FireJail - a sandbox for Linux
#1
I am not proficient in Unix/Linux systems, so please forgive my ignorance if I am writing about something already known, or even outright nonsense :)
The quotes come from the program's website

[Image: firejail-debug.png?w=960]

Quote:Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version. Debian, Ubuntu, Mint, OpenSUSE, CentOS 7 and Fedora packages are provided. An Arch Linux package is maintained in AUR.



Quote:Firejail Features

The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space. The following features are implemented:

Process Separation
Firejail restricts the processes visible in the sandbox by making the sandboxed program PID 1. Only processes started by this program and its descendants will be visible in the sandbox.

Filesystem Support
Three types of filesystems are supported: local, overlay and chroot filesystems. Filesystem trees can be further modified using security profiles. Multiple Firefox sandboxes can be run in parallel on the same filesystem tree. (...)

Private Mode and Security Profiles
Private mode can be used on top of any type of filesystem described above. It basically isolates the current user directory from the processes running in the sandbox by mounting empty temporary filesystems on top of /root, /home and /tmp directories. Any files written in these directories will be discarded when the sandbox is closed. (...)

Seccomp Support
Seccomp (alias for “secure computing”) is a filtering mechanism that allows processes to specify an arbitrary filter of system calls (expressed as a Berkeley Packet Filter program) that should be forbidden. Berkeley Packet Filter support for seccomp was introduced in Linux kernel 3.5. (...)

Linux Capabilities Support
When enabled using --caps support, a security filter based on Linux capabilities (POSIX draft 1003.1e) is applied to all processes inside the sandbox. Currently the following capabilities are dropped:

CAP_SYS_MODULE – kernel module loading/unloading
CAP_SYS_RAWIO – IO port operations
CAP_SYS_BOOT – system reboot and replacing current kernel with a new one
CAP_SYS_NICE – raise process nice value
CAP_SYS_TTY_CONFIG – various privileged ioctl operations on virtual terminals
CAP_SYSLOG – privileged syslog operation
CAP_SYS_ADMIN – system administration privileges

Networking Support
Firejail can attach a new TCP/IP networking stack to the sandbox. This can be used to set up local Demilitarized Zones (DMZ), or to configure temporary networks for developing and testing various client/server programs. (...)

Monitoring Support
The sandboxes and the associated processes are listed using the firejail --list command. A separate utility, firemon, based on the Process Events Connector feature in the Linux kernel, allows the administrator to trace and log all fork, exec, id change, and exit events in the sandbox.

Both firejail and firemon include a --list option that lists the process tree for each sandbox. Also, a --top option similar to the Linux top command is included.


Thread on Wilders Security


"Security is a journey, not a destination - it is not a problem that can be solved once and for all"
"Trust is not control, and hope is not a strategy"
#2
A very good and powerful program, and easy to use as well. It is useful both for desktop programs, e.g. Firefox, and on a server.