network testing; merges

netblue30 2023-03-02 10:34:03 -05:00
parent 61a7ddc5e5
commit 336ecb5d65
43 changed files with 74 additions and 2304 deletions

4
README

@ -701,7 +701,7 @@ Liorst4 (https://github.com/Liorst4)
Lockdis (https://github.com/Lockdis)
- Added crow, nyx, and google-earth-pro profiles
Lukáš Krejčí (https://github.com/lskrejci)
- fixed parsing of --keep-var-tmp
- fixed parsing of --keep-var-tmp
luzpaz (https://github.com/luzpaz)
- code spelling fixes
lxeiqr (https://github.com/lxeiqr)
@ -717,6 +717,8 @@ mahdi1234 (https://github.com/mahdi1234)
- Seamonkey profiles
Manuel Dipolt (https://github.com/xeniter)
- stack alignment for the ARM Architecture
Marek Küthe (https://github.com/marek22k)
- allow loading plugins in gajim
Martin Carpenter (https://github.com/mcarpenter)
- security audit and bug fixes
- Centos 6.x support


@ -2,12 +2,15 @@ firejail (0.9.73) baseline; urgency=low
* work in progress
* feature: Add "keep-shell-rc" command and option (#1127 #5634)
* feature: Print the argument when failing with "too long arguments" (#5677)
* feature: a random hostname is assigned to each sandbox unless
overwritten using --hostname command
* modif: Stop forwarding own double-dash to the shell (#5599 #5600)
* modif: Prevent sandbox name (--name=) and host name (--hostname=)
from containing only digits (#5578)
* modif: Escape control characters of the command line (#5613)
* modif: Allow only letters and digits for sandbox name (--name=) and
host name (--hostname=)
* bugfix: fix --hostname and --hosts-file commands
* bugfix: qutebrowser: links will not open in the existing instance (#5601
#5618)
* build: auto-generate syntax files (#5627)
@ -15,11 +18,13 @@ firejail (0.9.73) baseline; urgency=low
* build: mkdeb.sh: pass all arguments to ./configure (#5654)
* build: deb: enable apparmor by default & remove deb-apparmor (#5668)
* build: Fix whitespace and add .editorconfig (#5674)
* test: split individual test groups in github workflows
* test: add chroot, appimage and network tests in github workflows
* docs: remove apparmor options in --help when building without apparmor
support (#5589)
* docs: selinux.c: Split Copyright notice & use same license as upstream
(#5667)
* new profiles: fix-qdf, qpdf, zlib-flate
* new profiles: fix-qdf, qpdf, zlib-flate
-- netblue30 <netblue30@yahoo.com> Mon, 16 Jan 2023 09:00:00 -0500
firejail (0.9.72) baseline; urgency=low


@ -1,177 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check eth0
send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
expect {
timeout {puts "TESTING ERROR 0.0\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 0.1\n";exit}
"10.10.20"
}
expect {
timeout {puts "TESTING ERROR 0.2\n";exit}
"255.255.255.248"
}
expect {
timeout {puts "TESTING ERROR 0.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 0.4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check eth1
send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
expect {
timeout {puts "TESTING ERROR 1.0\n";exit}
"eth1"
}
expect {
timeout {puts "TESTING ERROR 1.1\n";exit}
"10.10.30"
}
expect {
timeout {puts "TESTING ERROR 1.2\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 1.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 1.4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check eth2
send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
expect {
timeout {puts "TESTING ERROR 2.0\n";exit}
"eth2"
}
expect {
timeout {puts "TESTING ERROR 2.1\n";exit}
"10.10.40"
}
expect {
timeout {puts "TESTING ERROR 2.2\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 2.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 2.4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check eth3
send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3\r"
expect {
timeout {puts "TESTING ERROR 3.0\n";exit}
"eth3"
}
expect {
timeout {puts "TESTING ERROR 3.1\n";exit}
"10.10.50"
}
expect {
timeout {puts "TESTING ERROR 3.2\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 3.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check loopback
send -- "firejail --net=br0 --net=br1 --net=br2 --net=br3 --protocol=unix,inet,netlink\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"lo"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"127.0.0.1"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"255.0.0.0"
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
# check default gateway
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.1\n";exit}
"default via 10.10.20.1 dev eth0"
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.2\n";exit}
"10.10.20.0/29 dev eth0 proto kernel scope link" {puts "old iproute2\n";}
"10.10.20.0/29 dev eth0 proto kernel scope link" {puts "new iproute2\n";}
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.2\n";exit}
"10.10.30.0/24 dev eth1 proto kernel scope link" {puts "old iproute2\n";}
"10.10.30.0/24 dev eth1 proto kernel scope link" {puts "new iproute2\n";}
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.2\n";exit}
"10.10.40.0/24 dev eth2 proto kernel scope link" {puts "old iproute2\n";}
"10.10.40.0/24 dev eth2 proto kernel scope link" {puts "new iproute2\n";}
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.2\n";exit}
"10.10.50.0/24 dev eth3 proto kernel scope link" {puts "old iproute2\n";}
"10.10.50.0/24 dev eth3 proto kernel scope link" {puts "new iproute2\n";}
}
send -- "exit\r"
after 100
puts "\nall done\n"


@ -1,181 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check eth0
send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
expect {
timeout {puts "TESTING ERROR 0.0\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 0.1\n";exit}
"10.10.20"
}
expect {
timeout {puts "TESTING ERROR 0.2\n";exit}
"255.255.255.248"
}
expect {
timeout {puts "TESTING ERROR 0.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 0.4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check eth1
send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
expect {
timeout {puts "TESTING ERROR 1.0\n";exit}
"eth1"
}
expect {
timeout {puts "TESTING ERROR 1.1\n";exit}
"10.10.30.50"
}
expect {
timeout {puts "TESTING ERROR 1.2\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 1.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 1.4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check eth2
send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
expect {
timeout {puts "TESTING ERROR 2.0\n";exit}
"eth2"
}
expect {
timeout {puts "TESTING ERROR 2.1\n";exit}
"10.10.40.100"
}
expect {
timeout {puts "TESTING ERROR 2.2\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 2.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 2.4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check eth3
send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3\r"
expect {
timeout {puts "TESTING ERROR 3.0\n";exit}
"eth3"
}
expect {
timeout {puts "TESTING ERROR 3.1\n";exit}
"10.10.50"
}
expect {
timeout {puts "TESTING ERROR 3.2\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 3.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check loopback
send -- "firejail --net=br0 --net=br1 --ip=10.10.30.50 --net=br2 --ip=10.10.40.100 --net=br3 --protocol=unix,inet,netlink\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"lo"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"127.0.0.1"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"255.0.0.0"
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
# check default gateway
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.1\n";exit}
"default via 10.10.20.1 dev eth0"
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.2\n";exit}
"10.10.20.0/29 dev eth0 proto kernel scope link" {puts "old iproute2\n";}
"10.10.20.0/29 dev eth0 proto kernel scope link" {puts "new iproute2\n";}
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.3\n";exit}
"10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" {puts "old iproute2\n";}
"10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" {puts "new iproute2\n";}
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.4\n";exit}
"10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" {puts "old iproute2\n";}
"10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" {puts "new iproute2\n";}
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.5\n";exit}
"10.10.50.0/24 dev eth3 proto kernel scope link" {puts "old iproute2\n";}
"10.10.50.0/24 dev eth3 proto kernel scope link" {puts "new iproute2\n";}
}
send -- "exit\r"
after 100
puts "\nall done\n"


@ -1,14 +0,0 @@
Warning: this test requires root access to configure a number of bridge, mac
and vlan devices. Please take a look at configure file. By the time you are
finished testing, you'll probably have to reboot the computer to get your
networking subsystem back to normal.
Limitations - to be investigated and fixed:
- the test is assuming an eth0 wired interface to be present
- using netstat and ifconfig - this needs to be moved to iproute2
- configure script inserts an entry in system netfilter configuration
- the test will probably not work on grsecurity settings
- macvlan interfaces don't seem to work correctly under VirtualBox
Run the test:
$ ./network.sh | grep TESTING


@ -1,68 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --name=test --net=br0\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firejail --bandwidth=test status\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"qdisc * 0: dev eth0"
}
sleep 1
send -- "firejail --bandwidth=test set br0 50 10\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"Configuring interface eth0"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"configuring tc ingress"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"configuring tc egress"
}
send -- "firejail --bandwidth=test status\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"dev eth0"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"rate 80Kbit burst 10Kb"
}
sleep 1
send -- "firejail --bandwidth=test clear br0\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"Removing bandwidth limits"
}
sleep 1
send -- "stty -echo\r"
after 100
send -- "firejail --bandwidth=test status; echo done\r"
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"rate 80Kbit burst 10Kb" {puts "TESTING ERROR 9\n";exit}
"done"
}
after 100
puts "\nall done\n"


@ -7,17 +7,17 @@ set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --name=test-dns --net=eth0 --dns=1.2.3.4 --dns=2.3.4.5 --dns=3.4.5.6\r"
send -- "firejail --name=test --net=br0 --dns=1.2.3.4 --dns=2.3.4.5 --dns=3.4.5.6\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
timeout {puts "TESTING ERROR 0\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firejail --dns.print=test-dns\r"
send -- "firejail --dns.print=test\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
timeout {puts "TESTING ERROR 1\n";exit}
"nameserver 1.2.3.4"
}
expect {
@ -25,10 +25,10 @@ expect {
"nameserver 2.3.4.5"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
timeout {puts "TESTING ERROR 3\n";exit}
"nameserver 3.4.5.6"
}
after 100
after 500
puts "\nall done\n"
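Review bot: The sandbox name on the new `--name=test --net=br0` launch line is generic, and the netfilter test changed in this same commit also starts a sandbox with `--name=test`; nothing in the visible part of this script sends `exit` to the first sandbox before `puts "\nall done\n"`. If a sandbox from another script is still alive when this one runs (inferred, the run order is not shown), `firejail --dns.print=test` could report another sandbox's DNS settings and pass or fail for the wrong reason. A per-test name that still satisfies the letters-and-digits rule from the release notes avoids this: `--name=testdns` on the launch line and `firejail --dns.print=testdns` on the query line. The script begins above the first hunk, so any setup or cleanup there is not visible.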


@ -1,53 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
#send -- "ping -c 3 192.168.1.1\r"
#expect {
# timeout {puts "TESTING ERROR 0\n";exit}
# "3 packets transmitted"
#}
#sleep 1
send -- "firejail --name=test1\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firejail --name=test2\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firemon --arp\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"name=test1"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"192.168.1.1 dev eth0 lladdr" {puts "Debian testing\n";}
"192.168.1.1 dev enp0s3 lladdr" {puts "Centos 7 testing\n";}
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"REACHABLE"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"name=test2"
}
after 100
puts "\nall done\n"


@ -1,66 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --net=eth0 --name=test1\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firejail --net=eth0 --name=test2\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firemon --interface\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"Link status"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"lo UP"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"eth0-"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"IPv4 status"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"lo UP"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"eth0-"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"IPv6 status"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"lo UP"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"eth0-"
}
after 100
puts "\n"


@ -1,52 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --name=test1\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firejail --name=test2\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firemon --route\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"name=test1"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"0.0.0.0/0 via 192.168.1.1, dev eth0, metric 0" {puts "Debian testing\n";}
"0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 1024" {puts "Centos 7 testing\n";}
"0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 0" {puts "OpenSUSE testing\n";}
"0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";}
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"10.10.30.0/24, dev br1, scope link src 10.10.30.1"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"10.10.50.0/24, dev br3, scope link src 10.10.50.1"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"name=test2"
}
after 100
puts "\nalldone\n"


@ -1,63 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
#
# interface
#
set timeout 10
spawn $env(SHELL)
match_max 100000
set overlay [lindex $argv 0]
set chroot [lindex $argv 1]
#
# N
#
# todo: seems to be unable to find interface eth0.7
#send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6 --interface=eth0.7\r"
send -- "firejail --noprofile --interface=eth0.5 --interface=eth0.6\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "/sbin/ifconfig\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"eth0.5"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"Link" {puts "old net-tools\n";}
"flags" {puts "new net-tools\n";}
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"10.10.205.10"
}
after 100
send -- "/sbin/ifconfig\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"eth0.6"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"Link" {puts "old net-tools\n";}
"flags" {puts "new net-tools\n";}
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"10.10.206.10"
}
after 100
send -- "exit\r"
sleep 1
puts "\nall done\n"


@ -1,100 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --debug --noprofile --net=br0 --ip6=2001:0db8:0:f101::1/64 --netfilter6=ipv6.net\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Installing IPv6 firewall"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"DROP"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit}
"2001:db8:1f0a:3ec::2"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
send -- "/sbin/ifconfig\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"inet6"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"2001:db8:0:f101::1"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"Scope:Global" { puts "Debian\n"}
"scopeid 0x0<global>" { puts "Arch\n"}
}
send -- "exit\r"
sleep 2
send -- "firejail --debug --profile=ip6.profile\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"Installing IPv6 firewall"
}
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"DROP"
}
expect {
timeout {puts "TESTING ERROR 12\n";exit}
"unable to initialize table 'filter'" {puts "\nTESTING SKIP 2: no IPv6 support\n"; exit}
"2001:db8:1f0a:3ec::2"
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
send -- "/sbin/ifconfig\r"
expect {
timeout {puts "TESTING ERROR 14\n";exit}
"inet6"
}
expect {
timeout {puts "TESTING ERROR 15\n";exit}
"2001:db8:0:f101::1"
}
expect {
timeout {puts "TESTING ERROR 16\n";exit}
"Scope:Global" { puts "Debian\n"}
"scopeid 0x0<global>" { puts "Arch\n"}
}
send -- "exit\r"
sleep 2
send -- "firejail --debug --netfilter6=ipv6.net\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"Installing IPv6 firewall" {puts "TESTING ERROR 12\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
after 100
puts "\nall done\n"


@ -1,3 +0,0 @@
net br0
ip6 2001:0db8:0:f101::1/64
netfilter6 ipv6.net


@ -1,102 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"10.10.30.50" {puts "10.10.30.50\n"}
"10.10.30.51" {puts "10.10.30.51\n"}
"10.10.30.52" {puts "10.10.30.52\n"}
"10.10.30.53" {puts "10.10.30.53\n"}
"10.10.30.54" {puts "10.10.30.54\n"}
"10.10.30.55" {puts "10.10.30.55\n"}
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
sleep 1
send -- "firejail --profile=iprange.profile\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"10.10.30.50" {puts "10.10.30.50\n"}
"10.10.30.51" {puts "10.10.30.51\n"}
"10.10.30.52" {puts "10.10.30.52\n"}
"10.10.30.53" {puts "10.10.30.53\n"}
"10.10.30.54" {puts "10.10.30.54\n"}
"10.10.30.55" {puts "10.10.30.55\n"}
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
sleep 1
send -- "firejail --iprange=10.10.30.50,10.10.30.55\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"no network device configured"
}
after 100
send -- "firejail --net=br1 --iprange=10.10.30.50,10.10.30.55 --iprange=10.10.30.50,10.10.30.55\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"cannot configure the IP range twice for the same interface"
}
after 100
send -- "firejail --net=br1 --iprange=10.10.30.50\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"invalid IP range"
}
after 100
send -- "firejail --net=br0 --iprange=10.10.30.50,10.10.30.55\r"
expect {
timeout {puts "TESTING ERROR 12\n";exit}
"IP range addresses not in network range"
}
after 100
send -- "firejail --net=br1 --iprange=10.10.30.55,10.10.30.50\r"
expect {
timeout {puts "TESTING ERROR 12\n";exit}
"invalid IP range"
}
after 100
after 100
puts "\nall done\n"


@ -1,2 +0,0 @@
net br1
iprange 10.10.30.50,10.10.30.55


@ -1,8 +0,0 @@
# Generated by ip6tables-save v1.4.14 on Wed Jan 13 10:53:40 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 2001:db8:1f0a:3ec::2/128 -j DROP
COMMIT
# Completed on Wed Jan 13 10:53:40 2016


@ -1,9 +0,0 @@
net br0
mac 00:11:22:33:44:55
mtu 1000
net br1
ip 10.10.30.50
net br2
ip 10.10.40.100
net br3
defaultgw 10.10.20.2


@ -1,74 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
# will fail
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 5n";exit}
"cannot assign an IP address"
}
send -- "firejail --net=br0 sleep 20 &\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"cannot assign an IP address"
}
# check firejail --list
send -- "firejail --list\r"
expect {
timeout {puts "TESTING ERROR 7.1\n";exit}
"sleep 20"
}
expect {
timeout {puts "TESTING ERROR 7.2\n";exit}
"sleep 20"
}
expect {
timeout {puts "TESTING ERROR 7.3\n";exit}
"sleep 20"
}
expect {
timeout {puts "TESTING ERROR 7.4\n";exit}
"sleep 20"
}
expect {
timeout {puts "TESTING ERROR 7.5\n";exit}
"sleep 20"
}
# wait for sandboxes to be shutdown
sleep 30
puts "\n"


@ -1,18 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check eth0
send -- "firejail --net=br0 --net=br1 --ip=10.100.10.47\r"
expect {
timeout {puts "TESTING ERROR 0.0\n";exit}
"the IP address is not"
}
after 100
puts "\n"


@ -1,50 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check ip address
send -- "firejail --net=br0 --ip=10.10.20.5 --defaultgw=10.10.20.2 --protocol=unix,inet,netlink\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"10.10.20.5"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"255.255.255.248"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
# check default gateway
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.1\n";exit}
"default via 10.10.20.2 dev eth0"
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.2\n";exit}
"10.10.20.0/29 dev eth0 proto kernel scope link" {puts "old iproute2\n";}
"10.10.20.0/29 dev eth0 proto kernel scope link" {puts "new iproute2\n";}
}
send -- "exit\r"
after 100
puts "\nall done\n"


@ -1,45 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check ip address
send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.30.89 --protocol=unix,inet,netlink\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth1"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
# check default gateway
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.1\n";exit}
"default via 10.10.30.89 dev eth1"
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.2\n";exit}
"10.10.20.0/29 dev eth0 proto kernel scope link" {puts "old iproute2\n";}
"10.10.20.0/29 dev eth0 proto kernel scope link" {puts "new iproute2\n";}
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 10.3\n";exit}
"10.10.30.0/24 dev eth1 proto kernel scope link" {puts "old iproute2\n";}
"10.10.30.0/24 dev eth1 proto kernel scope link" {puts "new iproute2\n";}
}
send -- "exit\r"
after 100
puts "\nall done\n"


@ -1,20 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check ip address
send -- "firejail --net=br0 --net=br1 --defaultgw=10.10.95.89\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"default gateway 10.10.95.89 is not in the range of any network"
}
after 100
puts "\n"


@ -94,8 +94,40 @@ expect {
}
after 500
send -- "firejail --noprofile --net=br0 --ip=none ip addr show\r"
expect {
timeout {puts "TESTING ERROR 17\n";exit}
"eth0" {puts "TESTING ERROR 18\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 19\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 20\n";exit}
"inet " {puts "TESTING ERROR 21\n";exit}
"inet6"
}
after 500
send -- "firejail --net=br0 --mtu=1000 --noprofile ip link show\r"
expect {
timeout {puts "TESTING ERROR 22\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 23\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 24\n";exit}
"mtu 1000"
}
expect {
timeout {puts "TESTING ERROR 25\n";exit}
"state UP"
}
after 100
after 500
puts "\nall done\n"
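Review bot: The `--ip=none` check finishes by waiting for `"inet6"` after `eth0`, so it only succeeds when the sandbox interface carries an IPv6 address; on a host or CI runner with IPv6 disabled (an assumption, not visible here) that block would time out with `TESTING ERROR 20` even though no IPv4 address was assigned. An explicit terminator keeps the negative `"inet "` check without depending on IPv6: send `firejail --noprofile --net=br0 --ip=none ip addr show; echo done\r` and use `"done"` as the success pattern in place of `"inet6"`. The terminal echo of the command line is consumed by the earlier `Child process initialized` match, so only the real `echo` output can satisfy it. The enclosing script starts above this hunk.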


@ -1,49 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check ip address
send -- "firejail --noprofile --debug\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Using the local network stack"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check loopback
send -- "firejail --noprofile\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "/sbin/ifconfig\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"lo"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"127.0.0.1"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"255.0.0.0"
}
send -- "exit\r"
after 100
puts "all done\n"


@ -1,42 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --net=eth0 --net=eth0 --net=eth0 --net=eth0\r"
expect {
timeout {puts "TESTING ERROR 0.1\n";exit}
"eth0-"
}
expect {
timeout {puts "TESTING ERROR 0.2\n";exit}
"eth1-"
}
expect {
timeout {puts "TESTING ERROR 0.3\n";exit}
"eth2-"
}
expect {
timeout {puts "TESTING ERROR 0.4\n";exit}
"eth3-"
}
expect {
timeout {puts "TESTING ERROR 0.5\n";exit}
"Default gateway 192.168.1.1"
}
expect {
timeout {puts "TESTING ERROR 0.6\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "exit\r"
sleep 1
after 100
puts "\nall done\n"


@ -1,34 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check ip address
send -- "firejail --net=br0 --mtu=1000 --noprofile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "ip link show\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"mtu 1000"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"state UP"
}
send -- "exit\r"
after 100
puts "\nall done\n"


@ -8,83 +8,20 @@ spawn $env(SHELL)
match_max 100000
# check default netfilter on br0
send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter\r"
send -- "firejail --name=test --net=br0 --netfilter\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Installing firewall"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"Chain INPUT (policy DROP"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"ACCEPT all -- any any anywhere"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"ACCEPT icmp -- any any anywhere"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check default netfilter no new network
send -- "firejail --debug --noprofile --netfilter\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"Installing network filter" {puts "TESTING ERROR 5.1\n";exit}
"Chain INPUT (policy DROP" {puts "TESTING ERROR 5.1\n";exit}
"ACCEPT all -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit}
"ACCEPT icmp -- any any anywhere" {puts "TESTING ERROR 5.1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
# check file filter netfilter on br0
send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter=netfilter.filter\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"Installing firewall"
}
expect {
timeout {puts "TESTING ERROR 6.1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "ping -c 1 -w 3 10.10.20.1\r"
expect {
timeout {puts "TESTING ERROR 6.2\n";exit}
"0 received, 100% packet loss"
}
send -- "exit\r"
sleep 1
# check profile netfilter on br0
send -- "firejail --debug --net=br0 --ip=10.10.20.5 --profile=netfilter.profile\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"Installing firewall"
}
expect {
timeout {puts "TESTING ERROR 7.1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 2
send -- "ping -c 1 -w 3 10.10.20.1\r"
spawn $env(SHELL)
# check default netfilter no new network
send -- "firejail --netfilter.print=test\r"
expect {
timeout {puts "TESTING ERROR 7.2\n";exit}
"0 received, 100% packet loss"
timeout {puts "TESTING ERROR 1\n";exit}
"ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED"
}
send -- "exit\r"
after 100
after 500
puts "all done\n"
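Review bot: The rewritten test passes on a single `ACCEPT ... state RELATED,ESTABLISHED` line from `firejail --netfilter.print=test` and no longer asserts the default-deny policy, so a regression that left the INPUT chain at policy ACCEPT would still print that rule and go unnoticed. Assuming `--netfilter.print` also prints the chain headers, I would add an `expect` block ahead of the ACCEPT match whose success pattern is `"Chain INPUT (policy DROP"`, the string the previous version checked, with its own `TESTING ERROR` number. The comment `# check default netfilter no new network` above the `--netfilter.print=test` line also looks stale, since the sandbox is started with `--net=br0`; `# print the filter installed in sandbox "test"` would describe what the code does. Which lines are old and which are new is inferred from the hunk header (83 lines down to 20), because the page lost its +/- markers.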


@ -1,48 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check ip address
send -- "firejail --noprofile --net=br0 --ip=none\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0" {puts "TESTING ERROR 1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
sleep 1
send -- "stty -echo\r"
after 100
# no default gateway configured
send -- "netstat -rn;echo done\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"0.0.0.0" {puts "TESTING ERROR 3\n";exit}
"eth0" {puts "TESTING ERROR 4\n";exit}
"done"
}
sleep 1
# eth0 configured
send -- "/sbin/ifconfig;echo done\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"10.10.20" {puts "TESTING ERROR 7\n";exit}
"done"
}
send -- "exit\r"
after 100
puts "all done\n"


@ -1,47 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check ip address
send -- "firejail --noprofile --net=br1 --ip=none --defaultgw=10.10.30.78\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0" {puts "TESTING ERROR 1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
sleep 1
send -- "stty -echo\r"
after 100
# no default gateway configured
send -- "netstat -rn;echo done\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"0.0.0.0" {puts "TESTING ERROR 3\n";exit}
"eth0" {puts "TESTING ERROR 4\n";exit}
"done"
}
sleep 1
# eth0 configured
send -- "/sbin/ifconfig;echo done\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"10.10.30" {puts "TESTING ERROR 7\n";exit}
"done"
}
send -- "exit\r"
after 100
puts "all done\n"


@ -38,6 +38,6 @@ expect {
"3"
}
send -- "exit\r"
after 100
after 500
puts "\nall done\n"


@ -1,78 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check eth0
send -- "firejail --profile=net-profile.profile\r"
expect {
timeout {puts "TESTING ERROR 0.0\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 0.1\n";exit}
"00:11:22:33:44:55"
}
expect {
timeout {puts "TESTING ERROR 0.1\n";exit}
"10.10.20"
}
expect {
timeout {puts "TESTING ERROR 0.2\n";exit}
"255.255.255.248"
}
expect {
timeout {puts "TESTING ERROR 0.3\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 0.4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" {puts "old iproute2\n";}
"10.10.30.0/24 dev eth1 proto kernel scope link src 10.10.30.50" {puts "new iproute2\n";}
}
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" {puts "old iproute2\n";}
"10.10.40.0/24 dev eth2 proto kernel scope link src 10.10.40.100" {puts "new iproute2\n";}
}
# check default gw
send -- "ip route show\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"default via 10.10.20.2 dev eth0"
}
# check mtu
send -- "ip link show\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"mtu 1000"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"state UP"
}
send -- "exit\r"
after 100
puts "\nall done\n"


@ -8,14 +8,14 @@ spawn $env(SHELL)
match_max 100000
#
send -- "firejail --net=br1 --ip=10.10.30.50\r"
send -- "firejail --net=br0 --ip=10.10.20.50\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"10.10.30.50"
"10.10.20.50"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
@ -28,14 +28,14 @@ expect {
sleep 1
spawn $env(SHELL)
send -- "firejail --net=br1 --ip=10.10.30.51\r"
send -- "firejail --net=br0 --ip=10.10.20.60\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"10.10.30.51"
"10.10.20.60"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
@ -48,18 +48,18 @@ expect {
sleep 1
spawn $env(SHELL)
send -- "firejail --net=br1 --scan\r"
send -- "firejail --net=br0 --scan\r"
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"10.10.30.50"
"10.10.20.50"
}
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"10.10.30.51"
"10.10.20.60"
}
expect {
timeout {puts "TESTING ERROR 11\n";exit}
@ -67,8 +67,4 @@ expect {
}
sleep 1
after 100
puts "\nall done\n"


@ -1,244 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
# check ip address
send -- "firejail --noprofile --net=br-unconfigured --ip=none\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0" {puts "TESTING ERROR 1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
sleep 1
send -- "stty -echo\r"
after 100
# no default gateway configured
send -- "netstat -rn;echo done\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"0.0.0.0" {puts "TESTING ERROR 3\n";exit}
"eth0" {puts "TESTING ERROR 4\n";exit}
"done"
}
sleep 1
# eth0 configured
send -- "/sbin/ifconfig;echo done\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"done"
}
send -- "exit\r"
after 100
send -- "exit\r"
after 100
# check ip address
send -- "firejail --noprofile --net=br-unconfigured\r"
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"eth0" {puts "TESTING ERROR 8\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
sleep 1
send -- "stty -echo\r"
after 100
# no default gateway configured
send -- "netstat -rn;echo done\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"0.0.0.0" {puts "TESTING ERROR 10\n";exit}
"eth0" {puts "TESTING ERROR 11\n";exit}
"done"
}
sleep 1
# eth0 configured
send -- "/sbin/ifconfig;echo done\r"
expect {
timeout {puts "TESTING ERROR 12\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
"done"
}
send -- "exit\r"
after 100
send -- "exit\r"
after 100
# check ip address
send -- "firejail --noprofile --net=br-unconfigured --defaultgw=10.10.80.1\r"
expect {
timeout {puts "TESTING ERROR 14\n";exit}
"eth0" {puts "TESTING ERROR 15\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
sleep 1
send -- "stty -echo\r"
after 100
# no default gateway configured
send -- "netstat -rn;echo done\r"
expect {
timeout {puts "TESTING ERROR 16\n";exit}
"0.0.0.0" {puts "TESTING ERROR 17\n";exit}
"eth0" {puts "TESTING ERROR 18\n";exit}
"done"
}
sleep 1
# eth0 configured
send -- "/sbin/ifconfig;echo done\r"
expect {
timeout {puts "TESTING ERROR 19\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 20\n";exit}
"done"
}
send -- "exit\r"
after 100
send -- "exit\r"
after 100
# check ip address
send -- "firejail --noprofile --net=br-unconfigured --ip=10.10.80.1 --defaultgw=10.10.80.1\r"
expect {
timeout {puts "TESTING ERROR 21\n";exit}
"eth0" {puts "TESTING ERROR 22\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
sleep 1
send -- "stty -echo\r"
after 100
# no default gateway configured
send -- "netstat -rn;echo done\r"
expect {
timeout {puts "TESTING ERROR 23\n";exit}
"0.0.0.0" {puts "TESTING ERROR 24\n";exit}
"eth0" {puts "TESTING ERROR 25\n";exit}
"done"
}
sleep 1
# eth0 configured
send -- "/sbin/ifconfig;echo done\r"
expect {
timeout {puts "TESTING ERROR 26\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 27\n";exit}
"done"
}
send -- "exit\r"
after 100
send -- "exit\r"
after 100
# check ip address
send -- "firejail --noprofile --net=br-unconfigured --ip=10.10.80.1 --netmask=255.255.255.0 --defaultgw=10.10.80.1\r"
expect {
timeout {puts "TESTING ERROR 28\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 29\n";exit}
"10.10.80.1"
}
expect {
timeout {puts "TESTING ERROR 30\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "bash\r"
sleep 1
send -- "stty -echo\r"
after 100
# no default gateway configured
send -- "netstat -rn;echo done\r"
expect {
timeout {puts "TESTING ERROR 31\n";exit}
"0.0.0.0"
}
expect {
timeout {puts "TESTING ERROR 32\n";exit}
"10.10.80.1"
}
expect {
timeout {puts "TESTING ERROR 33\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 34\n";exit}
"10.10.80.0"
}
expect {
timeout {puts "TESTING ERROR 35\n";exit}
"0.0.0.0"
}
expect {
timeout {puts "TESTING ERROR 36\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 37\n";exit}
"done"
}
sleep 1
# eth0 configured
send -- "/sbin/ifconfig;echo done\r"
expect {
timeout {puts "TESTING ERROR 38\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 39\n";exit}
"10.10.80.1"
}
expect {
timeout {puts "TESTING ERROR 40\n";exit}
"done"
}
send -- "exit\r"
after 100
send -- "exit\r"
after 100
puts "all done\n"


@ -1,141 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --net=eth0\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"lo"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"127.0.0.1"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"255.0.0.0"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"eth0-"
}
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"Default gateway"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
send -- "firejail --net=eth0 --net=eth0 --net=eth0 --net=eth0\r"
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"lo"
}
expect {
timeout {puts "TESTING ERROR 12\n";exit}
"127.0.0.1"
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
"255.0.0.0"
}
expect {
timeout {puts "TESTING ERROR 14\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 15\n";exit}
"eth0-"
}
expect {
timeout {puts "TESTING ERROR 16\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 17\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 18\n";exit}
"eth1-"
}
expect {
timeout {puts "TESTING ERROR 19\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 20\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"eth2-"
}
expect {
timeout {puts "TESTING ERROR 21\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 22\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 23\n";exit}
"eth3-"
}
expect {
timeout {puts "TESTING ERROR 24\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 25\n";exit}
"UP"
}
expect {
timeout {puts "TESTING ERROR 26\n";exit}
"Default gateway"
}
expect {
timeout {puts "TESTING ERROR 27\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
send -- "exit\r"
sleep 1
send -- "firejail --net=eth0 --ip=10.10.20.1\r"
expect {
timeout {puts "TESTING ERROR 27\n";exit}
"the IP address is not in the interface range"
}
after 100
puts "\n"


@ -1,67 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --net=br1 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/blablabla\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"invalid network filter file"
}
sleep 1
send -- "firejail --net=br1 --ip=10.10.30.10 --name=test1 --netfilter=/etc/firejail/tcpserver.net,5555 ./tcpserver 5555\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firejail --netfilter.print=test1\r"
expect {
timeout {puts "TESTING ERROR 1.1\n";exit}
"Chain INPUT"
}
expect {
timeout {puts "TESTING ERROR 1.2\n";exit}
"Chain FORWARD"
}
expect {
timeout {puts "TESTING ERROR 1.3\n";exit}
"Chain OUTPUT"
}
sleep 1
send -- "telnet 10.10.30.10 5555\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"Connected to 10.10.30.10"
}
sleep 1
send "sdfklsjadfl;ksadjfl;sdkfj\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"response"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"Connection closed"
}
sleep 1
send -- "telnet 10.10.30.10 5556\r"
expect {
timeout {puts "OK\n"}
"Connected to 10.10.30.10" {puts "TESTING ERROR 6\n";exit}
"dikasdfjasdjf"
}
after 100
puts "all done\n"


@ -1,6 +0,0 @@
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT


@ -1 +0,0 @@
netfilter netfilter.filter


@ -1,34 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --netns=red --noprofile\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
after 100
send -- "ip link show\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"LOOPBACK"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"DOWN"
}
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"link/loopback"
}
after 100
send -- "exit\r"
after 100
puts "all done\n"


@ -1,38 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --net=eth0 --name=test1\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firejail --net=eth0 --name=test2\r"
expect {
timeout {puts "TESTING ERROR 9\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "firejail --netstats\r"
sleep 4
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"name=test1"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"name=test2"
}
after 100
puts "\n"


@ -10,9 +10,6 @@ export LC_ALL=C
sudo brctl addbr br0
sudo ip link set br0 up
sudo ip addr add 10.10.20.1/24 dev br0
sudo brctl addbr br1
sudo ip link set br1 up
sudo ip addr add 10.10.30.1/24 dev br1
ip addr show
echo "TESTING: no network (net_none.exp)"
@ -24,92 +21,14 @@ echo "TESTING: network IP (net_ip.exp)"
echo "TESTING: network MAC (net_mac.exp)"
./net_mac.exp
echo "TESTING: network scan (net_scan.exp)"
./net_scan.exp
echo "TESTING: netfilter (net_netfilter.exp)"
./net_netfilter.exp
#echo "TESTING: unconfigured network (net_unconfigured.exp)"
#./net_unconfigured.exp
#
#echo "TESTING: netfilter template (netfilter-template.exp)"
#rm -f ./tcpserver
#gcc -o tcpserver tcpserver.c
#./netfilter-template.exp
#rm ./tcpserver
#
#echo "TESTING: firemon interface (firemon-interfaces.exp)"
#sudo ./firemon-interfaces.exp
#
#echo "TESTING: netns (netns.exp)"
#./netns.exp
#
#echo "TESTING: print dns (dns-print.exp)"
#./dns-print.exp
#
#echo "TESTING: firemon arp (firemon-arp.exp)"
#./firemon-arp.exp
#
#echo "TESTING: firemon netstats (netstats.exp)"
#./netstats.exp
#
#echo "TESTING: firemon route (firemon-route.exp)"
#./firemon-route.exp
#
#echo "TESTING: network profile (net_profile.exp)"
#./net_profile.exp
#
#echo "TESTING: bandwidth (bandwidth.exp)"
#./bandwidth.exp
#
#echo "TESTING: IPv6 support (ip6.exp)"
#./ip6.exp
#
#echo "TESTING: local network (net_local.exp)"
#./net_local.exp
#
#
#echo "TESTING: network MTU (net_mtu.exp)"
#./net_mtu.exp
#
#echo "TESTING: network bad IP (net_badip.exp)"
#./net_badip.exp
#
#echo "TESTING: network no IP test 1 (net_noip.exp)"
#./net_noip.exp
#
#echo "TESTING: network no IP test 2 (net_noip2.exp)"
#./net_noip2.exp
#
#echo "TESTING: network default gateway test 1 (net_defaultgw.exp)"
#./net_defaultgw.exp
#
#echo "TESTING: network default gateway test 2 (net_defaultgw2.exp)"
#./net_defaultgw2.exp
#
#echo "TESTING: network default gateway test 3 (net_defaultgw3.exp)"
#./net_defaultgw3.exp
#
#echo "TESTING: scan (net_scan.exp)"
#./net_scan.exp
#
#echo "TESTING: interface (interface.exp)"
#./interface.exp
#
#echo "TESTING: veth (net_veth.exp)"
#./net_veth.exp
#
#echo "TESTING: netfilter (net_netfilter.exp)"
#./net_netfilter.exp
#
#echo "TESTING: iprange (iprange.exp)"
#./iprange.exp
#
#echo "TESTING: veth-name (veth-name.exp)"
#./veth-name.exp
#
#echo "TESTING: macvlan2 (net_macvlan2.exp)"
#./net_macvlan2.exp
#
#echo "TESTING: 4 bridges ARP (4bridges_arp.exp)"
#./4bridges_arp.exp
#
#echo "TESTING: 4 bridges IP (4bridges_ip.exp)"
#./4bridges_ip.exp
echo "TESTING: print dns (dns-print.exp)"
./dns-print.exp
sudo ip link set br0 down
sudo brctl delbr br0
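Review bot: The bridge teardown on the last two lines (`sudo ip link set br0 down`, `sudo brctl delbr br0`) runs only if the script reaches its end, so an interrupted run leaves br0 and its 10.10.20.1/24 address on the host, and the next run's `sudo brctl addbr br0` then meets leftover state. Registering the cleanup right after the bridge is created, in place of the trailing two lines, would cover this under bash: `trap 'sudo ip link set br0 down; sudo brctl delbr br0' EXIT`. The setup commands are also unchecked, so a failed `brctl addbr` still lets the `--net=br0` tests run and report errors unrelated to firejail; `sudo brctl addbr br0 || exit 1` would stop early. The top of the script is outside this hunk, so an existing `set -e` or trap there would change this.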


@ -1,108 +0,0 @@
/*
* Copyright (C) 2014-2023 Firejail Authors
*
* This file is part of firejail project
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
int main(int argc, char **argv) {
int fd, newfd, client_len;
struct sockaddr_in serv_addr, client_addr;
int n, pid;
if (argc < 2) {
printf("Usage: ./server port-number\n");
return 1;
}
int portno = atoi(argv[1]);
// init socket
fd = socket(AF_INET, SOCK_STREAM, 0);
if (fd < 0) {
perror("ERROR opening socket");
return 1;
}
// Initialize socket structure
memset(&serv_addr, 0, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = INADDR_ANY;
serv_addr.sin_port = htons(portno);
// bind
if (bind(fd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
perror("bind");
return 1;
}
// listen - 5 pending conncections
if (listen(fd, 5) < 0) {
perror("listen");
return 1;
}
client_len = sizeof(client_addr);
while (1) {
newfd = accept(fd, (struct sockaddr *) &client_addr, &client_len);
if (newfd < 0) {
perror("accept");
return 1;
}
/* Create child process */
pid = fork();
if (pid < 0) {
perror("fork");
return 1;
}
if (pid == 0) {
// child
close(fd);
#define MAXBUF 4096
char buf[MAXBUF];
memset(buf, 0, MAXBUF);
int rcv = read(newfd, buf, MAXBUF - 1);
if (rcv < 0) {
perror("read");
exit(1);
}
int sent = write(newfd, "response\n", 9);
if (sent < 9) {
perror("write");
return 1;
}
exit(0);
}
else
close(newfd);
}
return 0;
}


@ -1,76 +0,0 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2023 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
#
send -- "firejail --net=br1 --ip=10.10.30.50 --veth-name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"10.10.30.50"
}
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "ip link show\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"blablabla"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"master br1 state UP"
}
sleep 1
send -- "firejail --profile=veth-name.profile\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"eth0"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"10.10.60.51"
}
expect {
timeout {puts "TESTING ERROR 8\n";exit}
"255.255.255.0"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
sleep 1
spawn $env(SHELL)
send -- "ip link show\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
"bingo"
}
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"master br4 state UP"
}
sleep 1
after 100
puts "\nall done\n"


@ -1,3 +0,0 @@
net br4
ip 10.10.60.51
veth-name bingo