From a8b23c83998c7964f8898c39784ac186a0216c3f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 11 Nov 2016 07:47:46 -0500 Subject: testing --- Makefile.in | 45 ++++++++++++------ src/firejail/fs.c | 6 +++ src/fnet/interface.c | 76 ++++++++++-------------------- test/fs_overlay.exp | 66 -------------------------- test/overlay/firefox-x11-xorg.exp | 90 +++++++++++++++++++++++++++++++++++ test/overlay/firefox-x11.exp | 90 +++++++++++++++++++++++++++++++++++ test/overlay/firefox.exp | 99 +++++++++++++++++++++++++++++++++++++++ test/overlay/fs.exp | 46 ++++++++++++++++++ test/overlay/overlay.sh | 57 ++++++++++++++++++++++ 9 files changed, 443 insertions(+), 132 deletions(-) delete mode 100755 test/fs_overlay.exp create mode 100755 test/overlay/firefox-x11-xorg.exp create mode 100755 test/overlay/firefox-x11.exp create mode 100755 test/overlay/firefox.exp create mode 100755 test/overlay/fs.exp create mode 100755 test/overlay/overlay.sh diff --git a/Makefile.in b/Makefile.in index 64970d4a5..03b6befbe 100644 --- a/Makefile.in +++ b/Makefile.in @@ -161,6 +161,8 @@ dist: tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION) rm -fr $(NAME)-$(VERSION) +asc:; ./mkasc.sh $(VERSION) + deb: dist ./mkdeb.sh $(NAME) $(VERSION) @@ -173,9 +175,6 @@ install-snap: snap test-compile: dist cd test/compile; ./compile.sh $(NAME)-$(VERSION) -test-root: - cd test/root; su -c ./root.sh | grep TESTING - .PHONY: rpms rpms: ./platform/rpm/mkrpm.sh $(NAME) $(VERSION) @@ -189,7 +188,19 @@ cppcheck: clean scan-build: clean scan-build make -asc:; ./mkasc.sh $(VERSION) +gcov-test-initialized: + ./gcov-test-init.sh + +gcov: gcov-test-initialized + lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file + rm -fr gcov-dir + genhtml gcov-file --output-directory gcov-dir + + +# +# make test +# + test-profiles: cd test/profiles; ./profiles.sh | grep TESTING 
@@ -218,21 +229,25 @@ test-filters: test-arguments: cd test/arguments; ./arguments.sh | grep TESTING -test-network: - cd test/network; ./network.sh | grep TESTING - test-fs: cd test/fs; ./fs.sh | grep TESTING test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" -gcov-test-initialized: - ./gcov-test-init.sh - -gcov: gcov-test-initialized - lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file - rm -fr gcov-dir - genhtml gcov-file --output-directory gcov-dir +# +# individual tests, some of them requiring root access +# + +# root access, network devices are created before the test +test-network: + cd test/network; ./network.sh | grep TESTING + +# all the tests are run as root +test-root: + cd test/root; su -c ./root.sh | grep TESTING - \ No newline at end of file +# runs as regular user +test-overlay: + cd test/overlay; ./overlay.sh | grep TESTING + diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4556f0a82..65b0773ca 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -919,6 +919,9 @@ void fs_overlayfs(void) { } // chroot in the new filesystem +#ifdef HAVE_GCOV + __gcov_flush(); +#endif if (chroot(oroot) == -1) errExit("chroot"); @@ -1102,6 +1105,9 @@ void fs_chroot(const char *rootdir) { } // chroot into the new directory +#ifdef HAVE_GCOV + __gcov_flush(); +#endif if (arg_debug) printf("Chrooting into %s\n", rootdir); if (chroot(rootdir) < 0) diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 046b2c972..3958efddd 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c 
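Review bot: The new `test-overlay` target is filed under "individual tests, some of them requiring root access" but its own comment says it runs as a regular user, and it is not added to the aggregate `test:` target in this hunk, so `make test` never exercises the overlay suite. If leaving it out is deliberate (overlayfs support or network access is not guaranteed on the test host), the comment should state that reason; otherwise the fix is to append it, `test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments test-overlay`. The `test-root` and `test-network` blocks are only moved, so the comments above them are the one place the root requirement is documented — worth keeping them accurate as targets are added.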
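Review bot: `__gcov_flush()` is called in both `fs_overlayfs` and `fs_chroot` without a declaration visible in either hunk; unless a header outside this diff declares it, the call relies on an implicit declaration, which `extern void __gcov_flush(void);` under the same `#ifdef HAVE_GCOV` guard would fix. The reason for flushing exactly here is not stated and should be, e.g. `// flush coverage counters now: the .gcda output paths are unreachable once chroot() changes the root`. The three guarded lines are duplicated verbatim in both hunks, so a small helper or macro in a shared header would keep them in one place. Since chroot() itself requires privilege, the flush in HAVE_GCOV builds writes coverage files while the process is still privileged, which is one more reason to keep that define out of release builds. Both enclosing functions start and end outside the hunks.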
@@ -29,13 +29,18 @@ #include #include -// add a veth device to a bridge -void net_bridge_add_interface(const char *bridge, const char *dev) { - if (strlen(bridge) > IFNAMSIZ) { - fprintf(stderr, "Error fnet: invalid network device name %s\n", bridge); +static void check_if_name(const char *ifname) { + if (strlen(ifname) > IFNAMSIZ) { + fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); exit(1); } +} +// add a veth device to a bridge +void net_bridge_add_interface(const char *bridge, const char *dev) { + check_if_name(bridge); + check_if_name(dev); + // somehow adding the interface to the bridge resets MTU on bridge device!!! // workaround: restore MTU on the bridge device // todo: put a real fix in @@ -69,18 +74,14 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { close(sock); int mtu2 = net_get_mtu(bridge); - if (mtu1 != mtu2) { + if (mtu1 != mtu2) net_set_mtu(bridge, mtu1); - } } // bring interface up void net_if_up(const char *ifname) { - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); - exit(1); - } + check_if_name(ifname); int sock = socket(AF_INET,SOCK_DGRAM,0); if (sock < 0) 
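Review bot: `check_if_name` carries over the original off-by-one: `strlen(ifname) > IFNAMSIZ` accepts a name of exactly IFNAMSIZ characters, but `IFNAMSIZ` is the size of `ifr_name` including its NUL terminator, so such a name cannot be stored intact and is truncated to IFNAMSIZ-1 characters when the kernel processes the ioctl (the copy into `ifr_name` is outside this hunk, but that is the buffer every caller uses). Now that one helper guards every interface function it is the right place to fix this: `if (strlen(ifname) >= IFNAMSIZ) {`. A one-line comment above it, `// reject names that do not fit struct ifreq.ifr_name; exits the process on failure`, would also make clear to callers that it does not return an error. `net_bridge_add_interface` continues past the end of the first hunk.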
@@ -93,28 +94,19 @@ void net_if_up(const char *ifname) { ifr.ifr_addr.sa_family = AF_INET; // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error fnet: cannot bring up interface %s\n", ifname); + if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) errExit("ioctl"); - } ifr.ifr_flags |= IFF_UP; // set the new flags - if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error fnet: cannot bring up interface %s\n", ifname); + if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) errExit("ioctl"); - } // checking // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error fnet: cannot bring up interface %s\n", ifname); + if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) errExit("ioctl"); - } // wait not more than 500ms for the interface to come up int cnt = 0; @@ -122,11 +114,8 @@ void net_if_up(const char *ifname) { usleep(10000); // sleep 10ms // read the existing flags - if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) { - close(sock); - printf("Error fnet: cannot bring up interface %s\n", ifname); + if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) errExit("ioctl"); - } if (ifr.ifr_flags & IFF_RUNNING) break; cnt++; @@ -136,12 +125,8 @@ void net_if_up(const char *ifname) { } int net_get_mtu(const char *ifname) { + check_if_name(ifname); int mtu = 0; - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); - exit(1); - } - int s; struct ifreq ifr; @@ -160,11 +145,7 @@ int net_get_mtu(const char *ifname) { } void net_set_mtu(const char *ifname, int mtu) { - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname); - exit(1); - } - + check_if_name(ifname); int s; struct ifreq ifr; @@ -246,6 +227,7 @@ void net_ifprint(int scan) { } int net_get_mac(const char *ifname, unsigned char mac[6]) { + check_if_name(ifname); struct ifreq ifr; int sock; 
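Review bot: Replacing `close(sock); printf("Error fnet: cannot bring up interface %s\n", ifname); errExit("ioctl");` with a bare `errExit("ioctl")` in `net_if_up` (this hunk and the one at -122) and in `net_if_ip` (the hunk at -282) drops the interface name from the diagnostic, so a failure now reports only the generic ioctl error. If `errExit` terminates the process, as the removed `close()` calls suggest, the cleanup was indeed redundant, but the message should survive, e.g. `fprintf(stderr, "Error fnet: cannot bring up interface %s\n", ifname);` before each `errExit` — to stderr rather than the original stdout. The `check_if_name` added to `net_get_mac` turns an over-long name into `exit(1)` in a function that returns an int to its caller; worth confirming that callers expect termination rather than an error return. `net_if_up` starts before this hunk and ends after it.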
@@ -267,11 +249,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { // configure interface ipv4 address void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { - if (strlen(ifname) > IFNAMSIZ) { - fprintf(stderr, "Error: invalid network device name %s\n", ifname); - exit(1); - } - + check_if_name(ifname); int sock = socket(AF_INET,SOCK_DGRAM,0); if (sock < 0) errExit("socket"); @@ -282,34 +260,29 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { ifr.ifr_addr.sa_family = AF_INET; ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); - if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) { - close(sock); - fprintf(stderr, "Error fnet: cannot find interface %s\n", ifname); + if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) errExit("ioctl"); - } if (ip != 0) { ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(mask); - if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) { - close(sock); + if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) errExit("ioctl"); - } } // configure mtu if (mtu > 0) { ifr.ifr_mtu = mtu; - if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) { - close(sock); + if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) errExit("ioctl"); - } } close(sock); usleep(10000); // sleep 10ms + return; } int net_if_mac(const char *ifname, const unsigned char mac[6]) { + check_if_name(ifname); struct ifreq ifr; int sock; @@ -335,6 +308,7 @@ struct ifreq6 { unsigned int ifr6_ifindex; }; void net_if_ip6(const char *ifname, const char *addr6) { + check_if_name(ifname); if (strchr(addr6, ':') == NULL) { fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6); exit(1); diff --git a/test/fs_overlay.exp b/test/fs_overlay.exp deleted file mode 100755 index b7eeba80f..000000000 --- a/test/fs_overlay.exp +++ /dev/null 
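Review bot: The `return;` added as the last statement of `net_if_ip` is a no-op in a void function and should be dropped. `net_if_mac` and `net_if_ip6` now call `check_if_name` first, which is consistent with the rest of the file, but `net_if_mac` returns an int and the new path exits the process instead of reporting failure, so its comment should say that an invalid name is fatal, e.g. `// configure the MAC address; exits on an invalid interface name`. All three enclosing functions continue outside the hunk.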
@@ -1,66 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "rm -f /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "home" -} - -send -- "ls > /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "home" -} - -send -- "firejail --noprofile --overlay\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit} - "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit} - "Child process initialized" {puts "found\n"} -} -sleep 1 - -send -- "echo xyzxyzxyz > /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "home" -} -sleep 1 - -send -- "cat /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "xyzxyzxyz" -} -expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "home" -} -sleep 1 - -send -- "exit\r" -sleep 2 - -send -- "cat /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit} - "home" -} - -sleep 1 -send -- "rm -f /tmp/firejail-overlay-test;pwd\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "home" -} - - -sleep 1 -puts "all done \n" - diff --git a/test/overlay/firefox-x11-xorg.exp b/test/overlay/firefox-x11-xorg.exp new file mode 100755 index 000000000..76c0e55fc --- /dev/null +++ b/test/overlay/firefox-x11-xorg.exp 
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --overlay --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "firefox" {puts "firefox detected\n";}
+ "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 3.2\n";exit}
+ "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --overlay --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ " firefox" {puts "firefox detected\n";}
+ " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 5.0\n";exit}
+ "no-remote"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ " firefox" {puts "firefox detected\n";}
+ " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 6.0\n";exit}
+ "no-remote"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/test/overlay/firefox-x11.exp b/test/overlay/firefox-x11.exp
new file mode 100755
index 000000000..aa248f328
--- /dev/null
+++ b/test/overlay/firefox-x11.exp
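Review bot: Every failure branch in this script ends in a bare `exit`, which in expect returns status 0, so a `TESTING ERROR` is only detectable through the `grep TESTING` in the Makefile and never through the exit code; `exit 1` in those branches would make a failure machine-checkable. The sandbox started with `firejail --overlay --name=blablabla` is never shut down — only `firejail --shutdown=test` is sent — so it outlives the test and is still listed when the next script runs `firejail --list`; a `send -- "firejail --shutdown=blablabla\r"` before the final sleep closes that gap. The same two issues apply to firefox-x11.exp, and firefox.exp shuts down neither sandbox and starts firefox without a `--name`, so it cannot be shut down at all. The test also depends on reaching www.gentoo.org, so it fails on a host without network access rather than reporting a skip.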
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --overlay --name=test --x11 firefox -no-remote www.gentoo.org\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "firefox" {puts "firefox detected\n";}
+ "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 3.2\n";exit}
+ "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --name=blablabla --overlay\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ " firefox" {puts "firefox detected\n";}
+ " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 5.0\n";exit}
+ "no-remote"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ " firefox" {puts "firefox detected\n";}
+ " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 6.0\n";exit}
+ "no-remote"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/test/overlay/firefox.exp b/test/overlay/firefox.exp
new file mode 100755
index 000000000..6ef23558d
--- /dev/null
+++ b/test/overlay/firefox.exp
@@ -0,0 +1,99 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --overlay firefox -no-remote www.gentoo.org\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Reading profile /etc/firejail/firefox.profile"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "firefox" {puts "firefox detected\n";}
+ "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 3.2\n";exit}
+ "no-remote"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+
+send -- "firejail --name=blablabla --overlay\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ " firefox" {puts "firefox detected\n";}
+ " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 5.0\n";exit}
+ "no-remote"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ " firefox" {puts "firefox detected\n";}
+ " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 6.0\n";exit}
+ "no-remote"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+after 100
+
+puts "\nall done\n"
+
diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp
new file mode 100755
index 000000000..15ada9203
--- /dev/null
+++ b/test/overlay/fs.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --overlay\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "not available for kernels older than 3.18" {puts "\nTESTING: overlayfs not available\n"; exit}
+ "Error: --overlay option is not available on Grsecurity systems" {puts "\nTESTING: overlayfs not available\n"; exit}
+ "Child process initialized" {puts "found\n"}
+}
+sleep 1
+
+send -- "echo xyzxyzxyz > ~/_firejail_test_file; echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "done"
+}
+after 100
+
+send -- "cat ~/_firejail_test_file; echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "xyzxyzxyz"
+}
+expect {
+ timeout {puts "TESTING ERROR 4.1\n";exit}
+ "done"
+}
+after 100
+
+send -- "exit\r"
+sleep 2
+
+send -- "cat ~/_firejail_test_file; echo done\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
+ "done"
+}
+
+after 100
+puts "\nall done\n"
+
diff --git a/test/overlay/overlay.sh b/test/overlay/overlay.sh
new file mode 100755
index 000000000..971adddfe
--- /dev/null
+++ b/test/overlay/overlay.sh
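Review bot: The final check in fs.exp, `expect { "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit} "done" }`, very likely matches the shell's echo of the typed command `cat ~/_firejail_test_file; echo done`, which already contains `done`, before the file contents arrive — so the `xyzxyzxyz` branch that is supposed to catch a file leaking out of the overlay may never fire and the test passes either way. Use a sentinel that does not appear in the command text, for example `send -- "cat ~/_firejail_test_file; echo d\\one\r"` (the shell prints `done`, the echoed command shows `d\one`), or check for the file's absence with a separate `ls` and expect its error message. The same echo hazard is present at ERROR 3, where the only thing expected is `done`. The bare `exit` on the error branches returns status 0, so a failure here is visible only through `grep TESTING`.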
@@ -0,0 +1,57 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: overlay fs (test/overlay/fs.exp)"
+rm -fr ~/_firejail_test_*
+./fs.exp
+rm -fr ~/_firejail_test_*
+
+which firefox
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: overlay firefox"
+ ./firefox.exp
+else
+ echo "TESTING SKIP: firefox not found"
+fi
+
+which firefox
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: overlay firefox x11 xorg"
+ ./firefox.exp
+else
+ echo "TESTING SKIP: firefox not found"
+fi
+
+
+# check xpra/xephyr
+which xpra
+if [ "$?" -eq 0 ];
+then
+ echo "xpra found"
+else
+ echo "xpra not found"
+ which Xephyr
+ if [ "$?" -eq 0 ];
+ then
+ echo "Xephyr found"
+ else
+ echo "TESTING SKIP: xpra and/or Xephyr not found"
+ exit
+ fi
+fi
+
+which firefox
+if [ "$?" -eq 0 ];
+then
+ echo "TESTING: overlay firefox x11"
+ ./firefox.exp
+else
+ echo "TESTING SKIP: firefox not found"
+fi
-- cgit v1.2.3-54-g00ecf
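Review bot: The "overlay firefox x11 xorg" and "overlay firefox x11" blocks both run `./firefox.exp`, so the two X11 scripts this commit adds, firefox-x11-xorg.exp and firefox-x11.exp, are never executed and the plain firefox test runs three times instead. The fix is `./firefox-x11-xorg.exp` in the second block and `./firefox-x11.exp` in the last one. `which firefox` is also evaluated three times; running it once and keeping the result in a variable would make the script shorter and the intent clearer. Note that `./fs.exp` runs unconditionally while its error branches exit with status 0, so this driver cannot distinguish a failed overlay test from a passed one except through the `TESTING` lines the Makefile greps for.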