Diffstat (limited to 'todo')
-rw-r--r-- | todo | 214 |
1 files changed, 210 insertions, 4 deletions
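--- a/todo
+++ b/todo
@@ -74,11 +74,217 @@ CapEff: 0000000000000000
 CapBnd: 0000003fffffffff
 CapAmb: 0000000000000000
 
-11. cleanup thunderbird profile - disable-common was commented out
-
-12. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
+11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
 Seccomp lists:
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
 https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
 
-13. check for --chroot why .config/pulse dir is not created
+12. check for --chroot why .config/pulse dir is not created
+
+13. print error line number for profile files in profile_check_line()
+
+14. make rpms problems
+$ firejail --version
+firejail version 0.9.40
+User namespace support is disabled.
+
+$ rpmlint firejail-0.9.40-1.x86_64.rpm
+firejail.x86_64: E: no-changelogname-tag
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so
+firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so
+firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile
+firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi
+
+$ rpmlint firejail-0.9.40-1.src.rpm
+firejail.src: E: no-changelogname-tag
+firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
+1 packages and 0 specfiles checked; 1 errors, 1 warnings.
+
+15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles
+
+$ firejail --caps.keep=chown,net_bind_service src/faudit/faudit
+Reading profile /etc/firejail/default.profile
+Reading profile /etc/firejail/disable-common.inc
+Reading profile /etc/firejail/disable-programs.inc
+Reading profile /etc/firejail/disable-passwdmgr.inc
+
+** Note: you can use --noprofile to disable default.profile **
+
+Parent pid 6872, child pid 6873
+
+Child process initialized
+
+----- Firejail Audit: the Good, the Bad and the Ugly -----
+
+GOOD: Process PID 2, running in a PID namespace
+Container/sandbox: firejail
+GOOD: all capabilities are disabled
+
+
+Parent is shutting down, bye...
+
+16. Sound devices:
+/dev/snd
+
+
+/dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4
+/dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3
+/dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12
+/dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20
+/dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19
+/dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28
+/dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36
+/dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35
+/dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44
+
+
+17. test 3d acceleration
+
+$ lspci -nn | grep VGA
+
+# apt-get install mesa-utils
+
+$ glxinfo | grep rendering
+
+The output should be:
+
+direct rendering: Yes
+
+$ glxinfo | grep "renderer string"
+
+OpenGL renderer string: Gallium 0.4 on AMD KAVERI
+
+
+glxgears stuck to 60fps may be due to VSync signal synchronization.
+To disable Vsync
+
+$ vblank_mode=0 glxgears
+
+19. testing snaps
+
+Install firejail from official repository
+sudo apt-get install firejail
+
+Check firejail version
+firejail --version
+
+Above command outputs: firejail version 0.9.38
+
+Search the snap 'ubuntu clock' application
+sudo snap find ubuntu-clock-app
+
+Install 'ubuntu clock' application using snap
+sudo snap install ubuntu-clock-app
+
+Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
+cd /snap/bin/
+ls -l
+
+Note: We see application name is: ubuntu-clock-app.clock
+
+Run application
+/snap/bin/ubuntu-clock-app.clock
+
+Note: Application starts-up without a problem and clock is displayed.
+
+Close application using mouse.
+
+Now try to firejail the application.
+firejail /snap/bin/ubuntu-clock-app.clock
+
+-------- Error message --------
+Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/disable-mgmt.inc
+Reading profile /etc/firejail/disable-secret.inc
+Reading profile /etc/firejail/disable-common.inc
+
+** Note: you can use --noprofile to disable generic.profile **
+
+Parent pid 3770, child pid 3771
+
+Child process initialized
+need to run as root or suid
+
+parent is shutting down, bye...
+-------- End of Error message --------
+
+Try running as root as message instructs.
+sudo firejail /snap/bin/ubuntu-clock-app.clock
+
+extract env for process
+ps e -p <pid> | sed 's/ /\n/g'
+
+
+20. check default disable - from grsecurity
+
+GRKERNSEC_HIDESYM
+/proc/kallsyms and other files
+
+GRKERNSEC_PROC_USER
+If you say Y here, non-root users will only be able to view their own
+processes, and restricts them from viewing network-related information,
+and viewing kernel symbol and module information.
+
+GRKERNSEC_PROC_ADD
+If you say Y here, additional restrictions will be placed on
+/proc that keep normal users from viewing device information and
+slabinfo information that could be useful for exploits.
+
+21. Core Infrastructure Initiative (CII) Best Practices
+
+Proposal
+
+Someone closely involved with the project could go thought the criteria and keep them up-to-date.
+References
+
+https://bestpractices.coreinfrastructure.org
+https://twit.tv/shows/floss-weekly/episodes/389
+
+22. add support for read-write and noexec to Firetools
+
+23. AppArmor
+
+$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify
+$ sudo apt-get install libapparmor-dev
+
+$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
+$ sudo update-grub
+$ sudo reboot
+
+If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message.
+$ sudo aa-notify -p -f /var/log/audit/audit.log
+
+$ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail
+firejail-default (enforce)
+
+24. check monitor proc behaviour for sandboxes with --blacklist=/proc
+also check --apparmor in this case
+
+25. fix firemon and firetools on systems with hidepid=2
+
+sudo mount -o remount,rw,hidepid=2 /proc
+
+26. mupdf profile
+
+27. LUKS
+
+dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in
+Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks,
+removable media, partitions, software RAID volumes, logical volumes, and files.
+
+28. Merge --dbus=none from https://github.com/Sidnioulz/firejail
+
+// block dbus session bus the hard way if necessary
+if (cfg.dbus == 0) {
+char *dbus_path;
+if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1)
+errExit("asprintf");
+fs_blacklist_file(dbus_path);
+free(dbus_path);
+}
+
+29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*
+
+30. /* coverity[toctou] */
+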