el muchacho Tux's lil' helper
Joined: 26 Mar 2015 Posts: 78
Posted: Mon Apr 20, 2015 2:42 pm Post subject: Firejail
I'm quite surprised to see that a search for "Firejail" on this forum didn't produce any result.
For those who are into the security aspect of Gentoo, this is a great tool to look at. This is not in the official portage tree but in the overlays.
What it basically does is allow you to run any program in a sandbox with:
- the seccomp you decide
- the capabilities you decide
- the chroot environment you decide
- the Linux namespace you decide (separate PID tree, separate network stack if you wish, and a few others).
I find it much easier than AppArmor or other tools which do not even cover all those aspects at the same time.
All that config is very simple. In a config file, you put one-liners which will blacklist/whitelist/make read-only/make invisible the directories/files/system calls you wish to avoid:
Code:
# system directories
blacklist /sbin
blacklist /usr/sbin
# system management
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/strace
seccomp.drop fork
seccomp.keep read
More info: https://l3net.wordpress.com/projects/firejail/
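An added example, not part of the original post or of the Firejail project: a small Python audit that parses the profile format quoted above and reports which of the four layers the post lists (seccomp, capabilities, filesystem, namespaces) a profile actually configures. Directive names other than `blacklist`, `seccomp.drop` and `seccomp.keep` are assumed from the firejail-profile man page, and the function names are hypothetical.

```python
# Added example: audit a firejail profile against the four layers in the post.
# Directives not shown in the post are assumed from firejail-profile(5).
LAYERS = {
    "filesystem": ("blacklist", "whitelist", "read-only", "tmpfs", "private"),
    "seccomp": ("seccomp", "seccomp.drop", "seccomp.keep"),
    "capabilities": ("caps", "caps.drop", "caps.keep"),
    "namespaces": ("net", "noroot", "ipc-namespace"),
}
LAYER_OF = {d: layer for layer, names in LAYERS.items() for d in names}

# The profile quoted in the post, embedded so the script runs offline.
POST_PROFILE = """\
# system directories
blacklist /sbin
blacklist /usr/sbin
# system management
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/strace
seccomp.drop fork
seccomp.keep read
"""

def parse_profile(text):
    """Yield (line_no, directive, argument), skipping blanks and # comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, argument = line.partition(" ")
        yield line_no, directive, argument.strip()

def audit(text):
    """Group directives by layer; list unclassified lines and untouched layers."""
    by_layer = {layer: [] for layer in LAYERS}
    unclassified = []
    for line_no, directive, argument in parse_profile(text):
        layer = LAYER_OF.get(directive)
        if layer is None:
            unclassified.append((line_no, directive))
        else:
            by_layer[layer].append((directive, argument))
    # Layers with no directive stay at whatever firejail applies by default.
    untouched = [layer for layer, found in by_layer.items() if not found]
    return by_layer, unclassified, untouched

if __name__ == "__main__":
    by_layer, unclassified, untouched = audit(POST_PROFILE)
    print({k: len(v) for k, v in by_layer.items()}, unclassified, untouched)
```

Run against the profile from the post, it reports five filesystem rules and two seccomp rules, with capabilities and namespaces left untouched by the profile.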