1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
ksh and zsh seem to have it.
Tests:
a)
cat </dev/tcp/time.nist.gov/13
b)
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3
c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
2. SELinux integration
Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
"desktops are notoriously difficult to use a mandatory access control system on"
3. abstract unix socket bridge, example for ibus:
before the sandbox is started
socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
in sandbox
socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
5. add support for --ip, --iprange, --mac and --mtu for --interface option
6. --shutdown does not clear sandboxes started with --join
7. profile for okular
8. profile for dillo
Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active.
This is probably a dillo problem.
9. --force sandbox in a overlayfs sandbox
$ sudo firejail --overlay
# su netblue
$ xterm &
$ firejail --force --private
Parent pid 77, child pid 78
Warning: failed to unmount /sys
Warning: cannot mount a new user namespace, going forward without it...
Child process initialized
Try to join the forced sandbox in xterm window:
$ firejail --join=77
Switching to pid 78, the first child process inside the sandbox
Warning: seccomp file not found
Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
$ ls ~ <----------------- all files are available, the directory is not empty!
10. Posibly capabilities broken for --join
$ firejail --name=test
...
$ firejail --debug --join=test
Switching to pid 18591, the first child process inside the sandbox
User namespace detected: /proc/18591/uid_map, 1000, 1000
Set caps filter 0
Set protocol filter: unix,inet,inet6
Read seccomp filter, size 792 bytes
However, in the join sandbox we have:
$ cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
Seccomp lists:
https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
12. check for --chroot why .config/pulse dir is not created
13. print error line number for profile files in profile_check_line()
|
