From ea774178f6d8f613c96c0d001fed200155b704b7 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 30 Apr 2016 07:31:21 -0400
Subject: added make test-filters
---
 test/filters/filters.sh | 48 +++++++++++
 test/filters/seccomp-chmod-profile.exp | 49 +++++++++++
 test/filters/seccomp-chmod.exp | 49 +++++++++++
 test/filters/seccomp-chown.exp | 49 +++++++++++
 test/filters/seccomp-debug.exp | 31 +++++++
 test/filters/seccomp-dualfilter.exp | 41 +++++++++
 test/filters/seccomp-empty.exp | 148 +++++++++++++++++++++++++++++++++
 test/filters/seccomp-empty.profile | 1 +
 test/filters/seccomp-errno.exp | 90 ++++++++++++++++++++
 test/filters/seccomp-ptrace.exp | 26 ++++++
 test/filters/seccomp-su.exp | 37 +++++++++
 test/filters/seccomp-umount.exp | 31 +++++++
 12 files changed, 600 insertions(+)
 create mode 100755 test/filters/filters.sh
 create mode 100755 test/filters/seccomp-chmod-profile.exp
 create mode 100755 test/filters/seccomp-chmod.exp
 create mode 100755 test/filters/seccomp-chown.exp
 create mode 100755 test/filters/seccomp-debug.exp
 create mode 100755 test/filters/seccomp-dualfilter.exp
 create mode 100755 test/filters/seccomp-empty.exp
 create mode 100644 test/filters/seccomp-empty.profile
 create mode 100755 test/filters/seccomp-errno.exp
 create mode 100755 test/filters/seccomp-ptrace.exp
 create mode 100755 test/filters/seccomp-su.exp
 create mode 100755 test/filters/seccomp-umount.exp
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
new file mode 100755
index 000000000..c21243a0f
--- /dev/null
+++ b/test/filters/filters.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+echo "TESTING: noroot (test/filters/noroot.exp)"
+./noroot.exp
+
+echo "TESTING: capabilities (test/filters/caps.exp)"
+./caps.exp
+
+echo "TESTING: protocol (test/filters/protocol.exp)"
+./protocol.exp
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+echo "TESTING: seccomp debug (test/filters/seccomp-debug.exp)"
+./seccomp-debug.exp
+
+echo "TESTING: seccomp errno (test/filters/seccomp-errno.exp)"
+./seccomp-errno.exp
+
+echo "TESTING: seccomp su (test/filters/seccomp-su.exp)"
+./seccomp-su.exp
+
+echo "TESTING: seccomp ptrace (seccomp-ptrace.exp)"
+./seccomp-ptrace.exp
+
+echo "TESTING: seccomp chmod - seccomp lists (test/filters/seccomp-chmod.exp)"
+./seccomp-chmod.exp
+
+echo "TESTING: seccomp chmod profile - seccomp lists (test/filters/seccomp-chmod-profile.exp)"
+./seccomp-chmod-profile.exp
+
+echo "TESTING: seccomp empty (test/filters/seccomp-empty.exp)"
+./seccomp-empty.exp
+
+echo "TESTING: seccomp bad empty (test/filters/seccomp-bad-empty.exp)"
+./seccomp-bad-empty.exp
+
+echo "TESTING: seccomp dual filter (test/filters/seccomp-dualfilter.exp)"
+./seccomp-dualfilter.exp
+
+
diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp
new file mode 100755
index 000000000..9683fad90
--- /dev/null
+++ b/test/filters/seccomp-chmod-profile.exp
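Review bot: `./seccomp-bad-empty.exp` is invoked twice (after protocol and again after seccomp-empty), and the set of scripts run does not match what this commit creates: noroot.exp, caps.exp, protocol.exp and seccomp-bad-empty.exp are not among the twelve new files, while seccomp-chown.exp and seccomp-umount.exp are added but never called — unless those four already exist in test/filters, each missing one just prints a shell error and the run continues. No invocation checks its exit status, and every .exp script in this commit ends its failure branches with a bare `exit` (status 0), so a failing filter test cannot fail `make test-filters` unless a caller greps the log for "TESTING ERROR". Using `exit 1` in the expect error branches and `./seccomp-empty.exp || exit 1` per invocation (or `set -e`) would make the target's status meaningful. The ptrace echo line also omits the `test/filters/` prefix every other echo uses.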
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=seccomp.profile --private\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "touch testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "ls -l testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "testfile"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "chmod +x testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Bad system call"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+
+send -- "exit\r"
+sleep 1
+puts "\n"
diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp
new file mode 100755
index 000000000..0d52122d3
--- /dev/null
+++ b/test/filters/seccomp-chmod.exp
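Review bot: The error labels are reused — the chmod step's timeout branches print `TESTING ERROR 2` and `TESTING ERROR 3`, the same labels as the ls step directly above — so a log cannot say which step timed out; renumber them `TESTING ERROR 4` and `TESTING ERROR 5`. The same duplication appears in seccomp-chmod.exp and seccomp-chown.exp. The profile loaded on the first send, `seccomp.profile`, is not among the files this commit creates (only seccomp-empty.profile is), so unless it already exists in test/filters the sandbox never starts and the run stops at `TESTING ERROR 0`.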
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "touch testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "ls -l testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "testfile"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "chmod +x testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Bad system call"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+
+send -- "exit\r"
+sleep 1
+puts "\n"
diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp
new file mode 100755
index 000000000..4e393fea2
--- /dev/null
+++ b/test/filters/seccomp-chown.exp
@@ -0,0 +1,49 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "touch testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "ls -l testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "testfile"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+send -- "chown netblue:netblue testfile;pwd\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Bad system call"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/root" {puts "running as root"}
+ "/home"
+}
+
+
+send -- "exit\r"
+sleep 1
+puts "\n"
diff --git a/test/filters/seccomp-debug.exp b/test/filters/seccomp-debug.exp
new file mode 100755
index 000000000..dbc0d37a9
--- /dev/null
+++ b/test/filters/seccomp-debug.exp
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --seccomp --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "SECCOMP Filter"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "BLACKLIST"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "open_by_handle_at"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "exit\r"
+after 100
+puts "all done\n"
diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp
new file mode 100755
index 000000000..26b36236a
--- /dev/null
+++ b/test/filters/seccomp-dualfilter.exp
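Review bot: `chown netblue:netblue testfile` only reaches the filtered syscall if a user and group named netblue exist on the test host; otherwise chown rejects the owner spec before calling chown(2), `Bad system call` never appears, and the run ends at `TESTING ERROR 2` for a reason unrelated to the filter. Using the current user keeps the assertion about seccomp: `send -- "chown $env(USER):$env(USER) testfile;pwd\r"` (expect substitutes `$env(USER)` when USER is exported), or `\$(id -un)` evaluated by the sandboxed shell. The error labels 2 and 3 on this step are also the same ones the ls step above already uses.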
@@ -0,0 +1,41 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail ./syscall_test mount\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "before mount"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "after mount" {puts "TESTING ERROR 2.1\n";exit}
+ "Parent is shutting down"
+}
+sleep 1
+
+send -- "firejail ./syscall_test32 mount\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Child process initialized"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "before mount"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "after mount" {puts "TESTING ERROR 5.1\n";exit}
+ "Parent is shutting down"
+}
+
+puts "\nall done\n"
diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp
new file mode 100755
index 000000000..11b275c7d
--- /dev/null
+++ b/test/filters/seccomp-empty.exp
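Review bot: `./syscall_test` and `./syscall_test32` are not created by this commit and are not checked for before being spawned; if either binary is missing (the 32-bit one presumably needs a multilib toolchain), the shell prints a not-found error and the script idles until the 10 s timeout, reporting `TESTING ERROR 0` or `3` instead of a missing prerequisite. A guard before each send, e.g. `if {![file executable ./syscall_test32]} {puts "TESTING SKIP: syscall_test32 missing\n"; exit}`, makes that distinction visible in the log. The negative branch `"after mount" {puts "TESTING ERROR 2.1\n";exit}` is the real assertion here and deserves a comment such as `# the filter must kill mount: "after mount" must never print`.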
@@ -0,0 +1,148 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --debug --seccomp=chmod,fchmod,fchmodat --private\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "VALIDATE_ARCHITECTURE"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.1\n";exit}
+ "mount"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.2\n";exit}
+ "ptrace"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.3\n";exit}
+ "chmod"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.4\n";exit}
+ "fchmod"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.5\n";exit}
+ "fchmodat"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.6\n";exit}
+ "RETURN_ALLOW"
+}
+expect {
+ timeout {puts "TESTING ERROR 0.7\n";exit}
+ "Child process initialized"
+}
+sleep 2
+send -- "exit\r"
+sleep 3
+puts "\n"
+
+send -- "firejail --debug --seccomp.drop=chmod,fchmod,fchmodat --private\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "VALIDATE_ARCHITECTURE"
+}
+expect {
+ timeout {puts "TESTING ERROR 1.1\n";exit}
+ "mount" {puts "TESTING ERROR 1.2\n";exit}
+ "ptrace" {puts "TESTING ERROR 1.3\n";exit}
+ "chmod"
+}
+expect {
+ timeout {puts "TESTING ERROR 1.4\n";exit}
+ "fchmod"
+}
+expect {
+ timeout {puts "TESTING ERROR 1.5\n";exit}
+ "fchmodat"
+}
+expect {
+ timeout {puts "TESTING ERROR 1.6\n";exit}
+ "RETURN_ALLOW"
+}
+expect {
+ timeout {puts "TESTING ERROR 1.7\n";exit}
+ "Child process initialized"
+}
+sleep 2
+send -- "exit\r"
+puts "\n"
+
+sleep 2
+send -- "firejail --debug --profile=seccomp.profile --private\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "VALIDATE_ARCHITECTURE"
+}
+expect {
+ timeout {puts "TESTING ERROR 2.1\n";exit}
+ "mount"
+}
+expect {
+ timeout {puts "TESTING ERROR 2.2\n";exit}
+ "ptrace"
+}
+expect {
+ timeout {puts "TESTING ERROR 2.3\n";exit}
+ "chmod"
+}
+expect {
+ timeout {puts "TESTING ERROR 2.4\n";exit}
+ "fchmod"
+}
+expect {
+ timeout {puts "TESTING ERROR 2.5\n";exit}
+ "fchmodat"
+}
+expect {
+ timeout {puts "TESTING ERROR 2.6\n";exit}
+ "RETURN_ALLOW"
+}
+expect {
+ timeout {puts "TESTING ERROR 2.7\n";exit}
+ "Child process initialized"
+}
+sleep 2
+send -- "exit\r"
+sleep 3
+puts "\n"
+
+send -- "firejail --debug --profile=seccomp-empty.profile --private\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "VALIDATE_ARCHITECTURE"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "mount" {puts "TESTING ERROR 3.2\n";exit}
+ "ptrace" {puts "TESTING ERROR 3.3\n";exit}
+ "chmod"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.4\n";exit}
+ "fchmod"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.5\n";exit}
+ "fchmodat"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.6\n";exit}
+ "RETURN_ALLOW"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.7\n";exit}
+ "Child process initialized"
+}
+sleep 2
+send -- "exit\r"
+puts "\n"
+
diff --git a/test/filters/seccomp-empty.profile b/test/filters/seccomp-empty.profile
new file mode 100644
index 000000000..8f71f55a5
--- /dev/null
+++ b/test/filters/seccomp-empty.profile
@@ -0,0 +1 @@
+seccomp.drop chmod,fchmod,fchmodat
diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp
new file mode 100755
index 000000000..aefe816e1
--- /dev/null
+++ b/test/filters/seccomp-errno.exp
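Review bot: The hand-off between the four sandboxes is timing-based — after each `send -- "exit\r"` the script waits `sleep 3` (or `sleep 2`) and then sends the next `firejail` command; if teardown takes longer, that command is typed into the still-open sandboxed shell rather than the outer one, and the negative `"mount"`/`"ptrace"` branches no longer describe a fresh sandbox. Waiting for firejail's own shutdown line, `expect "Parent is shutting down"` as seccomp-dualfilter.exp does, is deterministic and removes the sleeps. The third section loads `seccomp.profile`, which this commit does not create (only seccomp-empty.profile is added), so it can only pass if that file already exists in test/filters. The negative branches also match the bare substrings "mount" and "ptrace" anywhere in the `--debug` stream, not only in the filter listing, so any debug line that happens to mention a mount would presumably fail the test spuriously; anchoring on the listing's line format would be more robust.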
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch seccomp-test-file\r"
+sleep 1
+
+send -- "firejail --seccomp.enoent=unlinkat rm seccomp-test-file\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "No such file or directory"
+}
+sleep 1
+
+send -- "firejail --seccomp.enoent=unlinkat --debug rm seccomp-test-file\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "unlinkat 2 ENOENT"
+}
+sleep 1
+
+send -- "firejail --seccomp.enoent=unlinkat,mkdir\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Child process initialized"
+}
+sleep 1
+send -- "rm seccomp-test-file\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "No such file or directory"
+}
+after 100
+puts "\n"
+
+send -- "mkdir seccomp-test-dir\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "No such file or directory"
+}
+after 100
+puts "\n"
+
+send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --seccomp.enoent=unlinkat --seccomp.enoent=mkdir\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "errno enoent already configured"
+}
+sleep 1
+
+send -- "firejail --seccomp.enoent=unlinkat --seccomp.eperm=mkdir\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Child process initialized"
+}
+sleep 1
+send -- "rm seccomp-test-file\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "No such file or directory"
+}
+after 100
+puts "\n"
+
+send -- "mkdir seccomp-test-dir\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "Operation not permitted"
+}
+after 100
+puts "\n"
+
+send -- "exit\r"
+sleep 1
+
+
+
+
+send -- "rm seccomp-test-file\r"
+sleep 1
+puts "all done\n"
diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp
new file mode 100755
index 000000000..fba9ea92f
--- /dev/null
+++ b/test/filters/seccomp-ptrace.exp
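Review bot: The ENOENT checks only prove that `rm` printed `No such file or directory`, not that unlinkat was denied — the same message appears if the initial `touch seccomp-test-file` failed (its result is never checked) or if an earlier step actually removed the file. After the first sandboxed `rm`, something like `send -- "ls seccomp-test-file\r"` followed by `expect "seccomp-test-file"` would confirm the file survived and tie the message to the filter. The same ambiguity applies to the `mkdir seccomp-test-dir` steps, where a pre-existing directory from an earlier run would not be distinguished from a filtered call; an `ls -d` after each would close that gap.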
@@ -0,0 +1,26 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "strace ls\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Bad system call" {puts "version 1\n";}
+ " unexpected signal 31" {puts "version 2\n"}
+}
+
+send -- "exit\r"
+sleep 1
+puts "all done\n"
diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp
new file mode 100755
index 000000000..003f3df99
--- /dev/null
+++ b/test/filters/seccomp-su.exp
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "sudo su -\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "effective uid is not 0"
+}
+
+send -- "sudo ls\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "effective uid is not 0"
+}
+
+send -- "ping google.com\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Operation not permitted"
+}
+
+send -- "exit\r"
+sleep 1
+puts "all done\n"
diff --git a/test/filters/seccomp-umount.exp b/test/filters/seccomp-umount.exp
new file mode 100755
index 000000000..6e2f8c6c2
--- /dev/null
+++ b/test/filters/seccomp-umount.exp
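Review bot: `strace ls` is sent without checking that strace is installed; on a host without it the shell prints a not-found error, neither `Bad system call` nor `unexpected signal 31` ever appears, and the run ends at `TESTING ERROR 1` for a reason unrelated to the ptrace filter. A prerequisite check before the sandbox is started, e.g. `if {[auto_execok strace] eq ""} {puts "TESTING SKIP: strace not installed\n"; exit}`, keeps the log honest. The two alternatives in the last expect deserve a comment saying what they distinguish (the message printed depends on whether the shell or strace reports the SIGSYS), since "version 1"/"version 2" does not say that.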
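Review bot: Both the `sudo ls` and the `ping google.com` steps print `TESTING ERROR 2` on timeout, so a failure log cannot tell them apart; the ping step should use `TESTING ERROR 3`. The `sudo` steps assert a specific wording, `effective uid is not 0`, and so depend on sudo being installed inside the sandbox and on that message text; a missing sudo yields a not-found error and a timeout instead of a filter failure. The ping expectation is presumably distribution-dependent: where unprivileged ICMP datagram sockets are enabled, ping may not need a raw socket at all and `Operation not permitted` would not appear even though the no-new-privs setup is correct — a comment stating the assumption, or a check that the message comes from the socket call, would make the intent clear.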
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "sudo ls; sudo whoami; sudo pwd\r"
+expect {
+ timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
+ "root"
+}
+
+send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "umount /proc\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Bad system call"
+}
+
+send -- "exit\r"
+sleep 1
+puts "\n"
-- 
cgit v1.2.3-54-g00ecf
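Review bot: The root-check message has a stray "to root" in it — `"TESTING ERROR: you need to root run this test as root\n"` should read `"TESTING ERROR: you need to run this test as root\n"`. The check itself matches the bare substring "root", which `sudo pwd` also prints whenever the working directory is under /root and `sudo ls` prints for any file so named, so it is weaker than matching the `whoami` output alone. The `--net=br0 --ip=10.10.20.5` arguments require a bridge named br0 that can carry that address to exist on the host, which is documented nowhere in the file and is presumably why this script (like seccomp-chown.exp) is not wired into filters.sh; a header comment such as `# requires root and a host bridge named br0 reachable at 10.10.20.5` would let the next person know what to set up.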