From 746b6aa3b8bd5f8482078925901f09ed0f45c0b3 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 27 Aug 2015 12:37:57 -0400 Subject: [PATCH] testing --- README | 2 ++ RELNOTES | 1 + etc/generic.profile | 38 ++++--------------------- src/firejail/main.c | 7 +++-- test/firemon-caps.exp | 61 +++++++++++++++++----------------------- test/firemon-seccomp.exp | 10 +++---- test/net_local.exp | 6 ++-- test/net_netfilter.exp | 10 +++---- test/net_noip.exp | 6 ++-- test/net_noip2.exp | 6 ++-- 10 files changed, 57 insertions(+), 90 deletions(-) diff --git a/README b/README index 7513b492f..4c1850c7e 100644 --- a/README +++ b/README @@ -37,5 +37,7 @@ Michael Haas (https://github.com/mhaas) - bugfixes mjudtmann (https://github.com/mjudtmann) - lock firejail configuration in disable-mgmt.inc +iiotx (https://github.com/iiotx) + - use generci.profile by default Copyright (C) 2014, 2015 Firejail Authors diff --git a/RELNOTES b/RELNOTES index e78192284..e580fb878 100644 --- a/RELNOTES +++ b/RELNOTES @@ -9,6 +9,7 @@ firejail (0.9.29) baseline; urgency=low * support ~ and blanks in blacklist option * support "net none" command in profile files * added "net none" to Evince PDF viewer + * using /etc/firejail/generic.profile by default * bugfixes -- netblue30 Mon, 24 Aug 2015 20:25:00 -0500 diff --git a/etc/generic.profile b/etc/generic.profile index 83bf59e0a..f1c6af30d 100644 --- a/etc/generic.profile +++ b/etc/generic.profile 
@@ -1,38 +1,10 @@ ################################ -# Generic profile based on Firefox profile +# Generic GUI application profile ################################ -#include /etc/firejail/disable-mgmt.inc -# system directories -blacklist /sbin -blacklist /usr/sbin -# system management -blacklist ${PATH}/umount -blacklist ${PATH}/mount -blacklist ${PATH}/fusermount -blacklist ${PATH}/su -blacklist ${PATH}/sudo -blacklist ${PATH}/xinput -blacklist ${PATH}/strace - -#include /etc/firejail/disable-secret.inc -# HOME directory -blacklist ${HOME}/.ssh -tmpfs ${HOME}/.gnome2_private -blacklist ${HOME}/.gnome2/keyrings -blacklist ${HOME}/kde4/share/apps/kwallet -blacklist ${HOME}/kde/share/apps/kwallet -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.gnupg -blacklist ${HOME}/.local/share/recently-used.xbel - -blacklist ${HOME}/.adobe -blacklist ${HOME}/.macromedia -blacklist ${HOME}/.mozilla -blacklist ${HOME}/.icedove -blacklist ${HOME}/.thunderbird -blacklist ${HOME}/.config/opera -blacklist ${HOME}/.config/chromium -blacklist ${HOME}/.config/google-chrome +include /etc/firejail/disable-mgmt.inc +include /etc/firejail/disable-secret.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-history.inc caps.drop all seccomp diff --git a/src/firejail/main.c b/src/firejail/main.c index 7db18181d..e02cf6215 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1065,11 +1065,12 @@ int main(int argc, char **argv) { } } + assert(cfg.command_name); + if (arg_debug) + printf("Command name #%s#\n", cfg.command_name); + // load the profile if (!arg_noprofile) { - assert(cfg.command_name); - if (arg_debug) - printf("Command name #%s#\n", cfg.command_name); if (!custom_profile) { // look for a profile in ~/.config/firejail directory char *usercfgdir; diff --git a/test/firemon-caps.exp b/test/firemon-caps.exp index 547d04c02..3dd6384db 100755 --- a/test/firemon-caps.exp +++ b/test/firemon-caps.exp 
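Review bot: The four `+include` lines replace the explicit blacklist entries, and because this profile is now applied by default to any command without its own profile (per the RELNOTES hunk), any path the .inc files do not cover becomes a silent loosening of every default sandbox; the diff does not show their contents, so please confirm that `${HOME}/.mozilla`, `${HOME}/.thunderbird`, `${HOME}/.config/chromium`, `${HOME}/.pki/nssdb`, `${HOME}/.gnupg` and the `tmpfs ${HOME}/.gnome2_private` line all reappear in disable-secret.inc or disable-common.inc. The header comment `# Generic GUI application profile` undersells the file's new role; I would change it to `# Default profile: applied to every command that has no dedicated profile (see src/firejail/main.c). Loosening anything here loosens every default sandbox.` It would also help to state in that header whether a missing or unreadable .inc file makes profile loading fail closed, since that behaviour is not visible in this change.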
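Review bot: The relocated `assert(cfg.command_name);` is the only guard in front of `printf("Command name #%s#\n", cfg.command_name);`, and assert() is compiled out under NDEBUG, so a release build would pass a NULL pointer to `%s` (undefined behaviour; glibc happens to print `(null)`) and then continue into the profile lookup with a NULL name if any code path leaves it unset — I cannot tell from this hunk whether one does, but the move now applies the invariant to `--noprofile` runs as well, which previously skipped it. An explicit runtime check is the safer form here: `if (!cfg.command_name) { fprintf(stderr, "Error: cannot determine command name\n"); exit(1); }`. main() begins and ends outside this hunk.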
@@ -4,7 +4,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=bingo1 --caps\r" +send -- "firejail --name=bingo1 --noprofile --caps\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" @@ -12,33 +12,33 @@ expect { sleep 1 spawn $env(SHELL) -send -- "firejail --name=bingo2\r" +send -- "firejail --name=bingo2 --noprofile\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} + timeout {puts "TESTING ERROR 1\n";exit} "Child process initialized" } sleep 1 spawn $env(SHELL) -send -- "firejail --name=bingo3 --caps.drop=all\r" +send -- "firejail --name=bingo3 --noprofile --caps.drop=all\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} + timeout {puts "TESTING ERROR 2\n";exit} "Child process initialized" } sleep 1 spawn $env(SHELL) -send -- "firejail --name=bingo4 --caps.drop=chown,kill\r" +send -- "firejail --noprofile --name=bingo4 --caps.drop=chown,kill\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "Child process initialized" } sleep 1 spawn $env(SHELL) -send -- "firejail --name=bingo5 --caps.keep=chown,kill\r" +send -- "firejail --noprofile --name=bingo5 --caps.keep=chown,kill\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } sleep 1 @@ -46,7 +46,7 @@ sleep 1 spawn $env(SHELL) send -- "firejail --name=bingo6 --profile=caps1.profile\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} + timeout {puts "TESTING ERROR 5\n";exit} "Child process initialized" } sleep 1 
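Review bot: Every sandbox in the `@@ -12,33` hunk now passes `--noprofile`, so the suite only exercises the opt-out path and nothing checks the behaviour this commit introduces, namely that a bare `firejail --name=...` now picks up generic.profile and its `caps.drop all`. I would add one sandbox started without `--noprofile` or `--profile` and expect the all-zero capability mask that bingo3 already checks; if the test host has no /etc/firejail/generic.profile installed this case will fail, which is itself worth knowing. The placement of `--noprofile` also varies within the hunk (after `--name` for bingo1–bingo3, before it for bingo4/bingo5); one order makes the file easier to scan.
```tcl
# … unchanged: bingo1–bingo7 sandboxes …
spawn $env(SHELL)
send -- "firejail --name=bingo8\r"
expect {
	timeout {puts "TESTING ERROR 7.1\n";exit}
	"Child process initialized"
}
sleep 1
# … unchanged: firemon --caps and the bingo1–bingo7 expectations …
expect {
	timeout {puts "TESTING ERROR 8.15\n";exit}
	"bingo8"
}
expect {
	timeout {puts "TESTING ERROR 8.16\n";exit}
	"000000000000"
}
```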
@@ -59,77 +59,68 @@ expect { } sleep 1 - - - spawn $env(SHELL) send -- "firemon --caps\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} + timeout {puts "TESTING ERROR 8.1\n";exit} "bingo1" } expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 8.2\n";exit} "31cffff" } expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 8.3\n";exit} "bingo2" } expect { - timeout {puts "TESTING ERROR 4\n";exit} + timeout {puts "TESTING ERROR 8.4\n";exit} "fffffff" } expect { - timeout {puts "TESTING ERROR 5\n";exit} + timeout {puts "TESTING ERROR 8.5\n";exit} "bingo3" } expect { - timeout {puts "TESTING ERROR 6\n";exit} + timeout {puts "TESTING ERROR 8.6\n";exit} "000000000000" } expect { - timeout {puts "TESTING ERROR 7\n";exit} + timeout {puts "TESTING ERROR 8.7\n";exit} "bingo4" } expect { - timeout {puts "TESTING ERROR 8\n";exit} + timeout {puts "TESTING ERROR 8.8\n";exit} "ffffffde" } expect { - timeout {puts "TESTING ERROR 7\n";exit} + timeout {puts "TESTING ERROR 8.9\n";exit} "bingo5" } expect { - timeout {puts "TESTING ERROR 9\n";exit} + timeout {puts "TESTING ERROR 8.10\n";exit} "0000000000000021" } expect { - timeout {puts "TESTING ERROR 10\n";exit} + timeout {puts "TESTING ERROR 8.11\n";exit} "bingo6" } expect { - timeout {puts "TESTING ERROR 11\n";exit} + timeout {puts "TESTING ERROR 8.12\n";exit} "ffffffde" } expect { - timeout {puts "TESTING ERROR 12\n";exit} + timeout {puts "TESTING ERROR 8.13\n";exit} "bingo7" } expect { - timeout {puts "TESTING ERROR 13\n";exit} + timeout {puts "TESTING ERROR 8.14\n";exit} "0000000000000021" } +after 100 - - - - - -sleep 1 - -puts "\n" +puts "all done\n" diff --git a/test/firemon-seccomp.exp b/test/firemon-seccomp.exp index 0cf53b690..55817faf3 100755 --- a/test/firemon-seccomp.exp +++ b/test/firemon-seccomp.exp 
@@ -4,7 +4,7 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail --name=bingo1 --seccomp\r" +send -- "firejail --noprofile --name=bingo1 --seccomp\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Child process initialized" @@ -12,9 +12,9 @@ expect { sleep 1 spawn $env(SHELL) -send -- "firejail --name=bingo2\r" +send -- "firejail --noprofile --name=bingo2\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} + timeout {puts "TESTING ERROR 0.1\n";exit} "Child process initialized" } sleep 1 @@ -40,6 +40,6 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "Seccomp: 0" } -sleep 1 +after 100 -puts "\n" +puts "all done\n" diff --git a/test/net_local.exp b/test/net_local.exp index 9302ec4ef..032c0427d 100755 --- a/test/net_local.exp +++ b/test/net_local.exp @@ -5,7 +5,7 @@ spawn $env(SHELL) match_max 100000 # check ip address -send -- "firejail --debug\r" +send -- "firejail --noprofile --debug\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Using the local network stack" @@ -19,7 +19,7 @@ send -- "exit\r" sleep 2 # check loopback -send -- "firejail\r" +send -- "firejail --noprofile\r" expect { timeout {puts "TESTING ERROR 9\n";exit} "Child process initialized" @@ -45,5 +45,5 @@ expect { "UP" } -puts "\n" +puts "all done\n" diff --git a/test/net_netfilter.exp b/test/net_netfilter.exp index 8583d4625..989fcc407 100755 --- a/test/net_netfilter.exp +++ b/test/net_netfilter.exp @@ -5,7 +5,7 @@ spawn $env(SHELL) match_max 100000 # check default netfilter on br0 -send -- "firejail --debug --net=br0 --ip=10.10.20.5 --netfilter\r" +send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Installing network filter" 
@@ -31,7 +31,7 @@ send -- "exit\r" sleep 1 # check default netfilter no new network -send -- "firejail --debug --netfilter\r" +send -- "firejail --debug --noprofile --netfilter\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "Installing network filter" {puts "TESTING ERROR 5.1\n";exit} @@ -45,7 +45,7 @@ send -- "exit\r" sleep 1 # check file filter netfilter on br0 -send -- "firejail --debug --net=br0 --ip=10.10.20.5 --netfilter=netfilter.filter\r" +send -- "firejail --debug --noprofile --net=br0 --ip=10.10.20.5 --netfilter=netfilter.filter\r" expect { timeout {puts "TESTING ERROR 6\n";exit} "Installing network filter" @@ -82,7 +82,7 @@ expect { } send -- "exit\r" -sleep 1 +after 100 -puts "\n" +puts "all done\n" diff --git a/test/net_noip.exp b/test/net_noip.exp index 3db67885d..8d28adb39 100755 --- a/test/net_noip.exp +++ b/test/net_noip.exp @@ -5,7 +5,7 @@ spawn $env(SHELL) match_max 100000 # check ip address -send -- "firejail --net=br0 --ip=none\r" +send -- "firejail --noprofile --net=br0 --ip=none\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "eth0" {puts "TESTING ERROR 1\n";exit} @@ -35,7 +35,7 @@ expect { timeout {puts "TESTING ERROR 6\n";exit} "home" } -sleep 1 +after 100 -puts "\n" +puts "all done\n" diff --git a/test/net_noip2.exp b/test/net_noip2.exp index 234aec8a8..58f90422b 100755 --- a/test/net_noip2.exp +++ b/test/net_noip2.exp @@ -5,7 +5,7 @@ spawn $env(SHELL) match_max 100000 # check ip address -send -- "firejail --net=br1 --ip=none --defaultgw=10.10.30.78\r" +send -- "firejail --noprofile --net=br1 --ip=none --defaultgw=10.10.30.78\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "eth0" {puts "TESTING ERROR 1\n";exit} @@ -35,7 +35,7 @@ expect { timeout {puts "TESTING ERROR 6\n";exit} "home" } -sleep 1 +after 100 -puts "\n" +puts "all done\n"