madaidan
Firejail has way too large an attack surface that has led to many [privilege escalations and sandbox escapes](https://www.openwall.com/lists/oss-security/2017/01/05/4) in the past. It would be better if orjail used [bubblewrap](https://github.com/containers/bubblewrap) instead which...
seccomp-bpf allows you to filter which syscalls an application is allowed to use. Firejail and bubblewrap (#62) both have seccomp support. Firejail also has a [seccomp guide](https://firejail.wordpress.com/documentation-2/seccomp-guide/). Orjail shouldn't use...
This is a workaround for https://github.com/containers/bubblewrap/issues/198 It checks if /proc/mounts contains anything related to `hidepid`. I'm very new to C so sorry if there's anything wrong. It worked fine when...
The only missing parts of this are the /tmp, /dev/shm and /run restrictions as systemd doesn't seem to like them: `dev-shm.mount: Cannot create mount unit for API file system /dev/shm`
linux-hardened makes some sysctl constants read-only but there are many more scattered throughout the kernel. This makes a few more of them read-only.
Trusted Path Execution (TPE) will restrict certain users so they are only able to execute files in root-owned directories writable only by root. This makes it far harder for an...
This creates the fs.romount_protect sysctl to enable read-only mount protection. If romount_protect is set to (1), filesystems will be protected in the following ways: * No new writable mounts will...
This creates the sysfs_restrict sysctl which restricts access to sysfs. When enabled, sysfs and any filesystem mounted under it (e.g. debugfs) will be accessible only by root. The default value...
This creates a CONFIG_SECURITY_MODHARDEN option and when enabled, restricts module auto-loading to CAP_SYS_MODULE. This is based on GRKERNSEC_MODHARDEN.
It's a common error to grant too much permission to these objects, with impact ranging from denial of service and information leaking to privilege escalation. https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ This creates the kernel.harden_ipc...