Introduction - Overview

"Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities." - quoted from firejail(1)

Vine Linux
Usage

generic.profile (snip)

    include /etc/firejail/disable-mgmt.inc        ← files to include
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc
    blacklist ${HOME}/.pki/nssdb                  ← blacklist entries
    blacklist ${HOME}/.lastpass
    blacklist ${HOME}/.keepassx
    blacklist ${HOME}/.password-store
    caps.drop all                                 ← filter settings
    seccomp
    protocol unix,inet,inet6
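Because a profile's effective policy is spread across its include chain, it helps to flatten the chain and list what is actually blacklisted before trusting it. The script below is an added example (not part of Firejail or of these slides): it builds a constructed generic.profile plus one .inc file in a temporary directory, follows the include lines, and prints the blacklist entries with ${HOME} expanded; the file contents and the HOME_DIR fallback are assumptions for the demo.

```shell
#!/bin/sh
# Added example: flatten a Firejail profile's include chain and show the
# effective blacklist. The profile snippets below are constructed stand-ins
# for /etc/firejail/generic.profile and disable-secret.inc, not real system files.
set -eu

HOME_DIR="${HOME:-/home/user}"   # assumed fallback when HOME is unset
DEMO_DIR="$(mktemp -d)"

cat > "$DEMO_DIR/disable-secret.inc" <<EOF
blacklist \${HOME}/.gnupg
blacklist \${HOME}/.ssh
EOF

cat > "$DEMO_DIR/generic.profile" <<EOF
# constructed profile mirroring the slide's structure
include $DEMO_DIR/disable-secret.inc
blacklist \${HOME}/.pki/nssdb
blacklist \${HOME}/.lastpass
caps.drop all
seccomp
protocol unix,inet,inet6
EOF

# Recursively follow "include <file>" lines and emit every other directive,
# so nested .inc files are resolved the same way Firejail reads them.
flatten_profile() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      include\ *) flatten_profile "${line#include }" ;;
      ''|'#'*)    ;;                        # skip blank lines and comments
      *)          printf '%s\n' "$line" ;;
    esac
  done < "$1"
}

# Effective blacklist: keep only blacklist directives and expand ${HOME}.
effective_blacklist() {
  flatten_profile "$1" | sed -n 's/^blacklist //p' | sed "s|\${HOME}|$HOME_DIR|g"
}

effective_blacklist "$DEMO_DIR/generic.profile"
```

Running it prints the four blacklisted paths (two from the included file, two from the profile itself) in the order Firejail would process them.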
Usage

    [email protected]:~$ sudo firejail --net=enp3s0 --ip=192.168.0.10 /usr/sbin/apache2ctl start
    Reading profile /etc/firejail/server.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    ** Note : you can use --noprofile to disable server.profile **
    Parent pid 4152, child pid 4153
    The new log disrectory is /proc/4153/root/var/log
    Interface    MAC          IP            Mask            Status
    lo                        127.0.0.1     255.0.0.0       UP
    eth0-4152    1a:2b:3c:4d  192.168.0.10  255.255.255.0   UP
    Default gateway 192.168.0.1
    Child process initialized
    * Starting Apache httpd web server apache2
At the end

• Introduced Firejail as an easy tool for building and using sandboxes
• Exploring how to use it: the key is understanding its many options
  ➔ Can it be used in a way similar to containers?
• Integration with existing container engines
  ➔ The FAQ entry "Can I use Firejail as a container engine?" is answered with "Yes, Firejail can run Docker, LXC and OpenVZ containers." This needs further investigation.