On Sat, Apr 22, 2017 at 11:02:58PM +0200, Petter Reinholdtsen wrote:
> [Reiner Herrmann]
> > It sounds like you are looking for the --trace command.
>
> It does, doesn't it. But while I had indeed missed the applicability of
> the --trace argument, I was hoping for something that could report
> everything that was blocked, not everything that was used. There is a
> lot of noise in the --trace output, for example about files in /usr/
> being read. I hoped to start with a fairly restricted setup and log
> everything that was blocked, create a profile to open access to the
> blocked stuff that should be opened.
>
> Is there a way to do this?
To reduce noise you could perhaps filter (grep) for the syscalls you are
interested in and only for negative return values (which would indicate
an error / that something was blocked).

> Or perhaps there is a way to take the output from --trace and create a
> draft profile?

Not that I'm aware of, but I think that's a good suggestion.

> Also, is there a way to restrict a firejail client to look up only some
> DNS names? For Minecraft, it is fairly well known which subdomain will
> be looked up, and it would be useful to set a restriction there in case
> the Java code was compromised when automatically downloaded by the
> launcher.

You could set up your own small DNS server (like dnsmasq) and configure it
to only resolve the hostname you are interested in. And then tell firejail
with --dns that only this nameserver should be used.

Or if you don't expect the IP addresses to change you could use your own
/etc/hosts file so that only the hosts from there can be resolved, and
configure an invalid nameserver (localhost or so).

Another possibility is to use netfilter/iptables. You write your netfilter
rules that only allow access to certain hosts / ports and use --netfilter
for applying them in the sandbox. This would be more secure than preventing
DNS lookups, because with the DNS/nameserver blocks mentioned above, a
compromised application would still be able to perform its own DNS lookup
by directly querying the nameservers (or having hardcoded IP addresses,
etc...).

Regards,
Reiner
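The grep-style filtering suggested above, written out as an added shell example (not part of the original thread). It assumes firejail's --trace lines look like `pid:process:syscall args:retval` with the return value as the last colon-separated field, and it runs on constructed sample lines rather than a real capture:

```shell
#!/bin/sh
# Added example: keep only the --trace lines where a syscall failed
# (negative return value), optionally restricted to named syscalls.
# Assumed line format: "pid:process:syscall args:retval".

# Constructed sample trace output (not a real firejail capture).
SAMPLE_TRACE='1234:java:open /usr/lib/jvm/libjava.so:3
1234:java:open /home/user/.minecraft/options.txt:4
1234:java:open /etc/shadow:-1
1234:java:connect 7 1.2.3.4 port 443:0
1234:java:connect 8 10.0.0.5 port 25565:-1
1234:java:socket AF_INET SOCK_STREAM IPPROTO_TCP:7'

# blocked_calls [syscalls]
# Reads trace lines on stdin and prints those whose last field is negative.
# The optional argument is a space-separated list of syscall names to keep
# (e.g. "open connect"); an empty list keeps every failing call.
blocked_calls() {
    awk -F: -v want="$1" '
        BEGIN {
            n = split(want, list, " ")
            for (i = 1; i <= n; i++) keep[list[i]] = 1
        }
        {
            rv = $NF
            if (rv !~ /^-[0-9]+$/) next        # retval >= 0: call succeeded
            split($3, parts, " ")              # parts[1] is the syscall name
            if (n > 0 && !(parts[1] in keep)) next
            print
        }'
}

# Stand-alone demo on the constructed sample; with a real sandbox the
# trace output would be piped in instead (assumed usage).
printf '%s\n' "$SAMPLE_TRACE" | blocked_calls "open connect"
```

Every surviving line is one access the sandbox refused, which is the list you would walk through when deciding what a profile should open up.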