-
Notifications
You must be signed in to change notification settings - Fork 0
/
todo
303 lines (241 loc) · 11.4 KB
/
todo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
* gnome-keyring
https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement
nice article on gnome keyring
http://mdeslaur.blogspot.com/2009/11/gnome-keyring.html
* list dbus sockets
sudo netstat -nap | grep dbus | grep CONNECTED | awk '{print $8}' | sort | uniq -c
* char " needs to be escaped
$ firejail svn commit -m "exit program if an invalid option is detected"
Parent pid 4415, child pid 4416
Interface IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0 192.168.1.60 255.255.255.0 UP
Child process initialized
svn: Commit failed (details follow):
svn: '/home/netblue/work/firejail-sf/program' is not under version control
parent is shutting down, bye...
* in overlay mode "sudo su -" doesn't work
netblue@ubuntu:~/work/firejail-sf$ firejail --overlay
Parent pid 4173, child pid 4174
Error: failed to unmount /sys
Interface IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0 192.168.1.47 255.255.255.0 UP
Child process initialized
[netblue@ubuntu firejail-sf]$ sudo su -
[sudo] password for netblue:
su: System error
[netblue@ubuntu firejail-sf]$
* private /dev directory
CAP_MKNOD and mknod() syscall - create special files including device files under /dev directory
libvirt-lxc containers clears CPA_MKNOD from the bounding set
libvirt-lxc
static virLXCCgroupDevicePolicy devices[] = {
348 {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_NULL},
349 {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_ZERO},
350 {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_FULL},
351 {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_RANDOM},
352 {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_URANDOM},
353 {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_TTY},
354 {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_PTMX},
355 {'c', LXC_DEV_MAJ_FUSE, LXC_DEV_MIN_FUSE},
356 {0, 0, 0}};
357
/dev/zero
/dev/null
/dev/full
/dev/random
/dev/urandom
they also seem to use tty and fuse
/dev/ptmx symlinked to /dev/pts/ptmx
/dev/stdin symlinked to /proc/self/fd/0
/dev/stdout symlinked to /proc/self/fd/1
/dev/stderr symlinked to /proc/self/fd/2
/dev/fd symlinked to /proc/self/fd
/dev/console symlinked to /dev/pts/0
LXC:
lxc.cgroup.devices.deny = a # Deny all access to devices
lxc.cgroup.devices.allow = c 1:3 rwm # dev/null
lxc.cgroup.devices.allow = c 1:5 rwm # dev/zero
lxc.cgroup.devices.allow = c 5:1 rwm # dev/console
lxc.cgroup.devices.allow = c 5:0 rwm # dev/tty
lxc.cgroup.devices.allow = c 4:0 rwm # dev/tty0
lxc.cgroup.devices.allow = c 1:9 rwm # dev/urandom
lxc.cgroup.devices.allow = c 1:8 rwm # dev/random
lxc.cgroup.devices.allow = c 136:* rwm # dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm # dev/pts/ptmx
lxc.cgroup.devices.allow = c 254:0 rwm
static const struct lxc_devs lxc_devs[] = {
{ "null", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 3 },
{ "zero", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 5 },
{ "full", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 7 },
{ "urandom", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 9 },
{ "random", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 8 },
{ "tty", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 5, 0 },
{ "console", S_IFCHR | S_IRUSR | S_IWUSR, 5, 1 },
};
Gnome sandbox: https://wiki.gnome.org/Projects/SandboxedApps/Sandbox
/dev/full, /dev/null, /dev/random, /dev/urandom, /dev/tty and /dev/zero
/dev/shm is a private tmpfs
/dev/dri is a bind mount of the host /dev/dri
video device:
/dev/video*
sound devices:
/dev/dsp
/dev/adsp
/dev/audio
/dev/sndstat
/dev/mixer
$ ls /dev/snd
by-path controlC0 pcmC0D0c pcmC0D0p pcmC0D1c pcmC0D2p seq timer
$ lsusb --verbose | less
$ cat /dev/sndstat
Sound Driver:3.8.1a-980706 (ALSA v1.0.24 emulation code)
Kernel: Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.57-3+deb7u2 x86_64
Config options: 0
Installed drivers:
Type 10: ALSA emulation
Card config:
Intel ICH with ALC655 at irq 23
Audio devices: NOT ENABLED IN CONFIG
Synth devices: NOT ENABLED IN CONFIG
Midi devices: NOT ENABLED IN CONFIG
Timers:
31: system timer
Mixers: NOT ENABLED IN CONFIG
$ lsmod | grep snd
snd_intel8x0 30903 2
snd_ac97_codec 106942 1 snd_intel8x0
snd_pcm 68083 2 snd_ac97_codec,snd_intel8x0
snd_page_alloc 13003 2 snd_pcm,snd_intel8x0
snd_timer 22917 1 snd_pcm
snd 52889 8 snd_timer,snd_pcm,snd_ac97_codec,snd_intel8x0
ac97_bus 12510 1 snd_ac97_codec
soundcore 13065 1 snd
netblue@debian:~/work/firejail/trunk$ lspci | grep Audio
00:10.2 Multimedia audio controller: NVIDIA Corporation MCP51 AC97 Audio Controller (rev a2)
netblue@debian:~/work/firejail/trunk$
* bug???
netblue@debian:~/work/firejail-sf$ firejail --trace svn commit -m "0.9.14 testing"
Parent pid 7848, child pid 7849
Interface IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0 192.168.1.60 255.255.255.0 UP
br0 10.10.20.1 255.255.255.248 UP
br1 10.10.30.1 255.255.255.0 UP
br2 10.10.40.1 255.255.255.0 UP
br3 10.10.50.1 255.255.255.0 UP
Child process initialized
1:bash:open /dev/tty
1:svn:open /etc/subversion/servers
1:svn:open /home/netblue/.subversion/servers
1:svn:open /etc/subversion/config
1:svn:open /home/netblue/.subversion/config
1:svn:open /home/netblue/work/firejail-sf/.svn/entries
1:svn:open /home/netblue/work/firejail-sf/.svn/entries
1:svn:open /home/netblue/work/firejail-sf/.svn/entries
1:svn:open /home/netblue/work/firejail-sf/.svn/entries
1:svn:open /home/netblue/work/firejail-sf/.svn/entries
1:svn:open /home/netblue/work/firejail-sf/.svn/lock
1:svn:open /home/netblue/work/firejail-sf/.svn/entries
1:svn:unlink /home/netblue/work/firejail-sf/.svn/lock
svn: Commit failed (details follow):
svn: '/home/netblue/work/firejail-sf/testing' is not under version control
parent is shutting down, bye...
* AppArmor
http://lists.freedesktop.org/archives/systemd-devel/2014-February/016917.html
https://code.google.com/p/psutil/issues/detail?id=483
* Ubuntu cgroups:
cgroups are not mounted by default!
$ sudo su -
# cd /sys/fs/cgroup
# mkdir
# modprobe cls_cgroup
# mount -t cgroup -o cpuset,cpuacct,devices,memory,net_cls cgroup root
# mkdir root/g1
* Icon theme
http://tiheum.deviantart.com/art/Faenza-Icons-173323228
* systemd integration
see playpen: https://github.com/thestinger/playpen
allows setting: memory limit, devices, cpu accounting, blockio accounting
it has a learn mode where he records all syscalls for whitelisting purposes
* login box article
http://www.jwz.org/xscreensaver/toolkits.html
* nice linux namespaces article: http://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces
* check default caps blacklist for docker version 0.12
* The proof of concept exploit relies on a kernel capability that allows a process to open any file in the
host based on its inode. On most systems, the inode of the / (root) filesystem is 2. With this information
and the kernel capability it is possible to walk the host’s filesystem tree until you find the object you wish
to open and then extract sensitive information like passwords.
* nice explanation of chmod g+s: http://www.library.yale.edu/wsg/docs/permissions/sgid.htm
* HOST stats
if ((f=fopen("/proc/stat", "r" ))==NULL) {
209 RETURN_WITH_SET_ERROR_WITH_ERRNO("cpu", SG_ERROR_OPEN, "/proc/stat");
210 }
211
212 while( ( fgets(line, sizeof(line), f) != NULL ) && (matched < 4) ) {
213 if( ( ( strncmp( line, "cpu", strlen("cpu" ) ) == 0 ) && isblank(line[strlen("cpu")]) ) ) {
214 /* The very first line should be cpu */
215 proc_stat_cpu = sscanf(line, "cpu %llu %llu %llu %llu %llu",
216 &cpu_stats_buf->user,
217 &cpu_stats_buf->nice,
218 &cpu_stats_buf->kernel,
219 &cpu_stats_buf->idle,
220 &cpu_stats_buf->iowait);
221
cpu_stats_buf->total = cpu_stats_buf->user + cpu_stats_buf->nice + cpu_stats_buf->kernel + cpu_stats_buf->idle;
sg_get_cpu_percents_int(sg_cpu_percents *cpu_percent_buf, const sg_cpu_stats *cpu_stats_buf){
cpu_percent_buf->user = ((double)cpu_stats_buf->user) / ((double)cpu_stats_buf->total) * 100;
440 cpu_percent_buf->kernel = ((double)cpu_stats_buf->kernel) / ((double)cpu_stats_buf->total) * 100;
441 cpu_percent_buf->idle = ((double)cpu_stats_buf->idle) / ((double)cpu_stats_buf->total) * 100;
442 cpu_percent_buf->iowait = ((double)cpu_stats_buf->iowait) / ((double)cpu_stats_buf->total) * 100;
443 cpu_percent_buf->swap = ((double)cpu_stats_buf->swap) / ((double)cpu_stats_buf->total) * 100;
444 cpu_percent_buf->nice = ((double)cpu_stats_buf->nice) / ((double)cpu_stats_buf->total) * 100;
cpu — Measures the number of jiffies (1/100 of a second for x86 systems) that the system has been in user mode,
user mode with low priority (nice), system mode, idle task, I/O wait, IRQ (hardirq), and softirq respectively.
double LxQtCpuLoad::getLoadCpu() const
{
#ifdef STATGRAB_NEWER_THAN_0_90
size_t count;
sg_cpu_percents* cur = sg_get_cpu_percents(&count);
#else
sg_cpu_percents* cur = sg_get_cpu_percents();
#endif
return (cur->user + cur->kernel + cur->nice);
}
if ((f = fopen("/proc/meminfo", "r")) == NULL) {
214 RETURN_WITH_SET_ERROR_WITH_ERRNO("mem", SG_ERROR_OPEN, "/proc/meminfo");
215 }
216
217 #define MEM_TOTAL_PREFIX "MemTotal:"
218 #define MEM_FREE_PREFIX "MemFree:"
219 #define MEM_CACHED_PREFIX "Cached:"
220
221 while ((line_ptr = fgets(line_buf, sizeof(line_buf), f)) != NULL) {
222 if ( sscanf(line_buf, "%*s %lld kB", &value) != 1)
223 continue;
224
225 if (strncmp(line_buf, MEM_TOTAL_PREFIX, sizeof(MEM_TOTAL_PREFIX) - 1) == 0)
226 mem_stats_buf->total = value;
227 else if (strncmp(line_buf, MEM_FREE_PREFIX, sizeof(MEM_FREE_PREFIX) - 1) == 0)
228 mem_stats_buf->free = value;
229 else if (strncmp(line_buf, MEM_CACHED_PREFIX, sizeof(MEM_CACHED_PREFIX) - 1) == 0)
230 mem_stats_buf->cache = value;
231 }
232
233 mem_stats_buf->free += mem_stats_buf->cache;
234
235 mem_stats_buf->total *= 1024;
236 mem_stats_buf->free *= 1024;
237 mem_stats_buf->cache *= 1024;
238
239 #undef MEM_TOTAL_PREFIX
240 #undef MEM_FREE_PREFIX
241 #undef MEM_CACHED_PREFIX
242
243 fclose(f);
244 mem_stats_buf->used = mem_stats_buf->total - mem_stats_buf->free;
* systemd-nspawn seems to denay:
--capability)
comps='CAP_BLOCK_SUSPEND CAP_IPC_LOCK CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_SYS_MODULE CAP_SYS_PACCT CAP_SYS_RAWIO
CAP_SYS_TIME CAP_SYSLOG CAP_WAKE_ALARM CAP_NET_ADMIN'