From 1902bd413e70567d51caa229b3726a3d12bff12a Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 4 Apr 2017 09:45:38 -0400
Subject: --help fixes

---
 todo | 310 ++-----------------------------------------------------------------
 1 file changed, 7 insertions(+), 303 deletions(-)

(limited to 'todo')

diff --git a/todo b/todo
index 86917e6cd..e2816f47c 100644
--- a/todo
+++ b/todo
@@ -1,303 +1,7 @@ -1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections -ksh and zsh seem to have it. - -Tests: -a) -cat /dev/tcp/www.google.com/80 -echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3 -cat <&3 - -c) A list of attacks -http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ - -2. SELinux integration - -Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html -Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/ -"desktops are notoriously difficult to use a mandatory access control system on" - -3. abstract unix socket bridge, example for ibus: - -before the sandbox is started -socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc & -in sandbox -socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock - -5. add support for --ip, --iprange, --mac and --mtu for --interface option - -6. --shutdown does not clear sandboxes started with --join - -7. profile for okular - -8. profile for dillo -Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active. -This is probably a dillo problem. - -9. --force sandbox in a overlayfs sandbox - -$ sudo firejail --overlay -# su netblue -$ xterm & -$ firejail --force --private -Parent pid 77, child pid 78 -Warning: failed to unmount /sys - -Warning: cannot mount a new user namespace, going forward without it... -Child process initialized - -Try to join the forced sandbox in xterm window: -$ firejail --join=77 -Switching to pid 78, the first child process inside the sandbox -Warning: seccomp file not found -Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer. -$ ls ~ <----------------- all files are available, the directory is not empty! - -10. Posibly capabilities broken for --join - -$ firejail --name=test -... 
-$ firejail --debug --join=test -Switching to pid 18591, the first child process inside the sandbox -User namespace detected: /proc/18591/uid_map, 1000, 1000 -Set caps filter 0 -Set protocol filter: unix,inet,inet6 -Read seccomp filter, size 792 bytes - -However, in the join sandbox we have: -$ cat /proc/self/status | grep Cap -CapInh: 0000000000000000 -CapPrm: 0000000000000000 -CapEff: 0000000000000000 -CapBnd: 0000003fffffffff -CapAmb: 0000000000000000 - -11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/ -Seccomp lists: -https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl -https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl - -12. check for --chroot why .config/pulse dir is not created - -13. print error line number for profile files in profile_check_line() - -14. make rpms problems -$ firejail --version -firejail version 0.9.40 -User namespace support is disabled. - -$ rpmlint firejail-0.9.40-1.x86_64.rpm -firejail.x86_64: E: no-changelogname-tag -firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so -firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so -firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so -firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile -firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi - -$ rpmlint firejail-0.9.40-1.src.rpm -firejail.src: E: no-changelogname-tag -firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found -1 packages and 0 specfiles checked; 1 errors, 1 warnings. - -15. 
bug: capabiliteis declared on the command line take precedence over caps declared in profiles - -$ firejail --caps.keep=chown,net_bind_service src/faudit/faudit -Reading profile /etc/firejail/default.profile -Reading profile /etc/firejail/disable-common.inc -Reading profile /etc/firejail/disable-programs.inc -Reading profile /etc/firejail/disable-passwdmgr.inc - -** Note: you can use --noprofile to disable default.profile ** - -Parent pid 6872, child pid 6873 - -Child process initialized - ------ Firejail Audit: the Good, the Bad and the Ugly ----- - -GOOD: Process PID 2, running in a PID namespace -Container/sandbox: firejail -GOOD: all capabilities are disabled - - -Parent is shutting down, bye... - -16. Sound devices: -/dev/snd - - - /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4 - /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3 - /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12 - /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20 - /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19 - /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28 - /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36 - /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35 - /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44 - - -17. test 3d acceleration - -$ lspci -nn | grep VGA - -# apt-get install mesa-utils - -$ glxinfo | grep rendering - -The output should be: - -direct rendering: Yes - -$ glxinfo | grep "renderer string" - -OpenGL renderer string: Gallium 0.4 on AMD KAVERI - - -glxgears stuck to 60fps may be due to VSync signal synchronization. -To disable Vsync - -$ vblank_mode=0 glxgears - -19. 
testing snaps - -Install firejail from official repository -sudo apt-get install firejail - -Check firejail version -firejail --version - -Above command outputs: firejail version 0.9.38 - -Search the snap 'ubuntu clock' application -sudo snap find ubuntu-clock-app - -Install 'ubuntu clock' application using snap -sudo snap install ubuntu-clock-app - -Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/ -cd /snap/bin/ -ls -l - -Note: We see application name is: ubuntu-clock-app.clock - -Run application -/snap/bin/ubuntu-clock-app.clock - -Note: Application starts-up without a problem and clock is displayed. - -Close application using mouse. - -Now try to firejail the application. -firejail /snap/bin/ubuntu-clock-app.clock - --------- Error message -------- -Reading profile /etc/firejail/generic.profile -Reading profile /etc/firejail/disable-mgmt.inc -Reading profile /etc/firejail/disable-secret.inc -Reading profile /etc/firejail/disable-common.inc - -** Note: you can use --noprofile to disable generic.profile ** - -Parent pid 3770, child pid 3771 - -Child process initialized -need to run as root or suid - -parent is shutting down, bye... --------- End of Error message -------- - -Try running as root as message instructs. -sudo firejail /snap/bin/ubuntu-clock-app.clock - -extract env for process -ps e -p | sed 's/ /\n/g' - - -20. check default disable - from grsecurity - -GRKERNSEC_HIDESYM -/proc/kallsyms and other files - -GRKERNSEC_PROC_USER -If you say Y here, non-root users will only be able to view their own -processes, and restricts them from viewing network-related information, -and viewing kernel symbol and module information. - -GRKERNSEC_PROC_ADD -If you say Y here, additional restrictions will be placed on -/proc that keep normal users from viewing device information and -slabinfo information that could be useful for exploits. - -21. 
Core Infrastructure Initiative (CII) Best Practices - -Proposal - -Someone closely involved with the project could go thought the criteria and keep them up-to-date. -References - - https://bestpractices.coreinfrastructure.org - https://twit.tv/shows/floss-weekly/episodes/389 - -22. add support for read-write and noexec to Firetools - -23. AppArmor - -$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify -$ sudo apt-get install libapparmor-dev - -$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub -$ sudo update-grub -$ sudo reboot - -If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message. -$ sudo aa-notify -p -f /var/log/audit/audit.log - -$ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail -firejail-default (enforce) - -24. check monitor proc behaviour for sandboxes with --blacklist=/proc -also check --apparmor in this case - -25. fix firemon and firetools on systems with hidepid=2 - -sudo mount -o remount,rw,hidepid=2 /proc - -26. mupdf profile - -27. LUKS - -dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in -Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, -removable media, partitions, software RAID volumes, logical volumes, and files. - -28. Merge --dbus=none from https://github.com/Sidnioulz/firejail - - // block dbus session bus the hard way if necessary - if (cfg.dbus == 0) { - char *dbus_path; - if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1) - errExit("asprintf"); - fs_blacklist_file(dbus_path); - free(dbus_path); -} - -29. grsecurity - move test after "firejail --name=blablabla" in /test/apps* - -30. -$ sudo firejail --fs.print=test -[sudo] password for netblue: -tmpfs /run/firejail/mnt << ???????????????? 
-sandbox name: test -sandbox pid: 5790 -sandbox filesystem: local -install mount namespace -read-only /etc -read-only /var -read-only /bin - -31. --private and --allusers are coliding - -32. machine-id defined in rfc4122 +add --nosound to --help +--force +--git-install +--git-uninstall +--join-or-start +--netns +--private-opt -- cgit v1.2.3-70-g09d2
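Review bot: the commit message says "--help fixes", but the hunk replaces the whole 303-line todo with seven lines, and several of the dropped entries are open bug reports rather than notes: item 6 (`--shutdown` does not clear sandboxes started with `--join`), item 9 (`firejail --force --private` inside an overlay sandbox still shows a non-empty home after `--join=77`), item 10 (a joined sandbox reports `CapEff: 0000000000000000` while `CapBnd` remains `0000003fffffffff`), item 15 (`--caps.keep=chown,net_bind_service` on the command line still ends with "all capabilities are disabled" in the faudit output), item 24 (`--blacklist=/proc` combined with `--apparmor`) and item 31 (`--private` and `--allusers` colliding). None of them is marked fixed or pointed at an issue, so this drops the only record of join and capability handling problems that sit directly on the sandbox boundary; either keep those entries or say in the commit message where they were moved. Separately, the seven added lines are inconsistent in form: the first reads "add --nosound to --help" while the rest are bare option names ("--force", "--git-install", "--join-or-start", ...), so a later reader cannot tell whether each option is missing from --help or is itself the pending work; write every line the same way, e.g. "add --force to --help".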