From eb8dfc1284f29afa76697f1f3e87b6374d1706fa Mon Sep 17 00:00:00 2001 From: smitsohu Date: Thu, 2 Mar 2023 17:34:07 +0100 Subject: restrict-namespaces testing --- test/filters/namespaces | Bin 17392 -> 17496 bytes test/filters/namespaces-32 | Bin 16104 -> 16180 bytes test/filters/namespaces-32.exp | 80 ++++++++++++++++++++++++++++++----------- test/filters/namespaces.c | 38 +++++++++++++++++--- test/filters/namespaces.exp | 80 ++++++++++++++++++++++++++++++----------- 5 files changed, 153 insertions(+), 45 deletions(-) diff --git a/test/filters/namespaces b/test/filters/namespaces index 721ba092e..6d36ae8e9 100755 Binary files a/test/filters/namespaces and b/test/filters/namespaces differ diff --git a/test/filters/namespaces-32 b/test/filters/namespaces-32 index 4df674d1b..a5ba488a4 100755 Binary files a/test/filters/namespaces-32 and b/test/filters/namespaces-32 differ diff --git a/test/filters/namespaces-32.exp b/test/filters/namespaces-32.exp index 3b618bd01..f2310db3b 100755 --- a/test/filters/namespaces-32.exp +++ b/test/filters/namespaces-32.exp @@ -20,7 +20,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "clone successful" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r" expect { @@ -31,7 +31,7 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r" expect { @@ -42,7 +42,7 @@ expect { timeout {puts "TESTING ERROR 5\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r" expect { 
@@ -53,9 +53,9 @@ expect { timeout {puts "TESTING ERROR 7\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup,user\r" expect { timeout {puts "TESTING ERROR 8\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -64,9 +64,9 @@ expect { timeout {puts "TESTING ERROR 9\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc,user\r" expect { timeout {puts "TESTING ERROR 10\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -75,9 +75,9 @@ expect { timeout {puts "TESTING ERROR 11\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,user,uts\r" expect { timeout {puts "TESTING ERROR 12\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -86,7 +86,7 @@ expect { timeout {puts "TESTING ERROR 13\n";exit} "clone successful" } -after 100 +after 200 # # unshare @@ -101,7 +101,7 @@ expect { timeout {puts "TESTING ERROR 15\n";exit} "unshare successful" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r" expect { @@ -112,7 +112,7 @@ expect { timeout {puts "TESTING ERROR 17\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r" expect { 
@@ -123,7 +123,7 @@ expect { timeout {puts "TESTING ERROR 19\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r" expect { @@ -134,9 +134,9 @@ expect { timeout {puts "TESTING ERROR 21\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup,user\r" expect { timeout {puts "TESTING ERROR 22\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -145,9 +145,9 @@ expect { timeout {puts "TESTING ERROR 23\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc,user\r" expect { timeout {puts "TESTING ERROR 24\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -156,9 +156,9 @@ expect { timeout {puts "TESTING ERROR 25\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,user,uts\r" expect { timeout {puts "TESTING ERROR 26\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" 
@@ -167,7 +167,47 @@ expect { timeout {puts "TESTING ERROR 27\n";exit} "unshare successful" } +after 200 -after 100 +# +# clone3 +# + +send -- "firejail --noprofile ./namespaces-32 clone3 cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 28\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 29\n";exit} + "Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"} + "clone3 successful" { + after 200 + + send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone3 user\r" + expect { + timeout {puts "TESTING ERROR 30\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" + } + expect { + timeout {puts "TESTING ERROR 31\n";exit} + "Error: clone3: Function not implemented" + } + after 200 + + # clone3 arguments are not checked + send -- "firejail --noprofile --restrict-namespaces=mnt ./namespaces-32 clone3 cgroup,ipc,net,pid,user,uts\r" + expect { + timeout {puts "TESTING ERROR 32\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" + } + expect { + timeout {puts "TESTING ERROR 33\n";exit} + "Error: clone3: Function not implemented" + } + } +} + +after 200 puts "\nall done\n" diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c index ecf0fdcd1..18ebc8faa 100644 --- a/test/filters/namespaces.c +++ b/test/filters/namespaces.c @@ -1,21 +1,29 @@ #define _GNU_SOURCE #include -#include +#include #include #include #include #include #include +#include #include +#include #ifndef CLONE_NEWTIME #define CLONE_NEWTIME 0x00000080 #endif +#include +#ifndef __NR_clone3 +#define __NR_clone3 435 +#endif + #define STACK_SIZE 1024 * 1024 + static int usage() { - fprintf(stderr, "Usage: namespaces [clone,unshare] [cgroup,ipc,mnt,net,pid,time,user,uts]\n"); + fprintf(stderr, "Usage: namespaces [clone,clone3,unshare] [cgroup,ipc,mnt,net,pid,time,user,uts]\n"); exit(1); } 
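Review bot: The comment `# clone3 arguments are not checked` in the new clone3 section does not say who skips the check, so the last case reads as a mistake: it restricts only `mnt`, requests every namespace except `mnt`, and still expects a failure. Judging by the expected `Function not implemented` text, the filter seems to refuse clone3 outright, since its flags arrive in a struct passed by pointer that a seccomp filter cannot read; I would spell that out, e.g. `# seccomp cannot inspect the clone_args struct, so any --restrict-namespaces list is expected to block clone3 as a whole (ENOSYS)`. The two nested expects (errors 31 and 33) would also report a filter regression faster with an explicit arm such as `"clone3 successful" {puts "TESTING ERROR 31 (clone3 not blocked)\n";exit}` instead of waiting for the timeout. The identical section added to test/filters/namespaces.exp needs the same two changes.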
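Review bot: The `#define __NR_clone3 435` fallback in the include block only covers the syscall number, while the clone3 branch added further down in this commit also needs `struct clone_args`. Kernel headers old enough to lack `__NR_clone3` most likely lack that struct as well, so the helper would still fail to build there; the include targets are not visible on this page, so I cannot confirm which header is meant to supply it. I would either drop the fallback or document its limits with a comment such as `/* fallback for headers that have struct clone_args but no __NR_clone3; 435 is the number on the architectures this test is built for */`, so the constant is not mistaken for a portable value.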
@@ -71,8 +79,11 @@ int main (int argc, char **argv) { usage(); int flags = ns_flags(argv[2]); - if (getuid() != 0) - flags |= CLONE_NEWUSER; + + if (getuid() != 0 && (flags & CLONE_NEWUSER) != CLONE_NEWUSER) { + fprintf(stderr, "Error: add \"user\" to namespaces list\n"); + exit(1); + } if (strcmp(argv[1], "clone") == 0) { void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, @@ -80,8 +91,25 @@ int main (int argc, char **argv) { if (stack == MAP_FAILED) die("mmap"); - if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0) + pid_t pid = clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL); + if (pid < 0) die("clone"); + waitpid(pid, NULL, 0); + } + else if (strcmp(argv[1], "clone3") == 0) { + struct clone_args args = { + .flags = flags, + .exit_signal = SIGCHLD, + }; + + pid_t pid = syscall(__NR_clone3, &args, sizeof(struct clone_args)); + if (pid < 0) + die("clone3"); + if (pid == 0) { + fprintf(stderr, "clone3 successful\n"); + exit(0); + } + waitpid(pid, NULL, 0); } else if (strcmp(argv[1], "unshare") == 0) { if (unshare(flags)) diff --git a/test/filters/namespaces.exp b/test/filters/namespaces.exp index 96e4a774a..394826de7 100755 --- a/test/filters/namespaces.exp +++ b/test/filters/namespaces.exp @@ -20,7 +20,7 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "clone successful" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r" expect { @@ -31,7 +31,7 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r" expect { @@ -42,7 +42,7 @@ expect { timeout {puts "TESTING ERROR 5\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r" expect { 
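Review bot: Both new `waitpid(pid, NULL, 0);` calls, in the clone branch and in the clone3 branch, throw away the child's exit status and their own return value, so the helper's exit code says nothing about what happened in the child. The expect scripts match on output, so this does not break the current tests, but I would collect the status, e.g. `int status; if (waitpid(pid, &status, 0) < 0) die("waitpid");`, and exit non-zero when the child did not exit cleanly. In the clone3 branch `.flags = flags` widens an `int` into the 64-bit flags field; that is harmless as long as `ns_flags()` never returns a value with the top bit set, which is not visible here, so a cast through an unsigned type would be the safer spelling. `main` starts and ends outside this hunk.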
@@ -53,9 +53,9 @@ expect { timeout {puts "TESTING ERROR 7\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup,user\r" expect { timeout {puts "TESTING ERROR 8\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -64,9 +64,9 @@ expect { timeout {puts "TESTING ERROR 9\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc,user\r" expect { timeout {puts "TESTING ERROR 10\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -75,9 +75,9 @@ expect { timeout {puts "TESTING ERROR 11\n";exit} "Error: clone: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,user,uts\r" expect { timeout {puts "TESTING ERROR 12\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -86,7 +86,7 @@ expect { timeout {puts "TESTING ERROR 13\n";exit} "clone successful" } -after 100 +after 200 # # unshare @@ -101,7 +101,7 @@ expect { timeout {puts "TESTING ERROR 15\n";exit} "unshare successful" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r" expect { @@ -112,7 +112,7 @@ expect { timeout {puts "TESTING ERROR 17\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r" expect { 
@@ -123,7 +123,7 @@ expect { timeout {puts "TESTING ERROR 19\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r" expect { @@ -134,9 +134,9 @@ expect { timeout {puts "TESTING ERROR 21\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup,user\r" expect { timeout {puts "TESTING ERROR 22\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -145,9 +145,9 @@ expect { timeout {puts "TESTING ERROR 23\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc,user\r" expect { timeout {puts "TESTING ERROR 24\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" @@ -156,9 +156,9 @@ expect { timeout {puts "TESTING ERROR 25\n";exit} "Error: unshare: Operation not permitted" } -after 100 +after 200 -send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r" +send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,user,uts\r" expect { timeout {puts "TESTING ERROR 26\n";exit} -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" 
@@ -167,7 +167,47 @@ expect { timeout {puts "TESTING ERROR 27\n";exit} "unshare successful" } +after 200 -after 100 +# +# clone3 +# + +send -- "firejail --noprofile ./namespaces clone3 cgroup,ipc,mnt,net,pid,user,uts\r" +expect { + timeout {puts "TESTING ERROR 28\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" +} +expect { + timeout {puts "TESTING ERROR 29\n";exit} + "Error: clone3: Function not implemented" {puts "OK, clone3 not available on this system\n"} + "clone3 successful" { + after 200 + + send -- "firejail --noprofile --restrict-namespaces ./namespaces clone3 user\r" + expect { + timeout {puts "TESTING ERROR 30\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" + } + expect { + timeout {puts "TESTING ERROR 31\n";exit} + "Error: clone3: Function not implemented" + } + after 200 + + # clone3 arguments are not checked + send -- "firejail --noprofile --restrict-namespaces=mnt ./namespaces clone3 cgroup,ipc,net,pid,user,uts\r" + expect { + timeout {puts "TESTING ERROR 32\n";exit} + -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" + } + expect { + timeout {puts "TESTING ERROR 33\n";exit} + "Error: clone3: Function not implemented" + } + } +} + +after 200 puts "\nall done\n" -- cgit v1.2.3-54-g00ecf