From acf8efb878b84882a9df61eff51fdcaceb522a4c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 8 Mar 2023 16:23:30 -0500 Subject: testing --- .github/workflows/build.yml | 6 +- Makefile | 4 +- README | 1 + gcov.sh | 4 +- test/capabilities/capabilities.sh | 23 +++++++ test/capabilities/caps-join.exp | 96 ++++++++++++++++++++++++++ test/capabilities/caps-print.exp | 103 ++++++++++++++++++++++++++++ test/capabilities/caps.exp | 139 ++++++++++++++++++++++++++++++++++++++ test/capabilities/caps1.profile | 1 + test/capabilities/caps2.profile | 1 + test/capabilities/caps3.profile | 1 + test/filters/caps-join.exp | 96 -------------------------- test/filters/caps-print.exp | 103 ---------------------------- test/filters/caps.exp | 139 -------------------------------------- test/filters/caps1.profile | 1 - test/filters/caps2.profile | 1 - test/filters/caps3.profile | 1 - test/filters/filters.sh | 24 +++---- test/firecfg/firecfg.exp | 13 ++++ test/firecfg/firecfg.sh | 5 ++ 20 files changed, 404 insertions(+), 358 deletions(-) create mode 100755 test/capabilities/capabilities.sh create mode 100755 test/capabilities/caps-join.exp create mode 100755 test/capabilities/caps-print.exp create mode 100755 test/capabilities/caps.exp create mode 100644 test/capabilities/caps1.profile create mode 100644 test/capabilities/caps2.profile create mode 100644 test/capabilities/caps3.profile delete mode 100755 test/filters/caps-join.exp delete mode 100755 test/filters/caps-print.exp delete mode 100755 test/filters/caps.exp delete mode 100644 test/filters/caps1.profile delete mode 100644 test/filters/caps2.profile delete mode 100644 test/filters/caps3.profile diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9f2072c74..2e6a462f2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -73,10 +73,10 @@ jobs: run: SHELL=/bin/bash make lab-setup - name: run firecfg tests run: SHELL=/bin/bash make test-firecfg + - name: run capabilities tests + run: SHELL=/bin/bash make test-capabilities - name: run apparmor tests run: SHELL=/bin/bash make test-apparmor - - name: run network tests - run: SHELL=/bin/bash make test-network - name: run appimage tests run: SHELL=/bin/bash make test-appimage - name: run chroot tests @@ -97,3 +97,5 @@ jobs: run: SHELL=/bin/bash make test-utils - name: run environment tests run: SHELL=/bin/bash make test-environment + - name: run network tests + run: SHELL=/bin/bash make test-network diff --git a/Makefile b/Makefile index 3bb128ccc..9a0482848 100644 --- a/Makefile +++ b/Makefile @@ -314,7 +314,7 @@ mkman.sh \ platform \ src -DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils +DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/capabilities test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils .PHONY: dist dist: config.mk @@ -368,7 +368,7 @@ codespell: clean # make test # -TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc +TESTS=profiles capabilities apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc TEST_TARGETS=$(patsubst %,test-%,$(TESTS)) $(TEST_TARGETS): diff --git a/README b/README index a6474fdb2..3dca59a28 100644 --- a/README +++ b/README 
@@ -720,6 +720,7 @@ Manuel Dipolt (https://github.com/xeniter) - stack alignment for the ARM Architecture Marek Küthe (https://github.com/marek22k) - allow loading plugins in gajim + - allow bsfilter in email-common.profile Martin Carpenter (https://github.com/mcarpenter) - security audit and bug fixes - Centos 6.x support diff --git a/gcov.sh b/gcov.sh index 0f2808ace..a4f56136c 100755 --- a/gcov.sh +++ b/gcov.sh @@ -13,7 +13,7 @@ gcov_generate() { USER="$(whoami)" find . -exec sudo chown "$USER:$USER" '{}' + lcov -q --capture -d src/firejail -d src/lib -d src/firecfg -d src/firemon \ - -d src/fnet -d src/fnetfilter -d src/fcopy --output-file gcov-file + -d src/fnet -d src/fnetfilter -d src/fcopy -d src/fseccomp --output-file gcov-file genhtml -q gcov-file --output-directory gcov-dir } @@ -23,6 +23,8 @@ gcov_generate make test-firecfg | grep TESTING gcov_generate +make test-capabilities | grep TESTING +gcov_generate make test-apparmor | grep TESTING gcov_generate make test-network | grep TESTING diff --git a/test/capabilities/capabilities.sh b/test/capabilities/capabilities.sh new file mode 100755 index 000000000..50279cd4f --- /dev/null +++ b/test/capabilities/capabilities.sh @@ -0,0 +1,23 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2023 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +export LC_ALL=C + + +#if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then + echo "TESTING: capabilities (test/filters/caps.exp)" + ./caps.exp +#else +# echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)" +#fi + +echo "TESTING: capabilities print (test/filters/caps-print.exp)" +./caps-print.exp + +echo "TESTING: capabilities join (test/filters/caps-join.exp)" +./caps-join.exp + diff --git a/test/capabilities/caps-join.exp b/test/capabilities/caps-join.exp new file mode 100755 index 000000000..1830143fb --- /dev/null 
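Review bot: The three `echo "TESTING: ..."` labels in the new test/capabilities/capabilities.sh still name `test/filters/` paths, which this commit deletes. The runner output is filtered with `grep TESTING` (see the gcov.sh hunk), so a failing capability test would be reported against the wrong file; the labels should read like `echo "TESTING: capabilities (test/capabilities/caps.exp)"`. The `CapBnd` guard is also left commented out with its two guarded lines still indented, so caps.exp now runs unconditionally. Either restore the check or delete the commented lines and add a one-line comment saying why the skip is no longer needed.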
+++ b/test/capabilities/caps-join.exp
@@ -0,0 +1,96 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+match_max 100000
+spawn $env(SHELL)
+set id1 $spawn_id
+spawn $env(SHELL)
+set id2 $spawn_id
+
+send -- "stty -echo\r"
+after 100
+
+#
+# regular run
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+set spawn_id $id2
+
+send -- "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "CapBnd: 0000000000000000"
+}
+sleep 1
+
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+#
+# no caps
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+set spawn_id $id2
+
+send -- "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "fffffffff"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "CapAmb:"
+}
+sleep 1
+
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+#
+# no caps
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
+expect {
+ timeout {puts "TESTING ERROR20\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+set spawn_id $id2
+
+send -- "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 21\n";exit}
+ "CapBnd: 0000000000000009"
+}
+sleep 1
+
+set spawn_id $id1
+send -- "exit\r"
+after 100
+
+puts "all done\n"
diff --git a/test/capabilities/caps-print.exp b/test/capabilities/caps-print.exp
new file mode 100755
index 000000000..b403f9ffe
--- /dev/null
+++ b/test/capabilities/caps-print.exp
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --noprofile --caps --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Drop CAP_SYS_MODULE"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Drop CAP_SYS_RAWIO"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Drop CAP_SYS_BOOT"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Drop CAP_SYS_NICE"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Drop CAP_SYS_TTY_CONFIG"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Drop CAP_SYSLOG"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Drop CAP_MKNOD"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Drop CAP_SYS_ADMIN"
+}
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "chown - enabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "setgid - enabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "setuid - enabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "mknod - disabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "syslog - disabled"
+}
+after 100
+
+send -- "firejail --debug-caps\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "21 - sys_admin"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "22 - sys_boot"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "23 - sys_nice"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "24 - sys_resource"
+}
+after 100
+
+send -- "firejail --caps.keep=\"bla bla bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "capability"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "not found"
+}
+
+after 100
+puts "\nall done\n"
diff --git a/test/capabilities/caps.exp b/test/capabilities/caps.exp
new file mode 100755
index 000000000..dbd63efda
--- /dev/null
+++ b/test/capabilities/caps.exp
@@ -0,0 +1,139 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "CapBnd: 0000000000000009"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "CapBnd: 0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "fffffff0"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --profile=caps1.profile --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "Drop CAP_SYS_MODULE"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "Drop CAP_SYS_ADMIN"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+## tofix: possible problem with caps.keep in profile files
+##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+#send -- "firejail --profile=caps2.profile\r"
+#expect {
+# timeout {puts "TESTING ERROR 15\n";exit}
+# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+#}
+#after 100
+#
+#send -- "cat /proc/self/status\r"
+#expect {
+# timeout {puts "TESTING ERROR 16\n";exit}
+# "CapBnd: 0000000000000009"
+#}
+#expect {
+# timeout {puts "TESTING ERROR 17\n";exit}
+# "Seccomp:"
+#}
+#send -- "exit\r"
+#sleep 1
+
+#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+send -- "firejail --profile=caps3.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 18\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 19\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 20\n";exit}
+ "fffffff0"
+}
+expect {
+ timeout {puts "TESTING ERROR 21\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+
+after 100
+puts "\nall done\n"
diff --git a/test/capabilities/caps1.profile b/test/capabilities/caps1.profile
new file mode 100644
index 000000000..8b0c3b340
--- /dev/null
+++ b/test/capabilities/caps1.profile
@@ -0,0 +1 @@
+caps
diff --git a/test/capabilities/caps2.profile b/test/capabilities/caps2.profile
new file mode 100644
index 000000000..ad49719f1
--- /dev/null
+++ b/test/capabilities/caps2.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
diff --git a/test/capabilities/caps3.profile b/test/capabilities/caps3.profile
new file mode 100644
index 000000000..ad49719f1
--- /dev/null
+++ b/test/capabilities/caps3.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
diff --git a/test/filters/caps-join.exp b/test/filters/caps-join.exp
deleted file mode 100755
index 1830143fb..000000000
--- a/test/filters/caps-join.exp
+++ /dev/null
@@ -1,96 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2023 Firejail Authors -# License GPL v2 - -set timeout 10 -match_max 100000 -spawn $env(SHELL) -set id1 $spawn_id -spawn $env(SHELL) -set id2 $spawn_id - -send -- "stty -echo\r" -after 100 - -# -# regular run -# -set spawn_id $id1 -send -- "firejail --name=jointesting\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -sleep 1 - -set spawn_id $id2 - -send -- "firejail --join=jointesting cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "CapBnd: 0000000000000000" -} -sleep 1 - -set spawn_id $id1 -send -- "exit\r" -after 100 - -# -# no caps -# -set spawn_id $id1 -send -- "firejail --name=jointesting --noprofile\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -sleep 1 - -set spawn_id $id2 - -send -- "firejail --join=jointesting cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "fffffffff" -} -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "CapAmb:" -} -sleep 1 - -set spawn_id $id1 -send -- "exit\r" -after 100 - -# -# no caps -# -set spawn_id $id1 -send -- "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r" -expect { - timeout {puts "TESTING ERROR20\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -sleep 1 - -set spawn_id $id2 - -send -- "firejail --join=jointesting cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 21\n";exit} - "CapBnd: 0000000000000009" -} -sleep 1 - -set spawn_id $id1 -send -- "exit\r" -after 100 - -puts "all done\n" diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp deleted file mode 100755 index b403f9ffe..000000000 --- a/test/filters/caps-print.exp +++ /dev/null 
@@ -1,103 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2023 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --name=test --noprofile --caps --debug\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Drop CAP_SYS_MODULE" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Drop CAP_SYS_RAWIO" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Drop CAP_SYS_BOOT" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Drop CAP_SYS_NICE" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Drop CAP_SYS_TTY_CONFIG" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "Drop CAP_SYSLOG" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Drop CAP_MKNOD" -} -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "Drop CAP_SYS_ADMIN" -} -expect { - timeout {puts "TESTING ERROR 8\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --caps.print=test\r" -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "chown - enabled" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "setgid - enabled" -} -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "setuid - enabled" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "mknod - disabled" -} -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "syslog - disabled" -} -after 100 - -send -- "firejail --debug-caps\r" -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "21 - sys_admin" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "22 - sys_boot" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "23 - sys_nice" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "24 - sys_resource" -} -after 100 - -send -- "firejail --caps.keep=\"bla bla bla\"\r" -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "capability" -} -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "not found" -} - 
-after 100
-puts "\nall done\n"
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
deleted file mode 100755
index dbd63efda..000000000
--- a/test/filters/caps.exp
+++ /dev/null
@@ -1,139 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2023 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --caps.keep=chown,fowner --noprofile\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -after 100 - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "CapBnd: 0000000000000009" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Seccomp:" -} -send -- "exit\r" -sleep 1 - -send -- "firejail --caps.drop=all --noprofile\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -after 100 - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "CapBnd: 0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Seccomp:" -} -send -- "exit\r" -sleep 1 - -send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -after 100 - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "fffffff0" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "Seccomp:" -} -send -- "exit\r" -sleep 1 - - -send -- "firejail --profile=caps1.profile --debug\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "Drop CAP_SYS_MODULE" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "Drop CAP_SYS_ADMIN" -} -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "Drop CAP_" {puts "TESTING ERROR 14\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -after 100 -send -- "exit\r" -sleep 1 - - -## tofix: possible problem with caps.keep in profile files -##send -- "firejail --caps.keep=chown,fowner 
--noprofile\r" -#send -- "firejail --profile=caps2.profile\r" -#expect { -# timeout {puts "TESTING ERROR 15\n";exit} -# -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -#} -#after 100 -# -#send -- "cat /proc/self/status\r" -#expect { -# timeout {puts "TESTING ERROR 16\n";exit} -# "CapBnd: 0000000000000009" -#} -#expect { -# timeout {puts "TESTING ERROR 17\n";exit} -# "Seccomp:" -#} -#send -- "exit\r" -#sleep 1 - -#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r" -send -- "firejail --profile=caps3.profile\r" -expect { - timeout {puts "TESTING ERROR 18\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -after 100 - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 19\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 20\n";exit} - "fffffff0" -} -expect { - timeout {puts "TESTING ERROR 21\n";exit} - "Seccomp:" -} -send -- "exit\r" -sleep 1 - - - -after 100 -puts "\nall done\n" diff --git a/test/filters/caps1.profile b/test/filters/caps1.profile deleted file mode 100644 index 8b0c3b340..000000000 --- a/test/filters/caps1.profile +++ /dev/null @@ -1 +0,0 @@ -caps diff --git a/test/filters/caps2.profile b/test/filters/caps2.profile deleted file mode 100644 index ad49719f1..000000000 --- a/test/filters/caps2.profile +++ /dev/null @@ -1 +0,0 @@ -caps.drop chown,dac_override,dac_read_search,fowner diff --git a/test/filters/caps3.profile b/test/filters/caps3.profile deleted file mode 100644 index ad49719f1..000000000 --- a/test/filters/caps3.profile +++ /dev/null @@ -1 +0,0 @@ -caps.drop chown,dac_override,dac_read_search,fowner diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 2d115db1b..e19047e6f 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh 
@@ -57,18 +57,18 @@ echo "TESTING: noroot (test/filters/noroot.exp)" ./noroot.exp -if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then - echo "TESTING: capabilities (test/filters/caps.exp)" - ./caps.exp -else - echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)" -fi - -echo "TESTING: capabilities print (test/filters/caps-print.exp)" -./caps-print.exp - -echo "TESTING: capabilities join (test/filters/caps-join.exp)" -./caps-join.exp +#if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then +# echo "TESTING: capabilities (test/filters/caps.exp)" +# ./caps.exp +#else +# echo "TESTING SKIP: other capabilities than expected (test/filters/caps.exp)" +#fi +# +#echo "TESTING: capabilities print (test/filters/caps-print.exp)" +#./caps-print.exp +# +#echo "TESTING: capabilities join (test/filters/caps-join.exp)" +#./caps-join.exp rm -f seccomp-test-file if [[ $(uname -m) == "x86_64" ]]; then diff --git a/test/firecfg/firecfg.exp b/test/firecfg/firecfg.exp index 0249fb7fa..755eea3a1 100755 --- a/test/firecfg/firecfg.exp +++ b/test/firecfg/firecfg.exp @@ -12,7 +12,20 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "ping: symbolic link to /usr/bin/firejail" } +after 100 +send -- "file /tmp/ttt/ping\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "ping: symbolic link to /usr/bin/firejail" +} +after 100 + +send -- "firecfg --list\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "/usr/local/bin/ping" +} after 100 puts "\nall done\n" diff --git a/test/firecfg/firecfg.sh b/test/firecfg/firecfg.sh index 6b03cc841..6f2bb5244 100755 --- a/test/firecfg/firecfg.sh +++ b/test/firecfg/firecfg.sh @@ -7,6 +7,11 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C +sudo mkdir /tmp/ttt sudo firecfg +sudo firecfg --bindir=/tmp/ttt + echo "TESTING: firecfg (test/firecfg/firecfg.exp)" ./firecfg.exp + +sudo rm -fr /tmp/ttt -- cgit v1.2.3-54-g00ecf
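Review bot: In test/filters/filters.sh the capability block is kept as twelve commented-out lines instead of being deleted, although the same tests now run from test/capabilities/capabilities.sh. Dead test code in a sandbox test suite makes it harder to see which security checks actually execute. Remove the commented lines, since git history keeps the old block. If a pointer is wanted, one line such as `# capability tests moved to test/capabilities/capabilities.sh` is enough.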
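Review bot: The added `file /tmp/ttt/ping` check in test/firecfg/firecfg.exp reuses the label `TESTING ERROR 0` from the check directly above it, so a timeout in the log does not say which of the two symlink checks failed. Give it its own number, e.g. `timeout {puts "TESTING ERROR 1\n";exit}`, and renumber the `firecfg --list` check to 2. The `--list` check also expects `/usr/local/bin/ping`, which presumably depends on the default bindir of the machine running the test; a short comment stating that assumption would help.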
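Review bot: `sudo mkdir /tmp/ttt` in test/firecfg/firecfg.sh uses a fixed, predictable name in world-writable /tmp, and the result of the mkdir is not checked. If the path already exists (a leftover from an aborted run, or something another local user created), `sudo firecfg --bindir=/tmp/ttt` still runs as root against it, and `sudo rm -fr /tmp/ttt` then removes whatever is there. Prefer `bindir="$(mktemp -d)" || exit 1` with `trap 'sudo rm -fr -- "$bindir"' EXIT`, and hand the path to firecfg.exp (for example through an exported variable) instead of hard-coding /tmp/ttt in both files. The trap also covers the case where firecfg.exp aborts before the final cleanup line.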