From 27c4d069f322fbeca07c88e0e96208233103a5db Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 28 Feb 2023 09:51:26 -0500
Subject: chroot testing

---
 test/chroot/chroot.sh | 5 ++++
 test/chroot/configure | 2 +-
 test/chroot/fs_chroot.exp | 48 +++++++++++++++++++++-----------------
 test/chroot/fs_chroot_disabled.exp | 17 ++++++++++++++
 test/chroot/unchroot-as-root.exp | 2 +-
 5 files changed, 51 insertions(+), 23 deletions(-)
 create mode 100755 test/chroot/fs_chroot_disabled.exp
(limited to 'test/chroot')
diff --git a/test/chroot/chroot.sh b/test/chroot/chroot.sh
index 840f162cc..a1fb3ee38 100755
--- a/test/chroot/chroot.sh
+++ b/test/chroot/chroot.sh
@@ -11,6 +11,11 @@ rm -f unchroot
 gcc -o unchroot unchroot.c
 sudo ./configure
+echo "TESTING: chroot disabled (test/chroot/fs_chroot_disabled.exp)"
+./fs_chroot_disabled.exp
+
+sudo sed -i s/"# chroot no"/"chroot yes"/g /etc/firejail/firejail.config
+
 echo "TESTING: chroot (test/chroot/fs_chroot.exp)"
 ./fs_chroot.exp
diff --git a/test/chroot/configure b/test/chroot/configure
index a817f6566..af511f9c7 100755
--- a/test/chroot/configure
+++ b/test/chroot/configure
@@ -8,7 +8,7 @@ ROOTDIR="/tmp/chroot" # default chroot directory
 DEFAULT_FILES="/bin/bash /bin/sh " # basic chroot files
 DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
 DEFAULT_FILES+=`find /lib -name libnss*` # files required by glibc
-DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
+DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /usr/bin/touch /bin/grep"
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc,sys}
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp
index 545de0c66..eb1349112 100755
--- a/test/chroot/fs_chroot.exp
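Review bot: The added `sudo sed -i s/"# chroot no"/"chroot yes"/g /etc/firejail/firejail.config` rewrites the system-wide configuration in place and nothing in the hunk restores it, so each run leaves chroot enabled on the host (it ships disabled because it is a privileged feature), and on the next run `./fs_chroot_disabled.exp` no longer exercises the disabled path because the gate is already open. The sed is also silent when the file has `chroot no` uncommented or spaced differently, in which case the following `./fs_chroot.exp` fails with an unrelated timeout. I would snapshot and restore the file around the test, `cfg=/etc/firejail/firejail.config`, `sudo cp -- "$cfg" "$cfg.orig"`, `trap 'sudo mv -- "$cfg.orig" "$cfg"' EXIT`, and confirm the edit took with `grep -q '^chroot yes' "$cfg"` before running the enabled test. The rest of chroot.sh is outside the hunk.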
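Review bot: The new `DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /usr/bin/touch /bin/grep"` line hard-codes `/bin/netstat` and `/bin/ping`, which are absent on hosts without net-tools or iputils, and the hunk does not check that each listed path exists, so a missing tool surfaces later as an unexplained expect timeout instead of at configure time. fs_chroot.exp now relies on `/bin/ping` being inside the chroot (it expects `Operation not permitted`, not a missing file), which makes that check worth having. I would add, after the assignments, `for f in $DEFAULT_FILES; do [ -e "$f" ] || echo "configure: missing $f" >&2; done`. The copy step that consumes DEFAULT_FILES is outside the hunk, so I cannot confirm whether it already reports missing files.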
+++ b/test/chroot/fs_chroot.exp
@@ -10,55 +10,61 @@ match_max 100000
 send -- "firejail --chroot=/tmp/chroot\r"
 expect {
 timeout {puts "TESTING ERROR 0\n";exit}
- "Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
 -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "chroot available\n"};
 }
 sleep 1
-send -- "cd /home;pwd\r"
+send -- "pwd\r"
 expect {
- timeout {puts "TESTING ERROR 0.1\n";exit}
- "home"
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "/home"
 }
-sleep 1
-send -- "bash\r"
-sleep 1
+after 100
 send -- "ls /\r"
 expect {
- timeout {puts "TESTING ERROR 0.2\n";exit}
+ timeout {puts "TESTING ERROR 2\n";exit}
 "this-is-my-chroot"
 }
 after 100
 send -- "ps aux\r"
 expect {
- timeout {puts "TESTING ERROR 1\n";exit}
+ timeout {puts "TESTING ERROR 3\n";exit}
 "/bin/bash"
 }
 expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "bash"
-}
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
+ timeout {puts "TESTING ERROR 4\n";exit}
 "ps aux"
 }
 after 100
-send -- "ps aux | wc -l; pwd\r"
+# check /sys directory
+send -- "ls /sys\r"
 expect {
 timeout {puts "TESTING ERROR 5\n";exit}
- "6"
+ "block"
 }
-after 100
-
- # check /sys directory
-send -- "ls /sys\r"
 expect {
 timeout {puts "TESTING ERROR 6\n";exit}
- "block"
+ "class"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "dev"
 }
 after 100
+# check /bin directory
+send -- "ls /bin/find\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "No such file or directory"
+}
+after 100
+send -- "/bin/ping 1.1.1.1\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "Operation not permitted"
+}
 puts "all done\n"
diff --git a/test/chroot/fs_chroot_disabled.exp b/test/chroot/fs_chroot_disabled.exp
new file mode 100755
index 000000000..e6cfe85f3
--- /dev/null
+++ b/test/chroot/fs_chroot_disabled.exp
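Review bot: The new `send -- "/bin/ping 1.1.1.1\r"` check targets an external third-party host and runs ping without a count, so if the raw-socket permission drop ever regresses the test emits real network traffic and leaves a ping running in the spawned shell until the expect times out. Pointing it at loopback and bounding it, `send -- "/bin/ping -c 1 127.0.0.1\r"`, keeps the `Operation not permitted` assertion while removing the dependency on outbound connectivity. The added `"dev"` pattern in the `ls /sys` check also matches the substring of `devices`, so it adds little beyond `"block"` and `"class"`; an entry that is not a prefix of another, such as `"kernel"`, would be a stronger third check. The script header before line 10 is outside the hunk.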
@@ -0,0 +1,17 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --chroot=/tmp/chroot\r"
+expect { timeout {puts "TESTING ERROR 0\n";exit} "feature is disabled"
+}
+sleep 1
+
+puts "all done\n"
diff --git a/test/chroot/unchroot-as-root.exp b/test/chroot/unchroot-as-root.exp
index eccb400c0..7614ed406 100755
--- a/test/chroot/unchroot-as-root.exp
+++ b/test/chroot/unchroot-as-root.exp
@@ -22,7 +22,7 @@ after 100
 send -- "./unchroot\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
- "Bad system call"
+ "Operation not permitted"
 }
 after 100
-- 
cgit v1.2.3-54-g00ecf
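Review bot: The new file does not state its precondition: it only passes while `chroot no` is in effect in /etc/firejail/firejail.config (the default), and chroot.sh flips that setting immediately after running it, so on its own after an earlier chroot.sh run it prints `TESTING ERROR 0` although the feature gate is working. I would add a comment after the license header, `# Precondition: "chroot no" in /etc/firejail/firejail.config (the default); chroot.sh runs this before enabling chroot for fs_chroot.exp.` The `timeout {puts "TESTING ERROR 0\n";exit}` branch also exits with status 0, like the other tests in this directory, so a caller reading the exit code cannot tell pass from fail; that is an existing convention rather than something this file introduces.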
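Review bot: `"Operation not permitted"` is the generic EPERM text, so the updated expectation passes whenever `./unchroot` fails with EPERM for any reason, not only the one this test is meant to pin; the old `Bad system call` was specific to a seccomp kill. If unchroot.c prints which step failed (it is not in this diff, so I cannot confirm), matching that message alongside the errno text, or additionally checking that no escape is reported afterwards, would keep the test from passing for the wrong reason. The expect block is fully inside the hunk; the rest of the script is not.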