From a1272742cfbdbfe999a701f804b58ceb4605713d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 30 Apr 2016 07:27:31 -0400 Subject: added make test-filters
---
 test/filters/caps.exp | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100755 test/filters/caps.exp (limited to 'test/filters/caps.exp')
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
new file mode 100755
index 000000000..034d6a733
--- /dev/null
+++ b/test/filters/caps.exp
@@ -0,0 +1,72 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "CapBnd: 0000000000000009"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "CapBnd: 0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "fffffff0"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+puts "\nall done\n"
-- cgit v1.2.3-70-g09d2
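Review bot: Every timeout handler in this new script, e.g. `timeout {puts "TESTING ERROR 1\n";exit}`, leaves expect with status 0, so a check that times out is reported only as text and the `make test-filters` target named in the subject cannot tell a failed run from a passing one. Writing the handlers as `timeout {puts "TESTING ERROR 1\n";exit 1}` would make the failure visible to whatever invokes the script. The same handler form is used by every other expect script on this page, so the fix applies there as well.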
From 8fdede5811ad03ccb6261fc992fcf11b4a06a3b3 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Mon, 22 Aug 2016 11:31:08 -0400 Subject: testing --- test/arguments/readme | 2 +- test/filters/caps.exp | 2 +- test/filters/noroot.exp | 1 + test/filters/protocol.exp | 2 +- test/filters/seccomp-bad-empty.exp | 2 +- test/filters/seccomp-chmod-profile.exp | 2 +- test/filters/seccomp-chmod.exp | 2 +- test/filters/seccomp-chown.exp | 4 ++-- test/filters/seccomp-dualfilter.exp | 1 + test/filters/seccomp-empty.exp | 1 + test/filters/seccomp-errno.exp | 2 +- test/filters/seccomp-ptrace.exp | 2 +- test/filters/seccomp-su.exp | 2 +- test/filters/seccomp-umount.exp | 2 +- test/fs/fs_dev_shm.exp | 2 +- test/fs/fs_var_lock.exp | 2 +- test/fs/fs_var_tmp.exp | 2 +- test/fs/option_bind_user.exp | 2 +- test/fs/option_blacklist.exp | 2 +- test/fs/option_blacklist_file.exp | 2 +- test/fs/option_blacklist_glob.exp | 1 + test/fs/private-bin.exp | 2 +- test/fs/private-etc-empty.exp | 1 + test/fs/private-etc.exp | 2 +- test/fs/private.exp | 2 +- test/fs/whitelist-double.exp | 2 +- test/fs/whitelist-empty.exp | 1 + test/network/4bridges_arp.exp | 3 ++- test/network/4bridges_ip.exp | 3 ++- test/network/bandwidth.exp | 2 +- test/network/hostname.exp | 3 ++- test/network/ip6.exp | 2 ++ test/network/net_badip.exp | 2 +- test/network/net_defaultgw.exp | 3 ++- test/network/net_defaultgw2.exp | 3 ++- test/network/net_defaultgw3.exp | 3 ++- test/network/net_interface.exp | 2 ++ test/network/net_ip.exp | 3 ++- test/network/net_local.exp | 2 ++ test/network/net_mac.exp | 3 ++- test/network/net_macvlan.exp | 2 ++ test/network/net_mtu.exp | 2 ++ test/network/net_noip.exp | 1 + test/network/net_noip2.exp | 1 + test/network/net_none.exp | 3 ++- test/network/net_profile.exp | 3 ++- test/profiles/ignore.exp | 2 +- test/profiles/profile_followlnk.exp | 3 ++- test/profiles/profile_noperm.exp | 2 +- test/profiles/profile_readonly.exp | 4 ++-- test/profiles/profile_syntax.exp | 2 +- test/profiles/profile_syntax2.exp | 4 ++-- test/utils/caps-print.exp | 2 +- test/utils/cpu-print.exp | 
2 +- test/utils/dns-print.exp | 2 +- test/utils/fs-print.exp | 2 +- test/utils/join-profile.exp | 2 +- test/utils/join.exp | 2 +- test/utils/join2.exp | 2 +- test/utils/join3.exp | 2 +- test/utils/ls.exp | 2 +- test/utils/protocol-print.exp | 2 +- test/utils/seccomp-print.exp | 2 +- test/utils/shutdown2.exp | 2 +- test/utils/shutdown3.exp | 2 +- test/utils/shutdown4.exp | 2 +- test/utils/trace.exp | 1 + 67 files changed, 86 insertions(+), 56 deletions(-) (limited to 'test/filters/caps.exp') diff --git a/test/arguments/readme b/test/arguments/readme index f5844848e..c28461478 100644 --- a/test/arguments/readme +++ b/test/arguments/readme @@ -5,5 +5,5 @@ Run "make && sudo make install" to install it. Run "make test" to run the tests. -Run "make uninstall" to remove the test program. +Run "sudo make uninstall" to remove the test program. diff --git a/test/filters/caps.exp b/test/filters/caps.exp index 034d6a733..7f7cf7dd1 100755 --- a/test/filters/caps.exp +++ b/test/filters/caps.exp @@ -66,7 +66,7 @@ expect { "Seccomp:" } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp index 1e08cee12..2a7cb7975 100755 --- a/test/filters/noroot.exp +++ b/test/filters/noroot.exp @@ -156,4 +156,5 @@ expect { timeout {puts "TESTING ERROR 24\n";exit} "3" } +after 100 puts "\nall done\n" diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp index 82e9a63eb..835f645b2 100755 --- a/test/filters/protocol.exp +++ b/test/filters/protocol.exp @@ -180,6 +180,6 @@ expect { timeout {puts "TESTING ERROR 4.9\n";exit} "after socket" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp index 53f06e632..1bd9c9b1f 100755 --- a/test/filters/seccomp-bad-empty.exp +++ b/test/filters/seccomp-bad-empty.exp 
@@ -36,6 +36,6 @@ expect { timeout {puts "TESTING ERROR 7\n";exit} "Error: line 1 in seccomp-bad-empty2.profile is invalid" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-chmod-profile.exp b/test/filters/seccomp-chmod-profile.exp index e5d16f524..463ce05e9 100755 --- a/test/filters/seccomp-chmod-profile.exp +++ b/test/filters/seccomp-chmod-profile.exp @@ -47,5 +47,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-chmod.exp b/test/filters/seccomp-chmod.exp index 9ca084e7f..b17990e3a 100755 --- a/test/filters/seccomp-chmod.exp +++ b/test/filters/seccomp-chmod.exp @@ -47,5 +47,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-chown.exp b/test/filters/seccomp-chown.exp index 4e393fea2..a54d279f1 100755 --- a/test/filters/seccomp-chown.exp +++ b/test/filters/seccomp-chown.exp @@ -45,5 +45,5 @@ expect { send -- "exit\r" -sleep 1 -puts "\n" +after 100 +puts "\nall done\n" diff --git a/test/filters/seccomp-dualfilter.exp b/test/filters/seccomp-dualfilter.exp index 8a48130b3..958dab528 100755 --- a/test/filters/seccomp-dualfilter.exp +++ b/test/filters/seccomp-dualfilter.exp @@ -51,4 +51,5 @@ expect { "Parent is shutting down" } +after 100 puts "\nall done\n" diff --git a/test/filters/seccomp-empty.exp b/test/filters/seccomp-empty.exp index 11b275c7d..d150dac7d 100755 --- a/test/filters/seccomp-empty.exp +++ b/test/filters/seccomp-empty.exp @@ -144,5 +144,6 @@ expect { } sleep 2 send -- "exit\r" +after 100 puts "\n" diff --git a/test/filters/seccomp-errno.exp b/test/filters/seccomp-errno.exp index aefe816e1..4df1948be 100755 --- a/test/filters/seccomp-errno.exp +++ b/test/filters/seccomp-errno.exp @@ -86,5 +86,5 @@ sleep 1 send -- "rm seccomp-test-file\r" -sleep 1 +after 100 puts "all done\n" diff --git a/test/filters/seccomp-ptrace.exp b/test/filters/seccomp-ptrace.exp index fba9ea92f..bb87b96ea 100755 
--- a/test/filters/seccomp-ptrace.exp +++ b/test/filters/seccomp-ptrace.exp @@ -22,5 +22,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "all done\n" diff --git a/test/filters/seccomp-su.exp b/test/filters/seccomp-su.exp index 3f1f2e732..7833c69b0 100755 --- a/test/filters/seccomp-su.exp +++ b/test/filters/seccomp-su.exp @@ -36,5 +36,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "all done\n" diff --git a/test/filters/seccomp-umount.exp b/test/filters/seccomp-umount.exp index 6e2f8c6c2..df38dba5e 100755 --- a/test/filters/seccomp-umount.exp +++ b/test/filters/seccomp-umount.exp @@ -27,5 +27,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\n" diff --git a/test/fs/fs_dev_shm.exp b/test/fs/fs_dev_shm.exp index 6d27978e2..8150dfa61 100755 --- a/test/fs/fs_dev_shm.exp +++ b/test/fs/fs_dev_shm.exp @@ -85,6 +85,6 @@ expect { "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/fs_var_lock.exp b/test/fs/fs_var_lock.exp index 0e2b3181a..5879dca52 100755 --- a/test/fs/fs_var_lock.exp +++ b/test/fs/fs_var_lock.exp @@ -85,6 +85,6 @@ expect { "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/fs_var_tmp.exp b/test/fs/fs_var_tmp.exp index 811baac68..a3bc5afe2 100755 --- a/test/fs/fs_var_tmp.exp +++ b/test/fs/fs_var_tmp.exp @@ -85,6 +85,6 @@ expect { "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/option_bind_user.exp b/test/fs/option_bind_user.exp index 9d2d17d7f..a2912968e 100755 --- a/test/fs/option_bind_user.exp +++ b/test/fs/option_bind_user.exp @@ -9,7 +9,7 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "bind option is available only if running as root" } -sleep 1 +after 100 puts "\n" diff --git a/test/fs/option_blacklist.exp b/test/fs/option_blacklist.exp index 38fd19237..6554d438f 100755 --- a/test/fs/option_blacklist.exp +++ b/test/fs/option_blacklist.exp @@ -32,7 +32,7 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "done" } -sleep 1 +after 100 puts "\n" 
diff --git a/test/fs/option_blacklist_file.exp b/test/fs/option_blacklist_file.exp index 846735d9e..b0164136c 100755 --- a/test/fs/option_blacklist_file.exp +++ b/test/fs/option_blacklist_file.exp @@ -20,7 +20,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "done" } -sleep 1 +after 100 puts "\n" diff --git a/test/fs/option_blacklist_glob.exp b/test/fs/option_blacklist_glob.exp index 01939736d..5a96cacc9 100755 --- a/test/fs/option_blacklist_glob.exp +++ b/test/fs/option_blacklist_glob.exp @@ -27,6 +27,7 @@ expect { timeout {puts "TESTING ERROR 2\n";exit} "Permission denied" } +after 100 puts "\n" diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp index c19702e77..fe9468be9 100755 --- a/test/fs/private-bin.exp +++ b/test/fs/private-bin.exp @@ -66,6 +66,6 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp index 13e917a5c..2ab634afd 100755 --- a/test/fs/private-etc-empty.exp +++ b/test/fs/private-etc-empty.exp @@ -35,4 +35,5 @@ expect { "0" } +after 100 puts "\nall done\n" diff --git a/test/fs/private-etc.exp b/test/fs/private-etc.exp index 3b4f3eb2b..e692f7382 100755 --- a/test/fs/private-etc.exp +++ b/test/fs/private-etc.exp @@ -40,6 +40,6 @@ expect { "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/private.exp b/test/fs/private.exp index 7eee0c82b..67435b888 100755 --- a/test/fs/private.exp +++ b/test/fs/private.exp @@ -54,6 +54,6 @@ expect { timeout {puts "TESTING ERROR 11\n";exit} "done" } -sleep 1 +after 100 puts "all done\n" diff --git a/test/fs/whitelist-double.exp b/test/fs/whitelist-double.exp index 34463dbe4..fc05f9322 100755 --- a/test/fs/whitelist-double.exp +++ b/test/fs/whitelist-double.exp @@ -37,6 +37,6 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "0" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/fs/whitelist-empty.exp b/test/fs/whitelist-empty.exp index f44d4fb58..71bb8f914 100755 
--- a/test/fs/whitelist-empty.exp +++ b/test/fs/whitelist-empty.exp @@ -49,5 +49,6 @@ expect { "0" } +after 100 puts "\nall done\n" diff --git a/test/network/4bridges_arp.exp b/test/network/4bridges_arp.exp index f769df43b..4ffa715cc 100755 --- a/test/network/4bridges_arp.exp +++ b/test/network/4bridges_arp.exp @@ -167,7 +167,8 @@ expect { timeout {puts "TESTING ERROR 10.2\n";exit} "10.10.50.0/24 dev eth3 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/4bridges_ip.exp b/test/network/4bridges_ip.exp index db7a61867..3cfd71be0 100755 --- a/test/network/4bridges_ip.exp +++ b/test/network/4bridges_ip.exp @@ -171,7 +171,8 @@ expect { "10.10.50.0/24 dev eth3 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/bandwidth.exp b/test/network/bandwidth.exp index 2913c6b14..8f3a706a8 100755 --- a/test/network/bandwidth.exp +++ b/test/network/bandwidth.exp @@ -60,6 +60,6 @@ expect { "rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit} "done" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/network/hostname.exp b/test/network/hostname.exp index 53f24f7b1..73d06725f 100755 --- a/test/network/hostname.exp +++ b/test/network/hostname.exp @@ -23,6 +23,7 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "done" } -sleep 1 +send -- "exit\r" +after 100 puts "all done\n" diff --git a/test/network/ip6.exp b/test/network/ip6.exp index e5939021e..f0fcebcf8 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp @@ -42,6 +42,8 @@ expect { "scopeid 0x0" { puts "Arch\n"} } +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_badip.exp b/test/network/net_badip.exp index 8003252d6..d13a6144e 100755 --- a/test/network/net_badip.exp +++ b/test/network/net_badip.exp @@ -13,7 +13,7 @@ expect { timeout {puts "TESTING ERROR 0.0\n";exit} "the IP address is not" } -sleep 1 +after 100 puts "\n" 
diff --git a/test/network/net_defaultgw.exp b/test/network/net_defaultgw.exp index 5534b7706..6291ae5ba 100755 --- a/test/network/net_defaultgw.exp +++ b/test/network/net_defaultgw.exp @@ -43,7 +43,8 @@ expect { timeout {puts "TESTING ERROR 10.2\n";exit} "10.10.20.0/29 dev eth0 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_defaultgw2.exp b/test/network/net_defaultgw2.exp index 86f204e8c..7620e4899 100755 --- a/test/network/net_defaultgw2.exp +++ b/test/network/net_defaultgw2.exp @@ -37,7 +37,8 @@ expect { timeout {puts "TESTING ERROR 10.3\n";exit} "10.10.30.0/24 dev eth1 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_defaultgw3.exp b/test/network/net_defaultgw3.exp index 30150938f..a47324adc 100755 --- a/test/network/net_defaultgw3.exp +++ b/test/network/net_defaultgw3.exp @@ -14,7 +14,8 @@ expect { "default gateway 10.10.95.89 is not in the range of any network" } -sleep 1 +after 100 + puts "\n" diff --git a/test/network/net_interface.exp b/test/network/net_interface.exp index 2e6619938..2f87024d8 100755 --- a/test/network/net_interface.exp +++ b/test/network/net_interface.exp @@ -86,6 +86,8 @@ expect { timeout {puts "TESTING ERROR 5.1\n";exit} "UP" } +send -- "exit\r" +after 100 puts "all done\n" diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp index 0eff212dd..32103050d 100755 --- a/test/network/net_ip.exp +++ b/test/network/net_ip.exp @@ -69,7 +69,8 @@ expect { timeout {puts "TESTING ERROR 10\n";exit} "10.10.20.0/29 dev eth0 proto kernel scope link" } -sleep 1 +send -- "exit\r" +after 100 puts "\n" diff --git a/test/network/net_local.exp b/test/network/net_local.exp index 60ab2af05..b72b9adaf 100755 --- a/test/network/net_local.exp +++ b/test/network/net_local.exp @@ -43,6 +43,8 @@ expect { timeout {puts "TESTING ERROR 7\n";exit} "255.0.0.0" } +send -- "exit\r" +after 100 puts "all done\n" 
diff --git a/test/network/net_mac.exp b/test/network/net_mac.exp index 5c48be9fd..d3cd8163f 100755 --- a/test/network/net_mac.exp +++ b/test/network/net_mac.exp @@ -33,7 +33,8 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_macvlan.exp b/test/network/net_macvlan.exp index ca503c26a..f457ea98f 100755 --- a/test/network/net_macvlan.exp +++ b/test/network/net_macvlan.exp @@ -86,6 +86,8 @@ while { $i <= $MAXi } { after 100 # sleep 1 } +send -- "exit\r" +after 100 puts "\n" diff --git a/test/network/net_mtu.exp b/test/network/net_mtu.exp index 21b9aa5cb..eb9c5d08c 100755 --- a/test/network/net_mtu.exp +++ b/test/network/net_mtu.exp @@ -28,6 +28,8 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "state UP" } +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_noip.exp b/test/network/net_noip.exp index 3fb53d860..b557d116c 100755 --- a/test/network/net_noip.exp +++ b/test/network/net_noip.exp @@ -38,6 +38,7 @@ expect { timeout {puts "TESTING ERROR 6\n";exit} "done" } +send -- "exit\r" after 100 puts "all done\n" diff --git a/test/network/net_noip2.exp b/test/network/net_noip2.exp index cf86d7f6b..c86ea4900 100755 --- a/test/network/net_noip2.exp +++ b/test/network/net_noip2.exp @@ -38,6 +38,7 @@ expect { timeout {puts "TESTING ERROR 6\n";exit} "done" } +send -- "exit\r" after 100 puts "all done\n" diff --git a/test/network/net_none.exp b/test/network/net_none.exp index 1c1577d76..1761eb423 100755 --- a/test/network/net_none.exp +++ b/test/network/net_none.exp @@ -66,6 +66,7 @@ expect { "eth0" {puts "TESTING ERROR 5.1\n";exit} "done" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/network/net_profile.exp b/test/network/net_profile.exp index 7e88193cc..dee0b2793 100755 --- a/test/network/net_profile.exp +++ b/test/network/net_profile.exp 
@@ -70,7 +70,8 @@ expect { "state UP" } -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp index 281697b26..0c5691e9a 100755 --- a/test/profiles/ignore.exp +++ b/test/profiles/ignore.exp @@ -46,5 +46,5 @@ expect { "Child process initialized" } - +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_followlnk.exp b/test/profiles/profile_followlnk.exp index 4d89de26b..eb3d04852 100755 --- a/test/profiles/profile_followlnk.exp +++ b/test/profiles/profile_followlnk.exp @@ -31,7 +31,8 @@ expect { sleep 1 send -- "exit\r" +after 100 send -- "rm -fr /tmp/firejailtest*\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_noperm.exp b/test/profiles/profile_noperm.exp index 25ec580bd..b3b031cb2 100755 --- a/test/profiles/profile_noperm.exp +++ b/test/profiles/profile_noperm.exp @@ -9,5 +9,5 @@ expect { timeout {puts "TESTING ERROR 0\n";exit} "cannot access profile" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_readonly.exp b/test/profiles/profile_readonly.exp index e8e78d6ad..c1c9544a6 100755 --- a/test/profiles/profile_readonly.exp +++ b/test/profiles/profile_readonly.exp @@ -28,9 +28,9 @@ expect { "Read-only file system" } send -- "exit\r" -sleep 1 +after 100 send -- "rm -fr /tmp/firejailtest*\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_syntax.exp b/test/profiles/profile_syntax.exp index dd6b637ed..c8cb99a5f 100755 --- a/test/profiles/profile_syntax.exp +++ b/test/profiles/profile_syntax.exp @@ -50,5 +50,5 @@ expect { } send -- "exit\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/profiles/profile_syntax2.exp b/test/profiles/profile_syntax2.exp index ba83731be..9dca35ca2 100755 --- a/test/profiles/profile_syntax2.exp +++ b/test/profiles/profile_syntax2.exp 
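Review bot: In profile_followlnk.exp the cleanup `send -- "rm -fr /tmp/firejailtest*\r"` is now followed only by `after 100` before the script ends, so nothing confirms that the shell actually executed the command before expect exits and closes the pty; the same pattern is in profile_readonly.exp in this commit and in ls.exp's `rm -f lstesting`. A fixed 100 ms pause is shorter than the `sleep 1` it replaces and is still not synchronized with the command, so on a slow host the temporary test files may be left behind for the next run. Waiting on a marker instead, e.g. `send -- "rm -fr /tmp/firejailtest*; echo done\r"` followed by `expect "done"` (several fs tests on this page already expect a `"done"` marker), would make the cleanup deterministic.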
@@ -45,6 +45,6 @@ expect { timeout {puts "TESTING ERROR 8\n";exit} "Child process initialized" } - -sleep 1 +send -- "exit\r" +after 100 puts "\nall done\n" diff --git a/test/utils/caps-print.exp b/test/utils/caps-print.exp index 9cc4b1872..fa5239da2 100755 --- a/test/utils/caps-print.exp +++ b/test/utils/caps-print.exp @@ -28,5 +28,5 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "net_raw - disabled" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/cpu-print.exp b/test/utils/cpu-print.exp index 4a9ffa0ac..ca2e57313 100755 --- a/test/utils/cpu-print.exp +++ b/test/utils/cpu-print.exp @@ -20,5 +20,5 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "Cpus_allowed_list: 1-2" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/dns-print.exp b/test/utils/dns-print.exp index 51dcab508..406ab5149 100755 --- a/test/utils/dns-print.exp +++ b/test/utils/dns-print.exp @@ -20,5 +20,5 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "nameserver 1.2.3.4" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/fs-print.exp b/test/utils/fs-print.exp index fa0eab95b..4d4ceb718 100755 --- a/test/utils/fs-print.exp +++ b/test/utils/fs-print.exp @@ -28,5 +28,5 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "blacklist /proc/kmsg" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/join-profile.exp b/test/utils/join-profile.exp index a4262b999..a2078c2f6 100755 --- a/test/utils/join-profile.exp +++ b/test/utils/join-profile.exp @@ -30,6 +30,6 @@ expect { } send -- "exit" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/join.exp b/test/utils/join.exp index ab4917f7d..7f582e2e5 100755 --- a/test/utils/join.exp +++ b/test/utils/join.exp @@ -33,6 +33,6 @@ expect { } send -- "exit" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/join2.exp b/test/utils/join2.exp index 82540fe39..5895eb730 100755 --- a/test/utils/join2.exp +++ b/test/utils/join2.exp 
@@ -33,6 +33,6 @@ expect { } send -- "exit" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/join3.exp b/test/utils/join3.exp index e92045dd1..3ccc47bf9 100755 --- a/test/utils/join3.exp +++ b/test/utils/join3.exp @@ -33,6 +33,6 @@ expect { } send -- "exit" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/ls.exp b/test/utils/ls.exp index 3a99be0d5..b83957a4f 100755 --- a/test/utils/ls.exp +++ b/test/utils/ls.exp @@ -37,5 +37,5 @@ expect { sleep 1 send -- "rm -f lstesting\r" -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/protocol-print.exp b/test/utils/protocol-print.exp index 152a64467..b4b94ea93 100755 --- a/test/utils/protocol-print.exp +++ b/test/utils/protocol-print.exp @@ -20,5 +20,5 @@ expect { timeout {puts "TESTING ERROR 1\n";exit} "unix,inet,inet6" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/seccomp-print.exp b/test/utils/seccomp-print.exp index d0531a9c3..f6ff1e721 100755 --- a/test/utils/seccomp-print.exp +++ b/test/utils/seccomp-print.exp @@ -32,5 +32,5 @@ expect { timeout {puts "TESTING ERROR 4\n";exit} "RETURN_ALLOW" } -sleep 1 +after 100 puts "\nall done\n" diff --git a/test/utils/shutdown2.exp b/test/utils/shutdown2.exp index 7857b919c..777a73ec9 100755 --- a/test/utils/shutdown2.exp +++ b/test/utils/shutdown2.exp @@ -40,6 +40,6 @@ expect { timeout {puts "TESTING ERROR 5\n";exit} "5" } -sleep 1 +after 100 puts "\nalldone\n" diff --git a/test/utils/shutdown3.exp b/test/utils/shutdown3.exp index 02b68c4ce..a74fb3386 100755 --- a/test/utils/shutdown3.exp +++ b/test/utils/shutdown3.exp @@ -60,6 +60,6 @@ expect { timeout {puts "TESTING ERROR 10\n";exit} "5" } -sleep 1 +after 100 puts "\nalldone\n" diff --git a/test/utils/shutdown4.exp b/test/utils/shutdown4.exp index 0f2e0e7fe..2942ba3d5 100755 --- a/test/utils/shutdown4.exp +++ b/test/utils/shutdown4.exp @@ -60,6 +60,6 @@ expect { timeout {puts "TESTING ERROR 50\n";exit} "50" } -sleep 1 +after 100 puts "\nalldone\n" 
diff --git a/test/utils/trace.exp b/test/utils/trace.exp
index b562a6b49..78a04b273 100755
--- a/test/utils/trace.exp
+++ b/test/utils/trace.exp
@@ -110,5 +110,6 @@ expect {
 "bash:access /etc/terminfo/" {puts "debian\n"}
 "bash:access /usr/share/terminfo/" {puts "arch\n"}
 }
+after 100
 puts "\nall done\n"
-- cgit v1.2.3-70-g09d2
From 62b9173095929c7ef21b9fb2385f54ceba956aa7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 20 Nov 2016 17:52:30 -0500 Subject: caps testing
---
 src/firejail/caps.c | 77 ++++++++++++++++----------------- src/firejail/firejail.h | 2 +- src/firejail/main.c | 6 +-- src/firejail/profile.c | 6 +-- test/filters/caps-print.exp | 103 ++++++++++++++++++++++++++++++++++++++++++ test/filters/caps.exp | 73 +++++++++++++++++++++++++++++-- test/filters/caps1.profile | 1 + test/filters/caps2.profile | 1 + test/filters/caps3.profile | 1 + test/filters/filters.sh | 3 ++ 10 files changed, 221 insertions(+), 52 deletions(-) create mode 100755 test/filters/caps-print.exp create mode 100644 test/filters/caps1.profile create mode 100644 test/filters/caps2.profile create mode 100644 test/filters/caps3.profile (limited to 'test/filters/caps.exp')
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index ba811cada..6cfa36629 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -181,12 +181,10 @@ static int caps_find_name(const char *name) {
 }
 // return 1 if error, 0 if OK
-int caps_check_list(const char *clist, void (*callback)(int)) {
+void caps_check_list(const char *clist, void (*callback)(int)) {
 // don't allow empty lists
- if (clist == NULL || *clist == '\0') {
- fprintf(stderr, "Error: empty capabilities lists are not allowed\n");
- return -1;
- }
+ if (clist == NULL || *clist == '\0')
+ goto errexit;
 // work on a copy of the string
 char *str = strdup(clist);
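Review bot: The new `goto errexit` for a NULL or empty `clist` jumps to a label (next hunk, L15) whose message prints `start`, and `start` appears to be assigned from `str` only after the `strdup` that this jump skips, so on that path the diagnostic reads an uninitialized pointer and reports a capability as "not found" where the removed code said the list was empty. Keep the empty-list case as its own exit before any jump, e.g. `if (clist == NULL || *clist == '\0') { fprintf(stderr, "Error: empty capabilities lists are not allowed\n"); exit(1); }`. The context comment `// return 1 if error, 0 if OK` above the now-`void` signature is stale and should say something like `// exits with status 1 on an empty list or an unknown capability name`. The body of caps_check_list continues past this hunk, and where `start` is declared is inferred from its use in the later hunks rather than visible here.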
@@ -201,11 +199,8 @@ int caps_check_list(const char *clist, void (*callback)(int)) {
 else if (*ptr == ',') {
 *ptr = '\0';
 int nr = caps_find_name(start);
- if (nr == -1) {
- fprintf(stderr, "Error: capability %s not found\n", start);
- free(str);
- return -1;
- }
+ if (nr == -1)
+ goto errexit;
 else if (callback != NULL)
 callback(nr);
@@ -215,17 +210,18 @@ int caps_check_list(const char *clist, void (*callback)(int)) {
 }
 if (*start != '\0') {
 int nr = caps_find_name(start);
- if (nr == -1) {
- fprintf(stderr, "Error: capability %s not found\n", start);
- free(str);
- return -1;
- }
+ if (nr == -1)
+ goto errexit;
 else if (callback != NULL)
 callback(nr);
 }
 free(str);
- return 0;
+ return;
+
+errexit:
+ fprintf(stderr, "Error: capability \"%s\" not found\n", start);
+ exit(1);
 }
 void caps_print(void) {
@@ -256,49 +252,53 @@ void caps_print(void) {
 // enabled by default
 int caps_default_filter(void) {
 // drop capabilities
- if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0) && arg_debug)
- fprintf(stderr, "Warning: cannot drop CAP_SYS_MODULE");
+ if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0))
+ goto errexit;
 else if (arg_debug)
 printf("Drop CAP_SYS_MODULE\n");
- if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0) && arg_debug)
- fprintf(stderr, "Warning: cannot drop CAP_SYS_RAWIO");
+ if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0))
+ goto errexit;
 else if (arg_debug)
 printf("Drop CAP_SYS_RAWIO\n");
- if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0) && arg_debug)
- fprintf(stderr, "Warning: cannot drop CAP_SYS_BOOT");
+ if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0))
+ goto errexit;
 else if (arg_debug)
 printf("Drop CAP_SYS_BOOT\n");
- if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0) && arg_debug)
- fprintf(stderr, "Warning: cannot drop CAP_SYS_NICE");
+ if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0))
+ goto errexit;
 else if (arg_debug)
 printf("Drop CAP_SYS_NICE\n");
- if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0) && arg_debug)
- fprintf(stderr, "Warning: cannot drop CAP_SYS_TTY_CONFIG");
+ if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0))
+ goto errexit;
 else if (arg_debug)
 printf("Drop CAP_SYS_TTY_CONFIG\n");
 #ifdef CAP_SYSLOG
- if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0) && arg_debug)
- fprintf(stderr, "Warning: cannot drop CAP_SYSLOG");
+ if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0))
+ goto errexit;
 else if (arg_debug)
 printf("Drop CAP_SYSLOG\n");
 #endif
- if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) && arg_debug)
- fprintf(stderr, "Warning: cannot drop CAP_MKNOD");
+ if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0))
+ goto errexit;
 else if (arg_debug)
 printf("Drop CAP_MKNOD\n");
- if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0) && arg_debug)
- fprintf(stderr, "Warning: cannot drop CAP_SYS_ADMIN");
+ if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0))
+ goto errexit;
 else if (arg_debug)
 printf("Drop CAP_SYS_ADMIN\n");
 return 0;
+
+errexit:
+ fprintf(stderr, "Error: cannot drop capabilities\n");
+ exit(1);
 }
 void caps_drop_all(void) {
@@ -359,19 +359,14 @@ static uint64_t extract_caps(int pid) {
 EUID_ASSERT();
 char *file;
- if (asprintf(&file, "/proc/%d/status", pid) == -1) {
+ if (asprintf(&file, "/proc/%d/status", pid) == -1)
 errExit("asprintf");
- exit(1);
- }
 EUID_ROOT(); // grsecurity
 FILE *fp = fopen(file, "r");
 EUID_USER(); // grsecurity
- if (!fp) {
- printf("Error: cannot open %s\n", file);
- free(file);
- exit(1);
- }
+ if (!fp)
+ goto errexit;
 char buf[MAXBUF];
 while (fgets(buf, MAXBUF, fp)) {
@@ -385,6 +380,8 @@ static uint64_t extract_caps(int pid) {
 }
 }
 fclose(fp);
+
+errexit:
 free(file);
 fprintf(stderr, "Error: cannot read caps configuration\n");
 exit(1);
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2e031ce04..4ae3cfd9f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -508,7 +508,7 @@ int caps_default_filter(void);
 void caps_print(void);
 void caps_drop_all(void);
 void caps_set(uint64_t caps);
-int caps_check_list(const char *clist, void (*callback)(int));
+void caps_check_list(const char *clist, void (*callback)(int));
 void caps_drop_list(const char *clist);
 void caps_keep_list(const char *clist);
 void caps_print_filter(pid_t pid);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ff7b762cd..111a1d751 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1186,8 +1186,7 @@ int main(int argc, char **argv) {
 if (!arg_caps_list)
 errExit("strdup");
 // verify caps list and exit if problems
- if (caps_check_list(arg_caps_list, NULL))
- return 1;
+ caps_check_list(arg_caps_list, NULL);
 }
 else if (strncmp(argv[i], "--caps.keep=", 12) == 0) {
 arg_caps_keep = 1;
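Review bot: The new `errexit` in caps_default_filter collapses eight distinct `prctl(PR_CAPBSET_DROP, …)` failures into the single message `Error: cannot drop capabilities` with no errno, whereas the warnings it replaces at least named the capability; since the failure is now fatal, report it the way the asprintf failure in the extract_caps hunk below already does, e.g. `errExit("prctl")`, or include `strerror(errno)` and the capability name so the failing drop can be diagnosed. The function also keeps its `int` return type while the only remaining return is `return 0;`, so any caller that tests its result is now dead code (callers are outside this hunk). In the extract_caps hunk, a failed `fopen` goes through the same `errexit` that prints `Error: cannot read caps configuration` after `free(file)`, dropping the path the removed `printf` reported; printing `file` in that message before the `free` would keep that information.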
@@ -1195,8 +1194,7 @@ int main(int argc, char **argv) {
 if (!arg_caps_list)
 errExit("strdup");
 // verify caps list and exit if problems
- if (caps_check_list(arg_caps_list, NULL))
- return 1;
+ caps_check_list(arg_caps_list, NULL);
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 688fa9609..abb8bd9b6 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -570,8 +570,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 if (!arg_caps_list)
 errExit("strdup");
 // verify caps list and exit if problems
- if (caps_check_list(arg_caps_list, NULL))
- exit(1);
+ caps_check_list(arg_caps_list, NULL);
 return 0;
 }
@@ -582,8 +581,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 if (!arg_caps_list)
 errExit("strdup");
 // verify caps list and exit if problems
- if (caps_check_list(arg_caps_list, NULL))
- exit(1);
+ caps_check_list(arg_caps_list, NULL);
 return 0;
 }
diff --git a/test/filters/caps-print.exp b/test/filters/caps-print.exp
new file mode 100755
index 000000000..d9d662239
--- /dev/null
+++ b/test/filters/caps-print.exp
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --noprofile --caps --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Drop CAP_SYS_MODULE"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Drop CAP_SYS_RAWIO"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "Drop CAP_SYS_BOOT"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Drop CAP_SYS_NICE"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Drop CAP_SYS_TTY_CONFIG"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Drop CAP_SYSLOG"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Drop CAP_MKNOD"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Drop CAP_SYS_ADMIN"
+}
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "chown - enabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "setgid - enabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "setuid - enabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "mknod - disabled"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "syslog - disabled"
+}
+after 100
+
+send -- "firejail --debug-caps\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "21 - sys_admin"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "22 - sys_boot"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "23 - sys_nice"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "24 - sys_resource"
+}
+after 100
+
+send -- "firejail --caps.keep=\"bla bla bla\"\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "capability"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "not found"
+}
+
+after 100
+puts "\nall 
done\n"
diff --git a/test/filters/caps.exp b/test/filters/caps.exp
index 7f7cf7dd1..2954f2e58 100755
--- a/test/filters/caps.exp
+++ b/test/filters/caps.exp
@@ -12,7 +12,7 @@ expect {
 timeout {puts "TESTING ERROR 1\n";exit}
 "Child process initialized"
 }
-sleep 2
+after 100
 send -- "cat /proc/self/status\r"
 expect {
@@ -31,7 +31,7 @@ expect {
 timeout {puts "TESTING ERROR 4\n";exit}
 "Child process initialized"
 }
-sleep 2
+after 100
 send -- "cat /proc/self/status\r"
 expect {
@@ -50,7 +50,7 @@ expect {
 timeout {puts "TESTING ERROR 7\n";exit}
 "Child process initialized"
 }
-sleep 2
+after 100
 send -- "cat /proc/self/status\r"
 expect {
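Review bot: The error tags in the new caps-print.exp are reused — `TESTING ERROR 9` is printed by five expect blocks (the `chown - enabled` check and all four `--debug-caps` checks) and `10` and `11` by two blocks each — so a timeout message from this script cannot be traced to the step that failed. Renumbering the six blocks after the first `after 100` as 14 through 19 keeps every tag unique and matches the sequential scheme used by caps.exp. The first sandbox, started with `--name=test`, is intentionally left running so that `--caps.print=test` has something to query; a one-line comment before the second `spawn $env(SHELL)`, `# keep the "test" sandbox alive: the following commands query it by name`, would save the next reader from treating the missing `exit` as an oversight.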
@@ -66,7 +66,74 @@ expect {
 "Seccomp:"
 }
 send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --profile=caps1.profile --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "Drop CAP_SYS_MODULE"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "Drop CAP_SYS_ADMIN"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "Drop CAP_" {puts "TESTING ERROR 14\n";exit}
+ "Child process initialized"
+}
 after 100
+send -- "exit\r"
+sleep 1
+## tofix: possible problem with caps.keep in profile files
+##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+#send -- "firejail --profile=caps2.profile\r"
+#expect {
+# timeout {puts "TESTING ERROR 15\n";exit}
+# "Child process initialized"
+#}
+#after 100
+#
+#send -- "cat /proc/self/status\r"
+#expect {
+# timeout {puts "TESTING ERROR 16\n";exit}
+# "CapBnd: 0000000000000009"
+#}
+#expect {
+# timeout {puts "TESTING ERROR 17\n";exit}
+# "Seccomp:"
+#}
+#send -- "exit\r"
+#sleep 1
+
+#send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+send -- "firejail --profile=caps3.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 18\n";exit}
+ "Child process initialized"
+}
+after 100
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 19\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 20\n";exit}
+ "fffffff0"
+}
+expect {
+ timeout {puts "TESTING ERROR 21\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+
+after 100
 puts "\nall done\n"
diff --git a/test/filters/caps1.profile b/test/filters/caps1.profile
new file mode 100644
index 000000000..8b0c3b340
--- /dev/null
+++ b/test/filters/caps1.profile
@@ -0,0 +1 @@
+caps
diff --git a/test/filters/caps2.profile b/test/filters/caps2.profile
new file mode 100644
index 000000000..4f0016fad
--- /dev/null
+++ b/test/filters/caps2.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
\ No newline at end of file
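Review bot: The commented-out caps2.profile block in this hunk expects `CapBnd: 0000000000000009`, the bounding set left when only chown and fowner are kept, but caps2.profile as added in the hunk that follows contains `caps.drop chown,dac_override,dac_read_search,fowner` — byte-identical to caps3.profile, both at blob 4f0016fad — so that expectation could never have matched, and the `## tofix: possible problem with caps.keep in profile files` note may be recording a fixture mismatch rather than a firejail defect. Changing caps2.profile to `caps.keep chown,fowner`, which is what the commented `--caps.keep=chown,fowner --noprofile` line above it exercised, would let the block be re-enabled and settle the question. caps3.profile can keep the drop list it has, since the `fffffff0` check below matches it.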
diff --git a/test/filters/caps3.profile b/test/filters/caps3.profile
new file mode 100644
index 000000000..4f0016fad
--- /dev/null
+++ b/test/filters/caps3.profile
@@ -0,0 +1 @@
+caps.drop chown,dac_override,dac_read_search,fowner
\ No newline at end of file
diff --git a/test/filters/filters.sh b/test/filters/filters.sh
index 5c7c98b3e..fea4a0296 100755
--- a/test/filters/filters.sh
+++ b/test/filters/filters.sh
@@ -12,6 +12,9 @@ echo "TESTING: noroot (test/filters/noroot.exp)"
 echo "TESTING: capabilities (test/filters/caps.exp)"
 ./caps.exp
+echo "TESTING: capabilities print (test/filters/caps-print.exp)"
+./caps-print.exp
+
 rm -f seccomp-test-file
 if [ "$(uname -m)" = "x86_64" ]; then
 echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
-- cgit v1.2.3-70-g09d2