private-etc testing

netblue30 · Feb 7, 2023 · cb1104e · cb1104e
1 parent 4a4bd8a
commit cb1104e
Show file tree

Hide file tree

Showing 13 changed files with 284 additions and 53 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -60,7 +60,7 @@ jobs:
     - name: update package information
       run: sudo apt-get update
     - name: install dependencies
-      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec
+      run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois
     - name: configure
       run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr
     - name: make
@@ -73,6 +73,8 @@ jobs:
       run: SHELL=/bin/bash make lab-setup
     - name: run sysutils tests
       run: SHELL=/bin/bash make test-sysutils
+    - name: run private-etc tests
+      run: SHELL=/bin/bash make test-private-etc
     - name: run profile tests
       run: SHELL=/bin/bash make test-profiles
     - name: run fcopy tests

diff --git a/Makefile b/Makefile
@@ -368,7 +368,7 @@ scan-build: clean
 # make test
 #
 
-TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter
+TESTS=profiles apps apps-x11 apps-x11-xorg sysutils utils environment filters fs fcopy fnetfilter private-etc
 TEST_TARGETS=$(patsubst %,test-%,$(TESTS))
 
 $(TEST_TARGETS):
@@ -378,7 +378,7 @@ $(TEST_TARGETS):
 # extract some data about the testing setup: kernel, network connectivity, user
 lab-setup:; uname -r; pwd; whoami; cat /etc/resolv.conf; cat /etc/hosts; ls /etc
 
-test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
+test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters
 	echo "TEST COMPLETE"
 
 test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters

diff --git a/test/fs/fs.sh b/test/fs/fs.sh
@@ -80,12 +80,6 @@ rm -fr ~/_firejail_test_dir1
 rm -f ~/_firejail_test_link1
 rm -f ~/_firejail_test_link2
 
-echo "TESTING: private-etc (test/fs/private-etc.exp)"
-./private-etc.exp
-
-#echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
-#./private-etc-empty.exp
-
 echo "TESTING: private-bin (test/fs/private-bin.exp)"
 ./private-bin.exp
 

diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile
diff --git a/test/private-etc/etc-cleanup.exp b/test/private-etc/etc-cleanup.exp
@@ -0,0 +1,33 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "/usr/lib/firejail/etc-cleanup p1.profile\r"
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"old: private-etc passwd,group,resolv.conf,X11"
+}
+expect {
+	timeout {puts "TESTING ERROR 2\n";exit}
+	"new: private-etc @x11"
+}
+after 500
+
+send -- "/usr/lib/firejail/etc-cleanup p3.profile\r"
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	"old: private-etc @tls-ca,os-release,@x11,mime.types,mailcap"
+}
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"new: private-etc @tls-ca,@x11,mailcap,mime.types,os-release"
+}
+after 500
+
+
+puts "\nall done\n"
diff --git a/test/private-etc/groups.exp b/test/private-etc/groups.exp
@@ -0,0 +1,132 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private-etc ls -l /etc\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Private /etc installed in"
+}
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"cron" {puts "TESTING ERROR 2\n"; exit}
+	"shadow" {puts "TESTING ERROR 3\n"; exit}
+	"ssl" {puts "TESTING ERROR 4\n"; exit}
+	"ld.so.cache"
+}
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	"cron" {puts "TESTING ERROR 2\n"; exit}
+	"shadow" {puts "TESTING ERROR 3\n"; exit}
+	"ssl" {puts "TESTING ERROR 4\n"; exit}
+	"nsswitch.conf"
+}
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	"cron" {puts "TESTING ERROR 2\n"; exit}
+	"shadow" {puts "TESTING ERROR 3\n"; exit}
+	"ssl" {puts "TESTING ERROR 4\n"; exit}
+	"resolv.conf"
+}
+expect {
+	timeout {puts "TESTING ERROR 7\n";exit}
+	"cron" {puts "TESTING ERROR 2\n"; exit}
+	"shadow" {puts "TESTING ERROR 3\n"; exit}
+	"xdg" {puts "TESTING ERROR 4\n"; exit}
+	"Parent is shutting down"
+}
+after 500
+
+
+send -- "firejail --private-etc=@tls-ca ls -l /etc\r"
+expect {
+	timeout {puts "TESTING ERROR 10\n";exit}
+	"Private /etc installed in"
+}
+expect {
+	timeout {puts "TESTING ERROR 11\n";exit}
+	"cron" {puts "TESTING ERROR 12\n"; exit}
+	"shadow" {puts "TESTING ERROR 13\n"; exit}
+	"ca-certificates"
+}
+expect {
+	timeout {puts "TESTING ERROR 14\n";exit}
+	"cron" {puts "TESTING ERROR 12\n"; exit}
+	"shadow" {puts "TESTING ERROR 13\n"; exit}
+	"nsswitch.conf"
+}
+expect {
+	timeout {puts "TESTING ERROR 15\n";exit}
+	"cron" {puts "TESTING ERROR 12\n"; exit}
+	"shadow" {puts "TESTING ERROR 13\n"; exit}
+	"resolv.conf"
+}
+expect {
+	timeout {puts "TESTING ERROR 16\n";exit}
+	"cron" {puts "TESTING ERROR 12\n"; exit}
+	"shadow" {puts "TESTING ERROR 13\n"; exit}
+	"ssl"
+}
+after 500
+
+
+send -- "firejail --private-etc --nosound ls -l /etc\r"
+expect {
+	timeout {puts "TESTING ERROR 20\n";exit}
+	"Private /etc installed in"
+}
+expect {
+	timeout {puts "TESTING ERROR 21\n";exit}
+	"cron" {puts "TESTING ERROR 22\n"; exit}
+	"shadow" {puts "TESTING ERROR 23\n"; exit}
+	"machine-id" {puts "TESTING ERROR 24\n"; exit}
+	"nsswitch.conf"
+}
+expect {
+	timeout {puts "TESTING ERROR 25\n";exit}
+	"Parent is shutting down"
+}
+after 500
+
+send -- "firejail --private-etc --net=none ls -l /etc\r"
+expect {
+	timeout {puts "TESTING ERROR 30\n";exit}
+	"Private /etc installed in"
+}
+expect {
+	timeout {puts "TESTING ERROR 31\n";exit}
+	"cron" {puts "TESTING ERROR 32\n"; exit}
+	"shadow" {puts "TESTING ERROR 33\n"; exit}
+	"nsswitch.conf"
+}
+expect {
+	timeout {puts "TESTING ERROR 34\n";exit}
+	"resolv.conf" {puts "TESTING ERROR 35\n"; exit}
+	"Parent is shutting down"
+}
+after 500
+
+send -- "firejail --private-etc=@x11 ls -l /etc\r"
+expect {
+	timeout {puts "TESTING ERROR 40\n";exit}
+	"Private /etc installed in"
+}
+expect {
+	timeout {puts "TESTING ERROR 41\n";exit}
+	"cron" {puts "TESTING ERROR 42\n"; exit}
+	"shadow" {puts "TESTING ERROR 43\n"; exit}
+	"nsswitch.conf"
+}
+expect {
+	timeout {puts "TESTING ERROR 44\n";exit}
+	"xdg"
+}
+after 100
+
+
+puts "\nall done\n"
diff --git a/test/private-etc/p1.profile b/test/private-etc/p1.profile
@@ -0,0 +1 @@
+private-etc passwd,group,resolv.conf,X11
diff --git a/test/private-etc/p2.profile b/test/private-etc/p2.profile
@@ -0,0 +1 @@
+private-etc @x11
diff --git a/test/private-etc/p3.profile b/test/private-etc/p3.profile
@@ -0,0 +1 @@
+private-etc @tls-ca,os-release,@x11,mime.types,mailcap
diff --git a/test/fs/private-etc.exp → test/private-etc/private-etc.exp b/test/fs/private-etc.exp → test/private-etc/private-etc.exp
@@ -7,7 +7,6 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-# directory with ~
 send -- "firejail --private-etc=passwd,group,resolv.conf,X11\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}

diff --git a/test/private-etc/private-etc.sh b/test/private-etc/private-etc.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+echo "TESTING: private-etc (test/private-etc/private-etc.exp)"
+./private-etc.exp
+
+echo "TESTING: profile (test/private-etc/profile.exp)"
+./private-etc.exp
+
+echo "TESTING: groups (test/private-etc/groups.exp)"
+./groups.exp
+
+echo "TESTING: etc-cleanup (test/private-etc/etc-cleanup.exp)"
+./etc-cleanup.exp
+
diff --git a/test/private-etc/profile.exp b/test/private-etc/profile.exp
@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2022 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=p1.profile\r"
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+send -- "LC_ALL=C ls -al /etc\r"
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	"X11"
+}
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"group"
+}
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	"passwd"
+}
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	"resolv.conf"
+}
+
+
+send -- "file /etc/shadow\r"
+expect {
+	timeout {puts "TESTING ERROR 7\n";exit}
+	"No such file or directory"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=p2.profile\r"
+expect {
+	timeout {puts "TESTING ERROR 11\n";exit}
+	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+send -- "LC_ALL=C ls -al /etc\r"
+expect {
+	timeout {puts "TESTING ERROR 13\n";exit}
+	"X11"
+}
+expect {
+	timeout {puts "TESTING ERROR 14\n";exit}
+	"group"
+}
+expect {
+	timeout {puts "TESTING ERROR 15\n";exit}
+	"passwd"
+}
+expect {
+	timeout {puts "TESTING ERROR 16\n";exit}
+	"resolv.conf"
+}
+
+
+send -- "file /etc/shadow\r"
+expect {
+	timeout {puts "TESTING ERROR 17\n";exit}
+	"No such file or directory"
+}
+after 100
+send -- "exit\r"
+sleep 1
+
+
+
+
+
+
+
+
+
+
+after 100
+puts "\nall done\n"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		private-etc @tls-ca,os-release,@x11,mime.types,mailcap