From 91235785e06ac890514fd51fa44aa14e7c2e108e Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 2 Mar 2023 08:19:41 -0500 Subject: network testing --- .github/workflows/build.yml | 4 +- Makefile | 12 ++- test/network/hostname.exp | 31 -------- test/network/net_ip.exp | 77 ++++++++++++------- test/network/net_mac.exp | 5 +- test/network/net_none.exp | 52 +++---------- test/network/network.sh | 183 +++++++++++++++++++++++--------------------- 7 files changed, 168 insertions(+), 196 deletions(-) delete mode 100755 test/network/hostname.exp diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e68ad99db..cb0d31828 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -60,7 +60,7 @@ jobs: - name: update package information run: sudo apt-get update - name: install dependencies - run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois + run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois bridge-utils - name: configure run: CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux - name: make @@ -71,6 +71,8 @@ jobs: run: command -V firejail && firejail --version - name: lab setup run: SHELL=/bin/bash make lab-setup + - name: run network tests + run: SHELL=/bin/bash make test-network - name: run appimage tests run: SHELL=/bin/bash make test-appimage - name: run chroot tests diff --git a/Makefile b/Makefile index dbe084a2e..fc543f8c4 100644 --- a/Makefile +++ b/Makefile 
@@ -372,7 +372,7 @@ $(TEST_TARGETS): # extract some data about the testing setup: kernel, network connectivity, user -lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; ls /etc +lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; ip addr show; cat /etc/resolv.conf; cat /etc/hosts; ls /etc test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters echo "TEST COMPLETE" @@ -384,10 +384,16 @@ test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sy test-appimage: $(MAKE) -C test $(subst test-,,$@) -# not included in "make dist" and "make test" +# using sudo; not included in "make dist" and "make test" test-chroot: $(MAKE) -C test $(subst test-,,$@) +# using sudo; not included in "make dist" and "make test" +test-network: + $(MAKE) -C test $(subst test-,,$@) + + + # old gihub test; the new test is driven directly from .github/workflows/build.yml test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment echo "TEST COMPLETE" @@ -403,7 +409,5 @@ test-private-lib: # Root access, network devices are created before the test # restart your computer to get rid of these devices -test-network: - $(MAKE) -C test $(subst test-,,$@) # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" diff --git a/test/network/hostname.exp b/test/network/hostname.exp deleted file mode 100755 index 42af84847..000000000 --- a/test/network/hostname.exp +++ /dev/null 
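Review bot: The warning about leftover network devices is now detached from the rule it describes. The third Makefile hunk removes the old `test-network` rule but keeps its two comment lines (`# Root access, network devices are created before the test` and `# restart your computer to get rid of these devices`) as context, so they now sit directly above the hidepid comment. The relocated rule in the second hunk carries only `# using sudo; not included in "make dist" and "make test"`, which no longer says that the run creates bridges on the host. I would delete the orphaned pair and extend the new comment, e.g. `# using sudo; creates bridges br0/br1 on the host and does not remove them`.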
@@ -1,31 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --hostname=bingo --noprofile\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 1
-send -- "stty -echo\r"
-after 100
-
-send -- "ping -c 3 bingo; echo done\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "3 packets transmitted, 3 received"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "done"
-}
-send -- "exit\r"
-after 100
-
-puts "all done\n"
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp
index 48d8a75fb..304b71814 100755
--- a/test/network/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -7,70 +7,95 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -# check ip address -send -- "firejail --net=br0 --ip=10.10.20.5\r" +send -- "firejail --net=br0 cat /proc/1/net/dev\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "eth0" } expect { timeout {puts "TESTING ERROR 1\n";exit} - "10.10.20.5" + "10.10.20." } expect { timeout {puts "TESTING ERROR 2\n";exit} - "255.255.255.248" + "255.255.255.0" } expect { timeout {puts "TESTING ERROR 3\n";exit} "UP" } +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Default gateway 10.10.20.1" +} expect { timeout {puts "TESTING ERROR 4\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } -sleep 1 -send -- "exit\r" -sleep 1 - -# check loopback -send -- "firejail --net=br0 --ip=10.10.20.5 --protocol=unix,inet,netlink\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "lo" + "lo:" } expect { timeout {puts "TESTING ERROR 6\n";exit} - "127.0.0.1" + "eth0:" } +after 500 + +send -- "firejail --net=br0 --ip=10.10.20.5 cat /proc/1/net/dev\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "255.0.0.0" + "eth0" } expect { timeout {puts "TESTING ERROR 8\n";exit} - "UP" + "10.10.20.5" } expect { timeout {puts "TESTING ERROR 9\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "UP" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "Default gateway 10.10.20.1" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } -sleep 1 +after 500 -# check default gateway -send -- "ip route show\r" +send -- "firejail --net=br0 --ip=10.10.50.5 cat /proc/1/net/dev\r" expect { - timeout {puts "TESTING ERROR 10.1\n";exit} - "default via 10.10.20.1 dev eth0" + timeout {puts "TESTING ERROR 13\n";exit} + "the IP address is not in the interface range" } +after 500 -send -- "ip route show\r" +send -- "firejail --net=br0 --defaultgw=10.10.20.2 cat /proc/1/net/dev\r" expect { - timeout {puts "TESTING ERROR 10\n";exit} - 
"10.10.20.0/29 dev eth0 proto kernel scope link" {puts "old iproute2\n";} - "10.10.20.0/29 dev eth0 proto kernel scope link" {puts "new iproute2\n";} + timeout {puts "TESTING ERROR 14\n";exit} + "Default gateway 10.10.20.2" } -send -- "exit\r" -after 100 +expect { + timeout {puts "TESTING ERROR 14\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +after 500 -puts "\n" +send -- "firejail --net=br0 --defaultgw=10.110.210.2 cat /proc/1/net/dev\r" +expect { + timeout {puts "TESTING ERROR 16\n";exit} + "default gateway 10.110.210.2 is not in the range of any network" +} +after 500 + + + + +after 100 +puts "\nall done\n" diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp index 086efd02c..481e452af 100755 --- a/test/network/net_mac.exp +++ b/test/network/net_mac.exp @@ -8,7 +8,7 @@ spawn $env(SHELL) match_max 100000 # check ip address -send -- "firejail --net=br0 --ip=10.10.20.5 --mac=00:11:22:33:44:55\r" +send -- "firejail --net=br0 --ip=10.10.20.5 --mac=00:11:22:33:44:55 cat /proc/1/net/dev\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "eth0" @@ -23,7 +23,7 @@ expect { } expect { timeout {puts "TESTING ERROR 2\n";exit} - "255.255.255.248" + "255.255.255.0" } expect { timeout {puts "TESTING ERROR 3\n";exit} @@ -33,7 +33,6 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } -send -- "exit\r" after 100 puts "\nall done\n" diff --git a/test/network/net_none.exp b/test/network/net_none.exp index aa071862e..6932c7e8a 100755 --- a/test/network/net_none.exp +++ b/test/network/net_none.exp 
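Review bot: The two rejection cases near the end of the net_ip.exp hunk (`--ip=10.10.50.5`, `TESTING ERROR 13`, and `--defaultgw=10.110.210.2`, `TESTING ERROR 16`) pass as soon as the error text appears and never confirm that no sandbox came up afterwards. If firejail printed the message and still ran the command, the test would stay green, so each case should be followed by a short-timeout expect that treats the start-up banner as a failure. The positive cases appear to take the address, netmask and gateway from firejail's own start-up output, since `cat /proc/1/net/dev` lists only interface names and counters, whereas the removed `ip route show` check read the route from inside the namespace. The labels `TESTING ERROR 3` and `TESTING ERROR 14` are also each used twice and 15 is skipped, so a failure log cannot tell those branches apart.

```tcl
send -- "firejail --net=br0 --ip=10.10.50.5 cat /proc/1/net/dev\r"
# … unchanged: expect for "the IP address is not in the interface range" (ERROR 13) …

# the sandbox must not come up after the refusal
set timeout 2
expect {
	"Child process initialized" {puts "TESTING ERROR 13.1\n";exit}
	timeout {}
}
set timeout 10
# … same follow-up after the --defaultgw=10.110.210.2 case (ERROR 16) …
```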
@@ -11,63 +11,31 @@ match_max 100000 send -- "firejail --net=none\r" expect { timeout {puts "TESTING ERROR 0\n";exit} - "eth0" {puts "TESTING ERROR 0.1\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } -sleep 1 +after 500 -# test default gw -send -- "bash\r" -sleep 1 -send -- "stty -echo\r" -after 100 - -send -- "netstat -rn; echo done\r" +send -- "cat /proc/1/net/dev | wc -l\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "0.0.0.0" {puts "TESTING ERROR 1.1\n";exit} - "done" + "3" } -sleep 1 - -# check again devices -send -- "cat /proc/1/net/dev;echo done\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "eth0" {puts "TESTING ERROR 2.1\n";exit} - "done" -} -send -- "exit\r" -sleep 1 send -- "exit\r" -sleep 1 +after 500 + # profile send -- "firejail --profile=net_none.profile\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} - "eth0" {puts "TESTING ERROR 3.1\n";exit} + timeout {puts "TESTING ERROR 2\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } -sleep 1 +after 500 -# test default gw -send -- "bash\r" -sleep 1 -send -- "netstat -rn; echo done\r" +send -- "cat /proc/1/net/dev | wc -l\r" expect { - timeout {puts "TESTING ERROR 4\n";exit} - "0.0.0.0" {puts "TESTING ERROR 4.1\n";exit} - "done" -} -sleep 1 - -# check again devices -send -- "cat /proc/1/net/dev;echo done\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "eth0" {puts "TESTING ERROR 5.1\n";exit} - "done" + timeout {puts "TESTING ERROR 3\n";exit} + "3" } send -- "exit\r" after 100 diff --git a/test/network/network.sh b/test/network/network.sh index 0cb92f2e3..6bb8332ee 100755 --- a/test/network/network.sh +++ b/test/network/network.sh 
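Review bot: The new pattern `"3"` after `cat /proc/1/net/dev | wc -l` is an unanchored substring match, so it is satisfied by `13`, `30` or any `3` in the shell prompt or in leftover output, not only by a three-line device table. In the new code this is the only assertion that `--net=none` (and the profile variant, `TESTING ERROR 3`) exposes nothing beyond loopback, so I would anchor it, e.g. `-re "\[\r\n\]3\[\r\n\]"`. I would also keep an explicit failing branch such as `"eth0" {puts "TESTING ERROR 1.1\n";exit}` on a plain `cat /proc/1/net/dev`. The removed `netstat -rn` checks also covered the absence of a default route, which a line count does not.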
@@ -7,46 +7,13 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -sudo ./configure - -echo "TESTING: unconfigured network (net_unconfigured.exp)" -./net_unconfigured.exp - -echo "TESTING: netfilter template (netfilter-template.exp)" -rm -f ./tcpserver -gcc -o tcpserver tcpserver.c -./netfilter-template.exp -rm ./tcpserver - -echo "TESTING: firemon interface (firemon-interfaces.exp)" -sudo ./firemon-interfaces.exp - -echo "TESTING: netns (netns.exp)" -./netns.exp - -echo "TESTING: print dns (dns-print.exp)" -./dns-print.exp - -echo "TESTING: firemon arp (firemon-arp.exp)" -./firemon-arp.exp - -echo "TESTING: firemon netstats (netstats.exp)" -./netstats.exp - -echo "TESTING: firemon route (firemon-route.exp)" -./firemon-route.exp - -echo "TESTING: network profile (net_profile.exp)" -./net_profile.exp - -echo "TESTING: bandwidth (bandwidth.exp)" -./bandwidth.exp - -echo "TESTING: IPv6 support (ip6.exp)" -./ip6.exp - -echo "TESTING: local network (net_local.exp)" -./net_local.exp +sudo brctl addbr br0 +sudo ip link set br0 up +sudo ip addr add 10.10.20.1/24 dev br0 +sudo brctl addbr br1 +sudo ip link set br1 up +sudo ip addr add 10.10.30.1/24 dev br1 +ip addr show echo "TESTING: no network (net_none.exp)" ./net_none.exp 
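Review bot: The bridge setup added at the top of this hunk changes host networking with sudo and is never undone or checked. A second run hits an already existing br0/br1, and unless the script's opening lines (outside the hunk) set `-e`, a failed `brctl` or `ip` call lets the expect scripts run against whatever br0 happens to be. I would register cleanup before the first `brctl addbr`, e.g. `trap 'sudo ip link delete br0; sudo ip link delete br1' EXIT`, and stop with `|| exit 1` on the two `ip addr add` lines. The fixed 10.10.20.0/24 and 10.10.30.0/24 ranges can overlap an existing route on a developer machine, which deserves a comment next to the setup.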
@@ -55,56 +22,94 @@ echo "TESTING: network IP (net_ip.exp)" ./net_ip.exp echo "TESTING: network MAC (net_mac.exp)" -sleep 2 ./net_mac.exp -echo "TESTING: network MTU (net_mtu.exp)" -./net_mtu.exp - -echo "TESTING: network hostname (hostname.exp)" -./hostname.exp - -echo "TESTING: network bad IP (net_badip.exp)" -./net_badip.exp - -echo "TESTING: network no IP test 1 (net_noip.exp)" -./net_noip.exp - -echo "TESTING: network no IP test 2 (net_noip2.exp)" -./net_noip2.exp - -echo "TESTING: network default gateway test 1 (net_defaultgw.exp)" -./net_defaultgw.exp - -echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)" -./net_defaultgw2.exp - -echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)" -./net_defaultgw3.exp - -echo "TESTING: scan (net_scan.exp)" -./net_scan.exp - -echo "TESTING: interface (interface.exp)" -./interface.exp - -echo "TESTING: veth (net_veth.exp)" -./net_veth.exp - -echo "TESTING: netfilter (net_netfilter.exp)" -./net_netfilter.exp - -echo "TESTING: iprange (iprange.exp)" -./iprange.exp - -echo "TESTING: veth-name (veth-name.exp)" -./veth-name.exp - -echo "TESTING: macvlan2 (net_macvlan2.exp)" -./net_macvlan2.exp -echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" -./4bridges_arp.exp -echo "TESTING: 4 bridges IP (4bridges_ip.exp)" -./4bridges_ip.exp +#echo "TESTING: unconfigured network (net_unconfigured.exp)" +#./net_unconfigured.exp +# +#echo "TESTING: netfilter template (netfilter-template.exp)" +#rm -f ./tcpserver +#gcc -o tcpserver tcpserver.c +#./netfilter-template.exp +#rm ./tcpserver +# +#echo "TESTING: firemon interface (firemon-interfaces.exp)" +#sudo ./firemon-interfaces.exp +# +#echo "TESTING: netns (netns.exp)" +#./netns.exp +# +#echo "TESTING: print dns (dns-print.exp)" +#./dns-print.exp +# +#echo "TESTING: firemon arp (firemon-arp.exp)" +#./firemon-arp.exp +# +#echo "TESTING: firemon netstats (netstats.exp)" +#./netstats.exp +# +#echo "TESTING: firemon route (firemon-route.exp)" +#./firemon-route.exp +# 
+#echo "TESTING: network profile (net_profile.exp)" +#./net_profile.exp +# +#echo "TESTING: bandwidth (bandwidth.exp)" +#./bandwidth.exp +# +#echo "TESTING: IPv6 support (ip6.exp)" +#./ip6.exp +# +#echo "TESTING: local network (net_local.exp)" +#./net_local.exp +# +# +#echo "TESTING: network MTU (net_mtu.exp)" +#./net_mtu.exp +# +#echo "TESTING: network bad IP (net_badip.exp)" +#./net_badip.exp +# +#echo "TESTING: network no IP test 1 (net_noip.exp)" +#./net_noip.exp +# +#echo "TESTING: network no IP test 2 (net_noip2.exp)" +#./net_noip2.exp +# +#echo "TESTING: network default gateway test 1 (net_defaultgw.exp)" +#./net_defaultgw.exp +# +#echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)" +#./net_defaultgw2.exp +# +#echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)" +#./net_defaultgw3.exp +# +#echo "TESTING: scan (net_scan.exp)" +#./net_scan.exp +# +#echo "TESTING: interface (interface.exp)" +#./interface.exp +# +#echo "TESTING: veth (net_veth.exp)" +#./net_veth.exp +# +#echo "TESTING: netfilter (net_netfilter.exp)" +#./net_netfilter.exp +# +#echo "TESTING: iprange (iprange.exp)" +#./iprange.exp +# +#echo "TESTING: veth-name (veth-name.exp)" +#./veth-name.exp +# +#echo "TESTING: macvlan2 (net_macvlan2.exp)" +#./net_macvlan2.exp +# +#echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" +#./4bridges_arp.exp +# +#echo "TESTING: 4 bridges IP (4bridges_ip.exp)" +#./4bridges_ip.exp -- cgit v1.2.3-54-g00ecf
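Review bot: Disabling the netfilter, iprange, veth, scan and default-gateway scripts by commenting them out leaves `make test-network` passing with no trace in the log that they were skipped. Only net_none.exp, net_ip.exp and net_mac.exp still run, so a regression in the sandbox's filtering or interface handling would go unnoticed by the new CI step. I would replace the commented block with a short header comment giving the reason and a run-time marker, e.g. `echo "SKIPPED: netfilter, veth, iprange, ... (pending port to the br0/br1 setup)"`. The reason in that example is inferred from the new bridge setup in the first hunk and should be confirmed by the author.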