Permalink
Fetching contributors…
Cannot retrieve contributors at this time
304 lines (209 sloc) 9 KB
1. Disable /dev/tcp in bash. Compiled time: --enable-net-redirections, --disable-net-redirections
ksh and zsh seem to have it.
Tests:
a)
cat </dev/tcp/time.nist.gov/13
b)
exec 3<>/dev/tcp/www.google.com/80
echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3
cat <&3
c) A list of attacks
http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
2. SELinux integration
Firefox selinux disabled (RedHat): http://danwalsh.livejournal.com/72697.html
Firefox selinux enabled (Gentoo hardened): http://blog.siphos.be/2015/08/why-we-do-confine-firefox/
"desktops are notoriously difficult to use a mandatory access control system on"
3. abstract unix socket bridge, example for ibus:
before the sandbox is started
socat UNIX-LISTEN:/tmp/mysoc,fork ABSTRACT-CONNECT:/tmp/dbus-awBoQTCc &
in sandbox
socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
5. add support for --ip, --iprange, --mac and --mtu for --interface option
6. --shutdown does not clear sandboxes started with --join
7. profile for okular
8. profile for dillo
Also, in dillo open a directory (file:///etc), when the browser window is closed the sandbox still remains active.
This is probably a dillo problem.
9. --force sandbox in a overlayfs sandbox
$ sudo firejail --overlay
# su netblue
$ xterm &
$ firejail --force --private
Parent pid 77, child pid 78
Warning: failed to unmount /sys
Warning: cannot mount a new user namespace, going forward without it...
Child process initialized
Try to join the forced sandbox in xterm window:
$ firejail --join=77
Switching to pid 78, the first child process inside the sandbox
Warning: seccomp file not found
Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.
$ ls ~ <----------------- all files are available, the directory is not empty!
10. Posibly capabilities broken for --join
$ firejail --name=test
...
$ firejail --debug --join=test
Switching to pid 18591, the first child process inside the sandbox
User namespace detected: /proc/18591/uid_map, 1000, 1000
Set caps filter 0
Set protocol filter: unix,inet,inet6
Read seccomp filter, size 792 bytes
However, in the join sandbox we have:
$ cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
11. check seccomp on Docker: https://docs.docker.com/engine/security/seccomp/
Seccomp lists:
https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_64.tbl
https://github.com/torvalds/linux/blob/1e75a9f34a5ed5902707fb74b468356c55142b71/arch/x86/entry/syscalls/syscall_32.tbl
12. check for --chroot why .config/pulse dir is not created
13. print error line number for profile files in profile_check_line()
14. make rpms problems
$ firejail --version
firejail version 0.9.40
User namespace support is disabled.
$ rpmlint firejail-0.9.40-1.x86_64.rpm
firejail.x86_64: E: no-changelogname-tag
firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtracelog.so
firejail.x86_64: W: unstripped-binary-or-object /usr/lib64/firejail/libtrace.so
firejail.x86_64: E: missing-call-to-setgroups /usr/lib64/firejail/libtrace.so
firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/google-play-music-desktop-player.profile
firejail.x86_64: W: conffile-without-noreplace-flag /etc/firejail/rtorrent.profi
$ rpmlint firejail-0.9.40-1.src.rpm
firejail.src: E: no-changelogname-tag
firejail.src: W: invalid-url Source0: https://github.com/netblue30/firejail/archive/0.9.40.tar.gz#/firejail-0.9.40.tar.gz HTTP Error 404: Not Found
1 packages and 0 specfiles checked; 1 errors, 1 warnings.
15. bug: capabiliteis declared on the command line take precedence over caps declared in profiles
$ firejail --caps.keep=chown,net_bind_service src/faudit/faudit
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 6872, child pid 6873
Child process initialized
----- Firejail Audit: the Good, the Bad and the Ugly -----
GOOD: Process PID 2, running in a PID namespace
Container/sandbox: firejail
GOOD: all capabilities are disabled
Parent is shutting down, bye...
16. Sound devices:
/dev/snd
/dev/snd/pcmC0D0 -> /dev/audio0 (/dev/audio) -> minor 4
/dev/snd/pcmC0D0 -> /dev/dsp0 (/dev/dsp) -> minor 3
/dev/snd/pcmC0D1 -> /dev/adsp0 (/dev/adsp) -> minor 12
/dev/snd/pcmC1D0 -> /dev/audio1 -> minor 4+16 = 20
/dev/snd/pcmC1D0 -> /dev/dsp1 -> minor 3+16 = 19
/dev/snd/pcmC1D1 -> /dev/adsp1 -> minor 12+16 = 28
/dev/snd/pcmC2D0 -> /dev/audio2 -> minor 4+32 = 36
/dev/snd/pcmC2D0 -> /dev/dsp2 -> minor 3+32 = 35
/dev/snd/pcmC2D1 -> /dev/adsp2 -> minor 12+32 = 44
17. test 3d acceleration
$ lspci -nn | grep VGA
# apt-get install mesa-utils
$ glxinfo | grep rendering
The output should be:
direct rendering: Yes
$ glxinfo | grep "renderer string"
OpenGL renderer string: Gallium 0.4 on AMD KAVERI
glxgears stuck to 60fps may be due to VSync signal synchronization.
To disable Vsync
$ vblank_mode=0 glxgears
19. testing snaps
Install firejail from official repository
sudo apt-get install firejail
Check firejail version
firejail --version
Above command outputs: firejail version 0.9.38
Search the snap 'ubuntu clock' application
sudo snap find ubuntu-clock-app
Install 'ubuntu clock' application using snap
sudo snap install ubuntu-clock-app
Ubuntu snap packages are installed in /snap/// directory and can be executed from /snap/bin/
cd /snap/bin/
ls -l
Note: We see application name is: ubuntu-clock-app.clock
Run application
/snap/bin/ubuntu-clock-app.clock
Note: Application starts-up without a problem and clock is displayed.
Close application using mouse.
Now try to firejail the application.
firejail /snap/bin/ubuntu-clock-app.clock
-------- Error message --------
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
** Note: you can use --noprofile to disable generic.profile **
Parent pid 3770, child pid 3771
Child process initialized
need to run as root or suid
parent is shutting down, bye...
-------- End of Error message --------
Try running as root as message instructs.
sudo firejail /snap/bin/ubuntu-clock-app.clock
extract env for process
ps e -p <pid> | sed 's/ /\n/g'
20. check default disable - from grsecurity
GRKERNSEC_HIDESYM
/proc/kallsyms and other files
GRKERNSEC_PROC_USER
If you say Y here, non-root users will only be able to view their own
processes, and restricts them from viewing network-related information,
and viewing kernel symbol and module information.
GRKERNSEC_PROC_ADD
If you say Y here, additional restrictions will be placed on
/proc that keep normal users from viewing device information and
slabinfo information that could be useful for exploits.
21. Core Infrastructure Initiative (CII) Best Practices
Proposal
Someone closely involved with the project could go thought the criteria and keep them up-to-date.
References
https://bestpractices.coreinfrastructure.org
https://twit.tv/shows/floss-weekly/episodes/389
22. add support for read-write and noexec to Firetools
23. AppArmor
$ sudo apt-get install apparmor apparmor-profiles apparmor-utils apparmor-notify
$ sudo apt-get install libapparmor-dev
$ sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
$ sudo update-grub
$ sudo reboot
If you are using auditd, start aa-notify to get notification whenever a program causes a DENIED message.
$ sudo aa-notify -p -f /var/log/audit/audit.log
$ sudo cat /sys/kernel/security/apparmor/profiles | grep firejail
firejail-default (enforce)
24. check monitor proc behaviour for sandboxes with --blacklist=/proc
also check --apparmor in this case
25. fix firemon and firetools on systems with hidepid=2
sudo mount -o remount,rw,hidepid=2 /proc
26. mupdf profile
27. LUKS
dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in
Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks,
removable media, partitions, software RAID volumes, logical volumes, and files.
28. Merge --dbus=none from https://github.com/Sidnioulz/firejail
// block dbus session bus the hard way if necessary
if (cfg.dbus == 0) {
char *dbus_path;
if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1)
errExit("asprintf");
fs_blacklist_file(dbus_path);
free(dbus_path);
}
29. grsecurity - move test after "firejail --name=blablabla" in /test/apps*
30.
$ sudo firejail --fs.print=test
[sudo] password for netblue:
tmpfs /run/firejail/mnt << ????????????????
sandbox name: test
sandbox pid: 5790
sandbox filesystem: local
install mount namespace
read-only /etc
read-only /var
read-only /bin
31. --private and --allusers are coliding
32. machine-id defined in rfc4122