From 5116c1ceddf1966c852cbe2d81a2b2672dc3ba90 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Sat, 24 Dec 2022 03:06:46 +0100 Subject: testing --- test/filters/filters.sh | 10 +++ test/filters/namespaces | Bin 0 -> 17392 bytes test/filters/namespaces-32 | Bin 0 -> 16104 bytes test/filters/namespaces-32.exp | 173 +++++++++++++++++++++++++++++++++++++++++ test/filters/namespaces.c | 96 +++++++++++++++++++++++ test/filters/namespaces.exp | 173 +++++++++++++++++++++++++++++++++++++++++ 6 files changed, 452 insertions(+) create mode 100755 test/filters/namespaces create mode 100755 test/filters/namespaces-32 create mode 100755 test/filters/namespaces-32.exp create mode 100644 test/filters/namespaces.c create mode 100755 test/filters/namespaces.exp (limited to 'test') diff --git a/test/filters/filters.sh b/test/filters/filters.sh index 3b4a6b492..c313b80ed 100755 --- a/test/filters/filters.sh +++ b/test/filters/filters.sh @@ -30,6 +30,16 @@ else echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686." fi +if [[ $(uname -m) == "x86_64" ]]; then + echo "TESTING: restrict-namespaces (test/filters/namespaces.exp)" + ./namespaces.exp +elif [[ $(uname -m) == "i686" ]]; then + echo "TESTING: restrict-namespaces (test/filters/namespaces-32.exp)" + ./namespaces-32.exp +else + echo "TESTING SKIP: namespaces binary only running on x86_64 and i686." +fi + echo "TESTING: debug options (test/filters/debug.exp)" ./debug.exp diff --git a/test/filters/namespaces b/test/filters/namespaces new file mode 100755 index 000000000..721ba092e Binary files /dev/null and b/test/filters/namespaces differ diff --git a/test/filters/namespaces-32 b/test/filters/namespaces-32 new file mode 100755 index 000000000..4df674d1b Binary files /dev/null and b/test/filters/namespaces-32 differ diff --git a/test/filters/namespaces-32.exp b/test/filters/namespaces-32.exp new file mode 100755 index 000000000..b643a28d3 --- /dev/null +++ b/test/filters/namespaces-32.exp 
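Review bot: The branch added to test/filters/filters.sh runs expect scripts that execute the prebuilt `namespaces` and `namespaces-32` ELF files this commit checks in as binary blobs, and nothing in the visible diff builds them from `namespaces.c`. A reviewer cannot confirm that the binaries match the source, and the helper can drift from it unnoticed. Building the helper from source at test time (for example `cc -o namespaces namespaces.c` in the test setup; how the suite builds helpers is not shown here) would remove the blobs and probably the x86-only skip branch as well. The memwrexe test just above appears to follow the same pattern, so this may be a suite-wide convention rather than something new in this change.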
@@ -0,0 +1,173 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+# clone
+#
+
+send -- "firejail --noprofile ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "clone successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "clone successful"
+}
+after 100
+
+#
+# unshare
+#
+
+send -- "firejail --noprofile ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "unshare successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r"
+expect {
+ timeout {puts "TESTING ERROR 16\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 17\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r"
+expect {
+ timeout {puts "TESTING ERROR 18\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 19\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 20\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 21\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r"
+expect {
+ timeout {puts "TESTING ERROR 22\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 23\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r"
+expect {
+ timeout {puts "TESTING ERROR 24\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 25\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 26\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 27\n";exit}
+ "unshare successful"
+}
+
+
+after 100
+puts "\nall done\n"
diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c
new file mode 100644
index 000000000..06dfa4edf
--- /dev/null
+++ b/test/filters/namespaces.c
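Review bot: In test/filters/namespaces-32.exp (and identically in namespaces.exp) the denied cases only ever block `user`, `cgroup` or `ipc`; `mnt`, `net`, `pid` and `uts` appear only in lists that are expected to succeed or that also contain `user`. A filter that failed to block one of those four types would still pass both scripts, and bare `--restrict-namespaces` is checked against `user` alone. One denied case per remaining type would close the gap, e.g. `send -- "firejail --noprofile --restrict-namespaces=mnt ./namespaces-32 unshare mnt\r"` followed by the usual two `expect` blocks matching `"Error: unshare: Operation not permitted"`. The `time` type that the helper accepts is not exercised in either script.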
@@ -0,0 +1,96 @@
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#ifndef CLONE_NEWTIME
+#define CLONE_NEWTIME 0x00000080
+#endif
+
+#define STACK_SIZE 1024 * 1024
+
+static int usage() {
+ fprintf(stderr, "Usage: namespaces [clone,unshare] [cgroup,ipc,mnt,net,pid,time,user,uts]\n");
+ exit(1);
+}
+
+static void die(const char *msg) {
+ fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno));
+ exit(1);
+}
+
+static int ns_flags(const char *list) {
+ int flags = 0;
+
+ char *dup = strdup(list);
+ if (!dup)
+ die("cannot allocate memory");
+
+ char *token = strtok(dup, ",");
+ while (token) {
+ if (strcmp(token, "cgroup") == 0)
+ flags |= CLONE_NEWCGROUP;
+ else if (strcmp(token, "ipc") == 0)
+ flags |= CLONE_NEWIPC;
+ else if (strcmp(token, "net") == 0)
+ flags |= CLONE_NEWNET;
+ else if (strcmp(token, "mnt") == 0)
+ flags |= CLONE_NEWNS;
+ else if (strcmp(token, "pid") == 0)
+ flags |= CLONE_NEWPID;
+ else if (strcmp(token, "time") == 0)
+ flags |= CLONE_NEWTIME;
+ else if (strcmp(token, "user") == 0)
+ flags |= CLONE_NEWUSER;
+ else if (strcmp(token, "uts") == 0)
+ flags |= CLONE_NEWUTS;
+ else
+ usage();
+
+ token = strtok(NULL, ",");
+ }
+
+ free(dup);
+ return flags;
+}
+
+static int child(void *arg) {
+ (void) arg;
+
+ fprintf(stderr, "clone successful\n");
+ return 0;
+}
+
+int main (int argc, char **argv) {
+ if (argc != 3)
+ usage();
+
+ int flags = ns_flags(argv[2]);
+ if (getuid() != 0)
+ flags |= CLONE_NEWUSER;
+
+ if (strcmp(argv[1], "clone") == 0) {
+ void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+ if (stack == MAP_FAILED)
+ die("mmap");
+
+ if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0)
+ die("clone");
+ }
+ else if (strcmp(argv[1], "unshare") == 0) {
+ if (unshare(flags))
+ die("unshare");
+
+ fprintf(stderr, "unshare successful\n");
+ }
+ else
+ usage();
+
+ return 0;
+}
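Review bot: In the `clone` branch of main() the parent returns right after `clone()` without reaping the child, so the "clone successful" line the expect scripts wait for comes from a process that can outlive its parent; if the sandbox is torn down when the parent exits (not shown on this page), the positive tests could fail intermittently. Keeping the pid and waiting removes the race: `pid_t pid = clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL);`, `if (pid < 0) die("clone");`, `waitpid(pid, NULL, 0);`, which needs `<sys/wait.h>` (the include names are stripped from this page, so it may already be there). Separately, `CLONE_NEWTIME` (0x80) falls inside the exit-signal byte that legacy clone() masks out of its flags, so `namespaces clone time` would not request a time namespace; rejecting `time` in clone mode, or a comment such as `/* time: unshare only, bit overlaps CSIGNAL */` next to that branch of ns_flags(), would keep a later test from passing for the wrong reason.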
diff --git a/test/filters/namespaces.exp b/test/filters/namespaces.exp
new file mode 100755
index 000000000..cfa92f0ba
--- /dev/null
+++ b/test/filters/namespaces.exp
@@ -0,0 +1,173 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+# clone
+#
+
+send -- "firejail --noprofile ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "clone successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "Error: clone: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "clone successful"
+}
+after 100
+
+#
+# unshare
+#
+
+send -- "firejail --noprofile ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 15\n";exit}
+ "unshare successful"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r"
+expect {
+ timeout {puts "TESTING ERROR 16\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 17\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r"
+expect {
+ timeout {puts "TESTING ERROR 18\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 19\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 20\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 21\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r"
+expect {
+ timeout {puts "TESTING ERROR 22\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 23\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r"
+expect {
+ timeout {puts "TESTING ERROR 24\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 25\n";exit}
+ "Error: unshare: Operation not permitted"
+}
+after 100
+
+send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r"
+expect {
+ timeout {puts "TESTING ERROR 26\n";exit}
+ -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+ timeout {puts "TESTING ERROR 27\n";exit}
+ "unshare successful"
+}
+
+
+after 100
+puts "\nall done\n"
-- cgit v1.2.3-54-g00ecf
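Review bot: test/filters/namespaces.exp repeats namespaces-32.exp line for line with only the helper name changed, so a case added to one script and forgotten in the other would leave the 32-bit or 64-bit filter with less coverage and nothing would flag it. One script that takes the helper as an argument would keep them in lockstep: `set helper [lindex $argv 0]` near the top, `$helper` in place of `./namespaces` in each `send`, and filters.sh calling `./namespaces.exp ./namespaces` or `./namespaces.exp ./namespaces-32`. The comment `# usage: namespaces.exp <helper binary>` under the license header would document the argument.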