github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-16 14:16:16 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6
firejail/todo
netblue30 59f60106a6 profile cleanup
2016-01-22 09:08:35 -05:00

123 lines
4.2 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

1. Getting "Warning: failed to unmount /sys" on --chroot and --overlay
2. Startup warnings on Arch Linux:
(all fine here)
$ ./firejail
Parent pid 2495, child pid 2496
Child process initialized
$
(warnings)
$ ./firejail --overlay
Parent pid 2500, child pid 2501
OverlayFS configured in /home/ablive/.firejail/2500 directory
Warning: /var/lock not mounted
Warning: cannot find /var/run/utmp
Warning: failed to unmount /sys
Child process initialized
$
(warnings)
$ ./firejail --chroot=/media/mylinux
Parent pid 2503, child pid 2504
Warning: cannot find /var/run/utmp
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Child process initialized
$
5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
RSS: Liferea, akregator (KDE), newsbeuter (CLI), rawdog,
6. Tests not working on Arch:
profile_syntax.exp (profile syntax)
fs_chroot.exp (chroot as user)
private-etc.exp
7. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
ksh and zsh seem to have it.
Tests:
a)
cat </dev/tcp/time.nist.gov/13
b)
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3
c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
8. SELinux
Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
"desktops are notoriously difficult to use a mandatory access control system on"
9. blacklist .muttrc, contains passwords in clear text
10. abstract unix socket bridge, example for ibus:
before the sandbox is started
socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
in sandbox
socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
12. do not allow symlinks for --bind
13. While using --net=eth0 assign the name of the interface inside the sandbox as eth0
15. do not attempt to mount /sys if unmount fails
$ firejail --noprofile --chroot=/tmp/chroot
Parent pid 13915, child pid 13916
Warning: cannot mount tmpfs on top of /var/log
Warning: cannot find /var/run/utmp
Warning: cannot find home directory
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Warning: failed to mount /sys
Warning: cannot disable /sys/firmware directory
Warning: cannot disable /sys/hypervisor directory
Warning: cannot disable /sys/fs directory
Warning: cannot disable /sys/module directory
Warning: cannot disable /sys/power directory
Child process initialized
16. add support for --ip, --iprange, --mac and --mtu for --interface option
17. private-home clashing with blacklist
whitelist clashing with blacklist
19. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151
21. restrict chars in filenames
try to open url-encoded filenames
const char badChars[] = "-\n\r ,;'\\<\"";
(https://www.securecoding.cert.org/confluence/display/c/MSC09-C.+Character+encoding%3A+Use+subset+of+ASCII+for+safety)
strip = array("~", "`", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "_", "=", "+", "[", "{", "]",
"}", "\\", "|", ";", ":", "\"", "'", "&#8216;", "&#8217;", "&#8220;", "&#8221;", "&#8211;", "&#8212;",
"—", "", ",", "<", ".", ">", "/", "?");
(https://github.com/vito/chyrp/blob/35c646dda657300b345a233ab10eaca7ccd4ec10/includes/helpers.php#L516)
$special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}");
(wordpress)
rework the calls to invalid_filename(), depending if globing is allowed or not, include * in the list for non-globing files
The POSIX standard defines what a “portable filename” is. This turns out to be just A-Z, a-z, 0-9, <period>, <underscore>, and <hyphen>
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276
22. --shutdown does not clear sandboxes started with --join on Debian jessie
23. to document:
http://lwn.net/Articles/414813/
echo 1 > /proc/sys/kernel/dmesg_restrict
Reference in a new issue View git blame Copy permalink