more jailtest

netblue30 · Mar 8, 2021 · b69074f · b69074f
1 parent c8cdcff
commit b69074f
Show file tree

Hide file tree

Showing 5 changed files with 122 additions and 2 deletions.
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
@@ -442,6 +442,7 @@ blacklist ${PATH}/mount
 blacklist ${PATH}/mount.ecryptfs_private
 blacklist ${PATH}/nc
 blacklist ${PATH}/ncat
+blacklist ${PATH}/nmap
 blacklist ${PATH}/newgidmap
 blacklist ${PATH}/newgrp
 blacklist ${PATH}/newuidmap
@@ -452,6 +453,7 @@ blacklist ${PATH}/sg
 blacklist ${PATH}/strace
 blacklist ${PATH}/su
 blacklist ${PATH}/sudo
+blacklist ${PATH}/tcpdump
 blacklist ${PATH}/umount
 blacklist ${PATH}/unix_chkpwd
 blacklist ${PATH}/xev

diff --git a/etc/profile-m-z/tcpdump.profile b/etc/profile-m-z/tcpdump.profile
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist ${PATH}/tcpdump
 
 include disable-common.inc
 include disable-devel.inc

diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h
@@ -38,6 +38,10 @@ void access_destroy(void);
 void noexec_setup(void);
 void noexec_test(const char *msg);
 
+// sysfiles.c
+void sysfiles_setup(const char *file);
+void sysfiles_test(void);
+
 // virtual.c
 void virtual_setup(const char *directory);
 void virtual_destroy(void);

diff --git a/src/jailtest/main.c b/src/jailtest/main.c
@@ -114,8 +114,32 @@ int main(int argc, char **argv) {
  virtual_setup("/bin");
  virtual_setup("/usr/share");
  virtual_setup(user_run_dir);
-
-
+ // basic sysfiles
+ sysfiles_setup("/etc/shadow");
+ sysfiles_setup("/etc/gshadow");
+ sysfiles_setup("/usr/bin/mount");
+ sysfiles_setup("/usr/bin/su");
+ sysfiles_setup("/usr/bin/ksu");
+ sysfiles_setup("/usr/bin/sudo");
+ sysfiles_setup("/usr/bin/strace");
+ // X11
+ sysfiles_setup("/usr/bin/xev");
+ sysfiles_setup("/usr/bin/xinput");
+ // compilers
+ sysfiles_setup("/usr/bin/gcc");
+ sysfiles_setup("/usr/bin/clang");
+ // networking
+ sysfiles_setup("/usr/bin/dig");
+ sysfiles_setup("/usr/bin/nslookup");
+ sysfiles_setup("/usr/bin/resolvectl");
+ sysfiles_setup("/usr/bin/nc");
+ sysfiles_setup("/usr/bin/ncat");
+ sysfiles_setup("/usr/bin/nmap");
+ sysfiles_setup("/usr/sbin/tcpdump");
+ // terminals
+ sysfiles_setup("/usr/bin/gnome-terminal");
+ sysfiles_setup("/usr/bin/xfce4-terminal");
+ sysfiles_setup("/usr/bin/lxterminal");
 
  // print processes
  pid_read(0);
@@ -145,6 +169,7 @@ int main(int argc, char **argv) {
  noexec_test("/var/tmp");
  noexec_test(user_run_dir);
  access_test();
+ sysfiles_test();
  }
  else {
  printf(" Error: I cannot join the process mount space\n");

diff --git a/src/jailtest/sysfiles.c b/src/jailtest/sysfiles.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+ char *tfile;
+} TestFile;
+
+#define MAX_TEST_FILES 32
+TestFile tf[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void sysfiles_setup(const char *file) {
+ // I am root!
+ assert(file);
+
+ if (files_cnt >= MAX_TEST_FILES) {
+ fprintf(stderr, "Error: maximum number of system test files exceded\n");
+ exit(1);
+ }
+
+ if (access(file, F_OK)) {
+ // no such file
+ return;
+ }
+
+
+ char *fname = strdup(file);
+ if (!fname)
+ errExit("strdup");
+
+ tf[files_cnt].tfile = fname;
+ files_cnt++;
+}
+
+void sysfiles_test(void) {
+ // I am root in sandbox mount namespace
+ assert(user_uid);
+ int i;
+
+ pid_t child = fork();
+ if (child == -1)
+ errExit("fork");
+
+ if (child == 0) { // child
+ // drop privileges
+ if (setgid(user_gid) != 0)
+ errExit("setgid");
+ if (setuid(user_uid) != 0)
+ errExit("setuid");
+
+ for (i = 0; i < files_cnt; i++) {
+ assert(tf[i].tfile);
+
+ // try to open the file for reading
+ FILE *fp = fopen(tf[i].tfile, "r");
+ if (fp) {
+
+ printf(" Warning: I can access %s\n", tf[i].tfile);
+ fclose(fp);
+ }
+ }
+ exit(0);
+ }
+
+ // wait for the child to finish
+ int status;
+ wait(&status);
+}