github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-16 06:06:03 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

testing

Browse source
This commit is contained in:
smitsohu 2022-12-24 03:06:46 +01:00
parent ddc76329b5
commit 5116c1cedd
6 changed files with 452 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
test/filters/filters.sh
View file

@ -30,6 +30,16 @@ else
echo "TESTING SKIP: memwrexe binary only running on x86_64 and i686."
fi
if [[ $(uname -m) == "x86_64" ]]; then
echo "TESTING: restrict-namespaces (test/filters/namespaces.exp)"
./namespaces.exp
elif [[ $(uname -m) == "i686" ]]; then
echo "TESTING: restrict-namespaces (test/filters/namespaces-32.exp)"
./namespaces-32.exp
else
echo "TESTING SKIP: namespaces binary only running on x86_64 and i686."
fi
echo "TESTING: debug options (test/filters/debug.exp)"
./debug.exp

BIN
test/filters/namespaces Executable file
View file

Binary file not shown.

BIN
test/filters/namespaces-32 Executable file
View file

Binary file not shown.

173
test/filters/namespaces-32.exp Executable file
View file

@ -0,0 +1,173 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
#
# clone
#
send -- "firejail --noprofile ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"clone successful"
}
after 100
send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 clone user\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone user\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 clone cgroup,ipc,mnt,net,pid,user,uts\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone cgroup\r"
expect {
timeout {puts "TESTING ERROR 8\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone ipc\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 clone mnt,net,pid,uts\r"
expect {
timeout {puts "TESTING ERROR 12\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
"clone successful"
}
after 100
#
# unshare
#
send -- "firejail --noprofile ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
expect {
timeout {puts "TESTING ERROR 14\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 15\n";exit}
"unshare successful"
}
after 100
send -- "firejail --noprofile --restrict-namespaces ./namespaces-32 unshare user\r"
expect {
timeout {puts "TESTING ERROR 16\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 17\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare user\r"
expect {
timeout {puts "TESTING ERROR 18\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 19\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=user ./namespaces-32 unshare cgroup,ipc,mnt,net,pid,user,uts\r"
expect {
timeout {puts "TESTING ERROR 20\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 21\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare cgroup\r"
expect {
timeout {puts "TESTING ERROR 22\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 23\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare ipc\r"
expect {
timeout {puts "TESTING ERROR 24\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 25\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces-32 unshare mnt,net,pid,uts\r"
expect {
timeout {puts "TESTING ERROR 26\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 27\n";exit}
"unshare successful"
}
after 100
puts "\nall done\n"

96
test/filters/namespaces.c Normal file
View file

@ -0,0 +1,96 @@
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef CLONE_NEWTIME
#define CLONE_NEWTIME 0x00000080
#endif
#define STACK_SIZE 1024 * 1024
static int usage() {
fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n");
exit(1);
}
static void die(const char *msg) {
fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno));
exit(1);
}
static int ns_flags(const char *list) {
int flags = 0;
char *dup = strdup(list);
if (!dup)
die("cannot allocate memory");
char *token = strtok(dup, ",");
while (token) {
if (strcmp(token, "cgroup") == 0)
flags |= CLONE_NEWCGROUP;
else if (strcmp(token, "ipc") == 0)
flags |= CLONE_NEWIPC;
else if (strcmp(token, "net") == 0)
flags |= CLONE_NEWNET;
else if (strcmp(token, "mnt") == 0)
flags |= CLONE_NEWNS;
else if (strcmp(token, "pid") == 0)
flags |= CLONE_NEWPID;
else if (strcmp(token, "time") == 0)
flags |= CLONE_NEWTIME;
else if (strcmp(token, "user") == 0)
flags |= CLONE_NEWUSER;
else if (strcmp(token, "uts") == 0)
flags |= CLONE_NEWUTS;
else
usage();
token = strtok(NULL, ",");
}
free(dup);
return flags;
}
static int child(void *arg) {
(void) arg;
fprintf(stderr, "clone successful\n");
return 0;
}
int main (int argc, char **argv) {
if (argc != 3)
usage();
int flags = ns_flags(argv[2]);
if (getuid() != 0)
flags |= CLONE_NEWUSER;
if (strcmp(argv[1], "clone") == 0) {
void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (stack == MAP_FAILED)
die("mmap");
if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0)
die("clone");
}
else if (strcmp(argv[1], "unshare") == 0) {
if (unshare(flags))
die("unshare");
fprintf(stderr, "unshare successful\n");
}
else
usage();
return 0;
}

173
test/filters/namespaces.exp Executable file
View file

@ -0,0 +1,173 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2022 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
#
# clone
#
send -- "firejail --noprofile ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"clone successful"
}
after 100
send -- "firejail --noprofile --restrict-namespaces ./namespaces clone user\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone user\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=user ./namespaces clone cgroup,ipc,mnt,net,pid,user,uts\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone cgroup\r"
expect {
timeout {puts "TESTING ERROR 8\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 9\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone ipc\r"
expect {
timeout {puts "TESTING ERROR 10\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 11\n";exit}
"Error: clone: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces clone mnt,net,pid,uts\r"
expect {
timeout {puts "TESTING ERROR 12\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 13\n";exit}
"clone successful"
}
after 100
#
# unshare
#
send -- "firejail --noprofile ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
expect {
timeout {puts "TESTING ERROR 14\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 15\n";exit}
"unshare successful"
}
after 100
send -- "firejail --noprofile --restrict-namespaces ./namespaces unshare user\r"
expect {
timeout {puts "TESTING ERROR 16\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 17\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare user\r"
expect {
timeout {puts "TESTING ERROR 18\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 19\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=user ./namespaces unshare cgroup,ipc,mnt,net,pid,user,uts\r"
expect {
timeout {puts "TESTING ERROR 20\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 21\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare cgroup\r"
expect {
timeout {puts "TESTING ERROR 22\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 23\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare ipc\r"
expect {
timeout {puts "TESTING ERROR 24\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 25\n";exit}
"Error: unshare: Operation not permitted"
}
after 100
send -- "firejail --noprofile --restrict-namespaces=cgroup,ipc ./namespaces unshare mnt,net,pid,uts\r"
expect {
timeout {puts "TESTING ERROR 26\n";exit}
-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
}
expect {
timeout {puts "TESTING ERROR 27\n";exit}
"unshare successful"
}
after 100
puts "\nall done\n"