path: root/todo
blob: 863a34fe45d4198f214b597117b92b9123b1da66
1. Getting "Warning: failed to unmount /sys" on --chroot and --overlay

2. Startup warnings on Arch Linux:

(all fine here)
$ ./firejail
Parent pid 2495, child pid 2496
Child process initialized
$

(warnings)
$ ./firejail --overlay
Parent pid 2500, child pid 2501
OverlayFS configured in /home/ablive/.firejail/2500 directory
Warning: /var/lock not mounted
Warning: cannot find /var/run/utmp
Warning: failed to unmount /sys
Child process initialized
$ 

(warnings)
$ ./firejail --chroot=/media/mylinux
Parent pid 2503, child pid 2504
Warning: cannot find /var/run/utmp
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Child process initialized
$

5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
RSS readers: Liferea, Akregator (KDE), newsbeuter (CLI), rawdog

6. Tests not working on Arch:
profile_syntax.exp (profile syntax)
fs_chroot.exp (chroot as user)
private-etc.exp

7. Disable /dev/tcp in bash. Compile-time options: --enable-net-redirections, --disable-net-redirections.
ksh and zsh seem to have it as well.

Tests:
a)
cat </dev/tcp/time.nist.gov/13

b)
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3

c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
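
Added here as a check for item 7 (not part of the firejail todo or the firejail code): a POSIX shell function that reports whether a given bash binary was built with net redirections, by asking it to open /dev/tcp against 127.0.0.1 on a port assumed to have no listener (port 1 is a constructed probe value). A bash without the feature fails with ENOENT on the path; one with it reaches socket()/connect() and fails there instead, so the error text tells the two apart without any real traffic.

```shell
# Report whether BASH_BIN (default: bash on PATH) honours /dev/tcp/HOST/PORT
# redirections, i.e. was built with --enable-net-redirections.
# Prints one of: enabled, disabled, unknown. Written for bash's error
# messages; other shells fall through to "unknown".
# The probe targets 127.0.0.1 only and sends no data; PROBE_PORT defaults
# to port 1, assumed (constructed assumption) to have nothing listening.
bash_net_redirections() {
    bash_bin="${1:-bash}"
    probe_port="${2:-1}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo unknown
        return 1
    fi
    # Run the redirection in a child bash; '|| true' keeps a caller's
    # set -e from aborting on the expected failure.
    err=$("$bash_bin" -c "exec 3<>/dev/tcp/127.0.0.1/$probe_port" 2>&1) || true
    case "$err" in
        "")
            # The open succeeded: something answered on the probe port,
            # which is only possible if /dev/tcp is a real socket.
            echo enabled ;;
        *"No such file or directory"*)
            # bash treated /dev/tcp/... as an ordinary path: feature disabled.
            echo disabled ;;
        *connect:*|*socket:*)
            # bash reached a socket syscall (refused, unreachable, blocked
            # by seccomp, ...): the feature is compiled in.
            echo enabled ;;
        *)
            echo unknown ;;
    esac
}
```

Run it from inside a firejail shell as well as outside to confirm the sandboxed bash behaves the same way as the host one.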

8. SELinux

Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
"desktops are notoriously difficult to use a mandatory access control system on"

9. blacklist .muttrc, contains passwords in clear text

10. abstract unix socket bridge, example for ibus:

before the sandbox is started
socat UNIX-LISTEN:/tmp/mysock,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &

in sandbox
socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock

11. autotest for config options:

./configure --enable-fatal-warnings --prefix=/usr
./configure --enable-fatal-warnings --disable-seccomp --prefix=/usr
./configure --enable-fatal-warnings --disable-chroot --prefix=/usr
./configure --enable-fatal-warnings --disable-bind --prefix=/usr

12. do not allow symlinks for --bind

13. While using --net=eth0 assign the name of the interface inside the sandbox as eth0

14. check that --chroot refuses symlinks

15. do not attempt to mount /sys if unmount fails

$ firejail --noprofile --chroot=/tmp/chroot
Parent pid 13915, child pid 13916
Warning: cannot mount tmpfs on top of /var/log
Warning: cannot find /var/run/utmp
Warning: cannot find home directory
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Warning: failed to mount /sys
Warning: cannot disable /sys/firmware directory
Warning: cannot disable /sys/hypervisor directory
Warning: cannot disable /sys/fs directory
Warning: cannot disable /sys/module directory
Warning: cannot disable /sys/power directory
Child process initialized

16. add support for --ip, --iprange, --mac and --mtu for --interface option

17. private-home clashing with blacklist
$ firejail --private-home=.mozilla
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 8193, child pid 8194
/run/firejail/mnt/cp: cannot access `/home/netblue/.mozilla': Permission denied
Error system cp -a --parents:duplicate(381): No such file or directory
Child process initialized
$ ls -la
total 4
drwx------ 3 test  test   100 Nov 25 07:59 .
drwxr-xr-x 3 65534 65534   60 Nov 25 07:59 ..
-rw-r--r-- 1 test  test  3392 Nov 25 07:59 .bashrc
dr-x------ 2 65534 65534   40 Nov 24 17:53 .mozilla
-rw------- 1 test  test     0 Nov 25 07:59 .Xauthority

18. whitelist clashing with blacklist
$ firejail --whitelist=~/.mozilla
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 9440, child pid 9441
Child process initialized
$ ls -al
total 8
drwx------ 3 netblue netblue  100 Nov 25 08:09 .
drwxr-xr-x 3   65534   65534   60 Nov 25 08:09 ..
-rw-r--r-- 1 netblue netblue 3392 Nov 25 08:09 .bashrc
dr-x------ 2   65534   65534   40 Nov 24 17:53 .mozilla
-rw------- 1 netblue netblue   51 Nov 25 08:09 .Xauthority


19. Try --overlay on Ubuntu 14.04 32-bit. Without adding --dns there is no network connectivity; see issue 151.

20. Check this out:

I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted in read-only.
Here's what my fstab looks like now:

/dev/mapper/asdf-home /home ext4 nosuid,noatime,nodev 0 2
/dev/mapper/asdf-opt /opt ext4 discard,noatime,nosuid 0 2
/dev/mapper/asdf-usr--bin /usr/bin ext4 defaults,nosuid,noatime,rw 0 2
/dev/mapper/asdf-usr--local /usr/local ext4 defaults,nosuid,noatime,ro 0 2
/dev/mapper/asdf-usr--sbin /usr/sbin ext4 defaults,nosuid,noatime,ro 0 2
/dev/mapper/asdf-var /var ext4 discard,noatime,nodev,nosuid 0 2
tmpfs /tmp tmpfs noatime,nosuid,nodev,size=2G 0 1