From b50812ff5ef5009b7c6babb19fd9caa315f31515 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 1 Mar 2023 08:52:53 -0500
Subject: appimage testing

---
 .github/workflows/build.yml | 2 +
 Makefile | 24 +++---
 test/appimage/Leafpad-0.8.17-x86_64.AppImage | Bin 786432 -> 0 bytes
 .../Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage | Bin 231417 -> 0 bytes
 test/appimage/appimage-args.exp | 90 +-------------------
 test/appimage/appimage-trace.exp | 45 ++--------
 test/appimage/appimage-v1.exp | 92 ---------------------
 test/appimage/appimage-v2.exp | 31 +++----
 test/appimage/appimage.sh | 5 +-
 test/appimage/hello-x86_64.AppImage | Bin 0 -> 197824 bytes
 test/appimage/main.c | 32 +++++++
 11 files changed, 72 insertions(+), 249 deletions(-)
 delete mode 100644 test/appimage/Leafpad-0.8.17-x86_64.AppImage
 delete mode 100644 test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage
 delete mode 100755 test/appimage/appimage-v1.exp
 create mode 100755 test/appimage/hello-x86_64.AppImage
 create mode 100644 test/appimage/main.c

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index edc1e8a1b..e68ad99db 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -71,6 +71,8 @@ jobs:
 run: command -V firejail && firejail --version
 - name: lab setup
 run: SHELL=/bin/bash make lab-setup
+ - name: run appimage tests
+ run: SHELL=/bin/bash make test-appimage
 - name: run chroot tests
 run: SHELL=/bin/bash make test-chroot
 - name: run sysutils tests
diff --git a/Makefile b/Makefile
index 6814e8ddf..dbe084a2e 100644
--- a/Makefile
+++ b/Makefile
@@ -314,7 +314,7 @@ mkman.sh \ platform \ src -DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot +DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils .PHONY: dist dist: config.mk @@ -372,7 +372,7 @@ $(TEST_TARGETS): # extract some data about the testing setup: kernel, network connectivity, user -lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; ls /etc +lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; ls /etc test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters echo "TEST COMPLETE" @@ -380,6 +380,14 @@ test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-et test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters echo "TEST COMPLETE" +# not included in "make dist" and "make test" +test-appimage: + $(MAKE) -C test $(subst test-,,$@) + +# not included in "make dist" and "make test" +test-chroot: + $(MAKE) -C test $(subst test-,,$@) + # old gihub test; the new test is driven directly from .github/workflows/build.yml test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment echo "TEST COMPLETE" 
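Review bot: The added `ldd --version | grep GLIBC` in `lab-setup` only prints something where the distribution puts the literal string GLIBC in ldd's banner (Debian and Ubuntu builds do); other glibc builds typically report `ldd (GNU libc) …`, and the CI log would then carry no libc version at all. Because the recipe chains every command with `;`, grep's non-zero status is discarded as well, so the gap would go unnoticed. main.c in this patch says the test image was built against glibc 2.31, so a version line that always appears is the more useful diagnostic: `ldd --version | head -n 1`.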
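Review bot: The relocated `test-chroot` target loses its `# requires root access` comment (removed further down in this patch) and now carries only the packaging note, so the Makefile no longer tells a reader that this target needs root. I would keep both facts on one line: `# requires root access; not included in "make dist" and "make test"`. The `test-appimage` comment could likewise state that the target executes the prebuilt `test/appimage/hello-x86_64.AppImage` under firejail, since that is what CI now runs.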
@@ -393,21 +401,9 @@ test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-uti test-private-lib: $(MAKE) -C test $(subst test-,,$@) -# requires root access -test-chroot: - $(MAKE) -C test $(subst test-,,$@) - -# Huge appimage files, not included in "make dist" archive -test-appimage: - $(MAKE) -C test $(subst test-,,$@) - # Root access, network devices are created before the test # restart your computer to get rid of these devices test-network: $(MAKE) -C test $(subst test-,,$@) -# OverlayFS is not available on all platforms -test-overlay: - $(MAKE) -C test $(subst test-,,$@) - # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc" diff --git a/test/appimage/Leafpad-0.8.17-x86_64.AppImage b/test/appimage/Leafpad-0.8.17-x86_64.AppImage deleted file mode 100644 index 865f6b44c..000000000 Binary files a/test/appimage/Leafpad-0.8.17-x86_64.AppImage and /dev/null differ diff --git a/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage b/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage deleted file mode 100644 index d167431f3..000000000 Binary files a/test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage and /dev/null differ diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp index e85e8a46a..ef64e862f 100755 --- a/test/appimage/appimage-args.exp +++ b/test/appimage/appimage-args.exp 
@@ -8,97 +8,15 @@ spawn $env(SHELL) match_max 100000 set appimage_id $spawn_id -send -- "firejail --name=test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "execvp argument 2" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "AppRun" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "testfile" -} +send -- "firejail --name=test --appimage hello-x86_64.AppImage testfile\r" expect { timeout {puts "TESTING ERROR 4\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } -sleep 2 - -spawn $env(SHELL) -send -- "firejail --list\r" expect { - timeout {puts "TESTING ERROR 5\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "appimage Leafpad" -} -after 100 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp --wrap\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - "appimage Leafpad" -} -expect { - timeout {puts "TESTING ERROR 9 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 10\n";exit} - "name=blablabla" -} -after 100 -send -- "firemon --caps --wrap\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - "appimage Leafpad" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "name=blablabla" -} -after 100 - -spawn $env(SHELL) -send -- "firejail --shutdown=test\r" - -set 
spawn_id $appimage_id -expect { - timeout {puts "shutdown\n";exit} - "AppImage detached" + timeout {puts "TESTING ERROR 4\n";exit} + "1 - testfile" } -after 100 - +after 500 puts "\nall done\n" diff --git a/test/appimage/appimage-trace.exp b/test/appimage/appimage-trace.exp index f98826138..c1e481a67 100755 --- a/test/appimage/appimage-trace.exp +++ b/test/appimage/appimage-trace.exp @@ -8,61 +8,28 @@ spawn $env(SHELL) match_max 100000 set appimage_id $spawn_id -send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.17-x86_64.AppImage\r" +send -- "firejail --trace --timeout=00:00:05 --appimage hello-x86_64.AppImage\r" expect { timeout {puts "TESTING ERROR 1\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } expect { timeout {puts "TESTING ERROR 2\n";exit} - "leafpad:socket" + "AppRun:exec" } expect { timeout {puts "TESTING ERROR 3\n";exit} - "leafpad:connect" + "AppRun:opendir" } expect { timeout {puts "TESTING ERROR 4\n";exit} - "X11-unix/X0" + "Hello, World!" } expect { timeout {puts "TESTING ERROR 5\n";exit} - "Parent is shutting down, bye" + "ping:exec" } -expect { - timeout {puts "shutdown\n"} - "AppImage detached" -} -sleep 1 - -send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r" -expect { - timeout {puts "TESTING ERROR 11\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -expect { - timeout {puts "TESTING ERROR 12\n";exit} - "leafpad:socket" -} -expect { - timeout {puts "TESTING ERROR 13\n";exit} - "leafpad:connect" -} -expect { - timeout {puts "TESTING ERROR 14\n";exit} - "X11-unix/X0" -} -expect { - timeout {puts "TESTING ERROR 15\n";exit} - "Parent is shutting down, bye" -} -expect { - timeout {puts "shutdown\n"} - "AppImage detached" -} -sleep 1 - -after 100 +after 500 puts "\nall done\n" diff --git a/test/appimage/appimage-v1.exp b/test/appimage/appimage-v1.exp deleted file mode 100755 index bb360cd18..000000000 
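Review bot: Both `expect` blocks on the new side of appimage-args.exp report `TESTING ERROR 4`, so a CI failure does not say whether the sandbox failed to start or the argument `testfile` never reached the program; the first hunk of appimage-v2.exp has the same problem, with four blocks all labelled `TESTING ERROR 1`. Give each block its own label, for example `timeout {puts "TESTING ERROR 1\n";exit}` for the startup match and `timeout {puts "TESTING ERROR 2\n";exit}` for `"1 - testfile"`. The script also ends without the former `firejail --shutdown=test`, so the named sandbox presumably stays up until hello's `sleep(30)` ends or the spawned shell is torn down; worth confirming that it cannot interfere with another test that uses `--name=test`, as appimage-v2.exp does.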
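Review bot: The new side of appimage-trace.exp no longer waits for `Parent is shutting down, bye` or `AppImage detached`, so nothing in this test checks that `--timeout=00:00:05` actually ends the sandbox or that the image is unmounted afterwards; the script exits 500 ms after `ping:exec` while hello is still due to sleep for 30 s. Teardown is the step that leaves stale mounts behind when it breaks, so I would keep one assertion after the `ping:exec` block, e.g. `expect { timeout {puts "TESTING ERROR 6\n";exit} "Parent is shutting down, bye" }`, assuming firejail still prints that message for this image. The 5 s sandbox timeout has to fit inside the script's expect timeout, which is set outside this hunk.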
--- a/test/appimage/appimage-v1.exp +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/usr/bin/expect -f -# This file is part of Firejail project -# Copyright (C) 2014-2023 Firejail Authors -# License GPL v2 - -set timeout 10 -spawn $env(SHELL) -match_max 100000 -set appimage_id $spawn_id - -send -- "firejail --name=test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -sleep 2 - -spawn $env(SHELL) -send -- "firejail --list\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - ":firejail" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "appimage Leafpad" -} -after 100 - -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - - -send -- "firejail --name=blablabla\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" -} -sleep 2 - -spawn $env(SHELL) -send -- "firemon --seccomp --wrap\r" -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - "appimage Leafpad" -} -expect { - timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} - "Seccomp: 2" -} -expect { - timeout {puts "TESTING ERROR 5.1\n";exit} - "name=blablabla" -} -after 100 -send -- "firemon --caps --wrap\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "appimage Leafpad" -} -expect { - timeout {puts "TESTING ERROR 6.1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 6.2\n";exit} - "0000000000000000" -} -expect { - timeout {puts "TESTING ERROR 6.3\n";exit} - "name=blablabla" -} -after 100 - -spawn $env(SHELL) -send -- "firejail --shutdown=test\r" - -set spawn_id $appimage_id -expect { - timeout {puts "shutdown\n"} - "AppImage detached" -} - -after 100 - -puts "\nall done\n" 
diff --git a/test/appimage/appimage-v2.exp b/test/appimage/appimage-v2.exp index 748ac3d79..2d86de240 100755 --- a/test/appimage/appimage-v2.exp +++ b/test/appimage/appimage-v2.exp @@ -8,12 +8,24 @@ spawn $env(SHELL) match_max 100000 set appimage_id $spawn_id -send -- "firejail --name=test --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r" +send -- "firejail --name=test --appimage hello-x86_64.AppImage\r" expect { timeout {puts "TESTING ERROR 1\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" } -sleep 2 +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Hello, World!" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Operation not permitted" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Hello, again!" +} +sleep 5 spawn $env(SHELL) send -- "firejail --list\r" @@ -23,19 +35,10 @@ expect { } expect { timeout {puts "TESTING ERROR 3.1\n";exit} - "appimage Leafpad" + "appimage hello-x86_64" } after 100 -# grsecurity exit -send -- "file /proc/sys/kernel/grsecurity\r" -expect { - timeout {puts "TESTING ERROR - grsecurity detection\n";exit} - "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} - "cannot open" {puts "grsecurity not present\n"} -} - - send -- "firejail --name=blablabla\r" expect { timeout {puts "TESTING ERROR 4\n";exit} @@ -48,7 +51,7 @@ send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - "appimage Leafpad" + "appimage hello-x86_64" } expect { timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} @@ -62,7 +65,7 @@ after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} - "appimage Leafpad" + "appimage hello-x86_64" } expect { timeout {puts "TESTING ERROR 6.1\n";exit} diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index 0c50434ac..57e389249 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh 
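Review bot: The added `"Operation not permitted"` match in the first hunk is the only assertion that the sandbox stopped the privileged operation, and it depends on ping's own error text rather than on anything the test controls. On hosts where ping works without extra capabilities (unprivileged ICMP sockets allowed through `net.ipv4.ping_group_range`), or with a ping build that words the failure differently, the string may never appear even though firejail is behaving correctly. A more direct signal is to have the helper report the outcome itself, e.g. in main.c `printf("ping status: %d\n", system("ping -c 3 127.0.0.1"));`, and to match that line here. The `firemon --caps` check further down in this file already inspects the capability set directly.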
@@ -7,16 +7,13 @@ export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export LC_ALL=C -echo "TESTING: AppImage v1 (test/appimage/appimage-v1.exp)" -./appimage-v1.exp - echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)" ./appimage-v2.exp echo "TESTING: AppImage file name (test/appimage/filename.exp)" ./filename.exp -echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)" +echo "TESTING: AppImage args (test/appimage/appimage-args.exp)" ./appimage-args.exp echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)" diff --git a/test/appimage/hello-x86_64.AppImage b/test/appimage/hello-x86_64.AppImage new file mode 100755 index 000000000..b5d68fc5c Binary files /dev/null and b/test/appimage/hello-x86_64.AppImage differ diff --git a/test/appimage/main.c b/test/appimage/main.c new file mode 100644 index 000000000..83c495183 --- /dev/null +++ b/test/appimage/main.c @@ -0,0 +1,32 @@ +// This is a simple hello program compiled on Debian 11 (glibc 2.31) +// and packaged as an appimage using appimagetool from +// https://github.com/AppImage/AppImageKit. The tool in installed +// in the current directory. +// +// Building the appimage: +// mkdir -p AppDir/usr/bin +// gcc -o AppDir/usr/bin/hello main.c && strip AppDir/usr/bin/hello +// ./appimagetool AppDir + + +#include +#include +#include + +int main(int argc, char **argv) { + // test args + int i; + for (i = 1; i < argc; i++) + printf("%d - %s\n", i, argv[i]); + + printf("Hello, World!\n"); + + // elevate privileges - firejail should block it + system("ping -c 3 127.0.0.1\n"); + + printf("Hello, again!\n"); + sleep(30); + + return 0; +} + -- cgit v1.2.3-54-g00ecf
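Review bot: The header comment in main.c gives the build recipe but not enough to tie the committed `hello-x86_64.AppImage` back to this source: it names neither the appimagetool release used nor a checksum of the resulting image, and CI now executes that binary. I would extend the comment with two lines such as `// appimagetool release: <RELEASE_TAG>` and `// sha256(hello-x86_64.AppImage): <SHA256_OF_COMMITTED_FILE>` so a reviewer can rebuild and compare; if appimagetool output turns out not to be bit-reproducible, the recorded hash still pins what was reviewed. While there, "The tool in installed" should read "The tool is installed", and the trailing `\n` inside the `system()` command string is unnecessary.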