From fbcf885bcdcf71c6a9f88bed8ae38e686f5f7f21 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 1 Dec 2016 12:30:11 -0500
Subject: cleanup
---
 src/firejail/main.c | 291 ++++++++++++++++++-------------------------------
 src/firejail/profile.c | 102 +++++++++--------
 test/root/join.exp | 52 +++++++++
 test/root/root.sh | 6 +
 test/utils/join.exp | 15 ++-
 5 files changed, 233 insertions(+), 233 deletions(-)
 create mode 100755 test/root/join.exp
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 4ccbb6a86..aa855b7eb 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -250,10 +250,8 @@ static void check_network(Bridge *br) {
 #ifdef HAVE_USERNS
 void check_user_namespace(void) {
 EUID_ASSERT();
- if (getuid() == 0) {
- fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
- exit(1);
- }
+ if (getuid() == 0)
+ goto errout;
 // test user namespaces available in the kernel
 struct stat s1;
@@ -263,16 +261,27 @@ void check_user_namespace(void) {
 stat("/proc/self/uid_map", &s2) == 0 && stat("/proc/self/gid_map", &s3) == 0) arg_noroot = 1;
- else {
- if (!arg_quiet || arg_debug)
- fprintf(stderr, "Warning: user namespaces not available in the current kernel.\n");
- arg_noroot = 0;
- }
+ else
+ goto errout;
+
+ return;
+
+errout:
+ if (!arg_quiet || arg_debug)
+ fprintf(stderr, "Warning: noroot option is not available\n");
+ arg_noroot = 0;
+
 }
 #endif
-// exit commands
+static void exit_err_feature(const char *feature) {
+ fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
+ exit(1);
+}
+
+// run independent commands and exit program
+// this function handles command line options such as --version and --help
 static void run_cmd_and_exit(int i, int argc, char **argv) {
 EUID_ASSERT();
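Review bot: The new `errout` path in check_user_namespace fails open: when the sandbox is started as root, or the kernel lacks user namespaces, it now sets `arg_noroot = 0` and lets the sandbox continue without the user namespace that was requested, and under `--quiet` (without `--debug`) the only hint of that is suppressed. The root case used to be a hard `exit(1)` and is a policy refusal rather than a missing kernel feature, so it deserves at least its own message instead of "not available". If the relaxation is intentional, I would print the warning unconditionally so a profile author cannot miss it, e.g. `fprintf(stderr, "Warning: noroot option is not available, sandbox will run without a user namespace\n");` with the `if (!arg_quiet || arg_debug)` guard dropped. The `if (stat(` whose tail is shown at the top of the second hunk begins before it.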
@@ -298,21 +307,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) errExit("asprintf");
 EUID_ROOT();
- if (setreuid(0, 0) < 0)
- errExit("setreuid");
- if (setregid(0, 0) < 0)
- errExit("setregid");
+ if (setreuid(0, 0) < 0 ||
+ setregid(0, 0) < 0)
+ errExit("setreuid/setregid");
 errno = 0;
- int rv = remove_directory(path);
- if (rv) {
- fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno);
- exit(1);
- }
- }
- else {
- fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
- exit(1);
+ if (remove_directory(path))
+ errExit("remove_directory");
 }
+ else
+ exit_err_feature("overlayfs");
 exit(0);
 }
 #endif
@@ -322,30 +325,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 x11_start(argc, argv);
 exit(0);
 }
- else {
- fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("x11");
 }
 else if (strcmp(argv[i], "--x11=xpra") == 0) {
 if (checkcfg(CFG_X11)) {
 x11_start_xpra(argc, argv);
 exit(0);
 }
- else {
- fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("x11");
 }
 else if (strcmp(argv[i], "--x11=xephyr") == 0) {
 if (checkcfg(CFG_X11)) {
 x11_start_xephyr(argc, argv);
 exit(0);
 }
- else {
- fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("x11");
 }
 #endif
 #ifdef HAVE_NETWORK
@@ -406,10 +403,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 pid_t pid = read_pid(argv[i] + 12);
 bandwidth_pid(pid, cmd, dev, down, up);
 }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
 exit(0);
 }
 #endif
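Review bot: `remove_directory(path)` now runs with real and effective uid 0 after the merged `setreuid(0, 0)`/`setregid(0, 0)` check, on a path built from `cfg.homedir`, which the invoking user controls; whether remove_directory refuses to follow symlinks is not visible here, and if it does follow them a user could turn `~/.firejail` (or an entry inside it) into a symlink and have root unlink a tree elsewhere. A cheap guard before the delete is to verify the target is a real directory owned by the caller, e.g. `struct stat s; if (lstat(path, &s) != 0 || !S_ISDIR(s.st_mode) || s.st_uid != real_uid) errExit("lstat");` with `real_uid` taken from `getuid()` before `EUID_ROOT()`; that narrows but does not remove the race, so O_NOFOLLOW/openat handling inside remove_directory itself is the complete fix. Folding both calls into one `errExit("setreuid/setregid")` also loses which of the two failed, which matters when debugging a privilege problem. The `--overlay-clean` branch and run_cmd_and_exit both start before this hunk.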
@@ -422,20 +417,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); exit(rv); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strcmp(argv[i], "--debug-errnos") == 0) { if (checkcfg(CFG_SECCOMP)) { int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); exit(rv); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); exit(0); } else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { @@ -444,10 +435,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { pid_t pid = read_pid(argv[i] + 16); seccomp_print_filter(pid); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); exit(0); } else if (strcmp(argv[i], "--debug-protocols") == 0) { @@ -460,10 +449,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { pid_t pid = read_pid(argv[i] + 17); protocol_print_filter(pid); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); exit(0); } #endif @@ -530,10 +517,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { 2, PATH_FIREMON, "--netstats"); exit(0); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } #endif #ifdef HAVE_FILE_TRANSFER 
@@ -558,10 +543,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { sandboxfs(SANDBOX_FS_GET, pid, path, NULL); exit(0); } - else { - fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("file transfer"); } else if (strncmp(argv[i], "--put=", 6) == 0) { if (checkcfg(CFG_FILE_TRANSFER)) { @@ -590,10 +573,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); exit(0); } - else { - fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("file transfer"); } else if (strncmp(argv[i], "--ls=", 5) == 0) { if (checkcfg(CFG_FILE_TRANSFER)) { @@ -616,10 +597,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { sandboxfs(SANDBOX_FS_LS, pid, path, NULL); exit(0); } - else { - fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("file transfer"); } #endif else if (strncmp(argv[i], "--join=", 7) == 0) { @@ -685,11 +664,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { pid_t pid = read_pid(argv[i] + 15); join(pid, argc, argv, i + 1); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } - + else + exit_err_feature("networking"); exit(0); } #endif @@ -1117,10 +1093,8 @@ int main(int argc, char **argv) { errExit("strdup"); } } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strcmp(argv[i], "--seccomp") == 0) { if (checkcfg(CFG_SECCOMP)) { 
@@ -1130,10 +1104,8 @@ int main(int argc, char **argv) { } arg_seccomp = 1; } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strncmp(argv[i], "--seccomp=", 10) == 0) { if (checkcfg(CFG_SECCOMP)) { @@ -1144,10 +1116,8 @@ int main(int argc, char **argv) { arg_seccomp = 1; cfg.seccomp_list = seccomp_check_list(argv[i] + 10); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) { if (checkcfg(CFG_SECCOMP)) { @@ -1158,10 +1128,8 @@ int main(int argc, char **argv) { arg_seccomp = 1; cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) { if (checkcfg(CFG_SECCOMP)) { @@ -1172,10 +1140,8 @@ int main(int argc, char **argv) { arg_seccomp = 1; cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15); } - else { - fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("seccomp"); } #endif else if (strcmp(argv[i], "--caps") == 0) @@ -1274,10 +1240,8 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } - else { - fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("bind"); } #endif else if (strncmp(argv[i], "--tmpfs=", 8) == 0) { 
@@ -1315,10 +1279,8 @@ int main(int argc, char **argv) { profile_check_line(line, 0, NULL); // will exit if something wrong profile_add(line); } - else { - fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("whitelist"); } #endif @@ -1368,10 +1330,8 @@ int main(int argc, char **argv) { free(subdirname); } - else { - fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("overlayfs"); } else if (strncmp(argv[i], "--overlay-named=", 16) == 0) { if (checkcfg(CFG_OVERLAYFS)) { @@ -1402,11 +1362,8 @@ int main(int argc, char **argv) { } cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); } - else { - fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); - exit(1); - } - + else + exit_err_feature("overlayfs"); } else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { if (checkcfg(CFG_OVERLAYFS)) { @@ -1421,10 +1378,8 @@ int main(int argc, char **argv) { } arg_overlay = 1; } - else { - fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("overlayfs"); } #endif else if (strncmp(argv[i], "--profile=", 10) == 0) { @@ -1551,10 +1506,8 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("chroot"); } #endif else if (strcmp(argv[i], "--writable-etc") == 0) { @@ -1603,10 +1556,8 @@ int main(int argc, char **argv) { cfg.home_private_keep = argv[i] + 15; arg_private = 1; } - else { - fprintf(stderr, "Error: --private-home feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("private-home"); } #endif else if (strcmp(argv[i], "--private-dev") == 0) { 
@@ -1680,10 +1631,8 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--noroot") == 0) { if (checkcfg(CFG_USERNS)) check_user_namespace(); - else { - fprintf(stderr, "Error: --noroot feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("noroot"); } #endif else if (strcmp(argv[i], "--nonewprivs") == 0) { @@ -1758,10 +1707,8 @@ int main(int argc, char **argv) { } intf->configured = 1; } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--net=", 6) == 0) { @@ -1811,10 +1758,8 @@ int main(int argc, char **argv) { } net_configure_bridge(br, argv[i] + 6); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--veth-name=", 12) == 0) { @@ -1832,20 +1777,16 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strcmp(argv[i], "--scan") == 0) { if (checkcfg(CFG_NETWORK)) { arg_scan = 1; } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--iprange=", 10) == 0) { if (checkcfg(CFG_NETWORK)) { @@ -1885,10 +1826,8 @@ int main(int argc, char **argv) { return 1; } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--mac=", 6) == 0) { 
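Review bot: With check_user_namespace changed elsewhere in this commit to warn instead of exit, the `--noroot` branch at @@ -1680 now accepts an explicit `--noroot` from a root invocation and silently runs the sandbox without it; an option typed on the command line is a stronger signal than a profile line and should still fail loudly. Keeping the hard check here, before the call, preserves that contract without affecting profile files: `if (getuid() == 0) { fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n"); exit(1); }` followed by the existing `check_user_namespace();`. The option loop in main() begins before this hunk.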
@@ -1909,10 +1848,8 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--mtu=", 6) == 0) { @@ -1928,10 +1865,8 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--ip=", 5) == 0) { @@ -1956,10 +1891,8 @@ int main(int argc, char **argv) { } } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--ip6=", 6) == 0) { @@ -1982,10 +1915,8 @@ int main(int argc, char **argv) { // exit(1); // } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } @@ -1996,10 +1927,8 @@ int main(int argc, char **argv) { exit(1); } } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } #endif else if (strncmp(argv[i], "--dns=", 6) == 0) { @@ -2038,10 +1967,8 @@ int main(int argc, char **argv) { if (checkcfg(CFG_NETWORK)) { arg_netfilter = 1; } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--netfilter=", 12) == 0) { 
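Review bot: In the `--ip6=` hunk (@@ -1982) the context lines `// exit(1); // }` suggest that the address validation the `--ip=` branch performs has been commented out for IPv6, so the value after `--ip6=` appears to be stored without a check; this predates the commit, but since the hunk touches the branch it is a good moment to either restore the check or leave a comment stating why it is disabled, e.g. `// NOTE: IPv6 address validation intentionally disabled — see <reason>`. I cannot see the start of the commented block, so treat this as a question rather than a finding. The enclosing option loop begins before the hunk.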
@@ -2062,10 +1989,8 @@ int main(int argc, char **argv) { arg_netfilter_file = argv[i] + 12; check_netfilter_file(arg_netfilter_file); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { @@ -2074,10 +1999,8 @@ int main(int argc, char **argv) { arg_netfilter6_file = argv[i] + 13; check_netfilter_file(arg_netfilter6_file); } - else { - fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("networking"); } #endif //************************************* @@ -2184,10 +2107,8 @@ int main(int argc, char **argv) { else if (strcmp(argv[i], "--x11=xorg") == 0) { if (checkcfg(CFG_X11)) arg_x11_xorg = 1; - else { - fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); - exit(1); - } + else + exit_err_feature("x11"); } #endif else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2be6948f0..3697b54b9 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -63,6 +63,13 @@ int profile_find(const char *name, const char *dir) { // run-time profiles //*************************************************** +static void warning_feature_disabled(const char *feature) { + if (!arg_quiet) + fprintf(stderr, "Warning: %s feature is disabled in Firejail configuration file\n", feature); +} + + + // check profile line; if line == 0, this was generated from a command line option // return 1 if the command is to be added to the linked list of profile commands // return 0 if the command was already executed inside the function 
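Review bot: The new warning_feature_disabled helper in profile.c prints nothing when `arg_quiet` is set, and every call site it replaces then returns 0 and keeps building the sandbox without the restriction the profile asked for (seccomp, netfilter, private-home, network settings). That is a fail-open: a profile line requesting hardening that firejail.config disables is dropped with no trace under `--quiet`. Because the message is about a security restriction not being applied, I would let it bypass `--quiet`: `static void warning_feature_disabled(const char *feature) { fprintf(stderr, "Warning: %s feature is disabled in Firejail configuration file\n", feature); }`, or alternatively treat the line as an error the way the command-line path does with exit_err_feature. profile_check_line itself starts before this hunk.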
@@ -130,8 +137,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #if HAVE_USERNS if (checkcfg(CFG_USERNS)) check_user_namespace(); - else if (!arg_quiet) - fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("noroot"); #endif return 0; @@ -144,8 +151,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) arg_seccomp = 1; - else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("seccomp"); #endif return 0; } @@ -175,8 +182,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.home_private_keep = ptr + 13; arg_private = 1; } - else if (!arg_quiet) - fprintf(stderr, "Warning: private-home is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("private-home"); #endif return 0; } @@ -208,8 +215,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_NETWORK if (checkcfg(CFG_NETWORK)) arg_netfilter = 1; - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -222,8 +229,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { errExit("strdup"); check_netfilter_file(arg_netfilter_file); } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } 
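Review bot: The `noroot` hunk at @@ -130 sits under `#if HAVE_USERNS` while every other feature guard in this diff uses `#ifdef` (`#ifdef HAVE_SECCOMP` in the next hunk, `#ifdef HAVE_USERNS` in main.c); if the build ever defines HAVE_USERNS without a value, `#if` evaluates to 0 and a profile's `noroot` line becomes a silent no-op. Changing it to `#ifdef HAVE_USERNS` makes the guard consistent and removes that failure mode. profile_check_line begins before the hunk.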
@@ -236,8 +243,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { errExit("strdup"); check_netfilter_file(arg_netfilter6_file); } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -254,8 +261,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.interface2.configured = 0; cfg.interface3.configured = 0; } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -295,8 +302,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } net_configure_bridge(br, ptr + 4); } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -318,8 +325,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -363,8 +370,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -390,8 +397,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } 
@@ -410,8 +417,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -439,8 +446,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -467,8 +474,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -481,8 +488,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } } - else if (!arg_quiet) - fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); + else + warning_feature_disabled("networking"); #endif return 0; } @@ -508,8 +515,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (!cfg.protocol) errExit("strdup"); } - else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("seccomp"); #endif return 0; } @@ -531,7 +538,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.seccomp_list = seccomp_check_list(ptr + 8); } else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + warning_feature_disabled("seccomp"); #endif return 0; 
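Review bot: The `seccomp` hunk at @@ -531 keeps `else if (!arg_quiet)` in front of `warning_feature_disabled("seccomp");`, while the helper already checks `arg_quiet` and every other converted site in this diff uses a plain `else`; the double guard is harmless but reads as if the helper did not filter. For consistency replace the two lines with `else` / `warning_feature_disabled("seccomp");`. profile_check_line begins before the hunk.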
@@ -544,8 +551,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_seccomp = 1; cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); } - else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("seccomp"); #endif return 0; } @@ -557,8 +564,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_seccomp = 1; cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); } - else if (!arg_quiet) - fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); + else + warning_feature_disabled("seccomp"); #endif return 0; } @@ -676,6 +683,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(0); } } + else + warning_feature_disabled("x11"); #endif return 0; } @@ -684,10 +693,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_X11 if (checkcfg(CFG_X11)) arg_x11_xorg = 1; - else { - fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); - return 0; - } + else + warning_feature_disabled("x11"); #endif return 0; } @@ -705,6 +712,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(0); } } + else + warning_feature_disabled("x11"); #endif return 0; } @@ -723,6 +732,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(0); } } + else + warning_feature_disabled("x11"); #endif return 0; } @@ -795,13 +806,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { *(dname2 - 1) = ','; return 1; } - else if (!arg_quiet) { - fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n"); - return 0; - } -#else - return 0; + else + warning_feature_disabled("bind"); #endif + return 0; } // rlimit diff --git a/test/root/join.exp b/test/root/join.exp new file mode 100755 index 000000000..e4a4e87af --- /dev/null +++ b/test/root/join.exp 
@@ -0,0 +1,52 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +cd /home +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=jointesting --cpu=0 --nice=2\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --join=jointesting\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Switching to pid" +} +sleep 1 +send -- "ps aux\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "/bin/bash" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "/bin/bash" +} + +send -- "exit\r" +sleep 1 +send -- "firejail --join-network=jointesting\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +send -- "exit\r" +sleep 1 +send -- "firejail --join-filesystem=jointesting\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Child process initialized" +} + +after 100 + +puts "\nall done\n" diff --git a/test/root/root.sh b/test/root/root.sh index 371bccdff..9764b3804 100755 --- a/test/root/root.sh +++ b/test/root/root.sh @@ -56,6 +56,12 @@ echo "TESTING: fs private (test/root/private.exp)" echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)" ./whitelist.exp +#******************************** +# utils +#******************************** +echo "TESTING: join (test/root/join.exp)" +./join.exp + #******************************** # seccomp #******************************** diff --git a/test/utils/join.exp b/test/utils/join.exp index fc30bc6a4..79fe99f2d 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp 
@@ -32,7 +32,20 @@ expect { "/bin/bash" } -send -- "exit" +send -- "exit\r" +sleep 1 +send -- "firejail --join-network=jointesting\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "is only available to root user" +} +after 100 +send -- "firejail --join-filesystem=jointesting\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "is only available to root user" +} + after 100 puts "\nall done\n" -- cgit v1.2.3-54-g00ecf