From e44f60a25011e388ae9f33ce8d16b9d8cb143502 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 9 Nov 2016 09:43:31 -0500 Subject: testing --- configure | 4 +-- configure.ac | 4 +-- src/firejail/sandbox.c | 8 ++--- src/firejail/sbox.c | 2 ++ src/fnet/interface.c | 1 + test/network/interface.exp | 66 ++++++++++++++++++++++++++++++++++++++++ test/network/net_scan.exp | 75 ++++++++++++++++++++++++++++++++++++++++++++++ test/network/network.sh | 6 ++++ 8 files changed, 156 insertions(+), 10 deletions(-) create mode 100755 test/network/interface.exp create mode 100755 test/network/net_scan.exp diff --git a/configure b/configure index 47413e5b8..0aefb5c62 100755 --- a/configure +++ b/configure @@ -3704,7 +3704,7 @@ fi if test "x$enable_gcov" = "xyes"; then : - HAVE_GCOV="--coverage " + HAVE_GCOV="--coverage -DHAVE_GCOV " EXTRA_LDFLAGS+="-lgcov --coverage " @@ -4970,9 +4970,9 @@ echo " whitelisting: $HAVE_WHITELIST" echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" -echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" +echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " Gcov instrumentation: $HAVE_GCOV" echo diff --git a/configure.ac b/configure.ac index e05c023f7..74ba09f43 100644 --- a/configure.ac +++ b/configure.ac @@ -140,7 +140,7 @@ HAVE_GCOV="" AC_ARG_ENABLE([gcov], AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])) AS_IF([test "x$enable_gcov" = "xyes"], [ - HAVE_GCOV="--coverage " + HAVE_GCOV="--coverage -DHAVE_GCOV " EXTRA_LDFLAGS+="-lgcov --coverage " AC_SUBST(HAVE_GCOV) ]) 
@@ -178,9 +178,9 @@ echo " whitelisting: $HAVE_WHITELIST" echo " private home support: $HAVE_PRIVATE_HOME" echo " file transfer support: $HAVE_FILE_TRANSFER" echo " overlayfs support: $HAVE_OVERLAYFS" -echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " busybox workaround: $BUSYBOX_WORKAROUND" echo " EXTRA_LDFLAGS: $EXTRA_LDFLAGS" +echo " fatal warnings: $HAVE_FATAL_WARNINGS" echo " Gcov instrumentation: $HAVE_GCOV" echo diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 556cb1fca..6b7f7f003 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -481,28 +481,24 @@ int sandbox(void* sandbox_arg) { sandbox_if_up(&cfg.bridge3); -// todo: this code seems to be dead!!! - // enable interfaces + // moving an interface in a namespace using --interface will reset the interface configuration; + // we need to put the configuration back if (cfg.interface0.configured && cfg.interface0.ip) { -assert(0); if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface0.ip), cfg.interface0.dev); net_config_interface(cfg.interface0.dev, cfg.interface0.ip, cfg.interface0.mask, cfg.interface0.mtu); } if (cfg.interface1.configured && cfg.interface1.ip) { -assert(0); if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface1.ip), cfg.interface1.dev); net_config_interface(cfg.interface1.dev, cfg.interface1.ip, cfg.interface1.mask, cfg.interface1.mtu); } if (cfg.interface2.configured && cfg.interface2.ip) { -assert(0); if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface2.ip), cfg.interface2.dev); net_config_interface(cfg.interface2.dev, cfg.interface2.ip, cfg.interface2.mask, cfg.interface2.mtu); } if (cfg.interface3.configured && cfg.interface3.ip) { -assert(0); if (arg_debug) printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(cfg.interface3.ip), cfg.interface3.dev); net_config_interface(cfg.interface3.dev, cfg.interface3.ip, cfg.interface3.mask, cfg.interface3.mtu); diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index b16736dee..3d4eef3aa 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c @@ -156,9 +156,11 @@ int sbox_run(unsigned filter, int num, ...) { caps_drop_all(); } else if (filter & SBOX_CAPS_NETWORK) { +#ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN; set |= ((uint64_t) 1) << CAP_NET_RAW; caps_set(set); +#endif } if (filter & SBOX_SECCOMP) { 
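Review bot: With the `assert(0)` markers gone, the four interface blocks in this hunk are now live code that differs only in the `cfg.interfaceN` field, so a wrong edit to one of them will silently drift from the others; they should be folded into one static helper that takes the interface struct (presumably the `Interface` typedef behind `cfg.interface0` — confirm in firejail.h). The added comment explains why the reconfiguration is needed, which is good, but it belongs on the helper rather than above the first copy. `sandbox()` starts and ends outside this hunk.
```c
// --interface moves the device into the sandbox namespace, which resets its
// configuration; re-apply the address and MTU parsed from the command line.
static void sandbox_config_interface(const Interface *ifc) {
	if (!ifc->configured || !ifc->ip)
		return;
	if (arg_debug)
		printf("Configuring %d.%d.%d.%d address on interface %s\n", PRINT_IP(ifc->ip), ifc->dev);
	net_config_interface(ifc->dev, ifc->ip, ifc->mask, ifc->mtu);
}

// … unchanged: body of sandbox() up to sandbox_if_up(&cfg.bridge3); …
	sandbox_config_interface(&cfg.interface0);
	sandbox_config_interface(&cfg.interface1);
	sandbox_config_interface(&cfg.interface2);
	sandbox_config_interface(&cfg.interface3);
```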
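Review bot: The new `#ifndef HAVE_GCOV` compiles the capability restriction out entirely for coverage builds, so in such a build the SBOX_CAPS_NETWORK helpers keep whatever capabilities the caller has instead of only CAP_NET_ADMIN and CAP_NET_RAW, and nothing at build or run time makes that visible. A coverage build is therefore not security-equivalent to a release build and should never be installed setuid; that should at least be stated where the guard is, e.g. add `#else` / `#warning "HAVE_GCOV build: sbox network helpers keep all capabilities"` before the `#endif`. The explanatory comment now sits on the `#ifndef` line; it would read better as its own line above the directive. `sbox_run()` starts and ends outside this hunk.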
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 67af062bf..046b2c972 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c @@ -284,6 +284,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) { close(sock); + fprintf(stderr, "Error fnet: cannot find interface %s\n", ifname); errExit("ioctl"); } diff --git a/test/network/interface.exp b/test/network/interface.exp new file mode 100755 index 000000000..b15563eec --- /dev/null +++ b/test/network/interface.exp @@ -0,0 +1,66 @@ +#!/usr/bin/expect -f +# +# interface +# + +set timeout 10 +spawn $env(SHELL) +match_max 100000 +set overlay [lindex $argv 0] +set chroot [lindex $argv 1] + +# +# N +# +# todo: seems to be unable to find interface eth0.7 +#send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6 --interface=eth0.7\r" +send -- "firejail --noprofile --interface=eth0.7 --interface=eth0.6\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "/sbin/ifconfig\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "eth0.5" +} +expect { + timeout {puts "TESTING ERROR 2n";exit} + "Link" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "10.10.205.10" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1" +} +after 100 + +send -- "/sbin/ifconfig\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "eth0.6" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Link" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "10.10.206.10" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1" +} +after 100 + +send -- "exit\r" +sleep 1 + + +puts "\nall done\n" diff --git a/test/network/net_scan.exp b/test/network/net_scan.exp new file mode 100755 index 000000000..5afbbeea6 --- /dev/null 
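Review bot: The added message says the interface cannot be found, but SIOCSIFADDR also fails for other reasons (for example a missing CAP_NET_ADMIN or an invalid address), so the text will mislead whoever reads the log. In addition, `close(sock)` and `fprintf` run before `errExit("ioctl")`, and either can overwrite `errno`, so if errExit reports errno (as its name suggests) it may print the wrong cause. Suggested lines: `int saved_errno = errno;` before `close(sock);`, then `fprintf(stderr, "Error fnet: cannot configure interface %s\n", ifname);` and `errno = saved_errno;` just before `errExit("ioctl");`. `net_if_ip()` starts and ends outside this hunk.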
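Review bot: The test starts the sandbox with `--interface=eth0.7 --interface=eth0.6` but the first ifconfig block expects `"eth0.5"` and `"10.10.205.10"`, so it will time out at TESTING ERROR 1 unless eth0.5 is put back in the send line (or the expectations are changed to the address assigned to eth0.7). The second timeout message reads `"TESTING ERROR 2n"` and should be `"TESTING ERROR 2\n"`. The `overlay` and `chroot` variables read from argv are never used and the script is invoked without arguments from network.sh, so those two `set` lines can be dropped. A one-line comment near the top stating that the host must provide VLAN devices eth0.5–eth0.7 would save the next person a failed run.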
+++ b/test/network/net_scan.exp @@ -0,0 +1,75 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# +send -- "firejail --net=br1 --ip=10.10.30.50\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "10.10.30.50" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --net=br1 --ip=10.10.30.51\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "10.10.30.51" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "255.255.255.0" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "firejail --net=br1 --scan\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "eth0" +} +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "10.10.30.50" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "10.10.30.51" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "Child process initialized" +} +sleep 1 + + + +after 100 + +puts "\nall done\n" + diff --git a/test/network/network.sh b/test/network/network.sh index 7b6d66e34..e0087411d 100755 --- a/test/network/network.sh +++ b/test/network/network.sh @@ -52,6 +52,12 @@ echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)" echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)" ./net_defaultgw3.exp +echo "TESTING: scan (net_scan.exp)" +./net_scan.exp + +echo "TESTING: interface (interface.exp)" +./interface.exp + echo "TESTING: netfilter (net_netfilter.exp)" ./net_netfilter.exp -- cgit v1.2.3-54-g00ecf
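Review bot: The two sandboxes holding 10.10.30.50 and 10.10.30.51 are never torn down: each `spawn $env(SHELL)` replaces the current spawn_id, the earlier shells keep running, and the script ends without sending `exit` to any of them, so the addresses stay claimed on br1 for whatever test runs next. Save each id after spawning, e.g. `set sid1 $spawn_id`, and at the end send `send -i $sid1 -- "exit\r"` (likewise for the second and third shells). The script also relies on br1 existing and on the 10.10.30.0/24 range being free; a comment stating that prerequisite would help, since the "Copyright" header says nothing about the setup.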
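Review bot: The two new invocations are added without noting that they depend on host setup the rest of this file does not need: interface.exp expects VLAN devices named eth0.5–eth0.7 and net_scan.exp expects bridge br1 with 10.10.30.50–51 unused. A comment above the new lines, e.g. `# requires VLAN devices eth0.5-eth0.7 and bridge br1 (see interface.exp, net_scan.exp)`, would make a failing run diagnosable. The exit status of the expect scripts is ignored here as it is for the existing tests, so a failure only shows as a missing "all done" in the output.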