jaitest - simple sandbox testing utility program

.gitignore

@@ -22,6 +22,7 @@ firejail-users.5
 firejail.1
 firemon.1
 firecfg.1
+jailtest.5
 mkdeb.sh
 src/firejail/firejail
 src/firemon/firemon
@@ -40,6 +41,7 @@ src/fbuilder/fbuilder
 src/profstats/profstats
 src/bash_completion/firejail.bash_completion
 src/zsh_completion/_firejail
+src/jailtest/jailtest
 uids.h
 seccomp
 seccomp.debug

Makefile.in

@@ -23,13 +23,13 @@ endif
 
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
-APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats
+APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest
 SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
 COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
-MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
+MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailtest.5
 SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
 ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
@@ -109,6 +109,8 @@ endif
 	install -m 0755 src/firemon/firemon $(DESTDIR)$(bindir)
 	# firecfg executable
 	install -m 0755 src/firecfg/firecfg $(DESTDIR)$(bindir)
+	# jailtest executable
+	install -m 0755 src/jailtest/jailtest $(DESTDIR)$(bindir)
 	# libraries and plugins
 	install -m 0755 -d $(DESTDIR)$(libdir)/firejail
 	install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS) src/firecfg/firecfg.config
@@ -177,6 +179,7 @@ uninstall:
 	rm -f $(DESTDIR)$(bindir)/firemon
 	rm -f $(DESTDIR)$(bindir)/firecfg
 	rm -fr $(DESTDIR)$(libdir)/firejail
+	rm -fr $(DESTDIR)$(libdir)/jailtest
 	rm -fr $(DESTDIR)$(datarootdir)/doc/firejail
 	for man in $(MANPAGES); do \
 		rm -f $(DESTDIR)$(mandir)/man5/$$man*; \

README.md

@@ -198,7 +198,84 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 Milestone page: https://github.com/netblue30/firejail/milestone/1
 Release discussion: https://github.com/netblue30/firejail/issues/3696
 
+### jailtest
+`````
+JAILTEST(1)                    JAILTEST man page                   JAILTEST(1)
+
+NAME
+       jailtest - Simple utility program to test running sandboxes
+
+SYNOPSIS
+       sudo jailtest [OPTIONS] [directory]
+
+DESCRIPTION
+       WORK IN PROGRESS!  jailtest attaches itself to all sandboxes started by
+       the user and performs some basic tests on the sandbox filesystem:
+
+       1. Virtual directories
+              jailtest extracts a list with the main virtual  directories  in‐
+              stalled by the sandbox.  These directories are build by firejail
+              at startup using --private* and --whitelist commands.
+
+       2. Noexec test
+              jailtest inserts executable programs  in  /home/username,  /tmp,
+              and  /var/tmp  directories and tries to run them form inside the
+              sandbox, thus testing if the directory is executable or not.
+
+       3. Read access test
+              jailtest creates test files in the directories specified by  the
+              user and tries to read them from inside the sandbox.
+
+       The program is running as root exclusively under sudo.
+
+OPTIONS
+       --debug
+              Print debug messages
+
+       -?, --help
+              Print options end exit.
 
+       --version
+              Print program version and exit.
+
+       [directory]
+              One or more directories in user home to test for read access.
+
+OUTPUT
+       For each sandbox detected we print the following line:
+
+            PID:USER:Sandbox Name:Command
+
+       It is followed by relevant sandbox information, such as the virtual di‐
+       rectories and various warnings.
+
+EXAMPLE
+       $ sudo jailtest ~/.ssh ~/.gnupg
+       1429:netblue::/usr/bin/firejail /opt/firefox/firefox
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc,
+       5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net
+          Virtual dirs: /var/tmp, /dev,
+          Warning: I can read ~/.ssh
+       5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10
+          Virtual dirs: /tmp, /var/tmp, /dev,
+          Warning: I can run programs in /home/netblue
+       6394:netblue:libreoffice:/usr/bin/firejail libreoffice
+          Virtual dirs: /tmp, /var/tmp, /dev,
+
+LICENSE
+       This program is free software; you can redistribute it and/or modify it
+       under  the  terms of the GNU General Public License as published by the
+       Free Software Foundation; either version 2 of the License, or (at  your
+       option) any later version.
+
+       Homepage: https://firejail.wordpress.com
+
+SEE ALSO
+       firejail(1),  firecfg(1),  firejail-profile(5), firejail-login(5) fire‐
+       jail-users(5)
+
+0.9.65                             Feb 2021                        JAILTEST(1)
+`````
 
 ### Profile Statistics
 

configure

@@ -4269,7 +4269,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -5000,7 +5000,10 @@ do
     "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;;
     "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;;
     "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;;
+    "src/zsh_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/zsh_completion/Makefile" ;;
+    "src/bash_completion/Makefile") CONFIG_FILES="$CONFIG_FILES src/bash_completion/Makefile" ;;
     "test/Makefile") CONFIG_FILES="$CONFIG_FILES test/Makefile" ;;
+    "src/jailtest/Makefile") CONFIG_FILES="$CONFIG_FILES src/jailtest/Makefile" ;;
 
   *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
   esac

configure.ac

@@ -234,7 +234,8 @@ AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
 src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
-src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile)
+src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
+src/jailtest/Makefile)
 
 echo
 echo "Configuration options:"

src/jailtest/Makefile.in

@@ -0,0 +1,14 @@
+all: jailtest
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/pid.h
+	$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+jailtest: $(OBJS)
+	$(CC)  $(LDFLAGS) -o $@ $(OBJS)  ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -fr *.o jailtest *.gcov *.gcda *.gcno *.plist
+
+distclean: clean
+	rm -fr Makefile

src/jailtest/access.c

@@ -0,0 +1,124 @@
+#include "jailtest.h"
+#include <dirent.h>
+#include <sys/wait.h>
+
+typedef struct {
+	char *tfile;
+	char *tdir;
+} TestDir;
+
+#define MAX_TEST_FILES 16
+TestDir td[MAX_TEST_FILES];
+static int files_cnt = 0;
+
+void access_setup(const char *directory) {
+	// I am root!
+	assert(directory);
+	assert(user_home_dir);
+
+	if (files_cnt >= MAX_TEST_FILES) {
+		fprintf(stderr, "Error: maximum number of test directories exceded\n");
+		exit(1);
+	}
+
+	char *fname = strdup(directory);
+	if (!fname)
+		errExit("strdup");
+	if (strncmp(fname, "~/", 2) == 0) {
+		free(fname);
+		if (asprintf(&fname, "%s/%s", user_home_dir, directory + 2) == -1)
+			errExit("asprintf");
+	}
+
+	char *path = realpath(fname, NULL);
+	free(fname);
+	if (path == NULL) {
+		fprintf(stderr, "Warning: invalid directory %s, skipping...\n", directory);
+		return;
+	}
+
+	// file in home directory
+	if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
+		fprintf(stderr, "Warning: file %s is not in user home directory, skipping...\n", directory);
+		free(path);
+		return;
+	}
+
+	// try to open the dir as root
+	DIR *dir = opendir(path);
+	if (!dir) {
+		fprintf(stderr, "Warning: directory %s not found, skipping\n", directory);
+		free(path);
+		return;
+	}
+	closedir(dir);
+
+	// create a test file
+	char *test_file;
+	if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
+		errExit("asprintf");
+
+	FILE *fp = fopen(test_file, "w");
+	if (!fp) {
+		printf("Warning: I cannot create test file in directory %s, skipping...\n", directory);
+		return;
+	}
+	fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
+	fclose(fp);
+	int rv = chown(test_file, user_uid, user_gid);
+	if (rv)
+		errExit("chown");
+
+	char *dname = strdup(directory);
+	if (!dname)
+		errExit("strdup");
+	td[files_cnt].tdir = dname;
+	td[files_cnt].tfile = test_file;
+	files_cnt++;
+}
+
+void access_destroy(void) {
+	// remove test files
+	int i;
+
+	for (i = 0; i < files_cnt; i++) {
+		int rv = unlink(td[i].tfile);
+		(void) rv;
+	}
+	files_cnt = 0;
+}
+
+void access_test(void) {
+	// I am root in sandbox mount namespace
+	assert(user_uid);
+	int i;
+
+	pid_t child = fork();
+	if (child == -1)
+		errExit("fork");
+
+	if (child == 0) { // child
+		// drop privileges
+		if (setgid(user_gid) != 0)
+			errExit("setgid");
+		if (setuid(user_uid) != 0)
+			errExit("setuid");
+
+		for (i = 0; i < files_cnt; i++) {
+			assert(td[i].tfile);
+
+			// try to open the file for reading
+			FILE *fp = fopen(td[i].tfile, "r");
+			if (fp) {
+
+				printf("   Warning: I can read %s\n", td[i].tdir);
+				fclose(fp);
+			}
+		}
+		exit(0);
+	}
+
+	// wait for the child to finish
+	int status;
+	wait(&status);
+}

src/jailtest/jailtest.h

@@ -0,0 +1,32 @@
+#ifndef JAILTEST_H
+#define JAILTEST_H
+
+#include "../include/common.h"
+
+// main.c
+extern uid_t user_uid;
+extern gid_t user_gid;
+extern char *user_name;
+extern char *user_home_dir;
+
+// access.c
+void access_setup(const char *directory);
+void access_test(void);
+void access_destroy(void);
+
+// noexec.c
+void noexec_setup(void);
+void noexec_test(const char *msg);
+
+// virtual.c
+void virtual_setup(const char *directory);
+void virtual_destroy(void);
+void virtual_test(void);
+
+// utils.c
+char *get_sudo_user(void);
+char *get_homedir(const char *user, uid_t *uid, gid_t *gid);
+int find_child(pid_t parent, pid_t *child);
+pid_t switch_to_child(pid_t pid);
+
+#endif