From d0a4842403a3f01b18a5c404de7de2d390dd1d59 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 31 Oct 2019 14:24:03 -0400 Subject: testing --- test/filters/noroot.exp | 130 ++++++++++++++++++-------------------------- test/filters/seccomp-su.exp | 7 --- 2 files changed, 52 insertions(+), 85 deletions(-) diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 68304437f..9b8d2e91c 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp 
@@ -7,156 +7,130 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r" +send -- "firejail --name=test --noroot --noprofile\r" expect { timeout {puts "TESTING ERROR 1\n";exit} - "cannot create a new user namespace" {puts "TESTING SKIP: user namespace not available\n"; exit} - "noroot option is not available" {puts "TESTING SKIP: user namespace not available\n"; exit} "Child process initialized" } sleep 1 +# check seccomp disabled and all caps enabled send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "CapBnd: 0000000000000000" -} expect { timeout {puts "TESTING ERROR 2\n";exit} - "Seccomp:" + "CapBnd:" } expect { timeout {puts "TESTING ERROR 3\n";exit} - "2" + "ffffffff" } expect { timeout {puts "TESTING ERROR 4\n";exit} - "Cpus_allowed:" + "Seccomp:" } -puts "\n" - -send -- "ping 0\r" expect { timeout {puts "TESTING ERROR 5\n";exit} - "Operation not permitted" + "0" } -send -- "whoami\r" expect { timeout {puts "TESTING ERROR 6\n";exit} - $env(USER) + "Cpus_allowed:" } -send -- "sudo -s\r" +puts "\n" + +send -- "whoami\r" expect { timeout {puts "TESTING ERROR 7\n";exit} - "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} - "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} - "Bad system call" { puts "OK\n";} + $env(USER) } -send -- "cat /proc/self/uid_map | wc -l\r" +send -- "sudo -s\r" expect { timeout {puts "TESTING ERROR 8\n";exit} - "1" + "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} } -send -- "cat /proc/self/gid_map | wc -l\r" + +send -- "sudo su -\r" expect { timeout {puts "TESTING ERROR 9\n";exit} - "5" + "effective uid is not 0" {puts "OK\n"} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} } -puts "\n" -send -- "exit\r" -sleep 2 - - - -send -- "firejail --name=test --noroot --noprofile\r" +send -- "sudo ls\r" expect { timeout {puts "TESTING ERROR 10\n";exit} - "Child process initialized" + "effective uid is not 0" {puts "OK\n"} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} } -sleep 1 -send -- "cat /proc/self/status\r" +send -- "cat /proc/self/uid_map | wc -l\r" expect { timeout {puts "TESTING ERROR 11\n";exit} - "CapBnd:" + "1" } +send -- "cat /proc/self/gid_map | wc -l\r" expect { timeout {puts "TESTING ERROR 12\n";exit} - "ffffffff" + "5" } + + + +spawn $env(SHELL) +send -- "firejail --debug --join=test\r" expect { timeout {puts "TESTING ERROR 13\n";exit} - "Seccomp:" + "User namespace detected" } expect { timeout {puts "TESTING ERROR 14\n";exit} - "2" {puts "seccomp already active\n";} - "0" -} -expect { - timeout {puts "TESTING ERROR 15\n";exit} - "Cpus_allowed:" + "Joining user namespace" } -puts "\n" +sleep 1 -send -- "whoami\r" -expect { - timeout {puts "TESTING ERROR 16\n";exit} - $env(USER) -} send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 17\n";exit} + timeout {puts "TESTING ERROR 15\n";exit} "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} -} -send -- "ping 0\r" -expect { - timeout {puts "TESTING ERROR 18\n";exit} - "Operation not permitted" + "Permission denied" { puts "OK\n";} } send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 19\n";exit} + timeout {puts "TESTING ERROR 16\n";exit} "1" } send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 20\n";exit} + timeout {puts "TESTING ERROR 17\n";exit} "5" } - - -spawn $env(SHELL) -send -- "firejail --debug --join=test\r" +# check seccomp disabled and all caps enabled +send -- "cat /proc/self/status\r" expect { - timeout {puts "TESTING ERROR 21\n";exit} - "User namespace detected" + timeout {puts "TESTING ERROR 18\n";exit} + "CapBnd:" } expect { - timeout {puts "TESTING ERROR 22\n";exit} - "Joining user namespace" + timeout {puts "TESTING ERROR 19\n";exit} + "ffffffff" } -sleep 1 - -send -- "sudo -s\r" expect { - timeout {puts "TESTING ERROR 23\n";exit} - "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} - "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} - "Permission denied" { puts "OK\n";} + timeout {puts "TESTING ERROR 20\n";exit} + "Seccomp:" } -send -- "cat /proc/self/uid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 24\n";exit} - "1" + timeout {puts "TESTING ERROR 21\n";exit} + "0" } -send -- "cat /proc/self/gid_map | wc -l\r" expect { - timeout {puts "TESTING ERROR 25\n";exit} - "5" + timeout {puts "TESTING ERROR 22\n";exit} + "Cpus_allowed:" } +puts "\n" + + after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp index 3ff75b3b6..8417cadaf 100755 --- a/test/filters/seccomp-su.exp +++ b/test/filters/seccomp-su.exp 
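Review bot: The bare `"0"` expected after `"Seccomp:"` (TESTING ERROR 5 and 21) and the bare `"ffffffff"` after `"CapBnd:"` (ERROR 3 and 19) are unanchored patterns, so they can match any later text in the `/proc/self/status` output rather than the value of that field. A sandbox that did have seccomp active would then likely either pass or fail on the unrelated `"Cpus_allowed:"` step. Binding field and value in one pattern makes the check match the new comment "check seccomp disabled and all caps enabled", for example `-re {Seccomp:\s+0\s}` and `-re {CapBnd:\s+[0-9a-f]*ffffffff\s}`. Separately, with both `TESTING SKIP` branches dropped from the first `expect`, a host without user namespaces will presumably report TESTING ERROR 1 instead of a skip, which reads as a regression in the sandbox rather than a missing kernel feature. The first six lines of the script are outside this hunk.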
@@ -28,13 +28,6 @@ expect { "Bad system call" {puts "OK\n"} } -send -- "ping google.com\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Operation not permitted" {puts "OK\n"} - "unknown host" {puts "OK\n"} -} - send -- "exit\r" after 100 puts "all done\n" -- cgit v1.2.3-54-g00ecf