1. Getting "Warning: failed to unmount /sys" on --chroot and --overlay 2. Startup warnings on Arch Linux: (all fine here) $ ./firejail Parent pid 2495, child pid 2496 Child process initialized $ (warnings) $ ./firejail --overlay Parent pid 2500, child pid 2501 OverlayFS configured in /home/ablive/.firejail/2500 directory Warning: /var/lock not mounted Warning: cannot find /var/run/utmp Warning: failed to unmount /sys Child process initialized $ (warnings) $ ./firejail --chroot=/media/mylinux Parent pid 2503, child pid 2504 Warning: cannot find /var/run/utmp Dropping all Linux capabilities and enforcing default seccomp filter Warning: failed to unmount /sys Child process initialized $ 5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI) RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog, 6. Tests not working on Arch: profile_syntax.exp (profile syntax) fs_chroot.exp (chroot as user) private-etc.exp 7. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections ksh and zsh seem to have it. Tests: a) cat /dev/tcp/www.google.com/80 echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3 cat <&3 c) A list of attacks http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/ 8. SELinux Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/ "desktops are notoriously difficult to use a mandatory access control system on" 9. blacklist .muttrc, contains passwords in clear text 10. abstract unix socket bridge, example for ibus: before the sandbox is started socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc & in sandbox socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock 12. do not allow symlinks for --bind 13. While using --net=eth0 assign the name of the interface inside the sandbox as eth0 15. do not attempt to mount /sys if unmount fails $ firejail --noprofile --chroot=/tmp/chroot Parent pid 13915, child pid 13916 Warning: cannot mount tmpfs on top of /var/log Warning: cannot find /var/run/utmp Warning: cannot find home directory Dropping all Linux capabilities and enforcing default seccomp filter Warning: failed to unmount /sys Warning: failed to mount /sys Warning: cannot disable /sys/firmware directory Warning: cannot disable /sys/hypervisor directory Warning: cannot disable /sys/fs directory Warning: cannot disable /sys/module directory Warning: cannot disable /sys/power directory Child process initialized 16. add support for --ip, --iprange, --mac and --mtu for --interface option 17. private-home clashing with blacklist whitelist clashing with blacklist 19. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151 21. restrict chars in filenames try to open url-encoded filenames const char badChars[] = "-\n\r ,;'\\<\""; (https://www.securecoding.cert.org/confluence/display/c/MSC09-C.+Character+encoding%3A+Use+subset+of+ASCII+for+safety) strip = array("~", "`", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "_", "=", "+", "[", "{", "]", "}", "\\", "|", ";", ":", "\"", "'", "‘", "’", "“", "”", "–", "—", "—", "–", ",", "<", ".", ">", "/", "?"); (https://github.com/vito/chyrp/blob/35c646dda657300b345a233ab10eaca7ccd4ec10/includes/helpers.php#L516) $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}"); (wordpress) rework the calls to invalid_filename(), depending if globing is allowed or not, include * in the list for non-globing files The POSIX standard defines what a “portable filename” is. This turns out to be just A-Z, a-z, 0-9, , , and http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276 22. --shutdown does not clear sandboxes started with --join on Debian jessie