x11 work

author: netblue30 <netblue30@yahoo.com> 2016-02-24 22:37:20 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-24 22:37:20 -0500
commit: 11e5b2ce21d6efa1ed0fea4db18e410427436162 (patch)
tree: f36791949f69817d9f47aec8dfd16d50f889ced7 /todo
parent: x11 work (diff)
download: firejail-11e5b2ce21d6efa1ed0fea4db18e410427436162.tar.gz
firejail-11e5b2ce21d6efa1ed0fea4db18e410427436162.tar.zst
firejail-11e5b2ce21d6efa1ed0fea4db18e410427436162.zip
1 files changed, 1 insertions, 34 deletions
diff --git a/todo b/todo
index 438637d24..78b49dde6 100644
--- a/todo
+++ b/todo
@@ -1,34 +1 @@
-1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
+firejail --noprofile --net=eth0 --x11 xterm -fg white -bg black
-ksh and zsh seem to have it.
-Tests:
-a)
-cat </dev/tcp/time.nist.gov/13
-b)
-exec 3<>/dev/tcp/www.google.com/80
-echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
-cat <&3
-c) A list of attacks
-http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
-2. SELinux integration
-Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
-Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
-"desktops are notoriously difficult to use a mandatory access control system on"
-3. abstract unix socket bridge, example for ibus:
-before the sandbox is started
-socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
-in sandbox
-socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
-5. add support for --ip, --iprange, --mac and --mtu for --interface option
-6. --shutdown does not clear sandboxes started with --join
-7. profile for okular
author	netblue30 <netblue30@yahoo.com>	2016-02-24 22:37:20 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-24 22:37:20 -0500
commit	11e5b2ce21d6efa1ed0fea4db18e410427436162 (patch)
tree	f36791949f69817d9f47aec8dfd16d50f889ced7 /todo
parent	x11 work (diff)
download	firejail-11e5b2ce21d6efa1ed0fea4db18e410427436162.tar.gz firejail-11e5b2ce21d6efa1ed0fea4db18e410427436162.tar.zst firejail-11e5b2ce21d6efa1ed0fea4db18e410427436162.zip

diff --git a/todo b/todo index 438637d24..78b49dde6 100644 --- a/todo +++ b/todo
@@ -1,34 +1 @@
1	1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections	firejail --noprofile --net=eth0 --x11 xterm -fg white -bg black
2	ksh and zsh seem to have it.
3
4	Tests:
5	a)
6	cat </dev/tcp/time.nist.gov/13
7
8	b)
9	exec 3<>/dev/tcp/www.google.com/80
10	echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
11	cat <&3
12
13	c) A list of attacks
14	http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
15
16	2. SELinux integration
17
18	Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
19	Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
20	"desktops are notoriously difficult to use a mandatory access control system on"
21
22	3. abstract unix socket bridge, example for ibus:
23
24	before the sandbox is started
25	socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
26	in sandbox
27	socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
28
29	5. add support for --ip, --iprange, --mac and --mtu for --interface option
30
31	6. --shutdown does not clear sandboxes started with --join
32
33	7. profile for okular
34