jailtest

author: netblue30 <netblue30@protonmail.com> 2021-02-23 08:40:02 -0500
committer: netblue30 <netblue30@protonmail.com> 2021-02-23 08:40:02 -0500
commit: 80868ffa70784fae2642c3d9219e08a17822bc86 (patch)
tree: 430b0a9c90e9adad7b18f601e3fc5ba1d92bebe2 /README.md
parent: hardening ssh, tor (diff)
download: firejail-80868ffa70784fae2642c3d9219e08a17822bc86.tar.gz
firejail-80868ffa70784fae2642c3d9219e08a17822bc86.tar.zst
firejail-80868ffa70784fae2642c3d9219e08a17822bc86.zip
1 files changed, 49 insertions, 33 deletions
diff --git a/README.md b/README.md
index bf067012b..ab9e91791 100644
--- a/README.md
+++ b/README.md
@@ -226,7 +226,11 @@ DESCRIPTION
              jailtest creates test files in the directories specified by  the
              user and tries to read them from inside the sandbox.
-       The program is running as root exclusively under sudo.
+       4. AppArmor test
+       5. Seccomp test
+       The program is started as root using sudo.
 OPTIONS
       --debug
@@ -239,7 +243,8 @@ OPTIONS
              Print program version and exit.
       [directory]
-              One or more directories in user home to test for read access.
+              One  or  more  directories in user home to test for read access.
+              ~/.ssh and ~/.gnupg are tested by default.
 OUTPUT
       For each sandbox detected we print the following line:
@@ -250,17 +255,28 @@ OUTPUT
       rectories and various warnings.
 EXAMPLE
-       $ sudo jailtest ~/.ssh ~/.gnupg
+       $ sudo jailtest
-       1429:netblue::/usr/bin/firejail /opt/firefox/firefox
+       2014:netblue::firejail /usr/bin/gimp
-          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc,
+          Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
-       5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net
+          Warning: I can run programs in /home/netblue
-          Virtual dirs: /var/tmp, /dev,
+       2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
+          Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
          Warning: I can read ~/.ssh
-       5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10
+       2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
+       pimage
          Virtual dirs: /tmp, /var/tmp, /dev,
+       26090:netblue::/usr/bin/firejail /opt/firefox/firefox
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
+                        /run/user/1000,
+       26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
+          Warning: AppArmor not enabled
+          Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
+                        /usr/share, /run/user/1000,
          Warning: I can run programs in /home/netblue
-       6394:netblue:libreoffice:/usr/bin/firejail libreoffice
-          Virtual dirs: /tmp, /var/tmp, /dev,
 LICENSE
       This program is free software; you can redistribute it and/or modify it
@@ -271,8 +287,8 @@ LICENSE
       Homepage: https://firejail.wordpress.com
 SEE ALSO
-       firejail(1),  firecfg(1),  firejail-profile(5), firejail-login(5) fire‐
+       firejail(1),  firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
-       jail-users(5)
+       gin(5), firejail-users(5),
 0.9.65                             Feb 2021                        JAILTEST(1)
 `````
@@ -287,28 +303,28 @@ $ ./profstats *.profile
 Warning: multiple caps in transmission-daemon.profile
 Stats:
-    profiles                    1064
+    profiles                    1077
-    include local profile       1064   (include profile-name.local)
+    include local profile       1077   (include profile-name.local)
-    include globals             1064   (include globals.local)
+    include globals             1077   (include globals.local)
-    blacklist ~/.ssh            959   (include disable-common.inc)
+    blacklist ~/.ssh            971   (include disable-common.inc)
-    seccomp                     975
+    seccomp                     988
-    capabilities                1063
+    capabilities                1076
-    noexec                      944   (include disable-exec.inc)
+    noexec                      960   (include disable-exec.inc)
-    memory-deny-write-execute   229
+    memory-deny-write-execute   231
-    apparmor                    605
+    apparmor                    621
-    private-bin                 564
+    private-bin                 571
-    private-dev                 932
+    private-dev                 949
-    private-etc                 462
+    private-etc                 470
-    private-tmp                 823
+    private-tmp                 835
-    whitelist home directory    502
+    whitelist home directory    508
-    whitelist var               744   (include whitelist-var-common.inc)
+    whitelist var               758   (include whitelist-var-common.inc)
-    whitelist run/user          461   (include whitelist-runuser-common.inc
+    whitelist run/user          539   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         451   (include whitelist-usr-share-common.inc
+    whitelist usr/share         526   (include whitelist-usr-share-common.inc
-    net none                    345
+    net none                    354
-    dbus-user none              564
+    dbus-user none              573
-    dbus-user filter            85
+    dbus-user filter            86
-    dbus-system none            696
+    dbus-system none            706
    dbus-system filter          7
 ```
author	netblue30 <netblue30@protonmail.com>	2021-02-23 08:40:02 -0500
committer	netblue30 <netblue30@protonmail.com>	2021-02-23 08:40:02 -0500
commit	80868ffa70784fae2642c3d9219e08a17822bc86 (patch)
tree	430b0a9c90e9adad7b18f601e3fc5ba1d92bebe2 /README.md
parent	hardening ssh, tor (diff)
download	firejail-80868ffa70784fae2642c3d9219e08a17822bc86.tar.gz firejail-80868ffa70784fae2642c3d9219e08a17822bc86.tar.zst firejail-80868ffa70784fae2642c3d9219e08a17822bc86.zip

diff --git a/README.md b/README.md index bf067012b..ab9e91791 100644 --- a/README.md +++ b/README.md
@@ -226,7 +226,11 @@ DESCRIPTION
226	jailtest creates test files in the directories specified by the	226	jailtest creates test files in the directories specified by the
227	user and tries to read them from inside the sandbox.	227	user and tries to read them from inside the sandbox.
228		228
229	The program is running as root exclusively under sudo.	229	4. AppArmor test
		230
		231	5. Seccomp test
		232
		233	The program is started as root using sudo.
230		234
231	OPTIONS	235	OPTIONS
232	--debug	236	--debug
@@ -239,7 +243,8 @@ OPTIONS
239	Print program version and exit.	243	Print program version and exit.
240		244
241	[directory]	245	[directory]
242	One or more directories in user home to test for read access.	246	One or more directories in user home to test for read access.
		247	~/.ssh and ~/.gnupg are tested by default.
243		248
244	OUTPUT	249	OUTPUT
245	For each sandbox detected we print the following line:	250	For each sandbox detected we print the following line:
@@ -250,17 +255,28 @@ OUTPUT
250	rectories and various warnings.	255	rectories and various warnings.
251		256
252	EXAMPLE	257	EXAMPLE
253	$ sudo jailtest ~/.ssh ~/.gnupg	258	$ sudo jailtest
254	1429:netblue::/usr/bin/firejail /opt/firefox/firefox	259	2014:netblue::firejail /usr/bin/gimp
255	Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc,	260	Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
256	5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net	261	Warning: I can run programs in /home/netblue
257	Virtual dirs: /var/tmp, /dev,	262
		263	2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
		264	Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
258	Warning: I can read ~/.ssh	265	Warning: I can read ~/.ssh
259	5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10	266
		267	2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐
		268	pimage
260	Virtual dirs: /tmp, /var/tmp, /dev,	269	Virtual dirs: /tmp, /var/tmp, /dev,
		270
		271	26090:netblue::/usr/bin/firejail /opt/firefox/firefox
		272	Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
		273	/run/user/1000,
		274
		275	26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
		276	Warning: AppArmor not enabled
		277	Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
		278	/usr/share, /run/user/1000,
261	Warning: I can run programs in /home/netblue	279	Warning: I can run programs in /home/netblue
262	6394:netblue:libreoffice:/usr/bin/firejail libreoffice
263	Virtual dirs: /tmp, /var/tmp, /dev,
264		280
265	LICENSE	281	LICENSE
266	This program is free software; you can redistribute it and/or modify it	282	This program is free software; you can redistribute it and/or modify it
@@ -271,8 +287,8 @@ LICENSE
271	Homepage: https://firejail.wordpress.com	287	Homepage: https://firejail.wordpress.com
272		288
273	SEE ALSO	289	SEE ALSO
274	firejail(1), firecfg(1), firejail-profile(5), firejail-login(5) fire‐	290	firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐
275	jail-users(5)	291	gin(5), firejail-users(5),
276		292
277	0.9.65 Feb 2021 JAILTEST(1)	293	0.9.65 Feb 2021 JAILTEST(1)
278	`````	294	`````
@@ -287,28 +303,28 @@ $ ./profstats *.profile
287	Warning: multiple caps in transmission-daemon.profile	303	Warning: multiple caps in transmission-daemon.profile
288		304
289	Stats:	305	Stats:
290	profiles 1064	306	profiles 1077
291	include local profile 1064 (include profile-name.local)	307	include local profile 1077 (include profile-name.local)
292	include globals 1064 (include globals.local)	308	include globals 1077 (include globals.local)
293	blacklist ~/.ssh 959 (include disable-common.inc)	309	blacklist ~/.ssh 971 (include disable-common.inc)
294	seccomp 975	310	seccomp 988
295	capabilities 1063	311	capabilities 1076
296	noexec 944 (include disable-exec.inc)	312	noexec 960 (include disable-exec.inc)
297	memory-deny-write-execute 229	313	memory-deny-write-execute 231
298	apparmor 605	314	apparmor 621
299	private-bin 564	315	private-bin 571
300	private-dev 932	316	private-dev 949
301	private-etc 462	317	private-etc 470
302	private-tmp 823	318	private-tmp 835
303	whitelist home directory 502	319	whitelist home directory 508
304	whitelist var 744 (include whitelist-var-common.inc)	320	whitelist var 758 (include whitelist-var-common.inc)
305	whitelist run/user 461 (include whitelist-runuser-common.inc	321	whitelist run/user 539 (include whitelist-runuser-common.inc
306	or blacklist ${RUNUSER})	322	or blacklist ${RUNUSER})
307	whitelist usr/share 451 (include whitelist-usr-share-common.inc	323	whitelist usr/share 526 (include whitelist-usr-share-common.inc
308	net none 345	324	net none 354
309	dbus-user none 564	325	dbus-user none 573
310	dbus-user filter 85	326	dbus-user filter 86
311	dbus-system none 696	327	dbus-system none 706
312	dbus-system filter 7	328	dbus-system filter 7
313	```	329	```
314		330