apparmor

2 files changed, 7 insertions, 2 deletions

diff --git a/etc/firejail-default b/etc/firejail-default
index 5e1f2975c..5aacaec97 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -23,7 +23,7 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 # enough to run "top" or "ps aux".
 ##########
 / r,
-/{usr,bin,dev,etc,home,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
+/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
 /{,var/}run/ r,
 /{,var/}run/** r,
 /{,var/}run/user/**/dconf/ rw,
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 83ac12d86..20f2b7f8c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2262,8 +2262,13 @@ programs and scripts from user home or other directories writable by the user is
 .br
 
 .br
+- Allow access to files only in the following standard directories: /bin, /dev, /etc, /home, /lib*, /media, /mnt, /opt,
+/proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr, and /var
+.br
+
+.br
 - Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
-You should have no problems running Chromium or Firefox.
+You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.
 
 .TP
 To enable AppArmor confinement on top of your current Firejail security features, pass \fB\-\-apparmor\fR flag to Firejail command line. You can also include \fBapparmor\fR command in a Firejail profile file. Example: