From a1272742cfbdbfe999a701f804b58ceb4605713d Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Sat, 30 Apr 2016 07:27:31 -0400 Subject: added make test-filters --- test/filters/caps.exp | 72 +++++++++++++ test/filters/noroot.exp | 156 +++++++++++++++++++++++++++ test/filters/protocol.exp | 180 +++++++++++++++++++++++++++++++ test/filters/protocol1.profile | 1 + test/filters/protocol2.profile | 1 + test/filters/seccomp-bad-empty.exp | 38 +++++++ test/filters/seccomp-bad-empty.profile | 1 + test/filters/seccomp-bad-empty2.profile | 1 + test/filters/seccomp.profile | 1 + test/filters/syscall_test | Bin 0 -> 9552 bytes test/filters/syscall_test.c | 82 ++++++++++++++ test/filters/syscall_test32 | Bin 0 -> 6868 bytes test/noroot.exp | 117 -------------------- test/protocol.exp | 184 -------------------------------- test/protocol1.profile | 1 - test/protocol2.profile | 1 - test/seccomp-bad-empty.exp | 38 ------- test/seccomp-bad-empty.profile | 1 - test/seccomp-bad-empty2.profile | 1 - test/seccomp-chmod-profile.exp | 46 -------- test/seccomp-chmod.exp | 46 -------- test/seccomp-chown.exp | 46 -------- test/seccomp-debug.exp | 28 ----- test/seccomp-dualfilter.exp | 38 ------- test/seccomp-empty.exp | 145 ------------------------- test/seccomp-empty.profile | 1 - test/seccomp-errno.exp | 87 --------------- test/seccomp-ptrace.exp | 23 ---- test/seccomp-su.exp | 34 ------ test/seccomp-umount.exp | 28 ----- test/seccomp.profile | 1 - 31 files changed, 533 insertions(+), 866 deletions(-) create mode 100755 test/filters/caps.exp create mode 100755 test/filters/noroot.exp create mode 100755 test/filters/protocol.exp create mode 100644 test/filters/protocol1.profile create mode 100644 test/filters/protocol2.profile create mode 100755 test/filters/seccomp-bad-empty.exp create mode 100644 test/filters/seccomp-bad-empty.profile create mode 100644 test/filters/seccomp-bad-empty2.profile create mode 100644 test/filters/seccomp.profile create mode 100755 test/filters/syscall_test create mode 100644 test/filters/syscall_test.c create mode 100755 
test/filters/syscall_test32 delete mode 100755 test/noroot.exp delete mode 100755 test/protocol.exp delete mode 100644 test/protocol1.profile delete mode 100644 test/protocol2.profile delete mode 100755 test/seccomp-bad-empty.exp delete mode 100644 test/seccomp-bad-empty.profile delete mode 100644 test/seccomp-bad-empty2.profile delete mode 100755 test/seccomp-chmod-profile.exp delete mode 100755 test/seccomp-chmod.exp delete mode 100755 test/seccomp-chown.exp delete mode 100755 test/seccomp-debug.exp delete mode 100755 test/seccomp-dualfilter.exp delete mode 100755 test/seccomp-empty.exp delete mode 100644 test/seccomp-empty.profile delete mode 100755 test/seccomp-errno.exp delete mode 100755 test/seccomp-ptrace.exp delete mode 100755 test/seccomp-su.exp delete mode 100755 test/seccomp-umount.exp delete mode 100644 test/seccomp.profile (limited to 'test') diff --git a/test/filters/caps.exp b/test/filters/caps.exp new file mode 100755 index 000000000..034d6a733 --- /dev/null +++ b/test/filters/caps.exp 
@@ -0,0 +1,72 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --caps.keep=chown,fowner --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "CapBnd: 0000000000000009"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=all --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "CapBnd: 0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+send -- "cat /proc/self/status\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "fffffff0"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "Seccomp:"
+}
+send -- "exit\r"
+sleep 1
+
+
+puts "\nall done\n"
diff --git a/test/filters/noroot.exp b/test/filters/noroot.exp
new file mode 100755
index 000000000..a1f6ce88d
--- /dev/null
+++ b/test/filters/noroot.exp
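Review bot: The patterns `"CapBnd: 0000000000000009"` and `"CapBnd: 0000000000000000"` (the same form is used in noroot.exp) match a literal space after the colon, whereas /proc/self/status separates the field name from its value with a tab, so unless the character here is really a tab that survived extraction these two expects will time out; the third case in this file and the deleted test/noroot.exp split the match into `"CapBnd:"` followed by the value, which is independent of the separator, and the first two cases should do the same. The three `"Seccomp:"` expects anchor on the line but never check its value, so the test does not establish that `--caps.*` on its own leaves Seccomp at 0; following each `"Seccomp:"` with an expect for `"0"`, as noroot.exp does, would close that gap.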
@@ -0,0 +1,156 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --noroot --caps.drop=all --seccomp\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/status\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "CapBnd: 0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Seccomp:" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "2" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Cpus_allowed:" +} +puts "\n" + +send -- "ping 0\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Operation not permitted" +} +send -- "whoami\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + $env(USER) +} +send -- "sudo -s\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} +} +send -- "cat /proc/self/uid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "1" +} +send -- "cat /proc/self/gid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "3" +} + +puts "\n" +send -- "exit\r" +sleep 2 + + + +send -- "firejail --name=test --noroot --noprofile\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /proc/self/status\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "ffffffff" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "Seccomp:" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "0" +} +expect { + timeout {puts "TESTING ERROR 14\n";exit} + "Cpus_allowed:" +} +puts "\n" + +send -- "whoami\r" +expect { + timeout {puts "TESTING ERROR 15\n";exit} + $env(USER) +} +send -- "sudo -s\r" +expect { + timeout {puts "TESTING ERROR 16\n";exit} + "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} +} +send -- "ping 0\r" +expect { + timeout {puts "TESTING ERROR 17\n";exit} + "Operation not permitted" +} +send -- "cat /proc/self/uid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 18\n";exit} + "1" +} +send -- "cat /proc/self/gid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 19\n";exit} + "3" +} + + + +spawn $env(SHELL) +send -- "firejail --debug --join=test\r" +expect { + timeout {puts "TESTING ERROR 20\n";exit} + "User namespace detected" +} +expect { + timeout {puts "TESTING ERROR 21\n";exit} + "Joining user namespace" +} +sleep 1 + +send -- "sudo -s\r" +expect { + timeout {puts "TESTING ERROR 22\n";exit} + "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} + "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} +} +send -- "cat /proc/self/uid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 23\n";exit} + "1" +} +send -- "cat /proc/self/gid_map | wc -l\r" +expect { + timeout {puts "TESTING ERROR 24\n";exit} + "3" +} +puts "\nall done\n" diff --git a/test/filters/protocol.exp b/test/filters/protocol.exp new file mode 100755 index 000000000..cf552da56 --- /dev/null +++ b/test/filters/protocol.exp 
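Review bot: Error ids are reused in this hunk: `TESTING ERROR 1` is printed both for the sandbox start and for the first CapBnd check, and `TESTING ERROR 8` for both the first `sudo -s` branch and the first `gid_map` count, so a timeout cannot be attributed to a step. Giving each expect its own id, e.g. `TESTING ERROR 1.1` for the CapBnd check and `TESTING ERROR 8.1` for the gid_map count, keeps the existing convention. Less urgent: the bare patterns `"2"`, `"0"`, `"1"` and `"3"` match any such digit still in the expect buffer after the previous anchor, so a pattern that ties the digit to its field (for instance `-re "Seccomp:\\s+2"`, or the full `wc -l` output line) would be less prone to false positives.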
@@ -0,0 +1,180 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --noprofile --protocol=unix ./syscall_test socket\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "socket AF_INET" +} +expect { + timeout {puts "TESTING ERROR 1.2\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 1.3\n";exit} + "socket AF_INET6" +} +expect { + timeout {puts "TESTING ERROR 1.4\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 1.5\n";exit} + "socket AF_NETLINK" +} +expect { + timeout {puts "TESTING ERROR 1.6\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 1.7\n";exit} + "socket AF_UNIX" +} +expect { + timeout {puts "TESTING ERROR 1.8\n";exit} + "socket AF_PACKETX" +} +expect { + timeout {puts "TESTING ERROR 1.9\n";exit} + "Operation not supported" +} +sleep 1 + +send -- "firejail --noprofile --protocol=inet6,packet ./syscall_test socket\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 2.1\n";exit} + "socket AF_INET" +} +expect { + timeout {puts "TESTING ERROR 2.2\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 2.3\n";exit} + "socket AF_INET6" +} +expect { + timeout {puts "TESTING ERROR 2.4\n";exit} + "socket AF_NETLINK" +} +expect { + timeout {puts "TESTING ERROR 2.5\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 2.6\n";exit} + "socket AF_UNIX" +} +expect { + timeout {puts "TESTING ERROR 2.7\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 2.8\n";exit} + "socket AF_PACKETX" +} +expect { + timeout {puts "TESTING ERROR 2.9\n";exit} + "after socket" +} +sleep 1 + +# profile testing +send -- "firejail --profile=protocol1.profile ./syscall_test socket\r" +expect { + timeout 
{puts "TESTING ERROR 3\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "socket AF_INET" +} +expect { + timeout {puts "TESTING ERROR 3.2\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 3.3\n";exit} + "socket AF_INET6" +} +expect { + timeout {puts "TESTING ERROR 3.4\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 3.5\n";exit} + "socket AF_NETLINK" +} +expect { + timeout {puts "TESTING ERROR 3.6\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 3.7\n";exit} + "socket AF_UNIX" +} +expect { + timeout {puts "TESTING ERROR 3.8\n";exit} + "socket AF_PACKETX" +} +expect { + timeout {puts "TESTING ERROR 3.9\n";exit} + "Operation not supported" +} +sleep 1 + +send -- "firejail --profile=protocol2.profile ./syscall_test socket\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +expect { + timeout {puts "TESTING ERROR 4.1\n";exit} + "socket AF_INET" +} +expect { + timeout {puts "TESTING ERROR 4.2\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 4.3\n";exit} + "socket AF_INET6" +} +expect { + timeout {puts "TESTING ERROR 4.4\n";exit} + "socket AF_NETLINK" +} +expect { + timeout {puts "TESTING ERROR 4.5\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 4.6\n";exit} + "socket AF_UNIX" +} +expect { + timeout {puts "TESTING ERROR 4.7\n";exit} + "Operation not supported" +} +expect { + timeout {puts "TESTING ERROR 4.8\n";exit} + "socket AF_PACKETX" +} +expect { + timeout {puts "TESTING ERROR 4.9\n";exit} + "after socket" +} +sleep 1 + +puts "\nall done\n" diff --git a/test/filters/protocol1.profile b/test/filters/protocol1.profile new file mode 100644 index 000000000..3e1ea2a29 --- /dev/null +++ b/test/filters/protocol1.profile @@ -0,0 +1 @@ +protocol unix 
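Review bot: In cases 2 and 4 the `"socket AF_PACKETX"` expect is followed directly by `"after socket"`, so whatever the AF_PACKET socket() call prints in between is ignored; an unprivileged run gets `Operation not permitted` from the kernel for AF_PACKET regardless of the filter (the probe's own comment says root is needed), and a filter that wrongly blocked it with `Operation not supported` would still pass. Adding a failing branch ahead of the success pattern, as the deleted seccomp-dualfilter.exp did for "after mount", makes the check real: `"Operation not supported" {puts "TESTING ERROR 2.9\n";exit}` above `"after socket"`, and likewise for 4.9. The file also lacks the license header that caps.exp and noroot.exp carry in this commit.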
diff --git a/test/filters/protocol2.profile b/test/filters/protocol2.profile new file mode 100644 index 000000000..b7eb4ab91 --- /dev/null +++ b/test/filters/protocol2.profile @@ -0,0 +1 @@ +protocol inet6,packet diff --git a/test/filters/seccomp-bad-empty.exp b/test/filters/seccomp-bad-empty.exp new file mode 100755 index 000000000..631d67743 --- /dev/null +++ b/test/filters/seccomp-bad-empty.exp @@ -0,0 +1,38 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --seccomp=\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Error: empty syscall lists are not allowed" +} + +send -- "firejail --seccomp.drop=\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "Error: empty syscall lists are not allowed" +} + +send -- "firejail --seccomp.keep=\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Error: empty syscall lists are not allowed" +} + +send -- "firejail --profile=seccomp-bad-empty.profile\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Error: line 1 in seccomp-bad-empty.profile is invalid" +} + +send -- "firejail --profile=seccomp-bad-empty2.profile\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Error: line 1 in seccomp-bad-empty2.profile is invalid" +} +sleep 1 +puts "\nall done\n" + diff --git a/test/filters/seccomp-bad-empty.profile b/test/filters/seccomp-bad-empty.profile new file mode 100644 index 000000000..2d4fcde7c --- /dev/null +++ b/test/filters/seccomp-bad-empty.profile @@ -0,0 +1 @@ +seccomp.drop diff --git a/test/filters/seccomp-bad-empty2.profile b/test/filters/seccomp-bad-empty2.profile new file mode 100644 index 000000000..c4e6c9f74 --- /dev/null +++ b/test/filters/seccomp-bad-empty2.profile @@ -0,0 +1 @@ +seccomp.keep diff --git a/test/filters/seccomp.profile b/test/filters/seccomp.profile new file mode 100644 index 000000000..cb0b15aee --- /dev/null +++ b/test/filters/seccomp.profile @@ -0,0 +1 @@ +seccomp chmod,fchmod,fchmodat 
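Review bot: Each negative case only waits for the error string; if firejail ever accepted an empty list, the sandbox would start, the expect would sit in the 10-second timeout, and the following commands would run inside that sandbox rather than in the test shell. Adding `"Child process initialized" {puts "TESTING ERROR 1\n";exit}` as a failure branch in each expect fails fast and keeps the shell state predictable. The error ids also jump 0, 2, 4, 6, 7, and the file has no license header, unlike caps.exp and noroot.exp in the same commit.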
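Review bot: `seccomp.profile` is re-created under test/filters, but nothing in the new tree references it: the tests that consumed it, test/seccomp-chmod-profile.exp and test/seccomp-empty.exp, are deleted in this commit together with seccomp-chmod, seccomp-chown, seccomp-debug, seccomp-dualfilter, seccomp-errno, seccomp-ptrace, seccomp-su and seccomp-umount, and only seccomp-bad-empty.exp comes back under test/filters. Unless those are reintroduced in a part of the change not shown here (the listing is limited to test/), the commit drops the enforcement checks for the seccomp filter — the "Bad system call" cases, the 32-bit dual filter and the errno variants — and keeps only the argument-validation test. Either restore them under test/filters in the same commit or say in the description that the coverage is intentionally removed.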
diff --git a/test/filters/syscall_test b/test/filters/syscall_test new file mode 100755 index 000000000..bf29c5b99 Binary files /dev/null and b/test/filters/syscall_test differ diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c new file mode 100644 index 000000000..422af619d --- /dev/null +++ b/test/filters/syscall_test.c 
@@ -0,0 +1,82 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2016 Firejail Authors
+// License GPL v2
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char **argv) {
+ if (argc != 2) {
+ printf("Usage: test [sleep|socket|mkdir|mount]\n");
+ return 1;
+ }
+
+ if (strcmp(argv[1], "sleep") == 0) {
+ printf("before sleep\n");
+ sleep(1);
+ printf("after sleep\n");
+ }
+ else if (strcmp(argv[1], "socket") == 0) {
+ int sock;
+
+ printf("testing socket AF_INET\n");
+ if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+
+ printf("testing socket AF_INET6\n");
+ if ((sock = socket(AF_INET6, SOCK_STREAM, 0)) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+
+ printf("testing socket AF_NETLINK\n");
+ if ((sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+
+ printf("testing socket AF_UNIX\n");
+ if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+
+ // root needed to be able to handle this
+ printf("testing socket AF_PACKETX\n");
+ if ((sock = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP))) < 0) {
+ perror("socket");
+ }
+ else
+ close(sock);
+ printf("after socket\n");
+ }
+ else if (strcmp(argv[1], "mkdir") == 0) {
+ printf("before mkdir\n");
+ mkdir("tmp", 0777);
+ printf("after mkdir\n");
+ }
+ else if (strcmp(argv[1], "mount") == 0) {
+ printf("before mount\n");
+ if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) {
+ perror("mount");
+ }
+ printf("after mount\n");
+ }
+ else {
+ fprintf(stderr, "Error: invalid argument\n");
+ return 1;
+ }
+ return 0;
+}
diff --git a/test/filters/syscall_test32 b/test/filters/syscall_test32
new file mode 100755
index 000000000..8d72f58c4
Binary files /dev/null and b/test/filters/syscall_test32 differ
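Review bot: The `mkdir` branch discards the return value of `mkdir("tmp", 0777)` and prints `after mkdir` unconditionally, while the `mount` branch reports failure through perror; a filter that returns an errno instead of killing the process (the case the errno tests exercise) is therefore invisible for mkdir. Mirroring the mount branch with `if (mkdir("tmp", 0777) < 0) perror("mkdir");` keeps the probe's output meaningful. Separately, the commit checks in the prebuilt `syscall_test` and `syscall_test32` binaries next to this source and nothing in the shown change builds them from syscall_test.c, so the tests exercise whatever was compiled on the author's machine rather than the source under review; building them from the test target and leaving the binaries out of the tree would be cleaner.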
diff --git a/test/noroot.exp b/test/noroot.exp deleted file mode 100755 index 37d55fe78..000000000 --- a/test/noroot.exp +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --debug --noprofile --noroot --caps.drop=all --seccomp --cpu=0,1 --name=noroot-sandbox\r" -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "Child process initialized" -} -sleep 1 - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "CapBnd:" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "0000000000000000" -} - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Cpus_allowed:" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "3" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Cpus_allowed_list:" -} -puts "\n" - -send -- "cat /proc/self/status\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Seccomp:" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "2" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Cpus_allowed:" -} -puts "\n" - -send -- "ping 0\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Operation not permitted" -} -puts "\n" - -send -- "whoami\r" -expect { - timeout {puts "TESTING ERROR 55\\n";exit} - "netblue" -} -puts "\n" -send -- "exit\r" -sleep 2 - - -send -- "firejail --noroot --noprofile\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Child process initialized" -} -sleep 1 -send -- "whoami\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "netblue" -} -send -- "sudo -s\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "effective uid is not 0, is sudo installed setuid root?" 
{ puts "OK\n";} - "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} -} -puts "\n" -send -- "exit\r" -sleep 2 - -send -- "firejail --name=test --noroot --noprofile\r" -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "Child process initialized" -} -sleep 1 - -spawn $env(SHELL) -send -- "firejail --debug --join=test\r" -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "User namespace detected" -} -expect { - timeout {puts "TESTING ERROR 9\n";exit} - "Joining user namespace" -} -sleep 1 - -send -- "sudo -s\r" -expect { - timeout {puts "TESTING ERROR 8\n";exit} - "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";} - "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";} -} -puts "all done\n" diff --git a/test/protocol.exp b/test/protocol.exp deleted file mode 100755 index 018f4cd9b..000000000 --- a/test/protocol.exp +++ /dev/null 
@@ -1,184 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --noprofile --protocol=unix ../src/tools/syscall_test socket\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 1.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 1.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 1.6\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 1.7\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 1.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 1.9\n";exit} - "Operation not supported" -} -sleep 1 - -send -- "firejail --noprofile --protocol=inet6,packet ../src/tools/syscall_test socket\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 2.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 2.4\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 2.5\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 2.6\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 2.7\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 2.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 2.9\n";exit} - "after socket" -} -sleep 1 - -# profile testing -send -- "firejail --profile=protocol1.profile ../src/tools/syscall_test 
socket\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 3.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 3.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 3.4\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 3.5\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 3.6\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 3.7\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 3.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 3.9\n";exit} - "Operation not supported" -} -sleep 1 - -send -- "firejail --profile=protocol2.profile ../src/tools/syscall_test socket\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 4.1\n";exit} - "socket AF_INET" -} -expect { - timeout {puts "TESTING ERROR 4.2\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 4.3\n";exit} - "socket AF_INET6" -} -expect { - timeout {puts "TESTING ERROR 4.4\n";exit} - "socket AF_NETLINK" -} -expect { - timeout {puts "TESTING ERROR 4.5\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 4.6\n";exit} - "socket AF_UNIX" -} -expect { - timeout {puts "TESTING ERROR 4.7\n";exit} - "Operation not supported" -} -expect { - timeout {puts "TESTING ERROR 4.8\n";exit} - "socket AF_PACKETX" -} -expect { - timeout {puts "TESTING ERROR 4.9\n";exit} - "after socket" -} -sleep 1 - - - - - -puts "\nall done\n" diff --git a/test/protocol1.profile b/test/protocol1.profile deleted file mode 100644 index 3e1ea2a29..000000000 --- a/test/protocol1.profile +++ /dev/null @@ -1 +0,0 @@ -protocol unix 
diff --git a/test/protocol2.profile b/test/protocol2.profile deleted file mode 100644 index b7eb4ab91..000000000 --- a/test/protocol2.profile +++ /dev/null @@ -1 +0,0 @@ -protocol inet6,packet diff --git a/test/seccomp-bad-empty.exp b/test/seccomp-bad-empty.exp deleted file mode 100755 index 631d67743..000000000 --- a/test/seccomp-bad-empty.exp +++ /dev/null @@ -1,38 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --seccomp=\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Error: empty syscall lists are not allowed" -} - -send -- "firejail --seccomp.drop=\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Error: empty syscall lists are not allowed" -} - -send -- "firejail --seccomp.keep=\r" -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Error: empty syscall lists are not allowed" -} - -send -- "firejail --profile=seccomp-bad-empty.profile\r" -expect { - timeout {puts "TESTING ERROR 6\n";exit} - "Error: line 1 in seccomp-bad-empty.profile is invalid" -} - -send -- "firejail --profile=seccomp-bad-empty2.profile\r" -expect { - timeout {puts "TESTING ERROR 7\n";exit} - "Error: line 1 in seccomp-bad-empty2.profile is invalid" -} -sleep 1 -puts "\nall done\n" - diff --git a/test/seccomp-bad-empty.profile b/test/seccomp-bad-empty.profile deleted file mode 100644 index 2d4fcde7c..000000000 --- a/test/seccomp-bad-empty.profile +++ /dev/null @@ -1 +0,0 @@ -seccomp.drop diff --git a/test/seccomp-bad-empty2.profile b/test/seccomp-bad-empty2.profile deleted file mode 100644 index c4e6c9f74..000000000 --- a/test/seccomp-bad-empty2.profile +++ /dev/null @@ -1 +0,0 @@ -seccomp.keep diff --git a/test/seccomp-chmod-profile.exp b/test/seccomp-chmod-profile.exp deleted file mode 100755 index 098328cea..000000000 --- a/test/seccomp-chmod-profile.exp +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --profile=seccomp.profile --private\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "touch testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "ls -l testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "testfile" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "chmod +x testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Bad system call" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - - -send -- "exit\r" -sleep 1 -puts "\n" diff --git a/test/seccomp-chmod.exp b/test/seccomp-chmod.exp deleted file mode 100755 index b4a213206..000000000 --- a/test/seccomp-chmod.exp +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --seccomp=chmod,fchmod,fchmodat --private\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "touch testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "ls -l testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "testfile" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "chmod +x testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Bad system call" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - - -send -- "exit\r" -sleep 1 -puts "\n" diff --git a/test/seccomp-chown.exp b/test/seccomp-chown.exp deleted file mode 100755 index 69b896700..000000000 --- a/test/seccomp-chown.exp +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --seccomp=chown,fchown,fchownat,lchown --private\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "touch testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "ls -l testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "testfile" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - -send -- "chown netblue:netblue testfile;pwd\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "Bad system call" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "/root" {puts "running as root"} - "/home" -} - - -send -- "exit\r" -sleep 1 -puts "\n" diff --git a/test/seccomp-debug.exp b/test/seccomp-debug.exp deleted file mode 100755 index 1034f040e..000000000 --- a/test/seccomp-debug.exp +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --seccomp --debug\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "SECCOMP Filter" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "BLACKLIST" -} -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "open_by_handle_at" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "Child process initialized" -} -sleep 2 - -send -- "exit\r" -after 100 -puts "all done\n" diff --git a/test/seccomp-dualfilter.exp b/test/seccomp-dualfilter.exp deleted file mode 100755 index afdf8a53a..000000000 --- a/test/seccomp-dualfilter.exp +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail ../src/tools/syscall_test mount\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "before mount" -} -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "after mount" {puts "TESTING ERROR 2.1\n";exit} - "Parent is shutting down" -} -sleep 1 - -send -- "firejail ../src/tools/syscall_test32 mount\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" -} -expect { - timeout {puts "TESTING ERROR 4\n";exit} - "before mount" -} -expect { - timeout {puts "TESTING ERROR 5\n";exit} - "after mount" {puts "TESTING ERROR 5.1\n";exit} - "Parent is shutting down" -} - -puts "\nall done\n" diff --git a/test/seccomp-empty.exp b/test/seccomp-empty.exp deleted file mode 100755 index 11abf2e00..000000000 --- a/test/seccomp-empty.exp +++ /dev/null 
@@ -1,145 +0,0 @@ -#!/usr/bin/expect -f - -set timeout 10 -spawn $env(SHELL) -match_max 100000 - -send -- "firejail --debug --seccomp=chmod,fchmod,fchmodat --private\r" -expect { - timeout {puts "TESTING ERROR 0\n";exit} - "VALIDATE_ARCHITECTURE" -} -expect { - timeout {puts "TESTING ERROR 0.1\n";exit} - "mount" -} -expect { - timeout {puts "TESTING ERROR 0.2\n";exit} - "ptrace" -} -expect { - timeout {puts "TESTING ERROR 0.3\n";exit} - "chmod" -} -expect { - timeout {puts "TESTING ERROR 0.4\n";exit} - "fchmod" -} -expect { - timeout {puts "TESTING ERROR 0.5\n";exit} - "fchmodat" -} -expect { - timeout {puts "TESTING ERROR 0.6\n";exit} - "RETURN_ALLOW" -} -expect { - timeout {puts "TESTING ERROR 0.7\n";exit} - "Child process initialized" -} -sleep 2 -send -- "exit\r" -sleep 3 -puts "\n" - -send -- "firejail --debug --seccomp.drop=chmod,fchmod,fchmodat --private\r" -expect { - timeout {puts "TESTING ERROR 1\n";exit} - "VALIDATE_ARCHITECTURE" -} -expect { - timeout {puts "TESTING ERROR 1.1\n";exit} - "mount" {puts "TESTING ERROR 1.2\n";exit} - "ptrace" {puts "TESTING ERROR 1.3\n";exit} - "chmod" -} -expect { - timeout {puts "TESTING ERROR 1.4\n";exit} - "fchmod" -} -expect { - timeout {puts "TESTING ERROR 1.5\n";exit} - "fchmodat" -} -expect { - timeout {puts "TESTING ERROR 1.6\n";exit} - "RETURN_ALLOW" -} -expect { - timeout {puts "TESTING ERROR 1.7\n";exit} - "Child process initialized" -} -sleep 2 -send -- "exit\r" -puts "\n" - -sleep 2 -send -- "firejail --debug --profile=seccomp.profile --private\r" -expect { - timeout {puts "TESTING ERROR 2\n";exit} - "VALIDATE_ARCHITECTURE" -} -expect { - timeout {puts "TESTING ERROR 2.1\n";exit} - "mount" -} -expect { - timeout {puts "TESTING ERROR 2.2\n";exit} - "ptrace" -} -expect { - timeout {puts "TESTING ERROR 2.3\n";exit} - "chmod" -} -expect { - timeout {puts "TESTING ERROR 2.4\n";exit} - "fchmod" -} -expect { - timeout {puts "TESTING ERROR 2.5\n";exit} - "fchmodat" -} -expect { - timeout {puts "TESTING ERROR 
2.6\n";exit} - "RETURN_ALLOW" -} -expect { - timeout {puts "TESTING ERROR 2.7\n";exit} - "Child process initialized" -} -sleep 2 -send -- "exit\r" -sleep 3 -puts "\n" - -send -- "firejail --debug --profile=seccomp-empty.profile --private\r" -expect { - timeout {puts "TESTING ERROR 3\n";exit} - "VALIDATE_ARCHITECTURE" -} -expect { - timeout {puts "TESTING ERROR 3.1\n";exit} - "mount" {puts "TESTING ERROR 3.2\n";exit} - "ptrace" {puts "TESTING ERROR 3.3\n";exit} - "chmod" -} -expect { - timeout {puts "TESTING ERROR 3.4\n";exit} - "fchmod" -} -expect { - timeout {puts "TESTING ERROR 3.5\n";exit} - "fchmodat" -} -expect { - timeout {puts "TESTING ERROR 3.6\n";exit} - "RETURN_ALLOW" -} -expect { - timeout {puts "TESTING ERROR 3.7\n";exit} - "Child process initialized" -} -sleep 2 -send -- "exit\r" -puts "\n" - diff --git a/test/seccomp-empty.profile b/test/seccomp-empty.profile deleted file mode 100644 index 8f71f55a5..000000000 --- a/test/seccomp-empty.profile +++ /dev/null @@ -1 +0,0 @@ -seccomp.drop chmod,fchmod,fchmodat diff --git a/test/seccomp-errno.exp b/test/seccomp-errno.exp deleted file mode 100755 index e6678ab8f..000000000 --- a/test/seccomp-errno.exp +++ /dev/null 
@@ -1,87 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "touch seccomp-test-file\r"
-sleep 1
-
-send -- "firejail --seccomp.enoent=unlinkat rm seccomp-test-file\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "No such file or directory"
-}
-sleep 1
-
-send -- "firejail --seccomp.enoent=unlinkat --debug rm seccomp-test-file\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "unlinkat 2 ENOENT"
-}
-sleep 1
-
-send -- "firejail --seccomp.enoent=unlinkat,mkdir\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "Child process initialized"
-}
-sleep 1
-send -- "rm seccomp-test-file\r"
-expect {
- timeout {puts "TESTING ERROR 3\n";exit}
- "No such file or directory"
-}
-after 100
-puts "\n"
-
-send -- "mkdir seccomp-test-dir\r"
-expect {
- timeout {puts "TESTING ERROR 4\n";exit}
- "No such file or directory"
-}
-after 100
-puts "\n"
-
-send -- "exit\r"
-sleep 1
-
-
-send -- "firejail --seccomp.enoent=unlinkat --seccomp.enoent=mkdir\r"
-expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "errno enoent already configured"
-}
-sleep 1
-
-send -- "firejail --seccomp.enoent=unlinkat --seccomp.eperm=mkdir\r"
-expect {
- timeout {puts "TESTING ERROR 6\n";exit}
- "Child process initialized"
-}
-sleep 1
-send -- "rm seccomp-test-file\r"
-expect {
- timeout {puts "TESTING ERROR 7\n";exit}
- "No such file or directory"
-}
-after 100
-puts "\n"
-
-send -- "mkdir seccomp-test-dir\r"
-expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "Operation not permitted"
-}
-after 100
-puts "\n"
-
-send -- "exit\r"
-sleep 1
-
-
-
-
-send -- "rm seccomp-test-file\r"
-sleep 1
-puts "all done\n"
diff --git a/test/seccomp-ptrace.exp b/test/seccomp-ptrace.exp
deleted file mode 100755
index 9a9b7430e..000000000
--- a/test/seccomp-ptrace.exp
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --noprofile --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-send -- "strace ls\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Bad system call" {puts "version 1\n";}
- " unexpected signal 31" {puts "version 2\n"}
-}
-
-send -- "exit\r"
-sleep 1
-puts "all done\n"
diff --git a/test/seccomp-su.exp b/test/seccomp-su.exp
deleted file mode 100755
index dcae6f869..000000000
--- a/test/seccomp-su.exp
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "firejail --noprofile --seccomp\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-send -- "sudo su -\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "effective uid is not 0"
-}
-
-send -- "sudo ls\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "effective uid is not 0"
-}
-
-send -- "ping google.com\r"
-expect {
- timeout {puts "TESTING ERROR 2\n";exit}
- "Operation not permitted"
-}
-
-send -- "exit\r"
-sleep 1
-puts "all done\n"
diff --git a/test/seccomp-umount.exp b/test/seccomp-umount.exp
deleted file mode 100755
index c0107a084..000000000
--- a/test/seccomp-umount.exp
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/expect -f
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-
-send -- "sudo ls; sudo whoami; sudo pwd\r"
-expect {
- timeout {puts "TESTING ERROR: you need to root run this test as root\n";exit}
- "root"
-}
-
-send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r"
-expect {
- timeout {puts "TESTING ERROR 0\n";exit}
- "Child process initialized"
-}
-sleep 2
-
-send -- "umount /proc\r"
-expect {
- timeout {puts "TESTING ERROR 1\n";exit}
- "Bad system call"
-}
-
-send -- "exit\r"
-sleep 1
-puts "\n"
diff --git a/test/seccomp.profile b/test/seccomp.profile
deleted file mode 100644
index cb0b15aee..000000000
--- a/test/seccomp.profile
+++ /dev/null
@@ -1 +0,0 @@
-seccomp chmod,fchmod,fchmodat
-- cgit v1.2.3-70-g09d2