1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
.TH JAILCHECK 1 "MONTH YEAR" "VERSION" "JAILCHECK man page"
.SH NAME
jailcheck \- Simple utility program to test running sandboxes
.SH SYNOPSIS
sudo jailcheck [OPTIONS] [directory]
.SH DESCRIPTION
jailcheck attaches itself to all sandboxes started by the user and performs some basic tests
on the sandbox filesystem:
.TP
\fB1. Virtual directories
jailcheck extracts a list with the main virtual directories installed by the sandbox.
These directories are build by firejail at startup using --private* and --whitelist commands.
.TP
\fB2. Noexec test
jailcheck inserts executable programs in /home/username, /tmp, and /var/tmp directories
and tries to run them from inside the sandbox, thus testing if the directory is executable or not.
.TP
\fB3. Read access test
jailcheck creates test files in the directories specified by the user and tries to read
them from inside the sandbox.
.TP
\fB4. AppArmor test
.TP
\fB5. Seccomp test
.TP
\fB6. Networking test
.TP
The program is started as root using sudo.
.SH OPTIONS
.TP
\fB\-\-debug
Print debug messages.
.TP
\fB\-?\fR, \fB\-\-help\fR
Print options and exit.
.TP
\fB\-\-version
Print program version and exit.
.TP
\fB[directory]
One or more directories in user home to test for read access. ~/.ssh and ~/.gnupg are tested by default.
.SH OUTPUT
For each sandbox detected we print the following line:
PID:USER:Sandbox Name:Command
It is followed by relevant sandbox information, such as the virtual directories and various warnings.
.SH EXAMPLE
$ sudo jailcheck
.br
2014:netblue::firejail /usr/bin/gimp
.br
Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
.br
Warning: I can run programs in /home/netblue
.br
Networking: disabled
.br
.br
2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
.br
Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
.br
Warning: I can read ~/.ssh
.br
Networking: enabled
.br
.br
2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
.br
Virtual dirs: /tmp, /var/tmp, /dev,
.br
Networking: enabled
.br
.br
26090:netblue::/usr/bin/firejail /opt/firefox/firefox
.br
Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
.br
/run/user/1000,
.br
Networking: enabled
.br
.br
26160:netblue:tor:firejail --private=~/tor-browser_en-US ./start-tor
.br
Warning: AppArmor not enabled
.br
Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /bin,
.br
/usr/share, /run/user/1000,
.br
Warning: I can run programs in /home/netblue
.br
Networking: enabled
.br
.SH LICENSE
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
.PP
Homepage: https://firejail.wordpress.com
.SH SEE ALSO
.BR firejail (1),
.BR firemon (1),
.BR firecfg (1),
.BR firejail-profile (5),
.BR firejail-login (5),
.BR firejail-users (5),
|
