fix todo

author: netblue30 <netblue30@yahoo.com> 2016-02-25 18:03:09 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-25 18:03:09 -0500
commit: 4e9800311cd1ae73a9050c4f80e2a7401ca12663 (patch)
tree: ea622b15ca85b9f94d153de0d97e3789ba99a811 /todo
parent: x11 fixes (diff)
download: firejail-4e9800311cd1ae73a9050c4f80e2a7401ca12663.tar.gz
firejail-4e9800311cd1ae73a9050c4f80e2a7401ca12663.tar.zst
firejail-4e9800311cd1ae73a9050c4f80e2a7401ca12663.zip
1 files changed, 34 insertions, 1 deletions
diff --git a/todo b/todo
index 78b49dde6..438637d24 100644
--- a/todo
+++ b/todo
@@ -1 +1,34 @@
-firejail --noprofile --net=eth0 --x11 xterm -fg white -bg black
+1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
+ksh and zsh seem to have it.
+Tests:
+a)
+cat </dev/tcp/time.nist.gov/13
+b)
+exec 3<>/dev/tcp/www.google.com/80
+echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
+cat <&3
+c) A list of attacks
+http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
+2. SELinux integration
+Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
+Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
+"desktops are notoriously difficult to use a mandatory access control system on"
+3. abstract unix socket bridge, example for ibus:
+before the sandbox is started
+socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
+in sandbox
+socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
+5. add support for --ip, --iprange, --mac and --mtu for --interface option
+6. --shutdown does not clear sandboxes started with --join
+7. profile for okular
author	netblue30 <netblue30@yahoo.com>	2016-02-25 18:03:09 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-25 18:03:09 -0500
commit	4e9800311cd1ae73a9050c4f80e2a7401ca12663 (patch)
tree	ea622b15ca85b9f94d153de0d97e3789ba99a811 /todo
parent	x11 fixes (diff)
download	firejail-4e9800311cd1ae73a9050c4f80e2a7401ca12663.tar.gz firejail-4e9800311cd1ae73a9050c4f80e2a7401ca12663.tar.zst firejail-4e9800311cd1ae73a9050c4f80e2a7401ca12663.zip

diff --git a/todo b/todo index 78b49dde6..438637d24 100644 --- a/todo +++ b/todo
@@ -1 +1,34 @@
1	firejail --noprofile --net=eth0 --x11 xterm -fg white -bg black	1	1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
		2	ksh and zsh seem to have it.
		3
		4	Tests:
		5	a)
		6	cat </dev/tcp/time.nist.gov/13
		7
		8	b)
		9	exec 3<>/dev/tcp/www.google.com/80
		10	echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
		11	cat <&3
		12
		13	c) A list of attacks
		14	http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
		15
		16	2. SELinux integration
		17
		18	Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
		19	Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
		20	"desktops are notoriously difficult to use a mandatory access control system on"
		21
		22	3. abstract unix socket bridge, example for ibus:
		23
		24	before the sandbox is started
		25	socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
		26	in sandbox
		27	socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
		28
		29	5. add support for --ip, --iprange, --mac and --mtu for --interface option
		30
		31	6. --shutdown does not clear sandboxes started with --join
		32
		33	7. profile for okular
		34