1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
Firejail Feature Testing
N - normal user filesystem
O - overlay filesystem
C - chroot filesystem
1. Default features (tesing with --noprofile)
1.1 disable /boot
- N, O, C
1.2 new /proc
- N, O, C
1.3 new /sys
- N, O fails remount, C fails remount
1.4 mask other users
- home directory: N, O, C
- /etc/passwd: N, O, C to test
- /etc/group: N, O, C to test
1.5 PID namespace
- N, O, C
1.6 new /var/log
- N, O, C
1.7 new /var/tmp
-N, O, C
1.8 disable /etc/firejail and ~/.config/firejail
-N, O, C
1.9 mount namespace
1.10 disable /selinux
- N, O, C
2. Networking features
2.1 Hostname (use --hostname=newhostname, do a ping and cat /etc/hostname)
- N, O, C
- ping disabled for C by default seccomp filter, use "getent hosts bingo"
2.2 DNS (use --dns=4.2.2.1, use "dig google.com")
- N, O, C
2.3 mac-vlan (use --net=eth0 and --noprofile; run ifconfig and dig google.com)
- N, O, C
- test --ip: N, O, C
2.4 bridge (use --net=br0 and --noprofile; run ifconfig, netstat -rn, ping default gw)
- N, O, C
- ping disabled for C by default seccomp filter - transfer test not implemented for C
- test --ip: N, O, C
2.5 interface
- N, O, C
2.6 Default gw (--noprofile --net=eth0 --defaultgw=192.168.1.10, run netstat -rn)
- N, O, C
3. Filesystem features (use --noprofile)
3.1 private
3.2 read-only
3.3 blacklist
3.4 whitelist home
|