path: root/todo
blob: 0a76cd85096d7e2acf32667eb3ef059319e43d17
1. Disable /dev/tcp in bash. Compile-time options: --enable-net-redirections, --disable-net-redirections
ksh and zsh seem to have it.

Tests:
a)
cat </dev/tcp/time.nist.gov/13

b)
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3

c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

2. SELinux integration

Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
"desktops are notoriously difficult to use a mandatory access control system on"

3. abstract unix socket bridge, example for ibus:

before the sandbox is started
socat UNIX-LISTEN:/tmp/mysock,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
in sandbox
socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
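The socat pair above works because abstract Unix sockets (names starting with a NUL byte) belong to a network namespace, while a socket on a filesystem path can be bind-mounted into the sandbox. The following Python bridge is an added example, not firejail's code and not a replacement for socat: it accepts on one address and forwards each connection to the other, with either side being a filesystem path (str) or an abstract name (bytes). The abstract name and the echo server standing in for ibus are constructed for the demo.

```python
# Added example (not firejail's code): a Python stand-in for the socat pair in
# item 3.  Abstract Unix sockets (names beginning with a NUL byte) belong to a
# network namespace, so a sandbox with its own network namespace cannot reach
# the host's ibus/dbus socket directly; a bridge on a filesystem path can be
# bind-mounted into the sandbox instead.  Socket names below are constructed.
import os
import selectors
import socket
import tempfile
import threading


def _pump(a, b):
    """Copy bytes in both directions until either side closes."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, data=b)   # data = peer socket
    sel.register(b, selectors.EVENT_READ, data=a)
    try:
        while True:
            for key, _ in sel.select():
                chunk = key.fileobj.recv(65536)
                if not chunk:          # EOF on one side: tear down both
                    return
                key.data.sendall(chunk)
    finally:
        sel.close()
        a.close()
        b.close()


class Bridge:
    """Accept on listen_addr and forward each connection to connect_addr.

    An address is a str (filesystem path, like socat UNIX-LISTEN/UNIX-CONNECT)
    or bytes starting with a NUL byte (abstract, like ABSTRACT-LISTEN/CONNECT).
    """

    def __init__(self, listen_addr, connect_addr):
        self.listen_addr = listen_addr
        self.connect_addr = connect_addr
        if isinstance(listen_addr, str) and os.path.exists(listen_addr):
            os.unlink(listen_addr)
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(listen_addr)
        self.srv.listen(8)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.srv.accept()
            except OSError:            # listener closed by close()
                return
            upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            upstream.connect(self.connect_addr)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()

    def close(self):
        self.srv.close()
        if isinstance(self.listen_addr, str) and os.path.exists(self.listen_addr):
            os.unlink(self.listen_addr)


def _echo_server(addr, ready):
    """Stands in for the daemon (ibus) listening on the abstract socket."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(addr)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    while True:
        chunk = conn.recv(65536)
        if not chunk:
            break
        conn.sendall(chunk)
    conn.close()
    srv.close()


def demo():
    """Host side of item 3: filesystem path -> abstract socket.  Returns the echo."""
    abstract = b"\0dbus-demo-" + str(os.getpid()).encode()   # constructed name
    path = os.path.join(tempfile.mkdtemp(), "mysock")
    ready = threading.Event()
    threading.Thread(target=_echo_server, args=(abstract, ready), daemon=True).start()
    ready.wait(5)
    bridge = Bridge(path, abstract)       # sandbox side would be Bridge(abstract, path)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(path)
    client.sendall(b"hello via bridge")
    reply = client.recv(65536)
    client.close()
    bridge.close()
    return reply


if __name__ == "__main__":
    print(demo())
```

Bridge(path, abstract) is the host-side socat line; the in-sandbox line corresponds to Bridge(abstract, path). Anything reachable over the bridged path is reachable from inside the sandbox, so the path should only be exposed to sandboxes that need that daemon.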

5. add support for --ip, --iprange, --mac and --mtu for --interface option

6. --shutdown does not clear sandboxes started with --join

7. profile for okular

8. profile for dillo
Also, if dillo opens a directory (file:///etc), the sandbox remains active after the browser window is closed.
This is probably a dillo problem.

9. --force sandbox in an overlayfs sandbox

$ sudo firejail --overlay
# su netblue
$ xterm &
$ firejail --force --private
Parent pid 77, child pid 78
Warning: failed to unmount /sys

Warning: cannot mount a new user namespace, going forward without it...
Child process initialized

Try to join the forced sandbox in xterm window:
$ firejail --join=77
Switching to pid 78, the first child process inside the sandbox
Warning: seccomp file not found
Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
$ ls ~ <----------------- all files are available, the directory is not empty!

10. Possibly capabilities broken for --join

$ firejail --name=test
...
$ firejail --debug --join=test
Switching to pid 18591, the first child process inside the sandbox
User namespace detected: /proc/18591/uid_map, 1000, 1000
Set caps filter 0
Set protocol filter: unix,inet,inet6
Read seccomp filter, size 792 bytes

However, in the join sandbox we have:
$ cat /proc/self/status | grep Cap
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000003fffffffff
CapAmb:	0000000000000000

11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
Seccomp lists:
https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl

12. check for --chroot why .config/pulse dir is not created

13. print error line number for profile files in profile_check_line()

14. make rpms problems
$ firejail --version
firejail version 0.9.40
User namespace support is disabled.

$ rpmlint firejail-0.9.40-1.x86_64.rpm 
firejail.x86_64: E: no-changelogname-tag
firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so
firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so
firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so
firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile
firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi

$ rpmlint firejail-0.9.40-1.src.rpm
firejail.src: E: no-changelogname-tag
firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
1 packages and 0 specfiles checked; 1 errors, 1 warnings.

15. bug: capabilities declared on the command line take precedence over caps declared in profiles

$ firejail  --caps.keep=chown,net_bind_service src/faudit/faudit
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 6872, child pid 6873

Child process initialized

----- Firejail Audit: the Good, the Bad and the Ugly -----

GOOD: Process PID 2, running in a PID namespace
Container/sandbox: firejail
GOOD: all capabilities are disabled


Parent is shutting down, bye...
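Both item 10 (reading the Cap* lines of /proc/self/status in a joined sandbox) and item 15 (checking what --caps.keep actually left in place) come down to decoding the hex masks. The script below is an added example, not firejail or faudit code: it parses the status text, names the bits using the linux/capability.h numbering (CAP_CHOWN = 0 up to CAP_AUDIT_READ = 37, which is exactly the 38-bit CapBnd value 0x3fffffffff shown in item 10), and reports which capabilities from a keep list are missing or unexpectedly present. SAMPLE_STATUS is constructed from the item 10 output.

```python
# Added example (not firejail's code): decode the Cap* masks that
# /proc/<pid>/status prints (item 10) and check them against a --caps.keep
# list (item 15).  Capability numbering follows linux/capability.h, CAP_CHOWN=0
# through CAP_AUDIT_READ=37; the status text below is constructed from item 10.

CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

SAMPLE_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""


def parse_cap_status(text):
    """Return {"CapInh": int, "CapPrm": int, ...} from /proc/<pid>/status text."""
    masks = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            masks[key] = int(value.strip(), 16)
    return masks


def decode_mask(mask):
    """Names of the capabilities set in a mask; bits past the table become cap_N."""
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def keep_mask(names):
    """Mask equivalent to --caps.keep=name1,name2 (raises ValueError on unknown names)."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name.strip().lower())
    return mask


def audit(status_text, keep):
    """Compare the effective set against a --caps.keep list.

    Returns (missing, unexpected): capabilities the keep list asked for that
    are not effective, and effective capabilities the keep list did not allow.
    """
    eff = parse_cap_status(status_text)["CapEff"]
    want = keep_mask(keep)
    missing = decode_mask(want & ~eff)
    unexpected = decode_mask(eff & ~want)
    return missing, unexpected


def read_self_status():
    """Live check of the current process, inside or outside a sandbox."""
    with open("/proc/self/status") as f:
        return parse_cap_status(f.read())


if __name__ == "__main__":
    bnd = parse_cap_status(SAMPLE_STATUS)["CapBnd"]
    print("bounding set from item 10:", decode_mask(bnd))
    # item 15: --caps.keep=chown,net_bind_service ended with CapEff == 0
    print("item 15 audit (missing, unexpected):",
          audit(SAMPLE_STATUS, ["chown", "net_bind_service"]))
```

Run inside a joined sandbox, read_self_status() gives the live masks; audit() on that text against the --caps.keep list tells you whether the join applied the filter or silently dropped everything, which is the symptom both items describe.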

16. Sound devices:
/dev/snd

    /dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4
    /dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3
    /dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12
    /dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20
    /dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19
    /dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28
    /dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36
    /dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35
    /dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44

17. test 3d acceleration

$ lspci -nn | grep VGA

# apt-get install mesa-utils

$ glxinfo  | grep rendering

The output should be:

direct rendering: Yes

$ glxinfo | grep "renderer string"

OpenGL renderer string: Gallium 0.4 on AMD KAVERI

glxgears stuck at 60 fps may be due to VSync synchronization.
To disable VSync:

$ vblank_mode=0 glxgears

18. Add nosound in all profiles with private-dev (including server.profile)
test hedgewars!

19. new syscalls:
create_module
name_to_handle_at
ioprio_set

???
146	- sched_get_priority_max
147	- sched_get_priority_min
204	- sched_getaffinity
315	- sched_getattr
143	- sched_getparam
145	- sched_getscheduler
148	- sched_rr_get_interval
203	- sched_setaffinity
314	- sched_setattr
142	- sched_setparam
144	- sched_setscheduler
24	- sched_yield
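Item 11 points at the kernel's syscall_64.tbl / syscall_32.tbl, and item 19 lists syscall names with their x86_64 numbers; a seccomp filter matches on numbers, so turning a name list into numbers is the first step of building a drop list. The parser below is an added example, not firejail's code, for the tbl format (number, abi, name, optional entry point). SAMPLE_TBL is a constructed excerpt; the numbers in it are the real x86_64 ones and agree with the list in item 19. It skips x32 entries by default because their numbers (512 and up) only apply to the x32 ABI.

```python
# Added example (not firejail's code): resolve the syscall names in item 19 to
# x86_64 numbers using the kernel's syscall_64.tbl format linked in item 11.
# SAMPLE_TBL is a constructed excerpt; the numbers copied into it are the real
# x86_64 ones.  A seccomp filter compares numbers, not names, so this is the
# lookup a blocklist builder has to do.

SAMPLE_TBL = """\
# <number> <abi> <name> <entry point>
24\tcommon\tsched_yield\t\tsys_sched_yield
142\tcommon\tsched_setparam\t\tsys_sched_setparam
143\tcommon\tsched_getparam\t\tsys_sched_getparam
144\tcommon\tsched_setscheduler\tsys_sched_setscheduler
145\tcommon\tsched_getscheduler\tsys_sched_getscheduler
146\tcommon\tsched_get_priority_max\tsys_sched_get_priority_max
147\tcommon\tsched_get_priority_min\tsys_sched_get_priority_min
148\tcommon\tsched_rr_get_interval\tsys_sched_rr_get_interval
174\t64\tcreate_module
203\tcommon\tsched_setaffinity\tsys_sched_setaffinity
204\tcommon\tsched_getaffinity\tsys_sched_getaffinity
251\tcommon\tioprio_set\t\tsys_ioprio_set
303\tcommon\tname_to_handle_at\tsys_name_to_handle_at
314\tcommon\tsched_setattr\t\tsys_sched_setattr
315\tcommon\tsched_getattr\t\tsys_sched_getattr
512\tx32\trt_sigaction\t\tcompat_sys_rt_sigaction
"""


def parse_syscall_tbl(text, abis=("common", "64")):
    """Map syscall name -> number for the given ABIs.

    Lines are "<number> <abi> <name> [<entry point>]"; '#' starts a comment.
    Entries without an entry point (create_module above) are still numbered,
    so they are kept: the kernel reserves the slot and returns ENOSYS.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        number, abi, name = int(fields[0]), fields[1], fields[2]
        if abi in abis:
            table[name] = number
    return table


def resolve(names, table):
    """Return ({name: number} for known names, [unknown names])."""
    found, unknown = {}, []
    for name in names:
        if name in table:
            found[name] = table[name]
        else:
            unknown.append(name)
    return found, unknown


if __name__ == "__main__":
    table = parse_syscall_tbl(SAMPLE_TBL)
    # the three "new syscalls" from item 19 plus one deliberate typo
    found, unknown = resolve(["create_module", "name_to_handle_at", "ioprio_set", "sched_getatr"], table)
    print("resolved:", found)
    print("unknown (would be silently ignored by a name-based list):", unknown)
```

The unknown list matters in practice: a misspelled name in a drop list does not fail loudly on its own, it just leaves that syscall unfiltered, so a builder should reject or report unknown names rather than skip them.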