testing

onny · Dec 19, 2016 · 759dc6a · 759dc6a
1 parent d94f357
commit 759dc6a
Show file tree

Hide file tree

Showing 9 changed files with 191 additions and 5 deletions.
diff --git a/README b/README
@@ -97,6 +97,10 @@ valoq (https://github.com/valoq)
  - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
  - added wget profile
  - disable gnupg and systemd directories under /run/user
+thewisenerd (https://github.com/thewisenerd)
+ - appimage: pass commandline arguments
+KOLANICH (https://github.com/KOLANICH)
+ - added symlink fixer
 Jesse Smith (https://github.com/slicer69)
  - added QupZilla profile
 Lari Rauno (https://github.com/tuutti)
@@ -317,6 +321,7 @@ Peter Millerchip (https://github.com/pmillerchip)
  - support for files and directories starting with ~ in blacklist option
  - support for files and directories with spaces in blacklist option
  - lots of other fixes
+ - implement the --allow-private-blacklist option
 sarneaud (https://github.com/sarneaud)
  - rewrite globbing code to fix various minor issues
  - added noblacklist command for profile files

diff --git a/README.md b/README.md
@@ -81,6 +81,15 @@ Use this issue to request new profiles: https://github.com/netblue30/firejail/is
 
  Example:
  $ firejail --machine-id
+
+ --allow-private-blacklist
+ Allow blacklisting files in private home directory. By default
+ these blacklists are disabled.
+
+ Example:
+ $ firejail --allow-private-blacklist --private=~/priv-dir
+ --blacklist=~/.mozilla
+ 
 `````
 ## New Profiles
 xiphos, Tor Browser Bundle, display (imagemagik), Wire, mumble, zoom, Guayadeque, qemu, keypass2,

diff --git a/RELNOTES b/RELNOTES
@@ -13,7 +13,9 @@ firejail (0.9.45) baseline; urgency=low
  * feature: private /opt directory (--private-opt, profile support)
  * feature: private /srv directory (--private-srv, profile support)
  * feature: spoof machine-id
- * feature: config support for firejail prompt in terminal
+ * feature: config support for firejail prompt in terminals
+ * feature: pass command line arguments to appimages
+ * feature: --allow-private-blacklist option
  * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
  * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
  * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,

diff --git a/etc/fix_private-bin_for_symlinked_sh.py → contrib/fix_private-bin_for_symlinked_sh.py b/etc/fix_private-bin_for_symlinked_sh.py → contrib/fix_private-bin_for_symlinked_sh.py
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
@@ -30,8 +30,8 @@ void usage(void) {
  printf("Options:\n");
  printf(" -- - signal the end of options and disables further option processing.\n");
  printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
- printf(" --allow-private-blacklist - allow blacklisting things in private\n");
- printf("\tdirectories.\n");
+ printf(" --allow-private-blacklist - allow blacklisting files in private\n");
+ printf("\thome directories.\n");
  printf(" --allusers - all user home directories are visible inside the sandbox.\n");
  printf(" --apparmor - enable AppArmor confinement.\n");
  printf(" --appimage - sandbox an AppImage application.\n");

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
@@ -84,6 +84,15 @@ Example:
 .br
 $ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
 .TP
+\fB\-\-allow-private-blacklist
+Allow blacklisting files in private home directory. By default these blacklists are disabled.
+.br
+
+.br
+Example:
+.br
+$ firejail --allow-private-blacklist --private=~/priv-dir --blacklist=~/.mozilla
+.TP
 \fB\-\-allusers
 All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
 .br

diff --git a/test/appimage/appimage-args.exp b/test/appimage/appimage-args.exp
@@ -0,0 +1,97 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "execvp argument 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "AppRun"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "testfile"
+}
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "appimage Leafpad"
+}
+after 100
+
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+
+
+send -- "firejail --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
+ "appimage Leafpad"
+}
+expect {
+ timeout {puts "TESTING ERROR 9 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "name=blablabla"
+}
+after 100
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "appimage Leafpad"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 14\n";exit}
+ "name=blablabla"
+}
+after 100
+
+spawn $env(SHELL)
+send -- "firejail --shutdown=appimage-test\r"
+sleep 3
+
+puts "\nall done\n"
+
diff --git a/test/appimage/appimage.sh b/test/appimage/appimage.sh
@@ -13,4 +13,8 @@ echo "TESTING: AppImage v2 (test/appimage/appimage-v2.exp)"
 ./appimage-v2.exp
 
 echo "TESTING: AppImage file name (test/appimage/filename.exp)";
-./filename.exp
+./filename.exp
+
+echo "TESTING: AppImage argsv1 (test/appimage/appimage-args.exp)"
+./appimage-args.exp
+
diff --git a/test/fs/private-home-dir.exp b/test/fs/private-home-dir.exp
@@ -21,6 +21,8 @@ if {[file exists ~/.Xauthority]} {
  send -- "touch ~/.Xauthority\r"
 }
 after 100
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
 send -- "mkdir ~/_firejail_test_dir_\r"
 sleep 1
 
@@ -65,6 +67,64 @@ expect {
  "private directory should be owned by the current user"
 }
 sleep 1
+send -- "mkdir ~/_firejail_test_dir_/test_dir_2\r"
+after 100
+send -- "touch ~/_firejail_test_dir_/test_dir_2/testfile\r"
+sleep 1
 
+send -- "firejail --debug --noprofile --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ "Not blacklist"
+}
+expect {
+ timeout {puts "TESTING ERROR 7\n";exit}
+ "test_dir_2"
+}
+expect {
+ timeout {puts "TESTING ERROR 8\n";exit}
+ "Child process initialized"
+}
+
+sleep 1
+
+send -- "find ~\r"
+expect {
+ timeout {puts "TESTING ERROR 9\n";exit}
+ "testfile"
+}
+after 100
+
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --debug --noprofile --allow-private-blacklist --blacklist=~/test_dir_2 --private=~/_firejail_test_dir_\r"
+expect {
+ timeout {puts "TESTING ERROR 10\n";exit}
+ "Disable"
+}
+expect {
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "test_dir_2"
+}
+expect {
+ timeout {puts "TESTING ERROR 12\n";exit}
+ "Child process initialized"
+}
+
+sleep 1
+
+send -- "ls ~/test_dir_2\r"
+expect {
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "cannot open directory"
+}
+after 100
+
+send "exit\r"
+sleep 1
+
+send -- "rm -fr ~/_firejail_test_dir_\r"
+after 100
 
-puts "all done\n"
+puts "\nall done\n"