path: root/todo
blob: 86917e6cdc795d927f711a2827d5c423789e7928 (plain) (blame)
1. Disable /dev/tcp in bash. Compile time: --enable-net-redirections, --disable-net-redirections
ksh and zsh seem to have it.

Tests:
a)
cat </dev/tcp/time.nist.gov/13

b)
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3

c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
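Added check for item 1 (not firejail code): tell from bash's own error text whether a given bash binary, e.g. the one inside a sandbox, was built with net redirections, so a --disable-net-redirections build can be confirmed. Assumes nothing listens on loopback port 9 and that the `bash` argument is on PATH.

```python
import subprocess

# Assumed closed port on loopback; a refused connect is enough to tell the two
# bash builds apart, no listener is needed.
PROBE_PATH = "/dev/tcp/127.0.0.1/9"

def classify_dev_tcp_stderr(stderr):
    """Map bash's error text for `exec 3<>/dev/tcp/...` to a verdict.

    A bash built with --enable-net-redirections calls socket()/connect() and
    reports that error ("bash: connect: ..."); one built with
    --disable-net-redirections treats the path as an ordinary file, which
    does not exist under /dev on a normal system.
    """
    if "No such file or directory" in stderr:
        return "disabled"
    if "connect:" in stderr or "socket:" in stderr:
        # Any socket-level error (refused, unreachable, not permitted)
        # still proves the builtin is compiled in.
        return "enabled"
    return "unknown"

def probe_bash(bash="bash"):
    """Run the probe with the given bash binary and classify the result."""
    try:
        proc = subprocess.run([bash, "-c", "exec 3<>%s" % PROBE_PATH],
                              capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    if proc.returncode == 0:
        # The connect succeeded, so the redirection is clearly available.
        return "enabled"
    return classify_dev_tcp_stderr(proc.stderr)
```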

2. SELinux integration

Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
"desktops are notoriously difficult to use a mandatory access control system on"

3. abstract unix socket bridge, example for ibus:

before the sandbox is started
socat UNIX-LISTEN:/tmp/mysock,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
in sandbox
socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock

5. add support for --ip, --iprange, --mac and --mtu for --interface option

6. --shutdown does not clear sandboxes started with --join

7. profile for okular

8. profile for dillo
Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active.
This is probably a dillo problem.

9. --force sandbox in an overlayfs sandbox

$ sudo firejail --overlay
# su netblue
$ xterm &
$ firejail --force --private
Parent pid 77, child pid 78
Warning: failed to unmount /sys

Warning: cannot mount a new user namespace, going forward without it...
Child process initialized

Try to join the forced sandbox in xterm window:
$ firejail --join=77
Switching to pid 78, the first child process inside the sandbox
Warning: seccomp file not found
Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
$ ls ~ <----------------- all files are available, the directory is not empty!

10. Possibly capabilities broken for --join

$ firejail --name=test
...
$ firejail --debug --join=test
Switching to pid 18591, the first child process inside the sandbox
User namespace detected: /proc/18591/uid_map, 1000, 1000
Set caps filter 0
Set protocol filter: unix,inet,inet6
Read seccomp filter, size 792 bytes

However, in the join sandbox we have:
$ cat /proc/self/status | grep Cap
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000

11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
Seccomp lists:
https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl

12. check for --chroot why .config/pulse dir is not created

13. print error line number for profile files in  profile_check_line()

14. make rpms problems
$ firejail --version
firejail version 0.9.40
User namespace support is disabled.

$ rpmlint firejail-0.9.40-1.x86_64.rpm 
firejail.x86_64: E: no-changelogname-tag
firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so
firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so
firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so
firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile
firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi

$ rpmlint firejail-0.9.40-1.src.rpm
firejail.src: E: no-changelogname-tag
firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
1 packages and 0 specfiles checked; 1 errors, 1 warnings.

15. bug: capabilities declared on the command line take precedence over caps declared in profiles

$ firejail  --caps.keep=chown,net_bind_service src/faudit/faudit
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 6872, child pid 6873

Child process initialized

----- Firejail Audit: the Good, the Bad and the Ugly -----

GOOD: Process PID 2, running in a PID namespace
Container/sandbox: firejail
GOOD: all capabilities are disabled


Parent is shutting down, bye...
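Added check for items 10 and 15 (not firejail code): decode the Cap* lines of /proc/<pid>/status and compare CapBnd with what a --caps.keep list should leave behind, so a filter that did not apply (as in the --join case above) shows up as a list of leftover capabilities. Capability bit numbers are the kernel's; the sample status text is the one quoted in item 10.

```python
import re

# Linux capability bit numbers from include/uapi/linux/capability.h
# (index = bit); 38 entries, matching the CapBnd 0x3fffffffff seen in item 10.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapBnd': int, ...} from /proc/<pid>/status text."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$",
                                 status_text, re.M)}

def mask_to_names(mask):
    """Expand a capability bitmask into capability names, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names

def keep_list_to_mask(keep):
    """Bounding-set mask that a --caps.keep=a,b,c filter should leave behind."""
    mask = 0
    for name in keep.split(","):
        mask |= 1 << CAP_NAMES.index(name.strip().lower())
    return mask

def unexpected_caps(status_text, keep):
    """Capabilities still in CapBnd although the --caps.keep filter should have dropped them."""
    bnd = parse_cap_sets(status_text).get("CapBnd", 0)
    return mask_to_names(bnd & ~keep_list_to_mask(keep))

# Constructed sample: the Cap lines the --join sandbox reported in item 10.
JOINED_STATUS = (
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
```

Run it against `open("/proc/self/status").read()` inside the joined sandbox; an empty result from unexpected_caps() means the bounding set matches the filter.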

16. Sound devices:
/dev/snd

    /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4
    /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3
    /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12
    /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20
    /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19
    /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28
    /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36
    /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35
    /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44

17. test 3d acceleration

$ lspci -nn | grep VGA

# apt-get install mesa-utils

$ glxinfo  | grep rendering

The output should be:

direct rendering: Yes
	
$ glxinfo | grep "renderer string"

OpenGL renderer string: Gallium 0.4 on AMD KAVERI


glxgears stuck to 60fps may be due to VSync signal synchronization.
To disable Vsync

$ vblank_mode=0 glxgears

19. testing snaps

Install firejail from official repository
sudo apt-get install firejail

Check firejail version
firejail --version

Above command outputs: firejail version 0.9.38

Search the snap 'ubuntu clock' application
sudo snap find ubuntu-clock-app

Install 'ubuntu clock' application using snap
sudo snap install ubuntu-clock-app

Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
cd /snap/bin/
ls -l

Note: the application name is ubuntu-clock-app.clock

Run application
/snap/bin/ubuntu-clock-app.clock

Note: the application starts up without a problem and the clock is displayed.

Close application using mouse.

Now try to firejail the application.
firejail /snap/bin/ubuntu-clock-app.clock

-------- Error message --------
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 3770, child pid 3771

Child process initialized
need to run as root or suid

parent is shutting down, bye...
-------- End of Error message --------

Try running as root as message instructs.
sudo firejail /snap/bin/ubuntu-clock-app.clock

extract env for process
ps e -p <pid> | sed 's/ /\n/g' 


20. check default disable - from grsecurity

GRKERNSEC_HIDESYM
/proc/kallsyms and other files

GRKERNSEC_PROC_USER
If you say Y here, non-root users will only be able to view their own
processes, and restricts them from viewing network-related information,
and viewing kernel symbol and module information.

GRKERNSEC_PROC_ADD
If you say Y here, additional restrictions will be placed on
/proc that keep normal users from viewing device information and 
slabinfo information that could be useful for exploits.

21. Core Infrastructure Initiative (CII) Best Practices

Proposal

Someone closely involved with the project could go through the criteria and keep them up-to-date.
References

    https://bestpractices.coreinfrastructure.org
    https://twit.tv/shows/floss-weekly/episodes/389

22. add support for read-write and noexec to Firetools

23. AppArmor

$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify
$ sudo apt-get install libapparmor-dev

$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
$ sudo update-grub
$ sudo reboot

If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message.
$ sudo aa-notify -p -f /var/log/audit/audit.log

$ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail
firejail-default (enforce)

24. check monitor proc behaviour for sandboxes with --blacklist=/proc
also check --apparmor in this case

25. fix firemon and firetools on systems with hidepid=2

sudo mount -o remount,rw,hidepid=2 /proc

26. mupdf profile

27. LUKS 

dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in the
Linux kernel (2.6 and later) and in DragonFly BSD. It can encrypt whole disks,
removable media, partitions, software RAID volumes, logical volumes, and files.

28. Merge --dbus=none from https://github.com/Sidnioulz/firejail

  // block dbus session bus the hard way if necessary
  // (cfg.dbus, errExit() and fs_blacklist_file() are firejail internals;
  // the session bus socket lives at /run/user/<uid>/bus)
  if (cfg.dbus == 0) {
      char *dbus_path;
      if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1)
          errExit("asprintf");
      fs_blacklist_file(dbus_path);
      free(dbus_path);
  }

29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*

30.
$ sudo firejail --fs.print=test
[sudo] password for netblue: 
tmpfs /run/firejail/mnt			<< ????????????????
sandbox name: test
sandbox pid: 5790
sandbox filesystem: local
install mount namespace
read-only /etc
read-only /var
read-only /bin

31. --private and --allusers are colliding

32. machine-id defined in rfc4122