From 4ece607b8f833cf0974bcf2a5e41f0504cbbff59 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 28 Jun 2016 07:58:20 -0400
Subject: sysutils
---
 Makefile.in | 7 +++++-
 etc/cpio.profile | 21 ++++++++++++----
 etc/gzip.profile | 1 +
 etc/strings.profile | 1 +
 etc/xz.profile | 2 ++
 etc/xzdec.profile | 4 ++--
 platform/debian/conffiles | 1 +
 src/firejail/main.c | 61 +++++++++++++++++++++++++++++++++++++----------
 test/sysutils/cpio.exp | 26 ++++++++++++++++++++
 test/sysutils/gzip.exp | 26 ++++++++++++++++++++
 test/sysutils/strings.exp | 26 ++++++++++++++++++++
 test/sysutils/sysutils.sh | 44 ++++++++++++++++++++++++++++++++++
 test/sysutils/xzdec.exp | 29 ++++++++++++++++++++++
 todo | 7 ++++++
 14 files changed, 235 insertions(+), 21 deletions(-)
 create mode 100644 etc/xz.profile
 create mode 100755 test/sysutils/cpio.exp
 create mode 100755 test/sysutils/gzip.exp
 create mode 100755 test/sysutils/strings.exp
 create mode 100755 test/sysutils/sysutils.sh
 create mode 100755 test/sysutils/xzdec.exp
diff --git a/Makefile.in b/Makefile.in
index cb166aa33..5204fc34a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -53,6 +53,7 @@ clean:
 rm -f test/environment/wget-log*
 rm -fr test/environment/-testdir
 rm -f test/environment/logfile*
+ rm -f test/sysutils/firejail_t*
 cd test/compile; ./compile.sh --clean; cd ../..
 cd test/dist-compile; ./compile.sh --clean; cd ../..
@@ -213,6 +214,7 @@ realinstall:
 install -c -m 0644 .etc/gzip.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/xzdec.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 install -c -m 0644 .etc/strings.profile $(DESTDIR)/$(sysconfdir)/firejail/.
+ install -c -m 0644 .etc/xz.profile $(DESTDIR)/$(sysconfdir)/firejail/.
 sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/firejail/login.users ]; then install -c -m 0644 etc/login.users $(DESTDIR)/$(sysconfdir)/firejail/.; fi;"
 install -c -m 0644 etc/firejail.config $(DESTDIR)/$(sysconfdir)/firejail/.
 rm -fr .etc
@@ -327,6 +329,9 @@ test-apps:
 test-apps-x11:
 cd test/apps-x11; ./apps-x11.sh | grep TESTING
+test-sysutils:
+ cd test/sysutils; ./sysutils.sh | grep TESTING
+
 test-utils:
 cd test/utils; ./utils.sh | grep TESTING
@@ -342,5 +347,5 @@ test-network:
 test-fs:
 cd test/fs; ./fs.sh | grep TESTING
-test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-filters
+test: test-profiles test-fs test-utils test-environment test-sysutils test-apps test-apps-x11 test-filters
 echo "TEST COMPLETE"
diff --git a/etc/cpio.profile b/etc/cpio.profile
index f10b82962..b0e59c106 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,10 +1,21 @@
 # cpio profile
-# testing: find . -print -depth | cpio -ov > tree.cpio
-include /etc/firejail/default.profile
-tracelog
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+private-tmp
+seccomp
+caps.drop all
 net none
 shell none
-private-bin cpio
-private-dev
+tracelog
+net none
+
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 3c9e8a9bf..8d35c9f66 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -4,3 +4,4 @@ tracelog
 net none
 shell none
 private-dev
+private-tmp
diff --git a/etc/strings.profile b/etc/strings.profile
index 8be9a5719..9bc67cfb8 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -4,3 +4,4 @@ tracelog
 net none
 shell none
 private-dev
+private-tmp
diff --git a/etc/xz.profile b/etc/xz.profile
new file mode 100644
index 000000000..709585acd
--- /dev/null
+++ b/etc/xz.profile
@@ -0,0 +1,2 @@
+# xz profile
+include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index ade46dddd..1bff66965 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
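Review bot: `net none` is stated twice in the new cpio.profile — once as the kept context line after `caps.drop all` and again in the added tail block after `tracelog`; drop one of them, most naturally the trailing `+net none`. The file also no longer includes default.profile, so the explicit `include /etc/firejail/disable-*.inc`, `seccomp`, `caps.drop all` and `private-dev` lines are now the whole baseline; anything further that default.profile provides (not visible in this diff) is lost both for cpio and for xz.profile, which includes this file. A short comment such as `# default.profile is not included: /sbin and /usr/sbin must stay visible` above the `noblacklist` lines would record why this profile deviates from the others in the commit.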
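Review bot: xz.profile inherits `noblacklist /sbin` and `noblacklist /usr/sbin` by including cpio.profile, a relaxation the cpio comment justifies for cpio only; a compressor has no evident need to see /sbin, so this widens xz's view for no stated reason. xzdec.profile in this same commit (default.profile plus tracelog, net none, shell none, private-dev, private-tmp) is the closer template; `include /etc/firejail/xzdec.profile` would give xz the same footprint as its decompressor without the sbin exceptions. If the cpio-based profile is intentional, a one-line comment in xz.profile saying why would save the next reader the same question.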
@@ -1,7 +1,7 @@
-# XZ decompressor profile
+# xzdec profile
 include /etc/firejail/default.profile
 tracelog
 net none
 shell none
 private-dev
-
+private-tmp
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index a09df0c29..34ab8cd81 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -123,4 +123,5 @@
 /etc/firejail/gzip.profile
 /etc/firejail/xzdec.profile
 /etc/firejail/strings.profile
+/etc/firejail/xz.profile
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c6fbd584e..f149dd376 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -693,6 +693,52 @@ static void delete_x11_file(pid_t pid) {
 free(fname);
 }
+static void detect_quiet(int argc, char **argv) {
+ int i;
+ char *progs[] = {
+ "cpio",
+ "strings",
+ "gzip",
+ "xz",
+ "xzdec",
+ NULL
+ };
+
+ // detect --quiet
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "--quiet") == 0) {
+ arg_quiet = 1;
+ break;
+ }
+
+ // detect end of firejail params
+ if (strcmp(argv[i], "--") == 0)
+ break;
+ if (strncmp(argv[i], "--", 2) != 0)
+ break;
+ }
+
+ // argv[i] is the program name if --quiet was not already detected
+ if (arg_quiet || i == argc)
+ return;
+
+ // extract the name of the program without the leading path
+ char *ptr = strrchr(argv[i], '/');
+ char *name = (ptr)? (ptr + 1): argv[i];
+ if (*name == '\0')
+ return;
+
+ // look for the program in the list
+ int j = 0;
+ while (progs[j] != NULL) {
+ if (strcmp(name, progs[j]) == 0) {
+ arg_quiet = 1;
+ return;
+ }
+ j++;
+ }
+}
+
 //*******************************************
 // Main program
 //*******************************************
@@ -709,6 +755,8 @@ int main(int argc, char **argv) {
 int highest_errno = errno_highest_nr();
 #endif
+ detect_quiet(argc, argv);
+
 // drop permissions by default and rise them when required
 EUID_INIT();
 EUID_USER();
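Review bot: When detect_quiet's scan stops on the `--` separator, argv[i] is `--` itself rather than the program, so an invocation of the form `firejail -- cpio` is never matched against the list while `firejail cpio` is; advance past the separator before leaving the loop, `if (strcmp(argv[i], "--") == 0) { i++; break; }`, and the existing `i == argc` guard then covers a trailing `--`. The program table is read-only, so `static const char *const progs[]` is preferable to a mutable array rebuilt on every call. The comment above the loop could also state the post-condition it relies on, e.g. `// stops at the first word that is not a --option, so i indexes the program name`, since the `strncmp(argv[i], "--", 2) != 0` break is what makes the later `argv[i]` use valid.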
@@ -717,19 +765,6 @@ int main(int argc, char **argv) {
 if (*argv[0] != '-')
 run_symlink(argc, argv);
- // detect --quiet
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--quiet") == 0) {
- arg_quiet = 1;
- break;
- }
-
- // detect end of firejail params
- if (strcmp(argv[i], "--") == 0)
- break;
- if (strncmp(argv[i], "--", 2) != 0)
- break;
- }
 // check if we already have a sandbox running
 // If LXC is detected, start firejail sandbox
diff --git a/test/sysutils/cpio.exp b/test/sysutils/cpio.exp
new file mode 100755
index 000000000..9755d8737
--- /dev/null
+++ b/test/sysutils/cpio.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "find /usr/share/doc/firejail | /bin/cpio -ov > firejail_t1\r"
+sleep 1
+
+send -- "find /usr/share/doc/firejail | firejail /bin/cpio -ov > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/gzip.exp b/test/sysutils/gzip.exp
new file mode 100755
index 000000000..ab0e727de
--- /dev/null
+++ b/test/sysutils/gzip.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/bin/gzip -c /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /bin/gzip -c /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/strings.exp b/test/sysutils/strings.exp
new file mode 100755
index 000000000..1fd0f5dc0
--- /dev/null
+++ b/test/sysutils/strings.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/strings /usr/bin/firejail > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/strings /usr/bin/firejail > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh
new file mode 100755
index 000000000..f230c9a6b
--- /dev/null
+++ b/test/sysutils/sysutils.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+which cpio
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: cpio"
+ ./cpio.exp
+else
+ echo "TESTING SKIP: cpio not found"
+fi
+
+which strings
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: strings"
+ ./strings.exp
+else
+ echo "TESTING SKIP: strings not found"
+fi
+
+which gzip
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: gzip"
+ ./gzip.exp
+else
+ echo "TESTING SKIP: gzip not found"
+fi
+
+which xzdec
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: xzdec"
+ ./xzdec.exp
+else
+ echo "TESTING SKIP: xzdec not found"
+fi
+
diff --git a/test/sysutils/xzdec.exp b/test/sysutils/xzdec.exp
new file mode 100755
index 000000000..0ea6f5fb0
--- /dev/null
+++ b/test/sysutils/xzdec.exp
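Review bot: The xzdec gate at the end of sysutils.sh checks only `which xzdec`, but xzdec.exp (the next hunk) first runs `/usr/bin/xz -c` to produce firejail_t3, so a host with xzdec but without xz gets `TESTING ERROR 1` instead of a skip; gate on both tools, e.g. `which xzdec && which xz`, keeping the same if/then/else shape. The `which X` followed by `if [ "$?" -eq 0 ];` pairs can be written `if which X; then`, which is the idiomatic form and avoids the `$?` indirection. The expect scripts also hard-code `/usr/bin/xz`, `/usr/bin/xzdec` and `/bin/gzip` while the gates consult `which`, so the two checks can disagree on a host whose binaries live elsewhere.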
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/bin/xz -c /usr/bin/firejail > firejail_t3\r"
+sleep 1
+
+send -- "/usr/bin/xzdec -c firejail_t3 > firejail_t1\r"
+sleep 1
+
+send -- "firejail /usr/bin/xzdec -c firejail_t3 > firejail_t2\r"
+sleep 1
+
+send -- "diff -s firejail_t1 firejail_t2\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "firejail_t1 and firejail_t2 are identical"
+}
+
+send -- "rm firejail_t*\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/todo b/todo
index cd36b5f11..a5c311562 100644
--- a/todo
+++ b/todo
@@ -101,3 +101,10 @@ firejail.src: E: no-changelogname-tag
 firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
 1 packages and 0 specfiles checked; 1 errors, 1 warnings.
+15. Testing:
+find /usr/share/doc/firejail | cpio -ov > t1
+strings /usr/bin/firejail > t1
+gzip -c /usr/bin/firejail > t1
+
+use diff -s to compare the files
+
-- cgit v1.2.3-54-g00ecf