From bb5e52040c9b16c4a81e3d241d841181f9d0c950 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 23 Apr 2019 11:55:39 -0400 Subject: Arch Linux fixes --- etc/galculator.profile | 2 +- etc/gnome-nettool.profile | 2 +- test/private-lib/gnome-logs.exp | 83 ++++++++++++++++++++++++++++++++++ test/private-lib/gnome-nettool.exp | 84 +++++++++++++++++++++++++++++++++++ test/private-lib/gnome-system-log.exp | 83 ++++++++++++++++++++++++++++++++++ test/private-lib/pavucontrol.exp | 83 ++++++++++++++++++++++++++++++++++ test/private-lib/private-lib.sh | 4 +- 7 files changed, 337 insertions(+), 4 deletions(-) create mode 100755 test/private-lib/gnome-logs.exp create mode 100755 test/private-lib/gnome-nettool.exp create mode 100755 test/private-lib/gnome-system-log.exp create mode 100755 test/private-lib/pavucontrol.exp diff --git a/etc/galculator.profile b/etc/galculator.profile index 92b400572..b9adcfd34 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile @@ -23,7 +23,7 @@ include whitelist-var-common.inc apparmor caps.drop all -hostname galculator +#hostname galculator - breaks Arch Linux ipc-namespace net none nodbus diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile index a763917d1..3f28b7efe 100644 --- a/etc/gnome-nettool.profile +++ b/etc/gnome-nettool.profile @@ -39,6 +39,6 @@ disable-mnt private private-cache private-dev -private-lib libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.* +private-lib libgtk-3.so.*,libgtop*,libbind9.so.*,libcrypto.so.*,libdns.so.*,libirs.so.*,liblua.so.*,libssh2.so.*,libssl.so.* private-tmp diff --git a/test/private-lib/gnome-logs.exp b/test/private-lib/gnome-logs.exp new file mode 100755 index 000000000..ecec5b50c --- /dev/null +++ b/test/private-lib/gnome-logs.exp @@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2019 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail gnome-logs\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gnome-logs.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gnome-logs" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail gnome-logs" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail gnome-logs" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff --git a/test/private-lib/gnome-nettool.exp b/test/private-lib/gnome-nettool.exp new file mode 100755 index 000000000..6e6e0395b --- /dev/null +++ b/test/private-lib/gnome-nettool.exp @@ -0,0 +1,84 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2019 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail gnome-nettool\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gnome-nettool.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gnome-nettool" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +#seccomp is not configured +#send -- "firemon --seccomp\r" +#expect { +# timeout {puts "TESTING ERROR 5\n";exit} +# "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} +# ":firejail gnome-nettool" +#} +#expect { +# timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} +# "Seccomp: 2" +#} +#expect { +# timeout {puts "TESTING ERROR 5.1\n";exit} +# "name=blablabla" +#} +#after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail gnome-nettool" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000002000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff --git a/test/private-lib/gnome-system-log.exp b/test/private-lib/gnome-system-log.exp new file mode 100755 index 000000000..bdc09b8bc --- /dev/null +++ b/test/private-lib/gnome-system-log.exp @@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2019 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail gnome-system-log\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/gnome-system-log.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "gnome-system-log" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail gnome-system-log" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail gnome-system-log" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff --git a/test/private-lib/pavucontrol.exp b/test/private-lib/pavucontrol.exp new file mode 100755 index 000000000..ade658d51 --- /dev/null +++ b/test/private-lib/pavucontrol.exp @@ -0,0 +1,83 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2019 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail pavucontrol\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Reading profile /etc/firejail/pavucontrol.profile" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 3 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "pavucontrol" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + ":firejail pavucontrol" +} +expect { + timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 5.1\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + ":firejail pavucontrol" +} +expect { + timeout {puts "TESTING ERROR 6.1\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 6.2\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 6.3\n";exit} + "name=blablabla" +} +after 100 + +puts "\nall done\n" diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh index c6a5a4309..5e9d75379 100755 --- a/test/private-lib/private-lib.sh +++ b/test/private-lib/private-lib.sh @@ -3,9 +3,9 @@ # Copyright (C) 2014-2019 Firejail Authors # License GPL v2 -export MALLOC_CHECK_=3 +export MALLOC_CHECK_=3g export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) -LIST="dig whois evince galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog" +LIST="gnome-logs gnome-system-log gnome-nettool pavucontrol dig whois evince galculator gnome-calculator gedit leafpad mousepad pluma transmission-gtk xcalc atril gpicview eom eog" for app in $LIST; do -- cgit v1.2.3-54-g00ecf