From 80868ffa70784fae2642c3d9219e08a17822bc86 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 23 Feb 2021 08:40:02 -0500 Subject: jailtest --- README.md | 82 ++++++++++++++++----------- src/jailtest/access.c | 19 +++++++ src/jailtest/apparmor.c | 40 +++++++++++++ src/jailtest/jailtest.h | 28 +++++++++- src/jailtest/main.c | 35 +++++++++++- src/jailtest/noexec.c | 19 +++++++ src/jailtest/seccomp.c | 47 ++++++++++++++++ src/jailtest/utils.c | 130 ++++++++++++++++++------------------------- src/jailtest/virtual.c | 34 +++++++++-- src/man/firecfg.txt | 11 ++-- src/man/firejail-login.txt | 11 ++-- src/man/firejail-profile.txt | 12 ++-- src/man/firejail-users.txt | 11 ++-- src/man/firejail.txt | 12 ++-- src/man/firemon.txt | 11 ++-- src/man/jailtest.txt | 58 +++++++++++++------ 16 files changed, 398 insertions(+), 162 deletions(-) create mode 100644 src/jailtest/apparmor.c create mode 100644 src/jailtest/seccomp.c diff --git a/README.md b/README.md index bf067012b..ab9e91791 100644 --- a/README.md +++ b/README.md @@ -226,7 +226,11 @@ DESCRIPTION jailtest creates test files in the directories specified by the user and tries to read them from inside the sandbox. - The program is running as root exclusively under sudo. + 4. AppArmor test + + 5. Seccomp test + + The program is started as root using sudo. OPTIONS --debug @@ -239,7 +243,8 @@ OPTIONS Print program version and exit. [directory] - One or more directories in user home to test for read access. + One or more directories in user home to test for read access. + ~/.ssh and ~/.gnupg are tested by default. OUTPUT For each sandbox detected we print the following line: 
@@ -250,17 +255,28 @@ OUTPUT rectories and various warnings. EXAMPLE - $ sudo jailtest ~/.ssh ~/.gnupg - 1429:netblue::/usr/bin/firejail /opt/firefox/firefox - Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, - 5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net - Virtual dirs: /var/tmp, /dev, + $ sudo jailtest + 2014:netblue::firejail /usr/bin/gimp + Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, + Warning: I can run programs in /home/netblue + + 2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net + Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, Warning: I can read ~/.ssh - 5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10 + + 2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.ap‐ + pimage Virtual dirs: /tmp, /var/tmp, /dev, + + 26090:netblue::/usr/bin/firejail /opt/firefox/firefox + Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, + /run/user/1000, + + 26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor + Warning: AppArmor not enabled + Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, + /usr/share, /run/user/1000, Warning: I can run programs in /home/netblue - 6394:netblue:libreoffice:/usr/bin/firejail libreoffice - Virtual dirs: /tmp, /var/tmp, /dev, LICENSE This program is free software; you can redistribute it and/or modify it @@ -271,8 +287,8 @@ LICENSE Homepage: https://firejail.wordpress.com SEE ALSO - firejail(1), firecfg(1), firejail-profile(5), firejail-login(5) fire‐ - jail-users(5) + firejail(1), firemon(1), firecfg(1), firejail-profile(5), firejail-lo‐ + gin(5), firejail-users(5), 0.9.65 Feb 2021 JAILTEST(1) ````` 
@@ -287,28 +303,28 @@ $ ./profstats *.profile Warning: multiple caps in transmission-daemon.profile Stats: - profiles 1064 - include local profile 1064 (include profile-name.local) - include globals 1064 (include globals.local) - blacklist ~/.ssh 959 (include disable-common.inc) - seccomp 975 - capabilities 1063 - noexec 944 (include disable-exec.inc) - memory-deny-write-execute 229 - apparmor 605 - private-bin 564 - private-dev 932 - private-etc 462 - private-tmp 823 - whitelist home directory 502 - whitelist var 744 (include whitelist-var-common.inc) - whitelist run/user 461 (include whitelist-runuser-common.inc + profiles 1077 + include local profile 1077 (include profile-name.local) + include globals 1077 (include globals.local) + blacklist ~/.ssh 971 (include disable-common.inc) + seccomp 988 + capabilities 1076 + noexec 960 (include disable-exec.inc) + memory-deny-write-execute 231 + apparmor 621 + private-bin 571 + private-dev 949 + private-etc 470 + private-tmp 835 + whitelist home directory 508 + whitelist var 758 (include whitelist-var-common.inc) + whitelist run/user 539 (include whitelist-runuser-common.inc or blacklist ${RUNUSER}) - whitelist usr/share 451 (include whitelist-usr-share-common.inc - net none 345 - dbus-user none 564 - dbus-user filter 85 - dbus-system none 696 + whitelist usr/share 526 (include whitelist-usr-share-common.inc + net none 354 + dbus-user none 573 + dbus-user filter 86 + dbus-system none 706 dbus-system filter 7 ``` diff --git a/src/jailtest/access.c b/src/jailtest/access.c index e68227bd2..4e737dc7a 100644 --- a/src/jailtest/access.c +++ b/src/jailtest/access.c 
@@ -1,3 +1,22 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ #include "jailtest.h" #include #include diff --git a/src/jailtest/apparmor.c b/src/jailtest/apparmor.c new file mode 100644 index 000000000..43ab8fad0 --- /dev/null +++ b/src/jailtest/apparmor.c 
@@ -0,0 +1,40 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailtest.h" + +#ifdef HAVE_APPARMOR +#include + +void apparmor_test(pid_t pid) { + char *label = NULL; + char *mode = NULL; + int rv = aa_gettaskcon(pid, &label, &mode); + if (rv == -1 || mode == NULL) + printf(" Warning: AppArmor not enabled\n"); +} + + +#else +void apparmor_test(uid_t pid) { + (void) pid; + return; +} +#endif + diff --git a/src/jailtest/jailtest.h b/src/jailtest/jailtest.h index 678f94bef..10174cc9a 100644 --- a/src/jailtest/jailtest.h +++ b/src/jailtest/jailtest.h 
@@ -1,3 +1,22 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ #ifndef JAILTEST_H #define JAILTEST_H @@ -8,6 +27,7 @@ extern uid_t user_uid; extern gid_t user_gid; extern char *user_name; extern char *user_home_dir; +extern char *user_run_dir; // access.c void access_setup(const char *directory); @@ -23,10 +43,16 @@ void virtual_setup(const char *directory); void virtual_destroy(void); void virtual_test(void); +// apparmor.c +void apparmor_test(pid_t pid); + +// seccomp.c +void seccomp_test(pid_t pid); + // utils.c char *get_sudo_user(void); char *get_homedir(const char *user, uid_t *uid, gid_t *gid); -int find_child(pid_t parent, pid_t *child); +int find_child(pid_t pid); pid_t switch_to_child(pid_t pid); #endif \ No newline at end of file diff --git a/src/jailtest/main.c b/src/jailtest/main.c index 78f162706..850277bc5 100644 --- a/src/jailtest/main.c +++ b/src/jailtest/main.c 
@@ -1,3 +1,22 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ #include "jailtest.h" #include "../include/firejail_user.h" #include "../include/pid.h" @@ -7,6 +26,7 @@ uid_t user_uid = 0; gid_t user_gid = 0; char *user_name = NULL; char *user_home_dir = NULL; +char *user_run_dir = NULL; int arg_debug = 0; static char *usage_str = @@ -73,9 +93,13 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: root user not supported\n"); exit(1); } + if (asprintf(&user_run_dir, "/run/user/%d", user_uid) == -1) + errExit("asprintf"); // test setup atexit(cleanup); + access_setup("~/.ssh"); + access_setup("~/.gnupg"); if (findex > 0) { for (i = findex; i < argc; i++) access_setup(argv[i]); @@ -88,6 +112,10 @@ int main(int argc, char **argv) { virtual_setup("/dev"); virtual_setup("/etc"); virtual_setup("/bin"); + virtual_setup("/usr/share"); + virtual_setup(user_run_dir); + + // print processes pid_read(0); 
@@ -98,8 +126,12 @@ int main(int argc, char **argv) { continue; // in case the pid is that of a firejail process, use the pid of the first child process - uid_t pid = switch_to_child(i); + uid_t pid = find_child(i); + printf("\n"); pid_print_list(i, 0); // no wrapping + apparmor_test(pid); + seccomp_test(pid); + fflush(0); pid_t child = fork(); if (child == -1) @@ -111,6 +143,7 @@ int main(int argc, char **argv) { noexec_test(user_home_dir); noexec_test("/tmp"); noexec_test("/var/tmp"); + noexec_test(user_run_dir); access_test(); } else { diff --git a/src/jailtest/noexec.c b/src/jailtest/noexec.c index d2f85514a..4347b7eef 100644 --- a/src/jailtest/noexec.c +++ b/src/jailtest/noexec.c @@ -1,3 +1,22 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ #include "jailtest.h" #include #include diff --git a/src/jailtest/seccomp.c b/src/jailtest/seccomp.c new file mode 100644 index 000000000..2cecb4b4d --- /dev/null +++ b/src/jailtest/seccomp.c 
@@ -0,0 +1,47 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailtest.h" +#define MAXBUF 4096 + +void seccomp_test(pid_t pid) { + char *file; + if (asprintf(&file, "/proc/%d/status", pid) == -1) + errExit("asprintf"); + + FILE *fp = fopen(file, "r"); + if (!fp) { + printf(" Error: cannot open %s\n", file); + free(file); + return; + } + + char buf[MAXBUF]; + while (fgets(buf, MAXBUF, fp)) { + if (strncmp(buf, "Seccomp:", 8) == 0) { + int val = -1; + int rv = sscanf(buf + 8, "\t%d", &val); + if (rv != 1 || val == 0) + printf(" Warning: seccomp not enabled\n"); + break; + } + } + fclose(fp); + free(file); +} diff --git a/src/jailtest/utils.c b/src/jailtest/utils.c index b24783355..41c21b753 100644 --- a/src/jailtest/utils.c +++ b/src/jailtest/utils.c 
@@ -1,4 +1,24 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ #include "jailtest.h" +#include "../include/pid.h" #include #include #include 
@@ -38,87 +58,45 @@ errexit: exit(1); } -int find_child(pid_t parent, pid_t *child) { - *child = 0; // use it to flag a found child +// find the second child process for the specified pid +// return -1 if not found +// +// Example: +//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt +// 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt +// 14792:netblue:/usr/bin/transmission-qt +// We need 14792, the first real sandboxed process +// duplicate from src/firemon/main.c +int find_child(int id) { + int i; + int first_child = -1; - DIR *dir; - if (!(dir = opendir("/proc"))) { - // sleep 2 seconds and try again - sleep(2); - if (!(dir = opendir("/proc"))) { - fprintf(stderr, "Error: cannot open /proc directory\n"); - exit(1); - } - } - - struct dirent *entry; - char *end; - while (*child == 0 && (entry = readdir(dir))) { - pid_t pid = strtol(entry->d_name, &end, 10); - if (end == entry->d_name || *end) - continue; - if (pid == parent) - continue; - - // open stat file - char *file; - if (asprintf(&file, "/proc/%u/status", pid) == -1) { - perror("asprintf"); - exit(1); - } - FILE *fp = fopen(file, "r"); - if (!fp) { - free(file); - continue; - } - - // look for firejail executable name - char buf[BUFLEN]; - while (fgets(buf, BUFLEN - 1, fp)) { - if (strncmp(buf, "PPid:", 5) == 0) { - char *ptr = buf + 5; - while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { - ptr++; - } - if (*ptr == '\0') { - fprintf(stderr, "Error: cannot read /proc file\n"); - exit(1); - } - if (parent == atoi(ptr)) { - // we don't want /usr/bin/xdg-dbus-proxy! 
- char *cmdline = pid_proc_cmdline(pid); - if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) != 0) - *child = pid; - free(cmdline); - } - break; // stop reading the file + // find the first child + for (i = 0; i < max_pids; i++) { + if (pids[i].level == 2 && pids[i].parent == id) { + // skip /usr/bin/xdg-dbus-proxy (started by firejail for dbus filtering) + char *cmdline = pid_proc_cmdline(i); + if (strncmp(cmdline, XDG_DBUS_PROXY_PATH, strlen(XDG_DBUS_PROXY_PATH)) == 0) { + free(cmdline); + continue; } + free(cmdline); + first_child = i; + break; } - fclose(fp); - free(file); } - closedir(dir); - return (*child)? 0:1; // 0 = found, 1 = not found -} -pid_t switch_to_child(pid_t pid) { - pid_t rv = pid; - errno = 0; - char *comm = pid_proc_comm(pid); - if (!comm) { - if (errno == ENOENT) - fprintf(stderr, "Error: cannot find process with pid %d\n", pid); - else - fprintf(stderr, "Error: cannot read /proc file\n"); - exit(1); - } + if (first_child == -1) + return -1; - if (strcmp(comm, "firejail") == 0) { - if (find_child(pid, &rv) == 1) { - fprintf(stderr, "Error: no valid sandbox\n"); - exit(1); - } + // find the second-level child + for (i = 0; i < max_pids; i++) { + if (pids[i].level == 3 && pids[i].parent == first_child) + return i; } - free(comm); - return rv; + + // if a second child is not found, return the first child pid + // this happens for processes sandboxed with --join + return first_child; } + diff --git a/src/jailtest/virtual.c b/src/jailtest/virtual.c index 48296fdb1..fcdcf9720 100644 --- a/src/jailtest/virtual.c +++ b/src/jailtest/virtual.c 
@@ -1,3 +1,22 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ #include "jailtest.h" #include #include @@ -64,7 +83,8 @@ void virtual_test(void) { assert(user_uid); int i; - printf(" Virtual dirs: "); fflush(0); + int cnt = 0; + cnt += printf(" Virtual dirs: "); fflush(0); for (i = 0; i < files_cnt; i++) { assert(files[i]); @@ -85,15 +105,21 @@ void virtual_test(void) { FILE *fp = fopen(files[i], "r"); if (fp) fclose(fp); - else - printf("%s, ", dirs[i]); + else { + if (cnt == 0) + cnt += printf("\n "); + cnt += printf("%s, ", dirs[i]); + if (cnt > 60) + cnt = 0; + } fflush(0); - exit(0); + exit(cnt); } // wait for the child to finish int status; wait(&status); + cnt = WEXITSTATUS(status); } printf("\n"); } diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 2c02aee47..dbb9397c6 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt 
@@ -130,8 +130,9 @@ This program is free software; you can redistribute it and/or modify it under th .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailtest (1) diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 430e86cc8..ce27729b7 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt @@ -34,8 +34,9 @@ Firejail is free software; you can redistribute it and/or modify it under the te .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-users (5), +.BR jailtest (1) diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 5e77b5f70..c7dc4c434 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -889,10 +889,12 @@ Firejail is free software; you can redistribute it and/or modify it under the te .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-login\fR\|(5), -\&\flfirejail-users\fR\|(5), +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailtest (1) + .UR https://github.com/netblue30/firejail/wiki/Creating-Profiles .UE diff --git a/src/man/firejail-users.txt b/src/man/firejail-users.txt index 6fa09e05e..c5a9c1848 100644 --- a/src/man/firejail-users.txt +++ b/src/man/firejail-users.txt 
@@ -54,8 +54,9 @@ as published by the Free Software Foundation; either version 2 of the License, o .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5) -\&\flfirejail-login\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR jailtest (1) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e85a02ee8..9e89d4e79 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -3332,11 +3332,13 @@ This program is free software; you can redistribute it and/or modify it under th .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfiremon\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5), -\&\flfirejail-users\fR\|(5), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailtest (1) + .UR https://github.com/netblue30/firejail/wiki .UE , .UR https://github.com/netblue30/firejail diff --git a/src/man/firemon.txt b/src/man/firemon.txt index cea6c0265..64f15a1f0 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt @@ -115,8 +115,9 @@ This program is free software; you can redistribute it and/or modify it under th .PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), +.BR jailtest (1) diff --git a/src/man/jailtest.txt b/src/man/jailtest.txt index bc1999163..1b64097ea 100644 --- a/src/man/jailtest.txt +++ b/src/man/jailtest.txt 
@@ -19,9 +19,12 @@ and tries to run them form inside the sandbox, thus testing if the directory is \fB3. Read access test jailtest creates test files in the directories specified by the user and tries to read them from inside the sandbox. - .TP -The program is running as root exclusively under sudo. +\fB4. AppArmor test +.TP +\fB5. Seccomp test +.TP +The program is started as root using sudo. .SH OPTIONS .TP @@ -35,7 +38,7 @@ Print options end exit. Print program version and exit. .TP \fB[directory] -One or more directories in user home to test for read access. +One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default. .SH OUTPUT For each sandbox detected we print the following line: 
@@ -46,37 +49,58 @@ It is followed by relevant sandbox information, such as the virtual directories .SH EXAMPLE +$ sudo jailtest .br -$ sudo jailtest ~/.ssh ~/.gnupg +2014:netblue::firejail /usr/bin/gimp .br -1429:netblue::/usr/bin/firejail /opt/firefox/firefox + Virtual dirs: /tmp, /var/tmp, /dev, /usr/share, .br - Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, + Warning: I can run programs in /home/netblue +.br + .br -5602:netblue::/usr/bin/firejail /usr/bin/ssh netblue@x.y.z.net +2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net .br - Virtual dirs: /var/tmp, /dev, + Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000, .br Warning: I can read ~/.ssh .br -5926:netblue::/usr/bin/firejail /usr/bin/gimp-2.10 + +.br +2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage .br Virtual dirs: /tmp, /var/tmp, /dev, .br - Warning: I can run programs in /home/netblue + .br -6394:netblue:libreoffice:/usr/bin/firejail libreoffice +26090:netblue::/usr/bin/firejail /opt/firefox/firefox .br - Virtual dirs: /tmp, /var/tmp, /dev, + Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share, .br + /run/user/1000, +.br + +.br +26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor +.br + Warning: AppArmor not enabled +.br + Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin, +.br + /usr/share, /run/user/1000, +.br + Warning: I can run programs in /home/netblue +.br + .SH LICENSE This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
.PP Homepage: https://firejail.wordpress.com .SH SEE ALSO -\&\flfirejail\fR\|(1), -\&\flfirecfg\fR\|(1), -\&\flfirejail-profile\fR\|(5), -\&\flfirejail-login\fR\|(5) -\&\flfirejail-users\fR\|(5) +.BR firejail (1), +.BR firemon (1), +.BR firecfg (1), +.BR firejail-profile (5), +.BR firejail-login (5), +.BR firejail-users (5), -- cgit v1.2.3-54-g00ecf
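Review bot: in src/jailtest/apparmor.c the `#else` stub is declared as `void apparmor_test(uid_t pid)` while jailtest.h declares `void apparmor_test(pid_t pid)`; on a build without HAVE_APPARMOR this is a conflicting declaration of the same function (pid_t is signed, uid_t is unsigned), so change the stub to `pid_t`. In the HAVE_APPARMOR branch, `aa_gettaskcon()` allocates `label` (with `mode` pointing into the same buffer) and the caller is expected to free it; add `if (rv != -1) free(label);` after the check. The condition `rv == -1 || mode == NULL` also folds two different situations into one message: `-1` means the task could not be queried (AppArmor unavailable on the system), while `mode == NULL` means AppArmor is running but this process is unconfined. A user reading "AppArmor not enabled" cannot tell whether to fix the system or the profile, so consider two distinct warnings.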
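Review bot: in src/jailtest/seccomp.c the loop exits silently when /proc/PID/status contains no `Seccomp:` line at all (a kernel built without seccomp support), which is exactly the case where the warning matters most; track whether the line was seen (e.g. `int found = 0;` set inside the `if`) and print `Warning: seccomp not enabled` after the loop when it was not. The test also accepts any non-zero value, so mode 1 (strict) and mode 2 (filter, the mode a firejail profile actually installs) are reported the same way; if the intent is to confirm a filter is in place, check for `val == 2` and mention the mode in the warning.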
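Review bot: in src/jailtest/main.c, `uid_t pid = find_child(i);` stores the result of `find_child()`, which utils.c documents as returning -1 when no child is found, in an unsigned `uid_t`, and never checks for that case; `apparmor_test()` and `seccomp_test()` are then run against a nonexistent pid (the -1 only survives because it is converted back to `pid_t` at the call). Declare it `pid_t pid` and add `if (pid == -1) continue;` (or print the sandbox line and skip the per-process tests) before calling them. In the same file, `asprintf(&user_run_dir, "/run/user/%d", user_uid)` should use `%u`, since `user_uid` is `uid_t`. Finally, `access_setup("~/.ssh")` and `access_setup("~/.gnupg")` are now unconditional, so a user who still passes `~/.ssh` on the command line (as the old EXAMPLE did) sets the directory up twice; either make `access_setup()` skip duplicates or note in the usage text that those two are implied.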
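Review bot: in src/jailtest/utils.c, `find_child()` passes the result of `pid_proc_cmdline(i)` straight to `strncmp()` with no NULL check; a process can exit between `pid_read()` and this call, leaving nothing under /proc to read, and the comparison then dereferences NULL. Guard with `if (cmdline == NULL) continue;`. The comment says the function is a duplicate of `src/firemon/main.c`; since both tools already share `src/include/pid.h`, moving it into the shared pid code would keep the two copies from drifting. Also note that the fallback to `first_child` is documented for `--join`, but a sandbox whose application has not yet been started at scan time takes the same path and is then tested as the intermediate firejail process rather than the application; a short comment (or a debug message under `arg_debug`) would make that visible when results look wrong.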
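Review bot: src/jailtest/jailtest.h keeps the prototype `pid_t switch_to_child(pid_t pid);` although this commit removes the function from utils.c and main.c no longer calls it; drop the dead declaration. The new prototype `int find_child(pid_t pid);` also differs from the definition `int find_child(int id)` in utils.c; it compiles because pid_t is int on Linux, but the header and the definition should use the same type.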
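Review bot: in src/jailtest/virtual.c the column counter is carried from child to parent through the exit status (`exit(cnt)` in the child, `cnt = WEXITSTATUS(status)` in the parent). `WEXITSTATUS` is only meaningful when `WIFEXITED(status)` is true, so a child killed by a signal leaves the parent with garbage, and exit codes are truncated to 8 bits. Because `cnt` is reset to 0 once it passes 60 the value stays small in practice, but it is still a fragile channel for layout state; at minimum check `WIFEXITED(status)` before reading it, or have the child exit 0/1 to report only whether the directory is virtual and do the printing and line-wrapping in the parent.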
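Review bot: in src/man/jailtest.txt the new items `4. AppArmor test` and `5. Seccomp test` are bare headings, unlike items 1-3 which each say what is created and tried; add a sentence per item so the `Warning: AppArmor not enabled` and seccomp warnings in the EXAMPLE are explained, e.g. "jailtest checks whether the sandboxed process is confined by an AppArmor profile" and "jailtest checks whether a seccomp filter is installed for the sandboxed process (the Seccomp field in /proc/PID/status)". The README.md copy of the man page reproduces the same empty items and should be regenerated after the fix. The `.TP` placed before `The program is started as root using sudo.` renders that sentence as a list tag rather than a paragraph; `.PP` reads better there.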
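Review bot: in src/man/jailtest.txt the SEE ALSO list now ends with `.BR firejail-users (5),`, and the rendered README copy shows the stray trailing comma as `firejail-users(5),`; the other man pages touched in this commit end their list without one (`.BR jailtest (1)`). Drop the comma on the last entry.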