--help fixes

1 files changed, 7 insertions, 303 deletions

diff --git a/todo b/todo
index 86917e6cd..e2816f47c 100644
--- a/todo
+++ b/todo
@@ -1,303 +1,7 @@
-1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
-ksh and zsh seem to have it.
-
-Tests:
-a)
-cat </dev/tcp/time.nist.gov/13
-
-b)
-exec 3<>/dev/tcp/www.google.com/80
-echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
-cat <&3
-
-c) A list of attacks
-http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
-
-2. SELinux integration
-
-Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
-Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
-"desktops are notoriously difficult to use a mandatory access control system on"
-
-3. abstract unix socket bridge, example for ibus:
-
-before the sandbox is started
-socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
-in sandbox
-socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
-
-5. add support for --ip, --iprange, --mac and --mtu for --interface option
-
-6. --shutdown does not clear sandboxes started with --join
-
-7. profile for okular
-
-8. profile for dillo
-Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active.
-This is probably a dillo problem.
-
-9. --force sandbox in a overlayfs sandbox
-
-$ sudo firejail --overlay
-# su netblue
-$ xterm &
-$ firejail --force --private
-Parent pid 77, child pid 78
-Warning: failed to unmount /sys
-
-Warning: cannot mount a new user namespace, going forward without it...
-Child process initialized
-
-Try to join the forced sandbox in xterm window:
-$ firejail --join=77
-Switching to pid 78, the first child process inside the sandbox
-Warning: seccomp file not found
-Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
-$ ls ~ <----------------- all files are available, the directory is not empty!
-
-10. Posibly capabilities broken for --join
-
-$ firejail --name=test
-...
-$ firejail --debug --join=test
-Switching to pid 18591, the first child process inside the sandbox
-User namespace detected: /proc/18591/uid_map, 1000, 1000
-Set caps filter 0
-Set protocol filter: unix,inet,inet6
-Read seccomp filter, size 792 bytes
-
-However, in the join sandbox we have:
-$ cat /proc/self/status | grep Cap
-CapInh: 0000000000000000
-CapPrm: 0000000000000000
-CapEff: 0000000000000000
-CapBnd: 0000003fffffffff
-CapAmb: 0000000000000000
-
-11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
-Seccomp lists:
-https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
-https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
-
-12. check for --chroot why .config/pulse dir is not created
-
-13. print error line number for profile files in  profile_check_line()
-
-14. make rpms problems
-$ firejail --version
-firejail version 0.9.40
-User namespace support is disabled.
-
-$ rpmlint firejail-0.9.40-1.x86_64.rpm 
-firejail.x86_64: E: no-changelogname-tag
-firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so
-firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so
-firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so
-firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile
-firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi
-
-$ rpmlint firejail-0.9.40-1.src.rpm
-firejail.src: E: no-changelogname-tag
-firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
-1 packages and 0 specfiles checked; 1 errors, 1 warnings.
-
-15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles
-
-$ firejail  --caps.keep=chown,net_bind_service src/faudit/faudit
-Reading profile /etc/firejail/default.profile
-Reading profile /etc/firejail/disable-common.inc
-Reading profile /etc/firejail/disable-programs.inc
-Reading profile /etc/firejail/disable-passwdmgr.inc
-
-** Note: you can use --noprofile to disable default.profile **
-
-Parent pid 6872, child pid 6873
-
-Child process initialized
-
------ Firejail Audit: the Good, the Bad and the Ugly -----
-
-GOOD: Process PID 2, running in a PID namespace
-Container/sandbox: firejail
-GOOD: all capabilities are disabled
-
-
-Parent is shutting down, bye...
-
-16. Sound devices:
-/dev/snd
-
-
-    /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4
-    /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3
-    /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12
-    /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20
-    /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19
-    /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28
-    /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36
-    /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35
-    /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44
-
-
-17. test 3d acceleration
-
-$ lspci -nn | grep VGA
-
-# apt-get install mesa-utils
-
-$ glxinfo  | grep rendering
-
-The output should be:
-
-direct rendering: Yes
-        
-$ glxinfo | grep "renderer string"
-
-OpenGL renderer string: Gallium 0.4 on AMD KAVERI
-
-
-glxgears stuck to 60fps may be due to VSync signal synchronization.
-To disable Vsync
-
-$ vblank_mode=0 glxgears
-
-19. testing snaps
-
-Install firejail from official repository
-sudo apt-get install firejail
-
-Check firejail version
-firejail --version
-
-Above command outputs: firejail version 0.9.38
-
-Search the snap 'ubuntu clock' application
-sudo snap find ubuntu-clock-app
-
-Install 'ubuntu clock' application using snap
-sudo snap install ubuntu-clock-app
-
-Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
-cd /snap/bin/
-ls -l
-
-Note: We see application name is: ubuntu-clock-app.clock
-
-Run application
-/snap/bin/ubuntu-clock-app.clock
-
-Note: Application starts-up without a problem and clock is displayed.
-
-Close application using mouse.
-
-Now try to firejail the application.
-firejail /snap/bin/ubuntu-clock-app.clock
-
--------- Error message --------
-Reading profile /etc/firejail/generic.profile
-Reading profile /etc/firejail/disable-mgmt.inc
-Reading profile /etc/firejail/disable-secret.inc
-Reading profile /etc/firejail/disable-common.inc
-
-** Note: you can use --noprofile to disable generic.profile **
-
-Parent pid 3770, child pid 3771
-
-Child process initialized
-need to run as root or suid
-
-parent is shutting down, bye...
--------- End of Error message --------
-
-Try running as root as message instructs.
-sudo firejail /snap/bin/ubuntu-clock-app.clock
-
-extract env for process
-ps e -p <pid> | sed 's/ /\n/g' 
-
-
-20. check default disable - from grsecurity
-
-GRKERNSEC_HIDESYM
-/proc/kallsyms and other files
-
-GRKERNSEC_PROC_USER
-If you say Y here, non-root users will only be able to view their own
-processes, and restricts them from viewing network-related information,
-and viewing kernel symbol and module information.
-
-GRKERNSEC_PROC_ADD
-If you say Y here, additional restrictions will be placed on
-/proc that keep normal users from viewing device information and 
-slabinfo information that could be useful for exploits.
-
-21. Core Infrastructure Initiative (CII) Best Practices
-
-Proposal
-
-Someone closely involved with the project could go thought the criteria and keep them up-to-date.
-References
-
-    https://bestpractices.coreinfrastructure.org
-    https://twit.tv/shows/floss-weekly/episodes/389
-
-22. add support for read-write and noexec to Firetools
-
-23. AppArmor
-
-$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify
-$ sudo apt-get install libapparmor-dev
-
-$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
-$ sudo update-grub
-$ sudo reboot
-
-If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message.
-$ sudo aa-notify -p -f /var/log/audit/audit.log
-
-$ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail
-firejail-default (enforce)
-
-24. check monitor proc behaviour for sandboxes with --blacklist=/proc
-also check --apparmor in this case
-
-25. fix firemon and firetools on systems with hidepid=2
-
-sudo mount -o remount,rw,hidepid=2 /proc
-
-26. mupdf profile
-
-27. LUKS 
-
-dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in 
-Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, 
-removable media, partitions, software RAID volumes, logical volumes, and files.
-
-28. Merge --dbus=none from https://github.com/Sidnioulz/firejail
-
-  // block dbus session bus the hard way if necessary
-  if (cfg.dbus == 0) {
-    char *dbus_path;
-                if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1)
-                        errExit("asprintf");
-    fs_blacklist_file(dbus_path);
-    free(dbus_path);
-}
-
-29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*
-
-30.
-$ sudo firejail --fs.print=test
-[sudo] password for netblue: 
-tmpfs /run/firejail/mnt                 << ????????????????
-sandbox name: test
-sandbox pid: 5790
-sandbox filesystem: local
-install mount namespace
-read-only /etc
-read-only /var
-read-only /bin
-
-31. --private and --allusers are coliding
-
-32. machine-id defined in rfc4122
+add --nosound to --help
+--force
+--git-install
+--git-uninstall
+--join-or-start
+--netns
+--private-opt