Last active September 8, 2021 11:49

Revisions
rusty-snake revised this gist
Sep 8, 2021 . 1 changed file with 1 addition and 164 deletions.
@@ -1,164 +1 @@ https://github.com/netblue30/firejail/wiki/Comparison-of-firejail-and-systemd's-hardening-options -
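Review bot: the one line that replaces the whole comparison is a bare URL containing an apostrophe (`systemd's`); use an explicit `[Comparison of firejail and systemd's hardening options](https://github.com/netblue30/firejail/wiki/Comparison-of-firejail-and-systemd's-hardening-options)` link, or percent-encode the quote as `%27`, so the link target does not depend on how a renderer tokenizes the quote, and add a short lead-in saying that the table moved to the firejail wiki, since a reader of the gist otherwise sees only a URL and no hint that the 164 removed lines live on there.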
rusty-snake revised this gist
Aug 11, 2021 . 1 changed file with 2 additions and 2 deletions.
@@ -1,4 +1,4 @@ # Comparison of firejail and systemd's hardening options **TL;DR:** These tables list equivalent options rather than equal options. Read their docs! @@ -146,7 +146,7 @@ D-Bus filtering is not implemented for systemd and blocking the system-bus socke | `env FOO=bar` | `Environment=FOO=bar` | | `rmenv` | `UnsetEnvironment=EDITOR` | ## Uncategorized | firejail | systemd | | -------- | ------- | -
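Review bot: in the `@@ -146,7 +146,7 @@` hunk the `rmenv` row has no argument on the firejail side while its systemd cell is `UnsetEnvironment=EDITOR`; the row directly above pairs `env FOO=bar` with `Environment=FOO=bar`, and the first revision of this gist wrote `rmenv EDITOR`, so restore the variable name to keep both columns parallel. The shorter title and the `## Uncategorized` heading in the first hunk are fine.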
rusty-snake revised this gist
Aug 11, 2021 . 1 changed file with 1 addition and 1 deletion.
@@ -32,7 +32,7 @@ documentation of the option you use! | `chroot /foobaz` | `RootDirectory=/foobaz` | | `disable-mnt` | `InaccessiblePaths=/mnt`<br>`InaccessiblePaths=/media`<br>`InaccessiblePaths=/run/mount`(breaks systemd)<br>`InaccessiblePaths=/run/media` | | `mkdir` | Not Implemented<br>You can use `RuntimeDirectory=`, `StateDirectory=`, `CacheDirectory=`, `LogsDirectory=`, `ConfigurationDirectory=`.<br>You could write a `[email protected]` and use `After=mkdir\x2fetc\x2fdnsmasq.service`/`[email protected]`. | | `mkfile` | Not Implemented | | `noexec /tmp` | `NoExecPaths=/tmp` | | Not Implemented | `ExecPaths=/tmp/bin` | | `private-bin bash,getenforce,python3` | `TemporaryFileSystem=/bin`<br>`TemporaryFileSystem=/usr/bin`<br>`TemporaryFileSystem=/sbin`<br>`TemporaryFileSystem=/usr/sbin`<br>`BindReadOnlyPaths=/bin/bash`<br>`BindReadOnlyPaths=/usr/bin/python3`<br>`BindReadOnlyPaths=/usr/sbin/getenforce` | -
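Review bot: the `mkdir` cell's `After=mkdir\x2fetc\x2fdnsmasq.service` lacks the `@` that turns a template unit into an instance (footnote 2 in the March revision wrote `mkdir@\x2fetc\x2fdnsmasq.service`); as written, systemd would wait for a plain unit of that literal name. The two `[email protected]` fragments in the same cell also read as mangled unit names rather than the template names they stand for, so check the raw source of the gist, because a reader cannot reconstruct the intended unit from them. The added full stops are fine.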
rusty-snake revised this gist
Aug 11, 2021 . 1 changed file with 3 additions and 2 deletions.
@@ -31,7 +31,7 @@ documentation of the option you use! | `blacklist /boot` | `InaccessiblePaths=/boot` | | `chroot /foobaz` | `RootDirectory=/foobaz` | | `disable-mnt` | `InaccessiblePaths=/mnt`<br>`InaccessiblePaths=/media`<br>`InaccessiblePaths=/run/mount`(breaks systemd)<br>`InaccessiblePaths=/run/media` | | `mkdir` | Not Implemented<br>You can use `RuntimeDirectory=`, `StateDirectory=`, `CacheDirectory=`, `LogsDirectory=`, `ConfigurationDirectory=`.<br>You could write a `[email protected]` and use `After=mkdir\x2fetc\x2fdnsmasq.service`/`[email protected]`. | | `mkfile` | Not Implemented <sup>2</sup> | | `noexec /tmp` | `NoExecPaths=/tmp` | | Not Implemented | `ExecPaths=/tmp/bin` | @@ -104,7 +104,8 @@ documentation of the option you use! | `hostname myhost` | Not Implemented | | `net none` | `PrivateNetwork=yes` | | `net eth0` | Not Implemented | | `netfilter /etc/firejail/myfilter.net` | Not Implemented | | Not Implemented | `IPIngressFilterPath=` `IPEgressFilterPath=` | | `net eth0`<br>`netfilter ipdenyallow.net` | `IPAddressDeny=` `IPAddressAllow=` | | `netns NAME` | `NetworkNamespacePath=/var/run/netns/NAME` | | `protocol unix,inet,inet6` | `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` | -
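Review bot: the second hunk marks `netfilter /etc/firejail/myfilter.net` as `Not Implemented` on the systemd side and then adds `IPIngressFilterPath=` `IPEgressFilterPath=` with firejail marked `Not Implemented`, yet both rows are about attaching a custom packet filter to the sandbox (an iptables ruleset in firejail, a pinned BPF program in systemd); cross-reference the two rows, or merge them with a remark that the filter formats are not interchangeable, instead of having each column deny that the other side has anything. Dropping the stale `<sup>2</sup>` from `mkfile` in the first hunk is right, since that footnote was folded into the `mkdir` cell on Aug 10 and no longer exists.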
rusty-snake revised this gist
Aug 11, 2021 . 1 changed file with 2 additions and 2 deletions.
@@ -35,7 +35,7 @@ documentation of the option you use! | `mkfile` | Not Implemented <sup>2</sup> | | `noexec /tmp` | `NoExecPaths=/tmp` | | Not Implemented | `ExecPaths=/tmp/bin` | | `private-bin bash,getenforce,python3` | `TemporaryFileSystem=/bin`<br>`TemporaryFileSystem=/usr/bin`<br>`TemporaryFileSystem=/sbin`<br>`TemporaryFileSystem=/usr/sbin`<br>`BindReadOnlyPaths=/bin/bash`<br>`BindReadOnlyPaths=/usr/bin/python3`<br>`BindReadOnlyPaths=/usr/sbin/getenforce` | | `private-cwd` | `WorkingDirectory=~` | | `private-cwd /root` | `WorkingDirectory=/root` | | `private-etc ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl` | `TemporaryFileSystem=/etc`<br>`BindReadOnlyPaths=-/etc/ca-certificates`<br>`BindReadOnlyPaths=-/etc/crypto-policies`<br>`BindReadOnlyPaths=-/etc/nsswitch.conf`<br>`BindReadOnlyPaths=-/etc/pki`<br>`BindReadOnlyPaths=-/etc/resolv.conf`<br>`BindReadOnlyPaths=-/etc/ssl` | @@ -103,7 +103,7 @@ documentation of the option you use! | `hosts-file` | Not Implemented | | `hostname myhost` | Not Implemented | | `net none` | `PrivateNetwork=yes` | | `net eth0` | Not Implemented | | `netfilter /etc/firejail/myfilter.net` | fixme | | `net eth0`<br>`netfilter ipdenyallow.net` | `IPAddressDeny=` `IPAddressAllow=` | | `netns NAME` | `NetworkNamespacePath=/var/run/netns/NAME` | -
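Review bot: the new `private-bin bash,getenforce,python3` mapping binds `/bin/bash`, `/usr/bin/python3` and `/usr/sbin/getenforce` without the `-` prefix that the `private-etc` row below uses (`BindReadOnlyPaths=-/etc/...`); without `-`, a source path that is absent on the host (which of `/bin`, `/usr/bin`, `/sbin` and `/usr/sbin` holds a given binary differs between distributions) makes the unit fail to start instead of being skipped, so either add `-` or say that the paths must be adjusted per host. Worth adding to the cell as well: once the four `TemporaryFileSystem=` lines are in place, the binary named in the unit's own `ExecStart=` has to be one of the bound paths too, or the service cannot exec at all.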
rusty-snake revised this gist
Aug 11, 2021 . 1 changed file with 6 additions and 6 deletions.
@@ -1,11 +1,11 @@ # Comparison of systemd's hardening options with firejail and vice versa **TL;DR:** These tables list equivalent options rather than equal options. Read their docs! **NOTE:** Keep in mind that systemd is made to run and sandbox system-service while firejail has its focus on desktop programs. Therefore some options differ in their behavior, for example does firejail's `private-tmp` always bind-mount `/tmp/.X11-unix`, while systemd's `PrivateTmp=yes` does not. Always read the documentation of the option you use! - [`man 5 systemd.exec`] @@ -87,7 +87,7 @@ documentation of the option you use! | `seccomp.block-secondary` | `SystemCallArchitectures=native` | | `seccomp.drop @debug` | `SystemCallFilter=~@debug` | | `seccomp.keep @file-system,mount` | `SystemCallFilter=@file-system mount` | | [#3106](https://github.com/netblue30/firejail/issues/3106) | `SystemCallFilter=@system-service` | | `seccomp-error-action EPERM` (default) | `SystemCallErrorNumber=EPERM` | | `seccomp-error-action kill` | `SystemCallErrorNumber=` (default) | | `caps.drop sys_time,wake_alarm`<br>`seccomp.drop @clock`<br>`read-only /dev/rtc*` | `ProtectClock=yes` | -
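Review bot: the `SystemCallFilter=@system-service` change in the second hunk fixes the `@sysem-service` misspelling that has been in the table since the first revision; worth calling out, because a system call group that systemd cannot resolve is reported as a parse problem and not applied, so the row as previously written described a filter that would never have taken effect. The firejail cell in that row is still only the link `[#3106](https://github.com/netblue30/firejail/issues/3106)`; a few words on what the issue asks for would spare the reader a click. The grammar fixes in the intro (`These tables`, `rather than`, `their docs`, `its focus`, `systemd's`) are correct.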
rusty-snake revised this gist
Aug 10, 2021 . 1 changed file with 6 additions and 18 deletions.
@@ -31,7 +31,7 @@ documentation of the option you use! | `blacklist /boot` | `InaccessiblePaths=/boot` | | `chroot /foobaz` | `RootDirectory=/foobaz` | | `disable-mnt` | `InaccessiblePaths=/mnt`<br>`InaccessiblePaths=/media`<br>`InaccessiblePaths=/run/mount`(breaks systemd)<br>`InaccessiblePaths=/run/media` | | `mkdir` | Not Implemented<br>You can use `RuntimeDirectory=`, `StateDirectory=`, `CacheDirectory=`, `LogsDirectory=`, `ConfigurationDirectory=`<br>You could write a `[email protected]` and use `After=mkdir\x2fetc\x2fdnsmasq.service`/`[email protected]` | | `mkfile` | Not Implemented <sup>2</sup> | | `noexec /tmp` | `NoExecPaths=/tmp` | | Not Implemented | `ExecPaths=/tmp/bin` | @@ -74,7 +74,7 @@ documentation of the option you use! | `nou2f` | `InaccessiblePaths=/dev/hidraw*` | | `novideo` | `InaccessiblePaths=/dev/video*` | ## Seccomp, mdwe, Capabilities and NNP | firejail | systemd | | -------- | ------- | @@ -83,8 +83,6 @@ documentation of the option you use! | `caps.keep net_bind_service` | `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` | | `memory-deny-write-execute` | `MemoryDenyWriteExecute=yes`<br>`SystemCallFilter=~memfd_create` | | `nonewprivs` | `NoNewPrivileges=yes` | | `seccomp` | `SystemCallFilter=<omitted because it is to long, look at syscalls.txt>` | | `seccomp.block-secondary` | `SystemCallArchitectures=native` | | `seccomp.drop @debug` | `SystemCallFilter=~@debug` | 
@@ -109,6 +107,7 @@ documentation of the option you use! | `netfilter /etc/firejail/myfilter.net` | fixme | | `net eth0`<br>`netfilter ipdenyallow.net` | `IPAddressDeny=` `IPAddressAllow=` | | `netns NAME` | `NetworkNamespacePath=/var/run/netns/NAME` | | `protocol unix,inet,inet6` | `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` | | fixme | `ProtectHostname=yes` | ## D-Bus @@ -134,6 +133,7 @@ D-Bus filtering is not implemented for systemd and blocking the system-bus socke | firejail | systemd | | -------- | ------- | | `nogroups` | Not Implemented | | `noroot` | `PrivateUsers=yes` | | Not Implemented | `User=user`<br>`Group=group`<br>`SupplementaryGroups=supp_group1 supp_group2` | | Not Implemented | `DynamicUser=yes` | | Not Implemented | `RemoveIPC=yes` | @@ -149,24 +149,12 @@ D-Bus filtering is not implemented for systemd and blocking the system-bus socke | firejail | systemd | | -------- | ------- | | `include some-common.inc` | Not Implemented<br>You can use symlinks / hardlinks in `/etc/systemd/system/UNIT.d`. | | `ipc-namespace` | `PrivateIPC=yes` | | `join` | `JoinsNamespaceOf=` | | `machine-id` | Not Implemented<br>Maybe you can use `ExecStartPre=!/bin/sh -c "dbus-uuidgen > /etc/machine-id"`, however until now nobody had tested this. | | Not Implemented | `RestrictNamespaces=` | --------------------------------------------------------------------- Copying and distribution of this file, with or without modification, -
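Review bot: inlining footnote 4 into the `machine-id` cell lost its caveat ("Of course it needs a unshared /etc"): `ExecStartPre=!/bin/sh -c "dbus-uuidgen > /etc/machine-id"` runs with full privileges because of the `!` prefix, and unless the unit also has `TemporaryFileSystem=/etc` (or another private `/etc`) it overwrites the host's real `/etc/machine-id`; put the caveat back next to the command. Two smaller points: the new heading `## Seccomp, mdwe, Capabilities and NNP` uses two abbreviations the page never expands (memory-deny-write-execute, no-new-privileges), and the `include` cell's `Not Implemented` is too strong now that the same cell names the replacement, drop-ins under `/etc/systemd/system/UNIT.d`, symlinked or not. Moving `noroot` / `PrivateUsers=yes` to User/Group and `protocol` / `RestrictAddressFamilies=` to Networking reads well.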
rusty-snake revised this gist
Aug 10, 2021 . 1 changed file with 41 additions and 30 deletions.
@@ -22,11 +22,10 @@ documentation of the option you use! [`man 1 firejail`]: https://firejail.wordpress.com/features-3/man-firejail/ [`man 5 firejail-profile`]: https://firejail.wordpress.com/features-3/man-firejail-profile/ ## Filesystem | firejail | systemd | | -------- | ------- | | always | `PrivateMounts=yes` | | `blacklist /home`<br>`blacklist /root`<br>`blacklist /run/user` | `ProtectHome=yes` | | `blacklist /boot` | `InaccessiblePaths=/boot` | @@ -61,9 +60,11 @@ documentation of the option you use! | Not Implemented | `ProtectProc=noaccess` | | fixme | `ProcSubset=pid` | | Not Implemented | `RestrictSUIDSGID=yes` | ## Devices | firejail | systemd | | -------- | ------- | | `private-dev` | `PrivateDevices=yes` | | `no3d` | `InaccessiblePaths=/dev/dri` | | `nodvd` | `InaccessiblePaths=/dev/sr*` | @@ -72,9 +73,11 @@ documentation of the option you use! | `notv` | `InaccessiblePaths=/dev/dvb` | | `nou2f` | `InaccessiblePaths=/dev/hidraw*` | | `novideo` | `InaccessiblePaths=/dev/video*` | ## Security filters | firejail | systemd | | -------- | ------- | | `caps.drop all` | `CapabilityBoundingSet=` | | `caps.drop sys_admin,net_admin` | `CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_NET_ADMIN` | | `caps.keep net_bind_service` | `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` | 
@@ -93,9 +96,11 @@ documentation of the option you use! | `caps.drop syslog`<br>`seccomp.drop syslog`<br>`blacklist /dev/kmsg`<br>`blacklist /proc/kmsg` | `ProtectKernelLogs=yes` | | `caps.drop sys_module`<br>`blacklist /usr/lib/modules`<br>`seccomp.drop @module` | `ProtectKernelModules=yes` | fixme | `LockPersonality=yes` | ## Networking | firejail | systemd | | -------- | ------- | | `dns 9.9.9.9` | Not Implemented | | `hosts-file` | Not Implemented | | `hostname myhost` | Not Implemented | @@ -105,14 +110,15 @@ documentation of the option you use! | `net eth0`<br>`netfilter ipdenyallow.net` | `IPAddressDeny=` `IPAddressAllow=` | | `netns NAME` | `NetworkNamespacePath=/var/run/netns/NAME` | | fixme | `ProtectHostname=yes` | ## D-Bus D-Bus filtering is not implemented for systemd and blocking the system-bus socket breaks systemd. ## Resource Limits | firejail | systemd | | -------- | ------- | | `cpu 0,1` | `CPUAffinity=0,1` | | `nice 2` | `Nice=2` | | `rlimit*` | `Limit*` 
@@ -122,29 +128,34 @@ documentation of the option you use! | Not Implemented | `KeyringMode=` | | Not Implemented | `OOMScoreAdjust=` | | Not Implemented | `UMask=0077` | ## User/Group | firejail | systemd | | -------- | ------- | | `nogroups` | Not Implemented | | Not Implemented | `User=user`<br>`Group=group`<br>`SupplementaryGroups=supp_group1 supp_group2` | | Not Implemented | `DynamicUser=yes` | | Not Implemented | `RemoveIPC=yes` | ## Environment | firejail | systemd | | -------- | ------- | | `env FOO=bar` | `Environment=FOO=bar` | | `rmenv` | `UnsetEnvironment=EDITOR` | ## Unsorted | firejail | systemd | | -------- | ------- | | `include some-common.inc` | Not Implemented <sup>5</sup> | | `ipc-namespace` | `PrivateIPC=yes` | | `join` | `JoinsNamespaceOf=` | | `machine-id` | Not Implemented <sup>4</sup> | | Not Implemented | `RestrictNamespaces=` | 2. TODO: Write oneshot services `[email protected]` and `[email protected]` that can be used like: `[email protected]` or `After=mkdir@\x2fetc\x2fdnsmasq.service` (depending on the implementation). -
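Review bot: in the `@@ -93,9 +96,11 @@` hunk the `ProtectKernelModules=yes` row has no closing `|`, so it runs into `fixme | LockPersonality=yes` as one table line, and the `rlimit*` | `Limit*` row at the end of the Resource Limits hunk likewise ends without one; close both rows so they render as separate entries. With the table now split into sections, `protocol unix,inet,inet6` / `RestrictAddressFamilies=` stays under Security filters although a Networking section exists, so a reader scanning Networking for address-family restrictions will miss it. Footnote 2 still carries the `[email protected]` placeholders in place of the template unit names, and `## Unsorted` as a section name invites another rename.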
rusty-snake revised this gist
Aug 10, 2021 . 1 changed file with 121 additions and 96 deletions.
@@ -1,9 +1,7 @@ # Comparison of systemds hardening options with firejail and vice versa **TL;DR:** This tables list equivalent options rather then equal options. Read their docs! **NOTE:** Keep in mind that systemd is made to run and sandbox system-service while firejail has it's focus on desktop programs. Therefore some options differ in there behavior, for example does firejails `private-tmp` always bind-mount 
@@ -24,99 +22,126 @@ documentation of the option you use! [`man 1 firejail`]: https://firejail.wordpress.com/features-3/man-firejail/ [`man 5 firejail-profile`]: https://firejail.wordpress.com/features-3/man-firejail-profile/ | firejail | systemd | | -------- | ------- | ||| | **filesystem** || ||| | always | `PrivateMounts=yes` | | `blacklist /home`<br>`blacklist /root`<br>`blacklist /run/user` | `ProtectHome=yes` | | `blacklist /boot` | `InaccessiblePaths=/boot` | | `chroot /foobaz` | `RootDirectory=/foobaz` | | `disable-mnt` | `InaccessiblePaths=/mnt`<br>`InaccessiblePaths=/media`<br>`InaccessiblePaths=/run/mount`(breaks systemd)<br>`InaccessiblePaths=/run/media` | | `mkdir` | Not Implemented <sup>2, 3</sup> | | `mkfile` | Not Implemented <sup>2</sup> | | `noexec /tmp` | `NoExecPaths=/tmp` | | Not Implemented | `ExecPaths=/tmp/bin` | | `private-bin basename,bash,cat,dirname,grep,sed` | fixme | | `private-cwd` | `WorkingDirectory=~` | | `private-cwd /root` | `WorkingDirectory=/root` | | `private-etc ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl` | `TemporaryFileSystem=/etc`<br>`BindReadOnlyPaths=-/etc/ca-certificates`<br>`BindReadOnlyPaths=-/etc/crypto-policies`<br>`BindReadOnlyPaths=-/etc/nsswitch.conf`<br>`BindReadOnlyPaths=-/etc/pki`<br>`BindReadOnlyPaths=-/etc/resolv.conf`<br>`BindReadOnlyPaths=-/etc/ssl` | | `private-lib` | Not Implemented | | `private-opt vivaldi` | `TemporaryFileSystem=/opt`<br>`BindReadOnlyPaths=/opt/vivaldi` | | `private-srv www` | `TemporaryFileSystem=/srv`<br>`BindReadOnlyPaths=-/srv/www` | | `private-tmp` | `PrivateTmp=yes` | | `read-only /usr` | `ProtectSystem=yes` | | `read-only /usr`<br>`read-only /etc` | `ProtectSystem=full` | | `read-only /` | `ProtectSystem=strict` | | `read-only /home`<br>`read-only /root`<br>`read-only /run/user` | `ProtectHome=read-only` | | `read-only /sys/fs/cgroup` | `ProtectControlGroups=yes` | | `read-only /proc/acpi`<br>`read-only /proc/fs`<br>`read-only /proc/irq`<br>`read-only 
/proc/latency_stats`<br>`read-only /proc/sys`<br>`read-only /proc/sysrq-trigger`<br>`read-only /proc/timer_stats`<br>`read-only /sys` | `ProtectKernelTunables=yes` | | `read-only /foo` | `ReadOnlyPaths=/foo` | | `read-write /foo/bar` | `ReadWritePaths=/foo/bar` | | `tmpfs /home`<br>`tmpfs /root`<br>`tmpfs /run/user` | `ProtectHome=tmpfs` | | `tmpfs /xyzzy` | `TemporaryFileSystem=/xyzzy` | | `tracelog` | Not Implemented | | `whitelist /mnt/backup` | `TemporaryFileSystem=/mnt`<br>`BindPaths=/mnt/backup` | | fixme | `BindPaths=` `BindReadOnlyPaths=` | | always (via pid-namespace) | `ProtectProc=invisible` | | Not Implemented | `ProtectProc=noaccess` | | fixme | `ProcSubset=pid` | | Not Implemented | `RestrictSUIDSGID=yes` | ||| | **devices** || ||| | `private-dev` | `PrivateDevices=yes` | | `no3d` | `InaccessiblePaths=/dev/dri` | | `nodvd` | `InaccessiblePaths=/dev/sr*` | | `noinput` | `InaccessiblePaths=/dev/input` | | `nosound` | `InaccessiblePaths=/dev/snd` | | `notv` | `InaccessiblePaths=/dev/dvb` | | `nou2f` | `InaccessiblePaths=/dev/hidraw*` | | `novideo` | `InaccessiblePaths=/dev/video*` | ||| | **security filters** || ||| | `caps.drop all` | `CapabilityBoundingSet=` | | `caps.drop sys_admin,net_admin` | `CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_NET_ADMIN` | | `caps.keep net_bind_service` | `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` | | `memory-deny-write-execute` | `MemoryDenyWriteExecute=yes`<br>`SystemCallFilter=~memfd_create` | | `nonewprivs` | `NoNewPrivileges=yes` | | `noroot` | `PrivateUsers=yes` | | `protocol unix,inet,inet6` | `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` | | `seccomp` | `SystemCallFilter=<omitted because it is to long, look at syscalls.txt>` | | `seccomp.block-secondary` | `SystemCallArchitectures=native` | | `seccomp.drop @debug` | `SystemCallFilter=~@debug` | | `seccomp.keep @file-system,mount` | `SystemCallFilter=@file-system mount` | | [#3106](https://github.com/netblue30/firejail/issues/3106) | 
`SystemCallFilter=@sysem-service` | | `seccomp-error-action EPERM` (default) | `SystemCallErrorNumber=EPERM` | | `seccomp-error-action kill` | `SystemCallErrorNumber=` (default) | | `caps.drop sys_time,wake_alarm`<br>`seccomp.drop @clock`<br>`read-only /dev/rtc*` | `ProtectClock=yes` | | `caps.drop syslog`<br>`seccomp.drop syslog`<br>`blacklist /dev/kmsg`<br>`blacklist /proc/kmsg` | `ProtectKernelLogs=yes` | | `caps.drop sys_module`<br>`blacklist /usr/lib/modules`<br>`seccomp.drop @module` | `ProtectKernelModules=yes` | fixme | `LockPersonality=yes` | ||| | **networking** || ||| | `dns 9.9.9.9` | Not Implemented | | `hosts-file` | Not Implemented | | `hostname myhost` | Not Implemented | | `net none` | `PrivateNetwork=yes` | | `net eth0` | fixme | | `netfilter /etc/firejail/myfilter.net` | fixme | | `net eth0`<br>`netfilter ipdenyallow.net` | `IPAddressDeny=` `IPAddressAllow=` | | `netns NAME` | `NetworkNamespacePath=/var/run/netns/NAME` | | fixme | `ProtectHostname=yes` | ||| | **dbus** || ||| | `dbus-system filter` | Not Implemented | | `dbus-system none` | Not Implemented <sup>1</sup> | ||| | **resource limits** || ||| | `cpu 0,1` | `CPUAffinity=0,1` | | `nice 2` | `Nice=2` | | `rlimit*` | `Limit*` | `timeout` | `TimeoutSec=` | | fixme | `RestrictRealtime=yes` | | Not Implemented | `CoredumpFilter=` | | Not Implemented | `KeyringMode=` | | Not Implemented | `OOMScoreAdjust=` | | Not Implemented | `UMask=0077` | ||| | **user/group** || ||| | `nogroups` | Not Implemented | | Not Implemented | `User=user`<br>`Group=group`<br>`SupplementaryGroups=supp_group1 supp_group2` | | Not Implemented | `DynamicUser=yes` | | Not Implemented | `RemoveIPC=yes` | ||| | **environment** || ||| | `env FOO=bar` | `Environment=FOO=bar` | | `rmenv` | `UnsetEnvironment=EDITOR` | ||| | **unsorted** || ||| | `include some-common.inc` | Not Implemented <sup>5</sup> | | `ipc-namespace` | `PrivateIPC=yes` | | `join` | `JoinsNamespaceOf=` | | `machine-id` | Not Implemented <sup>4</sup> | | 
Not Implemented | `RestrictNamespaces=` | 1. `InaccessiblePaths=/run/dbus` breaks systemd. -
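Review bot: `SystemCallFilter=@sysem-service` in the security-filters block is a typo for `@system-service` (carried over from the first revision), and `<omitted because it is to long, look at syscalls.txt>` should read `too long`; `syscalls.txt` is referenced without being part of the gist, so link it or drop the reference. The `rlimit*` | `Limit*` row has no closing `|` and runs together with `timeout` | `TimeoutSec=` in the resource-limits block, and `ProtectKernelModules=yes` likewise runs into `fixme | LockPersonality=yes`. The bold section rows (`| **filesystem** ||`) work as dividers, but they are not linkable the way `##` headings are, and the `|||` spacer rows render as empty table rows.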
rusty-snake revised this gist
Jul 4, 2021 . 1 changed file with 1 addition and 0 deletions.
@@ -110,6 +110,7 @@ documentation of the option you use! | `BindPaths=` `BindReadOnlyPaths=` | fixme | | `InaccessiblePaths=/dev/dri` | `no3d` | | `InaccessiblePaths=/dev/sr*` | `nodvd` | | `InaccessiblePaths=/dev/input` | `noinput` | | `InaccessiblePaths=/dev/snd` | `nosound` | | `InaccessiblePaths=/dev/dvb` | `notv` | | `InaccessiblePaths=/dev/hidraw*` | `nou2f` | -
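Review bot: the `InaccessiblePaths=/dev/input` / `noinput` row is consistent with its neighbours, but the block of `/dev/*` rows would benefit from one sentence relating them to the `PrivateDevices=yes` / `private-dev` row elsewhere in the table: with a private `/dev`, physical nodes such as `/dev/input`, `/dev/dri` and `/dev/snd` are not present in the first place, so these `InaccessiblePaths=` lines are what you reach for when the unit keeps the host `/dev`.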
rusty-snake revised this gist
Mar 13, 2021 . 1 changed file with 8 additions and 4 deletions.
@@ -47,17 +47,20 @@ documentation of the option you use! | Not Implemented | `tracelog` | | `PrivateNetwork=yes` | `net none` | | `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` | `protocol unix,inet,inet6` | | `IPAddressDeny=` `IPAddressAllow=` | `net eth0`<br>`netfilter ipdenyallow.net` | | fixme | `net eth0` | | fixme | `netfilter /etc/firejail/myfilter.net` | | `NetworkNamespacePath=/var/run/netns/NAME` | `netns NAME` | | `ProtectHostname=yes` | fixme | | Not Implemented | `dns 9.9.9.9` | | Not Implemented | `hosts-file` | | Not Implemented | `hostname myhost` | | `PrivateUsers=yes` | `noroot` | | Not Implemented | `nogroups` | | `User=user`<br>`Group=group`<br>`SupplementaryGroups=supp_group1 supp_group2` | Not Implemented | | `DynamicUser=yes` | Not Implemented | | `RemoveIPC=yes` | Not Implemented | | fixme | `ipc-namespace` | | `Limit*` | `rlimit*` | | `Nice=2` | `nice 2` | | `UMask=0077` | Not Implemented | @@ -102,12 +105,13 @@ documentation of the option you use! | `ProtectHome=yes` | `blacklist /home`<br>`blacklist /root`<br>`blacklist /run/user` | | `ProtectHome=read-only` | `read-only /home`<br>`read-only /root`<br>`read-only /run/user` | | `ProtectHome=tmpfs` | `tmpfs /home`<br>`tmpfs /root`<br>`tmpfs /run/user` | | `NoExecPaths=/tmp` | `noexec /tmp` | | `ExecPaths=` | Not Implemented | | `BindPaths=` `BindReadOnlyPaths=` | fixme | | `InaccessiblePaths=/dev/dri` | `no3d` | | `InaccessiblePaths=/dev/sr*` | `nodvd` | | `InaccessiblePaths=/dev/snd` | `nosound` | | `InaccessiblePaths=/dev/dvb` | `notv` | | `InaccessiblePaths=/dev/hidraw*` | `nou2f` | | `InaccessiblePaths=/dev/video*` | `novideo` | | `JoinsNamespaceOf=` | `join` | -
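Review bot: the combined cell `net eth0`<br>`netfilter ipdenyallow.net` opposite `IPAddressDeny=` `IPAddressAllow=` relies on a firejail detail the table does not state, namely that `netfilter` only takes effect inside the network namespace that `net` creates; say so in the cell, otherwise the separate `fixme | net eth0` and `fixme | netfilter ...` rows two lines down look like stray leftovers. Also note there that `IPAddressDeny=`/`IPAddressAllow=` match on addresses only, whereas a firejail `.net` file is an iptables ruleset that can also match ports and protocols, so this is an equivalence in the TL;DR's loose sense. The `NoExecPaths=/tmp` / `noexec /tmp` and `InaccessiblePaths=/dev/dvb` / `notv` updates in the second hunk correctly resolve two cells that were `Not Implemented` and `fixme` before.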
rusty-snake revised this gist
Mar 12, 2021 . 1 changed file with 3 additions and 2 deletions.
@@ -93,7 +93,7 @@ documentation of the option you use! | Not Implemented | `private-lib` | | `TemporaryFileSystem=/opt`<br>`BindReadOnlyPaths=/opt/vivaldi` | `private-opt vivaldi` | | `TemporaryFileSystem=/srv`<br>`BindReadOnlyPaths=-/srv/www` | `private-srv www` | | `WorkingDirectory=/foobar` | `private-cwd /foobar` | | `PrivateDevices=yes` | `private-dev` | | `PrivateTmp=yes` | `private-tmp` | | `ProtectSystem=yes` | `read-only /usr` | @@ -111,7 +111,7 @@ documentation of the option you use! | `InaccessiblePaths=/dev/hidraw*` | `nou2f` | | `InaccessiblePaths=/dev/video*` | `novideo` | | `JoinsNamespaceOf=` | `join` | | Not Implemented <sup>5</sup> | `include some-common.inc` | 1. `InaccessiblePaths=/run/dbus` breaks systemd. @@ -123,6 +123,7 @@ documentation of the option you use! 4. Maybe the following can be used. But I did not tested it so far and it might break systemd. `ExecStartPre=!/bin/sh -c "dbus-uuidgen > /etc/machine-id"` Of course it needs a unshared /etc. 5. You can you symlinks. --------------------------------------------------------------------- -
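Review bot: the footnote added in the last hunk reads `5. You can you symlinks.`, presumably `You can use symlinks`, and it should say where (a symlink placed in the unit's drop-in directory is what stands in for `include`), since a one-word hint does not tell the reader how to reuse a common fragment across units. The `private-cwd /foobar` fix adds the leading slash the firejail side was missing, so the two columns now agree, and tagging `include some-common.inc` with `<sup>5</sup>` makes that footnote reachable from the table.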
rusty-snake created this gist
Mar 12, 2021 .
@@ -0,0 +1,133 @@ # Comparison of systemds hardening options with firejail and vice versa *Idea from @glitsj16.* **TL;DR:** This tables list equivalent options rather then equal options. Read there docs! **NOTE:** Keep in mind that systemd is made to run and sandbox system-service while firejail has it's focus on desktop programs. Therefore some options differ in there behavior, for example does firejails `private-tmp` always bind-mount `/tmp/.X11-unix`, while systemds `PrivateTmp=yes` does not. Always read the documentation of the option you use! - [`man 5 systemd.exec`] - [`man 5 systemd.resource-control`] - [`man 5 systemd.service`] - [`man 5 systemd.unit`] - [`man 1 firejail`] - [`man 5 firejail-profile`] [`man 5 systemd.exec`]: https://www.freedesktop.org/software/systemd/man/systemd.exec.html [`man 5 systemd.resource-control`]: https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html [`man 5 systemd.service`]: https://www.freedesktop.org/software/systemd/man/systemd.service.html [`man 5 systemd.unit`]: https://www.freedesktop.org/software/systemd/man/systemd.unit.html [`man 1 firejail`]: https://firejail.wordpress.com/features-3/man-firejail/ [`man 5 firejail-profile`]: https://firejail.wordpress.com/features-3/man-firejail-profile/ | systemd | firejail | | ------- | -------- | | `NoNewPrivileges=yes` | `nonewprivs` | | `CapabilityBoundingSet=` | `caps.drop all` | | `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` | `caps.keep net_bind_service` | | `CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_NET_ADMIN` | `caps.drop sys_admin,net_admin` | | `SystemCallFilter=@file-system mount` | `seccomp.keep @file-system,mount` | | `SystemCallFilter=~@debug` | `seccomp.drop @debug` | | `SystemCallFilter=<omitted; was to long; look at syscalls.txt>` | `seccomp` | | `SystemCallFilter=@sysem-service` | [netblue30/firejail#3106](https://github.com/netblue30/firejail/issues/3106) | | `SystemCallArchitectures=native` | `seccomp.block-secondary` | | 
`SystemCallErrorNumber=` (default) | `seccomp-error-action kill` | | `SystemCallErrorNumber=EPERM` | `seccomp-error-action EPERM` (default) | | `LockPersonality=yes` | fixme | | `MemoryDenyWriteExecute=yes`<br>`SystemCallFilter=~memfd_create` | `memory-deny-write-execute` | | `ProtectProc=invisible` | always | | `ProtectProc=noaccess` | Not Implemented | | `ProcSubset=pid` | fixme | | `TimeoutSec=` | `timeout` | | Not Implemented | `tracelog` | | `PrivateNetwork=yes` | `net none` | | `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` | `protocol unix,inet,inet6` | | `IPAddressDeny=` `IPAddressAllow=` | Not Implemented | | `NetworkNamespacePath=/var/run/netns/NAME` | `netns NAME` | | `ProtectHostname=yes` | fixme | | Not Implemented | `dns 9.9.9.9` | | Not Implemented | `hosts-file` | | fixme | `hostname myhost` | | `PrivateUsers=yes` | `noroot` | | Not Implemented | `nogroups` | | `User=user`<br>`Group=group`<br>`SupplementaryGroups=supp_group1 supp_group2` | Not Implemented | | `DynamicUser=yes` | Not Implemented | | `RemoveIPC=yes` | Not Implemented | | `Limit*` | `rlimit*` | | `Nice=2` | `nice 2` | | `UMask=0077` | Not Implemented | | `CPUAffinity=0,1` | `cpu 0,1` | | Not Implemented <sup>1</sup> | `dbus-system none` | | Not Implemented | `dbus-system filter` | | `Environment=FOO=bar` | `env FOO=bar` | | `UnsetEnvironment=EDITOR` | `rmenv EDITOR` | | Not Implemented <sup>4</sup> | `machine-id` | | `ProtectClock=yes` | `caps.drop sys_time,wake_alarm`<br>`seccomp.drop @clock`<br>`read-only /dev/rtc*` | | `ProtectKernelLogs=yes` | `caps.drop CAP_SYSLOG`<br>`seccomp.drop syslog`<br>`blacklist /dev/kmsg`<br>`blacklist /proc/kmsg` | | `ProtectKernelModules=yes` | `caps.drop sys_module`<br>`blacklist /usr/lib/modules`<br>`seccomp.drop @module` | | `ProtectKernelTunables=yes` | `read-only /proc/acpi`<br>`read-only /proc/fs`<br>`read-only /proc/irq`<br>`read-only /proc/latency_stats`<br>`read-only /proc/sys`<br>`read-only /proc/sysrq-trigger`<br>`read-only 
/proc/timer_stats`<br>`read-only /sys` | | `ProtectControlGroups=yes` | `read-only /sys/fs/cgroup` | | `RestrictNamespaces=` | Not Implemented | | `RestrictRealtime=yes` | fixme | | `RestrictSUIDSGID=yes` | Not Implemented | | `CoredumpFilter=` | Not Implemented | | `KeyringMode=` | Not Implemented | | `OOMScoreAdjust=` | Not Implemented | | `PrivateMounts=yes` | always | | `InaccessiblePaths=/boot` | `blacklist /boot` | | `ReadOnlyPaths=/foo` | `read-only /foo` | | `ReadWritePaths=/foo/bar` | `read-write /foo/bar` | | `TemporaryFileSystem=/mnt`<br>`BindPaths=/mnt/backup` | `whitelist /mnt/backup` | | Not Implemented <sup>2, 3</sup> | `mkdir` | | Not Implemented <sup>2</sup> | `mkfile` | | `TemporaryFileSystem=/xyzzy` | `tmpfs /xyzzy` | | `RootDirectory=/foobaz` | `chroot /foobaz` | | `InaccessiblePaths=/mnt`<br>`InaccessiblePaths=/media`<br>`InaccessiblePaths=/run/mount`(breaks systemd)<br>`InaccessiblePaths=/run/media`<br> | `disable-mnt` | | `TemporaryFileSystem=/etc`<br>`BindReadOnlyPaths=-/etc/ca-certificates`<br>`BindReadOnlyPaths=-/etc/crypto-policies`<br>`BindReadOnlyPaths=-/etc/pki`<br>`BindReadOnlyPaths=-/etc/resolv.conf`<br>`BindReadOnlyPaths=-/etc/ssl` | `private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl` | | fixme | `private-bin basename,bash,cat,dirname,grep,sed` | | Not Implemented | `private-lib` | | `TemporaryFileSystem=/opt`<br>`BindReadOnlyPaths=/opt/vivaldi` | `private-opt vivaldi` | | `TemporaryFileSystem=/srv`<br>`BindReadOnlyPaths=-/srv/www` | `private-srv www` | | `WorkingDirectory=/foobar` | `private-cwd foobar` | | `PrivateDevices=yes` | `private-dev` | | `PrivateTmp=yes` | `private-tmp` | | `ProtectSystem=yes` | `read-only /usr` | | `ProtectSystem=full` | `read-only /usr`<br>`read-only /etc` | | `ProtectSystem=strict` | `read-only /` | | `ProtectHome=yes` | `blacklist /home`<br>`blacklist /root`<br>`blacklist /run/user` | | `ProtectHome=read-only` | `read-only /home`<br>`read-only /root`<br>`read-only /run/user` | | 
`ProtectHome=tmpfs` | `tmpfs /home`<br>`tmpfs /root`<br>`tmpfs /run/user` | | Not Implemented | `noexec` | | `BindPaths=` `BindReadOnlyPaths=` | fixme | | `InaccessiblePaths=/dev/dri` | `no3d` | | `InaccessiblePaths=/dev/sr*` | `nodvd` | | `InaccessiblePaths=/dev/snd` | `nosound` | | fixme | `notv` | | `InaccessiblePaths=/dev/hidraw*` | `nou2f` | | `InaccessiblePaths=/dev/video*` | `novideo` | | `JoinsNamespaceOf=` | `join` | | Not Implemented | `include some-common.inc` | 1. `InaccessiblePaths=/run/dbus` breaks systemd. 2. TODO: Write oneshot services `[email protected]` and `[email protected]` that can be used like: `[email protected]` or `After=mkdir@\x2fetc\x2fdnsmasq.service` (depending on the implementation). 3. You can use `RuntimeDirectory=`, `StateDirectory=`, `CacheDirectory=`, `LogsDirectory=`, `ConfigurationDirectory=`. 4. Maybe the following can be used. But I did not tested it so far and it might break systemd. `ExecStartPre=!/bin/sh -c "dbus-uuidgen > /etc/machine-id"` Of course it needs a unshared /etc. --------------------------------------------------------------------- Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without any warranty.
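Review bot: the table mixes two spellings for firejail capabilities: `caps.drop CAP_SYSLOG` (the `ProtectKernelLogs=yes` row) against `caps.drop sys_time,wake_alarm`, `caps.drop sys_module` and `caps.keep net_bind_service` everywhere else; pick the lowercase, unprefixed form the other rows use. `private-cwd foobar` is missing the leading slash that its systemd cell `WorkingDirectory=/foobar` has, and `SystemCallFilter=@sysem-service` is a typo for `@system-service`. The intro needs a pass as well: `systemds` should be `systemd's`, `This tables list ... rather then equal options. Read there docs!` should be `These tables list ... rather than equal options. Read their docs!`, `it's focus` should be `its focus`, and `in there behavior` should be `in their behavior`. In footnote 4, `I did not tested it` should be `I have not tested it` and `a unshared /etc` should be `an unshared /etc`.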