1 files changed, 210 insertions, 4 deletions

diff --git a/todo b/todo
index da732be9f..6bc73313f 100644
--- a/todo
+++ b/todo
@@ -74,11 +74,217 @@ CapEff:	0000000000000000
 CapBnd: 0000003fffffffff
 CapAmb: 0000000000000000
 
-11. cleanup thunderbird profile - disable-common was commented out
-
-12. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
+11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
 Seccomp lists:
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
 
-13. check for --chroot why .config/pulse dir is not created
+12. check for --chroot why .config/pulse dir is not created
+
+13. print error line number for profile files in  profile_check_line()
+
+14. make rpms problems
+$ firejail --version
+firejail version 0.9.40
+User namespace support is disabled.
+
+$ rpmlint firejail-0.9.40-1.x86_64.rpm 
+firejail.x86_64: E: no-changelogname-tag
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so
+firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi
+
+$ rpmlint firejail-0.9.40-1.src.rpm
+firejail.src: E: no-changelogname-tag
+firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
+1 packages and 0 specfiles checked; 1 errors, 1 warnings.
+
+15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles
+
+$ firejail  --caps.keep=chown,net_bind_service src/faudit/faudit
+Reading profile /etc/firejail/default.profile
+Reading profile /etc/firejail/disable-common.inc
+Reading profile /etc/firejail/disable-programs.inc
+Reading profile /etc/firejail/disable-passwdmgr.inc
+
+** Note: you can use --noprofile to disable default.profile **
+
+Parent pid 6872, child pid 6873
+
+Child process initialized
+
+----- Firejail Audit: the Good, the Bad and the Ugly -----
+
+GOOD: Process PID 2, running in a PID namespace
+Container/sandbox: firejail
+GOOD: all capabilities are disabled
+
+
+Parent is shutting down, bye...
+
+16. Sound devices:
+/dev/snd
+
+
+    /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4
+    /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3
+    /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12
+    /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20
+    /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19
+    /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28
+    /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36
+    /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35
+    /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44
+
+
+17. test 3d acceleration
+
+$ lspci -nn | grep VGA
+
+# apt-get install mesa-utils
+
+$ glxinfo  | grep rendering
+
+The output should be:
+
+direct rendering: Yes
+        
+$ glxinfo | grep "renderer string"
+
+OpenGL renderer string: Gallium 0.4 on AMD KAVERI
+
+
+glxgears stuck to 60fps may be due to VSync signal synchronization.
+To disable Vsync
+
+$ vblank_mode=0 glxgears
+
+19. testing snaps
+
+Install firejail from official repository
+sudo apt-get install firejail
+
+Check firejail version
+firejail --version
+
+Above command outputs: firejail version 0.9.38
+
+Search the snap 'ubuntu clock' application
+sudo snap find ubuntu-clock-app
+
+Install 'ubuntu clock' application using snap
+sudo snap install ubuntu-clock-app
+
+Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
+cd /snap/bin/
+ls -l
+
+Note: We see application name is: ubuntu-clock-app.clock
+
+Run application
+/snap/bin/ubuntu-clock-app.clock
+
+Note: Application starts-up without a problem and clock is displayed.
+
+Close application using mouse.
+
+Now try to firejail the application.
+firejail /snap/bin/ubuntu-clock-app.clock
+
+-------- Error message --------
+Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/disable-mgmt.inc
+Reading profile /etc/firejail/disable-secret.inc
+Reading profile /etc/firejail/disable-common.inc
+
+** Note: you can use --noprofile to disable generic.profile **
+
+Parent pid 3770, child pid 3771
+
+Child process initialized
+need to run as root or suid
+
+parent is shutting down, bye...
+-------- End of Error message --------
+
+Try running as root as message instructs.
+sudo firejail /snap/bin/ubuntu-clock-app.clock
+
+extract env for process
+ps e -p <pid> | sed 's/ /\n/g' 
+
+
+20. check default disable - from grsecurity
+
+GRKERNSEC_HIDESYM
+/proc/kallsyms and other files
+
+GRKERNSEC_PROC_USER
+If you say Y here, non-root users will only be able to view their own
+processes, and restricts them from viewing network-related information,
+and viewing kernel symbol and module information.
+
+GRKERNSEC_PROC_ADD
+If you say Y here, additional restrictions will be placed on
+/proc that keep normal users from viewing device information and 
+slabinfo information that could be useful for exploits.
+
+21. Core Infrastructure Initiative (CII) Best Practices
+
+Proposal
+
+Someone closely involved with the project could go thought the criteria and keep them up-to-date.
+References
+
+    https://bestpractices.coreinfrastructure.org
+    https://twit.tv/shows/floss-weekly/episodes/389
+
+22. add support for read-write and noexec to Firetools
+
+23. AppArmor
+
+$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify
+$ sudo apt-get install libapparmor-dev
+
+$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
+$ sudo update-grub
+$ sudo reboot
+
+If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message.
+$ sudo aa-notify -p -f /var/log/audit/audit.log
+
+$ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail
+firejail-default (enforce)
+
+24. check monitor proc behaviour for sandboxes with --blacklist=/proc
+also check --apparmor in this case
+
+25. fix firemon and firetools on systems with hidepid=2
+
+sudo mount -o remount,rw,hidepid=2 /proc
+
+26. mupdf profile
+
+27. LUKS 
+
+dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in 
+Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, 
+removable media, partitions, software RAID volumes, logical volumes, and files.
+
+28. Merge --dbus=none from https://github.com/Sidnioulz/firejail
+
+  // block dbus session bus the hard way if necessary
+  if (cfg.dbus == 0) {
+    char *dbus_path;
+                if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1)
+                        errExit("asprintf");
+    fs_blacklist_file(dbus_path);
+    free(dbus_path);
+}
+
+29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*
+
+30. /* coverity[toctou] */
+