From b69074fa495a237aba30e0f43f28c4086df04e04 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 8 Mar 2021 15:39:03 -0500
Subject: more jailtest
---
 src/jailtest/jailtest.h | 4 +++
 src/jailtest/main.c | 29 ++++++++++++++--
 src/jailtest/sysfiles.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 119 insertions(+), 2 deletions(-)
 create mode 100644 src/jailtest/sysfiles.c
(limited to 'src')
diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h
index 10174cc9a..0c4883061 100644
--- a/src/jailtest/jailtest.h
+++ b/src/jailtest/jailtest.h
@@ -38,6 +38,10 @@ void access_destroy(void);
 void noexec_setup(void);
 void noexec_test(const char *msg);
 
+// sysfiles.c
+void sysfiles_setup(const char *file);
+void sysfiles_test(void);
+
 // virtual.c
 void virtual_setup(const char *directory);
 void virtual_destroy(void);
diff --git a/src/jailtest/main.c b/src/jailtest/main.c
index 850277bc5..3369dca39 100644
--- a/src/jailtest/main.c
+++ b/src/jailtest/main.c
@@ -114,8 +114,32 @@ int main(int argc, char **argv) {
 virtual_setup("/bin");
 virtual_setup("/usr/share");
 virtual_setup(user_run_dir);
-
-
+ // basic sysfiles
+ sysfiles_setup("/etc/shadow");
+ sysfiles_setup("/etc/gshadow");
+ sysfiles_setup("/usr/bin/mount");
+ sysfiles_setup("/usr/bin/su");
+ sysfiles_setup("/usr/bin/ksu");
+ sysfiles_setup("/usr/bin/sudo");
+ sysfiles_setup("/usr/bin/strace");
+ // X11
+ sysfiles_setup("/usr/bin/xev");
+ sysfiles_setup("/usr/bin/xinput");
+ // compilers
+ sysfiles_setup("/usr/bin/gcc");
+ sysfiles_setup("/usr/bin/clang");
+ // networking
+ sysfiles_setup("/usr/bin/dig");
+ sysfiles_setup("/usr/bin/nslookup");
+ sysfiles_setup("/usr/bin/resolvectl");
+ sysfiles_setup("/usr/bin/nc");
+ sysfiles_setup("/usr/bin/ncat");
+ sysfiles_setup("/usr/bin/nmap");
+ sysfiles_setup("/usr/sbin/tcpdump");
+ // terminals
+ sysfiles_setup("/usr/bin/gnome-terminal");
+ sysfiles_setup("/usr/bin/xfce4-terminal");
+ sysfiles_setup("/usr/bin/lxterminal");
 
 // print processes
 pid_read(0);
@@ -145,6 +169,7 @@ int main(int argc, char **argv) {
 noexec_test("/var/tmp");
 noexec_test(user_run_dir);
 access_test();
+ sysfiles_test();
 }
 else {
 printf(" Error: I cannot join the process mount space\n");
diff --git a/src/jailtest/sysfiles.c b/src/jailtest/sysfiles.c
new file mode 100644
index 000000000..7e4709453
--- /dev/null
+++ b/src/jailtest/sysfiles.c
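Review bot: Every path registered in the first hunk is hard-coded under `/usr/bin` or `/usr/sbin`, and `sysfiles_setup` in sysfiles.c returns silently when `access(file, F_OK)` fails, so on a system without a merged `/usr` (where `su` or `mount` may live in `/bin`) those probes are dropped without any message and the run looks clean for files that were never tested. Registering the alternate location alongside each entry, e.g. `sysfiles_setup("/bin/su");` next to the `/usr/bin/su` line, or having `sysfiles_setup` print a short note when it skips a missing file, would make the actual coverage visible. main()'s body starts before and ends after both hunks.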
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include
+#include
+
+typedef struct {
+ char *tfile;
+} TestFile;
+
+#define MAX_TEST_FILES 32
+TestFile tf[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void sysfiles_setup(const char *file) {
+ // I am root!
+ assert(file);
+
+ if (files_cnt >= MAX_TEST_FILES) {
+ fprintf(stderr, "Error: maximum number of system test files exceded\n");
+ exit(1);
+ }
+
+ if (access(file, F_OK)) {
+ // no such file
+ return;
+ }
+
+
+ char *fname = strdup(file);
+ if (!fname)
+ errExit("strdup");
+
+ tf[files_cnt].tfile = fname;
+ files_cnt++;
+}
+
+void sysfiles_test(void) {
+ // I am root in sandbox mount namespace
+ assert(user_uid);
+ int i;
+
+ pid_t child = fork();
+ if (child == -1)
+ errExit("fork");
+
+ if (child == 0) { // child
+ // drop privileges
+ if (setgid(user_gid) != 0)
+ errExit("setgid");
+ if (setuid(user_uid) != 0)
+ errExit("setuid");
+
+ for (i = 0; i < files_cnt; i++) {
+ assert(tf[i].tfile);
+
+ // try to open the file for reading
+ FILE *fp = fopen(tf[i].tfile, "r");
+ if (fp) {
+
+ printf(" Warning: I can access %s\n", tf[i].tfile);
+ fclose(fp);
+ }
+ }
+ exit(0);
+ }
+
+ // wait for the child to finish
+ int status;
+ wait(&status);
+}
-- cgit v1.2.3-54-g00ecf
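Review bot: In `sysfiles_test` the child drops privileges with `setgid(user_gid)` and `setuid(user_uid)` only, and neither call changes the supplementary group list, so the probe runs with whatever groups the root jailtest process inherited rather than with the sandboxed user's groups; a file readable only through a group (e.g. one that grants `/etc/shadow` access) could then be reported or missed incorrectly. Reset the list before `setgid`, with `setgroups(0, NULL)` from `<grp.h>` or `initgroups()` for the user — whichever matches the group set the sandbox actually gives the process — and treat failure like the other drops: `if (setgroups(0, NULL) != 0) errExit("setgroups");`. The parent also discards the return value of `wait(&status)` and never inspects `status`, so a child that died in `errExit` leaves no trace in the output; `if (waitpid(child, &status, 0) == -1) errExit("waitpid");` followed by a warning when `!WIFEXITED(status) || WEXITSTATUS(status) != 0` keeps that visible. Lastly, `tf` is file-scope but not `static`, unlike `files_cnt` beside it; `static TestFile tf[MAX_TEST_FILES];` keeps it out of the global namespace.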