mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-21 06:45:29 -06:00
157 lines
5.2 KiB
Text
1. Getting "Warning: failed to unmount /sys" on --chroot and --overlay

2. Startup warnings on Arch Linux:

(all fine here)
$ ./firejail
Parent pid 2495, child pid 2496
Child process initialized
$

(warnings)
$ ./firejail --overlay
Parent pid 2500, child pid 2501
OverlayFS configured in /home/ablive/.firejail/2500 directory
Warning: /var/lock not mounted
Warning: cannot find /var/run/utmp
Warning: failed to unmount /sys
Child process initialized
$

(warnings)
$ ./firejail --chroot=/media/mylinux
Parent pid 2503, child pid 2504
Warning: cannot find /var/run/utmp
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Child process initialized
$

5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog,

6. Tests not working on Arch:
profile_syntax.exp (profile syntax)
fs_chroot.exp (chroot as user)
private-etc.exp

7. Disable /dev/tcp in bash. Compile-time options: --enable-net-redirections, --disable-net-redirections
ksh and zsh seem to have it.
Note: /dev/tcp is not a real path. bash recognises the name in the redirection and calls socket()/connect() itself, so blacklisting /dev/tcp on the filesystem does nothing; only the sandbox network namespace (--net=none) or a seccomp filter on socket() stops it.

Tests:
a)
cat </dev/tcp/time.nist.gov/13

b)
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3

c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

8. SELinux

Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
"desktops are notoriously difficult to use a mandatory access control system on"

9. blacklist .muttrc: it can contain passwords in clear text

10. abstract unix socket bridge, example for ibus:

Abstract unix sockets belong to the network namespace, so a sandbox running with its own --net stack cannot reach the host's ibus socket. A filesystem socket can be shared, so bridge the two with socat (the path must be visible inside the sandbox).

before the sandbox is started (on the host)
socat UNIX-LISTEN:/tmp/mysock,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &

in sandbox
socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock

11. autotest for config options:

./configure --enable-fatal-warnings --prefix=/usr
./configure --enable-fatal-warnings --disable-seccomp --prefix=/usr
./configure --enable-fatal-warnings --disable-chroot --prefix=/usr
./configure --enable-fatal-warnings --disable-bind --prefix=/usr

12. do not allow symlinks for --bind

13. when --net=eth0 is used, name the interface inside the sandbox eth0 as well

14. check that --chroot rejects a symlink as the chroot directory

15. do not attempt to mount /sys if unmount fails (otherwise the mount and every /sys/... disable step fail in turn):

$ firejail --noprofile --chroot=/tmp/chroot
Parent pid 13915, child pid 13916
Warning: cannot mount tmpfs on top of /var/log
Warning: cannot find /var/run/utmp
Warning: cannot find home directory
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Warning: failed to mount /sys
Warning: cannot disable /sys/firmware directory
Warning: cannot disable /sys/hypervisor directory
Warning: cannot disable /sys/fs directory
Warning: cannot disable /sys/module directory
Warning: cannot disable /sys/power directory
Child process initialized

16. add support for --ip, --iprange, --mac and --mtu for --interface option

17. private-home clashing with blacklist
$ firejail --private-home=.mozilla
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 8193, child pid 8194
/run/firejail/mnt/cp: cannot access `/home/netblue/.mozilla': Permission denied
Error system cp -a --parents:duplicate(381): No such file or directory
Child process initialized
$ ls -la
total 4
drwx------ 3 test test 100 Nov 25 07:59 .
drwxr-xr-x 3 65534 65534 60 Nov 25 07:59 ..
-rw-r--r-- 1 test test 3392 Nov 25 07:59 .bashrc
dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla
-rw------- 1 test test 0 Nov 25 07:59 .Xauthority

The copy fails because the blacklist from the included disable-*.inc files is applied first: it replaces ~/.mozilla with an empty read-only directory owned by nobody (uid 65534), which is what the listing shows, and --private-home then tries to copy from that.

18. whitelist clashing with blacklist
$ firejail --whitelist=~/.mozilla
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 9440, child pid 9441
Child process initialized
$ ls -al
total 8
drwx------ 3 netblue netblue 100 Nov 25 08:09 .
drwxr-xr-x 3 65534 65534 60 Nov 25 08:09 ..
-rw-r--r-- 1 netblue netblue 3392 Nov 25 08:09 .bashrc
dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla
-rw------- 1 netblue netblue 51 Nov 25 08:09 .Xauthority

Same cause as 17: the blacklist wins over the later whitelist, so the sandbox sees the empty nobody-owned directory instead of ~/.mozilla. Either the whitelist has to be applied before the blacklist, or a whitelisted path has to be dropped from the blacklist.

19. Try --overlay on Ubuntu 14.04 32-bit. Without adding --dns there is no network connectivity - see issue 151

20. Check this out:

I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted read-only.
Here's what my fstab looks like now:

/dev/mapper/asdf-home /home ext4 nosuid,noatime,nodev 0 2
/dev/mapper/asdf-opt /opt ext4 discard,noatime,nosuid 0 2
/dev/mapper/asdf-usr--bin /usr/bin ext4 defaults,nosuid,noatime,rw 0 2
/dev/mapper/asdf-usr--local /usr/local ext4 defaults,nosuid,noatime,ro 0 2
/dev/mapper/asdf-usr--sbin /usr/sbin ext4 defaults,nosuid,noatime,ro 0 2
/dev/mapper/asdf-var /var ext4 discard,noatime,nodev,nosuid 0 2
tmpfs /tmp tmpfs noatime,nosuid,nodev,size=2G 0 1