github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

test apparmor

Browse source
This commit is contained in:
netblue30 2023-03-04 11:48:00 -05:00
parent 295a207490
commit 1bab42a724
6 changed files with 94 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/build.yml vendored
View file

@ -73,6 +73,8 @@ jobs:
run: SHELL=/bin/bash make lab-setup
- name: run firecfg tests
run: SHELL=/bin/bash make test-firecfg
- name: run apparmor tests
run: SHELL=/bin/bash make test-apparmor
- name: run network tests
run: SHELL=/bin/bash make test-network
- name: run appimage tests

26
test/apparmor/apparmor-norun.exp Executable file
View file

@ -0,0 +1,26 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# start a bash session
send -- "firejail --apparmor\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
# ... and try to run a local program
send -- "./a.out --help\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"Usage: ./a.out" {puts "TESTING ERROR 2\n";exit}
"denied"
}
after 500
puts "\nall done\n"

26
test/apparmor/apparmor-run.exp Executable file
View file

@ -0,0 +1,26 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# start a bash session
send -- "firejail --apparmor=test-profile\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
# ... and try to run a local program
send -- "./a.out --help\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"denied" {puts "TESTING ERROR 2\n";exit}
"Usage: ./a.out"
}
after 500
puts "\nall done\n"

2
test/apparmor/apparmor.exp
View file

@ -54,6 +54,6 @@ expect {
timeout {puts "TESTING ERROR 7\n";exit}
"AppArmor: firejail-default//&unconfined enforce"
}
after 100
after 500
puts "\nall done\n"

36
test/apparmor/apparmor.sh Executable file
View file

@ -0,0 +1,36 @@
#!/bin/bash
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
export LC_ALL=C
# sudo /usr/sbin/apparmor_parser -r /etc/apparmor.d/firejail-default
if [[ -f /sys/kernel/security/apparmor/profiles ]]; then
# setup
cp test-profile /tmp/.
sudo /usr/sbin/apparmor_parser -r /tmp/test-profile
cp /usr/bin/pwd a.out
echo "TESTING: apparmor firemon (test/filters/apparmor.exp)"
./apparmor.exp
echo "TESTING: apparmor norun test (test/filters/apparmor-norun.exp)"
./apparmor-norun.exp
echo "TESTING: apparmor run test (test/filters/apparmor-run.exp)"
./apparmor-run.exp
# cleanup
rm -f a.out
sudo /usr/sbin/apparmor_parser -R /tmp/test-profile
else
echo "TESTING SKIP: no apparmor support in Linux kernel (test/filters/apparmor.exp)"
fi

3
test/apparmor/test-profile Normal file
View file

@ -0,0 +1,3 @@
profile test-profile flags=(attach_disconnected,mediate_deleted) {
/{,**} rklmwix,
}