author | netblue30 <netblue30@yahoo.com> | 2017-04-04 09:45:38 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-04-04 09:45:38 -0400 |
commit | 1902bd413e70567d51caa229b3726a3d12bff12a (patch) | |
tree | ac4b6ce84d931bef94a2080394e75d63f985114f | |
parent | Extra vivaldi-stable files (diff) | |
--help fixes
-rw-r--r-- | src/firejail/usage.c | 7 | ||||
-rw-r--r-- | todo | 310 |
2 files changed, 13 insertions, 304 deletions
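diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 9c91b4630..a21633349 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -74,6 +74,7 @@ void usage(void) {
 printf(" --dns.print=name|pid - print DNS configuration.\n");
 
 printf(" --env=name=value - set environment variable.\n");
+printf(" --force - attempt to start a new sandbox inside the existing sandbox.\n");
 printf(" --fs.print=name|pid - print the filesystem log.\n");
 printf(" --get=name|pid filename - get a file from sandbox container.\n");
 #ifdef HAVE_GIT_INSTALL
@@ -98,6 +99,7 @@ void usage(void) {
 #ifdef HAVE_NETWORK
 printf(" --join-network=name|pid - join the network namespace.\n");
 #endif
+printf(" --join-or-start=name|pid - join the sandbox or start a new one.\n");
 printf(" --list - list all sandboxes.\n");
 printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n");
 #ifdef HAVE_NETWORK
@@ -115,6 +117,7 @@ void usage(void) {
 printf(" --net=none - enable a new, unconnected network namespace.\n");
 printf(" --netfilter[=filename] - enable the default client network filter.\n");
 printf(" --netfilter6=filename - enable the IPv6 network filter.\n");
+printf(" --netns=name - Run the program in a named, persistent network namespace.\n");
 printf(" --netstats - monitor network statistics.\n");
 #endif
 printf(" --nice=value - set nice value.\n");
@@ -122,11 +125,12 @@ void usage(void) {
 printf(" --noblacklist=filename - disable blacklist for file or directory .\n");
 printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
 printf(" --nogroups - disable supplementary groups.\n");
+printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
 printf(" --noprofile - do not use a security profile.\n");
 #ifdef HAVE_USERNS
 printf(" --noroot - install a user namespace with only the current user.\n");
 #endif
-printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");
+printf(" --nosound - disable sound system.\n");
 printf(" --nowhitelist=filename - disable whitelist for file or directory .\n");
 printf(" --output=logfile - stdout logging and log rotation.\n");
 printf(" --overlay - mount a filesystem overlay on top of the current filesystem.\n");
@@ -147,6 +151,7 @@ void usage(void) {
 printf(" --private-etc=file,directory - build a new /etc in a temporary\n");
 printf("\tfilesystem, and copy the files and directories in the list.\n");
 printf(" --private-tmp - mount a tmpfs on top of /tmp directory.\n");
+printf(" --private-opt=file,directory - build a new /opt in a temporary filesystem.\n");
 printf(" --profile=filename - use a custom profile.\n");
 printf(" --profile-path=directory - use this directory to look for profile files.\n");
 printf(" --protocol=protocol,protocol,protocol - enable protocol filter.\n");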
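Review bot: The new `--netns` line in the third hunk is the only entry in this list whose description opens with a capital letter (`Run the program …`) while every neighbouring line uses a lowercase verb; `printf(" --netns=name - run the program in a named, persistent network namespace.\n");` keeps the help output uniform. In the last hunk the new `--private-opt` line is inserted after `--private-tmp`, which breaks the alphabetical order the rest of this list follows; it belongs between the `--private-etc` continuation line and `--private-tmp`. Both are wording and placement only, no behavioural change. usage() starts and ends outside these hunks.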
@@ -1,303 +1,7 @@ | |||
1 | 1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections | 1 | add --nosound to --help |
2 | ksh and zsh seem to have it. | 2 | --force |
3 | 3 | --git-install | |
4 | Tests: | 4 | --git-uninstall |
5 | a) | 5 | --join-or-start |
6 | cat </dev/tcp/time.nist.gov/13 | 6 | --netns |
7 | 7 | --private-opt | |
8 | b) | ||
9 | exec 3<>/dev/tcp/www.google.com/80 | ||
10 | echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3 | ||
11 | cat <&3 | ||
12 | |||
13 | c) A list of attacks | ||
14 | http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ | ||
15 | |||
16 | 2. SELinux integration | ||
17 | |||
18 | Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html | ||
19 | Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/ | ||
20 | "desktops are notoriously difficult to use a mandatory access control system on" | ||
21 | |||
22 | 3. abstract unix socket bridge, example for ibus: | ||
23 | |||
24 | before the sandbox is started | ||
25 | socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc & | ||
26 | in sandbox | ||
27 | socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock | ||
28 | |||
29 | 5. add support for --ip, --iprange, --mac and --mtu for --interface option | ||
30 | |||
31 | 6. --shutdown does not clear sandboxes started with --join | ||
32 | |||
33 | 7. profile for okular | ||
34 | |||
35 | 8. profile for dillo | ||
36 | Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active. | ||
37 | This is probably a dillo problem. | ||
38 | |||
39 | 9. --force sandbox in a overlayfs sandbox | ||
40 | |||
41 | $ sudo firejail --overlay | ||
42 | # su netblue | ||
43 | $ xterm & | ||
44 | $ firejail --force --private | ||
45 | Parent pid 77, child pid 78 | ||
46 | Warning: failed to unmount /sys | ||
47 | |||
48 | Warning: cannot mount a new user namespace, going forward without it... | ||
49 | Child process initialized | ||
50 | |||
51 | Try to join the forced sandbox in xterm window: | ||
52 | $ firejail --join=77 | ||
53 | Switching to pid 78, the first child process inside the sandbox | ||
54 | Warning: seccomp file not found | ||
55 | Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer. | ||
56 | $ ls ~ <----------------- all files are available, the directory is not empty! | ||
57 | |||
58 | 10. Posibly capabilities broken for --join | ||
59 | |||
60 | $ firejail --name=test | ||
61 | ... | ||
62 | $ firejail --debug --join=test | ||
63 | Switching to pid 18591, the first child process inside the sandbox | ||
64 | User namespace detected: /proc/18591/uid_map, 1000, 1000 | ||
65 | Set caps filter 0 | ||
66 | Set protocol filter: unix,inet,inet6 | ||
67 | Read seccomp filter, size 792 bytes | ||
68 | |||
69 | However, in the join sandbox we have: | ||
70 | $ cat /proc/self/status | grep Cap | ||
71 | CapInh: 0000000000000000 | ||
72 | CapPrm: 0000000000000000 | ||
73 | CapEff: 0000000000000000 | ||
74 | CapBnd: 0000003fffffffff | ||
75 | CapAmb: 0000000000000000 | ||
76 | |||
77 | 11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/ | ||
78 | Seccomp lists: | ||
79 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl | ||
80 | https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl | ||
81 | |||
82 | 12. check for --chroot why .config/pulse dir is not created | ||
83 | |||
84 | 13. print error line number for profile files in profile_check_line() | ||
85 | |||
86 | 14. make rpms problems | ||
87 | $ firejail --version | ||
88 | firejail version 0.9.40 | ||
89 | User namespace support is disabled. | ||
90 | |||
91 | $ rpmlint firejail-0.9.40-1.x86_64.rpm | ||
92 | firejail.x86_64: E: no-changelogname-tag | ||
93 | firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so | ||
94 | firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so | ||
95 | firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so | ||
96 | firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile | ||
97 | firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi | ||
98 | |||
99 | $ rpmlint firejail-0.9.40-1.src.rpm | ||
100 | firejail.src: E: no-changelogname-tag | ||
101 | firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found | ||
102 | 1 packages and 0 specfiles checked; 1 errors, 1 warnings. | ||
103 | |||
104 | 15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles | ||
105 | |||
106 | $ firejail --caps.keep=chown,net_bind_service src/faudit/faudit | ||
107 | Reading profile /etc/firejail/default.profile | ||
108 | Reading profile /etc/firejail/disable-common.inc | ||
109 | Reading profile /etc/firejail/disable-programs.inc | ||
110 | Reading profile /etc/firejail/disable-passwdmgr.inc | ||
111 | |||
112 | ** Note: you can use --noprofile to disable default.profile ** | ||
113 | |||
114 | Parent pid 6872, child pid 6873 | ||
115 | |||
116 | Child process initialized | ||
117 | |||
118 | ----- Firejail Audit: the Good, the Bad and the Ugly ----- | ||
119 | |||
120 | GOOD: Process PID 2, running in a PID namespace | ||
121 | Container/sandbox: firejail | ||
122 | GOOD: all capabilities are disabled | ||
123 | |||
124 | |||
125 | Parent is shutting down, bye... | ||
126 | |||
127 | 16. Sound devices: | ||
128 | /dev/snd | ||
129 | |||
130 | |||
131 | /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4 | ||
132 | /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3 | ||
133 | /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12 | ||
134 | /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20 | ||
135 | /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19 | ||
136 | /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28 | ||
137 | /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36 | ||
138 | /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35 | ||
139 | /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44 | ||
140 | |||
141 | |||
142 | 17. test 3d acceleration | ||
143 | |||
144 | $ lspci -nn | grep VGA | ||
145 | |||
146 | # apt-get install mesa-utils | ||
147 | |||
148 | $ glxinfo | grep rendering | ||
149 | |||
150 | The output should be: | ||
151 | |||
152 | direct rendering: Yes | ||
153 | |||
154 | $ glxinfo | grep "renderer string" | ||
155 | |||
156 | OpenGL renderer string: Gallium 0.4 on AMD KAVERI | ||
157 | |||
158 | |||
159 | glxgears stuck to 60fps may be due to VSync signal synchronization. | ||
160 | To disable Vsync | ||
161 | |||
162 | $ vblank_mode=0 glxgears | ||
163 | |||
164 | 19. testing snaps | ||
165 | |||
166 | Install firejail from official repository | ||
167 | sudo apt-get install firejail | ||
168 | |||
169 | Check firejail version | ||
170 | firejail --version | ||
171 | |||
172 | Above command outputs: firejail version 0.9.38 | ||
173 | |||
174 | Search the snap 'ubuntu clock' application | ||
175 | sudo snap find ubuntu-clock-app | ||
176 | |||
177 | Install 'ubuntu clock' application using snap | ||
178 | sudo snap install ubuntu-clock-app | ||
179 | |||
180 | Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/ | ||
181 | cd /snap/bin/ | ||
182 | ls -l | ||
183 | |||
184 | Note: We see application name is: ubuntu-clock-app.clock | ||
185 | |||
186 | Run application | ||
187 | /snap/bin/ubuntu-clock-app.clock | ||
188 | |||
189 | Note: Application starts-up without a problem and clock is displayed. | ||
190 | |||
191 | Close application using mouse. | ||
192 | |||
193 | Now try to firejail the application. | ||
194 | firejail /snap/bin/ubuntu-clock-app.clock | ||
195 | |||
196 | -------- Error message -------- | ||
197 | Reading profile /etc/firejail/generic.profile | ||
198 | Reading profile /etc/firejail/disable-mgmt.inc | ||
199 | Reading profile /etc/firejail/disable-secret.inc | ||
200 | Reading profile /etc/firejail/disable-common.inc | ||
201 | |||
202 | ** Note: you can use --noprofile to disable generic.profile ** | ||
203 | |||
204 | Parent pid 3770, child pid 3771 | ||
205 | |||
206 | Child process initialized | ||
207 | need to run as root or suid | ||
208 | |||
209 | parent is shutting down, bye... | ||
210 | -------- End of Error message -------- | ||
211 | |||
212 | Try running as root as message instructs. | ||
213 | sudo firejail /snap/bin/ubuntu-clock-app.clock | ||
214 | |||
215 | extract env for process | ||
216 | ps e -p <pid> | sed 's/ /\n/g' | ||
217 | |||
218 | |||
219 | 20. check default disable - from grsecurity | ||
220 | |||
221 | GRKERNSEC_HIDESYM | ||
222 | /proc/kallsyms and other files | ||
223 | |||
224 | GRKERNSEC_PROC_USER | ||
225 | If you say Y here, non-root users will only be able to view their own | ||
226 | processes, and restricts them from viewing network-related information, | ||
227 | and viewing kernel symbol and module information. | ||
228 | |||
229 | GRKERNSEC_PROC_ADD | ||
230 | If you say Y here, additional restrictions will be placed on | ||
231 | /proc that keep normal users from viewing device information and | ||
232 | slabinfo information that could be useful for exploits. | ||
233 | |||
234 | 21. Core Infrastructure Initiative (CII) Best Practices | ||
235 | |||
236 | Proposal | ||
237 | |||
238 | Someone closely involved with the project could go thought the criteria and keep them up-to-date. | ||
239 | References | ||
240 | |||
241 | https://bestpractices.coreinfrastructure.org | ||
242 | https://twit.tv/shows/floss-weekly/episodes/389 | ||
243 | |||
244 | 22. add support for read-write and noexec to Firetools | ||
245 | |||
246 | 23. AppArmor | ||
247 | |||
248 | $ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify | ||
249 | $ sudo apt-get install libapparmor-dev | ||
250 | |||
251 | $ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub | ||
252 | $ sudo update-grub | ||
253 | $ sudo reboot | ||
254 | |||
255 | If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. | ||
256 | $ sudo aa-notify -p -f /var/log/audit/audit.log | ||
257 | |||
258 | $ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail | ||
259 | firejail-default (enforce) | ||
260 | |||
261 | 24. check monitor proc behaviour for sandboxes with --blacklist=/proc | ||
262 | also check --apparmor in this case | ||
263 | |||
264 | 25. fix firemon and firetools on systems with hidepid=2 | ||
265 | |||
266 | sudo mount -o remount,rw,hidepid=2 /proc | ||
267 | |||
268 | 26. mupdf profile | ||
269 | |||
270 | 27. LUKS | ||
271 | |||
272 | dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in | ||
273 | Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, | ||
274 | removable media, partitions, software RAID volumes, logical volumes, and files. | ||
275 | |||
276 | 28. Merge --dbus=none from https://github.com/Sidnioulz/firejail | ||
277 | |||
278 | // block dbus session bus the hard way if necessary | ||
279 | if (cfg.dbus == 0) { | ||
280 | char *dbus_path; | ||
281 | if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1) | ||
282 | errExit("asprintf"); | ||
283 | fs_blacklist_file(dbus_path); | ||
284 | free(dbus_path); | ||
285 | } | ||
286 | |||
287 | 29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* | ||
288 | |||
289 | 30. | ||
290 | $ sudo firejail --fs.print=test | ||
291 | [sudo] password for netblue: | ||
292 | tmpfs /run/firejail/mnt << ???????????????? | ||
293 | sandbox name: test | ||
294 | sandbox pid: 5790 | ||
295 | sandbox filesystem: local | ||
296 | install mount namespace | ||
297 | read-only /etc | ||
298 | read-only /var | ||
299 | read-only /bin | ||
300 | |||
301 | 31. --private and --allusers are coliding | ||
302 | |||
303 | 32. machine-id defined in rfc4122 | ||