#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2019 Firejail Authors
# License GPL v2

# Harness setup: each expect below waits at most 10 seconds, the match buffer
# is raised to 100000 bytes, and every command is typed into an interactive
# instance of the shell named by $SHELL.
# NOTE(review): the timeout handlers call a bare `exit`, which ends the script
# with status 0. A failure is therefore only visible as the
# "TESTING ERROR <n>" marker on stdout; the caller has to look for that marker
# rather than rely on the exit code.
set timeout 10
spawn $env(SHELL)
match_max 100000

# Default audit run. The report has to show, in this order: the audit banner,
# PID namespace isolation, the firejail container marker, an active seccomp
# filter, an empty capability set, and the /dev population check.
send -- "firejail --audit\r"
expect timeout {puts "TESTING ERROR 0\n"; exit} "Firejail Audit"
expect timeout {puts "TESTING ERROR 1\n"; exit} "is running in a PID namespace"
expect timeout {puts "TESTING ERROR 2\n"; exit} "container/sandbox firejail"
expect timeout {puts "TESTING ERROR 3\n"; exit} "seccomp BPF enabled"
expect timeout {puts "TESTING ERROR 4\n"; exit} "all capabilities are disabled"
expect timeout {puts "TESTING ERROR 5\n"; exit} "dev directory seems to be fully populated"

# Short pause so the shell can settle before the next command is typed.
after 100


# Second audit run with exactly the same command line and the same six
# expectations as the run before it (error ids 6-11).
# NOTE(review): presumably this guards against state left behind by the first
# sandbox; if a different option set was intended here, the command line needs
# to be changed -- confirm with the test's author.
send -- "firejail --audit\r"
expect timeout {puts "TESTING ERROR 6\n"; exit} "Firejail Audit"
expect timeout {puts "TESTING ERROR 7\n"; exit} "is running in a PID namespace"
expect timeout {puts "TESTING ERROR 8\n"; exit} "container/sandbox firejail"
expect timeout {puts "TESTING ERROR 9\n"; exit} "seccomp BPF enabled"
expect timeout {puts "TESTING ERROR 10\n"; exit} "all capabilities are disabled"
expect timeout {puts "TESTING ERROR 11\n"; exit} "dev directory seems to be fully populated"

# Short pause before the next command.
after 100

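# Argument validation for --audit=<program>. The value names the audit program
# firejail is asked to run, so a bad value has to be refused with an explicit
# error instead of being ignored or falling back silently.

# Case 1: a program name that cannot be resolved.
send -- "firejail --audit=blablabla\r"
expect {
	timeout {puts "TESTING ERROR 12\n";exit}
	"cannot find the audit program"
}
after 100

# Case 2: an empty program name.
# This step used to report "TESTING ERROR 12" as well, which made a failure
# here indistinguishable from a failure in case 1. It now has its own id; the
# later ids are left untouched so existing references to them stay valid.
send -- "firejail --audit=\r"
expect {
	timeout {puts "TESTING ERROR 12.1\n";exit}
	"invalid audit program"
}
after 100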

# Negative control: run the audit executable directly, outside any sandbox.
# The tool has to report the missing protections (no PID namespace, seccomp
# off, a non-empty capability map). Without this step the "GOOD"/"enabled"
# results of the sandboxed runs would not show that the tool can tell the
# difference.
# NOTE(review): assumes `faudit` is reachable through PATH in the spawned
# shell -- confirm against the test environment. The capability pattern stops
# at "is", presumably because the value printed after it varies per system.
send -- "faudit\r"
expect timeout {puts "TESTING ERROR 13\n"; exit} "is not running in a PID namespace"
expect timeout {puts "TESTING ERROR 14\n"; exit} "BAD: seccomp disabled"
expect timeout {puts "TESTING ERROR 15\n"; exit} "BAD: the capability map is"
expect timeout {puts "TESTING ERROR 16\n"; exit} "MAYBE: /dev directory seems to be fully populated"

# Short pause before the next command.
after 100

# Seccomp audit with a custom drop list that contains only mkdir.
# The filter is reported as enabled, yet every syscall checked below is
# expected to be flagged "UGLY: ... permitted". In other words, this test pins
# the behaviour that --seccomp.drop=<list> filters only the listed syscalls
# and does not add them on top of a broader default list. Capabilities are
# still expected to be fully dropped.
# The patterns are consumed in order, so the report has to list the syscalls
# in exactly this sequence.
send -- "firejail --seccomp.drop=mkdir --audit\r"
expect timeout {puts "TESTING ERROR 17\n"; exit} "Firejail Audit"
expect timeout {puts "TESTING ERROR 18\n"; exit} "GOOD: seccomp BPF enabled"

# Filesystem mounting and process tracing.
expect timeout {puts "TESTING ERROR 19\n"; exit} "UGLY: mount syscall permitted"
expect timeout {puts "TESTING ERROR 20\n"; exit} "UGLY: umount2 syscall permitted"
expect timeout {puts "TESTING ERROR 21\n"; exit} "UGLY: ptrace syscall permitted"

# Swap control.
expect timeout {puts "TESTING ERROR 22\n"; exit} "UGLY: swapon syscall permitted"
expect timeout {puts "TESTING ERROR 23\n"; exit} "UGLY: swapoff syscall permitted"

# Kernel module loading and unloading.
expect timeout {puts "TESTING ERROR 24\n"; exit} "UGLY: init_module syscall permitted"
expect timeout {puts "TESTING ERROR 25\n"; exit} "UGLY: delete_module syscall permitted"

# Root directory changes.
expect timeout {puts "TESTING ERROR 26\n"; exit} "UGLY: chroot syscall permitted"
expect timeout {puts "TESTING ERROR 27\n"; exit} "UGLY: pivot_root syscall permitted"

# I/O port privileges.
expect timeout {puts "TESTING ERROR 28\n"; exit} "UGLY: iopl syscall permitted"
expect timeout {puts "TESTING ERROR 29\n"; exit} "UGLY: ioperm syscall permitted"

# The capability check is independent of the seccomp drop list.
expect timeout {puts "TESTING ERROR 30\n"; exit} "GOOD: all capabilities are disabled"
after 100

# Reached only when no expectation above timed out.
puts "\nall done\n"