mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
61 lines
1.5 KiB
Text
61 lines
1.5 KiB
Text
Firejail Feature Testing
|
|
|
|
N - normal user filesystem
|
|
O - overlay filesystem
|
|
C - chroot filesystem
|
|
|
|
|
|
|
|
1. Default features (tesing with --noprofile)
|
|
|
|
1.1 disable /boot
|
|
1.2 new /proc
|
|
1.3 new /sys
|
|
- N, O fails remount, C fails remount
|
|
|
|
1.4 mask other users
|
|
- home directory: N, O, C
|
|
- /etc/passwd: N, O, C to test
|
|
- /etc/group: N, O, C to test
|
|
|
|
1.5 PID namespace
|
|
1.6 new /var/log
|
|
1.7 new /var/tmp
|
|
1.8 disable firejail config and run time information
|
|
1.9 mount namespace
|
|
1.10 disable /selinux
|
|
|
|
|
|
2. Networking features
|
|
|
|
2.1 Hostname (use --hostname=newhostname, do a ping and cat /etc/hostname)
|
|
- ping disabled for C by default seccomp filter, use "getent hosts bingo"
|
|
|
|
2.2 DNS (use --dns=4.2.2.1, use "dig google.com")
|
|
2.3 mac-vlan (use --net=eth0 and --noprofile; run ifconfig and dig google.com)
|
|
2.4 bridge (use --net=br0 and --noprofile; run ifconfig, netstat -rn, ping default gw)
|
|
- ping disabled for C by default seccomp filter - transfer test not implemented for C
|
|
2.5 interface
|
|
2.6 Default gw (--noprofile --net=eth0 --defaultgw=192.168.1.10, run netstat -rn)
|
|
|
|
|
|
3. Filesystem features (use --noprofile)
|
|
|
|
3.1 private
|
|
3.2 read-only
|
|
3.3 blacklist
|
|
3.4 whitelist home
|
|
- N braking on Fedora
|
|
3.5 private-dev
|
|
- O, C - somehow /dev/log is missing
|
|
- N - problems on Debian wheezy 32-bit, Fedora
|
|
3.6 private-etc
|
|
- O not working - todo
|
|
3.7 private-tmp
|
|
3.8 private-bin
|
|
- O, C not working - todo
|
|
3.9 whitelist dev
|
|
- N not working on Debian wheezy (32-bit and 64-bit) - todo
|
|
3.10 whitelist tmp
|
|
- O not working on Arch Linux - todo
|
|
3.11 mkdir
|