github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

major cleanup and testing

Browse source
This commit is contained in:
netblue30 2016-11-13 10:47:20 -05:00
parent 3ed5918832
commit 63e16bfcd9
27 changed files with 493 additions and 186 deletions
Download patch file Download diff file Expand all files Collapse all files

32
Makefile.in
View file

@ -146,7 +146,7 @@ uninstall:
rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES" DISTFILES = "src etc platform configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/appimage test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils" DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
dist: dist:
mv config.status config.status.old mv config.status config.status.old
@ -232,26 +232,34 @@ test-arguments:
test-fs: test-fs:
cd test/fs; ./fs.sh | grep TESTING cd test/fs; ./fs.sh | grep TESTING
test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
echo "TEST COMPLETE"
##########################################
# Individual tests, some of them require root access
# The tests are very intrussive, by the time you are done
# with them you will need to restart your computer.
##########################################
# Huge appimage files, not included in "make dist" archive
test-appimage: test-appimage:
cd test/appimage; ./appimage.sh | grep TESTING cd test/appimage; ./appimage.sh | grep TESTING
test: test-profiles test-fs test-utils test-environment test-appimage test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments # Root access, network devices are created before the test
echo "TEST COMPLETE" # restart your computer to get rid of these devices
#
# individual tests, some of them requiring root access
#
# root access, network devices are created before the test
test-network: test-network:
cd test/network; ./network.sh | grep TESTING cd test/network; ./network.sh | grep TESTING
# all the tests are run as root # Tesets running a root user
test-root: test-root:
cd test/root; su -c ./root.sh | grep TESTING cd test/root; su -c ./root.sh | grep TESTING
# runs as regular user # OverlayFS is not available on all platforms
test-overlay: test-overlay:
cd test/overlay; ./overlay.sh | grep TESTING cd test/overlay; ./overlay.sh | grep TESTING
# mount -o remount,rw,hidepid=2 /proc # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
test-all: test-root test-network test-appimage test-overlay test
echo "TEST COMPLETE"

8
src/firejail/appimage.c
View file

@ -94,14 +94,8 @@ void appimage_set(const char *appimage_path) {
if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1) if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
errExit("asprintf"); errExit("asprintf");
EUID_ROOT(); EUID_ROOT();
if (mkdir(mntdir, 0700) == -1) { mkdir_attr(mntdir, 0700, getuid(), getgid());
fprintf(stderr, "Error: cannot create appimage mount point\n");
exit(1);
}
if (set_perms(mntdir, getuid(), getgid(), 0700))
errExit("set_perms");
EUID_USER(); EUID_USER();
ASSERT_PERMS(mntdir, getuid(), getgid(), 0700);
// mount // mount
char *mode; char *mode;

1
src/firejail/firejail.h
View file

@ -461,6 +461,7 @@ void flush_stdin(void);
void create_empty_dir_as_root(const char *dir, mode_t mode); void create_empty_dir_as_root(const char *dir, mode_t mode);
void create_empty_file_as_root(const char *dir, mode_t mode); void create_empty_file_as_root(const char *dir, mode_t mode);
int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
// fs_var.c // fs_var.c
void fs_var_log(void); // mounting /var/log void fs_var_log(void); // mounting /var/log

101
src/firejail/fs.c
View file

@ -247,21 +247,13 @@ void fs_blacklist(void) {
// process bind command // process bind command
if (strncmp(entry->data, "bind ", 5) == 0) { if (strncmp(entry->data, "bind ", 5) == 0) {
struct stat s;
char *dname1 = entry->data + 5; char *dname1 = entry->data + 5;
char *dname2 = split_comma(dname1); char *dname2 = split_comma(dname1);
if (dname2 == NULL) { if (dname2 == NULL ||
fprintf(stderr, "Error: second directory missing in bind command\n"); stat(dname1, &s) == -1 ||
entry = entry->next; stat(dname2, &s) == -1) {
continue; fprintf(stderr, "Error: invalid bind command, directory missing\n");
}
struct stat s;
if (stat(dname1, &s) == -1) {
fprintf(stderr, "Error: cannot find %s for bind command\n", dname1);
entry = entry->next;
continue;
}
if (stat(dname2, &s) == -1) {
fprintf(stderr, "Error: cannot find %s for bind command\n", dname2);
entry = entry->next; entry = entry->next;
continue; continue;
} }
@ -410,10 +402,9 @@ void fs_rdonly(const char *dir) {
int rv = stat(dir, &s); int rv = stat(dir, &s);
if (rv == 0) { if (rv == 0) {
// mount --bind /bin /bin // mount --bind /bin /bin
if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mount read-only");
// mount --bind -o remount,ro /bin // mount --bind -o remount,ro /bin
if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
errExit("mount read-only"); errExit("mount read-only");
fs_logger2("read-only", dir); fs_logger2("read-only", dir);
} }
@ -428,15 +419,15 @@ static void fs_rdwr(const char *dir) {
// if the file is outside /home directory, allow only root user // if the file is outside /home directory, allow only root user
uid_t u = getuid(); uid_t u = getuid();
if (u != 0 && s.st_uid != u) { if (u != 0 && s.st_uid != u) {
fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); if (!arg_quiet)
fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
return; return;
} }
// mount --bind /bin /bin // mount --bind /bin /bin
if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mount read-write");
// mount --bind -o remount,rw /bin // mount --bind -o remount,rw /bin
if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
errExit("mount read-write"); errExit("mount read-write");
fs_logger2("read-write", dir); fs_logger2("read-write", dir);
} }
@ -449,37 +440,16 @@ void fs_noexec(const char *dir) {
int rv = stat(dir, &s); int rv = stat(dir, &s);
if (rv == 0) { if (rv == 0) {
// mount --bind /bin /bin // mount --bind /bin /bin
if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mount noexec");
// mount --bind -o remount,ro /bin // mount --bind -o remount,ro /bin
if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
errExit("mount read-only"); mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
errExit("mount noexec");
fs_logger2("noexec", dir); fs_logger2("noexec", dir);
} }
} }
void fs_rdonly_noexit(const char *dir) {
assert(dir);
// check directory exists
struct stat s;
int rv = stat(dir, &s);
if (rv == 0) {
int merr = 0;
// mount --bind /bin /bin
if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
merr = 1;
// mount --bind -o remount,ro /bin
if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
merr = 1;
if (merr)
fprintf(stderr, "Warning: cannot mount %s read-only\n", dir);
else
fs_logger2("read-only", dir);
}
}
// mount /proc and /sys directories // mount /proc and /sys directories
void fs_proc_sys_dev_boot(void) { void fs_proc_sys_dev_boot(void) {
if (arg_debug) if (arg_debug)
@ -489,10 +459,8 @@ void fs_proc_sys_dev_boot(void) {
fs_logger("remount /proc"); fs_logger("remount /proc");
// remount /proc/sys readonly // remount /proc/sys readonly
if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0) if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
errExit("mounting /proc/sys"); mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
errExit("mounting /proc/sys"); errExit("mounting /proc/sys");
fs_logger("read-only /proc/sys"); fs_logger("read-only /proc/sys");
@ -646,12 +614,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
errExit("asprintf"); errExit("asprintf");
if (stat(dirname, &s) == -1) { if (stat(dirname, &s) == -1) {
/* coverity[toctou] */ mkdir_attr(dirname, 0700, 0, 0);
if (mkdir(dirname, 0700))
errExit("mkdir");
if (chmod(dirname, 0700) == -1)
errExit("chmod");
ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
} }
else if (is_link(dirname)) { else if (is_link(dirname)) {
fprintf(stderr, "Error: invalid ~/.firejail directory\n"); fprintf(stderr, "Error: invalid ~/.firejail directory\n");
@ -733,11 +696,7 @@ void fs_overlayfs(void) {
char *oroot; char *oroot;
if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1) if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
errExit("asprintf"); errExit("asprintf");
if (mkdir(oroot, 0755)) mkdir_attr(oroot, 0755, 0, 0);
errExit("mkdir");
if (chmod(oroot, 0755) == -1)
errExit("chmod");
ASSERT_PERMS(oroot, 0, 0, 0755);
struct stat s; struct stat s;
char *basedir = RUN_MNT_DIR; char *basedir = RUN_MNT_DIR;
@ -766,11 +725,9 @@ void fs_overlayfs(void) {
// no need to check arg_overlay_reuse // no need to check arg_overlay_reuse
if (stat(odiff, &s) != 0) { if (stat(odiff, &s) != 0) {
if (mkdir(odiff, 0755)) mkdir_attr(odiff, 0755, 0, 0);
errExit("mkdir");
} }
else if (set_perms(odiff, 0, 0, 0755))
if (set_perms(odiff, 0, 0, 0755))
errExit("set_perms"); errExit("set_perms");
char *owork; char *owork;
@ -779,11 +736,9 @@ void fs_overlayfs(void) {
// no need to check arg_overlay_reuse // no need to check arg_overlay_reuse
if (stat(owork, &s) != 0) { if (stat(owork, &s) != 0) {
if (mkdir(owork, 0755)) mkdir_attr(owork, 0755, 0, 0);
errExit("mkdir");
} }
else if (set_perms(owork, 0, 0, 0755))
if (set_perms(owork, 0, 0, 0755))
errExit("chown"); errExit("chown");
// mount overlayfs // mount overlayfs
@ -839,11 +794,9 @@ void fs_overlayfs(void) {
// no need to check arg_overlay_reuse // no need to check arg_overlay_reuse
if (stat(hdiff, &s) != 0) { if (stat(hdiff, &s) != 0) {
if (mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO)) mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
errExit("mkdir");
} }
else if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
errExit("set_perms"); errExit("set_perms");
if(asprintf(&hwork, "%s/hwork", basedir) == -1) if(asprintf(&hwork, "%s/hwork", basedir) == -1)
@ -851,11 +804,9 @@ void fs_overlayfs(void) {
// no need to check arg_overlay_reuse // no need to check arg_overlay_reuse
if (stat(hwork, &s) != 0) { if (stat(hwork, &s) != 0) {
if (mkdir(hwork, S_IRWXU | S_IRWXG | S_IRWXO)) mkdir_attr(hwork, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
errExit("mkdir");
} }
else if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
errExit("set_perms"); errExit("set_perms");
// no homedir in overlay so now mount another overlay for /home // no homedir in overlay so now mount another overlay for /home

6
src/firejail/fs_bin.c
View file

@ -212,11 +212,7 @@ void fs_private_bin_list(void) {
assert(private_list); assert(private_list);
// create /run/firejail/mnt/bin directory // create /run/firejail/mnt/bin directory
if (mkdir(RUN_BIN_DIR, 0755) == -1) mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
errExit("mkdir");
if (chmod(RUN_BIN_DIR, 0755) == -1)
errExit("chmod");
ASSERT_PERMS(RUN_BIN_DIR, 0, 0, 0755);
// copy the list of files in the new etc directory // copy the list of files in the new etc directory
// using a new child process without root privileges // using a new child process without root privileges

32
src/firejail/fs_dev.c
View file

@ -65,11 +65,7 @@ static void deventry_mount(void) {
if (arg_debug) if (arg_debug)
printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file");
if (dir) { if (dir) {
if (mkdir(dev[i].dev_fname, 0755) == -1) mkdir_attr(dev[i].dev_fname, 0755, 0, 0);
errExit("mkdir");
if (chmod(dev[i].dev_fname, 0755) == -1)
errExit("chmod");
ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755);
} }
else { else {
struct stat s; struct stat s;
@ -130,11 +126,7 @@ void fs_private_dev(void){
// create DRI_DIR // create DRI_DIR
// keep a copy of dev directory // keep a copy of dev directory
if (mkdir(RUN_DEV_DIR, 0755) == -1) mkdir_attr(RUN_DEV_DIR, 0755, 0, 0);
errExit("mkdir");
if (chmod(RUN_DEV_DIR, 0755) == -1)
errExit("chmod");
ASSERT_PERMS(RUN_DEV_DIR, 0, 0, 0755);
if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mounting /dev/dri"); errExit("mounting /dev/dri");
@ -179,12 +171,7 @@ void fs_private_dev(void){
// create /dev/shm // create /dev/shm
if (arg_debug) if (arg_debug)
printf("Create /dev/shm directory\n"); printf("Create /dev/shm directory\n");
if (mkdir("/dev/shm", 01777) == -1) mkdir_attr("/dev/shm", 01777, 0, 0);
errExit("mkdir");
// mkdir sets only the file permission bits
if (chmod("/dev/shm", 01777) < 0)
errExit("chmod");
ASSERT_PERMS("/dev/shm", 0, 0, 01777);
fs_logger("mkdir /dev/shm"); fs_logger("mkdir /dev/shm");
// create devices // create devices
@ -206,11 +193,7 @@ void fs_private_dev(void){
#endif #endif
// pseudo-terminal // pseudo-terminal
if (mkdir("/dev/pts", 0755) == -1) mkdir_attr("/dev/pts", 0755, 0, 0);
errExit("mkdir");
if (chmod("/dev/pts", 0755) == -1)
errExit("chmod");
ASSERT_PERMS("/dev/pts", 0, 0, 0755);
fs_logger("mkdir /dev/pts"); fs_logger("mkdir /dev/pts");
create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
fs_logger("mknod /dev/pts/ptmx"); fs_logger("mknod /dev/pts/ptmx");
@ -260,12 +243,7 @@ void fs_dev_shm(void) {
if (lnk) { if (lnk) {
if (!is_dir(lnk)) { if (!is_dir(lnk)) {
// create directory // create directory
if (mkdir(lnk, 01777)) mkdir_attr(lnk, 01777, 0, 0);
errExit("mkdir");
// mkdir sets only the file permission bits
if (chmod(lnk, 01777))
errExit("chmod");
ASSERT_PERMS(lnk, 0, 0, 01777);
} }
if (arg_debug) if (arg_debug)
printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);

6
src/firejail/fs_etc.c
View file

@ -132,11 +132,7 @@ void fs_private_etc_list(void) {
} }
// create /run/firejail/mnt/etc directory // create /run/firejail/mnt/etc directory
if (mkdir(RUN_ETC_DIR, 0755) == -1) mkdir_attr(RUN_ETC_DIR, 0755, 0, 0);
errExit("mkdir");
if (chmod(RUN_ETC_DIR, 0755) == -1)
errExit("chmod");
ASSERT_PERMS(RUN_ETC_DIR, 0, 0, 0755);
fs_logger("tmpfs /etc"); fs_logger("tmpfs /etc");
fs_logger_print(); // save the current log fs_logger_print(); // save the current log

23
src/firejail/fs_var.c
View file

@ -98,10 +98,7 @@ static void build_dirs(void) {
// create directories under /var/log // create directories under /var/log
DirData *ptr = dirlist; DirData *ptr = dirlist;
while (ptr) { while (ptr) {
if (mkdir(ptr->name, ptr->st_mode)) mkdir_attr(ptr->name, ptr->st_mode, ptr->st_uid, ptr->st_gid);
errExit("mkdir");
if (chown(ptr->name, ptr->st_uid, ptr->st_gid))
errExit("chown");
fs_logger2("mkdir", ptr->name); fs_logger2("mkdir", ptr->name);
ptr = ptr->next; ptr = ptr->next;
} }
@ -223,18 +220,10 @@ void fs_var_cache(void) {
gid = p->pw_gid; gid = p->pw_gid;
} }
int rv = mkdir("/var/cache/lighttpd/compress", 0755); mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid);
if (rv == -1)
errExit("mkdir");
if (chown("/var/cache/lighttpd/compress", uid, gid) < 0)
errExit("chown");
fs_logger("mkdir /var/cache/lighttpd/compress"); fs_logger("mkdir /var/cache/lighttpd/compress");
rv = mkdir("/var/cache/lighttpd/uploads", 0755); mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid);
if (rv == -1)
errExit("mkdir");
if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0)
errExit("chown");
fs_logger("/var/cache/lighttpd/uploads"); fs_logger("/var/cache/lighttpd/uploads");
} }
} }
@ -268,11 +257,7 @@ void fs_var_lock(void) {
if (lnk) { if (lnk) {
if (!is_dir(lnk)) { if (!is_dir(lnk)) {
// create directory // create directory
if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO)) mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
errExit("mkdir");
if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
errExit("chmod");
ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO);
} }
if (arg_debug) if (arg_debug)
printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);

14
src/firejail/join.c
View file

@ -229,15 +229,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
exit(1); exit(1);
} }
else { else {
if (join_namespace(pid, "ipc")) if (join_namespace(pid, "ipc") ||
exit(1); join_namespace(pid, "net") ||
if (join_namespace(pid, "net")) join_namespace(pid, "pid") ||
exit(1); join_namespace(pid, "uts") ||
if (join_namespace(pid, "pid")) join_namespace(pid, "mnt"))
exit(1);
if (join_namespace(pid, "uts"))
exit(1);
if (join_namespace(pid, "mnt"))
exit(1); exit(1);
} }

36
src/firejail/util.c
View file

@ -731,4 +731,40 @@ int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
return 0; return 0;
} }
void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
assert(fname);
mode &= 07777;
#if 0
printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode);
if (S_ISLNK(mode))
printf("l");
else if (S_ISDIR(mode))
printf("d");
else if (S_ISCHR(mode))
printf("c");
else if (S_ISBLK(mode))
printf("b");
else if (S_ISSOCK(mode))
printf("s");
else
printf("-");
printf( (mode & S_IRUSR) ? "r" : "-");
printf( (mode & S_IWUSR) ? "w" : "-");
printf( (mode & S_IXUSR) ? "x" : "-");
printf( (mode & S_IRGRP) ? "r" : "-");
printf( (mode & S_IWGRP) ? "w" : "-");
printf( (mode & S_IXGRP) ? "x" : "-");
printf( (mode & S_IROTH) ? "r" : "-");
printf( (mode & S_IWOTH) ? "w" : "-");
printf( (mode & S_IXOTH) ? "x" : "-");
printf("\n");
#endif
if (mkdir(fname, mode) == -1 ||
chmod(fname, mode) == -1 ||
chown(fname, uid, gid)) {
fprintf(stderr, "Error: failed to create %s directory\n", fname);
errExit("mkdir/chmod");
}
ASSERT_PERMS(fname, uid, gid, mode);
}

6
test/appimage/appimage-v1.exp
View file

@ -7,7 +7,7 @@ set timeout 10
spawn $env(SHELL) spawn $env(SHELL)
match_max 100000 match_max 100000
send -- "firejail --appimage Leafpad-0.8.17-x86_64.AppImage\r" send -- "firejail --name=appimage-test --appimage Leafpad-0.8.17-x86_64.AppImage\r"
expect { expect {
timeout {puts "TESTING ERROR 1\n";exit} timeout {puts "TESTING ERROR 1\n";exit}
"Child process initialized" "Child process initialized"
@ -77,5 +77,9 @@ expect {
} }
after 100 after 100
spawn $env(SHELL)
send -- "firejail --shutdown=appimage-test\r"
sleep 3
puts "\nall done\n" puts "\nall done\n"

4
test/appimage/appimage-v2.exp
View file

@ -77,5 +77,9 @@ expect {
} }
after 100 after 100
spawn $env(SHELL)
send -- "firejail --shutdown=appimage-test\r"
sleep 3
puts "\nall done\n" puts "\nall done\n"

36
test/apps-x11/apps-x11.sh
View file

@ -6,6 +6,33 @@
export MALLOC_CHECK_=3 export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
echo "TESTING: no x11 (test/apps-x11/x11-none.exp)"
./x11-none.exp
which xterm
if [ "$?" -eq 0 ];
then
echo "TESTING: xterm x11 xorg"
./xterm-xorg.exp
which xpra
if [ "$?" -eq 0 ];
then
echo "TESTING: xterm x11 xpra"
./xterm-xpra.exp
fi
which Xephyr
if [ "$?" -eq 0 ];
then
echo "TESTING: xterm x11 xephyr"
./xterm-xephyr.exp
fi
else
echo "TESTING SKIP: xterm not found"
fi
# check xpra/xephyr # check xpra/xephyr
which xpra which xpra
if [ "$?" -eq 0 ]; if [ "$?" -eq 0 ];
@ -23,15 +50,6 @@ else
fi fi
fi fi
which xterm
if [ "$?" -eq 0 ];
then
echo "TESTING: xterm x11"
./xterm.exp
else
echo "TESTING SKIP: xterm not found"
fi
which firefox which firefox
if [ "$?" -eq 0 ]; if [ "$?" -eq 0 ];
then then

48
test/apps-x11/x11-none.exp Executable file
View file

@ -0,0 +1,48 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2016 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --name=test --x11=none\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"use network namespace in firejail"
}
sleep 1
send -- "firejail --name=test --net=none --x11=none\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"Child process initialized"
}
sleep 1
send -- "ls -al /tmp/.X11-unix\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"cannot open directory"
}
after 100
send -- "xterm\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"DISPLAY is not set"
}
after 100
send -- "export DISPLAY=:0.0\r"
after 100
send -- "xterm\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"Xt error"
}
after 100
puts "\nall done\n"

59
test/apps-x11/x11-xephyr.exp Executable file
View file

@ -0,0 +1,59 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2016 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --name=test --x11=xephyr xterm\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"Child process initialized"
}
exit
sleep 5
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"use network namespace in firejail"
}
sleep 1
send -- "firejail --name=test --net=none --x11=none\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"Child process initialized"
}
sleep 1
send -- "ls -al /tmp/.X11-unix\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"cannot open directory"
}
after 100
send -- "xterm\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"DISPLAY is not set"
}
after 100
send -- "export DISPLAY=:0.0\r"
after 100
send -- "xterm\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"Xt error"
}
after 100
puts "\nall done\n"

86
test/apps-x11/xterm-xephyr.exp Executable file
View file

@ -0,0 +1,86 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2016 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --name=test --x11=xephyr xterm\r"
sleep 10
spawn $env(SHELL)
send -- "firejail --list\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
":firejail"
}
expect {
timeout {puts "TESTING ERROR 3.1\n";exit}
"xterm"
}
sleep 1
# grsecurity exit
send -- "file /proc/sys/kernel/grsecurity\r"
expect {
timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
"cannot open" {puts "grsecurity not present\n"}
}
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"Child process initialized"
}
sleep 2
spawn $env(SHELL)
send -- "firemon --seccomp\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
":firejail"
}
expect {
timeout {puts "TESTING ERROR 5.0\n";exit}
"xterm"
}
expect {
timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
"Seccomp: 2"
}
expect {
timeout {puts "TESTING ERROR 5.1\n";exit}
"name=blablabla"
}
sleep 1
send -- "firemon --caps\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
":firejail"
}
expect {
timeout {puts "TESTING ERROR 6.0\n";exit}
"xterm"
}
expect {
timeout {puts "TESTING ERROR 6.1\n";exit}
"CapBnd"
}
expect {
timeout {puts "TESTING ERROR 6.2\n";exit}
"0000000000000000"
}
expect {
timeout {puts "TESTING ERROR 6.3\n";exit}
"name=blablabla"
}
sleep 1
send -- "firejail --shutdown=test\r"
sleep 3
puts "\nall done\n"

2
test/apps-x11/xterm.exp → test/apps-x11/xterm-xorg.exp
View file

@ -7,7 +7,7 @@ set timeout 10
spawn $env(SHELL) spawn $env(SHELL)
match_max 100000 match_max 100000
send -- "firejail --name=test --x11 xterm\r" send -- "firejail --name=test --x11=xorg xterm\r"
sleep 10 sleep 10
spawn $env(SHELL) spawn $env(SHELL)

86
test/apps-x11/xterm-xpra.exp Executable file
View file

@ -0,0 +1,86 @@
#!/usr/bin/expect -f
# This file is part of Firejail project
# Copyright (C) 2014-2016 Firejail Authors
# License GPL v2
set timeout 10
spawn $env(SHELL)
match_max 100000
send -- "firejail --name=test --x11=xpra xterm\r"
sleep 10
spawn $env(SHELL)
send -- "firejail --list\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
":firejail"
}
expect {
timeout {puts "TESTING ERROR 3.1\n";exit}
"xterm"
}
sleep 1
# grsecurity exit
send -- "file /proc/sys/kernel/grsecurity\r"
expect {
timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
"cannot open" {puts "grsecurity not present\n"}
}
send -- "firejail --name=blablabla\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"Child process initialized"
}
sleep 2
spawn $env(SHELL)
send -- "firemon --seccomp\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
":firejail"
}
expect {
timeout {puts "TESTING ERROR 5.0\n";exit}
"xterm"
}
expect {
timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
"Seccomp: 2"
}
expect {
timeout {puts "TESTING ERROR 5.1\n";exit}
"name=blablabla"
}
sleep 1
send -- "firemon --caps\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
":firejail"
}
expect {
timeout {puts "TESTING ERROR 6.0\n";exit}
"xterm"
}
expect {
timeout {puts "TESTING ERROR 6.1\n";exit}
"CapBnd"
}
expect {
timeout {puts "TESTING ERROR 6.2\n";exit}
"0000000000000000"
}
expect {
timeout {puts "TESTING ERROR 6.3\n";exit}
"name=blablabla"
}
sleep 1
send -- "firejail --shutdown=test\r"
sleep 3
puts "\nall done\n"

4
test/fs/read-write.exp
View file

@ -20,12 +20,14 @@ expect {
timeout {puts "TESTING ERROR 1\n";exit} timeout {puts "TESTING ERROR 1\n";exit}
"done" "done"
} }
after 100
send -- "echo mytest >~/_firejail_test_dir/test1/b;echo done\r" send -- "echo mytest >~/_firejail_test_dir/test1/b;echo done\r"
expect { expect {
timeout {puts "TESTING ERROR 2\n";exit} timeout {puts "TESTING ERROR 2\n";exit}
"done" "done"
} }
after 100
send -- "cat ~/_firejail_test_dir/a;echo done\r" send -- "cat ~/_firejail_test_dir/a;echo done\r"
expect { expect {
@ -33,7 +35,7 @@ expect {
"mytest" {puts "TESTING ERROR 4\n";exit} "mytest" {puts "TESTING ERROR 4\n";exit}
"done" "done"
} }
after 100
send -- "cat ~/_firejail_test_dir/test1/b;echo done\r" send -- "cat ~/_firejail_test_dir/test1/b;echo done\r"
expect { expect {

12
test/network/firemon-arp.exp
View file

@ -4,12 +4,12 @@ set timeout 10
spawn $env(SHELL) spawn $env(SHELL)
match_max 100000 match_max 100000
send -- "ping -c 3 192.168.1.1\r" #send -- "ping -c 3 192.168.1.1\r"
expect { #expect {
timeout {puts "TESTING ERROR 0\n";exit} # timeout {puts "TESTING ERROR 0\n";exit}
"3 packets transmitted" # "3 packets transmitted"
} #}
sleep 1 #sleep 1
send -- "firejail --name=test1\r" send -- "firejail --name=test1\r"
expect { expect {

20
test/root/firejail.config Normal file
View file

@ -0,0 +1,20 @@
bind yes
chroot yes
chroot-desktop yes
file-transfer yes
force-nonewprivs no
network yes
overlayfs yes
private-bin-no-local no
private-home yes
quiet-by-default no
remount-proc-sys yes
restricted-network no
# netfilter-default /etc/iptables.iptables.rules
seccomp yes
userns yes
whitelist yes
x11 yes
xephyr-screen 800x600
xephyr-window-title yes
xephyr-extra-params -grayscale

6
test/root/root.sh
View file

@ -1,5 +1,8 @@
#!/bin/bash #!/bin/bash
# set a new firejail config file
cp firejail.config /etc/firejail/firejail.config
#******************************** #********************************
# servers # servers
#******************************** #********************************
@ -91,3 +94,6 @@ else
echo "TESTING SKIP: firecfg, firefox not found" echo "TESTING SKIP: firecfg, firefox not found"
fi fi
# restore the default config file
cp ../../etc/firejail.config /etc/firejail/firejail.config

2
test/root/seccomp-umount.exp
View file

@ -7,7 +7,7 @@ set timeout 10
spawn $env(SHELL) spawn $env(SHELL)
match_max 100000 match_max 100000
send -- "firejail --net=br0 --ip=10.10.20.5 --seccomp --noprofile\r" send -- "firejail --seccomp --noprofile\r"
expect { expect {
timeout {puts "TESTING ERROR 0\n";exit} timeout {puts "TESTING ERROR 0\n";exit}
"Child process initialized" "Child process initialized"

2
test/utils/join.exp
View file

@ -8,7 +8,7 @@ cd /home
spawn $env(SHELL) spawn $env(SHELL)
match_max 100000 match_max 100000
send -- "firejail --name=jointesting\r" send -- "firejail --name=jointesting --cpu=0 --nice=2\r"
expect { expect {
timeout {puts "TESTING ERROR 0\n";exit} timeout {puts "TESTING ERROR 0\n";exit}
"Child process initialized" "Child process initialized"

42
test/utils/ls.exp
View file

@ -3,6 +3,8 @@
set timeout 10 set timeout 10
spawn $env(SHELL) spawn $env(SHELL)
match_max 100000 match_max 100000
set firstspawn $spawn_id
send -- "rm -f lstesting\r" send -- "rm -f lstesting\r"
sleep 1 sleep 1
@ -11,11 +13,11 @@ expect {
timeout {puts "TESTING ERROR 0\n";exit} timeout {puts "TESTING ERROR 0\n";exit}
"Child process initialized" "Child process initialized"
} }
sleep 2 sleep 1
send -- "echo my_testing > ~/lstesting\r" send -- "echo my_testing > ~/lstesting\r"
sleep 2 after 100
# ls
spawn $env(SHELL) spawn $env(SHELL)
send -- "firejail --ls=test ~/.\r" send -- "firejail --ls=test ~/.\r"
expect { expect {
@ -23,14 +25,44 @@ expect {
"lstesting" "lstesting"
} }
sleep 1 sleep 1
# get
send -- "firejail --get=test ~/lstesting\r" send -- "firejail --get=test ~/lstesting\r"
sleep 2 sleep 1
send -- "cat lstesting\r" send -- "cat lstesting\r"
expect { expect {
timeout {puts "TESTING ERROR 3\n";exit} timeout {puts "TESTING ERROR 2n";exit}
"my_testing" "my_testing"
} }
after 100
# put
send -- "echo put_test > ~/lstesting\r"
after 100
send -- "firejail --put=test ~/lstesting ~/lstesting_2\r"
sleep 1 sleep 1
set spawn_id $firstspawn
send -- "ls -al ~\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"lstesting_2"
}
after 100
send -- "cat ~/lstesting_2\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"put_test"
}
after 100
send -- "exit\r"
sleep 1
send -- "rm -f lstesting\r" send -- "rm -f lstesting\r"
after 100 after 100

4
test/utils/utils.sh
View file

@ -88,10 +88,10 @@ echo "TESTING: top (test/utils/top.exp)"
echo "TESTING: file transfer (test/utils/ls.exp)" echo "TESTING: file transfer (test/utils/ls.exp)"
./ls.exp ./ls.exp
echo "TESTING: firemon --seccomp (test/utils/firemon-seccomp.exp)" echo "TESTING: firemon seccomp (test/utils/firemon-seccomp.exp)"
./firemon-seccomp.exp ./firemon-seccomp.exp
echo "TESTING: firemon --caps (test/utils/firemon-caps.exp)" echo "TESTING: firemon caps (test/utils/firemon-caps.exp)"
./firemon-caps.exp ./firemon-caps.exp
echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)" echo "TESTING: firemon cpu (test/utils/firemon-cpu.exp)"

1
todo
View file

@ -286,4 +286,5 @@ removable media, partitions, software RAID volumes, logical volumes, and files.
29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*
30. /* coverity[toctou] */