From 1379851360349d6617ad32944a25ee5e2bb74fc2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 8 Aug 2015 19:12:30 -0400 Subject: Baseline firejail 0.9.28 --- src/tools/check-caps.sh | 46 ++++++++++++++ src/tools/extract_caps.c | 83 +++++++++++++++++++++++++ src/tools/extract_syscalls.c | 91 +++++++++++++++++++++++++++ src/tools/mkcoverit.sh | 45 ++++++++++++++ src/tools/rvtest.c | 144 +++++++++++++++++++++++++++++++++++++++++++ src/tools/ttytest.c | 36 +++++++++++ 6 files changed, 445 insertions(+) create mode 100755 src/tools/check-caps.sh create mode 100644 src/tools/extract_caps.c create mode 100644 src/tools/extract_syscalls.c create mode 100755 src/tools/mkcoverit.sh create mode 100644 src/tools/rvtest.c create mode 100644 src/tools/ttytest.c (limited to 'src/tools') diff --git a/src/tools/check-caps.sh b/src/tools/check-caps.sh new file mode 100755 index 000000000..13525677b --- /dev/null +++ b/src/tools/check-caps.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +if [ $# -eq 0 ] +then + echo "Usage: check-caps.sh program-and-arguments" + echo +fi + +set -x + +firejail --caps.drop=chown "$1" +firejail --caps.drop=dac_override "$1" +firejail --caps.drop=dac_read_search "$1" +firejail --caps.drop=fowner "$1" +firejail --caps.drop=fsetid "$1" +firejail --caps.drop=kill "$1" +firejail --caps.drop=setgid "$1" +firejail --caps.drop=setuid "$1" +firejail --caps.drop=setpcap "$1" +firejail --caps.drop=linux_immutable "$1" +firejail --caps.drop=net_bind_service "$1" +firejail --caps.drop=net_broadcast "$1" +firejail --caps.drop=net_admin "$1" +firejail --caps.drop=net_raw "$1" +firejail --caps.drop=ipc_lock "$1" +firejail --caps.drop=ipc_owner "$1" +firejail --caps.drop=sys_module "$1" +firejail --caps.drop=sys_rawio "$1" +firejail --caps.drop=sys_chroot "$1" +firejail --caps.drop=sys_ptrace "$1" +firejail --caps.drop=sys_pacct "$1" +firejail --caps.drop=sys_admin "$1" +firejail --caps.drop=sys_boot "$1" +firejail --caps.drop=sys_nice "$1" +firejail --caps.drop=sys_resource "$1" +firejail --caps.drop=sys_time "$1" +firejail --caps.drop=sys_tty_config "$1" +firejail --caps.drop=mknod "$1" +firejail --caps.drop=lease "$1" +firejail --caps.drop=audit_write "$1" +firejail --caps.drop=audit_control "$1" +firejail --caps.drop=setfcap "$1" +firejail --caps.drop=mac_override "$1" +firejail --caps.drop=mac_admin "$1" +firejail --caps.drop=syslog "$1" +firejail --caps.drop=wake_alarm "$1" diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c new file mode 100644 index 000000000..94a062ccb --- /dev/null +++ b/src/tools/extract_caps.c @@ -0,0 +1,83 @@ +/* + * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include +#include +#include +#include + +#define BUFMAX 4096 + +int main(int argc, char **argv) { + if (argc != 2) { + printf("usage: %s /usr/include/linux/capability.h\n", argv[0]); + return 1; + } + + //open file + FILE *fp = fopen(argv[1], "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open file\n"); + return 1; + } + + // read file + char buf[BUFMAX]; + while (fgets(buf, BUFMAX, fp)) { + // cleanup + char *start = buf; + while (*start == ' ' || *start == '\t') + start++; + char *end = strchr(start, '\n'); + if (end) + *end = '\0'; + + // parsing + if (strncmp(start, "#define CAP_", 12) == 0) { + if (strstr(start, "CAP_LAST_CAP")) + break; + + char *ptr1 = start + 8; + char *ptr2 = ptr1; + while (*ptr2 == ' ' || *ptr2 == '\t') + ptr2++; + while (*ptr2 != ' ' && *ptr2 != '\t') + ptr2++; + *ptr2 = '\0'; + + ptr2 = strdup(ptr1); + assert(ptr2); + ptr2 += 4; + char *ptr3 = ptr2; + while (*ptr3 != '\0') { + *ptr3 = tolower(*ptr3); + ptr3++; + } + + + printf("#ifdef %s\n", ptr1); + printf("\t{\"%s\", %s },\n", ptr2, ptr1); + printf("#endif\n"); + + } + + } + fclose(fp); + return 0; +} diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c new file mode 100644 index 000000000..0e064a49e --- /dev/null +++ b/src/tools/extract_syscalls.c @@ -0,0 +1,91 @@ +/* + * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include +#include 6 +#include + +#define BUFMAX 4096 + +int main(int argc, char **argv) { + if (argc != 2) { + printf("usage: %s /media/ubuntu/usr/include/x86_64-linux-gnu/bits/syscall.h\n", argv[0]); + return 1; + } + + //open file + FILE *fp = fopen(argv[1], "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open file\n"); + return 1; + } + + // read file + char buf[BUFMAX]; + while (fgets(buf, BUFMAX, fp)) { + // cleanup + char *start = buf; + while (*start == ' ' || *start == '\t') + start++; + char *end = strchr(start, '\n'); + if (end) + *end = '\0'; + + // parsing + if (strncmp(start, "#endif", 6) == 0) + printf("%s\n", start); + if (strncmp(start, "#endif", 6) == 0) + printf("%s\n", start); + else if (strncmp(start, "#if", 3) == 0) + printf("%s\n", start); + else if (strncmp(start, "#define", 7) == 0) { + // extract data + char *ptr1 = strstr(start, "SYS_"); + char *ptr2 = strstr(start, "__NR_"); + if (!ptr1 || !ptr2) { + fprintf(stderr, "Error: cannot parse \"%s\"\n", start); + fclose(fp); + return 1; + } + *(ptr2 - 1) = '\0'; + + char *ptr3 = ptr1; + while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0') + ptr3++; + *ptr3 = '\0'; + ptr3 = ptr2; + while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0') + ptr3++; + *ptr3 = '\0'; + + ptr3 = ptr1; + while (*ptr3 != '_') + ptr3++; + ptr3++; + + printf("#ifdef %s\n", ptr1); + printf("#ifdef %s\n", ptr2); + printf("\t{\"%s\", %s},\n", ptr3, ptr2); + printf("#endif\n"); + printf("#endif\n"); + } + } + fclose(fp); + return 0; +} diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh new file mode 100755 index 000000000..4af84a7a1 --- /dev/null +++ b/src/tools/mkcoverit.sh @@ -0,0 +1,45 @@ +#!/bin/bash + +# unpack firejail archive +ARCFIREJAIL=`ls *.tar.bz2| grep firejail` +if [ "$?" -eq 0 ]; +then + echo "preparing $ARCFIREJAIL" + DIRFIREJAIL=`basename $ARCFIREJAIL .tar.bz2` + rm -fr $DIRFIREJAIL + tar -xjvf $ARCFIREJAIL + cd $DIRFIREJAIL + ./configure --prefix=/usr + cd .. +else + echo "Error: firejail source archive missing" + exit 1 +fi + + +# unpack firetools archive +ARCFIRETOOLS=`ls *.tar.bz2 | grep firetools` +if [ "$?" -eq 0 ]; +then + echo "preparing $ARCFIRETOOLS" + DIRFIRETOOLS=`basename $ARCFIRETOOLS .tar.bz2` + rm -fr $DIRFIRETOOLS + tar -xjvf $ARCFIRETOOLS + cd $DIRFIRETOOLS + pwd + ./configure --prefix=/usr + cd .. + +else + echo "Error: firetools source archive missing" + exit 1 +fi + +# move firetools in firejail source tree +mkdir -p $DIRFIREJAIL/extras +mv $DIRFIRETOOLS $DIRFIREJAIL/extras/firetools + +# build +cd $DIRFIREJAIL +cov-build --dir cov-int make -j 4 extras +tar czvf myproject.tgz cov-int diff --git a/src/tools/rvtest.c b/src/tools/rvtest.c new file mode 100644 index 000000000..95050e671 --- /dev/null +++ b/src/tools/rvtest.c @@ -0,0 +1,144 @@ +/* + * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ + +// run it as "rvtest 2>/dev/null | grep TESTING" + +#include +#include +#include +#include +#include +#include + +#define MAXBUF 1024 // line buffer +#define TIMEOUT 30 // timeout time in seconds + +static pid_t pid; +static void catch_alarm(int sig) { + kill(pid, SIGTERM); + sleep(1); + kill(pid, SIGKILL); + printf("TESTING ERROR: SIGALARM triggered\n"); + exit(1); +} + +static void usage(void) { + printf("Usage: rvtest testfile\n"); + printf("\n"); + printf("Testfile format:\n"); + printf("\tretval command\n"); + printf("\n"); + printf("Testfile example:\n"); + printf("\n"); + printf("0 firejail --net=none exit\n"); + printf("1 firejail --private=/etc sleep 1\n"); + printf("1 firejail --blablabla\n"); +} + +int main(int argc, char **argv) { + if (argc != 2) { + fprintf(stderr, "Error: test file missing\n"); + usage(); + return 1; + } + + signal (SIGALRM, catch_alarm); + + // open test file + char *fname = argv[1]; + FILE *fp = fopen(fname, "r"); + + // read test file + char buf[MAXBUF]; + int line = 0; + while (fgets(buf, MAXBUF, fp)) { + line++; + // skip blanks + char *start = buf; + while (*start == ' ' || *start == '\t') + start++; + // remove '\n' + char *ptr = strchr(start, '\n'); + if (ptr) + *ptr ='\0'; + if (*start == '\0') + continue; + + // skip comments + if (*start == '#') + continue; + ptr = strchr(start, '#'); + if (ptr) + *ptr = '\0'; + + // extract exit status + int status; + int rv = sscanf(start, "%d\n", &status); + if (rv != 1) { + fprintf(stderr, "Error: invalid line %d in %s\n", line, fname); + exit(1); + } + + // extract command + char *cmd = strchr(start, ' '); + if (!cmd) { + fprintf(stderr, "Error: invalid line %d in %s\n", line, fname); + exit(1); + } + + // execute command + printf("TESTING %s\n", cmd); + fflush(0); + pid = fork(); + if (pid == -1) { + perror("fork"); + exit(1); + } + + // child + if (pid == 0) { + char *earg[50]; + earg[0] = "/bin/bash"; + earg[1] = "-c"; + earg[2] = cmd; + earg[3] = NULL; + execvp(earg[0], earg); + } + // parent + else { + int exit_status; + + alarm(TIMEOUT); + pid = waitpid(pid, &exit_status, 0); + if (pid == -1) { + perror("waitpid"); + exit(1); + } + + if (WEXITSTATUS(exit_status) != status) + printf("ERROR TESTING: %s\n", cmd); + } + + fflush(0); + } + fclose(fp); + + return 0; +} \ No newline at end of file diff --git a/src/tools/ttytest.c b/src/tools/ttytest.c new file mode 100644 index 000000000..a449bf9ba --- /dev/null +++ b/src/tools/ttytest.c @@ -0,0 +1,36 @@ +#define _XOPEN_SOURCE 600 +#include +#include +#include +#include + +int main(void) { + int fdm; + int rc; + + // initial + system("ls -l /dev/pts"); + + fdm = posix_openpt(O_RDWR); + if (fdm < 0) { + perror("posix_openpt"); + return 1; + } + + rc = grantpt(fdm); + if (rc != 0) { + perror("grantpt"); + return 1; + } + + rc = unlockpt(fdm); + if (rc != 0) { + perror("unlockpt"); + return 1; + } + + // final + system("ls -l /dev/pts"); + + return 0; +} -- cgit v1.2.3-54-g00ecf