From d3b6581db7fcd0fb0897ada9910140f0e43f4ed1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 29 Nov 2016 10:04:43 -0500 Subject: testing and cleanup --- test/environment/dns.exp | 27 ++++++++++- test/environment/dns.profile | 3 ++ test/fs/fs.sh | 3 ++ test/fs/whitelist-dev.exp | 47 +++++++++++++++++++ test/fs/whitelist.exp | 26 +++++------ test/network/ip6.exp | 40 ++++++++++++++++ test/network/ip6.profile | 3 ++ test/network/iprange.exp | 103 +++++++++++++++++++++++++++++++++++++++++ test/network/iprange.profile | 2 + test/network/network.sh | 6 +++ test/network/veth-name.exp | 77 ++++++++++++++++++++++++++++++ test/network/veth-name.profile | 3 ++ test/root/root.sh | 3 ++ test/root/whitelist-mnt.exp | 86 ++++++++++++++++++++++++++++++++++ 14 files changed, 414 insertions(+), 15 deletions(-) create mode 100644 test/environment/dns.profile create mode 100755 test/fs/whitelist-dev.exp create mode 100644 test/network/ip6.profile create mode 100755 test/network/iprange.exp create mode 100644 test/network/iprange.profile create mode 100755 test/network/veth-name.exp create mode 100644 test/network/veth-name.profile create mode 100755 test/root/whitelist-mnt.exp (limited to 'test') diff --git a/test/environment/dns.exp b/test/environment/dns.exp index 40403aade..d00e9fb94 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp 
@@ -26,10 +26,33 @@ expect { } after 100 send -- "exit\r" -after 100 +sleep 1 + +send -- "firejail --profile=dns.profile\r" +expect { + timeout {puts "TESTING ERROR 12.1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "cat /etc/resolv.conf\r" +expect { + timeout {puts "TESTING ERROR 12.2\n";exit} + "nameserver 8.8.4.4" +} +expect { + timeout {puts "TESTING ERROR 12.3\n";exit} + "nameserver 8.8.8.8" +} +expect { + timeout {puts "TESTING ERROR 12.4\n";exit} + "nameserver 4.2.2.1" +} +after 100 +send -- "exit\r" +sleep 1 -# no chroot send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" expect { timeout {puts "TESTING ERROR 1.1\n";exit} diff --git a/test/environment/dns.profile b/test/environment/dns.profile new file mode 100644 index 000000000..d1b842c86 --- /dev/null +++ b/test/environment/dns.profile @@ -0,0 +1,3 @@ +dns 8.8.4.4 +dns 8.8.8.8 +dns 4.2.2.1 diff --git a/test/fs/fs.sh b/test/fs/fs.sh index d9a425661..611b62b09 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -88,6 +88,9 @@ echo "TESTING: double whitelist (test/fs/whitelist-double.exp)" echo "TESTING: whitelist (test/fs/whitelist.exp)" ./whitelist.exp +echo "TESTING: whitelist dev, var(test/fs/whitelist-dev.exp)" +./whitelist-dev.exp + echo "TESTING: fscheck --bind non root (test/fs/fscheck-bindnoroot.exp)" ./fscheck-bindnoroot.exp diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp new file mode 100755 index 000000000..a19d5cedf --- /dev/null +++ b/test/fs/whitelist-dev.exp 
@@ -0,0 +1,47 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --whitelist=/dev/null --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l /dev | find /dev | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} +after 100 +send -- "exit\r" +sleep 1 + +send -- "firejail --whitelist=/var/tmp --debug\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l /dev | find /dev | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "2" +} +after 100 +send -- "exit\r" +sleep 1 + + + + +after 100 +puts "\nall done\n" + diff --git a/test/fs/whitelist.exp b/test/fs/whitelist.exp index 9a9a0f353..9b631b884 100755 --- a/test/fs/whitelist.exp +++ b/test/fs/whitelist.exp @@ -36,7 +36,7 @@ after 200 send -- "ln -s ~/fjtest-dir ~/fjtest-dir-lnk\r" after 200 -send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir\r" +send -- "firejail --whitelist=~/fjtest-file --whitelist=~/fjtest-dir --debug\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" @@ -49,19 +49,19 @@ expect { "2" } -send -- "cat fjtest-file\r" +send -- "cat ~/fjtest-file\r" expect { timeout {puts "TESTING ERROR 2\n";exit} "123" } -send -- "cat fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 3\n";exit} "123" } -send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "123" @@ -86,7 +86,7 @@ expect { "1" } -send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 12\n";exit} "123" 
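Review bot: The second sandbox in whitelist-dev.exp is started with `--whitelist=/var/tmp` but then runs the same `ls -l /dev | find /dev | wc -l` probe as the first case and expects "2" again, so the /var whitelist that fs.sh announces ("whitelist dev, var") is never actually exercised; the probe should look at the whitelisted tree, e.g. `send -- "find /var | wc -l\r"` with the count that tree is expected to yield. The `ls -l /dev |` prefix is dead input, since find ignores stdin. A bare `"2"` pattern also matches any count that merely contains a 2 (12, 20, …), so a line-anchored pattern would make the check meaningful. Both cases reuse error labels 0 and 1, so a failure report does not say which of the two sandboxes failed.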
@@ -111,37 +111,37 @@ expect { "4" } -send -- "cat fjtest-file\r" +send -- "cat ~/fjtest-file\r" expect { timeout {puts "TESTING ERROR 22\n";exit} "123" } -send -- "cat fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 23\n";exit} "123" } -send -- "cat fjtest-dir/fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 24\n";exit} "123" } -send -- "cat fjtest-file-lnk\r" +send -- "cat ~/fjtest-file-lnk\r" expect { timeout {puts "TESTING ERROR 25\n";exit} "123" } -send -- "cat fjtest-dir-lnk/fjtest-file\r" +send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" expect { timeout {puts "TESTING ERROR 26\n";exit} "123" } -send -- "cat fjtest-dir-lnk/fjtest-dir/fjtest-file\r" +send -- "cat ~/fjtest-dir-lnk/fjtest-dir/fjtest-file\r" expect { timeout {puts "TESTING ERROR 27\n";exit} "123" @@ -193,13 +193,13 @@ expect { "2" } -send -- "cat fjtest-file-lnk\r" +send -- "cat ~/fjtest-file-lnk\r" expect { timeout {puts "TESTING ERROR 42\n";exit} "123" } -send -- "cat fjtest-dir-lnk/fjtest-file\r" +send -- "cat ~/fjtest-dir-lnk/fjtest-file\r" expect { timeout {puts "TESTING ERROR 43\n";exit} "123" diff --git a/test/network/ip6.exp b/test/network/ip6.exp index f0fcebcf8..1db16c28a 100755 --- a/test/network/ip6.exp +++ b/test/network/ip6.exp 
@@ -43,6 +43,46 @@ expect { } send -- "exit\r" +sleep 2 + + +send -- "firejail --debug --profile=ip6.profile\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "Installing network filter" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "DROP" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit} + "2001:db8:1f0a:3ec::2" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "Child process initialized" +} +sleep 2 + +send -- "/sbin/ifconfig\r" +expect { + timeout {puts "TESTING ERROR 14\n";exit} + "inet6" +} +expect { + timeout {puts "TESTING ERROR 15\n";exit} + "2001:db8:0:f101::1" +} +expect { + timeout {puts "TESTING ERROR 16\n";exit} + "Scope:Global" { puts "Debian\n"} + "scopeid 0x0" { puts "Arch\n"} +} + +send -- "exit\r" + after 100 puts "\nall done\n" diff --git a/test/network/ip6.profile b/test/network/ip6.profile new file mode 100644 index 000000000..87afa3941 --- /dev/null +++ b/test/network/ip6.profile @@ -0,0 +1,3 @@ +net br0 +ip6 2001:0db8:0:f101::1/64 +netfilter6 ipv6.net diff --git a/test/network/iprange.exp b/test/network/iprange.exp new file mode 100755 index 000000000..a1b2ccab4 --- /dev/null +++ b/test/network/iprange.exp 
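Review bot: The interface check after `Child process initialized` shells out to `/sbin/ifconfig` and keys on its output ("inet6", "Scope:Global" versus "scopeid 0x0"), so the test reports ERROR 14 on a host without net-tools at that path even when the `ip6` assignment worked; `ip -6 addr show` is present wherever iproute2 is, and the expected strings would then be `inet6 2001:db8:0:f101::1/64` and `scope global`. The "no IPv6 support" skip is only recognised in the third expect block; if the `unable to initialize table 'filter'` message is printed before the DROP rule is echoed, the script reports ERROR 11 instead of skipping — I cannot tell the output order from this hunk. The profile also references `netfilter6 ipv6.net`, which this commit does not add; worth confirming the file already exists in test/network.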
@@ -0,0 +1,103 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "eth0"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "10.10.30.50" {puts "10.10.30.50\n"}
+ "10.10.30.51" {puts "10.10.30.51\n"}
+ "10.10.30.52" {puts "10.10.30.52\n"}
+ "10.10.30.53" {puts "10.10.30.53\n"}
+ "10.10.30.54" {puts "10.10.30.54\n"}
+ "10.10.30.55" {puts "10.10.30.55\n"}
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "255.255.255.0"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 2
+
+send -- "firejail --profile=iprange.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "eth0"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "10.10.30.50" {puts "10.10.30.50\n"}
+ "10.10.30.51" {puts "10.10.30.51\n"}
+ "10.10.30.52" {puts "10.10.30.52\n"}
+ "10.10.30.53" {puts "10.10.30.53\n"}
+ "10.10.30.54" {puts "10.10.30.54\n"}
+ "10.10.30.55" {puts "10.10.30.55\n"}
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "255.255.255.0"
+}
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "Child process initialized"
+}
+sleep 1
+send -- "exit\r"
+sleep 2
+
+
+
+send -- "firejail --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "no network device configured"
+}
+after 100
+
+send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55 --iprange=10.10.30.50,10.10.30.55\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "cannot configure the IP range twice for the same interface"
+}
+after 100
+
+send -- "firejail --net=br1 --iprange=10.10.30.50\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "invalid IP range"
+}
+after 100
+
+send -- "firejail --net=br0 
--iprange=10.10.30.50,10.10.30.55\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "IP range addresses not in network range" +} +after 100 + +send -- "firejail --net=br1 --iprange=10.10.30.55,10.10.30.50\r" +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "invalid IP range" +} +after 100 + + +after 100 + +puts "\nall done\n" + diff --git a/test/network/iprange.profile b/test/network/iprange.profile new file mode 100644 index 000000000..ecc01cd93 --- /dev/null +++ b/test/network/iprange.profile @@ -0,0 +1,2 @@ +net br1 +iprange 10.10.30.50,10.10.30.55 diff --git a/test/network/network.sh b/test/network/network.sh index e1646d64a..bea5dfb26 100755 --- a/test/network/network.sh +++ b/test/network/network.sh @@ -78,6 +78,12 @@ echo "TESTING: veth (net_veth.exp)" echo "TESTING: netfilter (net_netfilter.exp)" ./net_netfilter.exp +echo "TESTING: iprange (iprange.exp)" +./iprange.exp + +echo "TESTING: veth-name (veth-name.exp)" +./veth-name.exp + echo "TESTING: 4 bridges ARP (4bridges_arp.exp)" ./4bridges_arp.exp diff --git a/test/network/veth-name.exp b/test/network/veth-name.exp new file mode 100755 index 000000000..36ed41d92 --- /dev/null +++ b/test/network/veth-name.exp 
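Review bot: `TESTING ERROR 12` is used twice in iprange.exp — for the `--net=br0` out-of-range case and again for the reversed-range `--iprange=10.10.30.55,10.10.30.50` case — so a failure report cannot tell the two apart; the second should read `timeout {puts "TESTING ERROR 12\n";exit}` → `timeout {puts "TESTING ERROR 13\n";exit}`. The br0 case only produces "IP range addresses not in network range" if br0's subnet does not contain 10.10.30.x, which depends on the suite's bridge setup that I cannot see from this hunk. The first two cases print whichever of the six addresses was assigned but never check it against the range bounds, which is fine as a smoke test but worth a one-line comment saying so.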
@@ -0,0 +1,77 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+#
+send -- "firejail --net=br1 --ip=10.10.30.50 --veth-name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "eth0"
+}
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "10.10.30.50"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "255.255.255.0"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "ip link show\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "blablabla"
+}
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "master br1 state UP"
+}
+sleep 1
+
+
+send -- "firejail --profile=veth-name.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "eth0"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "10.10.60.51"
+}
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "255.255.255.0"
+}
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+spawn $env(SHELL)
+send -- "ip link show\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "bingo"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "master br4 state UP"
+}
+sleep 1
+
+
+after 100
+puts "\nall done\n"
+
diff --git a/test/network/veth-name.profile b/test/network/veth-name.profile
new file mode 100644
index 000000000..f00a74d63
--- /dev/null
+++ b/test/network/veth-name.profile
@@ -0,0 +1,3 @@
+net br4
+ip 10.10.60.51
+veth-name bingo
diff --git a/test/root/root.sh b/test/root/root.sh
index 494bd4fe7..01c372f68 100755
--- a/test/root/root.sh
+++ b/test/root/root.sh
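Review bot: Neither sandbox started in veth-name.exp is ever exited: each `spawn $env(SHELL)` switches `spawn_id` to the new shell, so the first firejail session (and its `blablabla` veth) is still up when the profile case is launched from the second shell, and all three shells are left running when the script ends. Record the sandbox id after the `Child process initialized` expect with `set sandbox $spawn_id`, and after the `ip link show` checks send `send -i $sandbox -- "exit\r"` so each case is torn down before the next. The profile case also depends on a `br4` bridge existing on the host, which the suite setup visible here does not show; if it is not provided, ERROR 6 fires for reasons unrelated to `--veth-name`. The lone `#` comment line above the first `send` should either say what the case checks or be dropped.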
@@ -53,6 +53,9 @@ fi echo "TESTING: fs private (test/root/private.exp)" ./private.exp +echo "TESTING: fs whitelist mnt, opt, media(test/root/whitelist-mnt.exp)" +./whitelist-mnt.exp + #******************************** # seccomp #******************************** diff --git a/test/root/whitelist-mnt.exp b/test/root/whitelist-mnt.exp new file mode 100755 index 000000000..58ae4fffc --- /dev/null +++ b/test/root/whitelist-mnt.exp 
@@ -0,0 +1,86 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "touch /mnt/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/mnt/firejail-test-file --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "find /mnt | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "2"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "touch /opt/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/opt/firejail-test-file --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "find /opt | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "2"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "touch /media/firejail-test-file\r"
+after 100
+send -- "firejail --whitelist=/media/firejail-test-file --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "find /media | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "2"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+send -- "firejail --whitelist=/var/run --whitelist=/var/lock --debug\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "find /var | wc -l\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ ""
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+
+after 100
+puts "\nall done\n"
+
-- cgit v1.2.3-54-g00ecf
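Review bot: The last check in whitelist-mnt.exp, the `expect { timeout {...} "" }` after `find /var | wc -l`, asserts nothing: an empty pattern matches immediately, so the `/var/run` + `/var/lock` whitelist case passes whatever the sandbox shows. Replace `""` with the line count that whitelisted tree is expected to produce, or drop the probe until one is known. The script also leaves `firejail-test-file` behind in /mnt, /opt and /media on the host (it is wired into root.sh, so presumably running as root); add `send -- "rm -f /mnt/firejail-test-file /opt/firejail-test-file /media/firejail-test-file\r"` before the final `puts`. Error labels 0 and 1 are reused by all four cases, so a failure cannot be attributed to a specific directory, and as in the other whitelist tests a bare `"2"` pattern also matches any count containing a 2.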