From ead4ec3089b97eda1b438da248caf76f169345ad Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 18 Nov 2017 08:39:02 -0500 Subject: netfilter template support --- Makefile.in | 7 +- README.md | 13 +++- RELNOTES | 1 + etc/tcpserver.net | 27 +++++++ src/firejail/netfilter.c | 13 +++- src/firejail/usage.c | 2 +- src/fnetfilter/main.c | 144 ++++++++++++++++++++++++++++++------ src/man/firejail.txt | 23 +++++- test/fnetfilter/cmdline.exp | 37 +++++++++ test/fnetfilter/copy.exp | 52 +++++++++++++ test/fnetfilter/default.exp | 40 ++++++++++ test/fnetfilter/fnetfilter.sh | 28 +++++++ test/fnetfilter/outlocked | 0 test/fnetfilter/template.exp | 82 ++++++++++++++++++++ test/fnetfilter/test1.net | 19 +++++ test/fnetfilter/test2.net | 19 +++++ test/fnetfilter/test3.net | 1 + test/network/netfilter-template.exp | 44 +++++++++++ test/network/network.sh | 6 ++ test/network/tcpserver.c | 108 +++++++++++++++++++++++++++ 20 files changed, 633 insertions(+), 33 deletions(-) create mode 100644 etc/tcpserver.net create mode 100755 test/fnetfilter/cmdline.exp create mode 100755 test/fnetfilter/copy.exp create mode 100755 test/fnetfilter/default.exp create mode 100755 test/fnetfilter/fnetfilter.sh create mode 100644 test/fnetfilter/outlocked create mode 100755 test/fnetfilter/template.exp create mode 100644 test/fnetfilter/test1.net create mode 100644 test/fnetfilter/test2.net create mode 100644 test/fnetfilter/test3.net create mode 100755 test/network/netfilter-template.exp create mode 100644 test/network/tcpserver.c diff --git a/Makefile.in b/Makefile.in index 9334d8608..d11d537bc 100644 --- a/Makefile.in +++ b/Makefile.in @@ -276,10 +276,13 @@ test-fs: test-fcopy: cd test/fcopy; ./fcopy.sh | grep TESTING -test: test-profiles test-private-lib test-fcopy test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments +test-fnetfilter: + cd test/fnetfilter; ./fnetfilter.sh | grep TESTING + +test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments echo "TEST COMPLETE" -test-travis: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-filters test-arguments +test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments echo "TEST COMPLETE" ########################################## diff --git a/README.md b/README.md index 643839b1d..30ba3c989 100644 --- a/README.md +++ b/README.md @@ -210,18 +210,27 @@ $ --debug-private-lib Debug messages for --private-lib option. + --netfilter=filename,arg1,arg2,arg3 ... + This is the template version of the previous command. $ARG1, + $ARG2, $ARG3 ... in the firewall script are replaced with arg1, + arg2, arg3 ... passed on the command line. Up to 16 arguments + are supported. Example: + + $ firejail --net=eth0 --ip=192.168.1.105 \ + --netfilter=/etc/firejail/tcpserver.net,5001 server-program + --netfilter.print=name|pid Print the firewall installed in the sandbox specified by name or PID. Example: - $ firejail --net=browser --net=eth0 --netfilter firefox & + $ firejail --name=browser --net=eth0 --netfilter firefox & $ firejail --netfilter.print=browser --netfilter6.print=name|pid Print the IPv6 firewall installed in the sandbox specified by name or PID. Example: - $ firejail --net=browser --net=eth0 --netfilter firefox & + $ firejail --name=browser --net=eth0 --netfilter firefox & $ firejail --netfilter6.print=browser ````` diff --git a/RELNOTES b/RELNOTES index 3c878520d..bf5397c22 100644 --- a/RELNOTES +++ b/RELNOTES @@ -27,6 +27,7 @@ firejail (0.9.51) baseline; urgency=low * feature: profile build tool (--build) * feature: --netfilter.print * feature: --netfilter6.print + * feature: netfilter template support * new profiles: upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles, https://github.com/nyancat18/fe, diff --git a/etc/tcpserver.net b/etc/tcpserver.net new file mode 100644 index 000000000..e60404e6b --- /dev/null +++ b/etc/tcpserver.net @@ -0,0 +1,27 @@ +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] + +################################################################### +# Simple tcp filter template. $ARG1 is the port number. +# +# Usage: $ARG1 in this template is replaced by 5001 from command line below +# +# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/tcpserver.net,5001 server-program +# +################################################################### + +# allow server traffic +-A INPUT -p tcp --dport $ARG1 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp --sport $ARG1 -m state --state ESTABLISHED -j ACCEPT + +# allow incoming ping +-A INPUT -p icmp --icmp-type echo-request -j ACCEPT +-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT + +# allow outgoing DNS +-A OUTPUT -p udp --dport 53 -j ACCEPT +-A INPUT -p udp --sport 53 -j ACCEPT + +COMMIT diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index e1d0edd01..dd4009a2e 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c @@ -24,7 +24,6 @@ #include #include - void check_netfilter_file(const char *fname) { EUID_ASSERT(); @@ -44,7 +43,6 @@ void check_netfilter_file(const char *fname) { free(tmp); } - void netfilter(const char *fname) { // find iptables command struct stat s; @@ -150,6 +148,16 @@ void netfilter_print(pid_t pid, int ipv6) { } free(comm); + // check privileges for non-root users + uid_t uid = getuid(); + if (uid != 0) { + uid_t sandbox_uid = pid_get_uid(pid); + if (uid != sandbox_uid) { + fprintf(stderr, "Error: permission is denied to join a sandbox created by a different user.\n"); + exit(1); + } + } + // check network namespace char *name; if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1) @@ -196,4 +204,3 @@ void netfilter_print(pid_t pid, int ipv6) { sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); } - diff --git a/src/firejail/usage.c b/src/firejail/usage.c index f1581e847..89ea4ccca 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -122,7 +122,7 @@ void usage(void) { printf(" --net=ethernet_interface - enable network namespaces and connect to this\n"); printf("\tEthernet interface.\n"); printf(" --net=none - enable a new, unconnected network namespace.\n"); - printf(" --netfilter[=filename] - enable firewall.\n"); + printf(" --netfilter[=filename,arg1,arg2,arg3 ...] - enable firewall.\n"); printf(" --netfilter.print=name|pid - print the firewall.\n"); printf(" --netfilter6=filename - enable IPv6 firewall.\n"); printf(" --netfilter6.print=name|pid - print the IPv6 firewall.\n"); diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 67ab31832..723c1ac32 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c @@ -20,8 +20,12 @@ #include "../include/common.h" #define MAXBUF 4098 +#define MAXARGS 16 +static char *args[MAXARGS] = {0}; +static int argcnt = 0; int arg_quiet = 0; + static char *default_filter = "*filter\n" ":INPUT DROP [0:0]\n" @@ -29,7 +33,7 @@ static char *default_filter = ":OUTPUT ACCEPT [0:0]\n" "-A INPUT -i lo -j ACCEPT\n" "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" -"# echo replay is handled by -m state RELATED/ESTABLISHED below\n" +"# echo replay is handled by -m state RELATED/ESTABLISHED above\n" "#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n" "-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n" "-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n" @@ -46,6 +50,111 @@ static void usage(void) { printf("\tfnetfilter netfilter-command destination-file\n"); } + +static void copy(const char *src, const char *dest) { + FILE *fp1 = fopen(src, "r"); + if (!fp1) { + fprintf(stderr, "Error fnetfilter: cannot open %s\n", src); + exit(1); + } + + FILE *fp2 = fopen(dest, "w"); + if (!fp2) { + fprintf(stderr, "Error fnetfilter: cannot open %s\n", dest); + exit(1); + } + + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp1)) + fprintf(fp2, "%s", buf); + + fclose(fp1); + fclose(fp2); +} + +static void process_template(char *src, const char *dest) { + char *arg_start = strchr(src, ','); + assert(arg_start); + *arg_start = '\0'; + arg_start++; + if (*arg_start == '\0') { + fprintf(stderr, "Error fnetfilter: you need to provide at least on argument\n"); + exit(1); + } + + // extract the arguments from command line + char *token = strtok(arg_start, ","); + while (token) { + // look for abnormal things + int len = strlen(token); + if (strcspn(token, "\\&!?\"'<>%^(){};,*[]") != (size_t)len) { + fprintf(stderr, "Error fnetfilter: invalid argument in netfilter command\n"); + exit(1); + } + args[argcnt] = token; + argcnt++; + token = strtok(NULL, ","); + } +#if 0 +{ +printf("argcnt %d\n", argcnt); +int i; +for (i = 0; i < argcnt; i++) + printf("%s\n", args[i]); +} +#endif + + // open the files + FILE *fp1 = fopen(src, "r"); + if (!fp1) { + fprintf(stderr, "Error fnetfilter: cannot open %s\n", src); + exit(1); + } + + FILE *fp2 = fopen(dest, "w"); + if (!fp2) { + fprintf(stderr, "Error fnetfilter: cannot open %s\n", dest); + exit(1); + } + + int line = 0; + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp1)) { + line++; + char *ptr = buf; + while (*ptr != '\0') { + if (*ptr != '$') + fputc(*ptr, fp2); + else { + // parsing + int index = 0; + int rv = sscanf(ptr, "$ARG%u", &index) ; + if (rv != 1) { + fprintf(stderr, "Error fnetfilter: invalid template argument on line %d\n", line); + exit(1); + } + + // print argument + if (index < 1 || index > argcnt) { + fprintf(stderr, "Error fnetfilter: $ARG%d on line %d was not defined\n", index, line); + exit(1); + } + fprintf(fp2, "%s", args[index - 1]); + + // march to the end of argument + ptr += 4; + while (isdigit(*ptr)) + ptr++; + ptr--; + } + ptr++; + } + } + + fclose(fp1); + fclose(fp2); +} + int main(int argc, char **argv) { #if 0 { @@ -61,7 +170,7 @@ printf("\n"); if (quiet && strcmp(quiet, "yes") == 0) arg_quiet = 1; - if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { + if (argc > 1 && (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0)) { usage(); return 0; } @@ -75,6 +184,12 @@ printf("\n"); char *command = (argc == 3)? argv[1]: NULL; //printf("command %s\n", command); //printf("destfile %s\n", destfile); + // destfile is a real filename + int len = strlen(destfile); + if (strcspn(destfile, "\\&!?\"'<>%^(){};,*[]") != (size_t)len) { + fprintf(stderr, "Error fnetfilter: invalid destination file in netfilter command\n"); + exit(1); + } // handle default config (command = NULL, destfile) if (command == NULL) { @@ -88,28 +203,11 @@ printf("\n"); fclose(fp); } else { - // copy the file - FILE *fp1 = fopen(command, "r"); - if (!fp1) { - fprintf(stderr, "Error fnetfilter: cannot open %s\n", command); - exit(1); - } - - FILE *fp2 = fopen(destfile, "w"); - if (!fp2) { - fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile); - exit(1); - } - - char buf[MAXBUF]; - while (fgets(buf, MAXBUF, fp1)) - fprintf(fp2, "%s", buf); - - fclose(fp1); - fclose(fp2); + if (strrchr(command, ',')) + process_template(command, destfile); + else + copy(command, destfile); } - -printf("fnetfilter running\n"); return 0; } diff --git a/src/man/firejail.txt b/src/man/firejail.txt index bf27c07ad..d9000fd5e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -937,13 +937,32 @@ is a desktop client firewall that disable access to local network. Example: $ firejail --netfilter=/etc/firejail/nolocal.net \\ .br --net=eth0 firefox + + + + +.TP +\fB\-\-netfilter=filename,arg1,arg2,arg3 ... +This is the template version of the previous command. $ARG1, $ARG2, $ARG3 ... in the firewall script +are replaced with arg1, arg2, arg3 ... passed on the command line. Up to 16 arguments are supported. +Example: +.br + +.br +$ firejail --net=eth0 --ip=192.168.1.105 \\ +.br +--netfilter=/etc/firejail/tcpserver.net,5001 server-program +.br + + + .TP \fB\-\-netfilter.print=name|pid Print the firewall installed in the sandbox specified by name or PID. Example: .br .br -$ firejail --net=browser --net=eth0 --netfilter firefox & +$ firejail --name=browser --net=eth0 --netfilter firefox & .br $ firejail --netfilter.print=browser @@ -959,7 +978,7 @@ Print the IPv6 firewall installed in the sandbox specified by name or PID. Examp .br .br -$ firejail --net=browser --net=eth0 --netfilter firefox & +$ firejail --name=browser --net=eth0 --netfilter firefox & .br $ firejail --netfilter6.print=browser diff --git a/test/fnetfilter/cmdline.exp b/test/fnetfilter/cmdline.exp new file mode 100755 index 000000000..1a0b1c5aa --- /dev/null +++ b/test/fnetfilter/cmdline.exp @@ -0,0 +1,37 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "fnetfilter\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Usage:" +} +after 100 + +send -- "fnetfilter -h\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Usage:" +} +after 100 + +send -- "fnetfilter -h a b c d\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Usage:" +} +after 100 + +send -- "fnetfilter a b c d\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Usage:" +} +after 100 +puts "\nall done\n" diff --git a/test/fnetfilter/copy.exp b/test/fnetfilter/copy.exp new file mode 100755 index 000000000..65145ec4b --- /dev/null +++ b/test/fnetfilter/copy.exp @@ -0,0 +1,52 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm outfile\r" +after 100 + +send -- "fnetfilter test1.net outfile\r" +after 100 + +send -- "cat outfile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "test1" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "*filter" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "INPUT -m state --state RELATED,ESTABLISHED" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "disable STUN" +} +after 100 + +send -- "fnetfilter foo outfile\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "cannot open foo" +} +after 100 + +send -- "fnetfilter test1.net outlocked\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "cannot open outlocked" +} +after 100 + +send -- "rm outfile\r" +after 100 + +puts "\nall done\n" diff --git a/test/fnetfilter/default.exp b/test/fnetfilter/default.exp new file mode 100755 index 000000000..d7c9d91d5 --- /dev/null +++ b/test/fnetfilter/default.exp @@ -0,0 +1,40 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm outfile\r" +after 100 + +send -- "fnetfilter outfile\r" +after 100 + +send -- "cat outfile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "*filter" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "INPUT -m state --state RELATED,ESTABLISHED" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "disable STUN" +} +after 100 + +send -- "fnetfilter test1.net,33\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "invalid destination file in netfilter command" +} +after 100 +send -- "rm outfile\r" +after 100 + +puts "\nall done\n" diff --git a/test/fnetfilter/fnetfilter.sh b/test/fnetfilter/fnetfilter.sh new file mode 100755 index 000000000..5fd08d186 --- /dev/null +++ b/test/fnetfilter/fnetfilter.sh @@ -0,0 +1,28 @@ +#!/bin/bash +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) + +if [ -f /etc/debian_version ]; then + libdir=$(dirname "$(dpkg -L firejail | grep fcopy)") + export PATH="$PATH:$libdir" +fi + +export PATH="$PATH:/usr/lib/firejail" + +echo "TESTING: fnetfilter cmdline (test/fnetfilter/cmdline.exp)" +./cmdline.exp + +echo "TESTING: fnetfilter default (test/fnetfilter/default.exp)" +./default.exp + +echo "TESTING: fnetfilter copy (test/fnetfilter/copy.exp)" +./copy.exp + +echo "TESTING: fnetfilter template (test/fnetfilter/template.exp)" +./template.exp + +rm -f outfile diff --git a/test/fnetfilter/outlocked b/test/fnetfilter/outlocked new file mode 100644 index 000000000..e69de29bb diff --git a/test/fnetfilter/template.exp b/test/fnetfilter/template.exp new file mode 100755 index 000000000..eb57313bd --- /dev/null +++ b/test/fnetfilter/template.exp @@ -0,0 +1,82 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "rm outfile\r" +after 100 + +send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request,3478,3479 outfile\r" +after 100 + +send -- "cat outfile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "*filter" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "INPUT -m state --state RELATED,ESTABLISHED" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "icmp-type echo-reply" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "icmp-type destination-unreachable" +} +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "icmp-type time-exceeded" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "icmp-type echo-request" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "dport 3478" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "dport 3479" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "dport 3478" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "dport 3479" +} +after 100 + +send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request outfile\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "ARG5 on line 14 was not defined" +} +after 100 + +send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "invalid destination file in netfilter command" +} +after 100 + +send -- "fnetfilter test3.net,44 outfile\r" +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "invalid template argument on line 1" +} +after 100 +send -- "rm outfile\r" +after 100 + +puts "\nall done\n" diff --git a/test/fnetfilter/test1.net b/test/fnetfilter/test1.net new file mode 100644 index 000000000..59bef1443 --- /dev/null +++ b/test/fnetfilter/test1.net @@ -0,0 +1,19 @@ +*filter +# test2 +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -i lo -j ACCEPT +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# echo replay is handled by -m state RELATED/ESTABLISHED above +#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT +-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT +-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT +-A INPUT -p icmp --icmp-type echo-request -j ACCEPT +# disable STUN +-A OUTPUT -p udp --dport 3478 -j DROP +-A OUTPUT -p udp --dport 3479 -j DROP +-A OUTPUT -p tcp --dport 3478 -j DROP +-A OUTPUT -p tcp --dport 3479 -j DROP +COMMIT + diff --git a/test/fnetfilter/test2.net b/test/fnetfilter/test2.net new file mode 100644 index 000000000..a02785413 --- /dev/null +++ b/test/fnetfilter/test2.net @@ -0,0 +1,19 @@ +*filter +# test2 +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -i lo -j ACCEPT +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# echo replay is handled by -m state RELATED/ESTABLISHED above +#-A INPUT -p icmp --$ARG1 echo-reply -j ACCEPT +-A INPUT -p icmp --$ARG1 $ARG2 -j ACCEPT +-A INPUT -p icmp --$ARG1 $ARG3 -j ACCEPT +-A INPUT -p icmp --$ARG1 $ARG4 -j ACCEPT +# disable STUN +-A OUTPUT -p udp --dport $ARG5 -j DROP +-A OUTPUT -p udp --dport $ARG6 -j DROP +-A OUTPUT -p tcp --dport $ARG5 -j DROP +-A OUTPUT -p tcp --dport $ARG6 -j DROP +COMMIT + diff --git a/test/fnetfilter/test3.net b/test/fnetfilter/test3.net new file mode 100644 index 000000000..702cb06b3 --- /dev/null +++ b/test/fnetfilter/test3.net @@ -0,0 +1 @@ +asdfasdf $ARG asdfasdfdasf diff --git a/test/network/netfilter-template.exp b/test/network/netfilter-template.exp new file mode 100755 index 000000000..637b32468 --- /dev/null +++ b/test/network/netfilter-template.exp @@ -0,0 +1,44 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2017 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --net=br1 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/tcpserver.net,5555 ./tcpserver 5555\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +spawn $env(SHELL) +send -- "telnet 10.10.30.10 5555\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Connected to 10.10.30.10" +} +sleep 1 + +send "sdfklsjadfl;ksadjfl;sdkfj\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "response" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Connection closed" +} +sleep 1 + +send -- "telnet 10.10.30.10 5556\r" +expect { + timeout {puts "OK\n"} + "Connected to 10.10.30.10" {puts "TESTING ERROR 6\n";exit} + "dikasdfjasdjf" +} + +after 100 +puts "all done\n" diff --git a/test/network/network.sh b/test/network/network.sh index 739644c8e..83a70f1e3 100755 --- a/test/network/network.sh +++ b/test/network/network.sh @@ -8,6 +8,12 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) sudo ./configure +echo "TESTING: netfilter template (netfilter-template.exp)" +rm -f ./tcpserver +gcc -o tcpserver tcpserver.c +./netfilter-template.exp +rm ./tcpserver + echo "TESTING: firemon interface (firemon-interfaces.exp)" sudo ./firemon-interfaces.exp diff --git a/test/network/tcpserver.c b/test/network/tcpserver.c new file mode 100644 index 000000000..b2395a4ad --- /dev/null +++ b/test/network/tcpserver.c @@ -0,0 +1,108 @@ +/* + * Copyright (C) 2014-2017 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include +#include +#include +#include +#include +#include + + +int main(int argc, char **argv) { + int fd, newfd, client_len; + struct sockaddr_in serv_addr, client_addr; + int n, pid; + + if (argc < 2) { + printf("Usage: ./server port-number\n"); + return 1; + } + int portno = atoi(argv[1]); + + // init socket + fd = socket(AF_INET, SOCK_STREAM, 0); + if (fd < 0) { + perror("ERROR opening socket"); + return 1; + } + + // Initialize socket structure + memset(&serv_addr, 0, sizeof(serv_addr)); + + serv_addr.sin_family = AF_INET; + serv_addr.sin_addr.s_addr = INADDR_ANY; + serv_addr.sin_port = htons(portno); + + // bind + if (bind(fd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) { + perror("bind"); + return 1; + } + + // listen - 5 pending conncections + if (listen(fd, 5) < 0) { + perror("listen"); + return 1; + } + client_len = sizeof(client_addr); + + while (1) { + newfd = accept(fd, (struct sockaddr *) &client_addr, &client_len); + + if (newfd < 0) { + perror("accept"); + return 1; + } + + /* Create child process */ + pid = fork(); + + if (pid < 0) { + perror("fork"); + return 1; + } + + if (pid == 0) { + // child + close(fd); +#define MAXBUF 4096 + char buf[MAXBUF]; + memset(buf, 0, MAXBUF); + + int rcv = read(newfd, buf, MAXBUF - 1); + if (rcv < 0) { + perror("read"); + exit(1); + } + + int sent = write(newfd, "response\n", 9); + if (sent < 9) { + perror("write"); + return 1; + } + + exit(0); + } + else + close(newfd); + } + + return 0; +} -- cgit v1.2.3-54-g00ecf