Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 82 |
1 files changed, 49 insertions, 33 deletions
@@ -226,7 +226,11 @@ DESCRIPTION | |||
226 | jailtest creates test files in the directories specified by the | 226 | jailtest creates test files in the directories specified by the |
227 | user and tries to read them from inside the sandbox. | 227 | user and tries to read them from inside the sandbox. |
228 | 228 | ||
229 | The program is running as root exclusively under sudo. | 229 | 4. AppArmor test |
230 | |||
231 | 5. Seccomp test | ||
232 | |||
233 | The program is started as root using sudo. | ||
230 | 234 | ||
231 | OPTIONS | 235 | OPTIONS |
232 | --debug | 236 | --debug |
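Review bot: the new items `4. AppArmor test` and `5. Seccomp test` (new lines 229 and 231) are bare headings, while the item before them explains what the test does (creates test files in the given directories and tries to read them from inside the sandbox). Add a sentence under each stating what is checked and which warning is printed when the check fails (the EXAMPLE section further down already shows `Warning: AppArmor not enabled`), so a reader knows what the absence of a warning means.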
@@ -239,7 +243,8 @@ OPTIONS | |||
239 | Print program version and exit. | 243 | Print program version and exit. |
240 | 244 | ||
241 | [directory] | 245 | [directory] |
242 | One or more directories in user home to test for read access. | 246 | One or more directories in user home to test for read access. |
247 | ~/.ssh and ~/.gnupg are tested by default. | ||
243 | 248 | ||
244 | OUTPUT | 249 | OUTPUT |
245 | For each sandbox detected we print the following line: | 250 | For each sandbox detected we print the following line: |
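Review bot: the added sentence `~/.ssh and ~/.gnupg are tested by default.` (new line 247) does not say whether directories passed on the command line are tested in addition to these defaults or instead of them, and the updated EXAMPLE only shows the no-argument form `$ sudo jailtest`. One sentence spelling out the actual behaviour, e.g. `Directories given on the command line are tested in addition to the defaults`, would remove the ambiguity.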
@@ -250,17 +255,28 @@ OUTPUT | |||
250 | rectories and various warnings. | 255 | rectories and various warnings. |
251 | 256 | ||
252 | EXAMPLE | 257 | EXAMPLE |
253 | $ sudo jailtest ~/.ssh ~/.gnupg | 258 | $ sudo jailtest |
254 | 1429:netblue::/usr/bin/firejail /opt/firefox/firefox | 259 | 2014:netblue::firejail /usr/bin/gimp |
255 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, | 260 | Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, |
256 | 5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net | 261 | Warning: I can run programs in /home/netblue |
257 | Virtual dirs: /var/tmp, /dev, | 262 | |
263 | 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net | ||
264 | Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, | ||
258 | Warning: I can read ~/.ssh | 265 | Warning: I can read ~/.ssh |
259 | 5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10 | 266 | |
267 | 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐ | ||
268 | pimage | ||
260 | Virtual dirs: /tmp, /var/tmp, /dev, | 269 | Virtual dirs: /tmp, /var/tmp, /dev, |
270 | |||
271 | 26090:netblue::/usr/bin/firejail /opt/firefox/firefox | ||
272 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, | ||
273 | /run/user/1000, | ||
274 | |||
275 | 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor | ||
276 | Warning: AppArmor not enabled | ||
277 | Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, | ||
278 | /usr/share, /run/user/1000, | ||
261 | Warning: I can run programs in /home/netblue | 279 | Warning: I can run programs in /home/netblue |
262 | 6394:netblue:libreoffice:/usr/bin/firejail libreoffice | ||
263 | Virtual dirs: /tmp, /var/tmp, /dev, | ||
264 | 280 | ||
265 | LICENSE | 281 | LICENSE |
266 | This program is free software; you can redistribute it and/or modify it | 282 | This program is free software; you can redistribute it and/or modify it |
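Review bot: in the tor-browser entry `Warning: AppArmor not enabled` is printed before `Virtual dirs:` (new lines 276 and 277), while every other entry prints `Virtual dirs:` first and any warning after it; either the example or the program's output order should be made consistent, and the OUTPUT section above (ending `...rectories and various warnings.`) should mention the new AppArmor warning and the blank line that now separates sandboxes. Also, `/opt/LibreOffice-fresh.ap‐pimage` on lines 267 and 268 carries a soft hyphen from man-page terminal wrapping; join the path on one line so a reader copying the command gets `/opt/LibreOffice-fresh.appimage`.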
@@ -271,8 +287,8 @@ LICENSE | |||
271 | Homepage: https://firejail.wordpress.com | 287 | Homepage: https://firejail.wordpress.com |
272 | 288 | ||
273 | SEE ALSO | 289 | SEE ALSO |
274 | firejail(1), firecfg(1), firejail-profile(5), firejail-login(5) fire‐ | 290 | firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐ |
275 | jail-users(5) | 291 | gin(5), firejail-users(5), |
276 | 292 | ||
277 | 0.9.65 Feb 2021 JAILTEST(1) | 293 | 0.9.65 Feb 2021 JAILTEST(1) |
278 | ````` | 294 | ````` |
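Review bot: the rewritten SEE ALSO list ends with a stray trailing comma (`gin(5), firejail-users(5),` on new line 291); drop it so the list ends with `firejail-users(5)` as the old text did.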
@@ -287,28 +303,28 @@ $ ./profstats *.profile | |||
287 | Warning: multiple caps in transmission-daemon.profile | 303 | Warning: multiple caps in transmission-daemon.profile |
288 | 304 | ||
289 | Stats: | 305 | Stats: |
290 | profiles 1064 | 306 | profiles 1077 |
291 | include local profile 1064 (include profile-name.local) | 307 | include local profile 1077 (include profile-name.local) |
292 | include globals 1064 (include globals.local) | 308 | include globals 1077 (include globals.local) |
293 | blacklist ~/.ssh 959 (include disable-common.inc) | 309 | blacklist ~/.ssh 971 (include disable-common.inc) |
294 | seccomp 975 | 310 | seccomp 988 |
295 | capabilities 1063 | 311 | capabilities 1076 |
296 | noexec 944 (include disable-exec.inc) | 312 | noexec 960 (include disable-exec.inc) |
297 | memory-deny-write-execute 229 | 313 | memory-deny-write-execute 231 |
298 | apparmor 605 | 314 | apparmor 621 |
299 | private-bin 564 | 315 | private-bin 571 |
300 | private-dev 932 | 316 | private-dev 949 |
301 | private-etc 462 | 317 | private-etc 470 |
302 | private-tmp 823 | 318 | private-tmp 835 |
303 | whitelist home directory 502 | 319 | whitelist home directory 508 |
304 | whitelist var 744 (include whitelist-var-common.inc) | 320 | whitelist var 758 (include whitelist-var-common.inc) |
305 | whitelist run/user 461 (include whitelist-runuser-common.inc | 321 | whitelist run/user 539 (include whitelist-runuser-common.inc |
306 | or blacklist ${RUNUSER}) | 322 | or blacklist ${RUNUSER}) |
307 | whitelist usr/share 451 (include whitelist-usr-share-common.inc | 323 | whitelist usr/share 526 (include whitelist-usr-share-common.inc |
308 | net none 345 | 324 | net none 354 |
309 | dbus-user none 564 | 325 | dbus-user none 573 |
310 | dbus-user filter 85 | 326 | dbus-user filter 86 |
311 | dbus-system none 696 | 327 | dbus-system none 706 |
312 | dbus-system filter 7 | 328 | dbus-system filter 7 |
313 | ``` | 329 | ``` |
314 | 330 | ||
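Review bot: the line `whitelist usr/share 526 (include whitelist-usr-share-common.inc` (new line 323) opens a parenthesis that is never closed; the neighbouring `whitelist run/user 539 (include whitelist-runuser-common.inc` is fine because its continuation `or blacklist ${RUNUSER})` closes it. Add the missing `)` on line 323 while the counts are being refreshed.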