appimage testing

.github/workflows/build.yml

@@ -71,6 +71,8 @@ jobs:
       run: command -V firejail && firejail --version
     - name: lab setup
       run: SHELL=/bin/bash make lab-setup
+    - name: run appimage tests
+      run: SHELL=/bin/bash make test-appimage
     - name: run chroot tests
       run: SHELL=/bin/bash make test-chroot
     - name: run sysutils tests

Makefile

@@ -314,7 +314,7 @@ mkman.sh \
 platform \
 src
 
-DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/root test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils test/chroot
+DISTFILES_TEST = test/Makefile test/apps test/apps-x11 test/apps-x11-xorg test/private-lib test/fnetfilter test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/fs test/sysutils
 
 .PHONY: dist
 dist: config.mk
@@ -372,7 +372,7 @@ $(TEST_TARGETS):
 
 
 # extract some data about the testing setup: kernel, network connectivity, user
-lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; ls /etc
+lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; ls /etc
 
 test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
 	echo "TEST COMPLETE"
@@ -380,6 +380,14 @@ test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-et
 test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
 	echo "TEST COMPLETE"
 
+# not included in "make dist" and "make test"
+test-appimage:
+	$(MAKE) -C test $(subst test-,,$@)
+
+# not included in "make dist" and "make test"
+test-chroot:
+	$(MAKE) -C test $(subst test-,,$@)
+
 # old gihub test; the new test is driven directly from .github/workflows/build.yml
 test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment
 	echo "TEST COMPLETE"
@@ -393,21 +401,9 @@ test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-uti
 test-private-lib:
 	$(MAKE) -C test $(subst test-,,$@)
 
-# requires root access
-test-chroot:
-	$(MAKE) -C test $(subst test-,,$@)
-
-# Huge appimage files, not included in "make dist" archive
-test-appimage:
-	$(MAKE) -C test $(subst test-,,$@)
-
 # Root access, network devices are created before the test
 # restart your computer to get rid of these devices
 test-network:
 	$(MAKE) -C test $(subst test-,,$@)
 
-# OverlayFS is not available on all platforms
-test-overlay:
-	$(MAKE) -C test $(subst test-,,$@)
-
 # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"

test/appimage/appimage-args.exp

@@ -8,97 +8,15 @@ spawn $env(SHELL)
 match_max 100000
 
 set appimage_id $spawn_id
-send -- "firejail --name=test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
-expect {
-	timeout {puts "TESTING ERROR 1\n";exit}
-	"execvp argument 2"
-}
-expect {
-	timeout {puts "TESTING ERROR 2\n";exit}
-	"AppRun"
-}
-expect {
-	timeout {puts "TESTING ERROR 3\n";exit}
-	"testfile"
-}
+send -- "firejail --name=test --appimage hello-x86_64.AppImage testfile\r"
 expect {
 	timeout {puts "TESTING ERROR 4\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-sleep 2
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
 expect {
-	timeout {puts "TESTING ERROR 5\n";exit}
-	":firejail"
-}
-expect {
-	timeout {puts "TESTING ERROR 6\n";exit}
-	"appimage Leafpad"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
-	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
-	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
-	"cannot open" {puts "grsecurity not present\n"}
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"1 - testfile"
 }
 
-
-send -- "firejail --name=blablabla\r"
-expect {
-	timeout {puts "TESTING ERROR 7\n";exit}
-	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp --wrap\r"
-expect {
-	timeout {puts "TESTING ERROR 8\n";exit}
-	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
-	"appimage Leafpad"
-}
-expect {
-	timeout {puts "TESTING ERROR 9 (seccomp)\n";exit}
-	"Seccomp:	2"
-}
-expect {
-	timeout {puts "TESTING ERROR 10\n";exit}
-	"name=blablabla"
-}
-after 100
-send -- "firemon --caps --wrap\r"
-expect {
-	timeout {puts "TESTING ERROR 11\n";exit}
-	"appimage Leafpad"
-}
-expect {
-	timeout {puts "TESTING ERROR 12\n";exit}
-	"CapBnd:"
-}
-expect {
-	timeout {puts "TESTING ERROR 13\n";exit}
-	"0000000000000000"
-}
-expect {
-	timeout {puts "TESTING ERROR 14\n";exit}
-	"name=blablabla"
-}
-after 100
-
-spawn $env(SHELL)
-send -- "firejail --shutdown=test\r"
-
-set spawn_id $appimage_id
-expect {
-	timeout {puts "shutdown\n";exit}
-	"AppImage detached"
-}
-
-after 100
-
+after 500
 puts "\nall done\n"

test/appimage/appimage-trace.exp

@@ -8,61 +8,28 @@ spawn $env(SHELL)
 match_max 100000
 set appimage_id $spawn_id
 
-send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.17-x86_64.AppImage\r"
+send -- "firejail --trace --timeout=00:00:05 --appimage hello-x86_64.AppImage\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
 expect {
 	timeout {puts "TESTING ERROR 2\n";exit}
-	"leafpad:socket"
+	"AppRun:exec"
 }
 expect {
 	timeout {puts "TESTING ERROR 3\n";exit}
-	"leafpad:connect"
+	"AppRun:opendir"
 }
 expect {
 	timeout {puts "TESTING ERROR 4\n";exit}
-	"X11-unix/X0"
+	"Hello, World!"
 }
 expect {
 	timeout {puts "TESTING ERROR 5\n";exit}
-	"Parent is shutting down, bye"
+	"ping:exec"
 }
-expect {
-	timeout {puts "shutdown\n"}
-	"AppImage detached"
-}
-sleep 1
 
-send -- "firejail --trace --timeout=00:00:05 --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
-expect {
-	timeout {puts "TESTING ERROR 11\n";exit}
-	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-	timeout {puts "TESTING ERROR 12\n";exit}
-	"leafpad:socket"
-}
-expect {
-	timeout {puts "TESTING ERROR 13\n";exit}
-	"leafpad:connect"
-}
-expect {
-	timeout {puts "TESTING ERROR 14\n";exit}
-	"X11-unix/X0"
-}
-expect {
-	timeout {puts "TESTING ERROR 15\n";exit}
-	"Parent is shutting down, bye"
-}
-expect {
-	timeout {puts "shutdown\n"}
-	"AppImage detached"
-}
-sleep 1
-
-
-after 100
+after 500
 
 puts "\nall done\n"

test/appimage/appimage-v1.exp

@@ -1,92 +0,0 @@
-#!/usr/bin/expect -f
-# This file is part of Firejail project
-# Copyright (C) 2014-2023 Firejail Authors
-# License GPL v2
-
-set timeout 10
-spawn $env(SHELL)
-match_max 100000
-set appimage_id $spawn_id
-
-send -- "firejail --name=test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r"
-expect {
-	timeout {puts "TESTING ERROR 1\n";exit}
-	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
-	timeout {puts "TESTING ERROR 3\n";exit}
-	":firejail"
-}
-expect {
-	timeout {puts "TESTING ERROR 3.1\n";exit}
-	"appimage Leafpad"
-}
-after 100
-
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
-	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
-	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
-	"cannot open" {puts "grsecurity not present\n"}
-}
-
-
-send -- "firejail --name=blablabla\r"
-expect {
-	timeout {puts "TESTING ERROR 4\n";exit}
-	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-sleep 2
-
-spawn $env(SHELL)
-send -- "firemon --seccomp --wrap\r"
-expect {
-	timeout {puts "TESTING ERROR 5\n";exit}
-	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
-	"appimage Leafpad"
-}
-expect {
-	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
-	"Seccomp:	2"
-}
-expect {
-	timeout {puts "TESTING ERROR 5.1\n";exit}
-	"name=blablabla"
-}
-after 100
-send -- "firemon --caps --wrap\r"
-expect {
-	timeout {puts "TESTING ERROR 6\n";exit}
-	"appimage Leafpad"
-}
-expect {
-	timeout {puts "TESTING ERROR 6.1\n";exit}
-	"CapBnd:"
-}
-expect {
-	timeout {puts "TESTING ERROR 6.2\n";exit}
-	"0000000000000000"
-}
-expect {
-	timeout {puts "TESTING ERROR 6.3\n";exit}
-	"name=blablabla"
-}
-after 100
-
-spawn $env(SHELL)
-send -- "firejail --shutdown=test\r"
-
-set spawn_id $appimage_id
-expect {
-	timeout {puts "shutdown\n"}
-	"AppImage detached"
-}
-
-after 100
-
-puts "\nall done\n"

test/appimage/appimage-v2.exp

@@ -8,12 +8,24 @@ spawn $env(SHELL)
 match_max 100000
 set appimage_id $spawn_id
 
-send -- "firejail --name=test --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
+send -- "firejail --name=test --appimage hello-x86_64.AppImage\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
 }
-sleep 2
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"Hello, World!"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"Operation not permitted"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"Hello, again!"
+}
+sleep 5
 
 spawn $env(SHELL)
 send -- "firejail --list\r"
@@ -23,19 +35,10 @@ expect {
 }
 expect {
 	timeout {puts "TESTING ERROR 3.1\n";exit}
-	"appimage Leafpad"
+	"appimage hello-x86_64"
 }
 after 100
 
-# grsecurity exit
-send -- "file /proc/sys/kernel/grsecurity\r"
-expect {
-	timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
-	"grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
-	"cannot open" {puts "grsecurity not present\n"}
-}
-
-
 send -- "firejail --name=blablabla\r"
 expect {
 	timeout {puts "TESTING ERROR 4\n";exit}
@@ -48,7 +51,7 @@ send -- "firemon --seccomp\r"
 expect {
 	timeout {puts "TESTING ERROR 5\n";exit}
 	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
-	"appimage Leafpad"
+	"appimage hello-x86_64"
 }
 expect {
 	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -62,7 +65,7 @@ after 100
 send -- "firemon --caps\r"
 expect {
 	timeout {puts "TESTING ERROR 6\n";exit}
-	"appimage Leafpad"
+	"appimage hello-x86_64"
 }
 expect {
 	timeout {puts "TESTING ERROR 6.1\n";exit}

test/appimage/appimage.sh

@@ -7,16 +7,13 @@ export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 
-echo "TESTING: AppImage v1 (test/appimage/appimage-v1.exp)"
-./appimage-v1.exp
-
 echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
 ./appimage-v2.exp
 
 echo "TESTING: AppImage file name (test/appimage/filename.exp)"
 ./filename.exp
 
-echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
+echo "TESTING: AppImage args (test/appimage/appimage-args.exp)"
 ./appimage-args.exp
 
 echo "TESTING: AppImage trace (test/appimage/appimage-trace.exp)"

test/appimage/main.c

@@ -0,0 +1,32 @@
+// This is a simple hello program compiled on Debian 11 (glibc 2.31)
+// and packaged as an appimage using appimagetool from
+// https://github.com/AppImage/AppImageKit. The tool in installed
+// in the current directory.
+//
+// Building the appimage:
+//	mkdir -p AppDir/usr/bin
+//	gcc -o AppDir/usr/bin/hello main.c && strip AppDir/usr/bin/hello
+//	./appimagetool AppDir
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int main(int argc, char **argv) {
+	// test args
+	int i;
+	for (i = 1; i < argc; i++)
+		printf("%d - %s\n", i, argv[i]);
+
+	printf("Hello, World!\n");
+
+	// elevate privileges - firejail should block it
+	system("ping -c 3 127.0.0.1\n");
+
+	printf("Hello, again!\n");
+	sleep(30);
+
+	return 0;
+}
+