From 759dc6ade2bcb7408dbbf3dc31230fc7534ca29d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 19 Dec 2016 10:24:25 -0500 Subject: [PATCH] testing --- README | 5 + README.md | 9 ++ RELNOTES | 4 +- .../fix_private-bin_for_symlinked_sh.py | 0 src/firejail/usage.c | 4 +- src/man/firejail.txt | 9 ++ test/appimage/appimage-args.exp | 97 +++++++++++++++++++ test/appimage/appimage.sh | 6 +- test/fs/private-home-dir.exp | 62 +++++++++++- 9 files changed, 191 insertions(+), 5 deletions(-) rename {etc => contrib}/fix_private-bin_for_symlinked_sh.py (100%) create mode 100755 test/appimage/appimage-args.exp diff --git a/README b/README index 42a1f580a..5dc50c9bf 100644 --- a/README +++ b/README @@ -97,6 +97,10 @@ valoq (https://github.com/valoq) - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile - disable gnupg and systemd directories under /run/user +thewisenerd (https://github.com/thewisenerd) + - appimage: pass commandline arguments +KOLANICH (https://github.com/KOLANICH) + - added symlink fixer Jesse Smith (https://github.com/slicer69) - added QupZilla profile Lari Rauno (https://github.com/tuutti) @@ -317,6 +321,7 @@ Peter Millerchip (https://github.com/pmillerchip) - support for files and directories starting with ~ in blacklist option - support for files and directories with spaces in blacklist option - lots of other fixes + - implement the --allow-private-blacklist option sarneaud (https://github.com/sarneaud) - rewrite globbing code to fix various minor issues - added noblacklist command for profile files diff --git a/README.md b/README.md index a8722f810..9057a9a88 100644 --- a/README.md +++ b/README.md @@ -81,6 +81,15 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is Example: $ firejail --machine-id + + --allow-private-blacklist + Allow blacklisting files in private home directory. By default + these blacklists are disabled. + + Example: + $ firejail --allow-private-blacklist --private=~/priv-dir + --blacklist=~/.mozilla + ````` ## New Profiles xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2, diff --git a/RELNOTES b/RELNOTES index 7144b2bf3..2d57b1a88 100644 --- a/RELNOTES +++ b/RELNOTES @@ -13,7 +13,9 @@ firejail (0.9.45) baseline; urgency=low * feature: private /opt directory (--private-opt, profile support) * feature: private /srv directory (--private-srv, profile support) * feature: spoof machine-id - * feature: config support for firejail prompt in terminal + * feature: config support for firejail prompt in terminals + * feature: pass command line arguments to appimages + * feature: --allow-private-blacklist option * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, diff --git a/etc/fix_private-bin_for_symlinked_sh.py b/contrib/fix_private-bin_for_symlinked_sh.py similarity index 100% rename from etc/fix_private-bin_for_symlinked_sh.py rename to contrib/fix_private-bin_for_symlinked_sh.py diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1131abe5f..9f4dfd44c 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -30,8 +30,8 @@ void usage(void) { printf("Options:\n"); printf(" -- - signal the end of options and disables further option processing.\n"); printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"); - printf(" --allow-private-blacklist - allow blacklisting things in private\n"); - printf("\tdirectories.\n"); + printf(" --allow-private-blacklist - allow blacklisting files in private\n"); + printf("\thome directories.\n"); printf(" --allusers - all user home directories are visible inside the sandbox.\n"); printf(" --apparmor - enable AppArmor confinement.\n"); printf(" --appimage - sandbox an AppImage application.\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 5b43b1ca5..60c21cbc1 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -84,6 +84,15 @@ Example: .br $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox .TP +\fB\-\-allow-private-blacklist +Allow blacklisting files in private home directory. By default these blacklists are disabled. +.br + +.br +Example: +.br +$ firejail --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla +.TP \fB\-\-allusers All directories under /home are visible inside the sandbox. By default, only current user home directory is visible. .br diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp new file mode 100755 index 000000000..93dba69ad --- /dev/null +++ b/test/appimage/appimage-args.exp @@ -0,0 +1,97 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "execvp argument 2" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "AppRun" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "testfile" +} +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --list\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + ":firejail" +} +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "appimage Leafpad" +} +after 100 + +# grsecurity exit +send -- "file /proc/sys/kernel/grsecurity\r" +expect { + timeout {puts "TESTING ERROR - grsecurity detection\n";exit} + "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit} + "cannot open" {puts "grsecurity not present\n"} +} + + +send -- "firejail --name=blablabla\r" +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firemon --seccomp\r" +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} + "appimage Leafpad" +} +expect { + timeout {puts "TESTING ERROR 9 (seccomp)\n";exit} + "Seccomp: 2" +} +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "name=blablabla" +} +after 100 +send -- "firemon --caps\r" +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "appimage Leafpad" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "CapBnd:" +} +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "0000000000000000" +} +expect { + timeout {puts "TESTING ERROR 14\n";exit} + "name=blablabla" +} +after 100 + +spawn $env(SHELL) +send -- "firejail --shutdown=appimage-test\r" +sleep 3 + +puts "\nall done\n" + diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh index db221ec8a..bb646e189 100755 --- a/test/appimage/appimage.sh +++ b/test/appimage/appimage.sh @@ -13,4 +13,8 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)" ./appimage-v2.exp echo "TESTING: AppImage file name (test/appimage/filename.exp)"; -./filename.exp \ No newline at end of file +./filename.exp + +echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)" +./appimage-args.exp + diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp index 5491be834..f85a939b1 100755 --- a/test/fs/private-home-dir.exp +++ b/test/fs/private-home-dir.exp @@ -21,6 +21,8 @@ if {[file exists ~/.Xauthority]} { send -- "touch ~/.Xauthority\r" } after 100 +send -- "rm -fr ~/_firejail_test_dir_\r" +after 100 send -- "mkdir ~/_firejail_test_dir_\r" sleep 1 @@ -65,6 +67,64 @@ expect { "private directory should be owned by the current user" } sleep 1 +send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r" +after 100 +send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r" +sleep 1 +send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "Not blacklist" +} +expect { + timeout {puts "TESTING ERROR 7\n";exit} + "test_dir_2" +} +expect { + timeout {puts "TESTING ERROR 8\n";exit} + "Child process initialized" +} -puts "all done\n" +sleep 1 + +send -- "find ~\r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "testfile" +} +after 100 + +send -- "exit\r" +sleep 1 + +send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "Disable" +} +expect { + timeout {puts "TESTING ERROR 11\n";exit} + "test_dir_2" +} +expect { + timeout {puts "TESTING ERROR 12\n";exit} + "Child process initialized" +} + +sleep 1 + +send -- "ls ~/test_dir_2\r" +expect { + timeout {puts "TESTING ERROR 13\n";exit} + "cannot open directory" +} +after 100 + +send "exit\r" +sleep 1 + +send -- "rm -fr ~/_firejail_test_dir_\r" +after 100 + +puts "\nall done\n"