mainline merge: test caps join, testing seccomp/join

This commit is contained in:
netblue30 2019-01-09 09:46:48 -05:00
parent 6fc51f43e8
commit 2e8a13800a
3 changed files with 266 additions and 2 deletions

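--- /dev/null
+++ b/test/filters/caps-join.exp
@@ -0,0 +1,96 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+set timeout 10
+match_max 100000
+spawn $env(SHELL)
+set id1 $spawn_id
+spawn $env(SHELL)
+set id2 $spawn_id
+send -- "stty -echo\r"
+after 100
+#
+# regular run
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+set spawn_id $id2
+send -- "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"CapBnd: 0000000000000000"
+}
+sleep 1
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# no caps
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting --noprofile\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"Child process initialized"
+}
+sleep 1
+set spawn_id $id2
+send -- "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"CapBnd:"
+}
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
+"fffffffff"
+}
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"CapAmb:"
+}
+sleep 1
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# no caps
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting --noprofile --caps.keep=chown,fowner\r"
+expect {
+timeout {puts "TESTING ERROR20\n";exit}
+"Child process initialized"
+}
+sleep 1
+set spawn_id $id2
+send -- "firejail --join=jointesting cat /proc/self/status\r"
+expect {
+timeout {puts "TESTING ERROR 21\n";exit}
+"CapBnd: 0000000000000009"
+}
+sleep 1
+set spawn_id $id1
+send -- "exit\r"
+after 100
+puts "all done\n"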
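Review bot: The header comment above the third case, `# no caps`, is copied from the second case and misdescribes what that case runs, which is `--caps.keep=chown,fowner` with the join expected to report `CapBnd: 0000000000000009` (bits 0 and 3, CAP_CHOWN and CAP_FOWNER); change it to `# caps.keep`, and write that case's error label as `TESTING ERROR 20` so it matches the spacing used by every other label in the file. The second case only matches the trailing `fffffffff` of CapBnd rather than an exact value like the first and third cases, so a one-line comment above that expect stating that the match is deliberately loose because the printed width of CapBnd depends on the kernel's capability count would stop the next reader from tightening it. The file has no statement of purpose beyond the license header; a comment such as `# Verify that a process entering the sandbox with --join gets the sandbox's capability bounding set, not the caller's.` would document what the three cases establish.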


@ -12,7 +12,6 @@ if [ -f /etc/debian_version ]; then
fi
export PATH="$PATH:/usr/lib/firejail:/usr/lib64/firejail"
if [ -f /sys/kernel/security/apparmor/profiles ]; then
echo "TESTING: apparmor (test/filters/apparmor.exp)"
./apparmor.exp
@ -42,7 +41,7 @@ echo "TESTING: seccomp postexec (test/filters/seccomp-postexec.exp)"
echo "TESTING: noroot (test/filters/noroot.exp)"
./noroot.exp
echo "TESTING: capabilities (test/filters/caps.exp)"
if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status; then
echo "TESTING: capabilities (test/filters/caps.exp)"
./caps.exp
@ -53,6 +52,9 @@ fi
echo "TESTING: capabilities print (test/filters/caps-print.exp)"
./caps-print.exp
echo "TESTING: capabilities join (test/filters/caps-join.exp)"
./caps-join.exp
rm -f seccomp-test-file
if [ "$(uname -m)" = "x86_64" ]; then
echo "TESTING: fseccomp (test/filters/fseccomp.exp)"
@ -114,3 +116,10 @@ if [ "$(uname -m)" = "x86_64" ]; then
else
echo "TESTING SKIP: seccomp dual, not running on x86_64"
fi
if [ "$(uname -m)" = "x86_64" ]; then
echo "TESTING: seccomp join (test/filters/seccomp-join.exp)"
./seccomp-join.exp
else
echo "TESTING SKIP: seccomp join test implemented only for x86_64"
fi
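Review bot: `./caps-join.exp` in the third hunk runs unconditionally, while `./caps.exp` in the second hunk is only run when the host's own bounding set is the full `0000003fffffffff`; caps-join.exp's `--noprofile` case expects the joined process to show an `fffffffff` bounding set, so on a runner whose own CapBnd is already reduced (a container, a hardened CI host) it would fail for a host reason rather than a firejail one. Move the two new lines under the same `if grep -q "^CapBnd:\\s0000003fffffffff" /proc/self/status` guard, with a `TESTING SKIP: capabilities join, bounding set reduced on host` message in the else branch, as the new seccomp-join block at the end of the file already does for the architecture check. The `if` opened in the second hunk closes outside that hunk, so the exact placement depends on lines not shown here.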

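--- /dev/null
+++ b/test/filters/seccomp-join.exp
@@ -0,0 +1,159 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2018 Firejail Authors
+# License GPL v2
+set timeout 10
+match_max 100000
+spawn $env(SHELL)
+set id1 $spawn_id
+spawn $env(SHELL)
+set id2 $spawn_id
+send -- "stty -echo\r"
+after 100
+#
+# regular run
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting --debug\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+set spawn_id $id2
+send -- "firejail --debug --join=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Installing /run/firejail/mnt/seccomp.32 seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# block secondary
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting --seccomp.block-secondary --debug\r"
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 12\n";exit}
+"Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+set spawn_id $id2
+send -- "firejail --debug --join=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 14\n";exit}
+"Installing /run/firejail/mnt/seccomp seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 15\n";exit}
+"Installing /run/firejail/mnt/seccomp.block_secondary seccomp filter"
+}
+expect {
+timeout {puts "TESTING ERROR 16\n";exit}
+"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# protocol
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting --noprofile --protocol=inet --debug\r"
+expect {
+timeout {puts "TESTING ERROR 22\n";exit}
+"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+set spawn_id $id2
+send -- "firejail --debug --join=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 23\n";exit}
+"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 24\n";exit}
+"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 25\n";exit}
+"Installing /run/firejail/mnt/seccomp.protocol seccomp filter"
+}
+sleep 1
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+#
+# memory deny write execute
+#
+set spawn_id $id1
+send -- "firejail --name=jointesting --noprofile --memory-deny-write-execute --debug\r"
+expect {
+timeout {puts "TESTING ERROR 32\n";exit}
+"Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+}
+sleep 1
+set spawn_id $id2
+send -- "firejail --debug --join=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 33\n";exit}
+"Installing /run/firejail/mnt/seccomp seccomp filter" {puts "TESTING ERROR 34\n";exit}
+"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 35\n";exit}
+"Installing /run/firejail/mnt/seccomp.protocol seccomp filter" {puts "TESTING ERROR 36\n";exit}
+"Installing /run/firejail/mnt/seccomp.mdwx seccomp filter"
+}
+sleep 1
+send -- "exit\r"
+after 100
+set spawn_id $id1
+send -- "exit\r"
+after 100
+puts "all done\n"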
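Review bot: In the block-secondary case the sandbox-side expect fails with `TESTING ERROR 12` if the `seccomp.32` filter is installed, but the join-side expect that follows (`TESTING ERROR 15`) only waits for `seccomp.block_secondary`, so a join that also installed the 32-bit filter would pass unnoticed even though it is the join side this test exists to check; add the same alternative there, `"Installing /run/firejail/mnt/seccomp.32 seccomp filter" {puts "TESTING ERROR 17\n";exit}`, as the protocol and mdwx cases already do for the filters they expect to be absent. The regular-run and block-secondary cases start the sandbox without `--noprofile`, so their expected `seccomp` and `seccomp.32` installs presumably depend on the default profile shipped on the test host enabling seccomp; a comment above the first `send`, `# assumes the default profile enables seccomp`, would make that precondition visible. The file also lacks a statement of purpose; a header comment such as `# Verify that --join installs exactly the seccomp filters the sandbox was started with` would document what the four cases establish.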