1. 30 Nov, 2015 1 commit
  2. 20 Nov, 2015 1 commit
    • intrigeri's avatar
      Test suite: run ping as root. · 59a55080
      intrigeri authored
      On Jessie, setcap is used by default instead of setuid root for /bin/ping,
      but aufs does not support file capabilities:
      
        $ /sbin/getcap /bin/ping
        Failed to get capabilities of file `/bin/ping' (Operation not supported)
      
        $ /sbin/getcap /lib/live/mount/rootfs/filesystem.squashfs/bin/ping
        /lib/live/mount/rootfs/filesystem.squashfs/bin/ping = cap_net_raw+ep
      
      We could of course make /bin/ping setuid root back, just as it has
      always been, but with our firewall it'll only allow pinging the LAN; for
      now, I'm deciding that the limited usefulness is not worth the security
      implications (even though we confine ping with AppArmor), and ping will
      remain root only for now. We'll see how much sensible complains we get
      during the 2.0 beta and RC phases.
      59a55080
  3. 07 Sep, 2015 1 commit
  4. 08 Jul, 2015 1 commit
    • intrigeri's avatar
      Test suite: run ping as root. · 8be56369
      intrigeri authored
      For some reason, on Jessie, running ping as a regular users results in "ping:
      icmp open socket: Operation not permitted", with exit code == 2. But as root, it
      "works" and the firewall blocks the packets. This is rather an improvement than
      a problem (stuff is blocked earlier, which is cheaper), so let's just deal with
      it in the test suite only, by running ping as root: the main purpose here is to
      test the firewall.
      
      This change also affects the netcat command used to open TCP and UDP
      connections, for code simplicity's sake. Here again, the goal is to test
      the firewall.
      8be56369
  5. 15 May, 2015 1 commit
  6. 10 Apr, 2015 2 commits
  7. 23 Feb, 2015 1 commit
  8. 09 Feb, 2015 2 commits
  9. 03 Feb, 2015 1 commit
    • Tails developers's avatar
      Move misc code into FirewallLeakCheck. · 9704789f
      Tails developers authored
      This is where it belongs, and soon we'll need to use the same code in
      a scenario hook, and calling a step in such a way makes me
      uncomfortable.
      
      (FWIW, this is a remnant from the good ol' unmerged
      test/firewall-check-tag branch.)
      9704789f
  10. 19 Jan, 2015 2 commits
  11. 02 Apr, 2013 1 commit