Merge branch 'netblue30:master' into hostname-fixes

.github/workflows/build.yml

@@ -71,6 +71,8 @@ jobs:
       run: command -V firejail && firejail --version
     - name: lab setup
       run: SHELL=/bin/bash make lab-setup
+    - name: run chroot tests
+      run: SHELL=/bin/bash make test-chroot
     - name: run sysutils tests
       run: SHELL=/bin/bash make test-sysutils
     - name: run private-etc tests

Makefile

@@ -393,10 +393,6 @@ test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-uti
 test-private-lib:
 	$(MAKE) -C test $(subst test-,,$@)
 
-# a firejail-test account is required, public/private key setup
-test-ssh:
-	$(MAKE) -C test $(subst test-,,$@)
-
 # requires root access
 test-chroot:
 	$(MAKE) -C test $(subst test-,,$@)
@@ -410,19 +406,8 @@ test-appimage:
 test-network:
 	$(MAKE) -C test $(subst test-,,$@)
 
-# requires the same setup as test-network
-test-stress:
-	$(MAKE) -C test $(subst test-,,$@)
-
-# Tests running a root user
-test-root:
-	$(MAKE) -C test $(subst test-,,$@)
-
 # OverlayFS is not available on all platforms
 test-overlay:
 	$(MAKE) -C test $(subst test-,,$@)
 
 # For testing hidepid system, the command to set it up is "mount -o remount,rw,hidepid=2 /proc"
-
-test-all: test-root test-chroot test-network test-appimage test-overlay
-	echo "TEST COMPLETE"

test/appimage/appimage-args.exp

@@ -8,7 +8,7 @@ spawn $env(SHELL)
 match_max 100000
 
 set appimage_id $spawn_id
-send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
+send -- "firejail --name=test --debug --appimage Leafpad-0.8.17-x86_64.AppImage testfile\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	"execvp argument 2"
@@ -91,7 +91,7 @@ expect {
 after 100
 
 spawn $env(SHELL)
-send -- "firejail --shutdown=appimage-test\r"
+send -- "firejail --shutdown=test\r"
 
 set spawn_id $appimage_id
 expect {

test/appimage/appimage-v1.exp

@@ -8,7 +8,7 @@ spawn $env(SHELL)
 match_max 100000
 set appimage_id $spawn_id
 
-send -- "firejail --name=appimage-test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r"
+send -- "firejail --name=test --debug --appimage Leafpad-0.8.17-x86_64.AppImage\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -79,7 +79,7 @@ expect {
 after 100
 
 spawn $env(SHELL)
-send -- "firejail --shutdown=appimage-test\r"
+send -- "firejail --shutdown=test\r"
 
 set spawn_id $appimage_id
 expect {

test/appimage/appimage-v2.exp

@@ -8,7 +8,7 @@ spawn $env(SHELL)
 match_max 100000
 set appimage_id $spawn_id
 
-send -- "firejail --name=appimage-test --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
+send -- "firejail --name=test --appimage Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -79,7 +79,7 @@ expect {
 after 100
 
 spawn $env(SHELL)
-send -- "firejail --shutdown=appimage-test\r"
+send -- "firejail --shutdown=test\r"
 set spawn_id $appimage_id
 expect {
 	timeout {puts "shutdown\n"}

test/chroot/chroot.sh

@@ -11,7 +11,14 @@ rm -f unchroot
 gcc -o unchroot unchroot.c
 sudo ./configure
 
+
+echo "TESTING: chroot disabled (test/chroot/fs_chroot_disabled.exp)"
+sudo sed -i s/"chroot yes"/"# chroot no"/g /etc/firejail/firejail.config
+./fs_chroot_disabled.exp
+
+
 echo "TESTING: chroot (test/chroot/fs_chroot.exp)"
+sudo sed -i s/"# chroot no"/"chroot yes"/g /etc/firejail/firejail.config
 ./fs_chroot.exp
 
 echo "TESTING: unchroot as root (test/chroot/unchroot-as-root.exp)"

test/chroot/configure

@@ -8,7 +8,7 @@ ROOTDIR="/tmp/chroot"			# default chroot directory
 DEFAULT_FILES="/bin/bash /bin/sh "	# basic chroot files
 DEFAULT_FILES+="/etc/passwd /etc/nsswitch.conf /etc/group "
 DEFAULT_FILES+=`find /lib -name libnss*`	# files required by glibc
-DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
+DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/ping /usr/bin/touch /bin/grep"
 
 rm -fr $ROOTDIR
 mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc,sys}
@@ -18,6 +18,10 @@ mkdir -p $ROOTDIR/home/netblue/.config/firejail
 chown netblue:netblue $ROOTDIR/home/netblue
 chown netblue:netblue $ROOTDIR/home/netblue/.config
 cp /home/netblue/.Xauthority $ROOTDIR/home/netblue/.
+mkdir -p $ROOTDIR/home/runner/.config/firejail
+chown runner:runner $ROOTDIR/home/runner
+chown runner:runner $ROOTDIR/home/runner/.config
+
 cp -a /etc/skel $ROOTDIR/etc/.
 mkdir $ROOTDIR/home/someotheruser
 mkdir $ROOTDIR/boot
@@ -27,8 +31,6 @@ cp /etc/group $ROOTDIR/etc/.
 cp /etc/hosts $ROOTDIR/etc/.
 cp /etc/hostname $ROOTDIR/etc/.
 mkdir -p $ROOTDIR/usr/lib/x86_64-linux-gnu
-cp -a /usr/lib/x86_64-linux-gnu/openssl-1.0.0 $ROOTDIR/usr/lib/x86_64-linux-gnu/.
-cp -a /usr/lib/ssl $ROOTDIR/usr/lib/.
 touch $ROOTDIR/var/log/syslog
 touch $ROOTDIR/var/tmp/somefile
 SORTED=`for FILE in $* $DEFAULT_FILES; do echo " $FILE "; ldd $FILE | grep -v dynamic | cut -d " " -f 3; done | sort -u`
@@ -41,7 +43,7 @@ cp --parents /lib/ld-linux.so.2 $ROOTDIR
 cp unchroot $ROOTDIR/.
 touch $ROOTDIR/this-is-my-chroot
 
-cd $ROOTDIR; find .
+cd $ROOTDIR;
 mkdir -p usr/lib/firejail/
 cp /usr/lib/firejail/libtrace.so usr/lib/firejail/.
 

test/chroot/fs_chroot.exp

@@ -10,55 +10,61 @@ match_max 100000
 send -- "firejail  --chroot=/tmp/chroot\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
-	"Error: --chroot option is not available on Grsecurity systems" {puts "\nall done\n"; exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms" {puts "chroot available\n"};
 }
 sleep 1
 
-send -- "cd /home;pwd\r"
+send -- "pwd\r"
 expect {
-	timeout {puts "TESTING ERROR 0.1\n";exit}
-	"home"
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"/home"
 }
-sleep 1
-send -- "bash\r"
-sleep 1
+after 100
 send -- "ls /\r"
 expect {
-	timeout {puts "TESTING ERROR 0.2\n";exit}
+	timeout {puts "TESTING ERROR 2\n";exit}
 	"this-is-my-chroot"
 }
 after 100
 
 send -- "ps aux\r"
 expect {
-	timeout {puts "TESTING ERROR 1\n";exit}
+	timeout {puts "TESTING ERROR 3\n";exit}
 	"/bin/bash"
 }
 expect {
-	timeout {puts "TESTING ERROR 2\n";exit}
-	"bash"
-}
-expect {
-	timeout {puts "TESTING ERROR 3\n";exit}
+	timeout {puts "TESTING ERROR 4\n";exit}
 	"ps aux"
 }
 after 100
 
-send -- "ps aux | wc -l; pwd\r"
+# check /sys directory
+send -- "ls /sys\r"
 expect {
 	timeout {puts "TESTING ERROR 5\n";exit}
-	"6"
+	"block"
 }
-after 100
-
-# check /sys directory
-send -- "ls /sys\r"
 expect {
 	timeout {puts "TESTING ERROR 6\n";exit}
-	"block"
+	"class"
+}
+expect {
+	timeout {puts "TESTING ERROR 7\n";exit}
+	"dev"
 }
 after 100
 
+# check /bin directory
+send -- "ls /bin/find\r"
+expect {
+	timeout {puts "TESTING ERROR 8\n";exit}
+	"No such file or directory"
+}
+after 100
+send -- "/bin/ping 1.1.1.1\r"
+expect {
+	timeout {puts "TESTING ERROR 9\n";exit}
+	"Operation not permitted"
+}
 
 puts "all done\n"

test/root/option_bind_directory.exp → test/chroot/fs_chroot_disabled.exp

@@ -7,18 +7,11 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --bind=/tmp/chroot,mntpoint\r"
+send -- "firejail  --chroot=/tmp/chroot\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
-	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+	"feature is disabled"
 }
 sleep 1
 
-send -- "ls mntpoint;pwd\r"
-expect {
-	timeout {puts "TESTING ERROR 1\n";exit}
-	"root"
-}
-sleep 1
-
-puts "\n"
+puts "all done\n"

test/chroot/unchroot-as-root.exp

@@ -22,7 +22,7 @@ after 100
 send -- "./unchroot\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
-	"Bad system call"
+	"Operation not permitted"
 }
 after 100