todo (forked from netblue30/firejail)
1. Getting "Warning: failed to unmount /sys" on --chroot and --overlay
2. Startup warnings on Arch Linux:
(all fine here)
$ ./firejail
Parent pid 2495, child pid 2496
Child process initialized
$
(warnings)
$ ./firejail --overlay
Parent pid 2500, child pid 2501
OverlayFS configured in /home/ablive/.firejail/2500 directory
Warning: /var/lock not mounted
Warning: cannot find /var/run/utmp
Warning: failed to unmount /sys
Child process initialized
$
(warnings)
$ ./firejail --chroot=/media/mylinux
Parent pid 2503, child pid 2504
Warning: cannot find /var/run/utmp
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Child process initialized
$
5. Add IRC clients: KVIrc (KDE), BitchX (CLI), Smuxi, Konversation (KDE), HexChat, Irssi (CLI), WeeChat (CLI)
RSS readers: Liferea, akregator (KDE), newsbeuter (CLI), rawdog
6. Tests not working on Arch:
profile_syntax.exp (profile syntax)
fs_chroot.exp (chroot as user)
private-etc.exp
7. Disable /dev/tcp in bash. It is a compile-time option: bash built with --enable-net-redirections has it, --disable-net-redirections removes it.
ksh and zsh seem to have it.
Note: this only hardens the shell; any other interpreter in the sandbox can still open sockets, so the network namespace (--net=none) is the real control.
Tests:
a)
cat </dev/tcp/time.nist.gov/13
b)
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3
c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
8. SELinux
Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
"desktops are notoriously difficult to use a mandatory access control system on"
9. blacklist .muttrc; it can contain passwords in clear text
10. abstract unix socket bridge, example for ibus (abstract sockets belong to the network namespace, so a sandbox started with --net loses the host's; a filesystem socket can be carried across instead):
before the sandbox is started
socat UNIX-LISTEN:/tmp/mysock,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
in sandbox
socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
caveat: everything in the sandbox can then reach the host's ibus socket through the bridge
12. do not allow symlinks for --bind
13. While using --net=eth0 assign the name of the interface inside the sandbox as eth0
15. do not attempt to mount /sys if unmount fails
$ firejail --noprofile --chroot=/tmp/chroot
Parent pid 13915, child pid 13916
Warning: cannot mount tmpfs on top of /var/log
Warning: cannot find /var/run/utmp
Warning: cannot find home directory
Dropping all Linux capabilities and enforcing default seccomp filter
Warning: failed to unmount /sys
Warning: failed to mount /sys
Warning: cannot disable /sys/firmware directory
Warning: cannot disable /sys/hypervisor directory
Warning: cannot disable /sys/fs directory
Warning: cannot disable /sys/module directory
Warning: cannot disable /sys/power directory
Child process initialized
16. add support for --ip, --iprange, --mac and --mtu for --interface option
17. private-home clashing with blacklist
whitelist clashing with blacklist
19. Try --overlay on Ubuntu 14.04 32-bit. Without adding --dns there is no network connectivity - see issue 151
21. restrict chars in filenames
try to open url-encoded filenames
const char badChars[] = "-\n\r ,;'\\<\"";
(https://www.securecoding.cert.org/confluence/display/c/MSC09-C.+Character+encoding%3A+Use+subset+of+ASCII+for+safety)
strip = array("~", "`", "!", "@", "#", "$", "%", "^", "&", "*", "(", ")", "_", "=", "+", "[", "{", "]",
"}", "\\", "|", ";", ":", "\"", "'", "‘", "’", "“", "”", "–", "—",
"—", "–", ",", "<", ".", ">", "/", "?");
(https://github.com/vito/chyrp/blob/35c646dda657300b345a233ab10eaca7ccd4ec10/includes/helpers.php#L516)
$special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}");
(WordPress)
rework the calls to invalid_filename() depending on whether globbing is allowed or not; include * in the list for non-globbing files
The POSIX standard defines what a “portable filename” is. This turns out to be just A-Z, a-z, 0-9, <period>, <underscore>, and <hyphen> (and <hyphen> should not be the first character)
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_276
22. --shutdown does not clear sandboxes started with --join on Debian jessie
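Added example, not firejail's own code: the two path checks that items 12 and 21 call for, written in C like the project. invalid_filename() keeps to the POSIX portable filename set quoted in item 21 (plus '/' as separator, and the glob metacharacters only when the caller allows them) and also rejects any ".." component; path_has_symlink() is the --bind check from item 12. The function names, the exact character rules and the demo_path_checks() self-test are this example's own choices.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Item 21: the POSIX portable filename character set (A-Z a-z 0-9 . _ -). */
static bool portable_char(char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Glob metacharacters, accepted only when the caller permits globbing. */
static bool glob_char(char c) {
    return c == '*' || c == '?' || c == '[' || c == ']';
}

/* Returns true if `name` must be rejected:
 *  - empty name;
 *  - any byte outside the portable set, '/', or (with allow_glob) a glob
 *    metacharacter: this covers space, quotes, ';', newline and also '%', so
 *    URL-encoded names such as "%2e%2e" cannot smuggle bytes past the filter;
 *  - any ".." component, so a whitelist/blacklist entry cannot walk out of
 *    its directory. */
bool invalid_filename(const char *name, bool allow_glob) {
    if (name == NULL || *name == '\0')
        return true;
    const char *comp = name;                 /* start of the current component */
    for (const char *p = name;; p++) {
        char c = *p;
        if (c == '\0' || c == '/') {
            if (p - comp == 2 && comp[0] == '.' && comp[1] == '.')
                return true;
            if (c == '\0')
                return false;
            comp = p + 1;
        } else if (!portable_char(c) && !(allow_glob && glob_char(c))) {
            return true;
        }
    }
}

/* Item 12: lstat() every prefix of `path`; true if any component is a symlink.
 * A user who controls a symlink in a --bind source or target otherwise decides
 * what the setuid launcher mounts where.  This is check-then-use, so the mount
 * that follows still races with the user; the robust version walks the path
 * with openat(O_PATH|O_NOFOLLOW) and mounts by file descriptor. */
bool path_has_symlink(const char *path) {
    char buf[PATH_MAX];
    size_t n = strlen(path);
    if (n == 0 || n >= sizeof buf)
        return true;                         /* refuse rather than truncate */
    memcpy(buf, path, n + 1);
    for (size_t i = 1; i <= n; i++) {
        if (buf[i] != '/' && buf[i] != '\0')
            continue;
        char saved = buf[i];
        buf[i] = '\0';
        struct stat st;
        if (lstat(buf, &st) == 0 && S_ISLNK(st.st_mode))
            return true;
        buf[i] = saved;
    }
    return false;
}

/* Self-check: scratch directory (current dir, falling back to /tmp), one
 * regular file and one symlink to it; 0 if the file passes and the link is caught. */
int demo_path_checks(void) {
    char dir[PATH_MAX] = "bindchk-XXXXXX";
    if (mkdtemp(dir) == NULL && mkdtemp(strcpy(dir, "/tmp/bindchk-XXXXXX")) == NULL)
        return 1;
    char real[PATH_MAX + 8], link[PATH_MAX + 8];
    snprintf(real, sizeof real, "%s/real", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int rc = 1;
    FILE *f = fopen(real, "w");
    if (f != NULL && fclose(f) == 0 && symlink("real", link) == 0)
        rc = (!path_has_symlink(real) && path_has_symlink(link)) ? 0 : 2;
    unlink(link);
    unlink(real);
    rmdir(dir);
    return rc;
}

int main(void) {
    const char *samples[] = { "/home/user/.muttrc", "/home/user/*.conf",
                              "/home/user/../root/.ssh", "/tmp/%2e%2e/etc", "/etc/passwd; id" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s strict:%-6s glob:%s\n", samples[i],
               invalid_filename(samples[i], false) ? "reject" : "ok",
               invalid_filename(samples[i], true) ? "reject" : "ok");
    printf("symlink self-check: %d\n", demo_path_checks());
    return 0;
}
```

Both checks run before anything is mounted; for the symlink case that leaves the race noted in the comment, so treat it as the argument validation the todo item asks for, not as the final mount-time guard.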