testing

Makefile.in

@@ -161,6 +161,8 @@ dist:
  tar -cJvf $(NAME)-$(VERSION).tar.xz $(NAME)-$(VERSION)
  rm -fr $(NAME)-$(VERSION)
 
+asc:; ./mkasc.sh $(VERSION)
+
 deb: dist
  ./mkdeb.sh $(NAME) $(VERSION)
 
@@ -173,9 +175,6 @@ install-snap: snap
 test-compile: dist
  cd test/compile; ./compile.sh $(NAME)-$(VERSION)
 
-test-root:
- cd test/root; su -c ./root.sh | grep TESTING
-
 .PHONY: rpms
 rpms:
  ./platform/rpm/mkrpm.sh $(NAME) $(VERSION)
@@ -189,7 +188,19 @@ cppcheck: clean
 scan-build: clean
  scan-build make
 
-asc:; ./mkasc.sh $(VERSION)
+gcov-test-initialized:
+ ./gcov-test-init.sh
+
+gcov: gcov-test-initialized
+ lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file
+ rm -fr gcov-dir
+ genhtml gcov-file --output-directory gcov-dir
+
+
+#
+# make test
+#
+
 
 test-profiles:
  cd test/profiles; ./profiles.sh | grep TESTING
@@ -218,21 +229,25 @@ test-filters:
 test-arguments:
  cd test/arguments; ./arguments.sh | grep TESTING
 
-test-network:
- cd test/network; ./network.sh | grep TESTING
-
 test-fs:
  cd test/fs; ./fs.sh | grep TESTING
 
 test: test-profiles test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
  echo "TEST COMPLETE"
 
-gcov-test-initialized:
- ./gcov-test-init.sh
-
-gcov: gcov-test-initialized
- lcov --capture -d src/firejail -d src/firemon -d src/fseccomp -d src/fnet -d src/ftee -d src/lib -d src/firecfg --output-file gcov-file
- rm -fr gcov-dir
- genhtml gcov-file --output-directory gcov-dir
+#
+# individual tests, some of them requiring root access
+#
+
+# root access, network devices are created before the test
+test-network:
+ cd test/network; ./network.sh | grep TESTING
+
+# all the tests are run as root
+test-root:
+ cd test/root; su -c ./root.sh | grep TESTING
 
-
+# runs as regular user
+test-overlay:
+ cd test/overlay; ./overlay.sh | grep TESTING
+

src/firejail/fs.c

@@ -919,6 +919,9 @@ void fs_overlayfs(void) {
  }
 
  // chroot in the new filesystem
+#ifdef HAVE_GCOV
+ __gcov_flush();
+#endif
  if (chroot(oroot) == -1)
  errExit("chroot");
 
@@ -1102,6 +1105,9 @@ void fs_chroot(const char *rootdir) {
  }
 
  // chroot into the new directory
+#ifdef HAVE_GCOV
+ __gcov_flush();
+#endif
  if (arg_debug)
  printf("Chrooting into %s\n", rootdir);
  if (chroot(rootdir) < 0)

src/fnet/interface.c

@@ -29,13 +29,18 @@
 #include <net/route.h>
 #include <linux/if_bridge.h>
 
-// add a veth device to a bridge
-void net_bridge_add_interface(const char *bridge, const char *dev) {
- if (strlen(bridge) > IFNAMSIZ) {
- fprintf(stderr, "Error fnet: invalid network device name %s\n", bridge);
+static void check_if_name(const char *ifname) {
+ if (strlen(ifname) > IFNAMSIZ) {
+ fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname);
  exit(1);
  }
+}
 
+// add a veth device to a bridge
+void net_bridge_add_interface(const char *bridge, const char *dev) {
+ check_if_name(bridge);
+ check_if_name(dev);
+
  // somehow adding the interface to the bridge resets MTU on bridge device!!!
  // workaround: restore MTU on the bridge device
  // todo: put a real fix in
@@ -69,18 +74,14 @@ void net_bridge_add_interface(const char *bridge, const char *dev) {
  close(sock);
 
  int mtu2 = net_get_mtu(bridge);
- if (mtu1 != mtu2) {
+ if (mtu1 != mtu2)
  net_set_mtu(bridge, mtu1);
- }
 }
 
 
 // bring interface up
 void net_if_up(const char *ifname) {
- if (strlen(ifname) > IFNAMSIZ) {
- fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname);
- exit(1);
- }
+ check_if_name(ifname);
 
  int sock = socket(AF_INET,SOCK_DGRAM,0);
  if (sock < 0)
@@ -93,40 +94,28 @@ void net_if_up(const char *ifname) {
  ifr.ifr_addr.sa_family = AF_INET;
 
  // read the existing flags
- if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
- close(sock);
- printf("Error fnet: cannot bring up interface %s\n", ifname);
+ if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0)
  errExit("ioctl");
- }
 
  ifr.ifr_flags |= IFF_UP;
 
  // set the new flags
- if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0) {
- close(sock);
- printf("Error fnet: cannot bring up interface %s\n", ifname);
+ if (ioctl( sock, SIOCSIFFLAGS, &ifr ) < 0)
  errExit("ioctl");
- }
 
  // checking
  // read the existing flags
- if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
- close(sock);
- printf("Error fnet: cannot bring up interface %s\n", ifname);
+ if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0)
  errExit("ioctl");
- }
 
  // wait not more than 500ms for the interface to come up
  int cnt = 0;
  while (cnt < 50) {
  usleep(10000); // sleep 10ms
 
  // read the existing flags
- if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0) {
- close(sock);
- printf("Error fnet: cannot bring up interface %s\n", ifname);
+ if (ioctl(sock, SIOCGIFFLAGS, &ifr ) < 0)
  errExit("ioctl");
- }
  if (ifr.ifr_flags & IFF_RUNNING)
  break;
  cnt++;
@@ -136,12 +125,8 @@ void net_if_up(const char *ifname) {
 }
 
 int net_get_mtu(const char *ifname) {
+ check_if_name(ifname);
  int mtu = 0;
- if (strlen(ifname) > IFNAMSIZ) {
- fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname);
- exit(1);
- }
-
  int s;
  struct ifreq ifr;
 
@@ -160,11 +145,7 @@ int net_get_mtu(const char *ifname) {
 }
 
 void net_set_mtu(const char *ifname, int mtu) {
- if (strlen(ifname) > IFNAMSIZ) {
- fprintf(stderr, "Error fnet: invalid network device name %s\n", ifname);
- exit(1);
- }
-
+ check_if_name(ifname);
  int s;
  struct ifreq ifr;
 
@@ -246,6 +227,7 @@ void net_ifprint(int scan) {
 }
 
 int net_get_mac(const char *ifname, unsigned char mac[6]) {
+ check_if_name(ifname);
 
  struct ifreq ifr;
  int sock;
@@ -267,11 +249,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
 
 // configure interface ipv4 address
 void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
- if (strlen(ifname) > IFNAMSIZ) {
- fprintf(stderr, "Error: invalid network device name %s\n", ifname);
- exit(1);
- }
-
+ check_if_name(ifname);
  int sock = socket(AF_INET,SOCK_DGRAM,0);
  if (sock < 0)
  errExit("socket");
@@ -282,34 +260,29 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
  ifr.ifr_addr.sa_family = AF_INET;
 
  ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip);
- if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) {
- close(sock);
- fprintf(stderr, "Error fnet: cannot find interface %s\n", ifname);
+ if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) 
  errExit("ioctl");
- }
 
  if (ip != 0) {
  ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(mask);
- if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) {
- close(sock);
+ if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0)
  errExit("ioctl");
- }
  }
 
  // configure mtu
  if (mtu > 0) {
  ifr.ifr_mtu = mtu;
- if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0) {
- close(sock);
+ if (ioctl( sock, SIOCSIFMTU, &ifr ) < 0)
  errExit("ioctl");
- }
  }
 
  close(sock);
  usleep(10000); // sleep 10ms
+ return;
 }
 
 int net_if_mac(const char *ifname, const unsigned char mac[6]) {
+ check_if_name(ifname);
  struct ifreq ifr;
  int sock;
 
@@ -335,6 +308,7 @@ struct ifreq6 {
  unsigned int ifr6_ifindex;
 };
 void net_if_ip6(const char *ifname, const char *addr6) {
+ check_if_name(ifname);
  if (strchr(addr6, ':') == NULL) {
  fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6);
  exit(1);

test/overlay/firefox-x11-xorg.exp

@@ -0,0 +1,90 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --overlay --name=test --x11=xorg firefox -no-remote www.gentoo.org\r"
+sleep 10
+
+spawn $env(SHELL)
+send -- "firejail --list\r"
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ ":firejail"
+}
+expect {
+ timeout {puts "TESTING ERROR 3.1\n";exit}
+ "firefox" {puts "firefox detected\n";}
+ "iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 3.2\n";exit}
+ "no-remote"
+}
+sleep 1
+# grsecurity exit
+send -- "file /proc/sys/kernel/grsecurity\r"
+expect {
+ timeout {puts "TESTING ERROR - grsecurity detection\n";exit}
+ "grsecurity: directory" {puts "grsecurity present, exiting...\n";exit}
+ "cannot open" {puts "grsecurity not present\n"}
+}
+send -- "firejail --overlay --name=blablabla\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --seccomp\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ " firefox" {puts "firefox detected\n";}
+ " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 5.0\n";exit}
+ "no-remote"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
+ "Seccomp: 2"
+}
+expect {
+ timeout {puts "TESTING ERROR 5.1\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firemon --caps\r"
+expect {
+ timeout {puts "TESTING ERROR 6\n";exit}
+ " firefox" {puts "firefox detected\n";}
+ " iceweasel" {puts "iceweasel detected\n";}
+}
+expect {
+ timeout {puts "TESTING ERROR 6.0\n";exit}
+ "no-remote"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.1\n";exit}
+ "CapBnd:"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.2\n";exit}
+ "0000000000000000"
+}
+expect {
+ timeout {puts "TESTING ERROR 6.3\n";exit}
+ "name=blablabla"
+}
+sleep 1
+send -- "firejail --shutdown=test\r"
+sleep 3
+
+puts "\nall done\n"
+