0') server_argv[pos++] = temp + i + 1; - } - } - - server_argv[pos++] = NULL; - - assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); // no overrun - assert(server_argv[pos-1] == NULL); // last element is null - - if (arg_debug) { - size_t i = 0; - printf("\n*** Starting xvfb server:"); - while (server_argv[i]!=NULL) { - printf(" \"%s\"", server_argv[i]); - i++; - } - printf(" ***\n\n"); - } - - // remove --x11 arg - char *jail_argv[argc+2]; - int j = 0; - for (i = 0; i < argc; i++) { - if (strncmp(argv[i], "--x11", 5) == 0) - continue; - jail_argv[j] = argv[i]; - j++; - } - jail_argv[j] = NULL; - - assert(j < argc+2); // no overrun - - if (arg_debug) { - size_t i = 0; - printf("\n*** Stating xvfb client:"); - while (jail_argv[i]!=NULL) { - printf(" \"%s\"", jail_argv[i]); - i++; - } - printf(" ***\n\n"); - } - - server = fork(); - if (server < 0) - errExit("fork"); - if (server == 0) { - if (arg_debug) - printf("Starting xvfb...\n"); - - // running without privileges - see drop_privs call above - 
assert(getenv("LD_PRELOAD") == NULL); - execvp(server_argv[0], server_argv); - perror("execvp"); - _exit(1); - } - - if (arg_debug) - printf("xvfb server pid %d\n", server); - - // check X11 socket - char *fname; - if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) - errExit("asprintf"); - int n = 0; - // wait for x11 server to start - while (++n < 10) { - sleep(1); - if (stat(fname, &s) == 0) - break; - }; - - if (n == 10) { - fprintf(stderr, "Error: failed to start xvfb\n"); - exit(1); - } - free(fname); - - assert(display_str); - setenv("DISPLAY", display_str, 1); - // run attach command - jail = fork(); - if (jail < 0) - errExit("fork"); - if (jail == 0) { - fmessage("\n*** Attaching to Xvfb display %d ***\n\n", display); - - // running without privileges - see drop_privs call above - assert(getenv("LD_PRELOAD") == NULL); - execvp(jail_argv[0], jail_argv); - perror("execvp"); - _exit(1); - } - - // cleanup - free(display_str); - free(temp); - - // wait for either server or jail termination - pid_t pid = wait(NULL); - - // see which process terminated and kill other - if (pid == server) { - kill(jail, SIGTERM); - } - else if (pid == jail) { - kill(server, SIGTERM); - } - - // without this closing Xephyr window may mess your terminal: - // "monitoring" process will release terminal before - // jail process ends and releases terminal - wait(NULL); // fulneral - - exit(0); -} - - -static char *extract_setting(int argc, char **argv, const char *argument) { - int i; - int len = strlen(argument); - - for (i = 1; i < argc; i++) { - if (strncmp(argv[i], argument, len) == 0) { - return argv[i] + len; - } - - // detect end of firejail params - if (strcmp(argv[i], "--") == 0) - break; - if (strncmp(argv[i], "--", 2) != 0) - break; - } - - return NULL; -} - - -//$ Xephyr -ac -br -noreset -screen 800x600 :22 & -//$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox -void x11_start_xephyr(int argc, char **argv) { - EUID_ASSERT(); - int i; - struct 
stat s; - pid_t jail = 0; - pid_t server = 0; - - // default xephyr screen can be overwriten by a --xephyr-screen= command line option - char *newscreen = extract_setting(argc, argv, "--xephyr-screen="); - if (newscreen) - xephyr_screen = newscreen; - - setenv("FIREJAIL_X11", "yes", 1); - - // unfortunately, xephyr does a number of weird things when started by root user!!! - if (getuid() == 0) { - fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); - exit(1); - } - drop_privs(0); - - // check xephyr - if (!program_in_path("Xephyr")) { - fprintf(stderr, "\nError: Xephyr program was not found in /usr/bin directory, please install it:\n"); - fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n"); - fprintf(stderr, " Arch: sudo pacman -S xorg-server-xephyr\n"); - exit(0); - } - - int display = random_display_number(); - char *display_str; - if (asprintf(&display_str, ":%d", display) == -1) - errExit("asprintf"); - - assert(xephyr_screen); - char *server_argv[256] = { // rest initialyzed to NULL - "Xephyr", "-ac", "-br", "-noreset", "-screen", xephyr_screen - }; - unsigned pos = 0; - while (server_argv[pos] != NULL) pos++; - if (checkcfg(CFG_XEPHYR_WINDOW_TITLE)) { - server_argv[pos++] = "-title"; - server_argv[pos++] = "firejail x11 sandbox"; - } - - assert(xephyr_extra_params); // should be "" if empty - - // parse xephyr_extra_params - // very basic quoting support - char *temp = strdup(xephyr_extra_params); - if (*xephyr_extra_params != '\0') { - if (!temp) - errExit("strdup"); - bool dquote = false; - bool squote = false; - for (i = 0; i < (int) strlen(xephyr_extra_params); i++) { - if (temp[i] == '\"') { - dquote = !dquote; - // replace closing quote by \0 - if (dquote) temp[i] = '\0'; - } - if (temp[i] == '\'') { - squote = !squote; - // replace closing quote by \0 - if (squote) temp[i] = '\0'; - } - if (!dquote && !squote && temp[i] == ' ') temp[i] = '\0'; - if (dquote && squote) { - fprintf(stderr, "Error: 
mixed quoting found while parsing xephyr_extra_params\n"); - exit(1); - } - } - if (dquote) { - fprintf(stderr, "Error: unclosed quote found while parsing xephyr_extra_params\n"); - exit(1); - } - - server_argv[pos++] = temp; - for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) { - if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) { - fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n"); - exit(1); - } - if (temp[i] == '\0' && (temp[i+1] == '\"' || temp[i+1] == '\'')) { - server_argv[pos++] = temp + i + 2; - } - else if (temp[i] == '\0' && temp[i+1] != '\0') { - server_argv[pos++] = temp + i + 1; - } - } - } - - server_argv[pos++] = display_str; - server_argv[pos++] = NULL; - - // no overrun - assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); - assert(server_argv[pos-1] == NULL); // last element is null - - { - size_t i = 0; - printf("\n*** Starting xephyr server:"); - while (server_argv[i]!=NULL) { - printf(" \"%s\"", server_argv[i]); - i++; - } - printf(" ***\n\n"); - } - - // remove --x11 arg - char *jail_argv[argc+2]; - int j = 0; - for (i = 0; i < argc; i++) { - if (strncmp(argv[i], "--x11", 5) == 0) - continue; - jail_argv[j] = argv[i]; - j++; - } - jail_argv[j] = NULL; - - assert(j < argc+2); // no overrun - - if (arg_debug) { - size_t i = 0; - printf("*** Starting xephyr client:"); - while (jail_argv[i]!=NULL) { - printf(" \"%s\"", jail_argv[i]); - i++; - } - printf(" ***\n\n"); - } - - server = fork(); - if (server < 0) - errExit("fork"); - if (server == 0) { - if (arg_debug) - printf("Starting xephyr...\n"); - - // running without privileges - see drop_privs call above - assert(getenv("LD_PRELOAD") == NULL); - execvp(server_argv[0], server_argv); - perror("execvp"); - _exit(1); - } - - if (arg_debug) - printf("xephyr server pid %d\n", server); - - // check X11 socket - char *fname; - if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) - errExit("asprintf"); - int n = 0; - // wait for x11 
server to start - while (++n < 10) { - sleep(1); - if (stat(fname, &s) == 0) - break; - }; - - if (n == 10) { - fprintf(stderr, "Error: failed to start xephyr\n"); - exit(1); - } - free(fname); - - assert(display_str); - setenv("DISPLAY", display_str, 1); - // run attach command - jail = fork(); - if (jail < 0) - errExit("fork"); - if (jail == 0) { - if (!arg_quiet) - printf("\n*** Attaching to Xephyr display %d ***\n\n", display); - - // running without privileges - see drop_privs call above - assert(getenv("LD_PRELOAD") == NULL); - execvp(jail_argv[0], jail_argv); - perror("execvp"); - _exit(1); - } - - // cleanup - free(display_str); - free(temp); - - // wait for either server or jail termination - pid_t pid = wait(NULL); - - // see which process terminated and kill other - if (pid == server) { - kill(jail, SIGTERM); - } - else if (pid == jail) { - kill(server, SIGTERM); - } - - // without this closing Xephyr window may mess your terminal: - // "monitoring" process will release terminal before - // jail process ends and releases terminal - wait(NULL); // fulneral - - exit(0); -} - - -void x11_start_xpra_old(int argc, char **argv, int display, char *display_str) { - EUID_ASSERT(); - int i; - struct stat s; - pid_t client = 0; - pid_t server = 0; - - // build the start command - char *server_argv[256] = { // rest initialyzed to NULL - "xpra", "start", display_str, "--no-daemon", - }; - unsigned pos = 0; - while (server_argv[pos] != NULL) pos++; - - assert(xpra_extra_params); // should be "" if empty - - // parse xephyr_extra_params - // very basic quoting support - char *temp = strdup(xpra_extra_params); - if (*xpra_extra_params != '\0') { - if (!temp) - errExit("strdup"); - bool dquote = false; - bool squote = false; - for (i = 0; i < (int) strlen(xpra_extra_params); i++) { - if (temp[i] == '\"') { - dquote = !dquote; - // replace closing quote by \0 - if (dquote) temp[i] = '\0'; - } - if (temp[i] == '\'') { - squote = !squote; - // replace closing quote by \0 - 
if (squote) temp[i] = '\0'; - } - if (!dquote && !squote && temp[i] == ' ') temp[i] = '\0'; - if (dquote && squote) { - fprintf(stderr, "Error: mixed quoting found while parsing xpra_extra_params\n"); - exit(1); - } - } - if (dquote) { - fprintf(stderr, "Error: unclosed quote found while parsing xpra_extra_params\n"); - exit(1); - } - - server_argv[pos++] = temp; - for (i = 0; i < (int) strlen(xpra_extra_params)-1; i++) { - if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) { - fprintf(stderr, "Error: arg count limit exceeded while parsing xpra_extra_params\n"); - exit(1); - } - if (temp[i] == '\0' && (temp[i+1] == '\"' || temp[i+1] == '\'')) { - server_argv[pos++] = temp + i + 2; - } - else if (temp[i] == '\0' && temp[i+1] != '\0') { - server_argv[pos++] = temp + i + 1; - } - } - } - - server_argv[pos++] = NULL; - - // no overrun - assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); - assert(server_argv[pos-1] == NULL); // last element is null - - if (arg_debug) { - size_t i = 0; - printf("\n*** Starting xpra server: "); - while (server_argv[i]!=NULL) { - printf(" \"%s\"", server_argv[i]); - i++; - } - printf(" ***\n\n"); - } - - int fd_null = -1; - if (arg_quiet) { - fd_null = open("/dev/null", O_RDWR); - if (fd_null == -1) - errExit("open"); - } - - // start - server = fork(); - if (server < 0) - errExit("fork"); - if (server == 0) { - if (arg_debug) - printf("Starting xpra...\n"); - - if (arg_quiet && fd_null != -1) { - dup2(fd_null,0); - dup2(fd_null,1); - dup2(fd_null,2); - } - - // running without privileges - see drop_privs call above - assert(getenv("LD_PRELOAD") == NULL); - execvp(server_argv[0], server_argv); - perror("execvp"); - _exit(1); - } - - // add a small delay, on some systems it takes some time for the server to start - sleep(5); - - // check X11 socket - char *fname; - if (asprintf(&fname, "/tmp/.X11-unix/X%d", display) == -1) - errExit("asprintf"); - int n = 0; - // wait for x11 server to start - while (++n < 10) { - sleep(1); - 
if (stat(fname, &s) == 0) - break; - } - - if (n == 10) { - fprintf(stderr, "Error: failed to start xpra\n"); - exit(1); - } - free(fname); - - // build attach command - char *attach_argv[] = { "xpra", "--title=\"firejail x11 sandbox\"", "attach", display_str, NULL }; - - // run attach command - client = fork(); - if (client < 0) - errExit("fork"); - if (client == 0) { - if (arg_quiet && fd_null != -1) { - dup2(fd_null,0); - dup2(fd_null,1); - dup2(fd_null,2); - } - - fmessage("\n*** Attaching to xpra display %d ***\n\n", display); - - // running without privileges - see drop_privs call above - assert(getenv("LD_PRELOAD") == NULL); - execvp(attach_argv[0], attach_argv); - perror("execvp"); - _exit(1); - } - - assert(display_str); - setenv("DISPLAY", display_str, 1); - - // build jail command - char *firejail_argv[argc+2]; - pos = 0; - for (i = 0; i < argc; i++) { - if (strncmp(argv[i], "--x11", 5) == 0) - continue; - firejail_argv[pos] = argv[i]; - pos++; - } - firejail_argv[pos] = NULL; - - assert((int) pos < (argc+2)); - assert(!firejail_argv[pos]); - - // start jail - pid_t jail = fork(); - if (jail < 0) - errExit("fork"); - if (jail == 0) { - // running without privileges - see drop_privs call above - assert(getenv("LD_PRELOAD") == NULL); - if (firejail_argv[0]) // shut up llvm scan-build - execvp(firejail_argv[0], firejail_argv); - perror("execvp"); - exit(1); - } - - fmessage("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail); - - sleep(1); // adding a delay in order to let the server start - - // wait for jail or server to end - while (1) { - pid_t pid = wait(NULL); - - if (pid == jail) { - char *stop_argv[] = { "xpra", "stop", display_str, NULL }; - pid_t stop = fork(); - if (stop < 0) - errExit("fork"); - if (stop == 0) { - if (arg_quiet && fd_null != -1) { - dup2(fd_null,0); - dup2(fd_null,1); - dup2(fd_null,2); - } - // running without privileges - see drop_privs call above - assert(getenv("LD_PRELOAD") == NULL); - 
execvp(stop_argv[0], stop_argv); - perror("execvp"); - _exit(1); - } - - // wait for xpra server to stop, 10 seconds limit - while (++n < 10) { - sleep(1); - pid = waitpid(server, NULL, WNOHANG); - if (pid == server) - break; - } - - if (arg_debug) { - if (n == 10) - printf("failed to stop xpra server gratefully\n"); - else - printf("xpra server successfully stopped in %d secs\n", n); - } - - // kill xpra server and xpra client - kill(client, SIGTERM); - kill(server, SIGTERM); - exit(0); - } - else if (pid == server) { - // kill firejail process - kill(jail, SIGTERM); - // kill xpra client (should die with server, but...) - kill(client, SIGTERM); - exit(0); - } - } -} - - -void x11_start_xpra_new(int argc, char **argv, char *display_str) { - EUID_ASSERT(); - int i; - pid_t server = 0; - - // build the start command - char *server_argv[256] = { // rest initialyzed to NULL - "xpra", "start", display_str, "--daemon=no", "--attach=yes", "--exit-with-children=yes" - }; - unsigned spos = 0; - unsigned fpos = 0; - while (server_argv[spos] != NULL) spos++; - - // build jail command - char *firejail_argv[argc+2]; - size_t total_length = 0; - for (i = 0; i < argc; i++) { - if (strncmp(argv[i], "--x11", 5) == 0) - continue; - firejail_argv[fpos] = argv[i]; - fpos++; - total_length += strlen(argv[i]); - } - - char *start_child_prefix = "--start-child="; - char *start_child; - start_child = malloc(total_length + strlen(start_child_prefix) + fpos + 2); - if (start_child == NULL) { - fprintf(stderr, "Error: unable to allocate start_child to assemble command\n"); - exit(1); - } - - strcpy(start_child,start_child_prefix); - for(i = 0; (unsigned) i < fpos; i++) { - strncat(start_child,firejail_argv[i],strlen(firejail_argv[i])); - if((unsigned) i != fpos - 1) - strncat(start_child," ",strlen(" ")); - } - - server_argv[spos++] = start_child; - - server_argv[spos++] = NULL; - firejail_argv[fpos] = NULL; - - assert(xpra_extra_params); // should be "" if empty - - // parse 
xephyr_extra_params - // very basic quoting support - char *temp = strdup(xpra_extra_params); - if (*xpra_extra_params != '\0') { - if (!temp) - errExit("strdup"); - bool dquote = false; - bool squote = false; - for (i = 0; i < (int) strlen(xpra_extra_params); i++) { - if (temp[i] == '\"') { - dquote = !dquote; - // replace closing quote by \0 - if (dquote) temp[i] = '\0'; - } - if (temp[i] == '\'') { - squote = !squote; - // replace closing quote by \0 - if (squote) temp[i] = '\0'; - } - if (!dquote && !squote && temp[i] == ' ') temp[i] = '\0'; - if (dquote && squote) { - fprintf(stderr, "Error: mixed quoting found while parsing xpra_extra_params\n"); - exit(1); - } - } - if (dquote) { - fprintf(stderr, "Error: unclosed quote found while parsing xpra_extra_params\n"); - exit(1); - } - - server_argv[spos++] = temp; - for (i = 0; i < (int) strlen(xpra_extra_params)-1; i++) { - if (spos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) { - fprintf(stderr, "Error: arg count limit exceeded while parsing xpra_extra_params\n"); - exit(1); - } - if (temp[i] == '\0' && (temp[i+1] == '\"' || temp[i+1] == '\'')) { - server_argv[spos++] = temp + i + 2; - } - else if (temp[i] == '\0' && temp[i+1] != '\0') { - server_argv[spos++] = temp + i + 1; - } - } - } - - server_argv[spos++] = NULL; - - assert((int) fpos < (argc+2)); - assert(!firejail_argv[fpos]); - // no overrun - assert(spos < (sizeof(server_argv)/sizeof(*server_argv))); - assert(server_argv[spos-1] == NULL); // last element is null - - if (arg_debug) { - size_t i = 0; - printf("\n*** Starting xpra server: "); - while (server_argv[i]!=NULL) { - printf(" \"%s\"", server_argv[i]); - i++; - } - printf(" ***\n\n"); - } - - int fd_null = -1; - if (arg_quiet) { - fd_null = open("/dev/null", O_RDWR); - if (fd_null == -1) - errExit("open"); - } - - // start - server = fork(); - if (server < 0) - errExit("fork"); - if (server == 0) { - if (arg_debug) - printf("Starting xpra...\n"); - - if (arg_quiet && fd_null != -1) { - 
dup2(fd_null,0); - dup2(fd_null,1); - dup2(fd_null,2); - } - - // running without privileges - see drop_privs call above - assert(getenv("LD_PRELOAD") == NULL); - execvp(server_argv[0], server_argv); - perror("execvp"); - _exit(1); - } - - // wait for server to end - while (1) { - pid_t pid = wait(NULL); - if (pid == server) { - free(start_child); - exit(0); - } - } -} - - -void x11_start_xpra(int argc, char **argv) { - EUID_ASSERT(); - - setenv("FIREJAIL_X11", "yes", 1); - - // unfortunately, xpra does a number of weird things when started by root user!!! - if (getuid() == 0) { - fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); - exit(1); - } - drop_privs(0); - - // check xpra - if (!program_in_path("xpra")) { - fprintf(stderr, "\nError: Xpra program was not found in /usr/bin directory, please install it:\n"); - fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); - exit(0); - } - - int display = random_display_number(); - char *display_str; - if (asprintf(&display_str, ":%d", display) == -1) - errExit("asprintf"); - - if (checkcfg(CFG_XPRA_ATTACH)) - x11_start_xpra_new(argc, argv, display_str); - else - x11_start_xpra_old(argc, argv, display, display_str); -} - - -void x11_start(int argc, char **argv) { - EUID_ASSERT(); - - // unfortunately, xpra does a number of weird things when started by root user!!! - if (getuid() == 0) { - fprintf(stderr, "Error: X11 sandboxing is not available when running as root\n"); - exit(1); - } - - // check xpra - if (program_in_path("xpra")) - x11_start_xpra(argc, argv); - else if (program_in_path("Xephyr")) - x11_start_xephyr(argc, argv); - else { - fprintf(stderr, "\nError: Xpra or Xephyr not found in /usr/bin directory, please install one of them:\n"); - fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xpra\n"); - fprintf(stderr, " Debian/Ubuntu/Mint: sudo apt-get install xserver-xephyr\n"); - exit(0); - } -} -#endif - -// Porting notes: -// -// 1. 
merge #1100 from zackw: -// Attempting to run xauth -f directly on a file in /run/firejail/mnt/ directory fails on Debian 8 -// with this message: -// xauth: timeout in locking authority file /run/firejail/mnt/sec.Xauthority-Qt5Mu4 -// Failed to create untrusted X cookie: xauth: exit 1 -// For this reason we run xauth on a file in a tmpfs filesystem mounted on /tmp. This was -// a partial merge. -// -// 2. Since we cannot deal with the TOCTOU condition when mounting .Xauthority in user home -// directory, we need to make sure /usr/bin/xauth executable is the real thing, and not -// something picked up on $PATH. -// -// 3. If for any reason xauth command fails, we exit the sandbox. On Debian 8 this happens -// when using a network namespace. Somehow, xauth tries to connect to the abstract socket, -// and it fails because of the network namespace - it should try to connect to the regular -// Unix socket! If we ignore the fail condition, the program will be started on X server without -// the security extension loaded. -void x11_xorg(void) { -#ifdef HAVE_X11 - - // check xauth utility is present in the system - struct stat s; - if (stat("/usr/bin/xauth", &s) == -1) { - fprintf(stderr, "Error: xauth utility not found in /usr/bin. 
Please install it:\n" - " Debian/Ubuntu/Mint: sudo apt-get install xauth\n"); - exit(1); - } - if (s.st_uid != 0 && s.st_gid != 0) { - fprintf(stderr, "Error: invalid /usr/bin/xauth executable\n"); - exit(1); - } - - // get DISPLAY env - char *display = getenv("DISPLAY"); - if (!display) { - fputs("Error: --x11=xorg requires an 'outer' X11 server to use.\n", stderr); - exit(1); - } - - // temporarily mount a tempfs on top of /tmp directory - if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) - errExit("mounting /tmp"); - - // create the temporary .Xauthority file - if (arg_debug) - printf("Generating a new .Xauthority file\n"); - char tmpfname[] = "/tmp/.tmpXauth-XXXXXX"; - int fd = mkstemp(tmpfname); - if (fd == -1) { - fprintf(stderr, "Error: cannot create .Xauthority file\n"); - exit(1); - } - if (fchown(fd, getuid(), getgid()) == -1) - errExit("chown"); - close(fd); - - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - drop_privs(1); - clearenv(); -#ifdef HAVE_GCOV - __gcov_flush(); -#endif - execlp("/usr/bin/xauth", "/usr/bin/xauth", "-v", "-f", tmpfname, - "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted", NULL); - - _exit(127); - } - - // wait for the xauth process to finish - int status; - if (waitpid(child, &status, 0) != child) - errExit("waitpid"); - if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { - /* success */ - } - else if (WIFEXITED(status)) { - fprintf(stderr, "Failed to create untrusted X cookie: xauth: exit %d\n", - WEXITSTATUS(status)); - exit(1); - } - else if (WIFSIGNALED(status)) { - fprintf(stderr, "Failed to create untrusted X cookie: xauth: %s\n", - strsignal(WTERMSIG(status))); - exit(1); - } - else { - fprintf(stderr, "Failed to create untrusted X cookie: " - "xauth: un-decodable exit status %04x\n", status); - exit(1); - } - - // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted - // automatically when the sandbox is closed 
(rename doesn't work) - // root needed - if (copy_file(tmpfname, RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) { - fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); - exit(1); - } - /* coverity[toctou] */ - unlink(tmpfname); - umount("/tmp"); - - // Ensure there is already a file in the usual location, so that bind-mount below will work. - char *dest; - if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) - errExit("asprintf"); - if (lstat(dest, &s) == -1) - touch_file_as_user(dest, getuid(), getgid(), 0600); - - // get a file descriptor for .Xauthority - fd = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC); - if (fd == -1) - errExit("safe_fd"); - // check if the actual mount destination is a user owned regular file - if (fstat(fd, &s) == -1) - errExit("fstat"); - if (!S_ISREG(s.st_mode) || s.st_uid != getuid()) { - if (S_ISLNK(s.st_mode)) - fprintf(stderr, "Error: .Xauthority is a symbolic link\n"); - else - fprintf(stderr, "Error: .Xauthority is not a user owned regular file\n"); - exit(1); - } - - // mount via the link in /proc/self/fd - char *proc; - if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) - errExit("asprintf"); - if (mount(RUN_XAUTHORITY_SEC_FILE, proc, "none", MS_BIND, "mode=0600") == -1) { - fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); - exit(1); - } - free(proc); - close(fd); - // check /proc/self/mountinfo to confirm the mount is ok - MountData *mptr = get_last_mount(); - if (strcmp(mptr->dir, dest) != 0 || strcmp(mptr->fstype, "tmpfs") != 0) - errLogExit("invalid .Xauthority mount"); - - ASSERT_PERMS(dest, getuid(), getgid(), 0600); - free(dest); -#endif -} - - -void fs_x11(void) { -#ifdef HAVE_X11 - int display = x11_display(); - if (display <= 0) - return; - - char *x11file; - if (asprintf(&x11file, "/tmp/.X11-unix/X%d", display) == -1) - errExit("asprintf"); - struct stat x11stat; - if (stat(x11file, &x11stat) == -1 || !S_ISSOCK(x11stat.st_mode)) { - free(x11file); - return; - } - - if (arg_debug 
|| arg_debug_whitelists) - fprintf(stderr, "Masking all X11 sockets except %s\n", x11file); - - // Move the real /tmp/.X11-unix to a scratch location - // so we can still access x11file after we mount a - // tmpfs over /tmp/.X11-unix. - int rv = mkdir(RUN_WHITELIST_X11_DIR, 0700); - if (rv == -1) - errExit("mkdir"); - if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 0700)) - errExit("set_perms"); - - if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, 0, MS_BIND|MS_REC, 0) < 0) - errExit("mount bind"); - - // This directory must be mode 1777, or Xlib will barf. - if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", - MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, - "mode=1777,uid=0,gid=0") < 0) - errExit("mounting tmpfs on /tmp/.X11-unix"); - fs_logger("tmpfs /tmp/.X11-unix"); - - // create an empty file which will have the desired socket bind-mounted over it - int fd = open(x11file, O_RDWR|O_CREAT|O_EXCL, x11stat.st_mode & ~S_IFMT); - if (fd < 0) - errExit(x11file); - if (fchown(fd, x11stat.st_uid, x11stat.st_gid)) - errExit("fchown"); - close(fd); - - // do the mount - char *wx11file; - if (asprintf(&wx11file, "%s/X%d", RUN_WHITELIST_X11_DIR, display) == -1) - errExit("asprintf"); - if (mount(wx11file, x11file, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); - fs_logger2("whitelist", x11file); - - free(x11file); - free(wx11file); - - // block access to RUN_WHITELIST_X11_DIR - if (mount(RUN_RO_DIR, RUN_WHITELIST_X11_DIR, 0, MS_BIND, 0) < 0) - errExit("mount"); - fs_logger2("blacklist", RUN_WHITELIST_X11_DIR); -#endif -} - - -void x11_block(void) { -#ifdef HAVE_X11 - // check abstract socket presence and network namespace options - if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured) - && x11_abstract_sockets_present()) { - fprintf(stderr, "ERROR: --x11=none specified, but abstract X11 socket still accessible.\n" - "Additional setup required. 
To block abstract X11 socket you can either:\n" - " * use network namespace in firejail (--net=none, --net=...)\n" - " * add \"-nolisten local\" to xserver options\n" - " (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n"); - exit(1); - } - - // blacklist sockets - profile_check_line("blacklist /tmp/.X11-unix", 0, NULL); - profile_add(strdup("blacklist /tmp/.X11-unix")); - - // blacklist .Xauthority - profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL); - profile_add(strdup("blacklist ${HOME}/.Xauthority")); - char *xauthority = getenv("XAUTHORITY"); - if (xauthority) { - char *line; - if (asprintf(&line, "blacklist %s", xauthority) == -1) - errExit("asprintf"); - profile_check_line(line, 0, NULL); - profile_add(line); - } - - // clear environment - env_store("DISPLAY", RMENV); - env_store("XAUTHORITY", RMENV); -#endif -} diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in deleted file mode 100644 index 5af37cfbd..000000000 --- a/src/fldd/Makefile.in +++ /dev/null @@ -1,14 +0,0 @@ -all: fldd - -include ../common.mk - -%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h - $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@ - -fldd: $(OBJS) ../lib/ldd_utils.o - $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) - -clean:; rm -f *.o fldd *.gcov *.gcda *.gcno - -distclean: clean - rm -fr Makefile diff --git a/src/fldd/main.c b/src/fldd/main.c deleted file mode 100644 index 4658e82fb..000000000 --- a/src/fldd/main.c +++ /dev/null 
@@ -1,353 +0,0 @@ -/* - * Copyright (C) 2014-2018 Firejail Authors - * - * This file is part of firejail project - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ - -#include "../include/common.h" -#include "../include/ldd_utils.h" - -#include -#include -#include -#include -#include -#include -#include - - -static int arg_quiet = 0; -static void copy_libs_for_lib(const char *lib); - -typedef struct storage_t { - struct storage_t *next; - const char *name; -} Storage; -static Storage *libs = NULL; -static Storage *lib_paths = NULL; - -// return 1 if found -static int storage_find(Storage *ptr, const char *name) { - while (ptr) { - if (strcmp(ptr->name, name) == 0) - return 1; - ptr = ptr->next; - } - - return 0; -} - -static void storage_add(Storage **head, const char *name) { - if (storage_find(*head, name)) - return; - - Storage *s = malloc(sizeof(Storage)); - if (!s) - errExit("malloc"); - s->next = *head; - *head = s; - s->name = strdup(name); - if (!s->name) - errExit("strdup"); -} - - -static void storage_print(Storage *ptr, int fd) { - while (ptr) { - dprintf(fd, "%s\n", ptr->name); - ptr = ptr->next; - } -} - -static bool ptr_ok(const void *ptr, const void *base, const void *end, const char *name) { - bool r; - (void) name; - - r = (ptr >= base && ptr < end); - return r; -} - - 
-static void parse_elf(const char *exe) { - int f; - f = open(exe, O_RDONLY); - if (f < 0) { - if (!arg_quiet) - fprintf(stderr, "Warning fldd: cannot open %s, skipping...\n", exe); - return; - } - - struct stat s; - char *base = NULL, *end; - if (fstat(f, &s) == -1) - goto error_close; - base = mmap(0, s.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, f, 0); - if (base == MAP_FAILED) - goto error_close; - - end = base + s.st_size; - - Elf_Ehdr *ebuf = (Elf_Ehdr *)base; - if (strncmp((const char *)ebuf->e_ident, ELFMAG, SELFMAG) != 0) { - if (!arg_quiet) - fprintf(stderr, "Warning fldd: %s is not an ELF executable or library\n", exe); - goto close; - } -//unsigned char elfclass = ebuf->e_ident[EI_CLASS]; -//if (elfclass == ELFCLASS32) -//printf("%s 32bit\n", exe); -//else if (elfclass == ELFCLASS64) -//printf("%s 64bit\n", exe); - - - Elf_Phdr *pbuf = (Elf_Phdr *)(base + sizeof(*ebuf)); - while (ebuf->e_phnum-- > 0 && ptr_ok(pbuf, base, end, "pbuf")) { - switch (pbuf->p_type) { - case PT_INTERP: - // dynamic loader ld-linux.so - if (!ptr_ok(base + pbuf->p_offset, base, end, "base + pbuf->p_offset")) - goto close; - - storage_add(&libs, base + pbuf->p_offset); - break; - } - pbuf++; - } - - Elf_Shdr *sbuf = (Elf_Shdr *)(base + ebuf->e_shoff); - if (!ptr_ok(sbuf, base, end, "sbuf")) - goto close; - - // Find strings section - char *strbase = NULL; - int sections = ebuf->e_shnum; - while (sections-- > 0 && ptr_ok(sbuf, base, end, "sbuf")) { - if (sbuf->sh_type == SHT_STRTAB) { - strbase = base + sbuf->sh_offset; - if (!ptr_ok(strbase, base, end, "strbase")) - goto close; - break; - } - sbuf++; - } - if (strbase == NULL) - goto error_close; - - // Find dynamic section - sections = ebuf->e_shnum; - while (sections-- > 0 && ptr_ok(sbuf, base, end, "sbuf")) { -// TODO: running fldd on large gui programs (fldd /usr/bin/transmission-qt) -// crash on accessing memory location sbuf->sh_type if sbuf->sh_type in the previous section was 0 (SHT_NULL) -// for now we just exit the 
while loop - this is probably incorrect -// printf("sbuf %p #%s#, sections %d, type %u\n", sbuf, exe, sections, sbuf->sh_type); - if (!ptr_ok(sbuf, base, end, "sbuf")) - goto close; - - if (sbuf->sh_type == SHT_NULL) - break; - if (sbuf->sh_type == SHT_DYNAMIC) { - Elf_Dyn *dbuf = (Elf_Dyn *)(base + sbuf->sh_offset); - if (!ptr_ok(dbuf, base, end, "dbuf")) - goto close; - // Find DT_RPATH/DT_RUNPATH tags first - unsigned long size = sbuf->sh_size; - while (size >= sizeof(*dbuf) && ptr_ok(dbuf, base, end, "dbuf")) { - if (dbuf->d_tag == DT_RPATH || dbuf->d_tag == DT_RUNPATH) { - const char *searchpath = strbase + dbuf->d_un.d_ptr; - if (!ptr_ok(searchpath, base, end, "searchpath")) - goto close; - storage_add(&lib_paths, searchpath); - } - size -= sizeof(*dbuf); - dbuf++; - } - // Find DT_NEEDED tags - dbuf = (Elf_Dyn *)(base + sbuf->sh_offset); - size = sbuf->sh_size; - while (size >= sizeof(*dbuf) && ptr_ok(dbuf, base, end, "dbuf")) { - if (dbuf->d_tag == DT_NEEDED) { - const char *lib = strbase + dbuf->d_un.d_ptr; - if (!ptr_ok(lib, base, end, "lib")) - goto close; - copy_libs_for_lib(lib); - } - size -= sizeof(*dbuf); - dbuf++; - } - } - sbuf++; - } - goto close; - - error_close: - perror("copy libs"); - close: - if (base) - munmap(base, s.st_size); - - close(f); -} - -static void copy_libs_for_lib(const char *lib) { - Storage *lib_path; - for (lib_path = lib_paths; lib_path; lib_path = lib_path->next) { - char *fname; - if (asprintf(&fname, "%s/%s", lib_path->name, lib) == -1) - errExit("asprintf"); - if (access(fname, R_OK) == 0 && is_lib_64(fname)) { - if (!storage_find(libs, fname)) { - storage_add(&libs, fname); - // libs may need other libs - parse_elf(fname); - } - free(fname); - return; - } - free(fname); - } - - // log a warning and continue - if (!arg_quiet) - fprintf(stderr, "Warning fldd: cannot find %s, skipping...\n", lib); -} - -static void lib_paths_init(void) { - int i; - for (i = 0; default_lib_paths[i]; i++) - storage_add(&lib_paths, 
default_lib_paths[i]); -} - - -static void walk_directory(const char *dirname) { - assert(dirname); - - DIR *dir = opendir(dirname); - if (dir) { - struct dirent *entry; - while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, ".") == 0) - continue; - if (strcmp(entry->d_name, "..") == 0) - continue; - - // build full path - char *path; - if (asprintf(&path, "%s/%s", dirname, entry->d_name) == -1) - errExit("asprintf"); - - // check regular so library - char *ptr = strstr(entry->d_name, ".so"); - if (ptr && is_lib_64(path)) { - if (*(ptr + 3) == '\0' || *(ptr + 3) == '.') { - parse_elf(path); - free(path); - continue; - } - } - - // check directory - // entry->d_type field is supported in glibc since version 2.19 (Feb 2014) - // we'll use stat to check for directories - struct stat s; - if (stat(path, &s) == -1) - errExit("stat"); - if (S_ISDIR(s.st_mode)) - walk_directory(path); - } - closedir(dir); - } -} - - - -static void usage(void) { - printf("Usage: fldd program_or_directory [file]\n"); - printf("Print a list of libraries used by program or store it in the file.\n"); - printf("Print a list of libraries used by all .so files in a directory or store it in the file.\n"); -} - -int main(int argc, char **argv) { -#if 0 -{ -//system("cat /proc/self/status"); -int i; -for (i = 0; i < argc; i++) - printf("*%s* ", argv[i]); -printf("\n"); -} -#endif - if (argc < 2) { - fprintf(stderr, "Error fldd: invalid arguments\n"); - usage(); - exit(1); - } - - - if (strcmp(argv[1], "--help") == 0) { - usage(); - return 0; - } - - // check program access - if (access(argv[1], R_OK)) { - fprintf(stderr, "Error fldd: cannot access %s\n", argv[1]); - exit(1); - } - - char *quiet = getenv("FIREJAIL_QUIET"); - if (quiet && strcmp(quiet, "yes") == 0) - arg_quiet = 1; - - if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { - usage(); - return 0; - } - - int fd = STDOUT_FILENO; - // attempt to open the file - if (argc == 3) { - 
fd = open(argv[2], O_CREAT | O_TRUNC | O_WRONLY, 0644); - if (!fd) { - fprintf(stderr, "Error fldd: invalid arguments\n"); - usage(); - exit(1); - } - } - - // initialize local storage - lib_paths_init(); - - // process files - struct stat s; - if (stat(argv[1], &s) == -1) - errExit("stat"); - if (S_ISDIR(s.st_mode)) - walk_directory(argv[1]); - else { - if (is_lib_64(argv[1])) - parse_elf(argv[1]); - else - fprintf(stderr, "Warning fldd: %s is not a 64bit program/library\n", argv[1]); - } - - - // print libraries and exit - storage_print(libs, fd); - if (argc == 3) - close(fd); - return 0; -} diff --git a/status b/status index 533ccc69e..f59f8e5a2 100644 --- a/status +++ b/status @@ -1,2 +1,5 @@ -starting from main as of Jul 27 -removing chroot, overlayfs, x11, private-bin, private-lib +Phase 1 +- starting from main as of Jul 27 +- removing chroot, overlayfs, x11, private-bin, private-lib +- removing private-home, audit, build + diff --git a/test/apps-x11-xorg/apps-x11-xorg.sh b/test/apps-x11-xorg/apps-x11-xorg.sh deleted file mode 100755 index ea07d3713..000000000 --- a/test/apps-x11-xorg/apps-x11-xorg.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -export MALLOC_CHECK_=3 -export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) - -which firefox 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: firefox x11 xorg" - ./firefox.exp -else - echo "TESTING SKIP: firefox not found" -fi - -which transmission-gtk 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: transmission-gtk x11 xorg" - ./transmission-gtk.exp -else - echo "TESTING SKIP: transmission-gtk not found" -fi - -which thunderbird 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: thunderbird x11 xorg" - ./thunderbird.exp -else - echo "TESTING SKIP: thunderbird not found" -fi diff --git a/test/apps-x11-xorg/firefox.exp b/test/apps-x11-xorg/firefox.exp deleted file mode 100755 index 10575b277..000000000 
--- a/test/apps-x11-xorg/firefox.exp
+++ /dev/null
@@ -1,90 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange firefox -no-remote www.gentoo.org\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "firefox" {puts "firefox detected\n";} - "iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "no-remote" -} -sleep 1 -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp --nowrap\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - " firefox" {puts "firefox detected\n";} - " iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "no-remote" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps --nowrap\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - " firefox" {puts "firefox detected\n";} - " iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "no-remote" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { 
- timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" diff --git a/test/apps-x11-xorg/thunderbird.exp b/test/apps-x11-xorg/thunderbird.exp deleted file mode 100755 index 6706cc321..000000000 --- a/test/apps-x11-xorg/thunderbird.exp +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange thunderbird\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "thunderbird" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp --nowrap\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "thunderbird" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 2 -send -- "firemon --caps --nowrap\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "thunderbird" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" diff --git a/test/apps-x11-xorg/transmission-gtk.exp b/test/apps-x11-xorg/transmission-gtk.exp deleted file mode 100755 index 75c302764..000000000 
--- a/test/apps-x11-xorg/transmission-gtk.exp +++ /dev/null @@ -1,85 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11=xorg --ignore=net --ignore=netfilter --ignore=iprange transmission-gtk\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "transmission-gtk" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp --nowrap\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "transmission-gtk" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps --nowrap\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "transmission-gtk" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" 
diff --git a/test/apps-x11/apps-x11.sh b/test/apps-x11/apps-x11.sh deleted file mode 100755 index c12b11f3e..000000000 --- a/test/apps-x11/apps-x11.sh +++ /dev/null @@ -1,87 +0,0 @@ -#!/bin/bash -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -export MALLOC_CHECK_=3 -export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) - -echo "TESTING: no x11 (test/apps-x11/x11-none.exp)" -./x11-none.exp - - -which xterm 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: xterm x11 xorg" - ./xterm-xorg.exp - - which xpra 2>/dev/null - if [ "$?" -eq 0 ]; - then - echo "TESTING: xterm x11 xpra" - ./xterm-xpra.exp - fi - - which Xephyr 2>/dev/null - if [ "$?" -eq 0 ]; - then - echo "TESTING: xterm x11 xephyr" - ./xterm-xephyr.exp - fi -else - echo "TESTING SKIP: xterm not found" -fi - -# check xpra/xephyr -which xpra 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "xpra found" -else - echo "xpra not found" - which Xephyr 2>/dev/null - if [ "$?" -eq 0 ]; - then - echo "Xephyr found" - else - echo "TESTING SKIP: xpra and/or Xephyr not found" - exit - fi -fi - -which firefox 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: firefox x11" - ./firefox.exp -else - echo "TESTING SKIP: firefox not found" -fi - -which chromium 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: chromium x11" - ./chromium.exp -else - echo "TESTING SKIP: chromium not found" -fi - -which transmission-gtk 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: transmission-gtk x11" - ./transmission-gtk.exp -else - echo "TESTING SKIP: transmission-gtk not found" -fi - -which thunderbird 2>/dev/null -if [ "$?" -eq 0 ]; -then - echo "TESTING: thunderbird x11" - ./thunderbird.exp -else - echo "TESTING SKIP: thunderbird not found" -fi diff --git a/test/apps-x11/chromium.exp b/test/apps-x11/chromium.exp deleted file mode 100755 index f72b86dde..000000000 --- a/test/apps-x11/chromium.exp +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11 chromium www.gentoo.org\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "chromium" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "chromium" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "Seccomp: 0" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "chromium" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "00240000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - - -puts "\nall done\n" diff --git a/test/apps-x11/firefox.exp b/test/apps-x11/firefox.exp deleted file mode 100755 index 8021042e5..000000000 --- a/test/apps-x11/firefox.exp +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11 firefox -no-remote www.gentoo.org\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "firefox" {puts "firefox detected\n";} - "iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "no-remote" -} -sleep 1 -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - " firefox" {puts "firefox detected\n";} - " iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "no-remote" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - " firefox" {puts "firefox detected\n";} - " iceweasel" {puts "iceweasel detected\n";} -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "no-remote" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} 
-sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" diff --git a/test/apps-x11/thunderbird.exp b/test/apps-x11/thunderbird.exp deleted file mode 100755 index 5994ab15e..000000000 --- a/test/apps-x11/thunderbird.exp +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11 thunderbird\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "thunderbird" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "thunderbird" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 2 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "thunderbird" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" diff --git a/test/apps-x11/transmission-gtk.exp b/test/apps-x11/transmission-gtk.exp deleted file mode 100755 index 48c685cf0..000000000 --- a/test/apps-x11/transmission-gtk.exp +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11 transmission-gtk\r" -sleep 10 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "transmission-gtk" -} -sleep 1 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 5.0\n";exit} - "transmission-gtk" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firemon --caps\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6.0\n";exit} - "transmission-gtk" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -sleep 1 -send -- "firejail --shutdown=test\r" -sleep 3 - -puts "\nall done\n" diff --git a/test/apps-x11/x11-none.exp b/test/apps-x11/x11-none.exp deleted file mode 100755 index e6e515966..000000000 --- a/test/apps-x11/x11-none.exp +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11=none\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "use network namespace in firejail" -} -sleep 1 - -send -- "firejail --name=test --net=none --x11=none\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al /tmp/.X11-unix\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "cannot open directory" -} -after 100 - -send -- "xterm\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "DISPLAY is not set" -} -after 100 - -send -- "export DISPLAY=:0.0\r" -after 100 -send -- "xterm\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Xt error" -} -after 100 - -puts "\nall done\n" diff --git a/test/apps-x11/x11-xephyr.exp b/test/apps-x11/x11-xephyr.exp deleted file mode 100755 index 68f981096..000000000 --- a/test/apps-x11/x11-xephyr.exp +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2018 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --x11=xephyr xterm\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} - -exit - - -sleep 5 - - -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "use network namespace in firejail" -} -sleep 1 - -send -- "firejail --name=test --net=none --x11=none\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "ls -al /tmp/.X11-unix\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "cannot open directory" -} -after 100 - -send -- "xterm\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "DISPLAY is not set" -} -after 100 - -send -- "export DISPLAY=:0.0\r" -after 100 -send -- "xterm\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Xt error" -} -after 100 - -puts "\nall done\n" diff --git a/test/apps-x11/xterm-xephyr.exp b/test/apps-x11/xterm-xephyr.exp deleted file mode 100755 index 63fa03fbb..000000000 --- a/test/apps-x11/xterm-xephyr.exp +++ /dev/null 
@@ -1,85 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --x11=xephyr xterm\r"
-sleep 10
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "xterm"
-}
-sleep 1
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 5.0\n";exit}
- "xterm"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 6.0\n";exit}
- "xterm"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firejail --shutdown=test\r"
-sleep 3
-
-puts "\nall done\n"
diff --git a/test/apps-x11/xterm-xorg.exp b/test/apps-x11/xterm-xorg.exp
deleted file mode 100755
index a31925383..000000000
--- a/test/apps-x11/xterm-xorg.exp
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --x11=xorg xterm\r"
-sleep 10
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "xterm"
-}
-sleep 1
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 5.0\n";exit}
- "xterm"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 6.0\n";exit}
- "xterm"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firejail --shutdown=test\r"
-sleep 3
-
-puts "\nall done\n"
diff --git a/test/apps-x11/xterm-xpra.exp b/test/apps-x11/xterm-xpra.exp
deleted file mode 100755
index 8830bb003..000000000
--- a/test/apps-x11/xterm-xpra.exp
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --name=test --x11=xpra xterm\r"
-sleep 10
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "xterm"
-}
-sleep 1
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 5.0\n";exit}
- "xterm"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 6.0\n";exit}
- "xterm"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-sleep 1
-
-send -- "firemon --x11\r"
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "name=test xterm"
-}
-expect {
- timeout {puts "TESTING ERROR 7.1\n";exit}
- "DISPLAY"
-}
-sleep 1
-
-send -- "firejail --shutdown=test\r"
-sleep 3
-
-puts "\nall done\n"
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh
deleted file mode 100755
index 0f0fdab22..000000000
--- a/test/chroot/chroot.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-export MALLOC_CHECK_=3
-export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-
-rm -f unchroot
-gcc -o unchroot unchroot.c
-sudo ./configure
-
-echo "TESTING: chroot (test/chroot/fs_chroot.exp)"
-./fs_chroot.exp
-
-echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)"
-sudo ./unchroot-as-root.exp
-
-
-
-rm -f unchroot
diff --git a/test/chroot/configure b/test/chroot/configure
deleted file mode 100755
index 26a516931..000000000
--- a/test/chroot/configure
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-# build a very small chroot
-ROOTDIR="/tmp/chroot" # default chroot directory
-DEFAULT_FILES="/bin/bash /bin/sh " # basic chroot files
-DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
-DEFAULT_FILES+=`find /lib -name libnss*` # files required by glibc
-DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
-
-rm -fr $ROOTDIR
-mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc,sys}
-chmod 777 $ROOTDIR/tmp
-mkdir -p $ROOTDIR/etc/firejail
-mkdir -p $ROOTDIR/home/netblue/.config/firejail
-chown netblue:netblue $ROOTDIR/home/netblue
-chown netblue:netblue $ROOTDIR/home/netblue/.config
-cp /home/netblue/.Xauthority $ROOTDIR/home/netblue/.
-cp -a /etc/skel $ROOTDIR/etc/.
-mkdir $ROOTDIR/home/someotheruser
-mkdir $ROOTDIR/boot
-mkdir $ROOTDIR/selinux
-cp /etc/passwd $ROOTDIR/etc/.
-cp /etc/group $ROOTDIR/etc/.
-cp /etc/hosts $ROOTDIR/etc/.
-cp /etc/hostname $ROOTDIR/etc/.
-mkdir -p $ROOTDIR/usr/lib/x86_64-linux-gnu
-cp -a /usr/lib/x86_64-linux-gnu/openssl-1.0.0 $ROOTDIR/usr/lib/x86_64-linux-gnu/.
-cp -a /usr/lib/ssl $ROOTDIR/usr/lib/.
-touch $ROOTDIR/var/log/syslog
-touch $ROOTDIR/var/tmp/somefile
-SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u`
-for FILE in $SORTED
-do
- cp --parents $FILE $ROOTDIR
-done
-cp --parents /lib64/ld-linux-x86-64.so.2 $ROOTDIR
-cp --parents /lib/ld-linux.so.2 $ROOTDIR
-cp unchroot $ROOTDIR/.
-touch $ROOTDIR/this-is-my-chroot
-
-cd $ROOTDIR; find .
-mkdir -p usr/lib/firejail/
-cp /usr/lib/firejail/libtrace.so usr/lib/firejail/.
-
-
-echo "To enter the chroot directory run: firejail --chroot=$ROOTDIR"
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp
deleted file mode 100755
index a071027e5..000000000
--- a/test/chroot/fs_chroot.exp
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --chroot=/tmp/chroot\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
- "Child process initialized" {puts "chroot available\n"};
-}
-sleep 1
-
-send -- "cd /home;pwd\r"
-expect {
- timeout {puts "TESTING ERROR 0.1\n";exit}
- "home"
-}
-sleep 1
-send -- "bash\r"
-sleep 1
-send -- "ls /\r"
-expect {
- timeout {puts "TESTING ERROR 0.2\n";exit}
- "this-is-my-chroot"
-}
-after 100
-
-send -- "ps aux\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "/bin/bash"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "bash"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "ps aux"
-}
-after 100
-
-send -- "ps aux | wc -l; pwd\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "6"
-}
-after 100
-
-# check /sys directory
-send -- "ls /sys\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "block"
-}
-after 100
-
-
-puts "all done\n"
diff --git a/test/chroot/unchroot-as-root.exp b/test/chroot/unchroot-as-root.exp
deleted file mode 100755
index e4bedd539..000000000
--- a/test/chroot/unchroot-as-root.exp
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --chroot=/tmp/chroot\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
- "Child process initialized" {puts "chroot available\n"};
-}
-sleep 1
-
-send -- "cd /\r"
-after 100
-
-
-send -- "./unchroot\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Bad system call"
-}
-after 100
-
-puts "all done\n"
diff --git a/test/chroot/unchroot.c b/test/chroot/unchroot.c
deleted file mode 100644
index 4919637d6..000000000
--- a/test/chroot/unchroot.c
+++ /dev/null
@@ -1,40 +0,0 @@
-// simple unchroot example from http://linux-vserver.org/Secure_chroot_Barrier
-#include
-#include
-#include
-#include
-#include
-
-void die(char *msg) {
- perror(msg);
- exit(1);
-}
-
-int main(int argc, char *argv[])
-{
- int i;
-
- if (chdir("/") != 0)
- die("chdir(/)");
-
- if (mkdir("baz", 0777) != 0)
- ; //die("mkdir(baz)");
-
- if (chroot("baz") != 0)
- die("chroot(baz)");
-
- for (i=0; i<50; i++) {
- if (chdir("..") != 0)
- die("chdir(..)");
- }
-
- if (chroot(".") != 0)
- die("chroot(.)");
-
- printf("Exploit seems to work. =)\n");
-
- execl("/bin/bash", "bash", "-i", (char *)0);
- die("exec bash");
-
- exit(0);
-}
diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp
deleted file mode 100755
index ec24b23af..000000000
--- a/test/overlay/firefox-x11-xorg.exp
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --overlay --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
-sleep 10
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "firefox" {puts "firefox detected\n";}
- "iceweasel" {puts "iceweasel detected\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 3.2\n";exit}
- "no-remote"
-}
-sleep 1
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-send -- "firejail --overlay --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- " firefox" {puts "firefox detected\n";}
- " iceweasel" {puts "iceweasel detected\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 5.0\n";exit}
- "no-remote"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- " firefox" {puts "firefox detected\n";}
- " iceweasel" {puts "iceweasel detected\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 6.0\n";exit}
- "no-remote"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firejail --shutdown=test\r"
-sleep 3
-
-puts "\nall done\n"
diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp
deleted file mode 100755
index 1b7034af0..000000000
--- a/test/overlay/firefox-x11.exp
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --overlay --name=test --x11 firefox -no-remote www.gentoo.org\r"
-sleep 10
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "firefox" {puts "firefox detected\n";}
- "iceweasel" {puts "iceweasel detected\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 3.2\n";exit}
- "no-remote"
-}
-sleep 1
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-send -- "firejail --name=blablabla --overlay\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- " firefox" {puts "firefox detected\n";}
- " iceweasel" {puts "iceweasel detected\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 5.0\n";exit}
- "no-remote"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- " firefox" {puts "firefox detected\n";}
- " iceweasel" {puts "iceweasel detected\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 6.0\n";exit}
- "no-remote"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-sleep 1
-send -- "firejail --shutdown=test\r"
-sleep 3
-
-puts "\nall done\n"
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp
deleted file mode 100755
index 5bdd6751f..000000000
--- a/test/overlay/firefox.exp
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --overlay firefox -no-remote www.gentoo.org\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/firefox.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 10
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "firefox" {puts "firefox detected\n";}
- "iceweasel" {puts "iceweasel detected\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 3.2\n";exit}
- "no-remote"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-
-send -- "firejail --name=blablabla --overlay\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- " firefox" {puts "firefox detected\n";}
- " iceweasel" {puts "iceweasel detected\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 5.0\n";exit}
- "no-remote"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- " firefox" {puts "firefox detected\n";}
- " iceweasel" {puts "iceweasel detected\n";}
-}
-expect {
- timeout {puts "TESTING ERROR 6.0\n";exit}
- "no-remote"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/overlay/fs-named.exp b/test/overlay/fs-named.exp
deleted file mode 100755
index 0356720bc..000000000
--- a/test/overlay/fs-named.exp
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --overlay-named=firejail-test\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Child process initialized" {puts "found\n"}
-}
-sleep 1
-send -- "stty -echo\r"
-after 100
-
-send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "done"
-}
-after 100
-
-send -- "cat ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "xyzxyzxyz"
-}
-expect {
- timeout {puts "TESTING ERROR 4.1\n";exit}
- "done"
-}
-after 100
-
-send -- "exit\r"
-sleep 2
-
-send -- "cat ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
- "done"
-}
-after 100
-
-send -- "firejail --overlay-named=firejail-test\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Child process initialized" {puts "found\n"}
-}
-sleep 1
-
-send -- "stty -echo\r"
-after 100
-send -- "cat ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "xyzxyzxyz"
-}
-expect {
- timeout {puts "TESTING ERROR 4.1\n";exit}
- "done"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/overlay/fs-tmpfs.exp b/test/overlay/fs-tmpfs.exp
deleted file mode 100755
index 20fa315b6..000000000
--- a/test/overlay/fs-tmpfs.exp
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --overlay-clean\r"
-after 100
-send -- "file ~/.firejail\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "cannot open"
-}
-after 100
-
-send -- "firejail --overlay-tmpfs\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Child process initialized" {puts "found\n"}
-}
-sleep 1
-send -- "stty -echo\r"
-after 100
-
-send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "done"
-}
-after 100
-
-send -- "stty -echo\r"
-after 100
-send -- "cat ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "xyzxyzxyz"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "done"
-}
-after 100
-
-send -- "exit\r"
-sleep 1
-
-send -- "stty -echo\r"
-after 100
-send -- "cat ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "xyzxyzxyz" {puts "TESTING ERROR 6\n";exit}
- "done"
-}
-after 100
-
-send -- "file ~/.firejail\r"
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "cannot open"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp
deleted file mode 100755
index 9debe6536..000000000
--- a/test/overlay/fs.exp
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --overlay\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
- "Child process initialized" {puts "found\n"}
-}
-sleep 1
-
-send -- "stty -echo\r"
-after 100
-send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "done"
-}
-after 100
-
-send -- "stty -echo\r"
-after 100
-send -- "cat ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "xyzxyzxyz"
-}
-expect {
- timeout {puts "TESTING ERROR 4.1\n";exit}
- "done"
-}
-after 100
-
-send -- "exit\r"
-sleep 2
-
-send -- "stty -echo\r"
-after 100
-send -- "cat ~/_firejail_test_file; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
- "done"
-}
-after 100
-
-# check /sys directory
-send -- "ls /sys\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "block"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh
deleted file mode 100755
index 9daf1f5f6..000000000
--- a/test/overlay/overlay.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-export MALLOC_CHECK_=3
-export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-
-echo "TESTING: overlay fs (test/overlay/fs.exp)"
-rm -fr ~/_firejail_test_*
-./fs.exp
-rm -fr ~/_firejail_test_*
-
-echo "TESTING: overlay named fs (test/overlay/fs-named.exp)"
-rm -fr ~/_firejail_test_*
-./fs-named.exp
-rm -fr ~/_firejail_test_*
-
-echo "TESTING: overlay tmpfs fs (test/overlay/fs-tmpfs.exp)"
-rm -fr ~/_firejail_test_*
-./fs-tmpfs.exp
-rm -fr ~/_firejail_test_*
-
-which firefox 2>/dev/null
-if [ "$?" -eq 0 ];
-then
- echo "TESTING: overlay firefox"
- ./firefox.exp
-else
- echo "TESTING SKIP: firefox not found"
-fi
-
-which firefox 2>/dev/null
-if [ "$?" -eq 0 ];
-then
- echo "TESTING: overlay firefox x11 xorg"
- ./firefox.exp
-else
- echo "TESTING SKIP: firefox not found"
-fi
-
-
-# check xpra/xephyr
-which xpra 2>/dev/null
-if [ "$?" -eq 0 ];
-then
- echo "xpra found"
-else
- echo "xpra not found"
- which Xephyr 2>/dev/null
- if [ "$?" -eq 0 ];
- then
- echo "Xephyr found"
- else
- echo "TESTING SKIP: xpra and/or Xephyr not found"
- exit
- fi
-fi
-
-which firefox 2>/dev/null
-if [ "$?" -eq 0 ];
-then
- echo "TESTING: overlay firefox x11"
- ./firefox-x11.exp
-else
- echo "TESTING SKIP: firefox not found"
-fi
diff --git a/test/private-lib/atril.exp b/test/private-lib/atril.exp
deleted file mode 100755
index 04b11a646..000000000
--- a/test/private-lib/atril.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail atril\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/atril.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "atril"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail atril"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail atril"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/eog.exp b/test/private-lib/eog.exp
deleted file mode 100755
index 1b5406add..000000000
--- a/test/private-lib/eog.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail eog\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/eog.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "eog"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail eog"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail eog"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/eom.exp b/test/private-lib/eom.exp
deleted file mode 100755
index a8b74de98..000000000
--- a/test/private-lib/eom.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail eom\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/eom.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "eom"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail eom"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail eom"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/evince.exp b/test/private-lib/evince.exp
deleted file mode 100755
index 94ed826db..000000000
--- a/test/private-lib/evince.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail evince\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/evince.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "evince"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail evince"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail evince"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/galculator.exp b/test/private-lib/galculator.exp
deleted file mode 100755
index c18c07571..000000000
--- a/test/private-lib/galculator.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail galculator\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/galculator.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "galculator"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail galculator"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail galculator"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/gedit.exp b/test/private-lib/gedit.exp
deleted file mode 100755
index 00fa934e7..000000000
--- a/test/private-lib/gedit.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail /usr/bin/gedit\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/gedit.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "gedit"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail /usr/bin/gedit"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail /usr/bin/gedit"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/gnome-calculator.exp b/test/private-lib/gnome-calculator.exp
deleted file mode 100755
index e9d2c8208..000000000
--- a/test/private-lib/gnome-calculator.exp
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-# gnome-calculator uses quiet at the top of the profile
-# we need to use --ignore
-send -- "firejail --ignore=quiet gnome-calculator\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/gnome-calculator.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "gnome-calculator"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail --ignore=quiet gnome-calculator"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail --ignore=quiet gnome-calculator"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/gpicview.exp b/test/private-lib/gpicview.exp
deleted file mode 100755
index 8d36a9d11..000000000
--- a/test/private-lib/gpicview.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail gpicview\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/gpicview.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "gpicview"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail gpicview"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail gpicview"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/leafpad.exp b/test/private-lib/leafpad.exp
deleted file mode 100755
index 2a1b07f94..000000000
--- a/test/private-lib/leafpad.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail leafpad\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/leafpad.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "leafpad"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail leafpad"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail leafpad"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/mousepad.exp b/test/private-lib/mousepad.exp
deleted file mode 100755
index 2e8f5e92b..000000000
--- a/test/private-lib/mousepad.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail mousepad\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/mousepad.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "mousepad"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail mousepad"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail mousepad"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/pluma.exp b/test/private-lib/pluma.exp
deleted file mode 100755
index 92ae0a345..000000000
--- a/test/private-lib/pluma.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail pluma\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/pluma.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "pluma"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail pluma"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail pluma"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh
deleted file mode 100755
index edf81917a..000000000
--- a/test/private-lib/private-lib.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-export MALLOC_CHECK_=3
-export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
-LIST="evince galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog"
-
-
-for app in $LIST; do
- which $app 2>/dev/null
- if [ "$?" -eq 0 ];
- then
- echo "TESTING: private-lib $app"
- ./$app.exp
- else
- echo "TESTING SKIP: $app not found"
- fi
-done
diff --git a/test/private-lib/transmission-gtk.exp b/test/private-lib/transmission-gtk.exp
deleted file mode 100755
index 06559293b..000000000
--- a/test/private-lib/transmission-gtk.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail transmission-gtk\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/transmission-gtk.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "transmission-gtk"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail transmission-gtk"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail transmission-gtk"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/private-lib/xcalc.exp b/test/private-lib/xcalc.exp
deleted file mode 100755
index 12bd73b51..000000000
--- a/test/private-lib/xcalc.exp
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail xcalc\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Reading profile /etc/firejail/xcalc.profile"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Child process initialized"
-}
-sleep 3
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- ":firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3.1\n";exit}
- "xcalc"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
- timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
- "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
- "cannot open" {puts "grsecurity not present\n"}
-}
-
-send -- "firejail --name=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
- ":firejail xcalc"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
- "Seccomp: 2"
-}
-expect {
- timeout {puts "TESTING ERROR 5.1\n";exit}
- "name=blablabla"
-}
-after 100
-send -- "firemon --caps\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- ":firejail xcalc"
-}
-expect {
- timeout {puts "TESTING ERROR 6.1\n";exit}
- "CapBnd:"
-}
-expect {
- timeout {puts "TESTING ERROR 6.2\n";exit}
- "0000000000000000"
-}
-expect {
- timeout {puts "TESTING ERROR 6.3\n";exit}
- "name=blablabla"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/utils/audit.exp b/test/utils/audit.exp
deleted file mode 100755
index 6352dc62d..000000000
--- a/test/utils/audit.exp
+++ /dev/null
@@ -1,159 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --audit\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Firejail Audit"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "is running in a PID namespace"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "container/sandbox firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "seccomp BPF enabled"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "all capabilities are disabled"
-}
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "dev directory seems to be fully populated"
-}
-after 100
-
-
-send -- "firejail --audit\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "Firejail Audit"
-}
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "is running in a PID namespace"
-}
-expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "container/sandbox firejail"
-}
-expect {
- timeout {puts "TESTING ERROR 9\n";exit}
- "seccomp BPF enabled"
-}
-expect {
- timeout {puts "TESTING ERROR 10\n";exit}
- "all capabilities are disabled"
-}
-expect {
- timeout {puts "TESTING ERROR 11\n";exit}
- "dev directory seems to be fully populated"
-}
-after 100
-
-send -- "firejail --audit=blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 12\n";exit}
- "cannot find the audit program"
-}
-after 100
-
-send -- "firejail --audit=\r"
-expect {
- timeout {puts "TESTING ERROR 12\n";exit}
- "invalid audit program"
-}
-after 100
-
-# run audit executable without a sandbox
-send -- "faudit\r"
-expect {
- timeout {puts "TESTING ERROR 13\n";exit}
- "is not running in a PID namespace"
-}
-expect {
- timeout {puts "TESTING ERROR 14\n";exit}
- "BAD: seccomp disabled"
-}
-expect {
- timeout {puts "TESTING ERROR 15\n";exit}
- "BAD: the capability map is"
-}
-expect {
- timeout {puts "TESTING ERROR 16\n";exit}
- "MAYBE: /dev directory seems to be fully populated"
-}
-after 100
-
-# test seccomp
-send -- "firejail --seccomp.drop=mkdir --audit\r"
-expect {
- timeout {puts "TESTING ERROR 17\n";exit}
- "Firejail Audit"
-}
-expect {
- timeout {puts "TESTING ERROR 18\n";exit}
- "GOOD: seccomp BPF enabled"
-}
-expect {
- timeout {puts "TESTING ERROR 19\n";exit}
- "UGLY: mount syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 20\n";exit}
- "UGLY: umount2 syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 21\n";exit}
- "UGLY: ptrace syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 22\n";exit}
- "UGLY: swapon syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 23\n";exit}
- "UGLY: swapoff syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 24\n";exit}
- "UGLY: init_module syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 25\n";exit}
- "UGLY: delete_module syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 26\n";exit}
- "UGLY: chroot syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 27\n";exit}
- "UGLY: pivot_root syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 28\n";exit}
- "UGLY: iopl syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 29\n";exit}
- "UGLY: ioperm syscall permitted"
-}
-expect {
- timeout {puts "TESTING ERROR 30\n";exit}
- "GOOD: all capabilities are disabled"
-}
-after 100
-
-puts "\nall done\n"
diff --git a/test/utils/build.exp b/test/utils/build.exp
deleted file mode 100755
index 5e883e4ba..000000000
--- a/test/utils/build.exp
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2018 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --build cat ~/firejail-test-file-7699\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "whitelist ~/firejail-test-file-7699"
-}
-expect {
- timeout {puts "TESTING ERROR 0.1\n";exit}
- "include /etc/firejail/whitelist-common.inc"
-}
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "private-tmp"
-}
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "private-dev"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "blacklist /var"
-}
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "private-bin cat,"
-}
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "caps.drop all"
-}
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "nonewprivs"
-}
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "seccomp"
-}
-expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "net none"
-}
-expect {
- timeout {puts "TESTING ERROR 9\n";exit}
- "shell none"
-}
-after 100
-
-send -- "firejail --build cat /etc/passwd\r"
-expect {
- timeout {puts "TESTING ERROR 10\n";exit}
- "private-etc passwd,"
-}
-after 100
-
-send -- "firejail --build cat /var/tmp/firejail-test-file-7699\r"
-expect {
- timeout {puts "TESTING ERROR 11\n";exit}
- "whitelist /var/tmp/firejail-test-file-7699"
-}
-after 100
-
-send -- "firejail --build man firejail\r"
-expect {
- timeout {puts "TESTING ERROR 12\n";exit}
- "whitelist /usr/share/man"
-}
-after 100
-
-send -- "firejail --build wget blablabla\r"
-expect {
- timeout {puts "TESTING ERROR 13\n";exit}
- "protocol inet"
-}
-after 100
-
-
-send -- "firejail --build cat /tmp/firejail-test-file-7699\r"
-#todo - bug: it comes back with private-tmp
-sleep 1
-
-
-puts "all done\n"
diff --git a/test/utils/utils.sh b/test/utils/utils.sh
index d98e4c2e4..82d00007b 100755
--- a/test/utils/utils.sh
+++ b/test/utils/utils.sh
@@ -12,18 +12,6 @@ if [ -f /etc/debian_version ]; then fi export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail" -echo "testing" > ~/firejail-test-file-7699 -echo "testing" > /tmp/firejail-test-file-7699 -echo "testing" > /var/tmp/firejail-test-file-7699 -echo "TESTING: build (test/utils/build.exp)" -./build.exp -rm -f ~/firejail-test-file-7699 -rm -f /tmp/firejail-test-file-7699 -rm -f /var/tmp/firejail-test-file-7699 - -echo "TESTING: audit (test/utils/audit.exp)" -./audit.exp - echo "TESTING: name (test/utils/name.exp)" ./name.exp -- cgit v1.2.3-54-g00ecf