#!/usr/bin/expect -f # This file is part of Firejail project # Copyright (C) 2014-2018 Firejail Authors # License GPL v2 set timeout 10 spawn $env(SHELL) match_max 100000 send -- "firejail --audit\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Firejail Audit" } expect { timeout {puts "TESTING ERROR 1\n";exit} "is running in a PID namespace" } expect { timeout {puts "TESTING ERROR 2\n";exit} "container/sandbox firejail" } expect { timeout {puts "TESTING ERROR 3\n";exit} "seccomp BPF enabled" } expect { timeout {puts "TESTING ERROR 4\n";exit} "all capabilities are disabled" } expect { timeout {puts "TESTING ERROR 5\n";exit} "dev directory seems to be fully populated" } after 100 send -- "firejail --audit\r" expect { timeout {puts "TESTING ERROR 6\n";exit} "Firejail Audit" } expect { timeout {puts "TESTING ERROR 7\n";exit} "is running in a PID namespace" } expect { timeout {puts "TESTING ERROR 8\n";exit} "container/sandbox firejail" } expect { timeout {puts "TESTING ERROR 9\n";exit} "seccomp BPF enabled" } expect { timeout {puts "TESTING ERROR 10\n";exit} "all capabilities are disabled" } expect { timeout {puts "TESTING ERROR 11\n";exit} "dev directory seems to be fully populated" } after 100 send -- "firejail --audit=blablabla\r" expect { timeout {puts "TESTING ERROR 12\n";exit} "cannot find the audit program" } after 100 send -- "firejail --audit=\r" expect { timeout {puts "TESTING ERROR 12\n";exit} "invalid audit program" } after 100 # run audit executable without a sandbox send -- "faudit\r" expect { timeout {puts "TESTING ERROR 13\n";exit} "is not running in a PID namespace" } expect { timeout {puts "TESTING ERROR 14\n";exit} "BAD: seccomp disabled" } expect { timeout {puts "TESTING ERROR 15\n";exit} "BAD: the capability map is" } expect { timeout {puts "TESTING ERROR 16\n";exit} "MAYBE: /dev directory seems to be fully populated" } after 100 # test seccomp send -- "firejail --seccomp.drop=mkdir --audit\r" expect { timeout {puts "TESTING ERROR 17\n";exit} "Firejail Audit" } expect { timeout {puts "TESTING ERROR 18\n";exit} "GOOD: seccomp BPF enabled" } expect { timeout {puts "TESTING ERROR 19\n";exit} "UGLY: mount syscall permitted" } expect { timeout {puts "TESTING ERROR 20\n";exit} "UGLY: umount2 syscall permitted" } expect { timeout {puts "TESTING ERROR 21\n";exit} "UGLY: ptrace syscall permitted" } expect { timeout {puts "TESTING ERROR 22\n";exit} "UGLY: swapon syscall permitted" } expect { timeout {puts "TESTING ERROR 23\n";exit} "UGLY: swapoff syscall permitted" } expect { timeout {puts "TESTING ERROR 24\n";exit} "UGLY: init_module syscall permitted" } expect { timeout {puts "TESTING ERROR 25\n";exit} "UGLY: delete_module syscall permitted" } expect { timeout {puts "TESTING ERROR 26\n";exit} "UGLY: chroot syscall permitted" } expect { timeout {puts "TESTING ERROR 27\n";exit} "UGLY: pivot_root syscall permitted" } expect { timeout {puts "TESTING ERROR 28\n";exit} "UGLY: iopl syscall permitted" } expect { timeout {puts "TESTING ERROR 29\n";exit} "UGLY: ioperm syscall permitted" } expect { timeout {puts "TESTING ERROR 30\n";exit} "GOOD: all capabilities are disabled" } after 100 puts "\nall done\n"