author | 2015-10-24 09:33:19 -0400 | |
---|---|---|
committer | 2015-10-24 09:33:19 -0400 | |
commit | d32b4d874d6a57c2b1ec5ba5330a2f8b9cd67e44 (patch) | |
tree | 6da00a58b4bb545f5e852d0081e10081e36a2c64 /todo | |
parent | Merge pull request #89 from g4jc/master (diff) | |
renamed ERRNO to BLACKLIST_ERRNO in seccomp.c
Diffstat (limited to 'todo')
-rw-r--r-- | todo | 38 |
1 files changed, 9 insertions, 29 deletions
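--- a/todo
+++ b/todo
@@ -34,35 +34,7 @@ $
 5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
 RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog,
 
-6. To investigate
-
-// Restrict the set of allowable network protocol families
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_AX25)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_IPX)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_NETROM)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_X25)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_ROSE)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_DECnet)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_SECURITY)));
-CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
-SCMP_A0(SCMP_CMP_EQ, AF_KEY)));
+6. add kexec_file_load to default seccomp filter
 
 7. Tests not working on Arch:
 profile_syntax.exp (profile syntax)
@@ -84,3 +56,11 @@ cat <&3
 c) A list of attacks
 http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
 
+9. protocol filter: AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, AF_PACKET
+
+// Create a raw IP socket with UDP protocol
+sd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
+
+// open a raw ethernet socket
+s = socket(AF_PACKET, SOCK_DGRAM, htons(ETHERTYPE_IP));
+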