small fixes

author: netblue30 <netblue30@yahoo.com> 2016-02-21 09:43:33 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-21 09:43:33 -0500
commit: c89ebb846a9df5288b482941fe8d205f675be39b (patch)
tree: 14bf7bb798142c869b4a1edf1d0ddf818a37581d /todo
parent: testing (diff)
download: firejail-c89ebb846a9df5288b482941fe8d205f675be39b.tar.gz
firejail-c89ebb846a9df5288b482941fe8d205f675be39b.tar.zst
firejail-c89ebb846a9df5288b482941fe8d205f675be39b.zip
1 files changed, 5 insertions, 95 deletions
diff --git a/todo b/todo
index 8e8ffc9f2..662ca935b 100644
--- a/todo
+++ b/todo
@@ -1,41 +1,4 @@
-1. Getting "Warning: failed to unmount /sys" on --chroot and --overlay
+1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
-2. Startup warnings on Arch Linux:
-(all fine here)
-$ ./firejail
-Parent pid 2495, child pid 2496
-Child process initialized
-$
-(warnings)
-$ ./firejail --overlay
-Parent pid 2500, child pid 2501
-OverlayFS configured in /home/ablive/.firejail/2500 directory
-Warning: /var/lock not mounted
-Warning: cannot find /var/run/utmp
-Warning: failed to unmount /sys
-Child process initialized
-$ 
-(warnings)
-$ ./firejail --chroot=/media/mylinux
-Parent pid 2503, child pid 2504
-Warning: cannot find /var/run/utmp
-Dropping all Linux capabilities and enforcing default seccomp filter
-Warning: failed to unmount /sys
-Child process initialized
-$
-5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
-RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, 
-6. Tests not working on Arch:
-profile_syntax.exp (profile syntax)
-fs_chroot.exp (chroot as user)
-private-etc.exp
-7. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
 ksh and zsh seem to have it.
 Tests:
@@ -50,74 +13,21 @@ cat <&3
 c) A list of attacks
 http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
-8. SELinux
+2. SELinux integration
 Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
 Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
 "desktops are notoriously difficult to use a mandatory access control system on"
-9. blacklist .muttrc, contains passwords in clear text
+3. abstract unix socket bridge, example for ibus:
-10. abstract unix socket bridge, example for ibus:
 before the sandbox is started
 socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
 in sandbox
 socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
-12. do not allow symlinks for --bind
+5. add support for --ip, --iprange, --mac and --mtu for --interface option
-13. While using --net=eth0 assign the name of the interface inside the sandbox as eth0
-15. do not attempt to mount /sys if unmount fails
-$ firejail --noprofile --chroot=/tmp/chroot
-Parent pid 13915, child pid 13916
-Warning: cannot mount tmpfs on top of /var/log
-Warning: cannot find /var/run/utmp
-Warning: cannot find home directory
-Dropping all Linux capabilities and enforcing default seccomp filter
-Warning: failed to unmount /sys
-Warning: failed to mount /sys
-Warning: cannot disable /sys/firmware directory
-Warning: cannot disable /sys/hypervisor directory
-Warning: cannot disable /sys/fs directory
-Warning: cannot disable /sys/module directory
-Warning: cannot disable /sys/power directory
-Child process initialized
-16. add support for --ip, --iprange, --mac and --mtu for --interface option
-17. private-home clashing with blacklist
-whitelist clashing with blacklist
-19. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151
-21. restrict chars in filenames
-try to open url-encoded filenames
-const char badChars[] = "-\n\r ,;'\\<\""; 
-(https://www.securecoding.cert.org/confluence/display/c/MSC09-C.+Character+encoding%3A+Use+subset+of+ASCII+for+safety)
-strip = array("~", "`", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "_", "=", "+", "[", "{", "]",
-                       "}", "\\", "|", ";", ":", "\"", "'", "&#8216;", "&#8217;", "&#8220;", "&#8221;", "&#8211;", "&#8212;",
-                       "—", "–", ",", "<", ".", ">", "/", "?");
-(https://github.com/vito/chyrp/blob/35c646dda657300b345a233ab10eaca7ccd4ec10/includes/helpers.php#L516)
-$special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}");
-(wordpress)
-rework the calls to invalid_filename(), depending if globing is allowed or not, include * in the list for non-globing files
-The POSIX standard defines what a “portable filename” is. This turns out to be just A-Z, a-z, 0-9, <period>, <underscore>, and <hyphen>
-http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276
-22. --shutdown does not clear sandboxes started with --join on Debian jessie
-23. to document:
+6. --shutdown does not clear sandboxes started with --join
-http://lwn.net/Articles/414813/
-echo 1 > /proc/sys/kernel/dmesg_restrict
author	netblue30 <netblue30@yahoo.com>	2016-02-21 09:43:33 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-21 09:43:33 -0500
commit	c89ebb846a9df5288b482941fe8d205f675be39b (patch)
tree	14bf7bb798142c869b4a1edf1d0ddf818a37581d /todo
parent	testing (diff)
download	firejail-c89ebb846a9df5288b482941fe8d205f675be39b.tar.gz firejail-c89ebb846a9df5288b482941fe8d205f675be39b.tar.zst firejail-c89ebb846a9df5288b482941fe8d205f675be39b.zip

diff --git a/todo b/todo index 8e8ffc9f2..662ca935b 100644 --- a/todo +++ b/todo
@@ -1,41 +1,4 @@
1	1. Getting "Warning: failed to unmount /sys" on --chroot and --overlay	1	1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
2
3	2. Startup warnings on Arch Linux:
4
5	(all fine here)
6	$ ./firejail
7	Parent pid 2495, child pid 2496
8	Child process initialized
9	$
10
11	(warnings)
12	$ ./firejail --overlay
13	Parent pid 2500, child pid 2501
14	OverlayFS configured in /home/ablive/.firejail/2500 directory
15	Warning: /var/lock not mounted
16	Warning: cannot find /var/run/utmp
17	Warning: failed to unmount /sys
18	Child process initialized
19	$
20
21	(warnings)
22	$ ./firejail --chroot=/media/mylinux
23	Parent pid 2503, child pid 2504
24	Warning: cannot find /var/run/utmp
25	Dropping all Linux capabilities and enforcing default seccomp filter
26	Warning: failed to unmount /sys
27	Child process initialized
28	$
29
30	5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
31	RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog,
32
33	6. Tests not working on Arch:
34	profile_syntax.exp (profile syntax)
35	fs_chroot.exp (chroot as user)
36	private-etc.exp
37
38	7. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
39	ksh and zsh seem to have it.	2	ksh and zsh seem to have it.
40		3
41	Tests:	4	Tests:
@@ -50,74 +13,21 @@ cat <&3
50	c) A list of attacks	13	c) A list of attacks
51	http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/	14	http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
52		15
53	8. SELinux	16	2. SELinux integration
54		17
55	Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html	18	Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
56	Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/	19	Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
57	"desktops are notoriously difficult to use a mandatory access control system on"	20	"desktops are notoriously difficult to use a mandatory access control system on"
58		21
59	9. blacklist .muttrc, contains passwords in clear text	22	3. abstract unix socket bridge, example for ibus:
60
61	10. abstract unix socket bridge, example for ibus:
62		23
63	before the sandbox is started	24	before the sandbox is started
64	socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &	25	socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
65
66	in sandbox	26	in sandbox
67	socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock	27	socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
68		28
69	12. do not allow symlinks for --bind	29	5. add support for --ip, --iprange, --mac and --mtu for --interface option
70
71	13. While using --net=eth0 assign the name of the interface inside the sandbox as eth0
72
73	15. do not attempt to mount /sys if unmount fails
74
75	$ firejail --noprofile --chroot=/tmp/chroot
76	Parent pid 13915, child pid 13916
77	Warning: cannot mount tmpfs on top of /var/log
78	Warning: cannot find /var/run/utmp
79	Warning: cannot find home directory
80	Dropping all Linux capabilities and enforcing default seccomp filter
81	Warning: failed to unmount /sys
82	Warning: failed to mount /sys
83	Warning: cannot disable /sys/firmware directory
84	Warning: cannot disable /sys/hypervisor directory
85	Warning: cannot disable /sys/fs directory
86	Warning: cannot disable /sys/module directory
87	Warning: cannot disable /sys/power directory
88	Child process initialized
89
90	16. add support for --ip, --iprange, --mac and --mtu for --interface option
91
92	17. private-home clashing with blacklist
93	whitelist clashing with blacklist
94
95	19. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151
96
97	21. restrict chars in filenames
98
99	try to open url-encoded filenames
100
101	const char badChars[] = "-\n\r ,;'\\<\"";
102	(https://www.securecoding.cert.org/confluence/display/c/MSC09-C.+Character+encoding%3A+Use+subset+of+ASCII+for+safety)
103
104	strip = array("~", "`", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "_", "=", "+", "[", "{", "]",
105	"}", "\\", "\|", ";", ":", "\"", "'", "‘", "’", "“", "”", "–", "—",
106	"—", "–", ",", "<", ".", ">", "/", "?");
107	(https://github.com/vito/chyrp/blob/35c646dda657300b345a233ab10eaca7ccd4ec10/includes/helpers.php#L516)
108
109	$special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "\|", "~", "`", "!", "{", "}");
110	(wordpress)
111
112	rework the calls to invalid_filename(), depending if globing is allowed or not, include * in the list for non-globing files
113
114	The POSIX standard defines what a “portable filename” is. This turns out to be just A-Z, a-z, 0-9, <period>, <underscore>, and <hyphen>
115	http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276
116
117	22. --shutdown does not clear sandboxes started with --join on Debian jessie
118		30
119	23. to document:	31	6. --shutdown does not clear sandboxes started with --join
120		32
121	http://lwn.net/Articles/414813/
122	echo 1 > /proc/sys/kernel/dmesg_restrict
123		33