diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-10-24 09:33:19 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-10-24 09:33:19 -0400 |
| commit | d32b4d874d6a57c2b1ec5ba5330a2f8b9cd67e44 (patch) | |
| tree | 6da00a58b4bb545f5e852d0081e10081e36a2c64 /todo | |
| parent | Merge pull request #89 from g4jc/master (diff) | |
| download | firejail-d32b4d874d6a57c2b1ec5ba5330a2f8b9cd67e44.tar.gz firejail-d32b4d874d6a57c2b1ec5ba5330a2f8b9cd67e44.tar.zst firejail-d32b4d874d6a57c2b1ec5ba5330a2f8b9cd67e44.zip | |
renamed ERRNO to BLACKLIST_ERRNO in seccomp.c
Diffstat (limited to 'todo')
| -rw-r--r-- | todo | 38 |
1 files changed, 9 insertions, 29 deletions
| @@ -34,35 +34,7 @@ $ | |||
| 34 | 5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) | 34 | 5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) |
| 35 | RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, | 35 | RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, |
| 36 | 36 | ||
| 37 | 6. To investigate | 37 | 6. add kexec_file_load to default seccomp filter |
| 38 | |||
| 39 | // Restrict the set of allowable network protocol families | ||
| 40 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 41 | SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1))); | ||
| 42 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 43 | SCMP_A0(SCMP_CMP_EQ, AF_AX25))); | ||
| 44 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 45 | SCMP_A0(SCMP_CMP_EQ, AF_IPX))); | ||
| 46 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 47 | SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK))); | ||
| 48 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 49 | SCMP_A0(SCMP_CMP_EQ, AF_NETROM))); | ||
| 50 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 51 | SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE))); | ||
| 52 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 53 | SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC))); | ||
| 54 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 55 | SCMP_A0(SCMP_CMP_EQ, AF_X25))); | ||
| 56 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 57 | SCMP_A0(SCMP_CMP_EQ, AF_ROSE))); | ||
| 58 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 59 | SCMP_A0(SCMP_CMP_EQ, AF_DECnet))); | ||
| 60 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 61 | SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI))); | ||
| 62 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 63 | SCMP_A0(SCMP_CMP_EQ, AF_SECURITY))); | ||
| 64 | CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1, | ||
| 65 | SCMP_A0(SCMP_CMP_EQ, AF_KEY))); | ||
| 66 | 38 | ||
| 67 | 7. Tests not working on Arch: | 39 | 7. Tests not working on Arch: |
| 68 | profile_syntax.exp (profile syntax) | 40 | profile_syntax.exp (profile syntax) |
| @@ -84,3 +56,11 @@ cat <&3 | |||
| 84 | c) A list of attacks | 56 | c) A list of attacks |
| 85 | http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ | 57 | http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ |
| 86 | 58 | ||
| 59 | 9. protocol filter: AF_UNIX, AF_INET, AF_INET6, AF_NETLINK, AF_PACKET | ||
| 60 | |||
| 61 | // Create a raw IP socket with UDP protocol | ||
| 62 | sd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP); | ||
| 63 | |||
| 64 | // open a raw ethernet socket | ||
| 65 | s = socket(AF_PACKET, SOCK_DGRAM, htons(ETHERTYPE_IP)); | ||
| 66 | |||