github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1
firejail/todo

86 lines
3.2 KiB
Text
Raw Blame History

1. Deal with .purple directory. It holds the confiig files for pidgin
2. Startup warnings on Arch Linux:
(all fine here)
$ ./firejail
Parent pid 2495, child pid 2496
Child process initialized
$
(warnings)
$ ./firejail --overlay
Parent pid 2500, child pid 2501
OverlayFS configured in /home/ablive/.firejail/2500 directory
Warning: /var/lock not mounted
Warning: cannot find /var/run/utmp
Warning: failed to unmount /sys
Child process initialized
$
(warnings)
$ ./firejail --chroot=/media/mylinux
Parent pid 2503, child pid 2504
Warning: cannot find /var/run/utmp
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Child process initialized
$
3. Remove private.keep in 0.9.34 release (deprecated in 0.9.30)
4. Remove exclude-token from profile include in 0.9.34 (deprecated in 0.9.30)
5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog,
6. To investigate
// Restrict the set of allowable network protocol families
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_GE, AF_NETLINK + 1)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_AX25)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_IPX)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_APPLETALK)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_NETROM)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_BRIDGE)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_ATMPVC)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_X25)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_ROSE)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_DECnet)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_NETBEUI)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_SECURITY)));
CHECK_SECCOMP(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_SYS(socket), 1,
SCMP_A0(SCMP_CMP_EQ, AF_KEY)));
7. Tests not working on Arch:
profile_syntax.exp (profile syntax)
fs_chroot.exp (chroot as user)
private-etc.exp
8. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
ksh and zsh seem to have it.
Tests:
a)
cat </dev/tcp/time.nist.gov/13
b)
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3
c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
Reference in a new issue View git blame Copy permalink